<html> <head> <title> TAP driver for Solaris </title> </head> <body> <table border="0" style="width:100%"> <tr><td> <h1><b>TAP driver for Solaris used for OpenVPN<br> and any other virtual network solution. </b></h1> </td> <td align="right"> </td></tr></table> <p> This is a TAP driver for Solaris that can be used for <a href="http://openvpn.net/">OpenVPN</a>, <a href="http://www.infradead.org/openconnect.html">OpenConnect</a>, <a href="http://www.unix-ag.uni-kl.de/~massar/vpnc/">vpnc</a><br> The code is based on <a href="http://vtun.sourceforge.net/tun/"> Universal TUN/TAP driver</a>. I made changes somewhat and added some code to it for supporting Ethernet tunneling feature, since Universal TUN/TAP driver for Solaris only supports IP tunneling known as TUN. <br><br> <S>Since there has not been TAP driver for Solaris, OpenVPN does not have code for handling a TAP device for Solaris. So I also modified OpenVPN code somewhat, and made it work with this TAP driver.<br></S> OpenVPN patch has been merged into OpenVPN 2.2.0.(2011.04.28).<P> Also, I wrote bridge moduel for Solaris, so that you can configure Solaris as bridge server. <blockquote> <ul> <li><a href="#tap">TAP Driver</a><br> <li><a href="#openvpn">Patch for OpenVPN</a><br> <li><a href="#bridge">Bridge Module</a><br> <li><a href="#tunctl">tunctl command for Solaris</a><br> <br> <li><a href="#test">Tested Solaris Version</a><br> <li><a href="#change">Change Log</a><br> </ul> </blockquote> <hr> <a name="tap"><h3>TAP driver </h3></a> <ul> <li><a href="https://github.com/kaizawa/tuntap/tarball/master">tuntap.tar.gz</a> (Last Update: 17th Jul 2012) <li><a href="http://github.com/kaizawa/tuntap">Source</a><p> After extracting tuntap.tar.gz file, run './configure', 'make', and 'make install' as usual.<br> Both 'tun' and 'tap' driver will be built and installed on your system. You can access these devices through /dev/tun and /dev/tap. <br><br> </ul> <p> <hr> <a name="openvpn"><h3>Patch for OpenVPN</h3></a> Patch for OpenVPN has been merged into OpenVPN 2.2.0. (2011.04.28).<br> So if you are going to use OpenVPN 2.2.0 or later, you don't need to apply following patch.<p> <ul> <li>tun.c <br><br> <table border="1"> <tr> <td>OpenVPN Version</td><td>Modified file</td><td>patch(diff -u ouputs)</td><td>Last Update</td> </tr> <tr> <td>2.0.7, 2.0.9</td><td><a href="http://github.com/downloads/kaizawa/openvpn-patch/tun.c.2.0.9">tun.c.2.0.9</a></td> <td><a href="http://github.com/downloads/kaizawa/openvpn-patch/patch.openvpn-2.0.9.tun.c">patch.openvpn-2.0.9.tun.c</td> <td>20th May 2009</td> </tr> <tr> <td>2.1.1</td><td><a href="http://github.com/downloads/kaizawa/openvpn-patch/tun.c.2.1.1">tun.c.2.1.1</a></td> <td><a href="http://github.com/downloads/kaizawa/openvpn-patch/patch.openvpn-2.1.1.tun.c">patch.openvpn-2.1.1.tun.c</a></td> <td>29th Apr 2010</td> </tr> <tr> <td>2.1.3</td><td><a href="http://github.com/downloads/kaizawa/openvpn-patch/tun.c.2.1.3">tun.c.2.1.3</a></td> <td><a href="http://github.com/downloads/kaizawa/openvpn-patch/patch.openvpn-2.1.3.tun.c">patch.openvpn-2.1.3.tun.c</a></td> <td>31th Aug 2010</td> </tr> <tr> <td>2.2.0 -</td><td>n/a</td> <td>n/a</a></td> <td></td> </tr> </table> <br> <li>How to apply <br><br> <ul> <li><b>By replacing file</b> <br> Put tun.c on the directory where you extracted source code of OpenVPN, and swap existing tun.c file for it.<br> Please note that you should rename tun.c.<version> to tun.c file. <br> <li><b>By patch(1) command</b> <br> If you want to apply patch(1), put patch.openvpn-xxx.tun.c on the directory where you extracted source code of OpenVPN, and run patch(1) command like as below.