Skip to content

Instantly share code, notes, and snippets.

@Anubisss
Last active March 13, 2024 10:04
Show Gist options
  • Save Anubisss/afea82b97058e418e8030ee35e40f54f to your computer and use it in GitHub Desktop.
Save Anubisss/afea82b97058e418e8030ee35e40f54f to your computer and use it in GitHub Desktop.
How to compile statically linked OpenVPN client for ARMv5

How to compile statically linked OpenVPN client for ARMv5

You need to install ARMv5 gcc cross compiler: apt-get install gcc-arm-linux-gnueabi

You have to define a directory (via --prefix) where all of your binaries will be installed (copied). In the guide I use the following: /home/user/vpn_compile

OpenSSL

  1. Download the source: wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
  2. Extract it and change the working directory: tar -xvf openssl-1.0.2j.tar.gz && cd openssl-1.0.2j
  3. Configure it: ./Configure gcc -static -no-shared --prefix=/home/user/vpn_compile --cross-compile-prefix=arm-linux-gnueabi-
  4. Compile: make
  5. Install: make install

LZO

  1. Download the source: wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
  2. Extract it and change the working directory: tar -xvf lzo-2.09.tar.gz && cd lzo-2.09
  3. Configure it: ./configure --prefix=/home/user/vpn_compile --enable-static --target=arm-linux-gnueabi --host=arm-linux-gnueabi --disable-debug
  4. Compile: make
  5. Install: make install

OpenVPN

  1. Download the source: wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.12.tar.gz
  2. Extract it and change the working directory: tar -xvf openvpn-2.3.12.tar.gz && cd openvpn-2.3.12
  3. Configure it: ./configure --target=arm-linux-gnueabi --host=arm-linux-gnueabi --prefix=/home/user/vpn_compile --disable-server --enable-static --disable-shared --disable-debug --disable-plugins OPENSSL_SSL_LIBS="-L/home/user/vpn_compile/lib -lssl" OPENSSL_SSL_CFLAGS="-I/home/user/vpn_compile/include" OPENSSL_CRYPTO_LIBS="-L/home/user/vpn_compile/lib -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/home/user/vpn_compile/include" LZO_CFLAGS="-I/home/user/vpn_compile/include" LZO_LIBS="-L/home/user/vpn_compile/lib -llzo2"
  4. Compile: make LIBS="-all-static"
  5. Install: make install

Your OpenVPN client is here: /home/user/vpn_compile/sbin/openvpn

Make sure this is what you need:

$ file /home/user/vpn_compile/sbin/openvpn
/home/user/vpn_compile/sbin/openvpn: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=e6fd2008c129fef90ed9826e3ffb9d53e83eb42c, not stripped

Versions

Build system:

$ uname -rm
4.4.0-45-generic x86_64
$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
$ arm-linux-gnueabi-gcc --version
arm-linux-gnueabi-gcc (Ubuntu/Linaro 5.4.0-6ubuntu1~16.04.1) 5.4.0 20160609

Target system:

$ uname -rm
3.2.34 armv5tejl
$ openvpn --version
OpenVPN 2.3.12 arm-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 27 2016
library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=no enable_port_share=yes enable_selinux=no enable_server=no enable_shared=no enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
@BenoitDuffez
Copy link

Step OpenVPN, end of step 3: missing slash:

LZO_LIBS="-L/home/user/vpn_compilelib -llzo2"

vs

LZO_LIBS="-L/home/user/vpn_compile/lib -llzo2"

Otherwise thanks a lot for all of this. I'd still need to figure out how to build for linux 2.6 though, my target device has a very old kernel.

@adrianhans
Copy link

adrianhans commented Jul 6, 2017

if experiencing any error related to "unable to find openssl lib" (e.g. configure: error: openssl check failed), you may want to try replacing
OPENSSL_SSL_LIBS="-L/home/user/vpn_compile/lib -lssl" OPENSSL_SSL_CFLAGS="-I/home/user/vpn_compile/include" OPENSSL_CRYPTO_LIBS="-L/home/user/vpn_compile/lib -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/home/user/vpn_compile/include" LZO_CFLAGS="-I/home/user/vpn_compile/include" LZO_LIBS="-L/home/user/vpn_compilelib -llzo2"

with

OPENSSL_SSL_CFLAGS="-I/home/user/vpn_compile/include" OPENSSL_CRYPTO_CFLAGS="-I/home/user/vpn_compile/include" LZO_CFLAGS="-I/home/user/vpn_compile/include" LIBS="-L/home/user/vpn_compile/lib -lssl -lcrypto -llzo2"

since the order of "-lssl -lcrypto -llzo2" matters. It works for me.

