[geeks] OpenVPN on Solaris

Micah R Ledbetter vlack-lists at vlack.com
Wed Mar 21 01:18:03 CDT 2007


This is a followup to a post I made last month:

On Feb 22, 2007, at 01:48, Micah R Ledbetter wrote:
> I currently have a Solaris Express machine (Sun Blade 100) sharing
> 500GB of storage via NFS. I'm on a pretty open network (one house
> with 25 people and a shared wireless network - yes, really), and I'd
> like to secure the access to the Solaris machine. The only clients I
> have (for now) are Mac OS X clients.

I received a lot of comments and helpful suggestions - thanks,  
everyone :).
  - sshfs in fink (on Mac OS X, of course) instead of MacFUSE, as it  
is likely more robust; however, it is without a GUI.
  - Kerberized NFS (Secure RPC), which should work under at least  
Solaris, Linux, and OS X.
  - AFS
  - An IPsec implementation of some kind, which I could then use with  
any networked filesystem I wanted.
  - Coda

I looked the hardest at AFS. The openafs.org implementation says that
it supports Solaris, but I eventually gave up because I couldn't get  
it to compile (one note, though: *don't* try to compile with GCC on  
Solaris! Use Sun's cc instead). I'd like to try it because it seems  
cool, but I eventually went with...

OpenVPN, since I (theoretically) know how it works, since I've used  
it for another job. Here are the gotchas I found for OpenVPN under  
Solaris:
  - According to some unofficial documentation^W^W blog post I read,  
the tap driver for Solaris[0] doesn't support bridging AKA trunking  
AKA bonding. This may be fixed here[1], but the code is alpha.  
Another solution - the one I chose - is to use routing instead of  
bridging when setting up openvpn.
  - I created an SMF manifest[2]. (I'm using the term "created"  
pretty loosely, since what I did could be accomplished by downloading  
someone else's rsync.xml and 'M-x replace-string rsync openvpn', but  
hey, it worked.) It could be nicer... for one thing, you may need to  
unplumb the tun interface to restart it.
  - If you like, you can also see my server config[3]...
  - ...and my Mac OS X client config[4] which I use with tunnelblick[5].

Again, thanks for all the help that y'all gave.

  - Micah

[0] http://vtun.sf.net; available in blastwave as 'tun'
[1] http://www.whiteboard.ne.jp/~admin2/tuntap/
[2] http://vlack.com/etc/ovpn-solaris/openvpn.xml
[3] http://vlack.com/etc/ovpn-solaris/openvpn-solaris_server.conf
[4] http://vlack.com/etc/ovpn-solaris/openvpn-macosx_client.conf
[5] http://www.tunnelblick.net/
