Choosing the Right VPN for NexentaStor
When you’re running NexentaStor in a data centre or as part of your storage infrastructure, you need a VPN solution that integrates seamlessly with its Illumos-based kernel, the pkg package manager, and the headless nature of the appliance. Unlike more desktop‐oriented Linux distros, NexentaStor often runs without a graphical environment, relying on SSH and a web UI for configuration. It doesn’t support Linux kernel modules like WireGuard, so we’re looking at purely user‐space or IPSec‐based solutions.
Our criteria:
- Compatibility with Illumos and pkg.
- CLI-only or simple scriptable setup.
- No requirement for custom kernel modules.
- Strong encryption and active community support.
With that in mind, the top contenders are:
- OpenVPN – battle-tested, user-space, can run entirely from /usr/bin.
- strongSwan – a robust IPSec implementation that works well via CLI.
- Tinc – mesh VPN in user‐space, useful for clustering.
Comparison Table
| VPN | Protocol | Illumos Support | Interface | Encryption | Package Name |
|---|---|---|---|---|---|
| OpenVPN | SSL/TLS | Yes | CLI | AES‐256, TLS 1.2 | openvpn |
| strongSwan | IPSec (IKEv2) | Yes | CLI | AES‐256, SHA2 | strongswan |
| Tinc | Custom mesh | Yes | CLI | Blowfish, AES | tinc |
Installing and Configuring the Top VPNs
1. OpenVPN
OpenVPN is a versatile SSL‐based VPN that runs entirely in user‐space, making it perfect for NexentaStor.
Installation
# pkg refresh
# pkg install openvpn
Basic Configuration
Create a client configuration in /opt/local/etc/openvpn/client.conf (adjust paths if required):
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /opt/local/etc/openvpn/ca.crt
cert /opt/local/etc/openvpn/client.crt
key /opt/local/etc/openvpn/client.key
cipher AES-256-CBC
auth SHA256
verb 3
To start the service:
# svccfg import /opt/local/etc/svc/manifest/openvpn.xml
# svcadm enable network/openvpn:default
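Before enabling the service it is worth confirming that client.conf really points at certificate and key files that exist, that the private key is not readable by other users, and that the cipher and auth directives were not dropped or weakened while editing. The script below is an added example, not part of NexentaStor, OpenVPN or the original article; `check_openvpn_conf` and `make_sample_conf` are names chosen here, and the placeholder certificate files it writes are constructed data.

```shell
# Added example, not NexentaStor's or OpenVPN's code: audit a client.conf before
# enabling the service. Checks directive presence, ca/cert/key file existence, private
# key permissions and AES-256 cipher, using only POSIX tools (grep, awk, ls, cut).

# check_openvpn_conf CONF -> status 0 when every check passes, 1 otherwise
check_openvpn_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "unreadable config: $conf" >&2; return 1; }
    dir=$(dirname "$conf")
    for d in client remote ca cert key cipher auth; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$conf" \
            || { echo "missing directive: $d" >&2; rc=1; }
    done
    for d in ca cert key; do
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        [ -n "$f" ] || continue
        case $f in /*) ;; *) f=$dir/$f ;; esac    # relative paths resolve beside the config
        if [ ! -f "$f" ]; then echo "$d file not found: $f" >&2; rc=1; continue; fi
        if [ "$d" = key ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "private key $f is group- or world-accessible" >&2; rc=1
        fi
    done
    grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-256-' "$conf" \
        || { echo "cipher is not an AES-256 mode" >&2; rc=1; }
    return $rc
}

# make_sample_conf DIR -> writes the client.conf from this article into DIR with its
# ca/cert/key paths pointed at placeholder files created there (constructed data).
make_sample_conf() {
    dir=$1
    for f in ca.crt client.crt client.key; do printf 'placeholder\n' > "$dir/$f"; done
    chmod 600 "$dir/client.key"
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
cipher AES-256-CBC
auth SHA256
verb 3
EOF
}
```

Run `check_openvpn_conf /opt/local/etc/openvpn/client.conf` on the appliance; a non-zero exit status with the reason on stderr means the service should not be enabled yet.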
2. strongSwan
strongSwan is an IPSec solution favouring IKEv2, robust enough for production storage environments.
Installation
# pkg refresh
# pkg install strongswan
Basic Configuration
Edit /etc/ipsec.conf:
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn storage-vpn
    keyexchange=ikev2
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256
    left=%any
    leftcert=serverCert.pem
    leftid=@storage.example.com
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    auto=add
Create /etc/ipsec.secrets for PSK or user credentials:
: RSA serverKey.pem
user1 : EAP strongpassword
Enable and start the service:
# svcadm enable network/strongswan:default
# ipsec statusall
3. Tinc (optional)
Tinc is ideal for mesh topologies between multiple NexentaStor nodes.
Installation
# pkg refresh
# pkg install tinc
Basic Configuration
Create a network directory /etc/tinc/storagenet:
# mkdir -p /etc/tinc/storagenet/hosts
# cd /etc/tinc/storagenet
# tincd -n storagenet -K4096
Edit tinc.conf:
Name = storagenode1
Interface = tun0
In hosts/storagenode1:
Address = 203.0.113.10
Port = 655
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA...
-----END RSA PUBLIC KEY-----
Start tinc:
# tincd -n storagenet
# tincctl -n storagenet connect storagenode2
Conclusion
For NexentaStor’s headless, Illumos‐based environment, OpenVPN and strongSwan stand out as the most robust and package‐friendly choices. Tinc offers an interesting mesh option for multi‐node clusters. Each integrates well with pkg and the service management framework, making them ideal for secure storage networks in production.