OpenVPN from recent Merlin FW or Entware

[zd59]

Hello!

I bought RT-AC86U and want to use OpenVPN.
Want to use libOpenSSL version 1.1.1 which is more secure than 1.0.X.
In Merlin FW are installed both libraries libOpenSSL version 1.1.X and 1.0.X. Which is used for VPN?

Need advice, which one to use: one from Merlin FW 384.11_2 or from https://bin.entware.net/aarch64-k3.10 released may 2019?

 

[Martineau]

Want to use libOpenSSL version 1.1.1 which is more secure than 1.0.X. In Merlin FW are installed both libraries libOpenSSL version 1.1.X and 1.0.X.

Which is used for VPN?

From the changelog since v384.10 (24-March-2019)

 

[ColinTaylor]

Always use the router's built-in entware-setup.sh script. It will download the current version.

Read the change log:

384.10 (24-March-2019)
  - NEW: Added OpenSSL 1.1.1b in parallel to 1.0.2.  Some services
         like AiCloud are still linked against 1.0.2 because they
         would require Asus to recompile them against 1.1.1.

         Main services that currently use OpenSSL 1.1.1:
         httpd (webui), OpenVPN, wget, net-snmp, Tor,
         Strongswan (IPSEC server), inadyn, vsftpd, avahi.

         Models that lack AES acceleration will prioritize the use
         of CHACHA20 over AES-256-GCM, for a small performance
         improvement (for instance with the webui).

         Note that OpenVPN 2.4.7's support is still limited.
         TLS 1.3 is supported, but CHACHA20 support is
         only expected with OpenVPN 2.5.0.

         The 1.0.2 userspace tool is still named "openssl", while
         the 1.1.x version is named "openssl11".

 

[zd59]

Thank you both.

So Melin FW version VPN is current and I'll use it.

 

[eibgrad]

You can always go to a shell (ssh) and get the OpenVPN version, which will also show the OpenSSL version in use.

admin@RT-AC68U-0960:/tmp/home/root# openvpn --version
OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun  7 2019
library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

And lots of other details.