- The Best VPN Services Updated for 2017
- http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs
- A bit outdated for 2017: http://lifehacker.com/5935863/five-best-vpn-service-providers
Step 1: Install the TAP driver.
    # git clone https://github.com/kaizawa/tuntap.git
    # cd tuntap
    # ./configure
    # gmake
    # sudo gmake install
- The full output of running those commands, if you are in any way possibly curious.
Step 2: Install the LZO compression library.
    # wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
    # tar -zxvf lzo-2.09.tar.gz
    # cd lzo-2.09
    # ./configure
    # gmake
    # gmake check
    # sudo gmake install
- More full output of running those commands, if you are in any way possibly curious.
Step 3: Install OpenVPN.
For OpenVPN, we modify CFLAGS and LDFLAGS to let OpenVPN find the LZO library we just installed, and we add '--enable-password-save', which will allow us to store the username and password for the VPN in a file.

    # wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz
    # tar -zxvf openvpn-2.3.6.tar.gz
    # cd openvpn-2.3.6
    # CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --with-gnu-ld --enable-password-save
    # gmake
    # sudo gmake install
- Yet again, even more full output of running those commands, if you are in any way possibly curious.
Once OpenVPN is installed, configuring it for use with Solaris is relatively straightforward. PrivateInternetAccess have a bunch of OpenVPN configuration files, with some very useful defaults. Since I'm on the East coast of the US, I started with the "US East.ovpn" file:

    client
    dev tun
    proto udp
    remote us-east.privateinternetaccess.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    tls-client
    remote-cert-tls server
    auth-user-pass
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify crl.pem

To which I added a few options of my own:

    auth-user-pass .pia.login
    script-security 2
    route-delay 2
    route-up route-up.sh
    route-noexec

The 'auth-user-pass .pia.login' line tells the OpenVPN client to read your username and password from a file in the current directory called '.pia.login' (make sure your path is correct if you have issues). The contents of that file are your username by itself on line 1, and your password by itself on line 2.

    supertim
    MySup3rS3cr3tP@ssw0rd

The rest of the lines all affect how routing is done for the VPN. Left to its own devices, OpenVPN doesn't have the code necessary to automatically manage routes. For example, it can't automatically determine the default gateway, and modify that route to update the default gateway to the VPN's default gateway.

    Wed Apr 8 00:54:10 2015 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system

The solution for that is to use a 'route-up' script to handle the routing. In order for OpenVPN to use the script, you need to set 'script-security 2', or you see show-stopping warnings such as:

    Wed Apr 8 01:09:00 2015 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
    Wed Apr 8 01:09:00 2015 WARNING: Failed running command (--route-up): external program fork failed

With script-security set to a reasonable level to allow the OpenVPN client to run scripts, we use 'route-delay 2' to give the client 2 full seconds to get the VPN tunnel set up before doing anything with routing, 'route-noexec' tells the client not to make any direct changes to the routing tables, and 'route-up route-up.sh' tells the client to run a script, which I very imaginatively called 'route-up.sh', during the 'route-up' phase of client activity. The contents of the script look like:

    #!/usr/bin/env ksh
    # OpenVPN passes the remote gateway in as $route_vpn_gateway.
    /usr/sbin/route add 0.0.0.0/1 "$route_vpn_gateway"
    /usr/sbin/route add 128.0.0.0/1 "$route_vpn_gateway"

Since more specific routes are always preferred over less specific routes, setting these two routes allows us to route
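
Added example, not part of the original post: the configuration above keeps the VPN password in '.pia.login' and, with 'script-security 2', lets OpenVPN execute 'route-up.sh', so both files should be locked down. This sketch reads a client config and checks the permissions of the files it names. The function names are hypothetical, and it assumes relative paths resolve against the config's directory and contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes relative paths in the config resolve against the config's directory
# and that the file names it references contain no spaces.

# perms FILE: first 10 characters of `ls -ld`, e.g. "-rw-------".
perms() { ls -ld "$1" | cut -c1-10; }

# resolve DIR PATH: leave absolute paths alone, anchor relative ones at DIR.
resolve() { case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac; }

# check_secret FILE: a credentials file must carry no group/other bits.
check_secret() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    case "$(perms "$1")" in
        -???------) echo "OK   $1" ;;
        *) echo "FAIL $1 is $(perms "$1"); fix with: chmod 600 $1"; return 1 ;;
    esac
}

# check_script FILE: a script OpenVPN will execute must not be writable by
# group or other, or another local user could change what gets run.
check_script() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    case "$(perms "$1")" in
        -????-??-?) echo "OK   $1" ;;
        *) echo "FAIL $1 is $(perms "$1"); fix with: chmod go-w $1"; return 1 ;;
    esac
}

# audit_config FILE.ovpn: returns 0 only if every referenced file passes.
audit_config() {
    cfg=$1; dir=$(dirname "$cfg"); rc=0
    # A bare "auth-user-pass" (prompt for credentials) names no file; skip it.
    for f in $(awk '$1 == "auth-user-pass" && NF > 1 { print $2 }' "$cfg"); do
        check_secret "$(resolve "$dir" "$f")" || rc=1
    done
    # Script hooks that OpenVPN runs once script-security permits it.
    for f in $(awk '$1 ~ /^(up|down|route-up|route-pre-down)$/ && NF > 1 { print $2 }' "$cfg"); do
        check_script "$(resolve "$dir" "$f")" || rc=1
    done
    return "$rc"
}

# Usage: sh audit.sh "US East.ovpn"
if [ $# -gt 0 ]; then audit_config "$1"; fi
```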
Thanks for this.
Thanks a lot for the guide. Have you by chance repeated this on Solaris 11.3? I am trying to do so in order to connect to NordVPN, but while I can build OpenVPN and LZO OK, and connect using NordVPN's provided config files, I am finding OpenVPN core dumps as soon as I attempt to use the connection.
OpenVPN also core dumps during a couple of its test cases (make check), although that appears related to one particular crypto algorithm - AES-128-GCM - and my config file is using AES-256-CBC. Nonetheless, I have a feeling OpenVPN isn't liking the updated OpenSSL in Solaris 11.3.
If you've replicated your steps in 11.3 and have more success than I've so far managed, I'd be very grateful for any advice. Thanks.
Actually.. it's working! I followed your steps exactly, including using the older versions of LZO and in particular OpenVPN (I had been trying with the latest, 2.4.2). And I also used a default Solaris 11.3 install, without applying the latest FOSS updates which also update OpenSSL.
So one or more of those changes has given me a working OVPN! I will now work out which one :)
Thanks again for the guide - I'm now confident I can get a working setup, one way or another!
OK it's the difference between OpenVPN version 2.3 and 2.4. I can use the latest 2.3 - 2.3.16 - no problem. But 2.4.0 and up segfault in the checks and in use. I will raise this with OpenVPN, they seem to be saying it's a problem with OpenSSL on Solaris and not OVPN.
Either way, I'm fine with a working 2.3.x so all is good for me for now.
Thanks again for the post.
I'm glad you got it working, Tom! Thanks for following up with your solution.