13 Replies Latest reply: Jan 15, 2012 4:15 PM by 902160

    OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed

    Isti
      Hi,

      I just installed Solaris 11 (using the live CD) and then OpenConnect 3.14 (from ftp://ftp.infradead.org/pub/openconnect/openconnect-3.14.tar.gz). The install looks fine (at least to me):

      root@isol:~# ldd /usr/local/sbin/openconnect
           libopenconnect.so.1 =>     /usr/local/lib/libopenconnect.so.1
           libssl.so.1.0.0 =>     /lib/libssl.so.1.0.0
           libcrypto.so.1.0.0 =>     /lib/libcrypto.so.1.0.0
           libsocket.so.1 =>     /lib/libsocket.so.1
           libnsl.so.1 =>     /lib/libnsl.so.1
           libc.so.1 =>     /lib/libc.so.1
           libxml2.so.2 =>     /lib/libxml2.so.2
           libproxy.so.0 =>     /usr/lib/libproxy.so.0
           libz.so.1 =>     /lib/libz.so.1
           libgcc_s.so.1 =>     /usr/lib/libgcc_s.so.1
           libmp.so.2 =>     /lib/libmp.so.2
           libmd.so.1 =>     /lib/libmd.so.1
           libpthread.so.1 =>     /lib/libpthread.so.1
           libm.so.2 =>     /lib/libm.so.2
      root@isol:~#

      However when I try to use openconnect I get:
      **open /dev/tun: No such file or directory**
      **Set up tun device failed**

      root@isol:~# /usr/local/sbin/openconnect --script /home/xyz/Downloads/vpnc-script https://myaccess.oraclevpn.com
      Attempting to connect to 193.9.13.212:443
      SSL negotiation with myaccess.oraclevpn.com
      Connected to HTTPS on myaccess.oraclevpn.com
      GET https://myaccess.oraclevpn.com/
      Got HTTP response: HTTP/1.0 302 Temporary moved
      Attempting to connect to 193.9.13.213:443
      SSL negotiation with london-twvpn-1.oraclevpn.com
      Connected to HTTPS on london-twvpn-1.oraclevpn.com
      GET https://london-twvpn-1.oraclevpn.com/
      Got HTTP response: HTTP/1.0 302 Object Moved
      SSL negotiation with london-twvpn-1.oraclevpn.com
      Connected to HTTPS on london-twvpn-1.oraclevpn.com
      GET https://london-twvpn-1.oraclevpn.com/webvpn+/index.html+
      Please enter your username and password.
      Username:xyz_cc
      Password:
      POST https://london-twvpn-1.oraclevpn.com/webvpn+/index.html+
      Got CONNECT response: HTTP/1.1 200 OK
      CSTP connected. DPD 30, Keepalive 20
      open /dev/tun: No such file or directory
      Set up tun device failed


      If I do a
      root@isol:~# ndd -get /dev/ip \?
      I get (read and write) for all parameters.

      Any hint/suggestion/assist is appreciated.
        • 1. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
          User204400 -Oracle
          Hello

          From the openconnect webpage, you have this comment for Solaris & Mac OS X:
          http://www.infradead.org/openconnect/building.html

          TUN/TAP driver
          Mac OS X users will also need to install the Mac OS X tun/tap driver, and Solaris/OpenIndiana users will need the Solaris one. Note that for IPv6 support, the Solaris tun/tap driver from 16th Nov 2009 or newer is required.

          I suppose this driver is missing

          Rgds
          • 2. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
            Isti
            Hi,

            Thank you for taking the time to provide some advice.

            I did install previously "Universal TUN/TAP device driver(i386) 1.1,REV=2010.11.09.10.19+" using a tuntap-5.11-i386.1.1.pkg. I ended with "Installation of <tuntap> was successful."
            I tried to install also the one suggested by the page referenced by you, but the 'make install' ended up in a warning:
            Driver (tun) successfully added to system but failed to attach

            root@isol:~/Downloads/kaizawa-tuntap-6ddbe04# ls
            configure configure.in if_tun.h install-sh Makefile.in README tap.conf tun.c tun.conf
            root@isol:~/Downloads/kaizawa-tuntap-6ddbe04# ./configure
            checking for gcc... gcc
            checking for C compiler default output file name... a.out
            checking whether the C compiler works... yes
            checking whether we are cross compiling... no
            checking for suffix of executables...
            checking for suffix of object files... o
            checking whether we are using the GNU C compiler... yes
            checking whether gcc accepts -g... yes
            checking for gcc option to accept ISO C89... none needed
            checking for a BSD-compatible install... /usr/bin/ginstall -c
            checking for isainfo... yes
            configure: creating ./config.status
            config.status: creating Makefile

            root@isol:~/Downloads/kaizawa-tuntap-6ddbe04# make
            gcc -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DTUN_VER=\"1.2.0\ 11/17/2011\" -g -O2 -DSOL11 -Wall -m64 -mcmodel=kernel -mno-red-zone -D_KERNEL -I. -c tun.c -o tun.o -DTUNTAP_TUN
            ld -r -o tun tun.o
            gcc -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DTUN_VER=\"1.2.0\ 11/17/2011\" -g -O2 -DSOL11 -Wall -m64 -mcmodel=kernel -mno-red-zone -D_KERNEL -I. -c tun.c -o tap.o -DTUNTAP_TAP
            ld -r -o tap tap.o

            root@isol:~/Downloads/kaizawa-tuntap-6ddbe04# make install
            /usr/bin/ginstall -c -d -m 0755 -o root -g bin /usr/include/net
            /usr/bin/ginstall -c -d -m 0755 -o root -g sys /usr/kernel/drv/amd64
            /usr/bin/ginstall -c -m 644 -o root -g root if_tun.h /usr/include/net
            /usr/bin/ginstall -c -m 644 -o root -g root tun /usr/kernel/drv/amd64
            /usr/bin/ginstall -c -m 644 -o root -g root tap /usr/kernel/drv/amd64
            /usr/bin/ginstall -c -m 644 -o root -g root tun.conf /usr/kernel/drv
            /usr/bin/ginstall -c -m 644 -o root -g root tap.conf /usr/kernel/drv
            [ -z "" ]&& /usr/sbin/rem_drv tun >/dev/null 2>&1
            [ -z "" ]&& /usr/sbin/rem_drv tap >/dev/null 2>&1
            [ -z "" ]&& /usr/sbin/add_drv tun     
            devfsadm: driver failed to attach: tun
            Warning: Driver (tun) successfully added to system but failed to attach
            [ -z "" ]&& /usr/sbin/add_drv tap
            devfsadm: driver failed to attach: tap
            Warning: Driver (tap) successfully added to system but failed to attach
            root@isol:~/Downloads/kaizawa-tuntap-6ddbe04#

            If I do:
            root@isol:~# /usr/sbin/add_drv -v tun
            Driver (tun) is already installed.
            root@isol:~# /usr/sbin/add_drv -v tap
            Driver (tap) is already installed.

            but openconnect still has the same issue. Any further thoughts on this?

            root@isol:~# uname -a
            SunOS isol 5.11 11.0 i86pc i386 i86pc
            • 3. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
              901896
              Yes, I'm encountering the same issues.

              It's worth noting that after upgrading a machine with S11 Express to S11, tun/tap continued to work, although installing it fresh on 11/11 claims to be successful, but /dev/tun is missing.
              • 4. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                902160
                Hi Isti,

                These forums have been down for the last week so I responded here (not the top post; the sixth or seventh comment):

                https://m.google.com/app/plus/mp/784/#~loop:aid=z13uhtggbxatdfycw22rudxazuevzbgns&view=activity
                • 5. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                  901896
                  Hi 899157,

                  Did you find a solution for this problem? I do not have a Google account, nor do I wish to accept their terms for using my location data, or sell them my mother's kidney... but I would very much like to find a resolution to this issue.

                  Thanks
                  M.
                  • 6. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                    902160
                    Sorry, wrong URL. This one should not require login...
                    https://plus.google.com/113990329890790578682/posts/5qpUJD3ukXV
                    • 8. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                      901896
                      That'd explain it...

                      Nov 25 23:05:54 lolly genunix: [ID 819705 kern.notice] /kernel/drv/amd64/tun: undefined symbol
                      Nov 25 23:05:54 lolly genunix: [ID 826211 kern.notice] 'ddi_power'
                      Nov 25 23:05:54 lolly genunix: [ID 472681 kern.notice] WARNING: mod_load: cannot load module 'tun'
                      Nov 25 23:05:54 lolly genunix: [ID 819705 kern.notice] /kernel/drv/amd64/tap: undefined symbol
                      Nov 25 23:05:54 lolly genunix: [ID 826211 kern.notice] 'ddi_power'
                      Nov 25 23:05:54 lolly genunix: [ID 472681 kern.notice] WARNING: mod_load: cannot load module 'tap'

                      The module isn't loading.
                      • 9. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                        902160
                        Since this forum seems to be down every time I try to log in, I responded again at the G+ link above. Please post there or use email if you reply.
                        • 10. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                          User13154322-Oracle
                          Isn't tun a default driver in Solaris (iptun)?

                          Edited by: user13154322 on Dec 9, 2011 7:11 AM
                          • 11. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                            901896
                            Yeah, it turns out you need to recompile on the latest version - and you need to use Sun Studio cc and manually modify the Makefile to add the CC flag -xmodel=kernel for AMD machines.

                            I got there in the end :)
                            • 12. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                              user13512673
                              Here you can find a how-to for configuring OpenConnect on Solaris 11.

                              *1. Install Solaris 11 11/11 Developer Tools*


                              *1.1 Environment*

                              root@pegasus:/home/marco/Downloads# cat /etc/release
                              Oracle Solaris 11 11/11 X86
                              Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
                              Assembled 18 October 2011

                              root@pegasus:/home/marco/Downloads# uname -a
                              SunOS pegasus 5.11 11.0 i86pc i386 i86pc

                              root@pegasus:/home/marco/Downloads# isainfo -n
                              amd64

                              root@pegasus:/home/marco/Downloads#

                              root@pegasus:~# pkg publisher
                              PUBLISHER TYPE STATUS URI
                              solaris origin online file:///export/repoSolaris11/
                              root@pegasus:~#

                              root@pegasus:~# pkg search developer-gnu
                              INDEX ACTION VALUE PACKAGE
                              pkg.fmri set solaris/group/feature/developer-gnu pkg:/group/feature/developer-gnu@0.5.11-0.175.0.0.0.2.2576

                              root@pegasus:~# pkg install developer-gnu

                              root@pegasus:~# pkg info developer-gnu
                              Name: group/feature/developer-gnu
                              Summary: GNU Development Tools for Oracle Solaris
                              Description: Provides a set of GNU tools for developing C, C++, Fortran and
                              Objective C programs on Oracle Solaris
                              Category: Development/C (org.opensolaris.category.2008)
                              Development/C++ (org.opensolaris.category.2008)
                              Development/Fortran (org.opensolaris.category.2008)
                              Development/GNU (org.opensolaris.category.2008)
                              Development/Objective C (org.opensolaris.category.2008)
                              Development/Suites (org.opensolaris.category.2008)
                              Meta Packages/Group Packages (org.opensolaris.category.2008)
                              State: Installed
                              Publisher: solaris
                              Version: 0.5.11
                              Build Release: 5.11
                              Branch: 0.175.0.0.0.2.2576
                              Packaging Date: October 20, 2011 06:36:03 AM
                              Size: 5.45 kB
                              FMRI: pkg://solaris/group/feature/developer-gnu@0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063603Z
                              root@pegasus:~#

                              *2. Install Tun/Tap - tuntap.tar.gz (Last Update: 6th Dec 2011)*

                              tar zxvf kaizawa-tuntap-v1.2.2-0-gaa5a0e3.tar.gz
                              cd kaizawa-tuntap-aa5a0e3
                              ./configure
                              make
                              make install

                              Note: Ignore the errors in the install process.

                              *3. Install OpenConnect 3.15*

                              cd openconnect-3.15
                              ./configure --disable-nls
                              make
                              make install

                              *4. Configure OpenConnect*

                              chmod +x vpnc-script
                              mv vpnc-script /usr/local/sbin

                              Add the following line to .profile

                              alias oracle_vpn='/usr/local/sbin/openconnect --script /usr/local/sbin/vpnc-script --user=USERNAME https://myaccess.oraclevpn.com'

                              Then run .profile

                              . .profile

                              Now just run the alias like this:

                              oracle_vpn

                              Edited by: Marco Trujillo C. on Jan 27, 2012 6:01 PM
                              • 13. Re: OpenConnect 3.14 VPN on Solaris 11 - Set up tun device failed
                                902160
                                Thanks for writing that up.

                                However, as a general rule it's better to make sure you get software from the original location, and check its signature if possible. That way, you're less likely to end up running 'trojaned' software. That's especially true for something security-related like VPN software.

                                Of course, I'm not suggesting that the version you've put on your(?) site is hacked, as far as I can tell it's perfectly fine at least for the moment. But it makes me cringe a little if you 'educate' users to do something unsafe. It's like when banks send email that isn't S/MIME-signed; they are actively training their customers to succumb to phishing fraud.

                                So I'd prefer that the instructions used the original URL ftp://ftp.infradead.org/pub/openconnect/openconnect-3.15.tar.gz and perhaps also advised people to fetch the openconnect-3.15.tar.gz.asc file containing the PGP signature, and check it thus:

                                $ gpg --verify openconnect-3.15.tar.gz.asc
                                gpg: Signature made Sat 26 Nov 2011 03:41:33 EST using RSA key ID 67E2F359
                                gpg: Good signature from "David Woodhouse <dwmw2@infradead.org>"
                                gpg: aka "David Woodhouse <david@woodhou.se>"
                                gpg: aka "David Woodhouse <dwmw2@kernel.org>"
                                gpg: aka "David Woodhouse <dwmw2@exim.org>"

                                Edited by: 899157 on Jan 15, 2012 2:14 PM
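
The signature check recommended in the last reply, as an added example that is not part of the original thread: `gpg --verify` reports a good signature for any key in the keyring, so this sketch parses gpg's machine-readable status lines and accepts the tarball only when the signer is one pinned key. The function names and the sample fingerprints are constructed for illustration; the thread gives only the short key ID 67E2F359, so the full fingerprint to pin has to be obtained from the signer out of band.

```shell
#!/bin/sh
# Added example: accept a release only when gpg reports a valid signature
# made by one pinned key. Function names are hypothetical.

# sig_status_ok PINNED_FPR
# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if
# there is exactly one VALIDSIG, its primary-key fingerprint equals
# PINNED_FPR, and gpg reported no failure status.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
        END { exit !(n == 1 && !bad && want != "" && toupper(fpr) == want) }
    '
}

# verify_release TARBALL SIGNATURE PINNED_FPR
# e.g. verify_release openconnect-3.15.tar.gz openconnect-3.15.tar.gz.asc "$FPR"
verify_release() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_status_ok "$3"
}

# Constructed sample input: made-up fingerprints, not real keys.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
sample_status() {   # $1 = fingerprint of the key that made the signature
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG $(printf '%s' "$1" | cut -c25-40) Constructed Signer" \
        "[GNUPG:] VALIDSIG $1 2011-11-26 1322296893 0 4 0 1 2 00 $1"
}

# A signature from the pinned key passes. One from another key in the keyring
# also yields GOODSIG and gpg exit status 0, but is rejected here.
sample_status "$FPR_A" | sig_status_ok "$FPR_A" && echo "pinned key: accept"
sample_status "$FPR_B" | sig_status_ok "$FPR_A" || echo "unexpected key: reject"
```

Run `verify_release` before unpacking and building, and stop if it returns non-zero.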