Journal toby's Journal: installing OpenVPN on Solaris 10 (amd64)

1. install LZO

Download & untar sources. Configure like this:

INSTALL=/usr/ucb/install ./configure

make && make install

2. install tun driver

Download the tun driver (1.1), unpack it, and run ./configure

Then edit one line of the solaris/Makefile as follows:

CFLAGS = -m64 -mcmodel=kernel -mno-red-zone -ffreestanding $(DEFS) -O2 -Wall -D_KERNEL -I.

make && make install

Move the file 'tun' from /usr/kernel/drv/ into /usr/kernel/drv/amd64 (the 64-bit kernel loads its drivers from the amd64 subdirectory)

Run:

devfsadm -i tun

3. install OpenVPN

Download & unpack.

./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib

make && make install

4. Make it run at startup

This is the quick and dirty way (legacy rc script). The nice way would be SMF (there's probably an SMF manifest for it out there somewhere).

I put the following as file openvpn in /etc/init.d and put a link to it in /etc/rc3.d:

#!/bin/sh

case "$1" in
'start')
    # Start daemon
    cd /etc/openvpn && /usr/local/sbin/openvpn --config server.conf --daemon
    ;;

'stop')
    # Stop daemon.
    kill `cat /var/run/openvpn.pid`
    ;;

*)
    # usage
    echo "Usage: $0 start|stop"
    exit 1
    ;;
esac

The pid file read by the stop case is the one written by the writepid directive in /etc/openvpn/server.conf:

;local IP.ADDRESS.GOES.HERE ; optional bind address
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server SUBNET.ADDRESS.GOES.HERE 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir /etc/openvpn/ccd ; if used
route SUBNET.ADDRESS.GOES.HERE 255.255.255.0
client-to-client ; if desired
keepalive 10 120
;tls-auth ta.key 0 # if used; This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
writepid /var/run/openvpn.pid
down "ifconfig tun0 unplumb"
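
The server.conf above marks server.key and ta.key as files to keep secret. As an added example (not part of the original journal), this sh script reads the active key and tls-auth directives from a config and reports any named file that group or other can access. The function names and the sample built in demo() are constructed for illustration, and relative paths are assumed to resolve against the config's directory.

```sh
#!/bin/sh
# Added example, not from the original journal. Assumes relative paths in the
# config resolve against the config's own directory (the start scripts cd there)
# and that file names contain no whitespace.

# Print the file named by each active "key" and "tls-auth" directive.
# Commented-out lines (";tls-auth ...", "#...") never match on $1.
secret_files() {
    awk '$1 == "key" || $1 == "tls-auth" { print $2 }' "$1"
}

# Return 0 if every secret file exists with no group/other permission bits;
# otherwise print one finding per file and return 1.
check_secret_perms() {
    conf=$1
    dir=`dirname "$conf"`
    rc=0
    for f in `secret_files "$conf"`; do
        case "$f" in
            /*) path=$f ;;
            *)  path=$dir/$f ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        # First 10 chars of ls -l output: type, then user/group/other bits.
        mode=`ls -ldL "$path" | cut -c1-10`
        case "$mode" in
            -???------) ;;
            *) echo "LOOSE $mode $path"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a config like the server.conf above with a
# world-readable key, checked before and after tightening the mode.
demo() {
    d=`mktemp -d` || return 2
    printf 'key server.key\n;tls-auth ta.key 0\ncert server.crt\n' > "$d/server.conf"
    : > "$d/server.key"
    chmod 644 "$d/server.key"
    check_secret_perms "$d/server.conf"
    chmod 600 "$d/server.key"
    check_secret_perms "$d/server.conf" && echo "OK after chmod 600"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then check_secret_perms "$1"; else demo || :; fi
```

Run it with a config path as the only argument to check a real installation; with no argument it runs the constructed demo.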

A client config looks more like this (e.g. for OS X, Linux, or Solaris):

remote SERVER.ADDRESS.GOES.HERE
proto udp
dev tun0
#ping 15
comp-lzo
client
ca /etc/openvpn/ca.crt ; certificate authority's CA cert
cert /etc/openvpn/CLIENT.cert.pem ; client cert as signed by CA
key /etc/openvpn/CLIENT.key.pem ; client private key (keep secret)
;tls-auth ta.key 1 ; if used
;ns-cert-type server ; if this attribute set on server certificate
#status /etc/openvpn/openvpn-status.log
#log /var/log/openvpn.log
verb 3

Client - SMF method script (put in /lib/svc/method/openvpn-client):

#!/bin/sh

case "$1" in
'start') # Start daemon
    cd /etc/openvpn && /usr/local/sbin/openvpn --config openvpn.conf --daemon
    ;;

'stop') # Stop daemon.
    kill `cat /var/run/openvpn.pid`
    ;;

'refresh') # Signal daemon to restart and re-read its config (SIGHUP).
    kill -HUP `cat /var/run/openvpn.pid`
    ;;

*) # Usage
    echo "Usage: $0 start|stop|refresh"
    exit 1
    ;;
esac

Client Manifest (install with svccfg import openvpn-client.xml):

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='OVPNopenvpn:openvpn-client'>

  <service name='network/openvpn-client' type='service' version='1'>

    <create_default_instance enabled='false' />

    <dependency name='net-loopback'
        grouping='require_all'
        restart_on='none'
        type='service'>
      <service_fmri value='svc:/network/loopback' />
    </dependency>

    <dependency name='net-physical'
        grouping='require_all'
        restart_on='none'
        type='service'>
      <service_fmri value='svc:/network/physical' />
    </dependency>

    <dependency name='config_data'
        grouping='require_all'
        restart_on='restart'
        type='path'>
      <service_fmri
          value='file://localhost/etc/openvpn/openvpn.conf' />
    </dependency>

    <exec_method type='method'
        name='start'
        exec='/lib/svc/method/openvpn-client start'
        timeout_seconds='60'/>

    <exec_method type='method'
        name='stop'
        exec='/lib/svc/method/openvpn-client stop'
        timeout_seconds='60' />

    <exec_method type='method'
        name='refresh'
        exec='/lib/svc/method/openvpn-client refresh'
        timeout_seconds='60' />

    <template>
      <common_name>
        <loctext xml:lang='C'>
          OpenVPN client
        </loctext>
      </common_name>
    </template>

  </service>
</service_bundle>
