OpenVPN/Solaris

Installing an OpenVPN server on Solaris 10


I recently had occasion to set up an OpenVPN server in a Solaris environment, and unlike on Linux it took some fiddling. Because the distribution ships neither a binary nor an install script, I thought a few things were worth writing down, namely creating the /dev/tun device file and the IP forwarding / NAT setup, so I am adding the notes below.

The environment I worked on was Solaris 10. On Solaris 9 and earlier there is no real difference apart from having to install IP Filter.
# uname -a
SunOS tomoko 5.10 Generic_127127-11 sun4v sparc SUNW,SPARC-Enterprise-T5220 Solaris

Building the OpenVPN binary and the tun driver


This corresponds to section 1.4.1, Installation, of the main OpenVPN page.

First, since OpenVPN has to be compiled from source, install gcc, libtool and so on from http://www.sunfreeware.com/ to get a basic build environment. Also install the openssl and lzo libraries that the OpenVPN build needs beforehand. If any package these depend on is not installed yet, install it along with them.
# gzip -d gcc-3.4.6-sol10-sparc-local.gz
# pkgadd -d ./gcc-3.4.6-sol10-sparc-local
...
# pkgadd -d ./openssl-0.9.8h-sol10-sparc-local
# pkgadd -d ./lzo-2.03-sol10-sparc-local

Now we would compile the OpenVPN source, but Solaris 10 has no /dev/tun device, so if you just go ahead the build aborts with the following error.
tun.c:1183:2: #error I need the symbol TUNNEWPPA from net/if_tun.h
tun.c: In function `open_tun':
tun.c:1245: error: `TUNNEWPPA' undeclared (first use in this function)
tun.c:1245: error: (Each undeclared identifier is reported only once
tun.c:1245: error: for each function it appears in.)
make[1]: *** [tun.o] Error 1
make[1]: Leaving directory `/data/pkg/openvpn/openvpn-2.0.9'

So we build the tun driver before installing OpenVPN. It may well be possible to install the driver from the Solaris install CD, but that seemed like a hassle and I did not know how, so after some googling I found the following solution.

# wget http://vtun.sourceforge.net/tun/tun-1.1.tar.gz
# zcat tun-1.1.tar.gz | tar xvf -
# cd tun-1.1/solaris
# perl -pi~ -e 's;"TUN/TAP driver .*;"TUN/TAP driver 1.1",;' tun.c
# perl -pi~ -e 's/#define TUNSETPPA.*/$&\n\n#define TUN_VER "1.1"/' if_tun.h
# gcc -O2 -Wall -D_KERNEL -I. -m64 -mcpu=ultrasparc -c tun.c
# /usr/ccs/bin/ld -r -o tun tun.o
# file tun
tun:            ELF 64-bit MSB relocatable SPARCV9 Version 1, UltraSPARC1 Extensions Required
# cp tun /usr/kernel/drv/sparcv9/tun
# cp tun.conf /usr/kernel/drv/tun.conf
# cp if_tun.h /usr/include/net/if_tun.h
# chmod 755 /usr/kernel/drv/sparcv9/tun
# chown root:sys /usr/kernel/drv/sparcv9/tun /usr/kernel/drv/tun.conf
# chown root:bin /usr/include/net/if_tun.h
# rem_drv tun
# add_drv -v tun
# ls -als /dev/tun
1 lrwxrwxrwx 1 root sys 29 Oct 22 11:03 /dev/tun -> ../devices/pseudo/clone@0:tun

Adjust the gcc options and the tun driver install location to match the architecture of your machine. If it worked, the /dev/tun character device is created.

Next comes compiling the OpenVPN source. You need to point it at the openssl and lzo library locations. They probably also have to be in LD_LIBRARY_PATH. (Unverified, I could not be bothered to check.)
# env | grep PATH
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/ora:/usr/local/ssl/lib:/usr/openwin/lib:...
PATH=/usr/local/bin:/usr/local/ssl/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/ccs/bin:...
# ./configure --with-ssl-headers=/usr/local/ssl/include --with-ssl-lib=/usr/local/ssl/lib
# make
# make install
# ls -als /usr/local/sbin/openvpn
1504 -rwxr-xr-x 1 root root 1525160 Oct 22 14:57 /usr/local/sbin/openvpn

If setting LD_LIBRARY_PATH every time you start OpenVPN is a nuisance, it is convenient to set an rpath when linking the binary. On the Solaris ld the rpath option is -R. Some people consider setting an rpath bad practice, so take the following as a reference only.
# gcc  -g -O2  -L/usr/local/ssl/lib -R /usr/local/lib:/usr/local/ssl/lib -o openvpn            \
    base64.o buffer.o  crypto.o error.o event.o  fdmisc.o forward.o fragment.o  gremlin.o      \
    helper.o init.o  interval.o list.o lzo.o  manage.o mbuf.o misc.o  mroute.o mss.o mtcp.o    \
    mtu.o  mudp.o multi.o ntlm.o occ.o  openvpn.o options.o otime.o  packet_id.o perf.o ping.o \
    plugin.o pool.o proto.o  proxy.o push.o reliable.o  route.o schedule.o session_id.o        \
    shaper.o sig.o socket.o  socks.o ssl.o status.o  thread.o tun.o                            \
    -lssl -lcrypto -llzo2 -lnsl -lsocket
# env | grep LD_LIBRARY_PATH
(nothing found)
# ldd openvpn
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
        liblzo2.so.2 =>  /usr/local/lib/liblzo2.so.2
        libnsl.so.1 =>   /lib/libnsl.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libc.so.1 =>     /lib/libc.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,SPARC-Enterprise-T5220/lib/libc_psr.so.1
        /platform/SUNW,SPARC-Enterprise-T5220/lib/libmd_psr.so.1
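Whether you use LD_LIBRARY_PATH or -R, the root-owned openvpn binary will load libraries from /usr/local/ssl/lib and /usr/local/lib, so those directories must not be writable by ordinary users. The following POSIX sh script is an added example, not part of OpenVPN or of the original write-up: it reads ldd output, lists the non-system directories libraries resolve to, and checks each rpath directory's permissions (the sample ldd lines are constructed from the output above).

```shell
#!/bin/sh
# Audit where a linked binary resolves its shared libraries and whether those
# directories can be modified by unprivileged users. Added example for this
# page; not part of OpenVPN or the original write-up.

# Directories a stock Solaris install owns; anything else is a custom location
# (such as /usr/local/ssl/lib from the -R above) that deserves a permission check.
SYSTEM_LIB_DIRS='/lib /usr/lib /platform'

# Read `ldd` output on stdin and print each non-system directory once.
# Lines look like "libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8".
nonsystem_lib_dirs() {
    awk -v sys="$SYSTEM_LIB_DIRS" '
        BEGIN { n = split(sys, s, " ") }
        $2 == "=>" && $3 ~ /^\// {
            dir = $3; sub(/\/[^\/]*$/, "", dir)
            skip = 0
            for (i = 1; i <= n; i++)
                if (dir == s[i] || index(dir, s[i] "/") == 1) skip = 1
            if (!skip && !seen[dir]++) print dir
        }'
}

# Exit 0 if "other" has write permission on the directory (column 9 of ls -ld).
dir_world_writable() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Check every directory of a colon-separated rpath (the -R argument) and
# report the ones an unprivileged user could drop a library into.
# Returns 1 if any were found, 0 otherwise.
audit_rpath() {
    rc=0
    for d in $(printf '%s\n' "$1" | tr ':' ' '); do
        if dir_world_writable "$d"; then
            echo "WARNING: $d is world-writable (library hijack risk)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a few lines taken from the ldd output shown on this page.
SAMPLE_LDD='    libssl.so.0.9.8 =>   /usr/local/ssl/lib/libssl.so.0.9.8
    liblzo2.so.2 =>  /usr/local/lib/liblzo2.so.2
    libnsl.so.1 =>   /lib/libnsl.so.1
    /platform/SUNW,SPARC-Enterprise-T5220/lib/libc_psr.so.1'
```

On a real host run `ldd /usr/local/sbin/openvpn | nonsystem_lib_dirs` and `audit_rpath /usr/local/lib:/usr/local/ssl/lib` after sourcing the script.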

IP forwarding / NAT setup


This corresponds to section 1.6.2, Connecting to other servers on the server side, of the main OpenVPN page.

This is described for Solaris 10. On Solaris 9 and earlier the configuration commands differ slightly.

Use the routeadm command to enable IP forwarding. The -u option is said to make the setting take effect on the next boot as well. (Unverified)
# routeadm -u -e ipv4-forwarding
# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"
...
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
tun0: flags=10011008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4,FIXEDMTU> mtu 1500 index 3
        inet 10.8.0.1 --> 10.8.0.2 netmask ffffffff
        ether 0
e1000g0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 5
        inet 210.103.xxx.xxx netmask fffffffc broadcast 210.103.xxx.xxx
        ether xx:xx:xx:xx:xx:xx

ROUTER has been added to the flags of the tun0 and e1000g0 interfaces. With this setting the OpenVPN server acts as a router and can send packets it receives from OpenVPN clients over tun0 out to the outside. However, the source IP of those packets is still the client's private VPN address, so the client still cannot talk to other servers through the VPN. NAT therefore has to be configured in addition.

Solaris has IP Filter as the counterpart to iptables on Linux. From Solaris 10 it is installed by default; on Solaris 9 and earlier it has to be installed separately. Installation is reportedly not difficult, so let Google help you there. Once it is installed, add the NAT configuration (ipnat.conf) and specify the network device the configuration applies to (pfil.ap). The ipf configuration can be made much more elaborate, but here we add just one simple line that maps packets arriving from the OpenVPN client address range (10.8.0.0/24) onto the external Internet interface (e1000g).
# echo "map e1000g0 10.8.0.0/24 -> 0/32" >> /etc/ipf/ipnat.conf
# echo "e1000g -1 0 pfil" >> /etc/ipf/pfil.ap
# ifconfig e1000g0 down
# ifconfig e1000g0 unplumb
# ifconfig e1000g0 plumb
# ifconfig e1000g0 210.103.xxx.xxx netmask 255.255.255.252 up

Note that for the pfil.ap setting to take effect the network device has to be taken down and brought back up. Once that is done, start the pfil and ipfilter services and check their status.
# svcadm enable svc:/network/pfil
# svcadm enable svc:/network/ipfilter
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x107
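Two things are easy to get wrong in the `echo >>` steps above: pfil.ap takes the driver name (e1000g), not the interface instance (e1000g0), and re-running the commands appends duplicate lines. The following POSIX sh script is an added example, not OpenVPN's or IP Filter's own tooling: it derives the driver name, validates the subnet, and appends each line only once (the file paths are parameters so it can be exercised on scratch files).

```shell
#!/bin/sh
# Generate the IP Filter NAT lines from the section above without the two
# pitfalls of a blind `echo >>`: a wrong pfil.ap driver name and duplicate
# entries on re-run. Added example for this page, not part of OpenVPN or
# IP Filter; file paths are passed in so it can be tried on scratch files.

# pfil.ap wants the driver name (e1000g), not the interface instance (e1000g0).
pfil_driver() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# Accept only a dotted quad with a /0../32 prefix, so a typo does not turn
# into a NAT rule that covers the wrong address range.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# The single ipnat rule used on this page: map the VPN subnet to the
# external interface's own address (0/32).
nat_rule() {
    valid_cidr "$2" || { echo "bad CIDR: $2" >&2; return 1; }
    printf 'map %s %s -> 0/32\n' "$1" "$2"
}

# Append a line only if the file does not already contain it verbatim.
append_once() {
    file=$1; line=$2
    [ -f "$file" ] && grep -Fxq -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Write both configuration files; returns non-zero if the subnet is malformed.
configure_nat() {
    iface=$1; subnet=$2; ipnat=$3; pfilap=$4
    rule=$(nat_rule "$iface" "$subnet") || return 1
    append_once "$ipnat" "$rule"
    append_once "$pfilap" "$(pfil_driver "$iface") -1 0 pfil"
}
```

On the live system you would call `configure_nat e1000g0 10.8.0.0/24 /etc/ipf/ipnat.conf /etc/ipf/pfil.ap`, then reload the NAT table with `ipnat -CF -f /etc/ipf/ipnat.conf` and replumb the interface as shown above for the pfil.ap change.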

Once you confirm that connections to the Internet from an OpenVPN client go out with the VPN server's IP as their source, you are done. :-)

last modified 2008-10-31 08:44:53