@Anubisss
Copy link
Author

@BenoitDuffez Thanks i fixed it.

@mzpqnxow
Copy link

mzpqnxow commented Apr 14, 2018

I just want to point out here to save others time.. some time between OpenVPN 2.3 and OpenVPN 2.4.5 the names of the variables related to OpenSSL changed from OPENSSL_SSL_CFLAGS to OPENSSL_CFLAGS as well as OPENSSL_SSL_LIBS to OPENSSL_LIBS. I was banging my head against a wall until I finally just did a diff of the ./configure --help output of the 2 versions :>

Building for a Ubiquity EdgeRouter, my final configure command for OpenVPN 2.4.5 (latest stable) ended up like this (note I added LZ4 and a few other things just to match the stock Ubiquity shipped OpenVPN:

~/openvpn-2.4.5$ ./configure --disable-plugins --target=mips-32-linux-musl --host=mips-32-linux-musl --prefix=/home/user/vpn_compile --disable-server --enable-static --disable-shared --disable-debug OPENSSL_LIBS="-L/home/user/vpn_compile/lib -lssl" OPENSSL_CFLAGS="-I/home/user/vpn_compile/include" OPENSSL_CRYPTO_LIBS="-L/home/user/vpn_compile/lib -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/home/user/vpn_compile/include" LZO_CFLAGS="-I/home/user/vpn_compile/include" LZ4_CFLAGS='-I/home/user/vpn_compile/include' LZO_LIBS="-L/home/user/vpn_compile/lib -llzo2" LZ4_LIBS="-L/home/user/vpn_compile/lib -llz4" LIBS="-L/home/user/vpn_compile/lib -lssl -lcrypto -llzo2 -llz4" IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route NETSTAT=/bin/netstat IPROUTE=/sbin/ip --enable-x509-alt-username --enable-fast-install --enable-iproute2

@hanneshoettinger
Copy link

hanneshoettinger commented Jul 1, 2020

I am building 2.4.9 (2.3.12 works with the given description, thanks for that!!):
./configure --target=arm-linux-gnueabihf --host=arm-linux-gnueabihf --prefix=/home/user/vpn_compile --disable-server --enable-static --disable-shared --disable-debug --disable-plugins OPENSSL_LIBS="-L/home/user/vpn_compile/lib -lssl" OPENSSL_CFLAGS="-I/home/user/vpn_compile/include" OPENSSL_CRYPTO_LIBS="-L/home/user/vpn_compile/lib -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/home/user/vpn_compile/include" LZO_CFLAGS="-I/home/user/vpn_compile/include" LZO_LIBS="-L/home/user/vpn_compile/lib -llzo2" LIBS="-L/home/user/vpn_compile/lib -lssl -lcrypto -llzo2"

However, resulting in:

