Android OpenVPN


cvandeplas
23rd August 2009, 06:38 PM
Since I bought my HTC Hero two weeks ago I can't stop enjoying the device.
Except one thing: Currently no OpenVPN client exists yet for the Android platform.

While searching Google I could find people referring to successful ports of openvpn, but all discussions were vague and all links were dead.


This resulted in the motivation to work on making openvpn available on Android.
For the last weeks I have been reading documentation and already started coding a very basic GUI. (listing and editing configuration files)

Being fairly novice to Android, and expecting I'm not the only one envying such functionality I am starting a Call for Participation trying to reach other developers interested to work on the project.

As structure of this application I see the following parts:
1) GUI stuff to manage configurations (view, create, edit and delete). Tunnel management (connect, disconnect, view log, view ip) would also be done here. (language: java)
2) background daemon sending notifications about the tunnel state (don't know if that's necessary) (language: java)
3) ported openvpn client that parses the config and does the real work. (language: c)

It looks like other projects already provide the necessary tun kernel drivers. Rooting your device will be necessary to be able to load the driver.

Being supportive to open source software I'd like to keep the code open.
Discussions about selling the (compiled) GUI on the Market are possible.


Interested developers can reply here or contact me at christophe@vandeplas.com.


Some interesting links:
http://openvpn.net/index.php/open-source/downloads.html
http://developer.android.com/sdk/ndk/1.5_r1/index.html
http://code.google.com/p/get-a-robot-vpnc/

Posted on xda-developers (http://forum.xda-developers.com/showthread.php?p=4387515) and MoDaCo (http://android.modaco.com/content/software/291919/openvpn-on-android/).

wolfiedk
2nd September 2009, 06:07 PM
Please post if you find an openvpn GUI for the HTC Magic / Hero :)

Best regards

jeremy89632
5th September 2009, 06:29 PM
I saw one being developed in Singapore.
I think it's featured by the codeandroid.org community.

It's in the Marketplace now, I guess?

stickman
8th September 2009, 01:17 PM
I saw one being developed in Singapore.
I think it's featured by the codeandroid.org community.

It's in the Marketplace now, I guess?

Searched for it in the SG App directory and couldn't find it there.

It doesn't show up either in the US Market. Could you please attach an apk for it?

jeremy89632
9th September 2009, 05:07 AM
Searched for it in the SG App directory and couldn't find it there.

It doesn't show up either in the US Market. Could you please attach an apk for it?

Can you go to codeandroid.org forums and open a thread to ask about it?

fries_
11th September 2009, 03:41 AM
You'll find the port here:

http://github.com/fries

A port of liblzo, patches to openssl to support blowfish and openvpn 2.1 itself.

Precompiled binaries are available here:

http://github.com/fries/android-external-openvpn/downloads

There is currently no installer but you can copy the file to your device with the adb command.

I'm also working on an app to monitor and configure vpns.

Best Regards

fries_
13th September 2009, 06:28 AM
Now there is also an android app to monitor the openvpn state.

http://github.com/fries/android-exte...nvpn/downloads

porear
14th September 2009, 07:25 PM
Now there is also an android app to monitor the openvpn state.

http://github.com/fries/android-exte...nvpn/downloads

Corrected link

http://github.com/fries/android-external-openvpn/downloads

ngomo
16th September 2009, 02:46 PM
I've installed openvpn successfully but the monitor application is just a black in black layout?


ng

inigoml
20th September 2009, 09:23 AM
Corrected link
http://github.com/fries/android-external-openvpn/downloads

Hi.

I've installed both openvpn and Openvpn-Monitor.apk.
Monitor opens, but there is no way to configure vpn. I've tried to import a valid config file from my linux box but monitor says it's not a valid config file.

Any advice or docs?

Thanks in advance.

rgawenda
1st October 2009, 02:37 AM
Hi.

I've installed both openvpn and Openvpn-Monitor.apk.
Monitor opens, but there is no way to configure vpn. I've tried to import a valid config file from my linux box but monitor says it's not a valid config file.



Been there. The Monitor doesn't even allow me to import a valid config. Save button is never enabled, but I've got the vpn up and running well from the command line.

magnus@boden.cx
15th October 2009, 11:31 PM
Been there. The Monitor doesn't even allow me to import a valid config. Save button is never enabled, but I've got the vpn up and running well from the command line.

I haven't gotten it to work yet, still just a black screen for me also but I found out it connects to 127.0.0.1 7890 which I assume is supposed to be the management interface of openvpn.

I added "management 127.0.0.1 7890" to my openvpn config and can see the monitor app talking to it but still the black screen.

Just thought I should share it, perhaps someone else will figure out the next step in getting this working.

teknologist
23rd October 2009, 07:26 PM
title says it all ...have installed the libs/bin in /system/lib and /system/bin (actually I already had libssl and libcrypto)

installed the monitor apk and every time I go to settings import file -> Find the app force closes.. :-(

Can anyone help ?

Ather
23rd October 2009, 10:11 PM
Moved to the New Forum :)

Android software development

rogro82
30th October 2009, 09:54 PM
I'm one of the opensource OpenVPN ALS developers (used to be adito/ssl explorer). If you need any help on RADIUS or something more basic just send me a pm.

ChefCB
5th November 2009, 09:35 PM
The VPNMonitor doesn't even work for me, it crashed when I tried to import a config file.
I wrote my own OpenVPN GUI and it has been on the Android Market for about 4 hours.
More information about it can be found on my page at http://www.blank-online.eu/android/openvpn_gui/

Unfortunately my page is only in German so I'll give a short summary:

it asks you to download the openvpn binary file incl. tun.ko module if needed.
then it may do a wget and chmod and ln -s (because of ifconfig and route)
You can edit the path to your openvpn file
you can set the path where your config files are
and easily start/stop openvpn connections via checkboxes...

i think it became a very nice app :-)
i love it :-)

i'm looking forward to your feedback!!

cvandeplas
11th November 2009, 12:19 PM
Another discussion about this is going-on on MoDaCo.
http://android.modaco.com/content/software/291919/openvpn-on-android/

I also have released an OpenVPN GUI for Android.
The code is completely opensource, so you can check that I added no backdoors, or you could help fixing bugs by sending patches ;-)

The application can currently:
- Create and edit configurations
- Connect / Disconnect
- View log and share it ( send by email or other means )
- tunnel notification/status in system tray

I am currently working on the implementation of a password prompt for certificate authentication and user/password authentication.
My goal is to release this feature in a week or so.

You can find a README and the openvpn binaries here: https://sourceforge.net/projects/tunneldroid/files/
(these binaries don't require the ugly 'bb' symlinks that the others published on Git do need (http://github.com/fries/android-external-openvpn))

TunnelDroid is published on the Android Market.
So just do a simple search for it. This will help you to follow the updates.

Please give feedback if it works/doesn't work on your phone.

blackplatypus
12th November 2009, 12:35 AM
If I start an openvpn connection via shell (using my config file) it works, however with your tool it starts to connect and it even establishes a connection, but only a few seconds later it disconnects with the following error:

event_wait_interrupted system call (code=4)
TCP/UDP: Closing socket
SIGTERM[hard] received, process exiting

SalvoB
12th November 2009, 05:34 PM
If I start an openvpn connection via shell (using my config file) it works, however with your tool it starts to connect and it even establishes a connection, but only a few seconds later it disconnects with the following error:

event_wait_interrupted system call (code=4)
TCP/UDP: Closing socket
SIGTERM[hard] received, process exiting

I have the same problem.

lastConnection.log:
Thu Nov 12 17:17:37 2009 OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 1 2009
Thu Nov 12 17:17:37 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Nov 12 17:17:37 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Nov 12 17:17:37 2009 WARNING: file '/sdcard/openvpn/client.key' is group or others accessible
Thu Nov 12 17:17:37 2009 LZO compression initialized
Thu Nov 12 17:17:37 2009 Attempting to establish TCP connection with xx.xx.xx.xx:9000 [nonblock]
Thu Nov 12 17:17:38 2009 TCP connection established with xx.xx.xx.xx:9000
Thu Nov 12 17:17:38 2009 TCPv4_CLIENT link local: [undef]
Thu Nov 12 17:17:38 2009 TCPv4_CLIENT link remote: xx.xx.xx.xx:9000
Thu Nov 12 17:17:57 2009 [server] Peer Connection Initiated with xx.xx.xx.xx:9000
Thu Nov 12 17:17:59 2009 event_wait : Interrupted system call (code=4)
Thu Nov 12 17:17:59 2009 SIGTERM[hard,] received, process exiting

cvandeplas
13th November 2009, 05:23 PM
To prevent freezing your phone when openvpn fails to connect I implemented a 30 seconds connection timeout. (line 97 from the source (http://tunneldroid.svn.sourceforge.net/viewvc/tunneldroid/tunneldroid/src/net/sourceforge/tunneldroid/TunnelManager.java?revision=25&view=markup) )
TunnelDroid detects you are connected once the tun0 interface came up.
This will probably be where it has issues on your device.

Could you give me a directory listing of your /sys/class/net/ directory once the tunnel came up?
Once I get the info I'll upload a fixed version.

The good news is that I'm currently implementing openvpn-manager support. This means TunnelDroid will be able to interact with openvpn while it runs in the background and will be able to ask openvpn if he's connected.

The technical stuff on the side this means the following new features:
- prompt for certificate credentials
- prompt for auth credentials
- displaying the status of the connection (CONNECTING,WAIT,AUTH, GET_CONFIG, ASSIGN_IP, ADD_ROUTES, CONNECTED, RECONNECTING, EXITING)
- and probably other things ...
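
An added example (not TunnelDroid's code and not part of the post above) of deciding the tunnel state from the management interface's `>STATE:` notifications rather than from the appearance of a `tun0` interface, using the 30-second timeout mentioned above. The sample notifications, addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class StateEvent:
    ts: int         # unix time reported by openvpn
    state: str      # e.g. WAIT, AUTH, GET_CONFIG, ASSIGN_IP, ADD_ROUTES, CONNECTED
    detail: str     # descriptive string, e.g. SUCCESS
    local_ip: str   # tunnel address, empty until ASSIGN_IP
    remote_ip: str  # server address, empty until CONNECTED


def parse_state(line):
    """Parse one '>STATE:ts,state,detail,local,remote' notification.

    The marker may be preceded by a log prefix, so search for it anywhere
    in the line. Returns None for lines that carry no state notification.
    """
    marker = line.find(">STATE:")
    if marker < 0:
        return None
    fields = line[marker + len(">STATE:"):].strip().split(",")
    if len(fields) < 2 or not fields[0].isdigit():
        return None
    fields += [""] * (5 - len(fields))      # early states leave fields empty
    return StateEvent(int(fields[0]), fields[1], fields[2],
                      fields[3].strip(), fields[4].strip())


def tunnel_outcome(lines, timeout=30):
    """Classify a connection attempt from its state notifications.

    'connected' : CONNECTED seen within `timeout` seconds of the first event
    'timeout'   : an event arrived later than that without CONNECTED
    'exited'    : the daemon reported EXITING first
    'pending'   : still negotiating; 'no-state' if nothing was parsed
    """
    events = [e for e in map(parse_state, lines) if e]
    if not events:
        return "no-state"
    start = events[0].ts
    for event in events:
        if event.ts - start > timeout:
            return "timeout"
        if event.state == "CONNECTED":
            return "connected"
        if event.state == "EXITING":
            return "exited"
    return "pending"


# Constructed sample: a tap-based tunnel. No tun0 interface ever appears,
# but the daemon itself reports CONNECTED 20 seconds after the first event.
TAP_SESSION = [
    ">STATE:1258042657,WAIT,,,",
    ">STATE:1258042658,AUTH,,,",
    ">STATE:1258042675,GET_CONFIG,,,",
    ">STATE:1258042676,ASSIGN_IP,,10.8.0.6,",
    ">STATE:1258042677,CONNECTED,SUCCESS,10.8.0.6,203.0.113.10",
]

# Constructed sample: negotiation still running 40 seconds in.
SLOW_SESSION = [
    ">STATE:1258042657,WAIT,,,",
    ">STATE:1258042662,AUTH,,,",
    ">STATE:1258042697,GET_CONFIG,,,",
]

if __name__ == "__main__":
    print("tap session :", tunnel_outcome(TAP_SESSION))
    print("slow session:", tunnel_outcome(SLOW_SESSION))
```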

SalvoB
13th November 2009, 06:29 PM
To prevent freezing your phone when openvpn fails to connect I implemented a 30 seconds connection timeout. (line 97 from the source (http://tunneldroid.svn.sourceforge.net/viewvc/tunneldroid/tunneldroid/src/net/sourceforge/tunneldroid/TunnelManager.java?revision=25&view=markup) )
TunnelDroid detects you are connected once the tun0 interface came up.
This will probably be where it has issues on your device.

Could you give me a directory listing of your /sys/class/net/ directory once the tunnel came up?
Once I get the info I'll upload a fixed version.

The good news is that I'm currently implementing openvpn-manager support. This means TunnelDroid will be able to interact with openvpn while it runs in the background and will be able to ask openvpn if he's connected.

The technical stuff on the side this means the following new features:
- prompt for certificate credentials
- prompt for auth credentials
- displaying the status of the connection (CONNECTING,WAIT,AUTH, GET_CONFIG, ASSIGN_IP, ADD_ROUTES, CONNECTED, RECONNECTING, EXITING)
- and probably other things ...

Ok.. Great!
I solved the problem, my interface is tap0, I replaced ..

cvandeplas
13th November 2009, 06:44 PM
Ok.. Great!
I solved the problem, my interface is tap0, I replaced ..

If you are using a tap interface you should not change the name in the configfile. The tun and taps are completely different things.

The good news is that I had the same bugreport on MoDaCo forums and I fixed this in the code. I just uploaded a new release with a fix.

blackplatypus
14th November 2009, 03:31 PM
thanks the update fixed the bug, now everything works fine, great tool keep the good work :)

rgawenda
14th November 2009, 03:47 PM
Brilliant! Next feature I'd love is the ability to put a shortcut to a specific vpn config in the desktop (android intents, maybe?).
Also changing the Radio boxes with check boxes, and detecting the state when the app is (re)launched would be a plus.

cvandeplas
14th November 2009, 04:52 PM
I am currently working on implementing the authentication prompts.
Unfortunately my architectural design errors due to my lack of Android development start to come up. (inter-process-gui-events are not that simple when you don't know "the right way"). This results in not being able to show the password prompt the right way (and getting the data back).

Some serious refactoring is required, for example: I need to change the TunnelManager singleton to an Android Service.

Once the credentials dialog thingies are done and stable I'll work on your feature request.

Cheers

cvandeplas
28th November 2009, 08:44 AM
Good news, I just released version 0.7 supporting password prompts.
Update is available on the Market as TunnelDroid.

To see it in action you will need to REMOVE your HARDCODED passwordfile from the configuration !

Check out the readme: https://sourceforge.net/projects/tunneldroi...README/download

falstaff84
28th November 2009, 10:33 PM
Hi,

I installed TunnelDroid and tried my CyanogenMod's integrated OpenVPN Client. But it didn't work... I then tried to install the binaries from the SourceForge site, but that didn't work either (same output)...

Sat Nov 28 22:30:10 2009 OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 1 2009
Sat Nov 28 22:30:10 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 28 22:30:10 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Nov 28 22:30:10 2009 Cannot load certificate file idlewild.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sat Nov 28 22:30:10 2009 Exiting

Any idea?

Thanks
falstaff

falstaff84
28th November 2009, 10:58 PM
OK I could solve the above problem by using absolute paths in the config file:

/sdcard/openvpn/whatever.file


Next problem:

Sat Nov 28 22:46:12 2009 TUN/TAP device tun0 opened
Sat Nov 28 22:46:12 2009 TUN/TAP TX queue length set to 100
Sat Nov 28 22:46:12 2009 /system/xbin/ifconfig tun0 192.168.X.Y pointopoint 192.168.X.Z mtu 1500
Sat Nov 28 22:46:12 2009 Linux ifconfig failed: could not execute external program
Sat Nov 28 22:46:12 2009 Exiting


I looked, there is no /system/xbin/ifconfig, I use CyanogenMod and took the binaries from sf...

Bye
falstaff
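
The configuration problems raised so far in this thread (the log warnings about server certificate verification and a key file on /sdcard, the hardcoded password file, relative certificate paths, and a management port on 127.0.0.1) can be checked mechanically. The following is an added example, not part of any post and not TunnelDroid code; both sample configs, the /data/openvpn path and the finding names are constructed for illustration.

```python
import shlex

# Any one of these makes the client check the server certificate's role or name.
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "tls-remote", "tls-verify",
                 "remote-cert-eku", "remote-cert-ku", "verify-x509-name"}
FILE_OPTS = {"ca", "cert", "key", "pkcs12", "tls-auth"}
SECRET_OPTS = {"key", "pkcs12", "tls-auth"}
SHARED_STORAGE = "/sdcard/"  # assumption: SD card storage has no per-app file permissions


def parse_config(text):
    """Return [(option, [args])], skipping comments and inline <tag> blocks."""
    options, closing = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                          # inside <ca> ... </ca> style inline data
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            closing = "</" + line[1:]
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            options.append((tokens[0].lstrip("-"), tokens[1:]))
    return options


def audit(text):
    """Return a list of (finding, detail) for a client configuration."""
    cfg = parse_config(text)
    names = {opt for opt, _ in cfg}
    findings = []
    if names & {"client", "tls-client", "remote"} and not names & SERVER_VERIFY:
        findings.append(("no-server-verify",
                         "any certificate signed by the CA is accepted as the server"))
    for opt, args in cfg:
        if opt in FILE_OPTS and args:
            path = args[0]
            if not path.startswith("/"):
                findings.append(("relative-path",
                                 f"{opt} {path} depends on the daemon's working directory"))
            elif opt in SECRET_OPTS and path.startswith(SHARED_STORAGE):
                findings.append(("secret-on-shared-storage",
                                 f"{opt} {path} is readable by other users or apps"))
        elif opt == "auth-user-pass" and args:
            findings.append(("stored-password-file",
                             f"credentials kept in {args[0]} instead of being prompted for"))
        elif opt == "management" and len(args) >= 2 and args[1] != "unix":
            if args[0] not in ("127.0.0.1", "localhost"):
                findings.append(("management-exposed",
                                 f"management port bound to {args[0]}"))
            elif len(args) < 3:
                findings.append(("management-no-password",
                                 "any local process can connect and control the tunnel"))
    return findings


# Constructed sample resembling the setups described in the thread.
WEAK_CONFIG = """
client
dev tun
proto tcp
remote vpn.example.net 9000
ca ca.crt
cert /sdcard/openvpn/client.crt
key /sdcard/openvpn/client.key
auth-user-pass /sdcard/openvpn/pass.txt
management 127.0.0.1 7890
comp-lzo
"""

# Constructed corrected version; /data/openvpn is a hypothetical private directory.
HARDENED_CONFIG = """
client
dev tun
proto tcp
remote vpn.example.net 9000
remote-cert-tls server
ca /data/openvpn/ca.crt
cert /data/openvpn/client.crt
key /data/openvpn/client.key
auth-user-pass
management 127.0.0.1 7890 /data/openvpn/mgmt.pw
management-query-passwords
comp-lzo
"""

if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code}: {detail}")
```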

falstaff84
28th November 2009, 11:12 PM
OK, solved that one too... I restored the original CyanogenMod binaries, they work fine now...

So another hint would be helpful: Do not use the binaries if you have CyanogenMod... :-)

Bye
falstaff

wingmanjd
30th November 2009, 11:52 PM
Any way of getting this to work on the Fuze running Android? I can't get adb to work since there is no USB debugging (yet).

jeibie
1st December 2009, 02:02 PM
I'm running into problems with cyanogenmod 4.2.6

In my openvpn config there is a tap0 interface configured (tap is needed for me). But there is no tap device at /dev/ (only tun) and also no tap.to at /system/lib/modules/.

So has someone a running openvpn with a tap device?

Clayton619
2nd December 2009, 02:38 AM
Hello,

Do I need to have root permissions in order to install OpenVPN on the TMobile myTouch 3G Smartphone?

If so, how do I get root permissions?

Thanks.....

plukacs7
4th December 2009, 09:21 AM
I opened a new thread, but maybe someone can answer here... I am not an expert of vpns and networks...

Hero, OpenVPN, StrongVPN and the Big China Mystery

--------------------------------------------------------------------------------


"Well I searched the forums all over the interweb for a week now, and did not find an answer so I post.

I live in China and as part of the Expat Survival Kit I run an OpenVPN service to solve my facebooktwitteryoutoube problems. The provider is strongvpn.com, or other name reliablehosting.com - reliable, they are, and responsive and helpful and everything.

The VPN uses a San Francisco server, so anytime I fire it up on my PC, I have a USA IP, and can access Youtube, Facebook, Twitter, Pandora et al. Bingo.

I struggled days to hack this connection on my Hero, and finally managed, it works, it connects. Apparently.

Now here is the hick:

- I connect on the Hero with TunnelDroid, using my original StrongVPN config file. It takes some time, but usually connects, either WiFi and Edge.

- I check my external IP, it's the good old Frisco one, I seem good to go

- I can surf sites like e.g. Amnesty International, impossible without VPN. I can use Pandora, so definitely I have US IP. Eventually if there is an embedded Youtube vid somewhere, I even can see and try to start it (although it's dead slow)!

- But, none of the social integration features work. I can not log in into twitter, facebook etc, and when I try to visit those sites with the browser, I have the same result as without VPN, nada. Timeout, service unavailable, technical problem, you name it

Now, if there is any developer / network or VPN expert / GFW operator / Google guru around... I really want to understand exactly what the problem can be - that would help some fellow Hero owners here in China

I changed the "hosts" file that I found on some forums... I tried to boost the process with some web proxy... Tried everything - nothing works.

How is it possible that I'm behind a VPN, I have American IP reported by any software you can imagine, and still I'm blocked, while everything works fine on the PC with the same VPN connection???

I can live without these apps and sites on my Hero...but can not live without finding out the truth "

Thanks...

slackert
5th December 2009, 02:16 AM
Has anyone documented the steps for installing wget? wget gets called by the openvpn gui when first run.

Do you have to go through the adb push foo, chmod foo bit? Can you just create /usr/local/bin on the sdcard and add it to the path or something (copy binaries there)? I'm new to mucking with android....

Fizzyflaskan
5th December 2009, 10:36 PM
Hi, I installed openssl binaries and got tunneldroid to connect to the server and verify the certs, but then it says linux ifconfig failed. So it seems that the ifconfig binaries are gone, is that correct? Can't seem to find them (seems like others can find them in system/bin/). Where to get this then?

Got it, don't install the binaries. Damn me, should have read before I did those changes.

Now I get connected but the phone doesn't seem to have internet after this :S Is it because I use tap or something like that? Don't get any errors so don't know what the problem is (VPN server works great from computers). Doesn't seem that it gets dns servers properly....
Sun Dec 6 00:06:39 2009 Initialization Sequence Completed
Sun Dec 6 00:06:39 2009 MANAGEMENT: >STATE:1260054399,CONNECTED,SUCCESS,xxx.xxx.xxx.xxx ,xx.xxx.xxx.xxx
Sun Dec 6 00:08:11 2009 MANAGEMENT: Client disconnected


that's what it says in the end, just seems to disconnect for no reason...

sancho_sk
7th December 2009, 07:05 PM
Hi.
Great to see the OpenVPN working on Android with a very nice GUI for such.
Anyhow, I have a tattoo phone with no option to root (yet?), so I'd like to ask:
Is there any chance to build the openVPN binary and GUI so that it does not require the root access?

synfin
10th December 2009, 04:41 AM
GFW problem

They use several techniques to block traffic. VPN gets around most (filtering/ip blocking) but it may have an issue getting around DNS poisoning. All the sites you seem to have issues connecting to are DNS poisoned in one way or another. This means that all legit DNS servers in China give you a fake ip address for the host name.

To test this out try to manually set the ipaddress for the host login.facebook.com using your host file(the only host on facebook which is currently poisoned that I'm aware of). Alternatively you could ensure that DNS requests are being routed to a foreign dns server - over the vpn connection and find a way to flush your DNS cache after you've established the connection - or in some other manner. I'm new to android but I'll try to update this post when I discover android specific methods to solve this issue. Hope this helps.

Fizzyflaskan
12th December 2009, 08:03 PM
Got it to work now (just wifi), but doesn't seem to work over 3g, is that right?

kilascay
17th December 2009, 05:02 AM
yeah that happens for me too, I think it's something to do with the system config when running off 3g. I was able to tether the phone to my laptop then vpn from there. but no go vpn+3g on the phone.

awsy44
19th December 2009, 12:06 PM
I opened a new thread, but maybe someone can answer here... I am not an expert of vpns and networks...

Hero, OpenVPN, StrongVPN and the Big China Mystery

--------------------------------------------------------------------------------


"Well I searched the forums all over the interweb for a week now, and did not find an answer so I post.

I live in China and as part of the Expat Survival Kit I run an OpenVPN service to solve my facebooktwitteryoutoube problems. The provider is strongvpn.com, or other name reliablehosting.com - reliable, they are, and responsive and helpful and everything.

The VPN uses a San Francisco server, so anytime I fire it up on my PC, I have a USA IP, and can access Youtube, Facebook, Twitter, Pandora et al. Bingo.

I struggled days to hack this connection on my Hero, and finally managed, it works, it connects. Apparently.

Now here is the hick:

- I connect on the Hero with TunnelDroid, using my original StrongVPN config file. It takes some time, but usually connects, either WiFi and Edge.

- I check my external IP, it's the good old Frisco one, I seem good to go

- I can surf sites like e.g. Amnesty International, impossible without VPN. I can use Pandora, so definitely I have US IP. Eventually if there is an embedded Youtube vid somewhere, I even can see and try to start it (although it's dead slow)!

- But, none of the social integration features work. I can not log in into twitter, facebook etc, and when I try to visit those sites with the browser, I have the same result as without VPN, nada. Timeout, service unavailable, technical problem, you name it

Now, if there is any developer / network or VPN expert / GFW operator / Google guru around... I really want to understand exactly what the problem can be - that would help some fellow Hero owners here in China

I changed the "hosts" file that I found on some forums... I tried to boost the process with some web proxy... Tried everything - nothing works.

How is it possible that I'm behind a VPN, I have American IP reported by any software you can imagine, and still I'm blocked, while everything works fine on the PC with the same VPN connection???

I can live without these apps and sites on my Hero...but can not live without finding out the truth "

Thanks...

I got it working, go to your router, then make the phone DMZ, which means it doesn't go through the router's DNS. (for me D-LINK has it in settings/firewall settings/ enable DMZ)
On your phone go to wireless settings and advanced, put the DNS 1 and 2 as 8.8.8.8 and 8.8.4.4 for google public dns, that's how fb and twitter are working perfect.

mushroom1
14th March 2010, 08:55 AM
I just tried TunnelDroid and it works fine.

However, it seems to only route packets with a VPN destination via OpenVPN. (Say 192.168.2.0/24) But all other traffic (google.com, yahoo.com) is still routed via the phone's default.

Did I do something wrong, or is there any way to get around this?

rgawenda
14th March 2010, 10:42 AM
That's the way it's intended to be. If you want all your IP traffic going to the VPN just have a look at the routes and set the default gateway there.

Gawis
14th March 2010, 11:21 AM
not sure but isn't this fixed by adding
redirect-gateway def1
to the client config file?

mushroom1
15th March 2010, 05:07 AM
Thanks for the tips. I didn't know about that config option.

I was able to push default gateway from the server. Now, the next problem is that when the connection is made with all packets routed via VPN, the default DNS on N1 is still T-Mobile 3G's (10.184.80.242:53) instead of VPN's.

I added

push "dhcp-option DNS 4.4.4.4"

to the server, but the phone still use T-Mo's.

Is there any way to get around this?
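
An added example (not part of the post above, and not TunnelDroid code) that reads a `route` table and reports, by longest-prefix match, whether general traffic and each configured DNS resolver leave through the tunnel. Both route tables are constructed: the `rmnet0` interface name, the 10.8.0.x tunnel addresses and the 203.0.113.10 server address are assumptions, and the second table shows the two /1 routes that `redirect-gateway def1` adds.

```python
import ipaddress


def parse_routes(text):
    """Parse `route` output into a list of (network, interface)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue                       # header lines
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        routes.append((net, f[-1]))
    return routes


def egress_iface(routes, ip):
    """Interface the kernel would pick for `ip`: the most specific match wins."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def leak_report(routes, dns_servers, tun="tun0"):
    """Summarise which traffic bypasses the tunnel interface `tun`."""
    # One probe address in each half of the IPv4 space, because def1 covers
    # the default route with 0.0.0.0/1 and 128.0.0.0/1 instead of replacing it.
    probes = ("8.8.8.8", "198.51.100.1")
    return {
        "default_via_tunnel": all(egress_iface(routes, p) == tun for p in probes),
        "dns_outside_tunnel": [s for s in dns_servers
                               if egress_iface(routes, s) != tun],
    }


# Constructed: split tunnel, only 192.168.2.0/24 is routed into the VPN.
SPLIT_TABLE = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0   0   tun0
192.168.2.0     10.8.0.5        255.255.255.0   UG    0      0   0   tun0
10.184.80.0     *               255.255.255.0   U     0      0   0   rmnet0
default         10.184.80.1     0.0.0.0         UG    0      0   0   rmnet0
"""

# Constructed: the same phone after the server pushed "redirect-gateway def1".
DEF1_TABLE = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0   0   tun0
203.0.113.10    10.184.80.1     255.255.255.255 UGH   0      0   0   rmnet0
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0   0   tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0   0   tun0
10.184.80.0     *               255.255.255.0   U     0      0   0   rmnet0
default         10.184.80.1     0.0.0.0         UG    0      0   0   rmnet0
"""

# Resolvers to test: the carrier resolver and the pushed one from the post.
DNS_SERVERS = ["10.184.80.242", "4.4.4.4"]

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TABLE), ("def1", DEF1_TABLE)):
        print(name, leak_report(parse_routes(table), DNS_SERVERS))
```

In the constructed def1 table the carrier resolver sits on a directly connected /24, which is more specific than either /1 route, so queries to it stay outside the tunnel until the resolver setting itself is changed.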

Gawis
15th March 2010, 08:43 AM
hi mushroom1, could you please share what exact line you added to your serverconfig file?
I'm interested to get the same thing working and thought the redirect gateway did the same (it's all kinda new to me :) )

mushroom1
15th March 2010, 11:09 PM
Sure..

I added

push "redirect-gateway def1"

to server config file.

From what I understand, you should be able to add "redirect-gateway def1" into client config to get the same result. However, that doesn't seem to work with Tunneldroid/OpenVPN

Gawis
16th March 2010, 10:55 AM
thanks!

I was using the edit in the client file and it seemed to work ok
could you please tell me what I need to do to test if everything goes through the tunnel (.com, dns, ...).

thanks again and sorry for being a pain :)

mushroom1
18th March 2010, 06:28 AM
try www.whatismyip.com

If it's showing T-Mo or your carrier's IP (use whois.sc to find out), then it means it's not going through your VPN. Otherwise, if it's going through your VPN, you'll see your VPN outbound IP

Gawis
20th March 2010, 09:57 PM
thanks for the reply!

I tested without tunnel and I got my carrier's IP, then I tried with a tunnel without the "redirect-gateway" in client config and I still got my carrier's IP.
Then I tested with a tunnel with "redirect-gateway" in client config and I got my home ISP IP address.

so for me it seems to work fine when only modifying the client config.

thanks again for the info!

rks752
26th April 2010, 06:50 PM
I got "OpenVPN Settings" (merged Tunneldroid) installed successfully on a rooted HTC Hero (Android 1.5, original ROM 2.73.405.5 w/ busybox etc), but I fail to communicate with the gateway of the VPN.

The keys and passwords are in order, I have tested this on another machine. My setup is not trying to re-route default traffic. OpenVPN Settings says "Connected to XXX as YYY".

Any idea what might be wrong?

Attaching some verbose logs:


D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,route 5.6.0.0 255.255.255.0,topology net30,ping 8,ping-restart 32,ifconfig 5.6.0.6 5.6.0.5'
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 OPTIONS IMPORT: timers and/or timeouts modified
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 OPTIONS IMPORT: --persist options modified
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 OPTIONS IMPORT: --ifconfig/up options modified
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 OPTIONS IMPORT: route options modified
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 ROUTE default_gateway=192.168.2.1
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 TUN/TAP device tun0 opened
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 TUN/TAP TX queue length set to 100
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: >STATE:1272300504,ASSIGN_IP,,5.6.0.6,
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 /system/xbin/bb/ifconfig tun0 5.6.0.6 pointopoint 5.6.0.5 mtu 1500
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: >STATE:1272300504,ADD_ROUTES,,,
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 /system/xbin/bb/route add -net 5.6.0.0 netmask 255.255.255.0 gw 5.6.0.5
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 Initialization Sequence Completed
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: >STATE:1272300504,CONNECTED,SUCCESS,5.6.0.6,95.80.2.120
V/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): onState(">STATE:1272300504,ASSIGN_IP,,5.6.0.6,")
D/OpenVPN-Settings-getprop( 411): invoking external process: /system/bin/sh -s -x -i
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: CMD 'bytecount 0'
D/OpenVPN-Settings-getprop-stderr( 411): sh: can't access tty; job control turned off
D/OpenVPN-Settings-getprop-stderr( 411): $ > + export PS1=SHELL-PROMPT-READY
D/OpenVPN-Settings-getprop-stderr( 411): SHELL-PROMPT-READY
D/OpenVPN-Settings-getprop( 411): exec getprop net.dnschange
D/OpenVPN-Settings-getprop-stderr( 411): + exec getprop net.dnschange
D/OpenVPN-Settings-getprop-stdout( 411): 19
I/OpenVPN-Settings-getprop-stdout( 411): terminated
I/OpenVPN-Settings-getprop-stderr( 411): terminated
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): =============> 0 == 19 resetting dns, leaving dns alone
D/OpenVPNDaemonEnabler( 411): Received OpenVPN network state changed from Get Config to Assign IP
V/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): onState(">STATE:1272300504,ADD_ROUTES,,,")
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: CMD 'bytecount 0'
D/OpenVPN-Settings-getprop( 411): invoking external process: /system/bin/sh -s -x -i
D/OpenVPN-Settings-getprop-stderr( 411): sh: can't access tty; job control turned off
D/OpenVPN-Settings-getprop-stderr( 411): $ > + export PS1=SHELL-PROMPT-READY
D/OpenVPN-Settings-getprop-stderr( 411): SHELL-PROMPT-READY
D/OpenVPN-Settings-getprop( 411): exec getprop net.dnschange
D/OpenVPN-Settings-getprop-stderr( 411): + exec getprop net.dnschange
D/OpenVPN-Settings-getprop-stdout( 411): 19
I/OpenVPN-Settings-getprop-stdout( 411): terminated
I/OpenVPN-Settings-getprop-stderr( 411): terminated
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): =============> 0 == 19 resetting dns, leaving dns alone
D/OpenVPNDaemonEnabler( 411): Received OpenVPN network state changed from Assign IP to Add Routes
V/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): onState(">STATE:1272300504,CONNECTED,SUCCESS,5.6.0.6,95.80.2.120")
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-daemon-stdout( 411): Mon Apr 26 18:48:24 2010 MANAGEMENT: CMD 'bytecount 3'
D/OpenVPNDaemonEnabler( 411): Received OpenVPN network state changed from Add Routes to Connected
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): SUCCESS: bytecount interval changed
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): SUCCESS: bytecount interval changed
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): SUCCESS: bytecount interval changed
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): up: 1.24 kBps - down: 1.35 kBps
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): up: 0.06 kBps - down: 0.0 kBps
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): up: 0.03 kBps - down: 0.03 kBps
D/OpenVPN-DaemonMonitor[/sdcard/vpn/net5/net5.conf]-mgmt( 411): up: 0.0 kBps - down: 0.06 kBps

rgawenda
28th April 2010, 12:18 PM
The keys and passwords are in order, I have tested this on another machine. My setup is not trying to re-route default traffic. OpenVPN Settings says "Connected to XXX as YYY".


Do an ifconfig in the terminal emulator and ping both ends of the VPN. Leaving default routes untouched doesn't mean the VPN routing is correctly established.

rks752
28th April 2010, 12:27 PM
// gw
$ ping -c 3 -w 5 5.6.0.1
100% packet-loss

// ptp
$ ping -c 3 -w 5 5.6.0.5
100% packet-loss

// ext. net. test
$ ping -c 3 -w 5 external-VPN-IP
0% packet-loss




Do an ifconfig in the terminal emulator and ping both ends of the VPN. Leaving default routes untouched doesn't mean the VPN routing is correctly established.

rgawenda
28th April 2010, 12:54 PM
are the routes correct?

rks752
28th April 2010, 12:58 PM
As far as I can see, yes.

# ./route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5.6.0.5         *               255.255.255.255 UH    0      0        0 tun0
5.6.0.0         5.6.0.5         255.255.255.0   UG    0      0        0 tun0
192.168.10.0    *               255.255.255.0   U     0      0        0 tiwlan0
default         192.168.10.2    0.0.0.0         UG    0      0        0 tiwlan0

From the logs (manually bringing it up)

Wed Apr 28 10:57:30 2010 ROUTE default_gateway=192.168.10.2
Wed Apr 28 10:57:30 2010 TUN/TAP device tun0 opened
Wed Apr 28 10:57:30 2010 TUN/TAP TX queue length set to 100
Wed Apr 28 10:57:30 2010 /system/xbin/bb/ifconfig tun0 5.6.0.6 pointopoint 5.6.0.5 mtu 1500
Wed Apr 28 10:57:30 2010 /system/xbin/bb/route add -net 5.6.0.0 netmask 255.255.255.0 gw 5.6.0.5
Wed Apr 28 10:57:30 2010 Initialization Sequence Completed




are the routes correct?

joephein
27th May 2010, 02:53 PM
I found that I needed to click the "Fix DNS" button every time I change GPRS network because the DNS settings are overwritten by T-mobile. For some reason the T-Mobile DNS Servers do not work while on a VPN connection.

So I wrote a simple shell script and assigned it to run on screen unlock event in Tasker. Maybe this can be of some use to other users as well.

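#!/system/bin/sh
# Point the system-wide and mobile-data (rmnet0) resolvers at 8.8.8.8 / 8.8.4.4
su -c "setprop net.dns1 8.8.8.8"
su -c "setprop net.dns2 8.8.4.4"
su -c "setprop net.rmnet0.dns1 8.8.8.8"
su -c "setprop net.rmnet0.dns2 8.8.4.4"
# Set the net.dnsN.<pid> properties for the com.android.phone process as well
pid=$(ps | grep com.android.phone | awk '{print $2}')
su -c "setprop net.dns1.$pid 8.8.8.8"
su -c "setprop net.dns2.$pid 8.8.4.4"
unset pid
exit 0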

lamaz
10th July 2010, 06:25 PM
After many hours I can finally surf using openVPN. Just wanted to spare anybody else the pain. Your mileage may vary. As usual, I am not responsible if you brick your phone.

My configuration uses TAP interface vs. TUN. I want to push ALL traffic through my VPN. The phone will essentially be connected to your internal network.

I assume you already have some knowledge of OpenVPN and have already suffered at least 1 successful client/server connection. Else, get something working on a laptop first, visit the HOW-TO (http://www.openvpn.net/howto.html).

Requirements:

OpenVPN-Settings-0.4.6.apk (http://code.google.com/p/android-openvpn-settings/downloads/list)
OpenVPN 2.1.1 statically linked against patched openssl (http://github.com/fries/android-external-openvpn/downloads)
Rooted FRF91 using MoDaCo's Kernel 2.6.32.9-27227-g3c98b0d (http://forum.xda-developers.com/showthread.php?t=702191)
Working version of tun.ko for your kernel (http://forum.xda-developers.com/showpost.php?p=7047385&postcount=46)

Problem:
OpenVPN binaries included in rom don't seem to work. It can't find ifconfig and/or route. When you run the command line you get:
Sat Jul 3 13:30:58 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: route (2.1.1)
Sat Jul 3 13:30:58 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:7: ifconfig (2.1.1)

Summary:
Install new OpenVPN binaries, install/configure OpenVPN-Settings, add symbolic links to allow openvpn binaries to call ifconfig and route, remove an un-needed route.

Implementation:

1. Unzip/copy the openvpn-static-2.1.1 and tun.ko files to the device. (I renamed mine /system/xbin/openvpn)
adb remount
adb push openvpn /system/xbin/
adb push tun.ko /system/lib/modules/
adb reboot
2. Make folder /system/xbin/bb
adb remount
adb shell mkdir /system/xbin/bb

3. Make symbolic links to ifconfig and route
adb shell ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
adb shell ln -s /system/xbin/route /system/xbin/bb/route
4. Create a simple script to delete the route. Example (/sdcard/openvpn/up.sh)
#!/system/bin/sh
/system/xbin/route del YOUR_VPN_INTERNET_IPADDRESS
5. Make the file executable.
adb shell chmod +x /sdcard/openvpn/up.sh
6. Modify your openvpn.conf to call script after routing, or pass it in as a command line argument. I did the modification to script file.

#remember that I use tap, I don't know about tun
dev tap
route-up "/system/bin/sh /sdcard/openvpn/up.sh"

7. Install/Configure OpenVPN-Settings-0.4.6.apk.
7.0 Install OpenVPN-Settings-0.4.6.apk. Market or adb install OpenVPN-Settings-0.4.6.apk
7.1 On device, launch OpenVPN Settings.
7.2 Long press openvpn.conf, Preferences.
7.3 Check "Use VPN DNS Server"
7.4 Enter your VPN DNS Server
7.5 Script Security Level Select Built-in + scripts
7.6 press back
7.7 Click the sub-menu option, select Advanced
7.8 Load tun kernel module and make it 'insmod /system/lib/modules/tun.ko' before starting openvpn.
7.9 Change path to openvpn binary to /system/xbin/openvpn

Enjoy!

-LamaZ

Links:
Idea about deleting route entries courtesy of:
Fnorder (http://forum.xda-developers.com/member.php?u=1333094) http://forum.xda-developers.com/showpost.php?p=3395349&postcount=25
http://code.google.com/p/android-openvpn-installer/issues/detail?id=2

bahman2000
10th July 2010, 06:57 PM
LamaZ

Thanks for the tips. You pointed me in the right direction. However I think you over-complicated this a little bit.

I am on N1 Froyo (FRF91) with BusyBox and root.

This is what I did:

Install openvpn-installer (it installs the binary). During installation point to busybox (ifconfig/route) at: /system/xbin/bb

Create the symbolic links that you mentioned:

./adb shell ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
./adb shell ln -s /system/xbin/route /system/xbin/bb/route


I did not need to copy the binary like you suggested.

I did everything else required for openvpn-settings (conf and keys in /sdcard/openvpn, tun.ko in a reachable location).

I am not sure why you are deleting a route. A route is there either because your server or your client request it.

I am also not sure why you needed tun.ko if you're using tap. I'm using tun.

Everything works, just needed the symbolic links!

Gawis
10th July 2010, 08:00 PM
After many hours I can finally surf using openVPN. Just wanted to spare anybody else the pain.

This is what I did

thanks a lot to both for your replies this will surely come in handy the next time I have a rom that doesn't have OpenVPN in it!

lamaz
11th July 2010, 05:53 AM
LamaZ

Thanks for the tips. You pointed me in the right direction. However I think you over-complicated this a little bit.

I am on N1 Froyo (FRF91) with BusyBox and root.

This is what I did:

Install openvpn-installer (it installs the binary). During installation point to busybox (ifconfig/route) at: /system/xbin/bb

Create the symbolic links that you mentioned:

./adb shell ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
./adb shell ln -s /system/xbin/route /system/xbin/bb/route


I did not need to copy the binary like you suggested.

I did everything else required for openvpn-settings (conf and keys in /sdcard/openvpn, tun.ko in a reachable location).

I am not sure why you are deleting a route. A route is there either because your server or your client request it.

I am also not sure why you needed tun.ko if you're using tap. I'm using tun.

Everything works, just needed the symbolic links!

Glad to see it worked for you. I tried using the openvpn-installer with no success. I tried installing it in various locations. I'm glad to see there was an easier route.

The reason I had to delete a route is probably due to my server configuration file which will push DNS, dhcp and force all traffic through it. I noticed that my Mac and Linux Machines didn't have that route entry after connecting. If I leave the route I cannot connect anywhere.

The tun.ko is absolutely necessary for a tap device. You will get errors without it.

Glad to help out

-LamaZ

GldRush98
15th July 2010, 07:55 AM
My tap connection is connecting, but the phone is not setting its IP right.
I can see my vpn server telling the phone what to do, but the phone seems to have some weird issue.
Anyone ever run into this?
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Plutoserver.ovpn]-daemon-stdout( 923):Thu Jul 15 00:52:27 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.100.100.200,ping 10,ping-restart 120,ifconfig 10.100.100.204 255.255.255.0'
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Plutoserver.ovpn]-daemon-stdout( 923):Thu Jul 15 00:52:27 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: ifconfig (2.1.1)
In the OVPN Settings panel under my connection it says "Connected to xx.xx.xx.xx as" and it's just blank after the as. I am pretty sure that is where it should be listing the IP, but for some reason it isn't setting right.

GldRush98
15th July 2010, 08:15 PM
Tried a tun connection, same issue :(
Connects, but the address doesn't assign

Zal81
17th July 2010, 11:00 PM
I was having the same problem, but finally figured it out. It seems the binary from OpenVPN installer has a bug or incompatibility with the stock FRF91.

1) Download github.com/downloads/fries/android-external-openvpn/openvpn-static-2.1.1.bz2

2) Extract and rename the file to openvpn

3) use adb push to copy the file from your computer to your phone's /system/xbin directory (I extracted to c:\temp on my local, so you will need to change the c:\temp\ part to your local directory)
adb push c:\temp\openvpn /system/xbin

4) open up an adb shell

5) make the newly copied openvpn executable
chmod 777 /system/xbin/openvpn

6) this openvpn looks for the system binaries in the /system/xbin/bb directory, so create a symlink to where they are really located at on your phone.
ln -s /system/xbin /system/xbin/bb


I found the info for the above solution from code.google.com/p/android-openvpn-settings/issues/detail?id=26


This binary does seem to have a problem with passphrase protected certificates, but worked fine with a certificate without a passphrase. After a reboot it seems to work fine with both passphrase and non-passphrase certificates.

D!T
23rd July 2010, 09:48 AM
I was having the same problem, but finally figured it out. It seems the binary from OpenVPN installer has a bug or incompatibility with the stock FRF91.

1) Download github.com/downloads/fries/android-external-openvpn/openvpn-static-2.1.1.bz2

2) Extract and rename the file to openvpn

3) use adb push to copy the file from your computer to your phone's /system/xbin directory (I extracted to c:\temp on my local, so you will need to change the c:\temp\ part to your local directory)
adb push c:\temp\openvpn /system/xbin

4) open up an adb shell

5) make the newly copied openvpn executable
chmod 777 /system/xbin/openvpn

6) this openvpn looks for the system binaries in the /system/xbin/bb directory, so create a symlink to where they are really located at on your phone.
ln -s /system/xbin /system/xbin/bb



I did all of the above (download openvpn-static;rename;push to /system/xbin; make 777; created symlink), but keep getting "FATAL: Cannot allocate TUN/TAP dev dynamically"

I'm using a TAP interface on rooted, (otherwise) stock Froyo N1 with busybox installed.

Sadly, I don't know OpenVPN much, so might someone be able to suggest something I'm missing?

jwickers_1234
23rd July 2010, 03:55 PM
You are missing the tun.ko (or is it tap.ko when using tap ? i only use tun , not sure) module. You need to find one that works with your kernel, and push it to /system/lib/modules (or elsewhere actually) then set in the openvpn config the options to load it (or load manually in console as root: insmod <path>/tun.ko)

D!T
23rd July 2010, 06:37 PM
Ah, I forgot to mention that I did push tun.ko to /system/lib/modules as lamaz says in post #59, even though I'm using tap. But I will try adding a path to the config before searching for a different tun.ko

jwickers_1234
24th July 2010, 03:52 AM
Then does the module load ?

Try in a console:
su
insmod /system/lib/modules/tun.ko

If it loads it then appears in:
lsmod

D!T
24th July 2010, 08:27 AM
You are missing the tun.ko (or is it tap.ko when using tap ? i only use tun , not sure) module. You need to find one that works with your kernel, and push it to /system/lib/modules (or elsewhere actually) then set in the openvpn config the options to load it (or load manually in console as root: insmod <path>/tun.ko)

You rock.
Issuing the commands worked (sort of, more later) and it's only after doing so that I realized that OpenVPN Settings has an "advanced" settings area that allows loading the tun kernel, loading it using insmod, and selecting the path as /system/lib/modules/tun.ko

Though I get an internal address and OpenVPN Settings allows me to set DNS, nothing is getting routed and there is no address resolution. Not even direct ping to 8.8.8.8 works. My config file worked before under Eclair, so where should I look for the problem?

jwickers_1234
24th July 2010, 04:47 PM
Depends, what ROM/device are you using ?

Check the routes are ok in the console (as root), what's the output of:
route
ip ro
ip ru

D!T
25th July 2010, 11:08 AM
Nexus One
2.6.32.9-27227-g3c98b0d
android-build@apa26 #1

Without OpenVPN, route gives me "Invalid Argument". I have busybox and it is in /system/bin as well as /system/xbin, both places as 777, so I don't know why it doesn't run.
ip rule comes up empty
ip route
192.168.0.0/24 dev eth0 src 192.168.0.44
default via 192.168.0.1 dev eth0

And there's a difference in OpenVPN binaries between what is posted in lamaz's post. (http://forum.xda-developers.com/showpost.php?p=7132889&postcount=56)

***********
With Install OpenVPN's binary, I get a connection to the VPN, don't get internal address message (Just like GldRush98, apparently).
ip route
xxx.78.98.149 via 192.168.0.1 dev eth0
67.207.131.118 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 192.168.0.44
default via 192.168.0.1 dev eth0

There is address resolution, and ping works, but apparently I'm not really connected or something, because facebook.com still gives me round-robin bogus IPs (yes, I am in China, too).

***********
With Lamaz's link, I do get an internal address, ip rule is empty, and
ip route
xxx.78.98.149 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 192.168.0.44
10.0.0.0/8 dev tap0 src 10.19.99.255
0.0.0.0/1 via 10.19.96.1 dev tap0
128.0.0.0/1 via 10.19.96.1 dev tap0
default via 192.168.0.1 dev eth0

There's no address resolution and pinging 8.8.8.8 returns a message from the 10-net that the destination host is unreachable.
************

I assume "default via" should have that 10-net address after it, but don't understand why it's not happening.

jwickers_1234
25th July 2010, 01:42 PM
Well the last ip route results look good. Do not worry about the default route, i have the same (set to my wifi router), instead the 0.0.0.0 via your vpn gateway will take precedence as it is before it on the list.

So i guess your end of the vpn works, since your phone tries to route your 8.8.8.8 ping to the 10-net as it should. But your VPN gateway is not set to route your traffic to external networks.

You may want to recheck your VPN server configuration to allow that.
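The kernel chooses the most specific matching prefix for each destination, which is why the two /1 routes win over `default`. The following is an added example (not part of the original thread) that parses `ip route` output and reports which probe addresses would leave outside the tunnel. The two tables are modelled on the ones posted above; the VPN server address is masked in the thread, so the documentation addresses 203.0.113.149 and 198.51.100.118 stand in as placeholders.

```python
import ipaddress


def parse_ip_route(text):
    """Parse `ip route` output lines into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        opts = dict(zip(tok[1::2], tok[2::2]))          # "via X dev Y src Z"
        routes.append({"net": net, "via": opts.get("via"), "dev": opts.get("dev")})
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def leaks(routes, tunnel_devs, probes):
    """Return the probe addresses that would NOT be sent into the tunnel."""
    out = []
    for p in probes:
        r = lookup(routes, p)
        if r is None or r["dev"] not in tunnel_devs:
            out.append(p)
    return out


# Constructed sample: table with the two /1 routes pushed by the server.
WITH_HALF_ROUTES = """
203.0.113.149 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 192.168.0.44
10.0.0.0/8 dev tap0 src 10.19.99.255
0.0.0.0/1 via 10.19.96.1 dev tap0
128.0.0.0/1 via 10.19.96.1 dev tap0
default via 192.168.0.1 dev eth0
"""

# Constructed sample: "connected", but only host routes were installed.
WITHOUT_HALF_ROUTES = """
203.0.113.149 via 192.168.0.1 dev eth0
198.51.100.118 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 192.168.0.44
default via 192.168.0.1 dev eth0
"""

PROBES = ["8.8.8.8", "208.67.220.220"]  # one address in each half of IPv4 space

if __name__ == "__main__":
    for name, table in (("with /1 routes", WITH_HALF_ROUTES),
                        ("without /1 routes", WITHOUT_HALF_ROUTES)):
        routes = parse_ip_route(table)
        for p in PROBES + ["203.0.113.149"]:
            r = lookup(routes, p)
            print(name, p, "->", r["dev"], "via", r["via"], "(%s)" % r["net"])
        print(name, "leaking:", leaks(routes, {"tap0"}, PROBES))
```

The VPN server's own /32 must stay on eth0, otherwise the encrypted packets would be routed into the tunnel they are supposed to carry.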

D!T
25th July 2010, 04:45 PM
Ok, so if I understand this correctly, then really everything is fine on my, the client, -side. It is the server config that needs checking. But the problem is that this is the same config file I've been using since Eclair and is essentially the same config I am using (sans a passfile.txt call) on a Windows machine (and on the same network, no less). Worse, the server side is a pay-for outfit in the US, so their servers are not likely wrong.

Could there be some other service or something that is somehow blocking my routing? Does the fact that i can't even call "route" as a command make any difference?

jwickers_1234
25th July 2010, 05:23 PM
So the same config works on other machine of yours if i understand properly...

Ok then can you compare the routing table on those machine that works ?
Can you try a traceroute to some ip addresses from the phone ? and same from the working machine ?

D!T
25th July 2010, 06:29 PM
Yeah, that's right. From a windows machine with the same config file, I get

Active Routes:
Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              128.0.0.0        10.19.96.1    10.19.96.131  1
0.0.0.0              0.0.0.0          192.168.0.1   192.168.0.45  25
10.19.96.0           255.255.252.0    10.19.96.131  10.19.96.131  30
10.19.96.131         255.255.255.255  127.0.0.1     127.0.0.1     30
10.255.255.255       255.255.255.255  10.19.96.131  10.19.96.131  30
XXX.207.131.118      255.255.255.255  192.168.0.1   192.168.0.45  1
127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1     1
128.0.0.0            128.0.0.0        10.19.96.1    10.19.96.131  1
192.168.0.0          255.255.255.0    192.168.0.45  192.168.0.45  25
192.168.0.45         255.255.255.255  127.0.0.1     127.0.0.1     25
192.168.0.255        255.255.255.255  192.168.0.45  192.168.0.45  25
224.0.0.0            240.0.0.0        10.19.96.131  10.19.96.131  30
224.0.0.0            240.0.0.0        192.168.0.45  192.168.0.45  25
255.255.255.255      255.255.255.255  10.19.96.131  10006         1
255.255.255.255      255.255.255.255  10.19.96.131  3             1
255.255.255.255      255.255.255.255  10.19.96.131  10.19.96.131  1
255.255.255.255      255.255.255.255  192.168.0.45  192.168.0.45  1
Default Gateway: 10.19.96.1
===========================================================================
Persistent Routes:
None

A tracert to 8.8.8.8 is no problem at all; the first hop goes to 10.19.96.1, and everything after that is US-based.

On the phone, the traceroute gets nothing but stars and eventually winds up at 10.19.99.255

jwickers_1234
25th July 2010, 06:48 PM
Well the routes are different.
In the phone you have 10.0.0.0/8 via 99.255 which I wonder where it came from...
Also I don't see the equivalent to the .131 there.

I guess you can try removing that and manually add routes to be similar to the windows ones.

jwickers_1234
25th July 2010, 06:51 PM
But if your service is paid for, you can ask their support. They can check the logs and tell you if there is anything wrong with your client.

D!T
25th July 2010, 07:11 PM
Yes, I think I see the point now. I will try their support forums, but I sort of doubt they'll be able to see any problems because it seems that they'd be sending me all necessary information, but it's getting altered on my end so that no data I send/recv ever reaches them.

D!T
26th July 2010, 07:46 AM
Well, my provider's troubleshooting admin wasn't able to figure out the cause of the problem. For some inexplicable reason, everything is getting routed to the broadcast address of 10.19.99.255.

At first, I thought there was a difference in openvpn binaries, so I tried Friedrich's 2.1 version and got the same result.
The symbolic links for bb to get ifconfig and route are there;
busybox says it's installed;
I re-pushed tun.ko from here (http://forum.xda-developers.com/showpost.php?p=7047385&postcount=46) apparently appropriate for my kernel (2.6.32.9-27227-g3c98b0d).

How are you guys getting this working?

jwickers_1234
26th July 2010, 08:16 AM
So you should be able to manually set the correct routes.

For me it works as it should, but i manually configured my vpn server :)
Perhaps you can try to use "adb logcat" while connected to your PC and check the routes that openvpn is getting. I am still thinking your server is doing strange things that confuses openvpn somehow.

Or perhaps this is because your tap, can you switch to using tun instead ?

D!T
26th July 2010, 11:57 AM
adb logcat... quite a raft of information and I have no idea how to parse it for useful information. The only thing remotely relevant I saw was:

D/OpenVPN-Settings-getallprop-stdout( 5330): [net.dnschange]: [514]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.result]: [ok]
D/OpenVPN-Settings-getallprop-stdout( 5330): [init.svc.dhcpcd]: [running]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.pid]: [5352]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.reason]: [BOUND]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.dns1]: [8.8.8.8]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.dns2]: [208.67.220.220]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.dns3]: []
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.dns4]: []
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.ipaddress]: [192.168.0.44]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.gateway]: [192.168.0.1]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.mask]: [255.255.255.0]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.leasetime]: [-1]
D/OpenVPN-Settings-getallprop-stdout( 5330): [dhcp.eth0.server]: [192.168.0.1]
D/OpenVPN-Settings-getallprop-stdout( 5330): [ro.runtime.firstboot]: [1279951685501]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.dns1]: [8.8.8.8]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.dns2]: [208.67.220.220]
D/OpenVPN-Settings-getallprop-stdout( 5330): [gsm.network.type]: [EDGE]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.gprs.http-proxy]: []
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.rmnet0.dns1]: [211.136.192.6]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.rmnet0.dns2]: [211.139.163.6]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.rmnet0.gw]: [10.6.100.193]
D/OpenVPN-Settings-getallprop-stdout( 5330): [gsm.defaultpdpcontext.active]: [true]
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.dns1.82]: []
D/OpenVPN-Settings-getallprop-stdout( 5330): [net.dns2.82]: []
D/OpenVPN-Settings-getallprop-stdout( 5330): [sys.settings_system_version]: [17]
D/OpenVPN-Settings-getallprop-stdout( 5330): [adb.connected]: [1]
I/OpenVPN-Settings-getallprop-stdout( 5330): terminated
D/OpenVPN-Settings-getprop( 5330): invoking external process: /system/bin/sh
D/OpenVPN-Settings-getprop-stdout( 5330): 514
I/OpenVPN-Settings-getprop-stderr( 5330): terminated
I/OpenVPN-Settings-getprop-stdout( 5330): terminated
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/AlwaysVPN-Compatible.ovpn]-mgmt(5330): =============> 0 == 514
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/AlwaysVPN-Compatible.ovpn]-mgmt(5330): =============> applying new dns server
D/OpenVPN-Settings-setprop( 5330): invoking external process: /system/bin/su
W/Parcel ( 82): Attempt to read object from Parcel 0x4f9a3de0 at offset 492 that is not in the object list
D/SuRequest( 5395): Sending result: ALLOW
D/su ( 5438): 10068 de.schaeuffelhut.android.openvpn executing 0 /system/bin/sh using shell /system/bin/sh : sh
I/OpenVPN-Settings-setprop-stdout( 5330): terminated
I/OpenVPN-Settings-setprop-stderr( 5330): terminated
D/OpenVPN-Settings-getprop( 5330): invoking external process: /system/bin/sh
D/OpenVPN-Settings-getprop-stdout( 5330): 514
I/OpenVPN-Settings-getprop-stderr( 5330): terminated
I/OpenVPN-Settings-getprop-stdout( 5330): terminated
D/OpenVPN-Settings-setprop( 5330): invoking external process: /system/bin/su
W/Parcel ( 82): Attempt to read object from Parcel 0x46495de0 at offset 492 that is not in the object list
D/SuRequest( 5395): Sending result: ALLOW
D/su ( 5446): 10068 de.schaeuffelhut.android.openvpn executing 0 /system/bin/sh using shell /system/bin/sh : sh
I/OpenVPN-Settings-setprop-stdout( 5330): terminated
I/OpenVPN-Settings-setprop-stderr( 5330): terminated
D/OpenVPNDaemonEnabler( 5330): Received OpenVPN network state changed from Assign IP to Connected

It's not likely that the provider is going to change settings for my sake, especially seeing as how things used to work fine before Froyo. Still, I am working with them and can only hope for some eureka moment.
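One way to cut an `adb logcat` capture like this down to the lines that matter, as an added example (not part of the original post and not OpenVPN Settings' own code): it keeps only the daemon-monitor lines, decodes the `>STATE:` records, and flags a tunnel that reports CONNECTED although the pushed `ifconfig`/`route` options were rejected, the symptom reported earlier in the thread. The sample lines are constructed, modelled on lines quoted in the thread; the config path and the 192.0.2.10 server address are placeholders.

```python
import re

# Line shape OpenVPN Settings writes to logcat in this thread:
#   D/OpenVPN-DaemonMonitor[<config path>]-<channel>( <pid>): <message>
LOGCAT = re.compile(
    r'^[VDIWE]/OpenVPN-DaemonMonitor\[(?P<conf>[^\]]+)\]'
    r'-(?P<chan>[\w-]+)\(\s*\d+\):\s*(?P<msg>.*)$')
# Management state record: unix time, state, detail, local IP, remote IP.
STATE = re.compile(r'>STATE:(\d+),([A-Z_]+),([^,]*),([^,]*),([^,"]*)')
# A server-pushed option that the client binary refused to apply.
PUSH_REJECTED = re.compile(r'Options error: .* in \[PUSH-OPTIONS\]:\d+: (\S+)')
# ifconfig/route command lines echoed by the daemon after its timestamp.
NET_CMD = re.compile(r'\d{4} (/\S+/(ifconfig|route)) (.+)$')


def triage(lines):
    """Reduce logcat lines to tunnel states, network commands and findings."""
    states, rejected, cmds, findings = [], [], [], []
    for raw in lines:
        m = LOGCAT.match(raw.strip())
        if not m:
            continue  # unrelated logcat noise
        msg = m.group("msg")
        s = STATE.search(msg)
        if s:
            rec = {"time": int(s.group(1)), "state": s.group(2),
                   "detail": s.group(3), "local_ip": s.group(4).strip(),
                   "remote_ip": s.group(5).strip()}
            if rec not in states:  # daemon-stdout and mgmt both echo a state
                states.append(rec)
            continue
        e = PUSH_REJECTED.search(msg)
        if e:
            rejected.append(e.group(1))
            continue
        c = NET_CMD.search(msg)
        if c:
            cmds.append({"tool": c.group(2), "path": c.group(1),
                         "args": c.group(3)})

    connected = [s for s in states if s["state"] == "CONNECTED"]
    for opt in rejected:
        if opt in ("ifconfig", "route"):
            findings.append("pushed '%s' was rejected by the client binary" % opt)
    if connected and not connected[-1]["local_ip"]:
        findings.append("CONNECTED reported without a tunnel address")
    if connected and not any(c["tool"] == "ifconfig" for c in cmds):
        findings.append("no ifconfig command was run for the tunnel device")
    return {"states": states, "rejected_push": rejected,
            "net_cmds": cmds, "findings": findings}


# Constructed sample lines (placeholder config path and server address).
P = "D/OpenVPN-DaemonMonitor[/sdcard/openvpn/example.ovpn]-daemon-stdout( 923):"
M = "V/OpenVPN-DaemonMonitor[/sdcard/openvpn/example.ovpn]-mgmt( 923): "
BROKEN = [
    "D/Tethering(   82): tap0 is not a tetherable iface, ignoring",
    P + "Thu Jul 15 00:52:27 2010 PUSH: Received control message: "
        "'PUSH_REPLY,route-gateway 10.100.100.200,ping 10,ping-restart 120,"
        "ifconfig 10.100.100.204 255.255.255.0'",
    P + "Thu Jul 15 00:52:27 2010 Options error: Unrecognized option or "
        "missing parameter(s) in [PUSH-OPTIONS]:4: ifconfig (2.1.1)",
    M + 'onState(">STATE:1279155147,CONNECTED,SUCCESS,,192.0.2.10")',
]
HEALTHY = [
    P + "Tue Jul 27 00:51:11 2010 /system/xbin/bb/ifconfig tap0 10.19.96.98 "
        "netmask 255.255.252.0 mtu 1500 broadcast 10.19.99.255",
    P + "Tue Jul 27 00:51:11 2010 /system/xbin/bb/route add -net 0.0.0.0 "
        "netmask 128.0.0.0 gw 10.19.96.1",
    P + "Tue Jul 27 00:51:11 2010 MANAGEMENT: "
        ">STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,192.0.2.10",
    M + 'onState(">STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,192.0.2.10")',
]

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, triage(sample)["findings"])
```

Lines that logcat or the forum wrapped in two (a tag on one line, `(pid): message` on the next) have to be joined before they are passed in.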

jwickers_1234
26th July 2010, 12:56 PM
I don't see anything useful ... normally you should see the pushed routes, and where the 255 gateway is set.

D!T
26th July 2010, 07:21 PM
Yeah, I'm an idiot. The logcat spilled past the buffer the first time around, but I caught it this time:

I trimmed out a bunch of stuff and it looks like:

TUN/TAP TX queue length set to 100
D/Tethering( 82): tap0 is not a tetherable iface, ignoring

MANAGEMENT: >STATE:1280163071,ASSIGN_IP,,10.19.96.98,

/system/xbin/bb/ifconfig tap0 10.19.96.98 netmask 255.255.252.0 mtu 1500 broadcast 10.19.99.255

/system/xbin/bb/route add -net xxx.78.98.149 netmask 255.255.255.255 gw 192.168.0.1

/system/xbin/bb/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.19.96.1

/system/xbin/bb/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.19.96.1

Initialization Sequence Completed

MANAGEMENT: >STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,xxx.78.98.149
-mgmt(12314):onState(">STATE:1280163071,ASSIGN_IP,,10.19.96.98,")
D/OpenVPN-Settings-getprop(12314): invoking external process: /system/bin/sh

MANAGEMENT: CMD 'bytecount 0'
D/OpenVPN-Settings-getprop-stdout(12314): 621
I/OpenVPN-Settings-getprop-stderr(12314): terminated
I/OpenVPN-Settings-getprop-stdout(12314): terminated
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-mgmt(12314): =============> 0 == 621 resetting dns, leaving dns alone
D/OpenVPNDaemonEnabler(12314): Received OpenVPN network state changed from Get Config to Assign IP
-mgmt(12314):onState(">STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,xxx.78.98.149")

MANAGEMENT: CMD 'bytecount 3'

Original info:
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 TUN/TAP TX queue length set to 100
D/Tethering( 82): tap0 is not a tetherable iface, ignoring
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 MANAGEMENT: >STATE:1280163071,ASSIGN_IP,,10.19.96.98,
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 /system/xbin/bb/ifconfig tap0 10.19.96.98 netmask 255.255.252.0 mtu 1500 broadcast 10.19.99.255
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 /system/xbin/bb/route add -net xxx.78.98.149 netmask 255.255.255.255 gw 192.168.0.1
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 /system/xbin/bb/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.19.96.1
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 /system/xbin/bb/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.19.96.1
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 Initialization Sequence Completed
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 MANAGEMENT: >STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,xxx.78.98.149
V/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-mgmt(12314):onState(">STATE:1280163071,ASSIGN_IP,,10.19.96.98,")
D/OpenVPN-Settings-getprop(12314): invoking external process: /system/bin/sh
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 MANAGEMENT: CMD 'bytecount 0'
D/OpenVPN-Settings-getprop-stdout(12314): 621
I/OpenVPN-Settings-getprop-stderr(12314): terminated
I/OpenVPN-Settings-getprop-stdout(12314): terminated
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-mgmt(12314): =============> 0 == 621 resetting dns, leaving dns alone
D/OpenVPNDaemonEnabler(12314): Received OpenVPN network state changed from Get Config to Assign IP
V/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-mgmt(12314):onState(">STATE:1280163071,CONNECTED,SUCCESS,10.19.96.98,xxx.78.98.149")
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/Compatible.ovpn]-daemon-stdout(12314): Tue Jul 27 00:51:11 2010 MANAGEMENT: CMD 'bytecount 3'

D!T
27th July 2010, 01:52 PM
I'm not sure, but that seems to look consistent with the Windows routing and what one would expect, yes?

jwickers_1234
27th July 2010, 02:26 PM
Yes, seems alright. Maybe it is simply confused by the broadcast address ?
I don't see why you would have:
10.0.0.0/8 dev tap0 src 10.19.99.255
instead of
10.0.0.0/8 dev tap0 src 10.19.96.1

If you manually remove that route and create the correct one would the VPN routing work ?

D!T
27th July 2010, 03:35 PM
FIXED!

Ever since you asked for the output of "route", which never gave me anything, I'd suspected something was amiss, especially since I could now see from "logcat" that route was what was actually being called to perform the routing (duh, I know now) and suspected that there was something wrong with it (for whatever reason).

Uninstalling busybox and reinstalling it didn't do anything, so I deleted "route" and "ifconfig" and reinstalled busybox. It didn't put those binaries back in place. So, I backed up busybox, uninstalled it, then ran it again, but this time denied it "su" until the INSTALL button showed up. Ran the install, checked OpenVPN Settings' advanced bit and determined that one absolutely HAD to select /system/xbin/bb as the location for ifconfig+route. After that, it worked!


THANK YOU VERY MUCH jwickers1234 FOR YOUR HELP!!!

jwickers_1234
27th July 2010, 06:05 PM
Well good to hear, although i am not sure what you did to fix it, was the route binary not the good one ? i would have thought openvpn would have just failed miserably if those were missing.

D!T
27th July 2010, 07:01 PM
yeah, it doesn't make sense that the route binary would sort of work, but that seems to be what happened: the binaries were all there, but I could never call them from the command line, though there were otherwise no other errors. After I forced BusyBox to put things back, everything magically worked without any tweaks.

royal66
29th July 2010, 01:39 AM
Hello
Trying to install Openvpn on HTC Desire rooted with 20/Jul r5 - MoDaCo Custom ROM for HTC Desire with Online Kitchen - Froyo with Sense (FRF91)
I have downloaded openvpn and tun.ko to my win computer (don't I need some TAP driver? I use TAP config on my openvpn server)

But I can't copy the files to system/bin(openvpn) system/lib/modules(tun.ko) because of directory rights, I use terminal emulator from Market:
su chmod 777 /system/lib/modules
"permission denied"

su cp /sdcard/tun.ko /system/lib/modules/tun.ko
"permission denied"

Openvpn support was the main reason for rooting the device but I can't work this one out.
All help is very much appreciated :)

D!T
29th July 2010, 07:18 AM
try doing "su" first, when you get proper superuser access, then cp and chmod the files

jwickers_1234
29th July 2010, 09:42 AM
No this does not work on a Desire, /system is protected. You need to put those files in recovery mode using adb push (look for how to push files from your PC to the phone if you do not know how to use adb)

royal66
29th July 2010, 11:02 AM
No this does not work on a Desire, /system is protected. You need to put those files in recovery mode using adb push (look for how to push files from your PC to the phone if you do not know how to use adb)

Okay, learning something new every day with this phone :)
SDK and adb installed, but something's not working. I still do not have the permission to copy the file:

"c:\android-sdk-windows\tools>adb push y:\appz\htc\tun.ko /system/lib/modules

failed to copy 'y:\appz\htc\tun.ko' to '/system/lib/modules/tun.ko': Read-only file system
"

Am I doing it wrong, any ideas guys?

royal66
29th July 2010, 03:39 PM
Have tried some more..
Boot the phone in recovery mode with usb to pc.

It says transfer ok:
"c:\android-sdk-windows\tools>adb push y:\appz\htc\tun.ko /system/lib/modules/tun.ko
1706 KB/s (202759 bytes in 0.116s)"

but when I reboot the phone I cannot find the file in system/lib/modules.

Strange?

rgawenda
29th July 2010, 04:35 PM
Okay, learning something new every day with this phone :)
SDK and adb installed, but something's not working. I still do not have the permission to copy the file:

"c:\android-sdk-windows\tools>adb push y:\appz\htc\tun.ko /system/lib/modules

failed to copy 'y:\appz\htc\tun.ko' to '/system/lib/modules/tun.ko': Read-only f
ile system
"

Am I doing it wrong, any ideas guys?

Try doing one of these before the "adb push" command:
adb remount
adb shell mount -a
adb shell mount -o remount,rw /system

royal66
29th July 2010, 05:03 PM
Try doing one of these before the "adb push" command:
adb remount
adb shell mount -a
adb shell mount -o remount,rw /system
Thank you very much that did the trick :)

royal66
29th July 2010, 11:07 PM
Wasn't that easy to connect to my server :(
Have put my openvpn files in /sdcard/openvpn
The program OpenVPN finds the config (tomato router.ovpn)

When I try to connect it only says:
"OpenVPN Settings has been granted Superuser permission"

And after this nothing happens, no connection failure or errors are displayed, it just wouldn't connect

config file:
dev tap
proto udp
dev-node dev/tun
remote 192.168.10.10 1194
tls-client
keepalive 15 120
verb 3
ca ca.crt
cert xxx.crt
key xxx.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-128-CBC
nobind
explicit-exit-notify 3
#comp-lzo
#fragment 1500

OpenVPN settings:
Path to configurations: /sdcard/openvpn/
Path to openvpn binary: /system/xbin/openvpn
Load module using: modprooe
Path to tun module: /system/liv/modules/tun.ko

Not making any sense to me, is there any obvious mistake here?

jwickers_1234
30th July 2010, 04:51 AM
You have: remote 192.168.10.10, so you use your VPN on your local net only ?

royal66
30th July 2010, 09:10 AM
You have: remote 192.168.10.10, so you use your VPN on your local net only ?
No, this is just for testing, I have 2 OpenVPN locations :)

jwickers_1234
30th July 2010, 02:20 PM
Normally you should see the status in Openvpn Settings (either Wait / Auth / Get Config / Connected / .. etc ...)

You may want to check if the tun module is indeed properly loaded (in console: 'su' then 'lsmod').
Else whatever it is doing should be in your openvpn server logs.

royal66
31st July 2010, 01:59 PM
Normally you should see the status in Openvpn Settings (either Wait / Auth / Get Config / Connected / .. etc ...)

You may want to check if the tun module is indeed properly loaded (in console: 'su' then 'lsmod').
Else whatever it is doing should be in your openvpn server logs.

I am certain that OpenVPN doesn't connect: it doesn't say it is connected in OpenVPN Settings either, nothing happens when I push connect, there is no activity at all and the green V isn't showing on the config file.


lsmod:
bcm4329 211631 0 - Live 0xbf000000

I have copied tun.ko to system/lib/modules but it does not show in lsmod.

Is there anything else I need to set up?

jwickers_1234
31st July 2010, 04:42 PM
try manually loading the module from the console, normally i use insmod instead of modprobe:

insmod /system/lib/modules/tun.ko

royal66
31st July 2010, 05:22 PM
try manually loading the module from the console, normally i use insmod instead of modprobe:

insmod /system/lib/modules/tun.ko

Thanx for helping :)

insmod: can`t insert system/lib/modules/tun.ko: in valid module format

royal66
2nd August 2010, 04:18 PM
I reflashed with this new rom:
[ROM] Official 2.2, with: busybox, old A2SD+, OpenVPN (TUN), EXT4 support, 802.11N

And it worked instantly :)


New problem :p
My OpenVPN server pushes DHCP IP addresses, this works great on win pc.

But the android phone doesn't get IP from the server?

blackxored
2nd August 2010, 10:13 PM
Have you tried to check remote set addresses on the openvpn app on the phone. Also setting dhcp won't enable you to get vpn ip addresses by itself.

Sent from my HTC Dream using XDA App

royal66
3rd August 2010, 12:13 PM
Have you tried to check remote set addresses on the openvpn app on the phone. Also setting dhcp won't enable you to get vpn ip addresses by itself.

Sent from my HTC Dream using XDA App
What do you mean? VPN DNS preferences can't help me here?
The remote address is set in the openvpn client config file and works fine, as it connects to the server.
The OpenVPN server pushes DHCP but the phone does not receive DHCP from the server.
On PC this works fine.

I do not need DNS as I only access my home and work network. The OpenVPN server doesn't push internet traffic, just local access.

Openvpn server: 192.168.10.1
Gateway: 192.168.10.1
DHCP range: 192.168.10.100-192.168.10.200

In Win 7 OpenVPN creates a virtual network adapter that gets an IP from the OpenVPN server; maybe I need to configure TUN to receive an IP from the server?

I admit that I am on thin ice here, but hope someone understands my problem and has a solution?

rkantos
3rd August 2010, 08:28 PM
What do you mean? VPN DNS preferences can't help me here?
The remote address is set in the openvpn client config file and works fine, as it connects to the server.
The OpenVPN server pushes DHCP but the phone does not receive DHCP from the server.
On PC this works fine.

I do not need DNS as I only access my home and work network. The OpenVPN server doesn't push internet traffic, just local access.

Openvpn server: 192.168.10.1
Gateway: 192.168.10.1
DHCP range: 192.168.10.100-192.168.10.200

In Win 7 OpenVPN creates a virtual network adapter that gets an IP from the OpenVPN server; maybe I need to configure TUN to receive an IP from the server?

I admit that I am on thin ice here, but hope someone understands my problem and has a solution?

I also want to know how to get the traffic going through OVPN.. :rolleyes:

Crusoe86
7th August 2010, 09:27 AM
I also want to know how to get the traffic going through OVPN.. :rolleyes:

Do you want to know how to route the full traffic (Internet etc. to the VPN tunnel)?

ATTENTION!!! You have to modify the addresses to fit your system :)

dhcp-option DNS 192.168.1.1 (it sets the DNS to the specified address)
route-gateway 192.168.1.1 (this sets the gateway address)
redirect-gateway def1 (and this one routes the full traffic (including Internet) through the VPN tunnel)

I use these parameters in my Win7 config and it works well. These commands are available in Linux, too.

I hope this was what you were searching for :)

BTW: I want to buy a Desire (with Froyo) and play with Android on my HD2.
Is the "recovery mode", or whatever you are all talking about, also available on the "HD2 MOD"? Or is this not possible? I mean these "adb" commands.

I need OpenVPN because my APN "wap.vodafone.de" does not support all needed features of the Desire (like HTC Weather, e.g.). On WM 6.5 I use "ProxyCap" but that is not available for Android. It makes the proxy available for all apps, also those which have no proxy settings of their own (like Live Messenger (please no alternatives to messengers with proxy support ;))
If somebody has an alternative, then OpenVPN has a lower priority for me :p

royal66
7th August 2010, 12:11 PM
Do you want to know how to route the full traffic (Internet etc. to the VPN tunnel)?

ATTENTION!!! You have to modify the addresses to fit your system :)

dhcp-option DNS 192.168.1.1 (it sets the DNS to the specified address)
route-gateway 192.168.1.1 (this sets the gateway address)
redirect-gateway def1 (and this one routes the full traffic (including Internet) through the VPN tunnel)

I use these parameters in my Win7 config and it works well. These commands are available in Linux, too.

I hope this was what you were searching for :)

Hello
I need only access to the LAN side of the network as mentioned earlier in this thread.
The openvpn connects but I do not get access to the LAN, probably because it does not get IP addresses from the OPENVPN server.

My LAN setup:
Openvpn server: 192.168.10.10
Gateway: 192.168.10.1
DHCP range: 192.168.10.100-192.168.10.200

Is this correct?:
dhcp-option DNS 192.168.10.1
route-gateway 192.168.10.1
redirect-gateway def1: can I drop this if do not need internet to redirect?

Some questions:
What about the Android device IP? Doesn't it need an IP in the same range (192.168.10.x), not just gateway or DNS?
These commands, in the console? And before or after OpenVPN connects?
Maybe it is possible to create a script that runs these commands every time OpenVPN starts?

Many questions, hope you understand me.
Thanx

fiftyclick
12th August 2010, 06:11 PM
Seems like i have an odd issue -- my browser seems to be the only thing that doesn't work right now. Emails, the XDA app, etc.. all work fine, just not the browser app..

traceroute is valid too, and the gateway is setup properly. On my laptop, using the same setup, it can access http just fine (and the XDA app shows that my phone is doing it fine too).

any suggestions? Could it be related to apn settings?

Crusoe86
15th August 2010, 10:50 PM
I also want to know how to get the traffic going through OVPN.. :rolleyes:

Hey :)
Take a look at my tutorial (http://forum.xda-developers.com/showthread.php?p=7683773#post7683773) :)
Maybe it helps you with your configuration :)

jeroen__online
20th September 2010, 02:02 AM
Hi, I'm having a rather strange problem with OpenVPN-settings on OpenDesire 4.0.x. Openvpn works fine through Wifi, but it fails when I try to connect through 2G/3G. It seems like it has something to do with DNS resolving of the Openvpn monitor interface, but I don't know how to resolve it. Here's the relevant logcat part:
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): attach():using management port at 53105
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): attaching to OpenVPN daemon
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): java.net.UnknownHostException: localhost
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): at java.net.InetAddress.lookupHostByName(InetAddress.java:504)
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): at java.net.InetAddress.getLocalHost(InetAddress.java:459)
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): at de.schaeuffelhut.android.openvpn.service.ManagementThread.attach(DaemonMonitor.java:405)
E/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): at de.schaeuffelhut.android.openvpn.service.ManagementThread.run(DaemonMonitor.java:351)

V/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): Could not attach to OpenVPN monitor port
D/OpenVPNDaemonEnabler( 833): Received OpenVPN daemon state changed from Unknown to Disabled
D/OpenVPN-DaemonMonitor[/sdcard/openvpn/myserver.ovpn]-mgmt( 833): terminated
It fails on a "java.net.UnknownHostException: localhost", so it looks like disabling Wifi is breaking DNS (even for localhost) resolving? It works fine when I start OpenVPN-settings when Wifi is connected, then disable wifi and enable 'myserver.ovpn' in the app, but fails when wifi hasn't been connected. There is an entry linking 127.0.0.1 to 'localhost' in /etc/hosts.

Any help is very much appreciated!

EDIT: this was solved by removing the line "::1 localhost" from both /etc/hosts and /system/etc/hosts, I'm not sure why it's there but it solves my issue.

buckminst
13th October 2010, 03:20 AM
EDIT: this was solved by removing the line "::1 localhost" from both /etc/hosts and /system/etc/hosts, I'm not sure why it's there but it solves my issue.

FYI, ::1 is the IPv6 version of the local loopback address.
If the ::1 localhost definition was the only one and your kernel doesn't have IPv6 support, name resolution will fail.

laozilaile
26th October 2010, 06:34 AM
After several hours' work, I got OpenVPN working on my ME501. lamaz's post helped me a lot while I was working on it. Thanks, lamaz!

The following are the operations I did in addition to those mentioned by lamaz.

1. Create the link to "busybox cp" in the bin folder. The ME501 doesn't have the cp command there. It is needed by the OpenVPN installer.

2. Change the link destination of "ifconfig" and "route". On the ME501, they are linked to "toolbox" instead of "busybox". The ifconfig that came with the phone can't assign an IP to the tun0 interface properly.

emil73
13th January 2011, 10:20 AM
Hi,
New to android and would like to know if you can get a VPN client solution for android? Tried to search the forum and this thread is the closest I get.
What I want is to use a HTC Desire Z and get access to a server through a VPNtunnel.

bahman2000
13th January 2011, 03:51 PM
cyanogenmod has built-in support for openvpn.

sherifeldeeb
2nd February 2011, 06:25 AM
Working flawlessly when using tcp, over 3g or wifi.

but when changing proto to udp, it works once, but 50 times it doesn't "reset, reboot, re-install, restart server daemon, change network connection...etc", the thing is, it works sometimes!! so my config should be right, right? especially it *always* works if TCP.

The status just stops at "Wait" .... forever, tried 3g and wifi "two different networks".

Please help, since tcp is S..L..O..W.
Thanks for the tool by the way.

Galaxy tab
openvpn 2.1.1
busybox 1.17.1
working fine with TCP!


---------client.conf---------
client
dev tun
proto udp
remote 123.123.123.123 1194
nobind
persist-key
persist-tun
mute-replay-warnings
ca /sdcard/openvpn/ca.crt
cert /sdcard/openvpn/wolf.crt
key /sdcard/openvpn/wolf.key
ns-cert-type rnicrosoft
tls-auth /sdcard/openvpn/ta.key 1
cipher AES-128-CBC
comp-lzo
verb 0

----------openvpn.log "failed UDP connection"-------------

Wed Feb 2 06:00:16 2011 us=498083 11.11.11.11:51035 Re-using SSL/TLS context
Wed Feb 2 06:00:16 2011 us=498136 11.11.11.11:51035 LZO compression initialized
Wed Feb 2 06:00:16 2011 us=498416 11.11.11.11:51035 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Feb 2 06:00:16 2011 us=498441 11.11.11.11:51035 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 2 06:00:16 2011 us=498523 11.11.11.11:51035 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Feb 2 06:00:16 2011 us=498539 11.11.11.11:51035 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Feb 2 06:00:16 2011 us=498575 11.11.11.11:51035 Local Options hash (VER=V4): 'a2e63101'
Wed Feb 2 06:00:16 2011 us=498596 11.11.11.11:51035 Expected Remote Options hash (VER=V4): '272f1b58'
RWed Feb 2 06:00:16 2011 us=498684 11.11.11.11:51035 TLS: Initial packet from 11.11.11.11:51035, sid=63543461 c093b2b6
WRWWRWRWWWRWWRWWRWWRWWRWRWWRWWRWWRWWRWWRWWRWWRWWRW WRWWRWRWWWRWWRWWRWWRWRWWRWWRWWRWWWed Feb 2 06:01:16 2011 us=954631 11.11.11.11:51035 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 2 06:01:16 2011 us=954687 11.11.11.11:51035 TLS Error: TLS handshake failed
Wed Feb 2 06:01:16 2011 us=954781 11.11.11.11:51035 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Feb 2 06:01:17 2011 us=987640 MULTI: multi_create_instance called
Wed Feb 2 06:01:17 2011 us=987708 11.11.11.11:51045 Re-using SSL/TLS context
Wed Feb 2 06:01:17 2011 us=987739 11.11.11.11:51045 LZO compression initialized
Wed Feb 2 06:01:17 2011 us=987817 11.11.11.11:51045 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Feb 2 06:01:17 2011 us=987833 11.11.11.11:51045 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 2 06:01:17 2011 us=987872 11.11.11.11:51045 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Feb 2 06:01:17 2011 us=987901 11.11.11.11:51045 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Feb 2 06:01:17 2011 us=987926 11.11.11.11:51045 Local Options hash (VER=V4): 'a2e63101'
Wed Feb 2 06:01:17 2011 us=987952 11.11.11.11:51045 Expected Remote Options hash (VER=V4): '272f1b58'
RWed Feb 2 06:01:17 2011 us=988005 11.11.11.11:51045 TLS: Initial packet from 11.11.11.11:51045, sid=356e5456 1f824040
WWRWWRWWRWWRWWRWWRWWRWWRWWRW

----------openvpn.log "successful TCP connection"-------------
Wed Feb 2 06:13:29 2011 us=101201 Re-using SSL/TLS context
Wed Feb 2 06:13:29 2011 us=101305 LZO compression initialized
Wed Feb 2 06:13:29 2011 us=101631 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Wed Feb 2 06:13:29 2011 us=101682 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 2 06:13:29 2011 us=101771 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Feb 2 06:13:29 2011 us=101786 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Feb 2 06:13:29 2011 us=101825 Local Options hash (VER=V4): 'a642654b'
Wed Feb 2 06:13:29 2011 us=101846 Expected Remote Options hash (VER=V4): '0bdd0804'
Wed Feb 2 06:13:29 2011 us=101882 TCP connection established with 11.11.11.11:51268
Wed Feb 2 06:13:29 2011 us=101905 Socket Buffers: R=[131072->131072] S=[131072->131072]
Wed Feb 2 06:13:29 2011 us=101922 TCPv4_SERVER link local: [undef]
Wed Feb 2 06:13:29 2011 us=101938 TCPv4_SERVER link remote: 11.11.11.11:51268
RWed Feb 2 06:13:29 2011 us=938176 11.11.11.11:51268 TLS: Initial packet from 11.11.11.11:51268, sid=223d6876 14d07a22
WRRWWWWRWRWRWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRR RRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWed Feb 2 06:13:35 2011 us=576045 11.11.11.11:51268 VERIFY OK: depth=1, /C=US/ST=NY/L=REDMOND/O=microsoft/CN=microsoft_CA/emailAddress=root@microsoft.com
Wed Feb 2 06:13:35 2011 us=576367 11.11.11.11:51268 VERIFY OK: depth=0, /C=US/ST=NY/L=REDMOND/O=microsoft/CN=billgates/emailAddress=root@microsoft.com
WRWRWRWRWRWRWRWed Feb 2 06:13:36 2011 us=442620 11.11.11.11:51268 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Feb 2 06:13:36 2011 us=442653 11.11.11.11:51268 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 06:13:36 2011 us=442666 11.11.11.11:51268 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Feb 2 06:13:36 2011 us=442697 11.11.11.11:51268 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRWed Feb 2 06:13:37 2011 us=20535 11.11.11.11:51268 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 2 06:13:37 2011 us=20596 11.11.11.11:51268 [billgates] Peer Connection Initiated with 11.11.11.11:51268
Wed Feb 2 06:13:37 2011 us=20664 billgates/11.11.11.11:51268 MULTI: Learn: 10.8.0.2 -> billgates/11.11.11.11:51268
Wed Feb 2 06:13:37 2011 us=20678 billgates/11.11.11.11:51268 MULTI: primary virtual IP for billgates/11.11.11.11:51268: 10.8.0.2
RWed Feb 2 06:13:39 2011 us=348364 billgates/11.11.11.11:51268 PUSH: Received control message: 'PUSH_REQUEST'
Wed Feb 2 06:13:39 2011 us=348430 billgates/11.11.11.11:51268 SENT CONTROL [billgates]: 'PUSH_REPLY,route-gateway 123.123.123.123,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
WWWWRRRwrWRwrWRwrWR



---------iptables-save--------
root@bt:/etc/openvpn# iptables-save | grep -v # | grep -v :
*raw
COMMIT
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT

art_sn00p
3rd February 2011, 08:35 AM
It seems that it could be a MTU problem with UDP configuration. Try to make --udp-mtu larger or smaller than the default, and test again.
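
Added example (not part of the thread, and not code from the OpenVPN project): a small triage script for a server log like the one posted above. It groups lines by client endpoint, classifies each TLS handshake, and tallies the `R`/`W` packet-trace characters that OpenVPN prints at `verb 5` and higher. The sample log is constructed, its addresses are documentation placeholders, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample shaped like the server log above. The R/W runs glued to
# the front of a line are OpenVPN's per-packet trace: uppercase marks a packet
# read from or written to the TCP/UDP link, lowercase one on the TUN/TAP side.
STAMP = "Wed Feb  2 {} 2011 us=1 "
SAMPLE_LOG = "\n".join([
    STAMP.format("06:00:16") + "198.51.100.7:51035 LZO compression initialized",
    "R" + STAMP.format("06:00:16") + "198.51.100.7:51035 TLS: Initial packet "
    "from 198.51.100.7:51035, sid=00000000 00000001",
    "WRWWRWRWWWRWWRW" + STAMP.format("06:01:16") + "198.51.100.7:51035 TLS Error: "
    "TLS key negotiation failed to occur within 60 seconds",
    STAMP.format("06:01:16") + "198.51.100.7:51035 TLS Error: TLS handshake failed",
    STAMP.format("06:01:17") + "MULTI: multi_create_instance called",
    "R" + STAMP.format("06:01:17") + "198.51.100.7:51045 TLS: Initial packet "
    "from 198.51.100.7:51045, sid=00000000 00000002",
    "WWRWWRWW",
    "R" + STAMP.format("06:13:29") + "198.51.100.7:51268 TLS: Initial packet "
    "from 198.51.100.7:51268, sid=00000000 00000003",
    "WRRWWRWRWRWR" + STAMP.format("06:13:35") + "198.51.100.7:51268 VERIFY OK: "
    "depth=0, /CN=client1",
    "WRWR" + STAMP.format("06:13:37") + "198.51.100.7:51268 [client1] Peer "
    "Connection Initiated with 198.51.100.7:51268",
])

TS = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} "
                r"\d\d:\d\d:\d\d \d{4}")
PEER = re.compile(r"(?:us=\d+ )?(?:[^\s/]+/)?(\d+\.\d+\.\d+\.\d+:\d+) (.*)")
TRACE = re.compile(r"[RWrw ]*")


def analyse(log_text):
    """Group a server log by client endpoint and classify each TLS handshake."""
    sessions, last_peer = {}, None
    for line in log_text.splitlines():
        stamp = TS.search(line)
        # Everything before the timestamp (or a whole unstamped line) may be trace.
        trace = line[:stamp.start()] if stamp else line
        if not TRACE.fullmatch(trace):
            trace = ""                      # ordinary text, not packet trace
        hit = PEER.match(line[stamp.end():].lstrip()) if stamp else None
        # Heuristic: trace with no endpoint on its line goes to the last one seen.
        peer = hit.group(1) if hit else last_peer
        if peer is None:
            continue
        s = sessions.setdefault(peer, {"outcome": "incomplete", "start": None,
                                       "seconds": None, "reads": 0, "writes": 0})
        if s["outcome"] == "incomplete":    # only count packets during handshake
            s["reads"] += trace.count("R")
            s["writes"] += trace.count("W")
        last_peer = peer
        if not hit:
            continue
        msg = hit.group(2)
        when = datetime.strptime(" ".join(stamp.group().split()),
                                 "%a %b %d %H:%M:%S %Y")
        if "TLS: Initial packet from" in msg:
            s["start"] = when
        elif "TLS key negotiation failed" in msg:
            s["outcome"] = "handshake-timeout"
        elif "Peer Connection Initiated" in msg:
            s["outcome"] = "connected"
        else:
            continue
        if s["start"] and s["outcome"] != "incomplete":
            s["seconds"] = int((when - s["start"]).total_seconds())
    return sessions


def stalled(sessions):
    """Endpoints whose handshake never completed, with link reads and writes."""
    return [(peer, s["outcome"], s["reads"], s["writes"])
            for peer, s in sessions.items() if s["outcome"] != "connected"]


if __name__ == "__main__":
    for peer, s in analyse(SAMPLE_LOG).items():
        print(peer, s["outcome"], s["seconds"],
              "R=%d W=%d" % (s["reads"], s["writes"]))
```

Fed the real log, the per-endpoint read and write tallies of the failing UDP attempts can be compared directly with those of the working TCP session.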

deathero
10th March 2011, 11:09 AM
Glad to see it worked for you. I tried using the openvpn-installer with no success. I tried installing it in various locations. I'm glad to see there was an easier route.

The reason I had to delete a route is probably due to my server configuration file which will push DNS, dhcp and force all traffic through it. I noticed that my Mac and Linux Machines didn't have that route entry after connecting. If I leave the route I cannot connect anywhere.

The tun.ko is absolutely necessary for a tap device. You will get errors without it.

Glad to help out

-LamaZ


hi guys, i need to retrieve the dns settings pushed by the server into my android phone. Anyone has managed to do so?

programatix
10th May 2011, 04:34 AM
Hi,

I successfully connected to the VPN server. However, the tap doesn't seem to retrieve the IP address from the DHCP at the server. So, every time I connect to the VPN, I need to refresh the tap device IP manually by running "netcfg tap0 dhcp" in Terminal.

I tried putting in this line in the conf file,
up "netcfg tap0 dhcp"

but it doesn't run.

Any help would be greatly appreciated.

ddarvish
16th June 2011, 07:42 PM
so i had another random question. i am using my htc thunderbolt in a 4G area and when connected to my vpn using vpn settings the data is a lot slower than usual. I also then tested it by wifi tethering to the computer and using my computer to connect to the same vpn server and saw much higher speed results. BTW the server is on a 1Gbps up/down line. any ideas why the openvpn software on the phone is limiting the speeds. with it on i get 4-5mbps without it close to 15

bombadier
19th December 2011, 08:46 PM
Hope this is the right thread, don't shoot :p
Have an OpenVPN account and have the client.ovpn file on my phone (Desire Z running ILWT CM 7) and the openvpn installer app. It says no tap/tun module installed. How do I install this, as I thought CM 7 had support built in, and what are the settings if I wanted to enter them manually? Already searched, albeit not thoroughly. Thanks for any help with this matter.

bombadier
21st December 2011, 11:37 PM
Any help chaps?

plarser48
30th December 2011, 01:49 AM
Just curious. Has anyone been able to consistently use an openvpn connection over AT&T 3G networks?

I ask because I've been experimenting a lot lately and discovered that some networks work well for VPN (wap.cingular) while others do not allow DNS resolving (pta APN).

How have your experiences been?

harisit2005
26th January 2012, 12:25 AM
does any one know...how to save the Username and password in OpenVPN ?..
Am using OpenVPN in CM7 nightly

randrew2
8th February 2012, 08:09 PM
does any one know...how to save the Username and password in OpenVPN ?..
Am using OpenVPN in CM7 nightly

just create a file named 'pass.txt' then enter your username and password like this:

John
1234

place the file inside the same folder with config

then on your config, add this line:

auth-user-pass pass.txt

I hope that might help :)
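
Added example (not part of the thread): a client-config audit for the setup suggested above. A file named by `auth-user-pass` holds the password in clear text, and `/sdcard` has no per-file permissions, so other apps that can read external storage can read it along with any key kept there. The script also checks that a server-certificate check such as `ns-cert-type server` is active, not commented out. Both sample configs are constructed; `/data/local/openvpn` is a hypothetical root-only directory, and resolving relative paths against the config folder is an assumption.

```python
import posixpath
import shlex

# Directives whose first argument is a file holding secret material.
SECRET_FILES = {"key", "tls-auth", "pkcs12", "secret", "auth-user-pass"}
# Directives that make the client check it is talking to the real server.
SERVER_CHECKS = {"ns-cert-type", "remote-cert-tls", "tls-remote",
                 "verify-x509-name"}
# Assumption: mount points of shared external storage on the device.
SHARED_STORAGE = ("/sdcard", "/mnt/sdcard")

# Constructed sample modelled on the configs posted in this thread.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca /sdcard/openvpn/ca.crt
cert /sdcard/openvpn/client1.crt
key /sdcard/openvpn/client1.key
;ns-cert-type server
tls-auth /sdcard/openvpn/ta.key 1
auth-user-pass pass.txt
cipher AES-128-CBC
"""

# Same tunnel, with secrets moved off shared storage (hypothetical path),
# the password prompted for, and the server-certificate check enabled.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca /sdcard/openvpn/ca.crt
cert /sdcard/openvpn/client1.crt
key /data/local/openvpn/client1.key
ns-cert-type server      # refuse peers without a server certificate
tls-auth /data/local/openvpn/ta.key 1
auth-user-pass
cipher AES-128-CBC
"""


def parse_config(text):
    """Yield (directive, args) for each active line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # both characters start a comment
            continue
        try:
            tokens = shlex.split(line, comments=True)   # drops trailing "# ..."
        except ValueError:                    # unbalanced quote: split plainly
            tokens = line.split()
        if tokens:
            yield tokens[0].lstrip("-"), tokens[1:]


def on_shared_storage(path, config_dir):
    """True if path (relative paths resolved against config_dir) is shared."""
    full = posixpath.normpath(posixpath.join(config_dir, path))
    return any(full == root or full.startswith(root + "/")
               for root in SHARED_STORAGE)


def audit(text, config_dir):
    """Return a sorted list of (finding, detail) tuples for a client config."""
    findings, server_check = [], False
    for directive, args in parse_config(text):
        if directive in SERVER_CHECKS:
            strict = directive in ("ns-cert-type", "remote-cert-tls")
            if strict and args[:1] != ["server"]:
                findings.append(("bad-server-check",
                                 " ".join([directive] + args)))
            else:
                server_check = True
        if directive in SECRET_FILES and args:
            if directive == "auth-user-pass":
                findings.append(("password-stored-in-file", args[0]))
            if on_shared_storage(args[0], config_dir):
                findings.append(("secret-on-shared-storage",
                                 directive + " " + args[0]))
    if not server_check:
        findings.append(("no-server-cert-check",
                         "add ns-cert-type server or remote-cert-tls server"))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, "/sdcard/openvpn"))
```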

Guanfy
11th February 2012, 01:14 PM
I'm trying to connect to an openvpn connection via the openvpn app available on the market. I'm running an Archos 70IT rooted with churli's root. When I try using a tcp connection, the status in the app switches to unknown and stays that way until timeout. If I try using a udp connection, I get "error: Cannot allocate TUN/TAP dynamically".

According to the installer app I have tun.ko installed, and I know that I have busy box installed. I've looked all over the place trying to find an answer to this and i'm stumped. Can anyone help me out?

randrew2
11th February 2012, 06:39 PM
I'm trying to connect to an openvpn connection via the openvpn app available on the market. I'm running an Archos 70IT rooted with churli's root. When I try using a tcp connection, the status in the app switches to unknown and stays that way until timeout. If I try using a udp connection, I get "error: Cannot allocate TUN/TAP dynamically".

According to the installer app I have tun.ko installed, and I know that I have busy box installed. I've looked all over the place trying to find an answer to this and i'm stumped. Can anyone help me out?


have you tried to check "load the tunko modules" and choose "load tun.ko modules" -> insmod

and set the tun.ko location to "tun" (default)

if you have tried that and it's still not working, I guess the problem is that ifconfig and route aren't symlinked to busybox

try this:

- mount your /system/xbin (using root explorer)

- then, try to execute this command on terminal emulator:


mkdir /system/xbin/bb
ln -s /system/xbin/busybox /system/xbin/bb/ifconfig
ln -s /system/xbin/busybox /system/xbin/bb/route

- then unmount your /system/xbin

hope this helps :)

Guanfy
12th February 2012, 04:07 AM
I did as you instructed, and saw a few different things

1. When I tried the module instructions, end result was an error message saying it couldn't load the module. Despite this error the connection process seemed to continue.

2. I setup the linkages that you typed out and it seemed to help somewhat. Now with both TCP and UDP connections I get a "reconnecting due to tls-error" which I wasn't getting before.

3. The handshake thus far goes like this now Startup--->User/Pass--->Unknown(sometimes)--->Wait--->Auth--->tls error or Unknown again--->Wait--->Auth. Then the cycle loops.

Thank you for your help thus far, still stumped though.

randrew2
12th February 2012, 10:48 AM
I did as you instructed, and saw a few different things

1. When I tried the module instructions, end result was an error message saying it couldn't load the module. Despite this error the connection process seemed to continue.

2. I setup the linkages that you typed out and it seemed to help somewhat. Now with both TCP and UDP connections I get a "reconnecting due to tls-error" which I wasn't getting before.

3. The handshake thus far goes like this now Startup--->User/Pass--->Unknown(sometimes)--->Wait--->Auth--->tls error or Unknown again--->Wait--->Auth. Then the cycle loops.

Thank you for your help thus far, still stumped though.


hmm.. I think the "tls" error is caused by your config (maybe).. could you post your config here?

before that, try to uncheck "load tun modules"; that should load the device's preloaded tun.ko

Guanfy
12th February 2012, 11:09 AM
What config info do you want exactly?

randrew2
12th February 2012, 01:14 PM
What config info do you want exactly?

entire field inside the config that you use to connect to openvpn

example: servername.ovpn

Guanfy
12th February 2012, 02:21 PM
Ok, here's an example of the TCP config file I use


##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

auth-user-pass
#management-query-passwords
#management-hold

# Disable management port for debugging port issues
#management 127.0.0.1 13010

ping 5
ping-exit 30

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
#;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# All VPN Servers are added at the very end
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
# We order the hosts according to number of connections.
# So no need to randomize the list
# remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ./keys/ca.crt
cert ./keys/hmauser.crt
key ./keys/hmauser.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Detect proxy auto matically
#auto-proxy

# Need this for Vista connection issue
route-metric 1

# Get rid of the cached password warning
#auth-nocache

#show-net-up
#dhcp-renew
#dhcp-release
#route-delay 0 120

# added to prevent MITM attack
ns-cert-type server

#
# Remote servers added dynamically by the master server
# DO NOT CHANGE below this line
#
remote 180.189.157.78:443 443 # 0


And here's an example of a UDP file that I use

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

auth-user-pass
#management-query-passwords
#management-hold

# Disable management port for debugging port issues
#management 127.0.0.1 13010

ping 5
ping-exit 30

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
#;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# All VPN Servers are added at the very end
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
# We order the hosts according to number of connections.
# So no need to randomize the list
# remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert hmauser.crt
key hmauser.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Detect proxy automatically
#auto-proxy

# Need this for Vista connection issue
route-metric 1

# Get rid of the cached password warning
#auth-nocache

#
# Remote servers added dynamically by the master server
# DO NOT CHANGE below this line
#
remote 72.55.153.75 53 # 0
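
Added example, not part of the original post: in the TCP config above `ns-cert-type server` is active near the end, while in the UDP config it appears only as the commented-out `;ns-cert-type server`. The sketch below parses a client config, skips `#` and `;` comments, and reports when the server-certificate check or `auth-nocache` is not active; the function names, finding strings and sample excerpts (with documentation-range addresses) are constructed for illustration.

```python
import re

# Directives that make the client require a *server* certificate.
# ns-cert-type is the form used in the configs above; remote-cert-tls is
# the equivalent option in later OpenVPN releases.
SERVER_CHECKS = ("ns-cert-type", "remote-cert-tls")

def active_directives(text):
    """Map directive name -> list of argument lists, ignoring comments."""
    found = {}
    for raw in text.splitlines():
        # '#' and ';' both start a comment (quoted arguments are not handled)
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return findings for one client config (hypothetical helper)."""
    d = active_directives(text)
    findings = []
    if not any(["server"] in d.get(k, []) for k in SERVER_CHECKS):
        findings.append("server certificate type is not checked")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache")
    return findings

# Constructed excerpts mirroring the shape of the two posted configs.
TCP_SAMPLE = """client
auth-user-pass
proto tcp
;ns-cert-type server
#auth-nocache
# added to prevent MITM attack
ns-cert-type server
remote 192.0.2.10 443 # 0
"""
UDP_SAMPLE = """client
auth-user-pass
proto udp
;ns-cert-type server
#auth-nocache
remote 192.0.2.20 53 # 0
"""

if __name__ == "__main__":
    for label, cfg in (("tcp", TCP_SAMPLE), ("udp", UDP_SAMPLE)):
        print(label, audit(cfg) or "ok")
```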

randrew2
12th February 2012, 08:53 PM
^ That's not what I mean. The config you attached was a config that comes with the installer. That absolutely won't work even if you've tried to connect 1000 times :D

Here I give you an example in the attachment..
Read inside the config carefully, and place them in /sdcard/openvpn
Don't forget to add ca.crt to the same folder.. ;)

Guanfy
12th February 2012, 11:20 PM
Randrew2, take a closer look at the two files I pasted. Those are config files, and they do work, otherwise I couldn't access this forum to talk to you. Do you need the keys and ca file or can you work from the config files?