OPENVPN under android 2.2

---

HOW TO MAKE A OPENVPN CONNECTION

(you must use latest kernel - since 2010-08-18 it is integrated (tun module must be integrated in kernel mdules)
-> system/lib/modules/tun.ko)

kernel: htc-msm-linux-20100818_135751-package.tar or newer needed (because there the tun module is included)

1.) install of "openvpn" binary.
we do this manually
a) download openvpn.zip and copy the file: "openvpn" to directory "/sdcard/openvpn"
b) then set the execute writes via:
chmod +x /system/bin/openvpn
2.) some special settings - i do it via a start script -> /sdcard/conf/froyo.user.conf
(see there for the custom_shells part ...)

Code:

# custom shell commands, these commands run last
custom_shells{
#openvpn (ifconfig and route is needed)
mkdir /system/xbin/bb 
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route
#modprobe
modprobe tun
}

3.) copy your openvpn config files to directory /sdcard/openvpn
( my config file looks like: (for the client))

Code:

	dev tap
	dev-node /dev/tun
	proto tcp-client
	tls-client
	#your server ip + port
	remote 123.123.123.123 443 
	tls-auth /sdcard/openvpn/srv3.xxx.com_ta.key 1
	ca /sdcard/openvpn/srv3.xxx.com_ca.crt
	cert /sdcard/openvpn/srv3.xxx.com_rlt3.crt
	key /sdcard/openvpn/srv3.xxx.com_rlt3.key
	tun-mtu 1500
	tun-mtu-extra 32
	mssfix 1450
	pull
	redirect-gateway
	comp-lzo
	verb 3
	status /sdcard/openvpn/srv3.xxx.com_rlt3_status.log
	log-append /sdcard/openvpn/srv3.xxx.com_rlt3.log

only for your info (my server config)

Code:

port 443
dev tap0
proto tcp-server
mode server
tls-server
tls-auth /etc/openvpn/srv3.xxx.com_ta.key 0
ca /etc/openvpn/srv3.xxx.com_ca.crt
cert /etc/openvpn/srv3.xxx.com.crt
key /etc/openvpn/srv3.xxx.com.key
dh /etc/openvpn/srv3.xxx.com_dh1024.pem
crl-verify /etc/openvpn/srv3.xxx.com_crl.pem
client-config-dir client-config
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
push "ping 10"
push "ping-restart 60"
push "ping-timer-rem"
mute 50
comp-lzo
status-version 2
status /var/log/openvpn/srv3.xxx.com_openvpn-status.log
log /var/log/openvpn/srv3.xxx.com_openvpn.log
verb 3
ifconfig 192.168.23.1 255.255.255.0
ifconfig-pool 192.168.23.2 192.168.23.9
push "route 192.168.23.0 255.255.255.0"
push "dhcp-option DNS 192.168.23.1"
push "dhcp-option DOMAIN vpn.xxx.com"
#Turn this on, if you want that all traffic goes over VPN
#push "route-gateway 192.168.23.1"
#push "redirect-gateway"
client-to-client
#using multiple cn's (no limited to single access via one cert files)
duplicate-cn

4.) install of "openvpn settings" from market place
then start app: "openvpn settings"
then configure there:
-> Load tun kernel adapter -> OFF
-> TUN modules settings: (not needed)
-> load module using -> modprobe (not needed)
-> path to tun module -> tun (not needed)
-> Path to configuration -> /sdcard/openvpn
-> Path to openvpn binary -> /sdcard/openvpn/openvpn
5.) Then you should see your config file and you can click it to start.

That's it

EDIT on 23.08.2010 + 30.08.2010

good article!

Quote:

Originally Posted by pride2

good article!

maybe it should not iunder HTC HD, but anyhow ... if someone need it, he will find it -> search function is your friend

Quote:

Originally Posted by pride2

good article!

Yeah it is a quite good article...
But there is one thing I don't understand... Or two...

Firstly... Why we have to link "route" and "ifconfig" twice?
Secondly... Why we have to link "/system/xbin/route" to "/system/xbin/route"?
In my opinion this will cause something like a loop which makes the command not executable... Could that be right?

Many regards

Quote:

Originally Posted by Crusoe86

Yeah it is a quite good article...
But there is one thing I don't understand... Or two...

Firstly... Why we have to link "route" and "ifconfig" twice?
Secondly... Why we have to link "/system/xbin/route" to "/system/xbin/route"?
In my opinion this will cause something like a loop which makes the command not executable... Could that be right?

Many regards

the route is used by hardcoded path "/system/xbin/bb" from static "openvpn"
so, i was not sure if it is system/xbin or /system/xbin/bb, so i prefer to make both lnk's.
but addtional - i madea mistake, it is changed on first posting.
the mistakes are:
1.) openvpn-installer doesn't install conrrectly -> so, i did it manually
now.work
2.) ln was wrong: now the correct lnk's are:
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route

cu camel

I have the leaked 2.2 stock Froyo on my Incredible.

I get this after it authenticates:

FATAL: Cannot allocate TUN/TAP dev dynamically


Any ideas? I'm guessing it doesn't have the tun driver.

Quote:

Originally Posted by PokerMunkee

I have the leaked 2.2 stock Froyo on my Incredible.

I get this after it authenticates:

FATAL: Cannot allocate TUN/TAP dev dynamically


Any ideas? I'm guessing it doesn't have the tun driver.

EDIT:
please check my first posting (updated ...)

also as i can see - often the problem is to install the openvpn as executable, and also to "modprobe tun".
therefoore you can also add to your /sdcard/conf/froyo.user.conf like me:

(see there for the custom_shells part ...)

# custom shell commands, these commands run last
custom_shells{

#openvpn (ifconfig and route is needed)
mkdir /system/xbin/bb
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route

#modprobe
modprobe tun

#map the executable openvpn file to /system/xbin or bin
mount --bind /sdcard/openvpn/openvpn /system/xbin/openvpn
}

############
sure maybe some links are not needed - not sure what you have set ..
and of course - you can make it more cleaner as me ... but it is working fine enough for me.

cu camel