This tutorial will help you to set up a VPN tunnel on your Android device using tomatousb (with openvpn) firmware on your router.
from http://wiki.cyanogenmod.com/wiki/OpenVPN
Setup
You need to pack your certificate and keys into one file and put it on the SD card. Then go to Security and import it; after that you can configure your OpenVPN connection.
If you are lacking the tun/tap module, you need to find it and load it. This post links to a few places to find a tun.ko file. The commands are something like the following:
# Copy the file to the phone's modules folder
cp <tun.ko file location> /system/lib/modules/tun.ko
# Change permissions
chmod 644 /system/lib/modules/tun.ko
# Load the module
insmod /system/lib/modules/tun.ko
Now you should have a loaded tun/tap module. If there are errors, it probably means the tun.ko file is the wrong one and you need a different one (built for a different system/kernel version). For example, the first tun.ko file worked for me on a Droid X.
Autoload module on boot
su
# Remount the system partition writeable
mount -o remount,rw /system
Create an init file, e.g. /system/etc/init.d/99tunmodule, with this content:
#!/system/bin/sh
insmod /system/lib/modules/tun.ko
Then fix its ownership and permissions and remount /system read-only:
# Change ownership and permissions
chown root:shell /system/etc/init.d/99tunmodule
chmod 750 /system/etc/init.d/99tunmodule
mount -o remount,ro /system
Reboot the phone and run lsmod to check that the tun module is listed.
Common issues
- read UDPv4 [ECONNREFUSED]: Connection refused (code=111): change "Device to use" from tun to tap under Advanced
- Web pages partially load and then hang: Try "OpenVPN alternate config" below.
Certificates in Ubuntu
sudo apt-get install openvpn
cp -fr /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $HOME/easy-rsa
cd $HOME/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.p12
Answer yes to the last two y/n questions in ./build-key-server and ./build-key. You may also edit "vars" to put some common data into the keys.
In the openssl step you enter the password that will later be used to open the certificate bundle on the device.
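Before the bundle goes onto the phone it is worth checking it on the Ubuntu box, because the phone reports little more than a failed connection. The script below is an added example, not part of the wiki page: it builds a throwaway CA and client certificate with plain openssl (constructed here, not easy-rsa output) and exports client.p12 with the same openssl pkcs12 -export command, then checks that the certificate chains to ca.crt, is not expired, matches its private key, and that the .p12 opens only with the export password. Set WORK to $HOME/easy-rsa/keys and skip make_test_pki to run the checks against real files; EXPORT_PW stands for the password you typed at the openssl prompt.

```shell
#!/bin/sh
# Added example: sanity-check a client.p12 bundle before copying it to the phone.
# The PKI built here is a throwaway one made with plain openssl (constructed for
# this example, not easy-rsa output). Requires the openssl command-line tool.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PW="${EXPORT_PW:-test-export-pw}"   # password given to openssl pkcs12 -export

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Build ca.crt, client.crt/client.key and client.p12 in $WORK. Prints "ok" or "skip".
make_test_pki() {
  have_openssl || { echo skip; return 0; }
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" >/dev/null 2>&1
  # Same export step as the wiki, with the password supplied non-interactively.
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -out "$WORK/client.p12" -passout "pass:$EXPORT_PW"
  echo ok
}

# Prints "ok" when every check passes, otherwise the first failing check.
check_client_bundle() {
  have_openssl || { echo skip; return 0; }
  # 1. client.crt really chains to ca.crt; a cert from the wrong CA is a common
  #    cause of a TLS handshake failure that the phone shows only as "disconnected".
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 \
    || { echo "cert does not verify against ca.crt"; return 0; }
  # 2. The certificate is valid right now.
  openssl x509 -in "$WORK/client.crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "cert expired"; return 0; }
  # 3. Private key and certificate belong together (compare public keys).
  cert_pub=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/client.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 0; }
  # 4. The .p12 opens with the export password and contains the client cert...
  openssl pkcs12 -in "$WORK/client.p12" -nokeys -clcerts -passin "pass:$EXPORT_PW" 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'CN *= *client' \
    || { echo "p12 does not contain the client cert"; return 0; }
  # 5. ...and refuses a wrong password, so the file on the SD card is actually protected.
  if openssl pkcs12 -in "$WORK/client.p12" -nokeys -passin pass:wrong-password >/dev/null 2>&1; then
    echo "p12 is not password protected"; return 0
  fi
  echo ok
}

make_test_pki
check_client_bundle
```

In easy-rsa 2.0 the KEY_SIZE variable in vars sets the size of both the RSA keys and the Diffie-Hellman parameters that ./build-dh writes (the dh1024.pem file name in the server configs reflects its default of 1024); 2048 is the usual choice today, and the server config then has to point at dh2048.pem.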
Server
OpenVPN
One thing I would recommend is getting it working on a computer first; then you know your server config is sane, since your phone will not give much output if errors occur. This is what worked for me.
port 12345
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
- Enter your external IP address or hostname
- Create your certs.p12, place it on the sdcard and use it as the CA cert and user cert in your client config.
- Do not check user authentication.
- Menu » Advanced
- I am using port 12345; make sure you set your port to whatever you are using
- Make sure you use the tcp protocol, tun device, and lzo compression on your client (if your server config is like mine).
OpenVPN alternate config
The above config worked with my Ubuntu client and server just fine, but when using it with my CyanogenMod 7.1 RC1 it appeared to work and then usually hung after partially loading web pages. It was suggested that this was an MTU issue, but it seemed critical to also push a local DNS address. The config is as follows.
Server config (openvpn.conf):
port 12345
proto udp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group root
persist-key
persist-tun
status openvpn-status.log
verb 3
mssfix 1200
fragment 1200
push "dhcp-option DNS 192.168.1.1"
- Modify the config from the first example.
- Edit VPN network
- Menu » Advanced
- Change Protocol to udp
- Scroll down to Extra arguments
- Enter: --mssfix 1200 --fragment 1200
- Select OK
- Back out two screens and it should save the settings.
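Both lists above boil down to making the client match the server on protocol, device and compression, and to using fragment only with UDP. The script below, an added example that is not part of the wiki, does that comparison mechanically for file-based configs (the form used by the "OpenVPN as a Service" setup further down). The server text mirrors the alternate config above; the two client configs and the host name vpn.example.invalid are constructed for the example.

```shell
#!/bin/sh
# Added example: compare an OpenVPN server config with a client config and list
# the mismatches that make a tunnel fail silently. All config text is constructed
# inline; SERVER_CONF mirrors the wiki's alternate server config.
set -eu

SERVER_CONF='port 12345
proto udp
dev tun
comp-lzo
mssfix 1200
fragment 1200
push "dhcp-option DNS 192.168.1.1"'

# Deliberately inconsistent client: tcp instead of udp, tap instead of tun,
# no comp-lzo, and fragment combined with tcp.
BAD_CLIENT_CONF='client
remote vpn.example.invalid 12345
proto tcp
dev tap
fragment 1200'

# Client that matches the server on every point checked below.
GOOD_CLIENT_CONF='client
remote vpn.example.invalid 12345
proto udp
dev tun
comp-lzo
mssfix 1200
fragment 1200'

# First value of option $1 from the config text on stdin ("" if absent).
cfg_get() {
  awk -v key="$1" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# True if option $1 appears in config text $2.
cfg_has() {
  printf '%s\n' "$2" | awk -v key="$1" '$1 == key { found = 1 } END { exit !found }'
}

# Reports each problem on stderr and prints the number of problems on stdout.
compare_configs() {
  server="$1"; client="$2"; problems=0
  complain() { echo "$1" >&2; problems=$((problems + 1)); }

  # proto and dev must be identical on both ends.
  for opt in proto dev; do
    s=$(printf '%s\n' "$server" | cfg_get "$opt")
    c=$(printf '%s\n' "$client" | cfg_get "$opt")
    [ "$s" = "$c" ] || complain "$opt mismatch: server '$s', client '$c'"
  done

  # The client's remote line must carry the server's port.
  sport=$(printf '%s\n' "$server" | cfg_get port)
  cport=$(printf '%s\n' "$client" | cfg_get remote | awk '{ print $2 }')
  [ "$sport" = "$cport" ] || complain "port mismatch: server '$sport', client remote '$cport'"

  # comp-lzo has to be enabled on both ends or on neither.
  if cfg_has comp-lzo "$server" && ! cfg_has comp-lzo "$client"; then
    complain "comp-lzo on server only"
  elif cfg_has comp-lzo "$client" && ! cfg_has comp-lzo "$server"; then
    complain "comp-lzo on client only"
  fi

  # fragment only works over UDP; OpenVPN rejects it together with proto tcp.
  check_fragment() {
    if cfg_has fragment "$2" && [ "$(printf '%s\n' "$2" | cfg_get proto)" != udp ]; then
      complain "$1: fragment needs proto udp"
    fi
  }
  check_fragment server "$server"
  check_fragment client "$client"

  echo "$problems"
}

echo "bad client:  $(compare_configs "$SERVER_CONF" "$BAD_CLIENT_CONF") problem(s)"
echo "good client: $(compare_configs "$SERVER_CONF" "$GOOD_CLIENT_CONF") problem(s)"
```

Run it with your own files via `compare_configs "$(cat server.conf)" "$(cat client.conf)"`; the messages on stderr name the option to fix, which is more than the phone's VPN dialog will tell you.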
DD-WRT
Waiting for contributors...
TomatoVPN
TomatoVPN is a modification of the Tomato firmware (an alternative firmware for the Linksys WRT54G/GL/GS routers) which supports OpenVPN. Get TomatoVPN here.
To set up the OpenVPN server on your TomatoVPN:
- Go to the Management-Webinterface
- Go to VPN Tunneling » Server » Server 1
- Set Start with WAN to checked
- Set Interface type to "TAP"
- Set Protocol to "TCP"
In Keys, you have to copy & paste the content of the following files:
- Optional: at Static Key insert the content of static.key (pre-shared static key)
- at Certificate Authority insert the content of $HOME/easy-rsa/keys/ca.crt
- at Server Certificate insert the content of $HOME/easy-rsa/keys/server.crt
- at Server Key insert the content of $HOME/easy-rsa/keys/server.key
- at Diffie Hellman parameters insert the content of $HOME/easy-rsa/keys/dh1024.pem
Client
CyanogenMod 6 & 7
Copy client.p12 to the sdcard root directory. Go to "Location & Security" and then "Install from SD".
Add an OpenVPN entry in "Wireless & Networks"/"VPN Settings". Set the host (consider using a fixed IP or a dynamic DNS system), add your certificates, and set the interface type and the protocol to match your server.
Tun module
In "CyanogenMod 6.1.0 DS" the tun module is compiled into the kernel and does not need to be loaded any more.
TLS Auth
If you want to use tls-auth, copy your ta.key to your preferred $LOCATION (e.g. /sdcard/ta.key) and add '--tls-auth $LOCATION 1' (e.g. --tls-auth /sdcard/ta.key 1) as an extra option in your advanced VPN configuration.
Debugging
Add '--verb 8' to the extra arguments in your advanced VPN configuration settings and run adb logcat.
Existing Issues
In "CyanogenMod 6.1.0 DS" the option --lladdr does not work due to lack of support for the 'ether' keyword in ifconfig.
OpenVPN as a Service
This setup is a lot more like regular OpenVPN setups; please see the OpenVPN documentation for configuration options and examples.
We assume you're working in a shell on the phone, either by running a terminal app, ssh'ing into the phone or using adb.
Also make sure you have tun support, either as a loadable module (and load it on boot) or built into the kernel.
Step 1: Files & Directories
- Create the directory /data/openvpn (mkdir /data/openvpn)
- Place all your up/down scripts, certificate files(client & ca), client key and possibly your tls-auth key in /data/openvpn
Step 2: Configuration
- Make sure all file paths in your configuration are absolute (e.g. /data/openvpn/client.crt)
- Set user and group to 'vpn'
- If you run into problems with CyanogenMod's ifconfig and configuration, you can use 'ifconfig-noexec' to let the 'up' script handle IP assignment to the interface.
Step 3: Testing
- Make sure your OpenVPN server is working correctly
- Test your client VPN setup by running '/system/xbin/openvpn --config /data/client.conf'
- Adjust the verbosity level with --verb if you run into problems (e.g. --verb 8).
Step 4: Startup on boot / Daemonizing
- Remount /system read/write with 'mount -o remount,rw /dev/block/mtdblock3 /system'
- Open /system/etc/init.local.rc with your favorite editor (e.g. vim or cat)
- Add the following lines to the file:
service openvpn /system/xbin/openvpn --config /data/openvpn/puscii.conf --daemon
    user root
    group root
    oneshot
- Remount /system read-only with 'mount -o remount,ro /dev/block/mtdblock3 /system'
Step 5: Reboot & Test
- You now have OpenVPN running on boot as a background service on your Android device!
See Also
OpenVPN Manuals