
[RFC] openvpn: update to 2.5 beta2

Message ID 20200831160330.1213-1-mkroken@gmail.com

Commit Message

Magnus Kroken Aug. 31, 2020, 4:03 p.m. UTC
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless the
  data_ciphers_fallback option (the name used in the shipped sample
  config and options list) is set on the 2.5 peer and it names a
  cipher the client supports.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.

I propose disabling LZO compression support by default, due to:
* Compression is not recommended, as it may weaken the security of the
  connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also
adds about 1 kB to the OpenVPN package itself. LZ4 support (using
OpenVPN bundled LZ4) adds about 6 kB to the OpenVPN package in total.

This means OpenWrt users will not be able to connect to OpenVPN
peers that require LZO compression, unless they build the package
themselves.

I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl
variant will no longer exist and all OpenVPN packages will cover both
cases I am not entirely sure how this should be handled.

.../services/openvpn/Config-mbedtls.in        |  6 +-
 .../network/services/openvpn/Config-nossl.in  | 50 --------------
 .../services/openvpn/Config-openssl.in        |  6 +-
 package/network/services/openvpn/Makefile     | 20 +-----
 .../services/openvpn/files/openvpn.config     | 67 ++++++++++++-------
 .../services/openvpn/files/openvpn.options    | 14 +++-
 .../001-reproducible-remove_DATE.patch        |  6 +-
 ...bedtls-disable-runtime-version-check.patch |  2 +-
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 ----------------
 ...enssl-add-missing-include-statements.patch | 65 ------------------
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch     | 21 ++----
 12 files changed, 72 insertions(+), 245 deletions(-)
 delete mode 100644 package/network/services/openvpn/Config-nossl.in
 delete mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 delete mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,16 +2,12 @@  if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
 	bool "Enable LZO compression support"
-	default y
+	default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
 	bool "Enable LZ4 compression support"
 	default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #	bool "Enable support for the eurephia plug-in"
 #	default n
diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..0000000000
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@ 
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
-	bool "Enable LZO compression support"
-	default y
-
-config OPENVPN_nossl_ENABLE_LZ4
-	bool "Enable LZ4 compression support"
-	default y
-
-config OPENVPN_nossl_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-	bool "Enable management server support"
-	default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
-	bool "Enable internal fragmentation support (--fragment)"
-	default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
-	bool "Enable multi-homed UDP server support (--multihome)"
-	default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-	bool "Enable TCP server port-share support (--port-share)"
-	default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-	bool "Enable deferred authentication"
-	default y
-
-config OPENVPN_nossl_ENABLE_PF
-	bool "Enable internal packet filter"
-	default y
-
-config OPENVPN_nossl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
-config OPENVPN_nossl_ENABLE_SMALL
-	bool "Enable size optimization"
-	default y
-	help
-	  enable smaller executable size (disable OCC, usage
-	  message, and verb 4 parm list)
-
-endif
diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in
index f2b618eff1..335bbaa2c4 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -2,7 +2,7 @@  if PACKAGE_openvpn-openssl
 
 config OPENVPN_openssl_ENABLE_LZO
 	bool "Enable LZO compression support"
-	default y
+	default n
 
 config OPENVPN_openssl_ENABLE_LZ4
 	bool "Enable LZ4 compression support"
@@ -12,10 +12,6 @@  config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
 	bool "Enable the --x509-username-field feature"
 	default n
 
-config OPENVPN_openssl_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
 #config OPENVPN_openssl_ENABLE_EUREPHIA
 #	bool "Enable support for the eurephia plug-in"
 #	default n
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 9482e9ce39..551a84b0ca 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@  include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.9
-PKG_RELEASE:=4
+PKG_VERSION:=2.5_beta2
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+PKG_HASH:=9c98fb683dccaaf21b48bf4823eb9bfd12fc968355c28093bd0835ed354cd0d4
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 
@@ -37,16 +37,11 @@  define Package/openvpn/Default
   MENU:=1
   DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
   VARIANT:=$(1)
-ifeq ($(1),nossl)
-  PROVIDES:=openvpn
-else
   PROVIDES:=openvpn openvpn-crypto
-endif
 endef
 
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
 define Package/openvpn/config/Default
 	source "$(SOURCE)/Config-$(1).in"
@@ -54,7 +49,6 @@  endef
 
 Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
 Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
-Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
 
 ifeq ($(BUILD_VARIANT),mbedtls)
 CONFIG_OPENVPN_MBEDTLS:=y
@@ -62,13 +56,8 @@  endif
 ifeq ($(BUILD_VARIANT),openssl)
 CONFIG_OPENVPN_OPENSSL:=y
 endif
-ifeq ($(BUILD_VARIANT),nossl)
-CONFIG_OPENVPN_NOSSL:=y
-endif
 
 CONFIGURE_VARS += \
-	IFCONFIG=/sbin/ifconfig \
-	ROUTE=/sbin/route \
 	IPROUTE=/sbin/ip \
 	NETSTAT=/sbin/netstat
 
@@ -86,7 +75,6 @@  define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
-		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
@@ -94,7 +82,6 @@  define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
-		$(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
 		$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
 		$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
 	)
@@ -155,4 +142,3 @@  endef
 
 $(eval $(call BuildPackage,openvpn-openssl))
 $(eval $(call BuildPackage,openvpn-mbedtls))
-$(eval $(call BuildPackage,openvpn-nossl))
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 3de1881e35..0c2fa7a424 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -254,6 +254,24 @@  config openvpn sample_server
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
+	# List the preferred ciphers to use for the data channel.
+	# Run openvpn --show-ciphers to see all supported ciphers.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher in order to be compatible with
+	# peers that do not support cipher negotiation.
+	#
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
+
 	# OpenVPN versions 2.4 and later will attempt to
 	# automatically negotiate the most secure cipher
 	# between the client and server, regardless of a
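Review bot: The comments above the two AES fallback examples are swapped: `# Use AES-256-CBC as fallback` sits above `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `'AES-256-CBC'`, so a user copying the line they read about gets the other key size; swap either the comment lines or the values. The sample then offers `DES-EDE3-CBC` and `BF-CBC` as fallbacks with no caveat, although both are 64-bit block ciphers and the commit message itself says BF-CBC is no longer an acceptable default; I would prefix those two examples with `# 64-bit block ciphers: only for legacy peers that cannot be upgraded`. It may also help to state that the fallback is used only when negotiation fails, so a 2.4+ peer never needs it and setting it only serves pre-2.4 or ncp-disabled clients.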
@@ -265,21 +283,6 @@  config openvpn sample_server
 	# cipher option instead (not recommended).
 #	option ncp_disable
 
-	# Select a cryptographic cipher.
-	# This config item must be copied to
-	# the client config file as well.
-	#
-	# To see all supported ciphers, run:
-	# openvpn --show-ciphers
-	#
-	# Blowfish (default for backwards compatibility,
-	# but not recommended due to weaknesses):
-#	option cipher BF-CBC
-	# AES:
-#	option cipher AES-128-CBC
-	# Triple-DES:
-#	option cipher DES-EDE3-CBC
-
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
@@ -290,9 +293,16 @@  config openvpn sample_server
 	#
 	# LZ4 requires OpenVPN 2.4+ client and server
 #	option compress lz4
-	# LZO is compatible with most OpenVPN versions
-	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
-#	option compress lzo
+
+	# Control how OpenVPN handles peers using compression
+	#
+	# Do not allow any connections using compression
+#	option allow_compression 'no'
+	# Allow incoming compressed packets, but do not send compressed packets to other peers
+	# This can be useful when migrating old configurations with compression activated
+#	option allow_compression 'asym'
+	# Both incoming and outgoing packets may be compressed
+#	option allow_compression 'yes'
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
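Review bot: The new `allow_compression` block lists the three values but gives the reader no steer, while the context lines just above still present `option compress lz4` as a plain feature; the commit message's own reasoning ("compression may weaken the security of the connection") belongs in the sample. I would open the block with `# Compression is not recommended as it can weaken the security of the link; 'no' is the safe choice` and note on the `asym` line that it is a migration aid, not a long-term setting. Which value OpenVPN 2.5 applies when the option is absent is not stated in the hunk; if it is known, saying so here saves users a trip to the manual.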
@@ -449,10 +459,21 @@  config openvpn sample_client
 	# on the system
 #	option tls_version_min "1.2 'or-highest'"
 
-	# Select a cryptographic cipher.
-	# If the cipher option is used on the server
-	# then you must also specify it here.
-#	option cipher x
+	# List the preferred ciphers for the data channel.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher if you connect to a peer that does
+	# not support cipher negotiation.
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
 
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also
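Review bot: The client sample has the same swapped comments as the server one: `# Use AES-256-CBC as fallback` is above `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `'AES-256-CBC'`; swap the comments or the values so each example matches its label. As on the server side, `DES-EDE3-CBC` and `BF-CBC` are offered without a warning; a one-line `# 64-bit block ciphers, only for legacy servers` above those two examples would keep users from picking them by default.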
@@ -464,8 +485,6 @@  config openvpn sample_client
 	#
 	# LZ4 requires OpenVPN 2.4+ on server and client
 #	option compress lz4
-	# LZO is compatible with most OpenVPN versions
-#	option compress lzo
 
 	# Set log file verbosity.
 	option verb 3
diff --git a/package/network/services/openvpn/files/openvpn.options b/package/network/services/openvpn/files/openvpn.options
index 5d7a387cd3..02558ca3bf 100644
--- a/package/network/services/openvpn/files/openvpn.options
+++ b/package/network/services/openvpn/files/openvpn.options
@@ -1,10 +1,12 @@ 
 OPENVPN_PARAMS='
+allow_compression
 askpass
 auth
 auth_retry
 auth_user_pass
 auth_user_pass_verify
 bcast_buffers
+bind_dev
 ca
 capath
 cd
@@ -21,6 +23,7 @@  connect_retry
 connect_retry_max
 connect_timeout
 crl_verify
+data_ciphers_fallback
 dev
 dev_node
 dev_type
@@ -51,7 +54,6 @@  iroute_ipv6
 keepalive
 key
 key_direction
-key_method
 keysize
 learn_address
 link_mtu
@@ -69,7 +71,6 @@  mssfix
 mtu_disc
 mute
 nice
-ns_cert_type
 ping
 ping_exit
 ping_restart
@@ -116,6 +117,9 @@  syslog
 tcp_queue_limit
 tls_auth
 tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
 tls_timeout
 tls_verify
 tls_version_min
@@ -129,6 +133,8 @@  user
 verb
 verify_client_cert
 verify_x509_name
+vlan_accept
+vlan_pvid
 x509_username_field
 '
 
@@ -137,6 +143,7 @@  allow_recursive_routing
 auth_nocache
 auth_user_pass_optional
 bind
+block-ipv6
 ccd_exclusive
 client
 client_to_client
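Review bot: `block-ipv6` is written with a hyphen while every other entry in OPENVPN_PARAMS and this flag list uses an underscore (`allow_compression`, `auth_nocache`, `client_to_client`), which is the form the init script evidently maps to OpenVPN's hyphenated options; UCI option names cannot contain a hyphen, so this entry can never be matched by a config file and the flag is effectively unreachable. Change it to `block_ipv6`. Presumably the same underscore-to-hyphen conversion is what makes the other names work, so no other change should be needed.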
@@ -185,10 +192,13 @@  tls_server
 up_delay
 up_restart
 username_as_common_name
+vlan_tagging
 '
 
 OPENVPN_LIST='
+data_ciphers
 ncp_ciphers
 tls_cipher
 tls_ciphersuites
+tls_groups
 '
diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
index 101fa12ba2..e4e6d39413 100644
--- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
+++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
@@ -1,9 +1,9 @@ 
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -106,7 +106,6 @@ const char title_string[] =
- #ifdef HAVE_AEAD_CIPHER_MODES
-     " [AEAD]"
+@@ -105,7 +105,6 @@ const char title_string[] =
+ #endif
  #endif
+     " [AEAD]"
 -    " built on " __DATE__
  ;
  
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index cb16a906fe..4141c2863c 100644
--- a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@ 
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1520,7 +1520,7 @@ const char *
  get_ssl_library_version(void)
  {
      static char mbedtls_version[30];
diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
deleted file mode 100644
index c7faf7c0c0..0000000000
--- a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ /dev/null
@@ -1,58 +0,0 @@ 
-From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 26 Nov 2017 16:04:00 +0100
-Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
-the errors about the deprecated SSLEAY/SSLeay symbols and defines.
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20171126150401.28565-1-steffan@karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- configure.ac                 | 1 +
- src/openvpn/openssl_compat.h | 8 ++++++++
- src/openvpn/ssl_openssl.c    | 2 +-
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
- 			EVP_MD_CTX_free \
- 			EVP_MD_CTX_reset \
- 			EVP_CIPHER_CTX_reset \
-+			OpenSSL_version \
- 			SSL_CTX_get_default_passwd_cb \
- 			SSL_CTX_get_default_passwd_cb_userdata \
- 			SSL_CTX_set_security_level \
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
- #endif
- 
- /* SSLeay symbols have been renamed in OpenSSL 1.1 */
-+#ifndef OPENSSL_VERSION
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#endif
-+
-+#ifndef HAVE_OPENSSL_VERSION
-+#define OpenSSL_version SSLeay_version
-+#endif
-+
- #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
- #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
- #endif
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
- const char *
- get_ssl_library_version(void)
- {
--    return SSLeay_version(SSLEAY_VERSION);
-+    return OpenSSL_version(OPENSSL_VERSION);
- }
- 
- #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
deleted file mode 100644
index 6a62b16500..0000000000
--- a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
+++ /dev/null
@@ -1,65 +0,0 @@ 
-From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 26 Nov 2017 16:49:12 +0100
-Subject: [PATCH] openssl: add missing #include statements
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
-the errors caused by missing includes.  Previous openssl versions would
-usually include 'the rest of the world', but they're fixing that.  So we
-should no longer rely on it.
-
-(And sneaking in alphabetic ordering of the includes while touching them.)
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20171126154912.13283-1-steffan@karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/openssl_compat.h     | 1 +
- src/openvpn/ssl_openssl.c        | 6 +++++-
- src/openvpn/ssl_verify_openssl.c | 3 ++-
- 3 files changed, 8 insertions(+), 2 deletions(-)
-
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -42,6 +42,7 @@
- 
- #include "buffer.h"
- 
-+#include <openssl/rsa.h>
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
- 
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -52,10 +52,14 @@
- 
- #include "ssl_verify_openssl.h"
- 
-+#include <openssl/bn.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/dsa.h>
- #include <openssl/err.h>
- #include <openssl/pkcs12.h>
-+#include <openssl/rsa.h>
- #include <openssl/x509.h>
--#include <openssl/crypto.h>
- #ifndef OPENSSL_NO_EC
- #include <openssl/ec.h>
- #endif
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -44,8 +44,9 @@
- #include "ssl_verify_backend.h"
- #include "openssl_compat.h"
- 
--#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
- #include <openssl/err.h>
-+#include <openssl/x509v3.h>
- 
- int
- verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index 5cf5174a9d..a99f923644 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,6 +1,6 @@ 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1080,68 +1080,15 @@ dnl
+@@ -1077,68 +1077,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch
index 2b8f47a802..9ddf1047b5 100644
--- a/package/network/services/openvpn/patches/220-disable_des.patch
+++ b/package/network/services/openvpn/patches/220-disable_des.patch
@@ -1,24 +1,17 @@ 
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
  /*
   * Should we include NTLM proxy functionality
   */
--#if defined(ENABLE_CRYPTO)
 -#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
 +//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
  
  /*
   * Should we include proxy digest auth functionality
 --- a/src/openvpn/crypto_mbedtls.c
 +++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -383,6 +383,7 @@ int
  key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
  {
      int ret = 0;
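Review bot: The refreshed syshead.h hunk now leaves commented-out code behind (`//#define NTLM 1`) beside the live `#define NTLM 0`; with the `ENABLE_CRYPTO` guard gone upstream the patch can simply replace the one line with `#define NTLM 0` and drop the comment lines. The file is named 220-disable_des.patch but its visible effect is also to turn off NTLM proxy authentication, presumably because that code path needs the DES helpers it stubs out in crypto_mbedtls.c; a one-line description at the top of the patch saying so would keep the name from misleading the next person who refreshes it. The crypto_mbedtls.c hunks continue past this outer hunk.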
@@ -26,7 +19,7 @@ 
      if (kt->type == MBEDTLS_CIPHER_DES_CBC)
      {
          ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher
      {
          ret = 3;
      }
@@ -34,7 +27,7 @@ 
  
      dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
      return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher
  bool
  key_des_check(uint8_t *key, int key_len, int ndc)
  {
@@ -42,7 +35,7 @@ 
      int i;
      struct buffer b;
  
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len,
  
  err:
      return false;
@@ -58,7 +51,7 @@ 
      int i;
      struct buffer b;
  
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len,
          }
          mbedtls_des_key_set_parity(key);
      }
@@ -66,7 +59,7 @@ 
  }
  
  /*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch
                         unsigned char *src,
                         unsigned char *dst)
  {