OpenVPN is an SSL/TLS-based open source VPN solution supporting several authentication methods, including username/password, certificates, and smart cards. The OpenVPN Solaris packages are provided through the Blastwave repository. Three packages must be installed, tun, tap, and openvpn, along with any additional dependencies.
# /opt/csw/bin/pkgutil -i tun tap
# /opt/csw/bin/pkgutil -i openvpn
Use the Blastwave pkgutil program to download and install the tun and tap network drivers along with the OpenVPN package.
The first thing to do is set up a complete SSL certificate authority (CA). For a full explanation of certificate authorities see the Creating OpenSSL Certificates and Certificate Authorities article. The OpenVPN server will have a certificate/key pair signed by the CA. Each client also has a certificate/key pair, signed by the same CA, that it uses to authenticate. The OpenVPN server will only accept certificates signed by this CA, and a certificate revocation list (CRL) will be used to reject certificates that have been compromised or withdrawn (expired certificates are rejected by their validity dates and need no CRL entry).
A bundled set of scripts (easy-rsa) for creating the CA and certificates is included in /etc/csw/openvpn/easy-rsa.
# cd /etc/csw/openvpn/easy-rsa
# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/csw/openvpn/easy-rsa/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [TX]:
Locality Name (eg, city) [AUSTIN]:
Organization Name (eg, company) [HIGHERPASS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:higherpass.com
Email Address [me@myhost.mydomain]:
This creates the ca.key and ca.crt files for the certificate authority. Source the vars script to set up the environment variables (the default DN fields and the KEY_SIZE setting come from here; the 1024-bit keys shown in these transcripts are too small for a new deployment, so raise KEY_SIZE to at least 2048 before continuing), then run clean-all to empty the key/certificate storage directory, and finally run build-ca to build the CA. Protect ca.key: anyone holding it can issue certificates the VPN server will accept.
root@ip-10-250-139-210:/etc/csw/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
......................................................++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [TX]:
Locality Name (eg, city) [AUSTIN]:
Organization Name (eg, company) [HIGHERPASS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:higherpass.com
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/csw/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'TX'
localityName          :PRINTABLE:'AUSTIN'
organizationName      :PRINTABLE:'HIGHERPASS'
commonName            :PRINTABLE:'higherpass.com'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 20 18:10:50 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The build-key-server server command builds the server.key and server.crt files for the OpenVPN server and signs the certificate with the CA key. In the transcript above the server certificate reuses the CA's common name (higherpass.com); give the CA a distinct name, such as the organization name followed by "CA", so the two certificates cannot be confused.
# ./build-key client1
# ./build-key client2
Build a signed certificate/key pair for each client. Use a distinct name per client, since that name becomes the certificate's common name; each client receives its own .crt and .key files together with ca.crt, and never the CA key or another client's key.
/etc/csw/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................+.................
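The procedure above (CA, server certificate, client certificates, revocation) is what easy-rsa drives under the hood, and the part the article does not show is how to check the result. The following POSIX shell script is an added example, not code from the original article and not the easy-rsa scripts; it builds the same kind of PKI with plain openssl(1) in a throwaway directory, then performs the two checks an OpenVPN deployment depends on: that every issued certificate chains to ca.crt, and that a client certificate is rejected once it has been revoked and the CRL is consulted. The 2048-bit key size, the names (Example VPN CA, server, client1, client2) and the minimal ca.cnf are assumptions of the example; it needs only openssl in PATH.

```shell
#!/bin/sh
# Added example (not from the article or easy-rsa): throwaway PKI with plain
# openssl(1), plus chain and CRL verification. All names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal CA configuration standing in for easy-rsa's openssl.cnf (assumed).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
unique_subject   = yes
[ policy_any ]
commonName       = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
mkdir newcerts
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# build-ca equivalent: self-signed CA with a CN distinct from the server's.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example VPN CA" -days 3650 >/dev/null 2>&1

# issue NAME EXT_SECTION: build-key-server / build-key equivalent.
# The server gets serverAuth, clients get clientAuth, so a client cert
# cannot be used to impersonate the server.
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -extensions "$2" \
        -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
issue server  server_ext
issue client1 client_ext
issue client2 client_ext

# Check 1: does NAME.crt chain to ca.crt?
chain_ok() { openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; }

# Revoke client2 and regenerate the CRL, as you would after a laptop is lost.
openssl ca -batch -config ca.cnf -revoke client2.crt >/dev/null 2>&1
openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# Check 2: does NAME.crt still verify when the CRL is enforced?
cat ca.crt crl.pem > ca_with_crl.pem
verify_with_crl() {
    openssl verify -crl_check -CAfile ca_with_crl.pem "$1.crt" >/dev/null 2>&1
}

for c in server client1 client2; do
    chain_ok "$c" && echo "$c: chains to CA"
done
verify_with_crl client1 && echo "client1: accepted with CRL check"
if verify_with_crl client2; then
    echo "client2: still accepted after revocation (BUG)"; exit 1
else
    echo "client2: rejected by CRL as expected"
fi
```

On the OpenVPN server the equivalent files are referenced with the ca, cert, key and dh directives, and the CRL with crl-verify crl.pem; OpenVPN re-reads that file on each connection, so regenerating the CRL after a revocation takes effect without a restart. Because the server certificate carries the serverAuth extended key usage, clients can add remote-cert-tls server to refuse any peer presenting a client certificate as if it were the server.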