Installing and Configuring OpenVPN in OpenSolaris

Determine VPN network information

The first thing to do is decide whether to use a routed or bridged network. Unless you require broadcasting, for example for IPX, routed is probably the better choice. You also need to pick an IP range for the VPN. Select a range within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, but avoid commonly used ranges such as 192.168.0.0/24 so the VPN subnet does not conflict with the networks your clients are already on.

Setting up openvpn.conf

Copy /etc/csw/openvpn/openvpn.conf.CSW to /etc/csw/openvpn/openvpn.conf and create symlinks to the certificates and keys generated earlier.

# cd /etc/csw/openvpn
/etc/csw/openvpn# cp openvpn.conf.CSW openvpn.conf
/etc/csw/openvpn# ln -s easy-rsa/keys/dh1024.pem
/etc/csw/openvpn# ln -s easy-rsa/keys/server.crt
/etc/csw/openvpn# ln -s easy-rsa/keys/server.key
/etc/csw/openvpn# ln -s easy-rsa/keys/ca.crt

Important Settings in openvpn.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0

Set the listening port to 1194. The proto statement sets the protocol to TCP or UDP. Use the dev statement to select the tun or tap driver; this must be used in combination with the matching server or server-bridge statement. Use tun if you want a routed network and tap if you want a bridged network. The ca, cert, and key statements point to the CA certificate, server certificate, and server key respectively. It is usually best to change those to the full path of each file or of the symlinks we created. The dh statement points to the Diffie-Hellman parameter file we created earlier.

The server or server-bridge line designates the internal VPN subnet for OpenVPN to use. The server command only requires the subnet and netmask. The server-bridge command needs the IP address for the bridge adapter followed by the subnet mask and the first and last IP in the subnet that can be given out to clients.

Solaris ipfilter configuration

If you are running ipfilter, its rules may block incoming VPN connections; add the following rule to /etc/ipf/ipf.conf. This example is taken from a Xen instance, so if you are using a physical interface replace xnf0 with the appropriate interface name. The rule must match the proto and port set in openvpn.conf.

pass in quick on xnf0 proto udp from any to xnf0/32 port = 1194 keep state

Reload the ipfilter rules:

ipf -Fa -f /etc/ipf/ipf.conf

At this point OpenVPN is configured and can be started. Start openvpn in the foreground the first time so any errors are printed to the terminal. Afterwards you can use the second command to start openvpn as a daemon.

# /opt/csw/sbin/openvpn /etc/csw/openvpn/openvpn.conf

Or

# /etc/init.d/openvpn start

Client configuration

The client needs to be configured similarly to the server. The client also needs to receive the client certificate and key we created earlier along with the certificate authority certificate. The client configuration file needs to have the same tun/tap settings as the server along with the same protocol and compression settings.

Example client configuration:

client
dev tun
proto udp
remote vpn.server.hostname 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

This simple client configuration specifies tun (routing mode) over UDP, matching the proto udp setting in the server configuration and the ipfilter rule above. The remote statement specifies the OpenVPN server hostname or IP address and port. The resolv-retry line tells the OpenVPN client to keep retrying indefinitely if the server hostname cannot be resolved. Using nobind lets OpenVPN pick a local port rather than binding to a fixed one. The persist-key and persist-tun lines tell the client to keep the key material and the tun device across restarts. The ca, cert, and key lines point to the CA certificate, the client certificate and the client private key used to authenticate the connection. Finally, comp-lzo enables LZO compression; it must be present in both the server and the client configuration, or the two sides will not be able to talk to each other.
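As an added example that is not part of the tutorial, the following Python script parses an OpenVPN server config and a client config and reports the settings the text says must agree (tun/tap, protocol, port, compression), and optionally checks that an ipfilter pass rule admits the server's protocol and port. The sample configs are constructed; the client is deliberately given proto tcp and comp-lzo while the server has neither, so both mismatches are reported.

```python
import re

def parse_ovpn(text):
    """Map option -> argument list; '#' and ';' start comments in OpenVPN configs."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def check_pair(server_conf, client_conf, ipf_rule=None):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    s, c = parse_ovpn(server_conf), parse_ovpn(client_conf)
    problems = []
    # proto: 'tcp-server'/'tcp-client' count as 'tcp'; OpenVPN defaults to udp
    s_proto = s.get('proto', ['udp'])[0].split('-')[0]
    c_proto = c.get('proto', ['udp'])[0].split('-')[0]
    if s_proto != c_proto:
        problems.append(f'proto: server {s_proto}, client {c_proto}')
    # dev: 'tun0' and 'tun' are the same mode; tun vs tap is what must agree
    s_dev, c_dev = s.get('dev', [''])[0][:3], c.get('dev', [''])[0][:3]
    if s_dev != c_dev:
        problems.append(f'dev: server {s_dev}, client {c_dev}')
    # port: server 'port N' (default 1194) vs client 'remote host [N]'
    s_port = s.get('port', ['1194'])[0]
    remote = c.get('remote', [])
    c_port = remote[1] if len(remote) > 1 else '1194'
    if s_port != c_port:
        problems.append(f'port: server {s_port}, client remote {c_port}')
    # comp-lzo must be enabled on both sides or on neither
    if ('comp-lzo' in s) != ('comp-lzo' in c):
        problems.append('comp-lzo: set on only one side')
    # optional: the ipfilter pass rule must admit the server's proto and port
    if ipf_rule:
        m = re.search(r'proto\s+(\w+).*port\s*=\s*(\d+)', ipf_rule)
        if not m or m.group(1) != s_proto or m.group(2) != s_port:
            problems.append('ipfilter: rule does not match server proto/port')
    return problems

# Constructed sample inputs modelled on the tutorial's configs
SERVER_CONF = "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n"
CLIENT_CONF = "client\ndev tun\nproto tcp\nremote vpn.server.hostname 1194\ncomp-lzo\n"
IPF_RULE = "pass in quick on xnf0 proto udp from any to xnf0/32 port = 1194 keep state"

if __name__ == '__main__':
    for problem in check_pair(SERVER_CONF, CLIENT_CONF, IPF_RULE):
        print('MISMATCH', problem)
```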
