OpenVPN with Root - Updated 8/19

fang0654

Sounds like something isn't set up right with your routing rules.

You may want to run openvpn manually from adb shell just to see if anything funky is happening.

adb shell
su
/data/openvpn/openvpn --config /sdcard/openvpn/client.conf

This will let you see if anything is failing.
 

PokerMunkee

This is what I get using the command line:

# /data/openvpn/openvpn --config /sdcard/openvpn/FW1.config
/data/openvpn/openvpn --config /sdcard/openvpn/FW1.config
Mon Jun 21 07:28:52 2010 OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 14 2010
Enter Auth Username:eharris
eharris
Mon Jun 21 07:28:54 2010 WARNING: No server certificate verification method has been enabled.
Mon Jun 21 07:28:54 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jun 21 07:28:54 2010 LZO compression initialized
Mon Jun 21 07:28:54 2010 UDPv4 link local: [undef]
Mon Jun 21 07:28:54 2010 UDPv4 link remote: 72.16.x.x:1194
Mon Jun 21 07:28:54 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 21 07:28:56 2010 [127.0.0.1] Peer Connection Initiated with 72.16.x.x:1194
Mon Jun 21 07:28:58 2010 AUTH: Received AUTH_FAILED control message
Mon Jun 21 07:28:58 2010 SIGTERM[soft,auth-failure] received, process exiting
#

Doesn't prompt me for a password. I get prompted and connected using the GUI. Any ideas?

When connecting with OpenVPN Settings, it connects to the server just fine. Seems like a routing issue. Is there no route or ifconfig on the device? (doesn't work from the shell). I get a Destination Host Unreachable when trying to ping my OpenVPN's internal IP from the adb shell.
 

PokerMunkee

It's me again. I'm desperate to get this working.....losing sleep over it :D

Here are the routing tables on my Android when I'm connected:

# ip route
ip route
97.185.13.204/30 dev rmnet0 proto kernel scope link src 97.185.13.206
172.30.20.0/24 via 172.30.100.150 dev tap0
172.30.100.0/24 via 172.30.100.150 dev tap0
172.30.30.0/24 via 172.30.100.150 dev tap0
192.168.157.0/24 via 172.30.100.150 dev tap0
172.30.10.0/24 via 172.30.100.150 dev tap0
172.30.0.0/16 dev tap0 proto kernel scope link src 172.30.100.255
default via 97.185.13.205 dev rmnet0
#

I'm unable to ping 172.30.100.150 which is my openvpn server.

:(
 

PokerMunkee

Do you have /system/bin/ifconfig and /system/bin/route?

Try this:

adb shell
su
busybox which ifconfig
busybox which route

Yes, both ifconfig and route are in /system/bin.

If I type in busybox, I get "not found".

I believe busybox was installed when I first rooted the phone, since I pushed a busybox.zip file.

C:\sdk\tools>adb shell
$ su
su
# busybox which ifconfig
busybox which ifconfig
busybox: not found
 

fang0654

I got busybox from the latest payload, but this was working beforehand, so it shouldn't matter.

I'm not too familiar with the tap interface. Is it supposed to have an ip address?

For me, ip route gives my tun0 device the following:

10.112.0.69 dev tun0 proto kernel scope link src 10.112.0.70

10.112.0.70 being the local ip.

What does the following yield:

ifconfig tap0
 

PokerMunkee

# ifconfig tap0
ifconfig tap0
tap0: ip 172.30.100.255 mask 255.255.0.0 flags [up broadcast running multicast]
#

It's not getting a valid IP?

Hrm.
 

PokerMunkee

I typed in "ifconfig tap0 172.30.100.199 255.255.255.0" and I was able to connect to my LAN instantly.

Any ideas why it's doing this? Is there an easy way to make a script that does this from my phone?

Sooooooooooo CLOSE!
 

fang0654

Can you post a censored version of your config?

When I was recompiling the OpenVPN Settings app, it said something about the default ifconfig not being feature rich enough, and needing to use the busybox version, but I didn't have any problem. Maybe that is the issue?
 

PokerMunkee

I really appreciate your help!!

Here is my client config

client
dev tap
proto udp
remote 72.16.x.x
resolv-retry infinite
nobind
persist-key
persist-tun
ca mr0-fw1.cer
auth-user-pass
comp-lzo

Server config

; daemon configuration
daemon
mode server
tls-server
proto udp
port 1194
multihome
user openvpn
group openvpn

cd /var/openvpn
client-config-dir clients


; tunnel configuration

dev tap1
server-bridge 172.30.100.151 255.255.255.0 172.30.100.220 172.30.100.230
push "route-gateway 172.30.100.151"

push "route 172.30.100.0 255.255.255.0"

passtos
comp-lzo
management 127.0.0.1 5555
keepalive 8 30

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

persist-key
persist-tun
persist-local-ip
persist-remote-ip


; logging and status

writepid /var/run/openvpn/openvpn.pid
ifconfig-pool-persist openvpn.leases
status /var/log/openvpn/openvpn-status.log
verb 1


client-connect "/usr/local/bin/dir.d-exec /etc/openvpn/client-connect.d/"
client-disconnect "/usr/local/bin/dir.d-exec /etc/openvpn/client-disconnect.d/"


; certificates and authentication

dh /var/efw/openvpn/dh1024.pem
pkcs12 /var/efw/openvpn/pkcs12.p12

client-cert-not-required
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
username-as-common-name

client-to-client

I'm using ENDIAN 2.2 that has OpenVPN built into it.
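
An added example, not part of the original posts: a small audit that flags the two client-side warnings from the log earlier in the thread (no server certificate verification, passwords cached in memory) plus the password-only client authentication and 1024-bit DH file visible in the server config. The finding labels are made up for this example, and the DH size is only inferred from the file name, which is an assumption.

```python
import re

# Constructed sample: abridged from the client config posted in this thread.
CLIENT_CONF = """client
dev tap
proto udp
remote 72.16.x.x
nobind
ca mr0-fw1.cer
auth-user-pass
comp-lzo
"""

# Any one of these OpenVPN options enables server certificate verification.
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "tls-remote", "tls-verify",
                 "verify-x509-name", "remote-cert-eku", "remote-cert-ku"}

def directives(text):
    """Map directive name -> list of argument lists, skipping ; and # comments."""
    out = {}
    for line in text.splitlines():
        line = re.split(r"[;#]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            out.setdefault(name.lstrip("-"), []).append(args)
    return out

def audit(text):
    """Return a list of finding labels (labels are hypothetical, for this example)."""
    d = directives(text)
    findings = []
    if "client" in d or "tls-client" in d:
        if not SERVER_VERIFY & d.keys():
            findings.append("no-server-cert-verification")
        if "auth-user-pass" in d and "auth-nocache" not in d:
            findings.append("password-cached-in-memory")
    if "client-cert-not-required" in d:
        findings.append("password-only-client-auth")
    for args in d.get("dh", []):
        # Assumption: the parameter size is encoded in the file name (dh1024.pem).
        m = re.search(r"dh(\d+)", args[0]) if args else None
        if m and int(m.group(1)) < 2048:
            findings.append("weak-dh-" + m.group(1))
    return findings

if __name__ == "__main__":
    print(audit(CLIENT_CONF))
```

Adding `remote-cert-tls server` and `auth-nocache` to the client config clears both client findings, provided the server certificate carries the matching key usage.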
 

fang0654

Looks fine to me. Do you have any other clients connected? (Only 10 addresses in range, run out perhaps?) When you try to connect, anything regarding remote ip in the openvpn.log?
 

PokerMunkee

I installed GScript and just run a script with "ifconfig tap0 172.30.100.199 255.255.255.0" and I can then RDP into my work computer. I'm happy with that!

I do wish I could find out why it doesn't assign the correct IP, but I'm not going to waste any more time on it.

Thanks for your help, I am so relieved to again have access to work on my phone. No more stressing out when I don't bring the laptop!
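
An added example, not part of the original posts: a check that compares the address reported by `ifconfig tap0` with the pool and netmask in the server's `server-bridge` line, using the values posted in this thread. It only reports the mismatch; it does not identify what caused it.

```python
import ipaddress
import re

# Constructed inputs: both lines are copied from the posts in this thread.
SERVER_BRIDGE = ("server-bridge 172.30.100.151 255.255.255.0 "
                 "172.30.100.220 172.30.100.230")
IFCONFIG_TAP0 = ("tap0: ip 172.30.100.255 mask 255.255.0.0 "
                 "flags [up broadcast running multicast]")

def check_tap_address(server_bridge, ifconfig_line):
    """Compare the address on the tap device with what server-bridge hands out."""
    _, gateway, mask, start, end = server_bridge.split()
    lan = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)

    # Format of the Android ifconfig output shown in the thread.
    m = re.search(r"ip (\S+) mask (\S+)", ifconfig_line)
    if not m:
        raise ValueError("unrecognised ifconfig output")
    addr = ipaddress.ip_address(m.group(1))
    got_mask = ipaddress.ip_address(m.group(2))

    problems = []
    if not lo <= addr <= hi:
        problems.append(f"{addr} is outside the pool {lo}-{hi}")
    if got_mask != lan.netmask:
        problems.append(f"netmask {got_mask} differs from pushed {lan.netmask}")
    if addr == lan.broadcast_address:
        problems.append(f"{addr} is the broadcast address of {lan}")
    return problems

if __name__ == "__main__":
    for problem in check_tap_address(SERVER_BRIDGE, IFCONFIG_TAP0):
        print(problem)
```

The manually assigned 172.30.100.199 with mask 255.255.255.0 passes the netmask check but is still reported as outside the pool, because the server does not track an address it did not hand out.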
 

wraithdu

I had the same problem, and it's due to the built-in versions of ifconfig and route, I think. I did this:

1) installed busybox 1.15.3 to /system/xbin and installed the links (busybox --install .)
2) reboot into recovery
3) mount /system and adb shell:
# cd /system/bin
mv ifconfig ifconfigoff
mv route routeoff
ln -s /system/xbin/busybox ./ifconfig
ln -s /system/xbin/busybox ./route
4) reboot

This creates the busybox ifconfig and route symlinks in /system/bin. After this, OpenVPN Settings works perfectly. Since OpenVPN uses hardcoded paths, this is the only workaround I can think of.
 

wraithdu

Modified instructions above to create symlinks instead of hardlinks. I'm not sure if it matters, but it's how the ifconfig links are done in CM.
 

wraithdu

busybox is installed by the latest rooting process, but it's not a full install, i.e. it does not create all the command links. I got the file from the Titanium Backup site:

www.matrixrewriter.com/android/files/busybox-1.15.3.zip

To install:

1) extract and push busybox to your sdcard, reboot into recovery
2) mount /system
3) if you don't have /system/xbin (you should), create it
adb shell:
# mkdir /system/xbin (if necessary)
dd if=/sdcard/busybox of=/system/xbin/busybox
cd /system/xbin
chmod 755 busybox
./busybox --install .
4) reboot and done

OPTIONAL - before rebooting replace the busybox installed by the root process in /system/bin
1) mv /system/bin/busybox /system/bin/busybox.bak
2) cp /system/xbin/busybox /system/bin/busybox
 

fang0654

I can upload another version of openvpn pointing to /system/xbin instead of /system/bin. The paths for ifconfig and route are hardcoded into the binary, so they have to be set before compile. I just moved, so my main machine is still in boxes, but once it is back up I'll update the first post with an updated binary and your additional instructions.
 