<br> <pre> $ patch -p1 < patch.openvpn-xxxx.tun.c </pre> </ul> NOTE: Please download appropriate file which correspond to the version of OpenVPN.<br> Otherwise, you'll get an error while building a openvpn binary. </ul> <hr> <a name="bridge"><h3>Bridge module</h3></a> <ul> <li><a href="https://github.com/kaizawa/bridge/tarball/master">bridge.tar.gz</a> (Last Update: 14 Dec 2009) <li><a href="http://github.com/kaizawa/bridge">Source</a><p> After extracting bridge.tar.gz file, run './configure', 'make', and 'make install'. 'brdg' and brdgadm will be built and installed on your system.<br> Where 'brdg' is a STREAMS module which enables briging 2 interfaces. And where 'brdgadm' is a configuration command to add/delete bridge interfaces. <pre> Usage: brdgadm [ -a interface | -d interface] Options: -a interface : Add interface as port -d interface : Delete interface from port list -l : List all interfaces in port list </pre> See following sample configuration. <h4>Network configuration</h4> <img src="./network_config.png"><br> HostB is a router which is connected to 2 networks. By installing TAP and OpenVPN on HostB and HostC, I try to join HostC to Network1 through OpenVPN.<p> <ol> <li> On HostB, install TAP driver and OpenVPN, and then configure it as bridging server using server-bridge option. <pre> ------------- dev tap proto tcp-server server-bridge 10.0.0.90 255.0.0.0 10.0.0.10 10.0.0.30 client-to-client ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/u1.crt key /etc/openvpn/keys/u1.key # This file should be kept secret dh /etc/openvpn/keys/dh1024.pem -------------- </pre> Then, run openvpn </li> <li>On HostB, make and install bridge module. <ol> <li>Extrace bridge.tar.gz <pre> # gunzip -c bridge.tar.gz | tar xvf - </pre> </li> <li>Make bridge moduel(brdg) and control command(brdgadm) <pre> # ./configure # make # make install </pre> </li> </ol> </li> <li>On HostB, setting up bridge. <pre> # /usr/local/bin/brdgadm -a tap0 # /usr/local/bin/brdgadm -a hme1 </pre> where hme1 is a network interface connected with Network1. As a result, tap0 and hme1 is bridged. At this time, ifconfig looks like as below. <pre> hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 172.29.73.90 netmask ffffff00 broadcast 172.29.73.255 ether 8:0:20:91:a6:90 hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4 inet 10.0.0.90 netmask ff000000 broadcast 10.255.255.255 ether 8:0:20:91:a6:90 tap0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5 inet 0.0.0.0 netmask 0 ether a:0:20:14:32:52 </pre></li> <li>On HostC, install TAP driver and openvpn, and configure it as a client. <pre> ------------ remote HostB proto tcp-client dev tap client persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/onnv01.crt key /etc/openvpn/keys/onnv01.key ----------- </pre> Then, run openvpn. At this time, ifconfig on HostC looks like as below. <pre> hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 172.29.73.55 netmask ffffff00 broadcast 172.29.73.255 ether 8:0:20:c6:69:c7 tap0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4 inet 10.0.0.10 netmask ff000000 broadcast 10.255.255.255 ether a:0:20:53:71:52 </pre></li> </ol> Now, HostC joins Network1 via tap0 interface through openvpn.<P> <b>But, please note that there's some limitation.. HostC can't communicate with HostB using a bridged IP address on HostB.</b> I mean, ping 10.0.0.90 on HostC won't work. <p> <img src="./brdg_issue_en.png"> <ol> <li>Ethernet packet from OpenVPN headed to HostB is passed to TAP driver. <li>TAP driver forwards packet to bridge module. <li>Bridge module forwards packet to hme driver as RAW data. <li>hme driver transfer the packet to the wire, but never forward it to IP module. </ol><p> Of course, HostC can communicate with all the other hosts on Network1, but.. it can't communicate with bridged IP address of bridge server.