Description:
OpenVPN gets you out of your HTTP-Proxy misery (With some OpenSolaris specific details)
bridge-reset.sh #
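#!/bin/sh
# For OpenSolaris
# The Bridge module from http://www.whiteboard.ne.jp/~admin2/tuntap/
# brings a brdgadm tool.
#
# Invoked by OpenVPN as the "up" script: $1 is the (tap) interface which
# OpenVPN just brought up. The interface and the physical NIC are removed
# from the bridge and then re-added, so a restart of OpenVPN ends up with a
# fresh bridge.
#
# Usage: bridge-reset.sh <interface> [further OpenVPN arguments are ignored]
# Env:   BRIDGE_NIC - the network card your system uses to connect to your
#                     local network (default: rge0)
#
# No "set -e" on purpose: the two removals are expected to fail on the very
# first start (nothing is bridged yet) and must not abort the script.
BRDGADM=/usr/local/bin/brdgadm
NIC=${BRIDGE_NIC:-rge0}
# Abort with a usage message instead of calling brdgadm with a missing argument.
tap=${1:?"usage: $0 <interface>"}

# Removing
pfexec "$BRDGADM" -d "$tap"
pfexec "$BRDGADM" -d "$NIC"
# Adding again; the exit status of the last command is what OpenVPN sees.
pfexec "$BRDGADM" -a "$tap"
pfexec "$BRDGADM" -a "$NIC"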
 
openvpn-http-proxy-client.conf #
# your home connection needs some kind of DynDNS
# (port 443 is used so the HTTP proxy below allows the CONNECT)
remote your.dyndns.org 443
 
# for HTTP-Proxy support we need to use tcp-client mode
proto tcp-client
# Tap is used so we avoid routing configuration
dev tap
client
nobind
persist-key
persist-tun
 
# use the easy-rsa script to generate those
# details here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
# NOTE: these paths are relative to OpenVPN's working directory, not to
# this file; use absolute paths if the client is started from elsewhere.
ca ./ca.crt
cert ./client.crt
key ./client.key
# checks that the server's certificate was issued as a server certificate,
# so another client certificate from the same CA cannot pose as the server.
# NOTE(review): newer OpenVPN releases deprecate ns-cert-type in favour of
# "remote-cert-tls server"; check which one your version expects.
ns-cert-type server
 
# accept config options from the server
pull
# compress everything. CPU is cheap, bandwidth is not
comp-lzo
# can be turned down if everything is working, produces less output
verb 3
# mute repeating messages after 20 occurrences
mute 20
# always retry resolving the remote hostname
resolv-retry infinite
 
 
# Your http proxy (that needs to support CONNECT-Method, fortunately most do)
# replace the address and port with the ones of your proxy
http-proxy 23.42.23.42 8080
# retry on connection failures
http-proxy-retry
# fake Safari, just to be sure
http-proxy-option AGENT "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; de-de) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17"
 
openvpn-http-proxy-server.conf #
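# Tap is used so we avoid routing configuration
dev tap
 
# for HTTP-Proxy support we need to use tcp-server mode
proto tcp-server
 
# the first IP is the one of the gateway in your home network, the second the subnetmask
# the last two are the range from which OpenVPN hands out IPs, these should be outside
# of your server's range
server-bridge 192.168.1.1 255.255.255.0 192.168.1.223 192.168.1.233
# required so we can execute scripts like the "up" script below.
# Level 2 permits user-defined scripts; level 3 would additionally pass
# client passwords to scripts via the environment, which nothing here needs.
script-security 2
# this is dependent on your OS.
# you need to reset the bridge device here
# Linux howto:
# http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
# I will include my OpenSolaris version in this Gist
# NOTE: the path is relative to OpenVPN's working directory, not to this
# file; keep the script next to the config and start OpenVPN from that
# directory, or use an absolute path.
up "./bridge-reset.sh"
 
# Well, it's supposed to be a server isn't it.
# For debugging comment this out.
# NOTE(review): the daemon keeps running as root (the SMF manifest starts it
# with root credentials); OpenVPN's user/group options could drop privileges
# after startup, untested with this bridge setup.
daemon
 
# use the easy-rsa script to generate those
# details here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
# (the space after "ca" was missing, which makes OpenVPN read the whole
# token as one unknown option and refuse to start)
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
# NOTE(review): 1024-bit DH parameters are considered weak today; generating
# larger parameters and pointing this line at them is advisable.
dh /etc/openvpn/keys/dh1024.pem
 
# I would not use keepalive, but if you have a
# time based connection you can hardly avoid it.
#keepalive 10 60
 
# change the IPs to the ones of your local router
push "route-gateway 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
 
# if set to 5 it logs every time a packet is Tx/Rx'd, useful to debug
verb 3
comp-lzo
 
# Logging and PIDs (note that the log will be overwritten each time;
# log-append will append instead of overwrite)
log /var/log/openvpn.log
writepid /var/run/openvpn.pid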
 
 
 
openvpn-manifest.xml #
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  SMF manifest for OpenVPN on OpenSolaris.
  The start method is the openvpn-svc-method.sh script from this gist,
  installed as /lib/svc/method/openvpn; SMF replaces %m with the method
  name ("start"). The stop method is SMF's built-in :kill, so the script's
  "stop" branch is never invoked by this manifest.
-->
<service_bundle type="manifest" name="openvpn">
  <service name="application/network/openvpn" type="service" version="1">
    <!-- do not start before the network milestone is reached -->
    <dependency name="network" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>
    <!-- NOTE(review): a 2 second timeout is tight; it presumably only works
         because the server config uses "daemon", so openvpn forks and the
         method returns right away. Confirm before raising verbosity or
         removing "daemon". -->
    <exec_method type="method" name="start" exec="/lib/svc/method/openvpn %m" timeout_seconds="2"/>
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="2">
    </exec_method>
 
    <!-- disabled by default; enable it once config and keys are in place -->
    <instance name="vpn_bridge" enabled="false">
      <method_context>
        <!-- runs as root; presumably required to plumb the tap device and
             manage the bridge. Note that the openvpn process inherits this. -->
        <method_credential user="root" group="root"/>
      </method_context>
      <!-- read by the method script via "svcprop -p openvpn/config_file" -->
      <property_group name="openvpn" type="application">
        <propval name="config_file" type="astring" value="/usr/local/etc/openvpn/server.conf" />
      </property_group>
    </instance>
    <stability value="Evolving"/>
    <template>
      <common_name>
        <loctext xml:lang="C">OpenVPN</loctext>
      </common_name>
      <documentation>
        <manpage title="openvpn" section="1"/>
        <doc_link name="openvpn.org" uri="http://openvpn.org"/>
      </documentation>
    </template>
  </service>
</service_bundle>
 
openvpn-svc-method.sh #
#!/bin/sh
 
. /lib/svc/share/smf_include.sh
 
getproparg() {
val=`svcprop -p $1 $SMF_FMRI`
[ -n "$val" ] && echo $val
}
 
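# Refuse to run outside of SMF (no SMF_FMRI in the environment).
if [ -z "$SMF_FMRI" ]; then
    echo "SMF framework variables are not initialized." >&2
    # SMF_EXIT_ERR is not among the codes smf_include.sh defines, so the
    # original "exit $SMF_EXIT_ERR" exited with the status of the previous
    # command (0, i.e. success). SMF_EXIT_ERR_NOSMF is the documented code
    # for "method invoked outside of SMF".
    exit $SMF_EXIT_ERR_NOSMF
fi

OPENVPNBIN='/usr/local/sbin/openvpn'
CONFIG_FILE=$(getproparg openvpn/config_file)

if [ -z "$CONFIG_FILE" ]; then
    echo "openvpn/config_file property not set" >&2
    exit $SMF_EXIT_ERR_CONFIG
fi

case "$1" in
'start')
    # This needs to be done to allow reloading tun and tap drivers
    # TODO: Enumerate all tun/tap devices
    ifconfig tun0 unplumb 2>/dev/null
    ifconfig tap0 unplumb 2>/dev/null
    # Run from the config's directory so relative paths in it (e.g. the
    # "up" script) resolve next to the config instead of in SMF's cwd.
    case "$CONFIG_FILE" in
    */*) cd "${CONFIG_FILE%/*}" || exit $SMF_EXIT_ERR_CONFIG ;;
    esac
    # A failed start (bad config, missing keys) must be reported to SMF
    # instead of being masked by the unconditional exit below.
    "$OPENVPNBIN" --config "$CONFIG_FILE" || exit $SMF_EXIT_ERR_FATAL
    ;;

'stop')
    # the manifest uses ":kill" for stop, so this branch is not reached via SMF
    echo "not implemented" >&2
    ;;

'refresh')
    echo "not implemented" >&2
    ;;

*)
    # plain double quotes: $"..." is a bash-only locale form and prints a
    # literal '$' under /bin/sh
    echo "Usage: $0 {start|stop|refresh}" >&2
    exit 1
    ;;

esac
# was "$SMF_EXIT_OKt", an unset variable, which made the exit status depend
# on the last command instead of reporting success explicitly
exit $SMF_EXIT_OK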