Fun with OpenSolaris and OpenVPN
Since it seems that my new neighbors run an unsecured wireless network (not that I’m one to talk, as I certainly don’t bother encrypting mine), I though I’d hop on. With names (I’m assuming by the same person) like Tubgirl.org and 2girls1cup I was a bit leery about them redirecting all my traffic, but it wasn’t to be the case. I have no problems doing anything, but I’m suspecting they ran an unsecured SMTP server which was used as a spam relay at some point. Port 25 is blocked. SSH port forwarding is apparently too complicated for Heather in the few times she can actually get on the networks (chalk that up to shitty transmission power and network code from Windows, since we have virtually identical laptops and I’ve got no issues in Solaris or OSX), so she can’t send anything.
I figured I’d set up a VPN server on the connection I still have at Steph’s house until such time as we actually get cable installed. I can’t do it myself, since I still have an account open with them. I could transfer the service, but then I wouldn’t get all the new subscriber deals, so…
Solaris doesn’t come with device nodes for tunneling IP connections (other than IPSEC, which I’m not going to set up due to the complexity involved for a short-term solution). It does have device nodes and drivers for bridging, but they’re kind of limited when it comes to pinging the host that initiated the tunnel from the client. A virtual ethernet adapter would get around that, but it’d be needlessly hacky.
For whatever reason, the tun/tap drivers didn’t want to compile. Well, it’s not “whatever reason.” It’s “developer doesn’t bother to check whether or not Solaris systems are 64 bit since he only gives a fuck about Linux.” Easy fix in the Makefile:
CFLAGS = $(DEFS) -O2 -Wall -D_KERNEL -I. -m64 -mcmodel=kernel -mno-red-zone
After compiling, more problems. The device didn’t want to attach. Kernel drivers for 64 bit x86 don’t go in /platform/i86pc/kernel/drv/amd64, they go in /usr/kernel/drv/amd64. Fixed and loaded. On to OpenVPN:
Compile and install. Generate SSL certificates, sign keys for VPN clients. Set up configuration:
local 192.168.0.8
port 443 #nobody's going to block outgoing HTTPS, and I'll never run an HTTPS server at home
proto udp
dev tun #L2 routing, not ethernet bridging. Clients don't need broadcast.
ca ca.crt
cert alucard.crt
key alucard.key
dh dh1024.pem #more encryption
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt #DHCP for the VPN
push "route 192.168.0.0 255.255.255.0" #routes to get to the rest of my networks
push "route 10.0.0.0 255.255.0.0"
push "redirect-gateway" #all traffic over the tunnel
push "dhcp-option DNS 192.168.0.1" #Windows needs this
push "dhcp-option WINS 192.168.0.2" #Also Windows
client-to-client #let clients see each other
keepalive 10 120 #send pings to keep the connection alive
tls-auth ta.key 0 #helps revent DoS
cipher BF-CBC #use Blowfish encryption
comp-lzo #compression
user nobody
group nobody #take away server priviledges
persist-key
persist-tun #keep keys and tunnels even after priviledge is disabled
status openvpn-status.log
log-append openvpn.log #don't overwrite logs on restart
verb 6 #verbosity for the log to diagnose connection problems
mute 20 #don't repeat more than 20 sequential messages in the log
Routes are set to let them see my network at home, but network clients need to know how to get back to them:
root@OpenWrt:~$ route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.8
root@OpenWrt:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 192.168.0.8 255.255.255.0 UG 0 0 0 br0
10.0.0.0 192.168.0.8 255.255.0.0 UG 0 0 0 br0
192.168.0.0 * 255.255.255.0 U 0 0 0 br0
24.118.228.0 * 255.255.254.0 U 0 0 0 vlan1
default c-3-0-ubr04.eag 0.0.0.0 UG 0 0 0 vlan1
default 192.168.0.1 0.0.0.0 UG 0 0 0 br0
root@OpenWrt:~$
Good so far. NAT would be a good thing, though. They can all appear to come from my server. Turning on the firewall?