<p> One more note. Once openvpn running on HostB is terminated, bridge setting will be invalidated. So, after executing 2nd openvpn on HostB, you need to re-setup the bridge again.<p> First, you need to drop existing settings. <pre> # /usr/local/bin/brdgadm -d hme1 # /usr/local/bin/brdgadm -d tap0 </pre> Then, re-setup bridge. <pre> # /usr/local/bin/brdgadm -a hme1 # /usr/local/bin/brdgadm -a tap0 </pre> </ul> <hr> <a name="tunctl"><h3>tunctl command for Solaris</h3></a> <ul> <li><a href="https://github.com/kaizawa/tunctl/tarball/master">tunctl.tar.gz (v0.1.0)</a> (Last Update: 27th Nov 2011) <li><a href="http://github.com/kaizawa/tunctl">Source</a><p> This is a Solaris version of tunctl command which was originally written by Jeff Dike.<br> The tunctl command enables administrator to preconfigure a TUN/TAP device. This command would be useful for testing, or for those who wants to use tun/tap interface just as a virtual interface.<br><br> After extracting tuncntl.tar.gz file, run './configure', 'make', and 'make install'.<br> By default, tunctl command is installed in /usr/local/bin<br><br> NOTE:<br> This Solaris version of tunctl command doesn't support the -u option, which enables administrator to specify an user who can use the interface.<br><br> Example)<br> Create tap0 interface <pre> # /usr/local/bin/tunctl -t tap0 Set 'tap0' persistent # </pre> Delete tap0 interface <pre> # /usr/local/bin/tunctl -d tap0 # </pre> </pre> </ul> <hr> <a name="test"><h3>Tested Solaris versioin</h3></a> I've tested on following Solaris version and platform. <ul> <li>32 bit Solaris 9 on x86. <li>32 bit Solaris 9 on sparc. <li>64 bit Solaris 9 on sparc. <li>32 bit Solaris 10 on x86. <li>64 bit Solaris 10 on sparc. <li>64 bit Solaris 10 on x64. <li>32 bit OpenSolaris snv_101b on x86. <li>64 bit OpenSolaris snv_101b on sparc. <li>64 bit OpenSolaris snv_101b on x64. <li>32 bit Solaris 11 Express on x86. <li>32 bit OpenIndiana oi_148 on x86. <li>64 bit Solaris 11 Early Adoper svn_173 on x64. <li>64 bit Solaris 11 on x64. <li>64 bit Solaris 11 on sparc. </ul> <hr> <a name="change"><h3>Change log</h3></a> <ul> <li>05/08/2006<br> <ul> <li>Modified tun_unitdata_req() to work on x86 Solaris 9 </ul> <li>05/12/2006<br> <ul> <li>Added tun_generate_mac_addr() to generate MAC address for tap device. </ul> <li>10/09/2006<br> <ul> <li>Confirmed that the driver was able to work with OpenVPN 2.0.9.<br> And also confirmed that tun.c file included in OpenVPN 2.0.9 has not been changed. <br> So the above tun.c file can be compiled with OpenVPN 2.0.9 as well. </ul> <li>11/05/2006<br> <ul> <li>In tun_ioctl() of tap driver, reverted to original TUN/TAP driver's code which retrieves ppa from user program. <li>In open_tun() of openvpn, changed it to use I_STR ioctl command to pass ppa to tap driver. <br> This will allow openvpn to specify instance number using 'dev' option, like "dev tap7". </ul> <li>01/03/2007<br> <ul> <li>Added comments about bridge module. </ul> <li>02/21/2007<br> <ul> <li>Modified brdgadm.c file to make it to be able to handle e1000g. <li>Modified brdgadm.c file to make it to be able to handle instance number <li>Modified configure script of both bridge module and tun/tap driver to be able to build modules on x64 Solaris. </ul> <li>03/22/2007<br> <ul> <li>Removed unnecessary debug code from brdgadm.c. </ul> <li>06/25/2007<br> <ul> <li>Added "-mno-red-zone" compile option for amd64. </ul> <li>09/24/2007<br> <ul> <li>Modified Makefile.in for brdgadm command, so that it allows to