Step 1: Install the TAP driver.
```
# git clone https://github.com/kaizawa/tuntap.git
# cd tuntap
# ./configure
# gmake
# sudo gmake install
```
- The full output of running those commands, if you are in any way possibly curious.
Step 2: Install the LZO compression library.
```
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
# tar -zxvf lzo-2.09.tar.gz
# cd lzo-2.09
# ./configure
# gmake
# gmake check
# sudo gmake install
```
The LZO tarball is fetched over plain HTTP here, so compare it against the checksum published on the LZO site before building it.
- More full output of running those commands, if you are in any way possibly curious.
Step 3: Install OpenVPN. For OpenVPN we set CFLAGS and LDFLAGS so that configure can find the LZO headers and library we just installed under /usr/local, and we add '--enable-password-save', which allows the VPN username and password to be read from a file (in clear text, so that file needs protecting; more on that below).
```
# wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz
# tar -zxvf openvpn-2.3.6.tar.gz
# cd openvpn-2.3.6
# CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --with-gnu-ld --enable-password-save
# gmake
# sudo gmake install
```
- Yet again, even more full output of running those commands, if you are in any way possibly curious.
Once OpenVPN is installed, configuring it for use with Solaris is relatively straightforward. PrivateInternetAccess have a bunch of OpenVPN configuration files, with some very useful defaults. Since I'm on the East coast of the US, I started with the "US East.ovpn" file:
```
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
```
To which I added a few options of my own:
```
auth-user-pass .pia.login
script-security 2
route-delay 2
route-up route-up.sh
route-noexec
```
The `auth-user-pass .pia.login` line tells the OpenVPN client to read your username and password from a file called '.pia.login' in the current directory (make sure your path is correct if you have issues). You can delete the bare `auth-user-pass` line from PIA's file, which would otherwise prompt for the credentials on the console. The contents of the file are your username by itself on line 1, and your password by itself on line 2:

```
supertim
MySup3rS3cr3tP@ssw0rd
```

Because the password is stored in clear text, make the file readable only by the user that runs OpenVPN (`chmod 600 .pia.login`); OpenVPN warns at startup if the file is group- or world-readable.

The rest of the lines all affect how routing is done for the VPN. Left to its own devices, OpenVPN on Solaris doesn't have the code necessary to manage the default route itself: it can't determine the current default gateway from the system, so it can't modify that route to point at the VPN's default gateway.
```
Wed Apr 8 00:54:10 2015 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
```

The solution for that is to use a route-up script to handle the routing. In order for OpenVPN to run the script, you need to set `script-security 2`, or you see show-stopping warnings such as:

```
Wed Apr 8 01:09:00 2015 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Wed Apr 8 01:09:00 2015 WARNING: Failed running command (--route-up): external program fork failed
```

Level 2 is the lowest level that permits user-defined scripts; level 3 additionally passes passwords to scripts through the environment, so don't set it higher than you need. With script-security set to a level that allows the client to run scripts, `route-delay 2` tells the client to wait 2 full seconds after the tunnel is up before doing anything with routing, `route-noexec` tells the client not to make any direct changes to the routing tables (the routes are only handed to the route-up script through environment variables), and `route-up route-up.sh` tells the client to run a script, which I very imaginatively called `route-up.sh`, during the route-up phase of client activity. The contents of the script look like:

```sh
#!/usr/bin/env ksh
# OpenVPN passes the remote gateway in as $route_vpn_gateway.
# The two /1 routes together cover the whole IPv4 space
# (0.0.0.0-127.255.255.255 and 128.0.0.0-255.255.255.255).
/usr/sbin/route add 0.0.0.0/1 $route_vpn_gateway
/usr/sbin/route add 128.0.0.0/1 $route_vpn_gateway
```

Since more specific routes are always preferred over less specific routes, setting these two routes allows us to route
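One thing the two-line script above does not handle is the path to the VPN server itself: once 0.0.0.0/1 and 128.0.0.0/1 point into the tunnel, the client's own UDP packets to the server match those routes too, which is why OpenVPN's redirect-gateway normally also adds a host route for the server via the original default gateway. The following is an added example (my own code, not the post's script) of a combined route-up / route-pre-down handler in POSIX sh that does that, validates every address before it reaches route(1M), and removes the routes again when the tunnel goes down. It assumes that `route -n get default` on Solaris prints a `gateway: <ip>` line, and that the state file path is writable by the user OpenVPN runs as; script_type, trusted_ip, route_vpn_gateway and route_net_gateway are environment variables OpenVPN exports to its scripts.

```shell
#!/bin/sh
# Added example, not the post's own script: a combined route-up /
# route-pre-down handler for OpenVPN on Solaris. Besides the two /1
# halves it pins a host route to the VPN server through the original
# default gateway, so the tunnel's own UDP packets are never routed into
# the tunnel, and it tears everything down again on route-pre-down.
# Assumptions (not from the post): `route -n get default` prints a
# "gateway: <ip>" line, and $STATE is writable by the OpenVPN user.

ROUTE=/usr/sbin/route
STATE=/var/run/openvpn-orig-gw   # where the original gateway is remembered (assumed path)

# Extract the gateway address from `route -n get default` output on stdin.
parse_default_gateway() {
    awk '$1 == "gateway:" { print $2; exit }'
}

# Reject anything that is not a dotted-quad IPv4 address before it reaches route(1M).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the commands that bring the routes up. Keeping this a pure function
# lets the plan be inspected (or tested) without touching the routing table.
# $1 = original default gateway, $2 = VPN server IP, $3 = VPN gateway
plan_up() {
    printf '%s add -host %s %s\n'    "$ROUTE" "$2" "$1"
    printf '%s add 0.0.0.0/1 %s\n'   "$ROUTE" "$3"
    printf '%s add 128.0.0.0/1 %s\n' "$ROUTE" "$3"
}

# Same arguments as plan_up; removes the routes in reverse order.
plan_down() {
    printf '%s delete 128.0.0.0/1 %s\n' "$ROUTE" "$3"
    printf '%s delete 0.0.0.0/1 %s\n'   "$ROUTE" "$3"
    printf '%s delete -host %s %s\n'    "$ROUTE" "$2" "$1"
}

# Dispatch on the phase OpenVPN is invoking us for. Run outside OpenVPN
# (script_type unset), nothing below executes.
case "${script_type:-}" in
route-up)
    # Prefer the gateway OpenVPN found; on Solaris it usually cannot, so parse it ourselves.
    orig_gw=${route_net_gateway:-$("$ROUTE" -n get default | parse_default_gateway)}
    for a in "$orig_gw" "$trusted_ip" "$route_vpn_gateway"; do
        is_ipv4 "$a" || { echo "route-up.sh: bad address '$a'" >&2; exit 1; }
    done
    umask 077
    printf '%s\n' "$orig_gw" > "$STATE"
    plan_up "$orig_gw" "$trusted_ip" "$route_vpn_gateway" | /bin/sh -e
    ;;
route-pre-down)
    orig_gw=$(cat "$STATE" 2>/dev/null) || exit 0    # nothing to undo
    plan_down "$orig_gw" "$trusted_ip" "$route_vpn_gateway" | /bin/sh
    rm -f "$STATE"
    ;;
esac
```

To use it, save it in place of the script above and point both `route-up route-up.sh` and `route-pre-down route-up.sh` at it in the config, keeping `route-noexec` and `script-security 2` as described. The host route is added before the two halves so there is never a moment when the server is reachable only through the tunnel.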