Configuration:
alucard[/]# cat /etc/ipf/ipnat.conf
map bge0 10.8.0.0/24 -> 0/32 portmap tcp/udp auto
map bge0 10.8.0.0/24 -> 0/32
alucard[/]#ipnat -f /etc/ipf/ipnat.conf
alucard[/]# ipnat -l
List of active MAP/Redirect filters:
map bge0 10.8.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto #change source port to random between 10000 and 20000
map bge0 10.8.0.0/24 -> 0.0.0.0/32 #catch everything else. ICMP/etc
List of active sessions:
alucard[/]#svcadm restart ipfilter
alucard[/]#/etc/init.d/openvpn start
Starting OpenVPN…
alucard[/]#ifconfig tun0
tun0: flags=10011008d1
inet 10.8.0.1 –> 10.8.0.2 netmask ffffffff
ether 3c:7:0:ff:ff:ff
Tunnel’s up with the right address. Client config:
client
dev tun
proto udp
remote my.dyndns.address 443
resolv-retry infinite #never give up
nobind #don't bind to local address and port
persist-key
persist-tun
ca ca.crt
cert heather.crt
key heather.key
comp-lzo
verb 5
tls-auth ta.key 1
pull #gets everything with a "push" directive in the server's conf file
Connecting a client and testing:
ryan@xerxes ~ $ ping 10.8.0.1
10.8.0.1 is alive
ryan@xerxes ~ $ ping 192.168.0.2
192.168.0.2 is alive
ryan@xerxes ~ $ ping google.com
google.com is alive
ryan@xerxes ~ $ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute: Warning: Multiple interfaces found; using 192.168.0.8 @ bge0
traceroute to google.com (72.14.207.99), 30 hops max, 40 byte packets
1 10.8.0.1 (10.8.0.1) 8.643 ms 8.704 ms 8.412 ms
2 192.168.0.1 (192.168.0.1) 5.602 ms 1.691 ms 1.458 ms
3 73.237.96.1 (73.237.96.1) 10.583 ms 12.434 ms 18.580 ms
4 ge-1-40-ur01.webster.mn.minn.comcast.net (68.87.179.189) 10.214 ms 11.131 ms *
5 te-8-1-ur02.minnehaha.mn.minn.comcast.net (68.87.174.149) 10.884 ms 11.120 ms *
6 te-8-3-ur01.minnehaha.mn.minn.comcast.net (68.87.174.145) 11.021 ms 12.867 ms *
7 * te-8-1-ar02.roseville.mn.minn.comcast.net (68.87.174.141) 105.276 ms *
8 te-0-0-0-0-cr01.omaha.ne.ibone.comcast.net (68.86.84.29) 27.271 ms 26.469 ms 26.695 ms
9 COMCAST-IP.car2.Denver1.Level3.net (4.79.82.58) 35.925 ms 37.085 ms 43.306 ms
10 te-3-4.car2.Denver1.Level3.net (4.79.82.57) 35.323 ms 40.357 ms 37.765 ms
11 ae-32-56.ebr2.Denver1.Level3.net (4.68.107.190) 50.018 ms 48.416 ms 37.038 ms
12 ae-3.ebr3.Chicago1.Level3.net (4.69.132.62) 44.406 ms 47.588 ms 40.422 ms
13 ae-68.ebr1.Chicago1.Level3.net (4.69.134.57) 42.095 ms 43.703 ms 36.046 ms
14 ae-2.ebr2.NewYork1.Level3.net (4.69.132.66) 74.493 ms 67.525 ms 69.368 ms
15 ae-82-82.csw3.NewYork1.Level3.net (4.69.134.90) 66.745 ms 65.820 ms 69.375 ms
16 ae-33-89.car3.NewYork1.Level3.net (4.68.16.133) 63.640 ms * *
17 GOOGLE-INC.car3.NewYork1.Level3.net (4.71.172.82) 64.239 ms 65.020 ms 65.755 ms
18 72.14.236.215 (72.14.236.215) 68.622 ms 66.218 ms 65.106 ms
19 72.14.233.113 (72.14.233.113) 79.852 ms 78.445 ms 81.719 ms
20 66.249.94.92 (66.249.94.92) 79.104 ms 83.073 ms 81.338 ms
21 72.14.236.134 (72.14.236.134) 89.334 ms 83.721 ms 66.249.94.50 (66.249.94.50) 81.548 ms
22 eh-in-f99.google.com (72.14.207.99) 80.819 ms 79.071 ms 83.579 ms
Everything looks as it should, plus it’s routed through the VPN. Good. Well, good other than Comcast’s bullshit. What the fuck, 4 connections in Minnesota. I’m getting an extra 10 seconds of latency in minnehaha in (presumably) the same datacenter? I can’t fathom why it wouldn’t just immediately go to Roseville, and that 106ms latency in Roseville is ridiculous. Level 3 I’ll forgive because they’re a backbone provider. Comcast, not so much.