specify installation directory by --prefix option of configure script. </ul> <li>12/07/2008<br> <ul> <li>Modified tun.c file of OpenVPN file to make it be able to be compiled with openvpn 2.1. </ul> <li>04/30/2009<br> <ul> <li>Modified Makefile.in and configure.in script to check whether ld is GNU ld or Solaris bundled ld command. <li>Modified configure.in script to be able to build 32bit module on 64bit environment using --disable-64bit. <li>Modified Makefile.in to be able to specify target directory using DESTDIR macro. </ul> <li>05/20/2009<br> <ul> <li>Modified configure.in and changed the way of checking GNU ld because latest OpenSolaris ld has --version option. <li>Modified openvpn patch file(tun.c) and make openvpn commnad won't fail because of failure of I_POP ioctl command. </ul> <li>06/07/2009<br> <ul> <li>Modified configure.in, Makefile.in and make it be able to build using Sun Studio Compiler.(Tested on Sun Studio 12) </ul> <li>09/14/2009<br> <ul> <li>Added -xmodel=kernel option for Sun Studio compiler on amd64 platform.</br> (Formerly loading the driver failed with relocation error) </ul> <li>11/16/2009<br> <ul> <li>Added ipv6 support to tun driver as required by <a href="http://www.infradead.org/openconnect.html">OpenConnect VPN Client</a><br> </ul> <li>11/18/2009<br> <ul> <li>Modified tun.c of OpenVPN 2.1_rc21 and set ipv6_explicitly_supported to true for Solaris.<br> </ul> <li>12/14/2009<br> <ul> <li>Added -xmodel=kernel option to configure script of bridge module for Sun Studio compiler on amd64 platform. </ul> <li>04/29/2010<br> <ul> <li>Merged chages on tun.c of OpenVPN 2.1.1.<br> </ul> <li>08/31/2010<br> <ul> <li>Merged chages on tun.c of OpenVPN 2.1.3.<br> </ul> <li>09/17/2010<br> <ul> <li>Moved all download files to github repository. </ul> <li>04/29/2011<br> <ul> <li>Tested on Oracle Solaris 11 Express and OpenIndiana 148. </ul> <li>06/11/2011<br> <ul> <li>Set default prefix for tun/tap driver, so that files would be copied to right directory. </ul> <li>09/19/2011<br> <ul> <li>brdgadm: replaced strncpy with strlcpy. </ul> <li>10/23/2011<br> <ul> <li>tuntap: Changed tun.c configure.in to be able to build on Solaris 11 EA (snv_173).<br> Because snv_173 doesn't have ddi_power kernel function and DDI_PM_SUSPEND macro. </ul> <li>11/16/2011<br> <ul> <li>tuntap: Changed configure.in to use uname -r for version checking instead of uname -v. </ul> <li>11/27/2011<br> <ul> <li>tunctl: Stopped using text file to store muxid, instead store muxid to ip module by SIOCSLIFMUXID ioctl command. </ul> <li>12/06/2011<br> <ul> <li>tuntap: Modified configure scrip to use -mcmodel=large for gcc-45. This enable driver compiled by gcc-45 to be loaded to the system without err(e.g relocation error: R_AMD64_32) </ul> <li>07/17/2012<br> <ul> <li>tuntap: Improved throughput perfomance by increasing q_hiwat of read side stream head queue.<br> </ul> <li>07/07/2013<br> <ul> <li>tuntap: Changed option for GNU ld, from elf_x86_64 to elf_x86_64_sol2 <li>tuntap: Added test script </ul> <li>12/14/2014<br> <ul> <li>tunctl: Fixed to make tunctl bring tap interface up. </ul> <hr> <br> I wrote this just for fun. Since this has not been tested well, please DON'T install this on production system. Use this at your own risk.<br> But your advice or comment would be appreciated. <p> <p> ---<br> Kazuyoshi Aizawa <admin2@whiteboard.ne.jp><br> 28th Apr 2006 ---<br> This page and illustrations above were downloaded for packaging from <a href="http://www.whiteboard.ne.jp/~admin2/tuntap/">http://www.whiteboard.ne.jp/~admin2/tuntap/</a> on 19th Nov 2016 and mildly modified (removed ad scripts and added this footer). <hr> </body> </html>