51 replies to this topic

[Erik Slagter]

www.google.com "site:openpli.org openvpn"

[daveraver]

there is a way to build all with enigma2 box, but it is not created by me and I wont publish it in openpli forum. Maybe google can find this method too.

[WanWizard]

To build what? OpenVPN itself is available in the feeds, and that comes with an init script to stop and start it.

 

As to the config, there are two possibilities. If you use the box a client, the server usually delivers the config. Most OpenVPN server devices, and most VPN providers do. If you want to use the box as a server, you need to setup your own server config.

 

As we are of the opinion that the STB is not a (hardened) security device, and it will never become one, it should not be used to terminate public connections originating from the internet. This is as true for a VPN solution as it is for the webinterface.

[daveraver]

I mean build all files, crt, ca, dh, client.ovpn... with easy-rsa package for enigma2, yes, enigma2.

[littlesat]

You can build them with your settop box when the packages are included... But you can also use your PC to create them... SpaceRat demonstrates that this is possilbe and how...

 

I think is is more user friendly to use your PC to create them....

Edited by littlesat, 5 March 2017 - 16:52.

[SpaceRat]

easy-rsa as available from the feeds for certain distros is exactly the same as the normal easy-rsa you can find on Debian, Ubuntu.

I suspended working on simple-rsa for the moment, more relevant things to do

[daveraver]

ok, somebody maybe interested in it, not advanced users, this is an example to automatisation of the process, a script I borrow from a certain forum.
Could anybody adapt it to work with 2.4 openvpn version???
I have seen the script names them clients as 3 apple device clients, it doesnt matter.

Attached Files

•  setup_openvpn.sh.zip   1.58KB   34 downloads

Edited by daveraver, 5 March 2017 - 17:08.

[daveraver]

And script has been created by vix image users...well, my real intention is to get 2.4 openvpn version.

[littlesat]

And even whit that script you have to create your own keyser.... But a few weeks ago the whole story was posted here on this forum...

Edited by littlesat, 5 March 2017 - 17:32.

[SpaceRat]

It actually creates keysets using easy-rsa

See this part:

. ./vars
./clean-all
./pkitool --initca
./pkitool --server server
./pkitool client1
./pkitool client2
./pkitool client3

[daveraver]

yes, it may do keyset on own enigma2 box.

[daveraver]

And even whit that script you have to create your own keyser.... But a few weeks ago the whole story was posted here on this forum...

I didnt see it. I saw it on a 2014 post on openvix forum.

Edited by daveraver, 5 March 2017 - 17:42.

[daveraver]

I would like to know how to build openvpn v.2.4, not in the feeds, with the source code, I think it would be created in ssh shell, I never create any binnary from source code, well sometimes with help... nobody can build the v.2.4 binnary? Or update the feeds...please...

[daveraver]

ok, somebody maybe interested in it, not advanced users, this is an example to automatisation of the process, a script I borrow from a certain forum.
Could anybody adapt it to work with 2.4 openvpn version???
I have seen the script names them clients as 3 apple device clients, it doesnt matter.

The script suposes that you have downloaded easy-rsa files to create the openvpn rsa and certificates. But version 2.3.2 and 2.4 dont include the easy-rsa tool, because it's known we can run easy-rsa on windows dist. The manual of openvix works on v2.2.2. Well, I just want v2.4.0 binary, please...enigma2 binary of course. I stop here, I am sorry. Thanks.

Edited by daveraver, 5 March 2017 - 18:33.

[SpaceRat]

No, you don't.
You wouldn't want OpenVPN (Neither the old one on the feeds nor the newer one) in conjunction with those ancient OpenSSL libs that OpenPLi 4.0 comes with.

Even the OpenSSL in OpenATV 5.3 and 6.0 is already obsoleted by new vulnerabilities I didn't have the time yet to check in the CVE patches for.

Fighting for security in E2 images feels a lot like f*cking for virginity ... pretty useless

[daveraver]

And openpli 5.0? I think an official image of openpli team would have to exist. Why have we to play with beta images or sfteam team openpli 5 based images? I am very proud of sfteam but why openpli team dont launch version 5.0? At the end, could openpli 5.0 work with a safety OpenSSL libraries?? I really dont have idea.

Edited by daveraver, 5 March 2017 - 23:40.

[WanWizard]

It is very simple: because not every image works yet, although we have managed to narrow the issues down to a two manufacturers now. Once this is taken care off, we'll put the release engine in motion.

[Dream1975]

It is very simple: because not every image works yet, although we have managed to narrow the issues down to a two manufacturers now. Once this is taken care off, we'll put the release engine in motion.

 

Just a suggestion, but wouldn't it be possible to realease OpenPLi 5 for the rest (and only not build for these 2 manufacturers)?

[SpaceRat]

And openpli 5.0?

That will have more or less up-to-date OpenSSL ... in the beginning.

Usually, once images go into "stable" state, they are built against the same revision of openembedded for the rest of their life-time.

I have had to add a bunch of security fixes (from Debian and Ubuntu) to oe-a as well to make OpenSSL in OpenATV 5.3/OpenViX 4.2 and OpenATV 6.0 secure again ... for that moment.
Since then new vulnerabilities have been found and not yet fixed, because I can not replace whole security teams that Debian or Ubuntu have.

The next thing is, that not all vulnerabilities are necessarily relevant for OpenVPN, but maybe only for things that aren't even in use on your E2 box.


Generally speaking, if you have the chance to run OpenVPN on either a well maintained router OS (Like LEDE, the de-facto-successor of OpenWrt) or a machine running a full version of a current Linux/BSD, e.g. Debian or Ubuntu, then do that.
A Raspberry Pi with Raspbian would already do.
Those will be much better maintained when it comes to security.
You can also rely on these to have the tools to distribute/allow/deny traffic (Firewall, Masquerading, ...)

You should only use the OpenVPN on your E2 box if you do not have one of these better alternatives, as it will still be better than port-forwardings for the OpenWebif, ftp, ...

[daveraver]

very Interesting, I thought about openwrt OS router to give to a Smart Tv a vpn client conection, but I didnt know LEDE replace Openwrt. I've seen it now. thank you.