[linuxkernelnewbies] TAP driver for Solaris

[Peter Teoh]

http://www.whiteboard.ne.jp/~admin2/tuntap/ TAP driver for Solaris used for OpenVPN This is a TAP driver for Solaris that can be used for OpenVPN The code is base on Universal TUN/TAP driver. I made changes somewhat and added some code to it for supporting Ethernet tunneling feature, since Universal TUN/TAP driver for Solaris only supports IP tunneling known as TUN. Since there has not been TAP driver for Solaris, OpenVPN does not have code for handling a TAP device for Solaris. So I also modified OpenVPN code somewhat, and made it work with this TAP driver. Also, I wrote bridge moduel for Solaris, so that you can configure Solaris as bridge server. TAP Driver Difference file for OpenVPN Bridge Module tunctl command for Solaris Tested Solaris Version Change Log TAP driver tuntap.tar.gz (Last Update: 25th Jun 2007) Source After extracting tuntap.tar.gz file, run './configure', 'make', and 'make install' as usual. Both 'tun' and 'tap' driver will be built and installed on your system. You can access these devices through /dev/tun and /dev/tap. Difference file for OpenVPN tun.c (Last Update: 5th Nov 2006) Put this file on the directory where you extracted source code of OpenVPN, and swap existing tun.c file for it. NOTE: This file is based on tun.c file included in OpenVPN version 2.0.7 and 2.0.9. so you might get error, if you try to build this code with the other source code of OpenVPN version than 2.0.7 or 2.0.9. Bridge module bridge.tar.gz (Last Update: 24th Sep 2007) Source After extracting bridge.tar.gz file, run './configure', 'make', and 'make install'. 'brdg' and brdgadm will be built and installed on your system. Where 'brdg' is a STREAMS module which enables briging 2 interfaces. And where 'brdgadm' is a configuration command to add/delete bridge interfaces. Usage: brdgadm [ -a interface | -d interface] Options: -a interface : Add interface as port -d interface : Delete interface from port list -l : List all interfaces in port list See following sample configuration. Network configuration HostB is a router which is connected to 2 networks. By installing TAP and OpenVPN on HostB and HostC, I try to join HostC to Network1 through OpenVPN. On HostB, install TAP driver and OpenVPN, and then configure it as bridging server using server-bridge option. ------------- dev tap proto tcp-server server-bridge 10.0.0.90 255.0.0.0 10.0.0.10 10.0.0.30 client-to-client ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/u1.crt key /etc/openvpn/keys/u1.key # This file should be kept secret dh /etc/openvpn/keys/dh1024.pem -------------- Then, run openvpn On HostB, make and install bridge module. Extrace bridge.tar.gz # gunzip -c bridge.tar.gz | tar xvf - Make bridge moduel(brdg) and control command(brdgadm) # ./configure # make # make install On HostB, setting up bridge. # /usr/local/bin/brdgadm -a tap0 # /usr/local/bin/brdgadm -a hme1 hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 172.29.73.90 netmask ffffff00 broadcast 172.29.73.255 ether 8:0:20:91:a6:90 hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4 inet 10.0.0.90 netmask ff000000 broadcast 10.255.255.255 ether 8:0:20:91:a6:90 tap0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5 inet 0.0.0.0 netmask 0 ether a:0:20:14:32:52 where hme1 is a network interface connected with Network1. As a result, tap0 and hme1 is bridged. At this time, ifconfig looks like as below. On HostC, install TAP driver and openvpn, and configure it as a client. ------------ remote HostB proto tcp-client dev tap client persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/onnv01.crt key /etc/openvpn/keys/onnv01.key ----------- hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 172.29.73.55 netmask ffffff00 broadcast 172.29.73.255 ether 8:0:20:c6:69:c7 tap0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4 inet 10.0.0.10 netmask ff000000 broadcast 10.255.255.255 ether a:0:20:53:71:52 Then, run openvpn. At this time, ifconfig on HostC looks like as below. Now, HostC joins Network1 via tap0 interface through openvpn. But, please note that there's some limitation.. HostC can't communicate with HostB using a bridged IP address on HostB. I mean, ping 10.0.0.90 on HostC won't work. Ethernet packet from OpenVPN headed to HostB is passed to TAP driver. TAP driver forwards packet to bridge module. Bridge module forwards packet to hme driver as RAW data. hme driver transfer the packet to the wire, but never forward it to IP module. Of course, HostC can communicate with all the other hosts on Network1, but.. it can't communicate with bridged IP address of bridge server. One more note. Once openvpn running on HostB is terminated, bridge setting will be invalidated. So, after executing 2nd openvpn on HostB, you need to re-setup the bridge again. First, you need to drop existing settings. # /usr/local/bin/brdgadm -d hme1 # /usr/local/bin/brdgadm -d tap0 # /usr/local/bin/brdgadm -a hme1 # /usr/local/bin/brdgadm -a tap0 Then, re-setup bridge. tunctl command for Solaris tunctl.tar.gz (Last Update: 24th Sep 2007) Source This is a Solaris version of tunctl command which was originally written by Jeff Dike. The tunctl command enables administrator to preconfigure a TUN/TAP device. This command would be useful for testing, or for those who wants to use tun/tap interface just as a virtual interface. After extracting tuncntl.tar.gz file, run './configure', 'make', and 'make install'. By default, tunctl command is installed in /usr/local/bin NOTE: This Solaris version of tunctl command doesn't support the -u option, which enables administrator to specify an user who can use the interface. Example) Create tap0 interface # /usr/local/bin/tunctl -t tap0 Set 'tap0' persistent # # /usr/local/bin/tunctl -d tap0 # Delete tap0 interface Tested Solaris versioin I've tested on following Solaris version and platform. 32 bit Solaris 9 on x86. 32 bit Solaris 9 on sparc. 64 bit Solaris 9 on sparc. 32 bit Solaris 10 on x86. 64 bit Solaris 10 on sparc. 64 bit Solaris 10 on x64 (*). (*) I've not done test, but some guys reported me that bridge module and tun/tap driver was able to be built and worked on x64 Solaris. Change log 05/08/2006 Modified tun_unitdata_req() to work on x86 Solaris 9 05/12/2006 Added tun_generate_mac_addr() to generate MAC address for tap device. 10/09/2006 Confirmed that the driver was able to work with OpenVPN 2.0.9. And also confirmed that tun.c file included in OpenVPN 2.0.9 has not been changed. So the above tun.c file can be compiled with OpenVPN 2.0.9 as well. 11/05/2006 In tun_ioctl() of tap driver, reverted to original TUN/TAP driver's code which retrieves ppa from user program. In open_tun() of openvpn, changed it to use I_STR ioctl command to pass ppa to tap driver. This will allow openvpn to specify instance number using 'dev' option, like "dev tap7". 01/03/2007 Added comments about bridge module. 02/21/2007 Modified brdgadm.c file to make it to be able to handle e1000g. Modified brdgadm.c file to make it to be able to handle instance number Modified configure script of both bridge module and tun/tap driver to be able to build modules on x64 Solaris. 03/22/2007 Removed unnecessary debug code from brdgadm.c. 06/25/2007 Added "-mno-red-zone" compile option for amd64. 09/24/2007 Modified Makefile.in for brdgadm command, so that it allows to specify installation directory by --prefix option of configure script. I wrote this just for fun. Since this has not been tested well, please DON'T install this on production system. Use this at your own risk. But your advice or comment would be appreciated. --- Kazuyoshi <[EMAIL PROTECTED]> 28th Apr 2006