/home/user/vpn_compile/lib/libssl.a(statem_clnt.o): In function `tls_construct_client_hello':
statem_clnt.c:(.text+0x1a2): undefined reference to `OPENSSL_sk_num'
statem_clnt.c:(.text+0x1be): undefined reference to `OPENSSL_sk_value'
statem_clnt.c:(.text+0x332): undefined reference to `RAND_bytes'
statem_clnt.c:(.text+0x39a): undefined reference to `ERR_add_error_data'
statem_clnt.c:(.text+0x458): undefined reference to `OPENSSL_sk_num'
statem_clnt.c:(.text+0x470): undefined reference to `OPENSSL_sk_value'
/home/user/vpn_compile/lib/libssl.a(statem_clnt.o): In function `tls_construct_cke_gost':
statem_clnt.c:(.text+0x660): undefined reference to `X509_get0_pubkey'
statem_clnt.c:(.text+0x666): undefined reference to `EVP_PKEY_CTX_new'
statem_clnt.c:(.text+0x67e): undefined reference to `CRYPTO_malloc'
statem_clnt.c:(.text+0x68a): undefined reference to `EVP_PKEY_encrypt_init'
statem_clnt.c:(.text+0x696): undefined reference to `RAND_bytes'
statem_clnt.c:(.text+0x6be): undefined reference to `EVP_PKEY_CTX_free'
statem_clnt.c:(.text+0x6ce): undefined reference to `CRYPTO_clear_free'
statem_clnt.c:(.text+0x6d4): undefined reference to `EVP_MD_CTX_free'
statem_clnt.c:(.text+0x724): undefined reference to `EVP_MD_CTX_new'
statem_clnt.c:(.text+0x72e): undefined reference to `OBJ_nid2sn'
statem_clnt.c:(.text+0x732): undefined reference to `EVP_get_digestbyname'
statem_clnt.c:(.text+0x73a): undefined reference to `EVP_DigestInit'
statem_clnt.c:(.text+0x784): undefined reference to `EVP_DigestUpdate'
statem_clnt.c:(.text+0x794): undefined reference to `EVP_DigestUpdate'
statem_clnt.c:(.text+0x7a6): undefined reference to `EVP_DigestFinal_ex'
statem_clnt.c:(.text+0x7b0): undefined reference to `EVP_MD_CTX_free'
statem_clnt.c:(.text+0x7c8): undefined reference to `EVP_PKEY_CTX_ctrl'
statem_clnt.c:(.text+0x7ec): undefined reference to `EVP_PKEY_encrypt'
statem_clnt.c:(.text+0x856): undefined reference to `EVP_PKEY_CTX_free'
/home/user/vpn_compile/lib/libssl.a(statem_clnt.o): In function `tls_construct_cke_psk_preamble':
statem_clnt.c:(.text+0xa48): undefined reference to `CRYPTO_memdup'
statem_clnt.c:(.text+0xa5a): undefined reference to `CRYPTO_strdup'
statem_clnt.c:(.text+0xa80): undefined reference to `CRYPTO_free'
statem_clnt.c:(.text+0xa98): undefined reference to `CRYPTO_free'
statem_clnt.c:(.text+0xaf0): undefined reference to `OPENSSL_cleanse'
statem_clnt.c:(.text+0xaf8): undefined reference to `OPENSSL_cleanse'
statem_clnt.c:(.text+0xb06): undefined reference to `CRYPTO_clear_free'
statem_clnt.c:(.text+0xb14): undefined reference to `CRYPTO_clear_free'
/home/user/vpn_compile/lib/libssl.a(statem_clnt.o): In function `tls_construct_client_key_exchange':
statem_clnt.c:(.text+0xc68): undefined reference to `CRYPTO_clear_free'
statem_clnt.c:(.text+0xc7c): undefined reference to `CRYPTO_clear_free'
statem_clnt.c:(.text+0xcaa): undefined reference to `X509_get0_pubkey'
statem_clnt.c:(.text+0xcb0): undefined reference to `EVP_PKEY_get0_RSA'
statem_clnt.c:(.text+0xcc6): undefined reference to `CRYPTO_malloc'
statem_clnt.c:(.text+0xce8): undefined reference to `RAND_bytes'
statem_clnt.c:(.text+0xd4a): undefined reference to `EVP_PKEY_get0_DH'
statem_clnt.c:(.text+0xd6a): undefined reference to `EVP_PKEY_free'
statem_clnt.c:(.text+0xda0): undefined reference to `EVP_PKEY_CTX_new'
statem_clnt.c:(.text+0xda8): undefined reference to `EVP_PKEY_encrypt_init'
.
.
.

Any idea what's wrong?
openssl 1.1.1f

@Anubisss
Copy link
Author

Anubisss commented Jul 2, 2020

@hanneshoettinger I have no idea to be honest. I'm not working on/with this anymore.
From the error message it looks like you have to link (-l) some lib (or the proper version?) to able to compile (link) the openSSL.

@trendymail
Copy link

trendymail commented Sep 25, 2020

Hello!

Long story short: this page/tutorial and your replies saved my life... ^^

@Anubisss: many many thanks for your hard work. It's simply awesome!

Below, a quick digest (tested twice) to build OpenVPN 2.4.9 (server & client) with lzo and lz4 for ARM using Debian 9.