I know nobody else will really be interested in reading this, so it’s more for my own benefit should I need to duplicate it than anything, but… Should you need to set up a VPN server, you know who to call.
As an aside, my fileserver’s going to get an exciting 8 port PCI-X SATA card and 8 500GB drives. Another 7.5TB should hold me for a while, plus it’s a lot more spindles for performance. I’m really considering just getting Sun Rays (thin clients) instead of using a full-fledged desktop (they’ll do multi-head, too), and just turning on my Wintendo for games.
6 Comments
Other Links to this Post
RSS feed for comments on this post. TrackBack URI
Leave a comment
You must be logged in to post a comment.
By garnser, January 19, 2009 @ 3:56 pm
Hi Ryan,
I’m currently working on a deployment where support for OpenSolaris has been requested. We’ve decided to run with tap interfaces (long story), after doing a bunch of reading I figured that there seams to be some flaws, an example which I have is the push of IP’s to the client, I’ve tried to remediate this using an up-script assigning the created tap interface an IP, however, when I run ifconfig tapX up it wont execute, I’ve similar issues if I try to add additional routes, what could the cause of this be?
By Ryan, January 20, 2009 @ 3:19 pm
I assume you’re at least a little familiar with Solaris. You didn’t specify, whether this is on the server or the client, thouh. As a general rule, your steps will run something like:
With any brdgeadm stuff thrown in as necessary. If that doesn’t work, see if you have /dev/tun. If not, try “devfsadm -a”.
What are you passing as arguments to “route”?
By garnser, January 21, 2009 @ 10:30 am
Hi again,
This is on the client-side. I don’t seam to have the tunctl binary, the tap interface is created though.
If possible, can you email me on jpetersson [at] garnser [dot] se ? Thanks
By gsta, March 26, 2009 @ 8:57 am
garnser,
Probably a bit late but for OpenVPN TAP support check out http://www.whiteboard.ne.jp/~admin2/tuntap/ This should compile both TUN and TAP support drivers for Solaris and has the utilities you mentioned you’re missing. Also plenty of examples. Cheers.
By Ryan, March 27, 2009 @ 9:10 am
Ironically, those are the tun/tap modules I used. Maybe they’ve improved since then and actually compile.
By msd, May 21, 2009 @ 4:41 pm
Ryan, Maybe you could answer a couple things for me? I’m using a very similar setup to yours. I have two actual interfaces. ce0 (public) and qfe0 (private). I have openvpn setup over the public interface. outside clients can connect, but thats about as far as it goes. i can ping my private ip from the remote vpn client, but none of the other servers on my private network, and i cannot seem to route though the server from the client. i have ipfil setup and ipnat like you have shown here. but my connection doesn’t make it passed the server. any suggestions?