<h1>OpenVPN-NL</h1>
<p>
 This is an overlay for the Gentoo Linux distribution; it provides ebuilds for
 <a href="https://openvpn.fox-it.com">OpenVPN-NL</a>.
</p>
<h2>Why this overlay?</h2>
<p>
 When I was experimenting with hardware security tokens and OpenVPN I got
 really bad performance; tunnel setup took multiple minutes. When I found
 OpenVPN-NL and tried it, it worked a lot better. So I initially
 created this overlay for personal use, and now hope it will be useful for
 others too. My forum topic on this subject can be found
 <a href="https://forums.gentoo.org/viewtopic-t-1114346.html">here</a>.
</p>
<h2>What is in this overlay?</h2>
<p>
 This overlay carries a single package: net-vpn/openvpn-nl. OpenVPN-NL is
 a modified version of OpenVPN made by and for the Dutch government (hence the
 -NL). The modifications to both mbed TLS and OpenVPN include disabling of
 insecure configurations and ciphers. I did a full diff on the packages and
 their originals and there's no backdoor-ish stuff. Of course you don't have
 to believe me, all the source is out there.
</p>
<p>
 The package has a single USE flag: the use-expanded CPU_FLAGS_X86 flag aes.
 The official way of using OpenVPN-NL prohibits using hardware-accelerated
 crypto; for private use you can of course change that. If this flag is set, it
 will enable AES-NI support in mbed TLS, allowing hardware acceleration.
</p>
<p>
 All files and directories with &quot;openvpn&quot; in their names have been
 renamed to &quot;openvpn-nl&quot;, which ensures that OpenVPN and OpenVPN-NL
 can both be installed at the same time.
</p>
<p>
 You might notice that the package does not specify any dependencies. This is
 because they are not specified, and we'll have to find them out as we go.
 On my system I also have OpenVPN installed, which takes care of most
 dependencies.
</p>
<h2>How to use this overlay?</h2>
<p>
 First you'll have to clone this overlay to a place you like; a common place
 these days is <b>/var/db/repos</b>. So cd into that directory and use
 <b>git clone https://code.pa4wdh.nl.eu.org/gentoo/openvpn-nl</b>; this will
 create a directory called openvpn-nl with the overlay in it.
</p>
<p>
 Next you have to make Portage aware of the repo. For that you'll have to
 create a config file under <b>/etc/portage/repos.conf</b>. Create a file
 called <b>openvpn-nl.conf</b> and give it these contents:
</p>
<pre>
[openvpn-nl]
location = /var/db/repos/openvpn-nl
sync-type = git
sync-uri = https://code.pa4wdh.nl.eu.org/gentoo/openvpn-nl
</pre>
<p>
 If you placed the overlay in a different place than <b>/var/db/repos</b>, make
 sure to adapt the <b>location</b> line to your needs.
</p>
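<p>
 The two steps above as one script that keeps the <b>location</b> line in sync
 with wherever the overlay is cloned. This is an added example, not part of the
 overlay itself; the function names and the <b>install</b> argument are
 assumptions of the example, the repo name, URI and paths come from this README.
</p>

```shell
#!/bin/sh
# Added example: clone the overlay and write a matching repos.conf entry.
# REPO_NAME and REPO_URI are taken from the README; the function names and
# the "install" argument are assumptions made for this example.
REPO_NAME="openvpn-nl"
REPO_URI="https://code.pa4wdh.nl.eu.org/gentoo/openvpn-nl"

# Print the repos.conf section for an overlay cloned under parent directory $1.
render_repo_conf() {
    printf '[%s]\nlocation = %s/%s\nsync-type = git\nsync-uri = %s\n' \
        "$REPO_NAME" "${1%/}" "$REPO_NAME" "$REPO_URI"
}

# Write the section to $2/openvpn-nl.conf; never replace a differing file.
write_repo_conf() {
    parent=$1
    conf_dir=$2
    target="$conf_dir/$REPO_NAME.conf"
    case $parent in
        /*) ;;  # Portage needs an absolute location
        *) echo "overlay parent must be an absolute path: $parent" >&2; return 2 ;;
    esac
    mkdir -p "$conf_dir" || return 1
    if [ -e "$target" ]; then
        if [ "$(render_repo_conf "$parent")" = "$(cat "$target")" ]; then
            return 0  # already configured exactly as wanted
        fi
        echo "$target exists with different contents, not overwriting" >&2
        return 3
    fi
    render_repo_conf "$parent" > "$target"
}

# Clone the overlay into $1/openvpn-nl unless a checkout is already there.
clone_overlay() {
    [ -d "$1/$REPO_NAME/.git" ] && return 0
    git clone "$REPO_URI" "$1/$REPO_NAME"
}

# Does both steps only when run as: sh setup-overlay.sh install [parent] [conf_dir]
if [ "${1:-}" = "install" ]; then
    parent=${2:-/var/db/repos}
    clone_overlay "$parent" &&
        write_repo_conf "$parent" "${3:-/etc/portage/repos.conf}"
fi
```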
<h2>What can I do with this?</h2>
<p>
 For me this is the best way to get OpenVPN running with hardware crypto
 tokens. If that's what you like, or if you'd simply like to run OpenVPN-NL
 instead of OpenVPN on Gentoo, this is the easiest way.
</p>
<p>
 If you have any feedback on this overlay, you're quite likely to find me on
 the <a href="https://forums.gentoo.org">Gentoo forums</a>.
</p>
<p>
 Have fun!
</p>