Debian

apt-get install build-essential gcc-arm-linux-gnueabi ca-certificates

mkdir /home/source /home/openvpn

LZO

cd /home/source
wget https://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar xvzf lzo-2.10.tar.gz

cd lzo-2.10
./configure --prefix=/home/openvpn --enable-static --target=arm-linux-gnueabi --host=arm-linux-gnueabi

make && make install

LZ4

cd /home/source
wget https://github.com/lz4/lz4/archive/v1.9.2.tar.gz
tar xvzf v1.9.2.tar.gz

cd lz4-1.9.2
make && PREFIX=/home/openvpn make install

Openssl

cd /home/source
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
tar xvzf openssl-1.1.1h.tar.gz

cd openssl-1.1.1h
./Configure gcc -static -no-shared --prefix=/home/openvpn --cross-compile-prefix=arm-linux-gnueabi-

make && make install

OpenVPN

cd /home/source
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.9.tar.gz
tar xvzf openvpn-2.4.9.tar.gz

cd openvpn-2.4.9
./configure --target=arm-linux-gnueabi --host=arm-linux-gnueabi --prefix=/home/openvpn --enable-static --disable-shared --disable-debug --disable-plugins OPENSSL_CFLAGS="-I/home/openvpn/include" OPENSSL_LIBS="-L/home/openvpn/lib -lssl -lcrypto" LZO_CFLAGS="-I/home/openvpn/include" LZO_LIBS="-L/home/openvpn/lib -llzo2" LZ4_CFLAGS="-I/home/openvpn/include" LZ4_LIBS="-L/home/openvpn/lib -llz4" IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route NETSTAT=/bin/netstat IPROUTE=/sbin/ip --enable-iproute2

make LIBS="-all-static" && make install

Final

cd /home/openvpn/sbin/

openvpn (static) binary is here!

@Anubisss
Copy link
Author

@trendymail Great work, thank you!

@ksaurabh02
Copy link

ksaurabh02 commented Sep 28, 2020

@trendymail

Hello!

Long story short: this page/tutorial and your replies saved my life... ^^

@Anubisss: many many thanks for your hard work. It's simply awesome!

Below, a quick digest (tested twice) to build OpenVPN 2.4.9 (server & client) with lzo and lz4 for ARM using Debian 9.

Debian

apt-get install build-essential gcc-arm-linux-gnueabi ca-certificates

mkdir /home/source /home/openvpn

LZO

cd /home/source
wget https://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar xvzf lzo-2.10.tar.gz

cd lzo-2.10
./configure --prefix=/home/openvpn --enable-static --target=arm-linux-gnueabi --host=arm-linux-gnueabi

make && make install

LZ4

cd /home/source
wget https://github.com/lz4/lz4/archive/v1.9.2.tar.gz
tar xvzf v1.9.2.tar.gz

cd lz4-1.9.2
make && PREFIX=/home/openvpn make install

Openssl

cd /home/source
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
tar xvzf openssl-1.1.1h.tar.gz

cd openssl-1.1.1h
./Configure gcc -static -no-shared --prefix=/home/openvpn --cross-compile-prefix=arm-linux-gnueabi-

make && make install

OpenVPN

cd /home/source
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.9.tar.gz
tar xvzf openvpn-2.4.9.tar.gz

cd openvpn-2.4.9
./configure --target=arm-linux-gnueabi --host=arm-linux-gnueabi --prefix=/home/openvpn --enable-static --disable-shared --disable-debug --disable-plugins OPENSSL_CFLAGS="-I/home/openvpn/include" OPENSSL_LIBS="-L/home/openvpn/lib -lssl -lcrypto" LZO_CFLAGS="-I/home/openvpn/include" LZO_LIBS="-L/home/openvpn/lib -llzo2" LZ4_CFLAGS="-I/home/openvpn/include" LZ4_LIBS="-L/home/openvpn/lib -llz4" IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route NETSTAT=/bin/netstat IPROUTE=/sbin/ip --enable-iproute2

make LIBS="-all-static" && make install

Final

cd /home/openvpn/sbin/

openvpn (static) binary is here!

