
Comments (4)

dguido commented on May 10, 2024

So, one concrete issue that is resolved by building from source is that we get AES-NI support. AES-NI is supported on DigitalOcean by default. It helps extremely low-performance VPS providers avoid getting overwhelmed in CPU usage.

from algo.

tobiasbrunner commented on May 10, 2024

So, one concrete issue that is resolved by building from source is that we get AES-NI support.

Enabling the aesni plugin (which I guess is what you are referring to) only has an effect on IKE traffic, of which there isn't a lot. So unless you use the kernel-libipsec plugin (userland IPsec stack) you need a kernel that supports AES-NI.

Some notes on the other options you listed there:

--enable-gcm

Not needed if the openssl plugin is enabled and the installed OpenSSL version supports AES-GCM.

--enable-rdrand

Only useful if the CPU actually supports it (similar to AES-NI).

--enable-conftest

This is a special testing framework that is of no use in production environments.

--enable-test-vectors

This only has an effect if tests are enabled (charon.crypto_test options in strongswan.conf) or when running the unit tests (make check).

--disable-ikev1

Not really a cipher, but if it's not used, disabling it sure makes sense.

--disable-des
--disable-md5
--disable-sha1

These are also provided by the openssl plugin (unless they are disabled in the OpenSSL library against which it is built, or specific OPENSSL_NO_* options were explicitly set when building the plugin). Anyway, some of them might be required (e.g. SHA-1 is required for IKEv2 itself, and some certificates/key formats might still use some of them).

from algo.
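Both hardware-dependent options in the reply above (aesni and rdrand) are only worth enabling if the CPU has the instructions, and for ESP the kernel's own AES-NI driver matters rather than charon's plugin. The following POSIX shell script is an added example, not code from this thread, from Algo or from strongSwan; it checks those preconditions and whether the installed OpenSSL already advertises AES-GCM (which is what makes --enable-gcm redundant). The function names (has_cpu_flag, kernel_has_aesni, openssl_has_gcm, report) are my own, and the cpuinfo and /proc/crypto samples it runs on are constructed so it demonstrates both outcomes offline.

```shell
#!/bin/sh
# Added example (not from the thread, Algo or strongSwan): check whether
# --enable-aesni / --enable-rdrand can do anything on this host, and
# whether the openssl plugin's OpenSSL already provides AES-GCM.
# charon's aesni plugin only accelerates IKE (userland); ESP runs in the
# kernel, so the kernel's aesni_intel driver is what carries the data path.
set -u

# has_cpu_flag CPUINFO FLAG: true if FLAG appears in a "flags :" line.
has_cpu_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw -- "$2"
}

# kernel_has_aesni CRYPTO: true if /proc/crypto lists an aesni driver,
# i.e. aesni_intel is loaded and registered with the kernel crypto API.
kernel_has_aesni() {
    grep -qE '^driver[[:space:]]*:.*aesni' "$1"
}

# openssl_has_gcm: true if the installed OpenSSL advertises aes-256-gcm.
# OpenSSL 1.1+ spells it "list -cipher-algorithms", 1.0.x "list-cipher-algorithms".
openssl_has_gcm() {
    { openssl list -cipher-algorithms 2>/dev/null \
      || openssl list-cipher-algorithms 2>/dev/null; } | grep -qi 'aes-256-gcm'
}

# report CPUINFO CRYPTO: one verdict line per feature; returns the number
# of features that are NOT usable (0 means everything is available).
report() {
    missing=0
    for f in aes rdrand; do
        if has_cpu_flag "$1" "$f"; then echo "cpu:    $f present"
        else echo "cpu:    $f MISSING"; missing=$((missing + 1)); fi
    done
    if kernel_has_aesni "$2"; then echo "kernel: aesni driver registered"
    else echo "kernel: no aesni driver (modprobe aesni_intel)"; missing=$((missing + 1)); fi
    return $missing
}

# Constructed sample inputs (not captured from a real host). For a real
# check run:  report /proc/cpuinfo /proc/crypto
TMP=$(mktemp -d)
cat > "$TMP/cpuinfo_ok" <<'EOF'
processor       : 0
flags           : fpu vme sse sse2 ssse3 aes rdrand avx
EOF
cat > "$TMP/cpuinfo_old" <<'EOF'
processor       : 0
flags           : fpu vme sse sse2 ssse3
EOF
cat > "$TMP/crypto_ok" <<'EOF'
name         : gcm(aes)
driver       : generic-gcm-aesni
EOF
cat > "$TMP/crypto_sw" <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
EOF

echo "== host with AES-NI/RDRAND and the kernel driver loaded =="
report "$TMP/cpuinfo_ok" "$TMP/crypto_ok" || true
echo "== older CPU, software AES only =="
report "$TMP/cpuinfo_old" "$TMP/crypto_sw" || true
if openssl_has_gcm; then echo "openssl: AES-GCM available (--enable-gcm not needed)"
else echo "openssl: no AES-GCM reported (or openssl not installed)"; fi
```

On a VPS the second sample is the realistic failure: the CPU flag is present but aesni_intel is not loaded, in which case IKE gets the plugin speed-up while ESP stays on the generic software AES, which is the case the reply above warns about.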

dguido commented on May 10, 2024

Thanks for the tips @tobiasbrunner! My goal is to support only the features that Algo uses and none others. I will ultimately use this to make a PPA specifically for Algo in #194.

Here are my notes so far.

  • The Debian Building Tutorial describes how to use all the deb packaging tools.
  • The Ubuntu Packaging Guide has some fairly minor changes to the process and uses slightly different tools.
  • Hardening Walkthrough describes some of the compiler options available to deb packages.
  • 16.04 includes strongSwan 5.3.5 but you can clone their 5.5.1 package from git://anonscm.debian.org/pkg-swan/strongswan.git

apt-get update
mkdir strongswan; cd strongswan

# dpkg-dev provides dpkg-source, which apt-get source uses to unpack
# devscripts provides debuild
# debian-keyring provides gpg keys needed to verify signing
apt-get install dpkg-dev devscripts debian-keyring

# Pull down the source and build dependencies from Debian
# (both need an uncommented deb-src line in /etc/apt/sources.list)
apt-get source strongswan; cd strongswan-5.3.5
apt-get build-dep strongswan

# modify debian/rules here
nano -w debian/rules

# binary only build, do not sign changes or source
# add -tc to clean build artifacts between builds
debuild -b -uc -us

Here is what I trimmed the Debian CONFIGUREARGS down to.

CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
                --enable-acert \
                --enable-addrblock \
                --enable-aesni \
                --enable-chapoly \
                --enable-connmark \
                --enable-coupling \
                --enable-error-notify \
                --enable-gcm \
                --enable-integrity-test \
                --enable-lookip \
                --enable-openssl \
                --disable-blowfish \
                --disable-cmac \
                --disable-des \
                --disable-dnskey \
                --disable-fast \
                --disable-ikev1 \
                --disable-md5 \
                --disable-pkcs1 \
                --disable-rc2 \
                --disable-sha1 \
                --disable-sshkey \
                --disable-xcbc

This results in the following build configuration:

 strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: pkcs11 aesni aes sha2 rdrand random nonce x509 revocation constraints acert pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl af-alg fips-prf gmp chapoly hmac gcm
libcharon:     attr resolve socket-default connmark farp stroke updown dhcp lookip error-notify coupling addrblock
libhydra:      kernel-netlink
libtnccs:     

Finally, the following entries need to be deleted from files in the debian directory:

libcharon-extra-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-dhcp.so
usr/lib/ipsec/plugins/libstrongswan-certexpire.so
usr/lib/ipsec/plugins/libstrongswan-eap*.so
usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
usr/lib/ipsec/plugins/libstrongswan-led.so
usr/lib/ipsec/plugins/libstrongswan-unity.so
usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
usr/share/strongswan/templates/config/plugins/certexpire.conf
usr/share/strongswan/templates/config/plugins/eap-*.conf
usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
usr/share/strongswan/templates/config/plugins/led.conf
usr/share/strongswan/templates/config/plugins/unity.conf
usr/share/strongswan/templates/config/plugins/xauth-*.conf
etc/strongswan.d/charon/certexpire.conf
etc/strongswan.d/charon/eap-*.conf
etc/strongswan.d/charon/kernel-libipsec.conf
etc/strongswan.d/charon/led.conf
etc/strongswan.d/charon/unity.conf
etc/strongswan.d/charon/xauth-*.conf
usr/lib/ipsec/libipsec.so*
usr/lib/ipsec/libpttls.so*
usr/lib/ipsec/libradius.so*
usr/lib/ipsec/libsimaka.so*
usr/lib/ipsec/libtls.so*
usr/lib/ipsec/pt-tls-client

libstrongswan.install:
usr/lib/ipsec/plugins/libstrongswan-ccm.so
usr/lib/ipsec/plugins/libstrongswan-dnskey.so
usr/lib/ipsec/plugins/libstrongswan-md4.so
usr/lib/ipsec/plugins/libstrongswan-md5.so
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
usr/lib/ipsec/plugins/libstrongswan-rc2.so
usr/lib/ipsec/plugins/libstrongswan-sha1.so
usr/lib/ipsec/plugins/libstrongswan-sshkey.so
usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
usr/lib/ipsec/plugins/libstrongswan-xcbc.so
usr/share/strongswan/templates/config/plugins/dnskey.conf
usr/share/strongswan/templates/config/plugins/md4.conf
usr/share/strongswan/templates/config/plugins/md5.conf
usr/share/strongswan/templates/config/plugins/pkcs1.conf
usr/share/strongswan/templates/config/plugins/rc2.conf
usr/share/strongswan/templates/config/plugins/sha1.conf
usr/share/strongswan/templates/config/plugins/sshkey.conf
usr/share/strongswan/templates/config/plugins/test-vectors.conf
usr/share/strongswan/templates/config/plugins/xcbc.conf
etc/strongswan.d/charon/dnskey.conf
etc/strongswan.d/charon/md4.conf
etc/strongswan.d/charon/md5.conf
etc/strongswan.d/charon/pkcs1.conf
etc/strongswan.d/charon/rc2.conf
etc/strongswan.d/charon/sha1.conf
etc/strongswan.d/charon/sshkey.conf
etc/strongswan.d/charon/test-vectors.conf
etc/strongswan.d/charon/xcbc.conf

libstrongswan-extra-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-attr-sql.so
usr/lib/ipsec/plugins/libstrongswan-bliss.so
usr/lib/ipsec/plugins/libstrongswan-cmac.so
usr/lib/ipsec/plugins/libstrongswan-ctr.so
usr/lib/ipsec/plugins/libstrongswan-curl.so
usr/lib/ipsec/plugins/libstrongswan-dnscert.so
usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
usr/lib/ipsec/plugins/libstrongswan-ipseckey.so
usr/lib/ipsec/plugins/libstrongswan-ldap.so
usr/lib/ipsec/plugins/libstrongswan-load-tester.so
usr/lib/ipsec/plugins/libstrongswan-mysql.so
usr/lib/ipsec/plugins/libstrongswan-ntru.so
usr/lib/ipsec/plugins/libstrongswan-radattr.so
usr/lib/ipsec/plugins/libstrongswan-soup.so
usr/lib/ipsec/plugins/libstrongswan-sqlite.so
usr/lib/ipsec/plugins/libstrongswan-sql.so
usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
usr/lib/ipsec/plugins/libstrongswan-unbound.so
usr/lib/ipsec/plugins/libstrongswan-whitelist.so
usr/share/strongswan/templates/config/plugins/attr-sql.conf
usr/share/strongswan/templates/config/plugins/ccm.conf
usr/share/strongswan/templates/config/plugins/bliss.conf
usr/share/strongswan/templates/config/plugins/cmac.conf
usr/share/strongswan/templates/config/plugins/ctr.conf
usr/share/strongswan/templates/config/plugins/curl.conf
usr/share/strongswan/templates/config/plugins/dnscert.conf
usr/share/strongswan/templates/config/plugins/gcrypt.conf
usr/share/strongswan/templates/config/plugins/ipseckey.conf
usr/share/strongswan/templates/config/plugins/ldap.conf
usr/share/strongswan/templates/config/plugins/load-tester.conf
usr/share/strongswan/templates/config/plugins/mysql.conf
usr/share/strongswan/templates/config/plugins/ntru.conf
usr/share/strongswan/templates/config/plugins/radattr.conf
usr/share/strongswan/templates/config/plugins/soup.conf
usr/share/strongswan/templates/config/plugins/sql.conf
usr/share/strongswan/templates/config/plugins/sqlite.conf
usr/share/strongswan/templates/config/plugins/systime-fix.conf
usr/share/strongswan/templates/config/plugins/unbound.conf
usr/share/strongswan/templates/config/plugins/whitelist.conf
usr/share/strongswan/templates/database/sql/mysql.sql
usr/share/strongswan/templates/database/sql/sqlite.sql
etc/strongswan.d/charon/attr-sql.conf
etc/strongswan.d/charon/ccm.conf
etc/strongswan.d/charon/bliss.conf
etc/strongswan.d/charon/cmac.conf
etc/strongswan.d/charon/ctr.conf
etc/strongswan.d/charon/curl.conf
etc/strongswan.d/charon/dnscert.conf
etc/strongswan.d/charon/gcrypt.conf
etc/strongswan.d/charon/ipseckey.conf
etc/strongswan.d/charon/ldap.conf
etc/strongswan.d/charon/load-tester.conf
etc/strongswan.d/charon/mysql.conf
etc/strongswan.d/charon/ntru.conf
etc/strongswan.d/charon/radattr.conf
etc/strongswan.d/charon/soup.conf
etc/strongswan.d/charon/sql.conf
etc/strongswan.d/charon/sqlite.conf
etc/strongswan.d/charon/systime-fix.conf
etc/strongswan.d/charon/unbound.conf
etc/strongswan.d/charon/whitelist.conf
usr/lib/ipsec/load-tester
usr/lib/ipsec/whitelist

libstrongswan-standard-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-agent.so
usr/share/strongswan/templates/config/plugins/agent.conf
etc/strongswan.d/charon/agent.conf

strongswan-starter.install:
usr/lib/ipsec/pool
usr/share/strongswan/templates/config/strongswan.d/pool.conf
etc/strongswan.d/pool.conf

rm strongswan-tnc-ifmap.install
rm strongswan-tnc-base.install
rm strongswan-tnc-client.install
rm strongswan-tnc-pdp.install
rm strongswan-tnc-server.install

charon-cmd.install:
usr/sbin/charon-cmd
usr/share/man/man8/charon-cmd.8

add to libstrongswan-extra-plugins:
usr/share/strongswan/templates/config/plugins/aesni.conf
usr/lib/ipsec/plugins/libstrongswan-aesni.so
etc/strongswan.d/charon/aesni.conf

Suggestions to trim this down further are welcome!

from algo.

tobiasbrunner commented on May 10, 2024

You might want to consider using --disable-defaults and then explicitly enable all the features you want. That way new stuff won't get enabled automatically.

from algo.
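The point of the last reply is that a list of --disable-* flags silently admits whatever a newer strongSwan enables by default (the summary posted above already shows pkcs11 and rdrand, neither of which is in the CONFIGUREARGS). The POSIX shell script below is an added example, not code from this thread, from Algo or from strongSwan: it builds the configure line from --disable-defaults plus an explicit allow-list, and after ./configure checks the "strongSwan will be built with the following plugins" summary against that list. The allow-list is my reading of the summary dguido posted minus pkcs11 (assumption: Algo has no smartcard use); the rule that every plugin is enabled by --enable-<plugin-name>, and the extra --enable-charon and --enable-integrity-test (assumption: --disable-defaults turns the daemon off too), are assumptions that the summary check is there to confirm. configure_args, summary_plugins and check_summary are my own names.

```shell
#!/bin/sh
# Added example (not from the thread, Algo or strongSwan): explicit plugin
# allow-list on top of --disable-defaults, plus a check of the configure
# summary so nothing enabled by default slips into the package unnoticed.
set -u

# ASSUMPTION: each plugin is switched on by --enable-<name>. Daemon-level
# features that --disable-defaults also turns off go in EXTRA_FEATURES.
WANT_PLUGINS="aesni aes sha2 rdrand random nonce x509 revocation constraints \
acert pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl af-alg fips-prf gmp chapoly \
hmac gcm attr resolve socket-default connmark farp stroke updown dhcp lookip \
error-notify coupling addrblock kernel-netlink"
EXTRA_FEATURES="charon integrity-test"

# configure_args: print the CONFIGUREARGS value for debian/rules.
configure_args() {
    printf '%s' '--libdir=/usr/lib --libexecdir=/usr/lib --disable-defaults'
    for p in $WANT_PLUGINS $EXTRA_FEATURES; do printf ' --enable-%s' "$p"; done
    printf '\n'
}

# summary_plugins SUMMARY: plugin names from the "libstrongswan: ...",
# "libcharon: ...", "libhydra: ..." lines of the configure output.
summary_plugins() {
    sed -n 's/^[[:space:]]*lib[a-z]*:[[:space:]]*//p' "$1" \
        | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# check_summary SUMMARY: report plugins that were built but not wanted
# (UNEXPECTED) and wanted but absent (MISSING); returns 1 on any UNEXPECTED.
check_summary() {
    rc=0
    for p in $(summary_plugins "$1"); do
        case " $WANT_PLUGINS " in
            *" $p "*) ;;
            *) echo "UNEXPECTED: $p"; rc=1 ;;
        esac
    done
    for p in $WANT_PLUGINS; do
        summary_plugins "$1" | grep -qx -- "$p" || echo "MISSING: $p"
    done
    return $rc
}

# Sample summary: the one posted earlier in this thread, saved to a file the
# way  ./configure $(configure_args) | tee configure.log  would produce it.
TMP=$(mktemp -d)
cat > "$TMP/summary" <<'EOF'
 strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: pkcs11 aesni aes sha2 rdrand random nonce x509 revocation constraints acert pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl af-alg fips-prf gmp chapoly hmac gcm
libcharon:     attr resolve socket-default connmark farp stroke updown dhcp lookip error-notify coupling addrblock
libhydra:      kernel-netlink
libtnccs:
EOF

echo "CONFIGUREARGS := $(configure_args)"
check_summary "$TMP/summary" || echo "summary differs from the allow-list (see above)"
```

Against the posted summary the check prints "UNEXPECTED: pkcs11" and fails, which is exactly the kind of default-enabled plugin the advice above is about; with --disable-defaults in place, a MISSING line instead means the --enable-<name> assumption is wrong for that plugin and the option name needs looking up in ./configure --help.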
