OpenSolaris Tutorials
Installing and Configuring OpenVPN in OpenSolaris
Deploying OpenSolaris In Amazon EC2
Installing Postfix and Dovecot Under OpenSolaris

Installing and Configuring OpenVPN in OpenSolaris

OpenVPN Introduction

OpenVPN is a SSL based open source VPN solution supporting a number of different authentication tokens including username/password, certificates, and smart-cards. The OpenVPN Solaris packages are provided through the Blastware repository. There are three major packages that must be installed, tun, tap, and openvpn along with any additional dependencies.

# /opt/csw/bin/pkgutil -i tun tap
# /opt/csw/bin/pkgutil -i openvpn

Use the Blastwave pkgutil program to download and install the tun and tap network drivers along with the OpenVPN package.

Configuring OpenVPN

Setting up SSL

The first thing to do is setup a complete SSL Certificate Authority (CA). For a full explanation of certificate authorities see Creating OpenSSL Certificates and Certificate Authorities article. The OpenVPN server will have a certificate/key pair signed by the CA. Each client also has a keypair used to authenticate that will also be signed by the CA. The OpenVPN server will only allow certificates signed by the CA to be used, and a certificate revocation list (CRL) will be used to invalidate compromised/expired certificates.

Bundled set of scripts to create certificates is included in /etc/csw/openvpn/easy-rsa.

Creating Certificate Authority

# cd /etc/csw/openvpn/easy-rsa
# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/csw/openvpn/easy-rsa/keys
# ./clean-all 
# ./build-ca 
Generating a 1024 bit RSA private key
.++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [TX]:
Locality Name (eg, city) [AUSTIN]:
Organization Name (eg, company) [HIGHERPASS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:higherpass.com
Email Address [me@myhost.mydomain]:

This will created the ca.key and ca.crt files for the certificate authority. Source the vars script to setup the environment variables, then run clean-all to clean up the key/certificate storage directory. Next run build-ca to build the CA.

Generate server keypair

root@ip-10-250-139-210:/etc/csw/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
......................................................++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [TX]:
Locality Name (eg, city) [AUSTIN]:
Organization Name (eg, company) [HIGHERPASS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:higherpass.com
Email Address [me@myhost.mydomain]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/csw/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'TX'
localityName          :PRINTABLE:'AUSTIN'
organizationName      :PRINTABLE:'HIGHERPASS'
commonName            :PRINTABLE:'higherpass.com'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 20 18:10:50 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The build-key-server server command builds the server.key and server.crt files for the OpenVPN server and signs then with the CA keypair.

Generate client keypairs

# ./build-key client1
# ./build-key client2

Build the signed keys to distribute to the clients.

Generate Diffie/Hellman (DH) parameters

/etc/csw/openvpn/easy-rsa# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................+.................
 1 2  >> Configuring The OpenVPN Server And Clients
New Content