I am getting configure: error: openssl check failed.
I fixed it, for future reference. Do Check config.log, there would be different errors. See how you can fix them

@zoobab
Copy link

zoobab commented Jan 19, 2022

If I follow those instructions to build statically for x86_64 (remove the right -target args), I end up with a non-static build:

zoobab@vic /home/zoobab/sbin [16]$ ldd openvpn
        linux-vdso.so.1 (0x00007fffcad4f000)
        libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f631610f000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f6315ef8000)
        liblz4.so.1 => not found
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6315b4d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6316327000)

I have all the .a libs at the right place though...

@zoobab
Copy link

zoobab commented Jan 19, 2022

I did a cleanup, it works, sorry for the noise:

zoobab@vic /home/zoobab/sbin [34]$ ldd openvpn
        not a dynamic executable

@pepeteg
Copy link

pepeteg commented Apr 27, 2022

Hi!!

I have follow the steps but I have a dynamic library dependency for lz4:

otool -L openvpn
openvpn:
/usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/local/lib/liblz4.1.dylib (compatibility version 1.0.0, current version 1.9.2)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1311.100.3)

I am working in macOS.

I have checked the libraries and I have the static lz4 library:

ls -l liblz4*
-rwxr-xr-x 1 pepeteg staff 156987 25 abr 23:37 liblz4.1.9.2.dylib
lrwxr-xr-x 1 pepeteg staff 18 25 abr 23:37 liblz4.1.dylib -> liblz4.1.9.2.dylib
-rw-r--r-- 1 pepeteg staff 151800 25 abr 23:37 liblz4.a
lrwxr-xr-x 1 pepeteg staff 18 25 abr 23:37 liblz4.dylib -> liblz4.1.9.2.dylib

Please, could you tell me how you solved it?.

Thanks in advance.

Best regards

@thomasa88
Copy link

Not related to above comment, but this is how I managed to compile OpenVPN 2.5.5 for the Synology DS212j (a bit old).

Synology toolchains:
https://sourceforge.net/projects/dsgpl/files/Tool%20Chain
For DS212j:
https://deac-ams.dl.sourceforge.net/project/dsgpl/Tool%20Chain/DSM%206.2.4%20Tool%20Chains/Marvell%2088F628x%20Linux%202.6.32/6281-gcc464_glibc215_88f6281-GPL.txz

Synology 6.2.4, DS212j build

export TOOLCHAIN=$HOME/src/openvpn-synology/arm-marvell-linux-gnueabi
# find arm-marvell-linux-gnueabi/ -name '*crt1*'
export SYSROOT=$TOOLCHAIN/arm-marvell-linux-gnueabi/libc
# Not all tools are contained inside the sysroot, so cannot use that "gcc" etc
#export PATH=$SYSROOT/bin:$PATH
export PATH=$TOOLCHAIN/bin:$PATH
export PREFIX=$HOME/src/openvpn-synology/prefix
export HOST=arm-marvell-linux-gnueabi

openssl-1.1.1n:
./Configure gcc --cross-compile-prefix=${HOST}- -static -no-shared --prefix=$PREFIX --sysroot=$SYSROOT
make -j8
make install


lzo-2.10: # Needed if we want lzo compression
./configure --host $HOST CC=$TOOLCHAIN/bin/${HOST}-gcc --enable-static --prefix=$PREFIX LDFLAGS="--sysroot=$SYSROOT" CFLAGS="--sysroot=$SYSROOT"
make -j8
make install


openvpn-2.5.5:
# lz4 compression compat files kicks in automatically.
./configure --host=$HOST CC=$TOOLCHAIN/bin/${HOST}-gcc --prefix=$PREFIX --enable-static --disable-shared --disable-debug --disable-plugins --disable-unit-tests LDFLAGS="--sysroot=$SYSROOT -L$PREFIX/lib" CFLAGS="--sysroot=$SYSROOT" CPPFLAGS="-I$PREFIX/include" 

# Fails on "no module named docutils", but succeeds if run again..
make -j8 LIBS="-all-static"

make install

@locnnil
Copy link

locnnil commented Nov 11, 2022

@hanneshoettinger Go inside the configure script and search for the keyword: OPENSSL_CRYPTO_LIBS looks that this options is not properly configured.

I'm building version 2.5.8 and inside of my configure there is no OPENSSL_CRYPTO_LIBS or OPENSSL_CRYPTO_CFLAGS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment