Friday, 28 September 2012

Set up a VPN tunnel on your Android device using tomatousb (with openvpn) firmware on your router

This tutorial will help you set up a VPN tunnel on your Android device using tomatousb (with openvpn) firmware on your router.

Setup

Pack your certificate and keys into a single file and put it on the SD card. Then go to Security and import it; after that you can configure OpenVPN.
If your kernel lacks the tun/tap module, you need to find a matching tun.ko and load it. This post links to a few places to find one. The commands look something like the following:
//Copy the file to the phone's modules folder
# cp <tun.ko file location> /system/lib/modules/tun.ko

//Change permissions
# chmod 644 /system/lib/modules/tun.ko

//Load module
# insmod /system/lib/modules/tun.ko
The tun/tap module should now be loaded. If insmod reports errors, the tun.ko file is probably the wrong one and you need a build for your kernel version. For example, the first tun.ko file worked for me on a Droid X.

Autoload module on boot

su
//Remount the system partition writable
mount -o remount,rw /system
Create an init file, e.g. /system/etc/init.d/99tunmodule, containing the single line: insmod /system/lib/modules/tun.ko
//Change ownership and permissions
chown root:shell /system/etc/init.d/99tunmodule
chmod 750 /system/etc/init.d/99tunmodule
mount -o remount,ro /system
Reboot the phone and execute lsmod to check if you see the tun module.

Common issues

  • read UDPv4 [ECONNREFUSED]: Connection refused (code=111): just change "Device to use" from tun to tap under Advanced
  • Web pages partially load and then hang: Try "OpenVPN alternate config" below.

Certificates in Ubuntu

Answer yes to the last two y/n questions (sign the certificate, then commit it) in ./build-key-server and ./build-key.
You may also edit "vars" to prefill the common fields of the certificates.
The final openssl command asks for an export password; this is the password you will enter on the device to open the certificate.
The easy-rsa 2.0 scripts write their output to the keys/ subdirectory, so change into it before packing the PKCS#12 file.
sudo apt-get install openvpn
cp -fr /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $HOME/easy-rsa
cd $HOME/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
cd keys
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.p12

Server

OpenVPN

One thing I would recommend is getting it working on a computer first; then you know your server config is sane, since your phone will not give much output if errors occur.
This is what worked for me:
port 12345
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Client Config (on phone):
Enter your external IP address or hostname.
Create your client.p12, place it on the sdcard and use it as the CA cert and user cert in your client config.
Do not check user authentication.
Menu » Advanced
I am using port 12345; make sure you set your port to whatever you are using.
Make sure you use the tcp protocol, tun device and lzo compression on your client (if your server config is like mine).

OpenVPN alternate config

The above config worked with my Ubuntu client and server just fine, but when using it with my CyanogenMod 7.1 RC1 it appeared to work and then usually hung after partially loading web pages. It was suggested that this was an MTU issue, but it seemed critical to also push a local DNS address. The config is as follows.
Server config (openvpn.conf):
port 12345
proto udp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group root
persist-key
persist-tun
status openvpn-status.log
verb 3
mssfix 1200
fragment 1200
push "dhcp-option DNS 192.168.1.1"
Client config:
Modify config from first example.
Edit VPN network
Menu » Advanced
Change Protocol to udp
Scroll down to Extra arguments
Enter: --mssfix 1200 --fragment 1200
Select OK
Back out two screens and it should save the settings.
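As an added check that is not part of the original post, the following Python script parses OpenVPN configs in the format used by the two server configs above and a phone-side client config modelled on them. It flags the settings a reviewer would question (the alternate config's group root, the 1024-bit dh file, the absence of tls-auth) and confirms that client and server agree on proto, dev, compression and port, which is exactly the mismatch the text warns about. The hostname vpn.example.com and the /data/openvpn path are placeholders.

```python
import re
# Constructed sample: the page's alternate server config, trimmed to the directives checked below.
SERVER_CONF = """\
port 12345
proto udp
dev tun
dh privnet/dh1024.pem
comp-lzo
user nobody
group root
"""

# Constructed phone-side client config (hostname and path are placeholders).
CLIENT_CONF = """\
proto udp
dev tun
remote vpn.example.com 12345
ca /data/openvpn/ca.crt
comp-lzo
"""

def parse(text):
    """Map each directive to its argument list; a repeated directive keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # strip OpenVPN comments
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def lint_server(conf):
    """Return findings for the server-side weaknesses visible in the configs on this page."""
    findings = []
    if conf.get("group", [""])[0] == "root":
        findings.append("group root: keep the daemon in an unprivileged group after it drops root")
    bits = re.search(r"dh(\d+)", conf.get("dh", [""])[0])
    if bits and int(bits.group(1)) < 2048:
        findings.append(f"dh: {bits.group(1)}-bit parameters are weak; use 2048 bits or more")
    if "tls-auth" not in conf:
        findings.append("tls-auth missing: add the HMAC key (ta.key) so unauthenticated packets are dropped early")
    return findings

def check_client_matches(server, client):
    """Directives the text says must agree: proto, dev, comp-lzo and the port given in 'remote'."""
    mismatches = [k for k in ("proto", "dev") if server.get(k) != client.get(k)]
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        mismatches.append("comp-lzo")
    if client.get("remote", [])[1:2] != server.get("port"):
        mismatches.append("port")
    return mismatches
```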

DD-WRT

Waiting for contributors...

TomatoVPN

TomatoVPN is a modification of the Tomato Firmware (an alternative Firmware for the Linksys WRT54G/GL/GS Router) which supports OpenVPN. Get TomatoVPN here.
To setup the OpenVPN Server on your TomatoVPN:
  1. Go to the Management-Webinterface
  2. Go to VPN Tunneling » Server » Server 1
In Basic, set:
  • Start with WAN to checked
  • Interface type to "TAP"
  • Protocol to "TCP"
In Advanced, you can set specific openvpn config-settings.
In Keys, you have to copy and paste the content of the following files:
  • Optional: at Static Key insert the content of static.key (pre-shared static key)
  • at Certificate Authority insert the content of $HOME/easy-rsa/keys/ca.crt
  • at Server Certificate insert the content of $HOME/easy-rsa/keys/server.crt
  • at Server Key insert the content of $HOME/easy-rsa/keys/server.key
  • at Diffie Hellman parameters insert the content of $HOME/easy-rsa/keys/dh1024.pem

Client

CyanogenMod 6 & 7

Copy client.p12 to the sdcard root directory. Go to "Location & Security" and then "Install from SD".
Add an OpenVPN connection in "Wireless & Networks"/"VPN Settings". Set the host (consider using a fixed IP or a dynamic DNS system), add your certificates, and set the interface type and the protocol accordingly.

Tun module

In "CyanogenMod 6.1.0 DS" the tun module is compiled into the kernel and does not need to be loaded any more.

TLS Auth

If you want to use tls-auth, copy your ta.key to your preferred $LOCATION (e.g. /sdcard/ta.key) and add '--tls-auth $LOCATION 1' (e.g. --tls-auth /sdcard/ta.key 1) as an extra option in your advanced VPN configuration.

Debugging

Add '--verb 8' to the extra arguments in your advanced VPN configuration settings and run adb logcat.

Existing Issues

In "CyanogenMod 6.1.0 DS" the option --lladdr does not work due to lack of support for the 'ether' keyword in ifconfig.

OpenVPN as a Service

This setup is a lot more like a regular OpenVPN setup; please see the OpenVPN documentation for configuration options and examples.
We assume you're working in a shell on the phone, either by running a terminal app, ssh'ing into the phone or using adb.
Also make sure you have tun support, either as a loadable module (and load it on boot) or built into the kernel.

Step 1: Files & Directories

  • Create the directory /data/openvpn (mkdir /data/openvpn)
  • Place all your up/down scripts, certificate files (client & CA), client key and possibly your tls-auth key in /data/openvpn

Step 2: Configuration

  • Make sure all file paths in your configuration are absolute (e.g. /data/openvpn/client.crt)
  • Set user and group to 'vpn'
  • If you run into problems with CyanogenMod's ifconfig and configuration, you can use 'ifconfig-noexec' to let the 'up' script handle IP assignment to the interface.
For specifics please see the OpenVPN documentation.

Step 3: Testing

  • Make sure your OpenVPN server is working correctly
  • Test your client vpn setup by running '/system/xbin/openvpn --config /data/client.conf'
  • Adjust the verbosity level with --verb if you run into problems (e.g. --verb 8).

Step 4: Startup on boot / Daemonizing

  • Remount /system read/write with 'mount -o remount,rw /dev/block/mtdblock3 /system'
  • Open /system/etc/init.local.rc with your favorite editor (e.g. vim or cat)
  • Add the following lines to the file:
service openvpn /system/xbin/openvpn --config /data/openvpn/puscii.conf --daemon
    user root
    group root
    oneshot
  • Remount /system read-only with 'mount -o remount,ro /dev/block/mtdblock3 /system'

Step 5: Reboot & Test

  • You now have OpenVPN running on boot as a background service on your android device!

See Also

OpenVPN Manuals

from http://wiki.cyanogenmod.com/wiki/OpenVPN