[GH-ISSUE #36] openvpn-otp didn't working on debian stretch #20

Closed
opened 2026-02-25 22:30:46 +03:00 by kerem · 6 comments

Originally created by @unix196 on GitHub (Aug 17, 2020).
Original GitHub issue: https://github.com/evgeny-gridasov/openvpn-otp/issues/36

Good day. I receive this error after running the openvpn server with the openvpn-otp plugin:

```
/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --reneg-sec 86400  --cd /etc/openvpn --config /etc/openvpn/server.conf

/var/log/openvpn/openvpn-server.log <==
Mon Aug 17 15:15:18 2020 PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/openvpn-otp.so: /usr/lib/openvpn/openvpn-otp.so: undefined symbol: EVP_MD_CTX_free: No such file or directory (errno=2)
Mon Aug 17 15:15:18 2020 Exiting due to fatal error
```

Server config:

```
/etc/openvpn/server.conf:
...
plugin "/usr/lib/openvpn/openvpn-otp.so" otp_secrets=/etc/openvpn/otp_secrets
```

Version OS: `Debian GNU/Linux 9.12 (stretch)`
openvpn-otp built as a Debian package.

```
dpkg -l | grep openvp
ii  openvpn                       2.4.8-stretch0                    amd64        virtual private network daemon
ii  openvpn-otp                   1.0-1~stretch                     amd64        This plug-in adds support for time based OTP (totp) and HMAC

dpkg -L openvpn-otp
/usr/lib/openvpn/openvpn-otp.la
/usr/lib/openvpn/openvpn-otp.so
```

```
dpkg -l | grep ssl
ii  libssl-dev:amd64              1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                    1.1.0l-1~deb9u1                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.2:amd64             1.0.2u-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64               1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - cryptographic utility

openssl version
OpenSSL 1.1.0l  10 Sep 2019

ldd /usr/lib/openvpn/openvpn-otp.so
	linux-vdso.so.1 (0x00007ffff62bd000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8afdbd3000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f8afe17b000)
```

I saw an old issue with a comment - https://github.com/evgeny-gridasov/openvpn-otp/issues/29#issuecomment-442696402, but I tried installing different versions of openvpn server (2.4.9, 2.4.8, 2.4.7 - using the repo from openvpn) - the error is the same.
I suspect the trouble is with openssl, but I don't know how to fix that.

kerem closed this issue 2026-02-25 22:30:46 +03:00

@evgeny-gridasov commented on GitHub (Aug 17, 2020):

Hi unix196,
Have you tried compiling it from source? I'm not sure what the package maintainers did to compile it, so it is difficult to tell what is going on. It is OpenSSL related. EVP_MD_CTX_free is available from OpenSSL 1.1.0, not sure why it is not available in your build of OpenSSL.

Could you please run ldd against openvpn binary and provide results here?


@unix196 commented on GitHub (Aug 17, 2020):

```
openvpn --version
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08

Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

ldd /usr/sbin/openvpn
	linux-vdso.so.1 (0x00007ffd94ddd000)
	libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fc230433000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fc23021b000)
	liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007fc22fff3000)
	liblz4.so.1 => /usr/lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fc22fddb000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc22fbbb000)
	libpkcs11-helper.so.1 => /usr/lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fc22f99b000)
	libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007fc22f533000)
	libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fc230a9b000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc22f0bb000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc22ed1b000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc230913000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fc22eaf3000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc22e8eb000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fc22e6c3000)
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fc22e3b3000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fc22e13b000)
	libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fc22df23000)
```

> Have you tried compiling it from source

I think that maintaining my version of openssl in production is not a good idea. This option would be possible if I ran openvpn in docker, but in future I plan to run it on a hardware server.


@evgeny-gridasov commented on GitHub (Aug 17, 2020):

This is where your problem is. OpenVPN is linked against libssl 1.0.2 but should be 1.1

```
libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)
```

You need to either recompile OpenVPN against libssl 1.1 or recompile the plugin against the version you have installed.
I would also suggest you send an email to package maintainers to fix that.
Can I ask, where did you get the openvpn-otp deb file, is it part of Debian now?


@unix196 commented on GitHub (Aug 17, 2020):

Oh, I think I started to understand where the problem is - I build the deb on one VM, then clone this VM and install the assembled deb package. According to the documentation I need to install `libssl-dev/openssl-devel/libressl-devel`; on the build machine I set up `libssl-dev`:

```
dpkg -l | grep ssl
ii  libssl-dev:amd64              1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                    1.1.0l-1~deb9u1                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.2:amd64             1.0.2u-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64               1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - cryptographic utility
```

I don't really understand how to fix it yet, but I figured out where to dig.


@unix196 commented on GitHub (Aug 18, 2020):

> You need to either recompile OpenVPN against libssl 1.1 or recompile the plugin against the version you have installed.

I still don't clearly understand what should be done: on my distro - debian 9 stretch, all versions of `openvpn` use `libssl.so.1.0.2` (`ldd /usr/sbin/openvpn`), though on the server I also have the package `libssl1.1` installed. I did `make install` for the openvpn-otp plugin, `apt-get install openvpn` and received the same error (`EVP_MD_CTX_free: No such file or...`) (I do all actions on one machine).
Can I get along without `recompile OpenVPN against libssl 1.1`? (because in production it will require building my own openvpn deb package and maintaining it).


@unix196 commented on GitHub (Aug 20, 2020):

Figured it out:

```
apt-get install libssl1.0-dev
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl1.0-dev
```

Package `libssl-dev` does not need to be installed on the build machine; `libssl1.0-dev` is needed.
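
The mismatch diagnosed in this thread can be checked before a plugin is deployed: the plugin's `ldd` output lists no libcrypto, so its OpenSSL imports are resolved from whatever the host `openvpn` process has loaded. The script below is an added example, not part of the original issue or the openvpn-otp project; the function names and the `nm` sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: list OpenSSL symbols a plugin imports that the host's
# libcrypto does not export. Functions work on captured ldd / nm -D text.

# Print the libcrypto SONAME found in `ldd <host>` output on stdin.
host_crypto_soname() {
    awk '$1 ~ /^libcrypto\.so/ { print $1; exit }'
}

# $1: text of `nm -D --undefined-only <plugin>`
# $2: text of `nm -D --defined-only <libcrypto>`
# Prints each EVP_*/HMAC_* import of the plugin that the library lacks.
missing_symbols() {
    provided=$(printf '%s\n' "$2" |
        awk 'NF == 3 { sub(/@.*/, "", $3); print $3 }')
    printf '%s\n' "$1" |
        awk '$1 == "U" && $2 ~ /^(EVP|HMAC)_/ { sub(/@.*/, "", $2); print $2 }' |
        sort -u |
        while read -r sym; do
            printf '%s\n' "$provided" | grep -qxF -- "$sym" ||
                printf '%s\n' "$sym"
        done
}

# Same check on real files. Trusted binaries only: ldd can execute code
# from the file it inspects.
check_plugin() {
    lib=$(ldd "$1" | awk '$1 ~ /^libcrypto\.so/ { print $3; exit }')
    [ -n "$lib" ] || { echo "host does not link libcrypto" >&2; return 2; }
    miss=$(missing_symbols "$(nm -D --undefined-only "$2")" \
                           "$(nm -D --defined-only "$lib")")
    [ -z "$miss" ] && return 0
    printf 'unresolved against %s:\n%s\n' "$lib" "$miss" >&2
    return 1
}

# Constructed samples: two ldd lines as posted in this thread, plus
# made-up nm listings (only EVP_MD_CTX_free is taken from the error;
# the rest is an assumption, not the plugin's real import list).
SAMPLE_LDD='    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007fc22f533000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)'
SAMPLE_PLUGIN_NM='                 U EVP_DigestInit_ex
                 U EVP_MD_CTX_free
                 U memcpy'
SAMPLE_LIB_NM='0000000000001000 T EVP_DigestInit_ex
0000000000001100 T EVP_MD_CTX_destroy'

printf '%s\n' "$SAMPLE_LDD" | host_crypto_soname      # libcrypto.so.1.0.2
missing_symbols "$SAMPLE_PLUGIN_NM" "$SAMPLE_LIB_NM"  # EVP_MD_CTX_free
```

On a real host the call is `check_plugin /usr/sbin/openvpn /usr/lib/openvpn/openvpn-otp.so`, which returns non-zero and names the unresolved symbols when the plugin was built against a different OpenSSL series than the one the daemon loads.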
