How to choose, use and configure a VPN in SmartOS (My opinion)

SmartOS, Joyent’s illumos‐based cloud‐optimised distro, isn’t your average Linux flavour. It runs on a ZFS root, employs pkgsrc (via pkgin) for package management, and leans heavily on Solaris-style SMF services rather than systemd. Most users administer it via SSH in a global zone or in containerised SmartMachines; only a handful spin up an Xfce or LXDE local zone for GUI work. Kernel module support is very limited, so user-space VPNs or pure-Go implementations are often the only way to go.

Given these peculiarities, we recommend these VPN clients for SmartOS:

  • OpenVPN – tried-and-trusted SSL/TLS solution, fully packaged in pkgsrc with an SMF manifest.
  • WireGuard (via wireguard-go) – modern, super-fast, all in user‐space.
  • OpenConnect – Cisco AnyConnect-compatible, light on dependencies.
  • SoftEther VPN – multi-protocol, but needs a source build on illumos.

VPN Comparison for SmartOS

VPN | Protocol | pkgsrc Official | Kernel Modules | Performance | Ideal For
OpenVPN | SSL/TLS (UDP/TCP) | Yes (openvpn) | No | Good | General purpose remote access
WireGuard | WireGuard (UDP) | Yes (wireguard-tools, wireguard-go) | No (user-space) | Excellent | High throughput, low latency
OpenConnect | AnyConnect SSL/TLS | Yes (openconnect) | No | Good | Corporate VPNs
SoftEther VPN | SSL/TCP, L2TP/IPsec, OpenVPN | Partially (manual build) | No | Good | Multi-protocol flexibility

Installation and Configuration

1. OpenVPN

OpenVPN is well supported in pkgsrc and comes with an SMF manifest. Perfect for classic site-to-site or remote-access setups.

Steps:

# pkgin update
# pkgin install openvpn
# cp /opt/local/share/examples/openvpn/server.conf /opt/local/etc/openvpn/server.conf
# vi /opt/local/etc/openvpn/server.conf      # adjust ports, certificates, keys
# svcadm enable pkgsrc:openvpn               # start OpenVPN service
# svcs -l pkgsrc:openvpn                     # verify status
  

The client config lives under /opt/local/etc/openvpn/client.conf, and can be launched via the same SMF service (replace server with client in service name) or run manually:

# openvpn --config /opt/local/etc/openvpn/client.conf
  

2. WireGuard (wireguard-go)

Since SmartOS won’t load unsigned kernel modules, we use wireguard-go for a pure user-space tunnel. It’s blisteringly fast and easy to script.

Steps:

# pkgin update
# pkgin install wireguard-tools wireguard-go
# mkdir -p /etc/wireguard
# cd /etc/wireguard
# umask 077                                  # key files must not be readable by group/other
# wg genkey | tee privatekey | wg pubkey > publickey
# cat > wg0.conf << EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = (paste your privatekey)

[Peer]
PublicKey = (paste peer publickey)
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
EOF

# ifconfig wg0 create
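# wg setconf wg0 /etc/wireguard/wg0.conf     # takes wg(8) keys only: drop the Address line (a wg-quick key) from the file and assign the address with ifconfig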
# ifconfig wg0 up
# route add -net 0.0.0.0/0 -iface wg0
  

Drop these commands into an SMF manifest if you want auto-start; otherwise, wrap them in a simple init script under /opt/local/etc/rc.d/.
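
A pre-flight check for the wg0.conf built above, as an added example that is not part of the original article: it flags a key file readable beyond its owner, keys that wg setconf does not accept (Address is a wg-quick key), and placeholders that were never replaced. The function name check_wg_conf and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# check_wg_conf is a hypothetical helper name, not part of wireguard-tools.
check_wg_conf() {
    conf=$1
    findings=0

    # 1. The file holds PrivateKey: group/other must have no access.
    perms=$(ls -ln "$conf" | awk '{ print substr($1, 5, 6) }')
    if [ "$perms" != "------" ]; then
        echo "PERMS: readable beyond owner, run chmod 600"
        findings=$((findings + 1))
    fi

    # 2. Keys outside the wg(8) set (Address, DNS, MTU, ... are wg-quick(8)
    #    extensions) make `wg setconf` reject the file.
    ok='^(privatekey|listenport|fwmark|publickey|presharedkey|allowedips|endpoint|persistentkeepalive)$'
    bad=$(awk -F= -v ok="$ok" '
        /^[ \t]*#/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }
        { k = $1; gsub(/[ \t]/, "", k); if (tolower(k) !~ ok) print k }
    ' "$conf")
    for k in $bad; do
        echo "KEY: $k is not accepted by wg setconf"
        findings=$((findings + 1))
    done

    # 3. Template placeholders that were never replaced with real keys.
    if grep -q '(paste' "$conf"; then
        echo "PLACEHOLDER: key placeholder still present"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]   # exit status 0 only when the file is clean
}

# Constructed sample: the wg0.conf from the steps above, world-readable.
sample=$(mktemp)
cat > "$sample" << 'EOF'
[Interface]
Address = 10.0.0.2/24
PrivateKey = (paste your privatekey)

[Peer]
PublicKey = (paste peer publickey)
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
EOF
chmod 644 "$sample"
check_wg_conf "$sample" || true
```

Run it from the SMF start method or init script before wg setconf and abort the start when it returns non-zero.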

3. OpenConnect

OpenConnect excels when you need Cisco AnyConnect compatibility. No fuss, no kernel bits, just a single binary.

# pkgin update
# pkgin install openconnect

# openconnect --protocol=anyconnect vpn.company.local \
    --user=yourname --passwd-on-stdin << EOF
yourpassword
EOF
  

Store your password in a keychain or environment variable for automation. Use --background and --script=/opt/local/bin/vpnc-script to integrate with SMF or your own startup routines.
