Thanx, I could make a test.
Configured the zone with:
add device
set match=/dev/tun
end
booted the zone, and I could see the tun device in /dev.
Configured openvpn, and I got this:
Thu Oct 11 15:43:51 2012 TUN/TAP device tun0 opened
Thu Oct 11 15:43:51 2012 /usr/sbin/ifconfig tun0 10.1.1.1 10.1.1.2 mtu 1500 up
Thu Oct 11 15:43:51 2012 /usr/sbin/ifconfig tun0 netmask 255.255.255.255
Thu Oct 11 15:43:51 2012 /usr/sbin/route add 10.1.1.0 -netmask 255.255.255.0 10.1.1.2
add net 10.1.1.0: gateway 10.1.1.2
Thu Oct 11 15:43:51 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Looks nice!
Then ifconfig was showing the tun0:
tun0: flags=10010008d1
mtu 1500 index 3
inet 10.1.1.1 --10.1.1.2 netmask ffff
Well, my next question is: how can I have different zones run openvpn on tun?
Will it let me add the device to more than one zone?
If not, is there any chance to "make install" the tun driver with different names and instances, so I can bind each instance/name to different zones?
Gabriele.
PS: any chance to write or port the tun driver into the blowfish realm?
----------------------------------------------------------------------------------
From: Jim Klimov
To: [email protected]
Cc: Gabriele Bulfon
Date: 11 October 2012 14.30.07 CEST
Subject: Re: [discuss] Kazuyoshi tun0, zones, blowfish
2012-10-11 13:13, Gabriele Bulfon wrote:
> Hi,
> installing Kazuyoshi tun0 on illumos based distros looks to load fine
> (meant for openvpn).
> Can't say at the moment if it works once openvpn is started on it (I
> will test it later).
Well, I have it working on an SXCE server (in global zone) with
no hiccups, now that the faster 1.3.0 version of tun/tap driver
got out ;)
I did not yet try it on an illumos-based OS though, but I don't
expect any problems.
> My real doubt is how I can give the tun0 to a zone, where I want openvpn
> to run.
> I doubt dladm can see and use tun0 to create vnic.
Well, you can delegate a networking device to a zone "as is"...
Possible problem is that OpenVPN AFAIK does its "plumb"/"unplumb"
of the tunnel interface, which might fail in a zone (or work
only once - to unplumb).
I don't think you can use the tun/tap interfaces with dladm
and vnics, and note that the subnet processing (the /30 nets
for point-to-point links per VPN connection) is done by the
OpenVPN software in charge of the interface. As far as the
OS is concerned, the assigned larger nets (i.e. /24) that
are dedicated to the VPN have a route through the tunnel
interface and a service IP address on it. The rest is the
tunnel's problem - it brings up IP addresses per connection
(invisible to the OS) and forwards the packets encrypted
by OpenVPN (calls to OpenSSL).
It would be interesting to know if your experiment succeeds
though ;)
HTH,
//Jim
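To make Jim's description concrete (the OS only sees the larger VPN net routed through the tunnel and a service address on it, while OpenVPN hands out a /30 per connection), here is an added example that is not part of the thread or of OpenVPN itself. It parses the ifconfig/route lines OpenVPN logged at startup in Gabriele's test (embedded below as constructed sample input), checks that the tunnel endpoints and the route are consistent with each other, and enumerates the /30 point-to-point blocks that OpenVPN's net30 topology carves out of the /24. The regular expressions, the check function and the assumption that the first /30 belongs to the server are mine, not something the thread states.

```python
"""Added example (not from the thread): parse OpenVPN's startup log lines
and check the tunnel addressing against the net30 /30-per-connection layout."""
import ipaddress
import re

# Constructed sample: the lines OpenVPN logged in the thread, with the
# wrapped route line rejoined.
SAMPLE_LOG = """\
Thu Oct 11 15:43:51 2012 TUN/TAP device tun0 opened
Thu Oct 11 15:43:51 2012 /usr/sbin/ifconfig tun0 10.1.1.1 10.1.1.2 mtu 1500 up
Thu Oct 11 15:43:51 2012 /usr/sbin/ifconfig tun0 netmask 255.255.255.255
Thu Oct 11 15:43:51 2012 /usr/sbin/route add 10.1.1.0 -netmask 255.255.255.0 10.1.1.2
add net 10.1.1.0: gateway 10.1.1.2
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Solaris-style ifconfig invocation OpenVPN uses for a point-to-point tun.
IFCONFIG_RE = re.compile(r"ifconfig (\S+) " + IPV4 + " " + IPV4 + r" mtu (\d+) up")
# Solaris-style route invocation for the larger VPN net via the remote endpoint.
ROUTE_RE = re.compile(r"route add " + IPV4 + " -netmask " + IPV4 + " " + IPV4)


def parse_tunnel_log(text):
    """Extract interface name, local/remote endpoints, MTU, routed net and gateway."""
    info = {}
    for line in text.splitlines():
        m = IFCONFIG_RE.search(line)
        if m:
            info["ifname"] = m.group(1)
            info["local"] = ipaddress.ip_address(m.group(2))
            info["remote"] = ipaddress.ip_address(m.group(3))
            info["mtu"] = int(m.group(4))
            continue
        m = ROUTE_RE.search(line)
        if m:
            # strict=False lets "10.1.1.0/255.255.255.0" style masks through.
            info["route"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            info["gateway"] = ipaddress.ip_address(m.group(3))
    return info


def net30_blocks(vpn_net):
    """Yield (client_addr, client_ptp_endpoint) pairs as OpenVPN's net30 topology
    allocates them: each client gets a /30, the server keeps the first /30.
    (Assumption of this example: server = block 0, client = second usable host.)"""
    for i, sub in enumerate(vpn_net.subnets(new_prefix=30)):
        if i == 0:
            continue  # first /30 holds the server's own local/remote pair
        hosts = list(sub.hosts())  # the two usable addresses of the /30
        yield hosts[1], hosts[0]


def check_tunnel(info):
    """Return a list of inconsistencies; empty means the log looks sane."""
    problems = []
    if info["local"] not in info["route"]:
        problems.append("local endpoint outside the routed VPN net")
    if info["remote"] not in info["route"]:
        problems.append("remote endpoint outside the routed VPN net")
    if info["gateway"] != info["remote"]:
        problems.append("route gateway is not the tunnel's remote endpoint")
    first = list(next(iter(info["route"].subnets(new_prefix=30))).hosts())
    if (info["local"], info["remote"]) != (first[0], first[1]):
        problems.append("endpoints are not the server's first /30 pair")
    return problems


if __name__ == "__main__":
    parsed = parse_tunnel_log(SAMPLE_LOG)
    print(parsed["ifname"], parsed["local"], "->", parsed["remote"], "route", parsed["route"])
    print("problems:", check_tunnel(parsed) or "none")
    for client, ptp in list(net30_blocks(parsed["route"]))[:3]:
        print(f"client {client} <-> {ptp}")
```

Run it against a real OpenVPN log instead of `SAMPLE_LOG` to confirm that what the zone's OS sees (one /24 route via the tunnel's remote endpoint) matches what OpenVPN configured; the per-client /30 pairs it prints are exactly the addresses Jim describes as "invisible to the OS".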
-------------------------------------------
illumos-discuss