OpenVPN on android


Guest Christophe Vandeplas


Since I bought my HTC Hero two weeks ago I can't stop enjoying the device.

Except one thing: Currently no OpenVPN client exists yet for the Android platform.

While searching Google I could find people referring to successful ports of openvpn, but all discussions were vague and all links were dead.

This resulted in the motivation to work on making openvpn available on Android.

For the last weeks I have been reading documentation and already started coding a very basic GUI. (listing and editing configuration files)

Being fairly novice to Android, and expecting I'm not the only one envying such functionality I am starting a Call for Participation trying to reach other developers interested to work on the project.

As structure of this application I see the following parts:

1) GUI stuff to manage configurations (view, create, edit and delete). Tunnel management (connect, disconnect, view log, view ip) would also be done here. (language: java)

2) background daemon sending notifications about the tunnel state (don't know if that's necessary) (language: java)

3) ported openvpn client that parses the config and does the real work. (language: c)

It looks like other projects already provide the necessary tun kernel drivers. Rooting your device will be necessary to be able to load the driver.

Being supportive to open source software I'd like to keep the code open.

Discussions about selling the (compiled) GUI on the Market are possible.

Interested developers can reply here or contact me at [email protected].

Some interesting links:

http://openvpn.net/index.php/open-source/downloads.html

http://developer.android.com/sdk/ndk/1.5_r1/index.html

http://code.google.com/p/get-a-robot-vpnc/

Posted on xda-developers and MoDaCo.

Edited by Christophe Vandeplas

  • 1 month later...

Well. If you now check the duplicate post on the XDA forums you will see that someone has finally done it, but not provided any docs.

I tried to create an account there to follow up, but for some reason I am not getting the verify email from them, but here it works, so here I will post the step by step that I did to get it working.

First off, I gotta say, the modaco 2.2 rom for my HTC hero is great. Oh... and keep tun.ko present. It's used with this.

2ndly, this is my first post, and hope it helps someone, feedback in thread would be nice.

... ok on with the openVPN.

Firstly I will describe what I did with what tools/equip, so no assurances it will work on others the same way. TRY AT OWN RISK!!!! Lots of typing, no gui to start it up yet.

version of software OS used:

Android HTC Hero Build number 2.73.405.5 146733 (MCR2.2e)

Android system recover boot loader Build: CyanogenMod v1.4 + JF

(what ever android terminal program you prefer, I use connectbot)

PC - Asus 900 EEE (winXP)

Android SDK 1.5r3 (for ADB)

OpenVPN server - Astaro 7.4 home license. (I only have a wireless router in open access, connected in the DMZ port. Only way to connect internally is via OpenVPN [ssl] client - this is installed and confirmed working on my XP client - This is important as we will be using files from this install)

from the site: http://github.com/fries/android-external-openvpn/downloads

Download the file openvpn-android-2.1.tar.bz2 and unzip it somewhere. (location used in step 3)

Step 1 - Take backup and secure externally - optional, but always a good idea.

Step 2 - Reboot phone into recovery mode.

Powerdown Android. Power up holding Home and Power until recovery screen is displayed.

Have USB cable connected

Step 3 - Perform the following bold text commands at a command prompt

ADB shell mount /system

ADB shell

cd /system/lib

cp libcrypto.so libcrypto-orig.so

cp libssl.so libssl-orig.so

These last 2 entries are just a 2ndary backup. You can skip if you like.

exit

From the unzipped fries download find all the files (should be 5 in total) and do

adb push libcrypto.so /system/lib/

adb push liblzo.so /system/lib/

adb push libssl.so /system/lib/

adb push openssl /system/bin/

adb push openvpn /system/bin/

adb shell chmod 4755 /system/bin/openssl

adb shell chmod 4755 /system/bin/openvpn

These last 2 commands I added at the time, but I am unsure if they are actually needed.

Now for some reason (as I spent 8 hours working all this out) the openvpn client doesn't have the correct path to the busybox tools, and tries to use /system/xbin/bb/ifconfig and route commands. On my Hero, this path doesn't exist; it's just /system/xbin/ifconfig. Rather than stuff around trying to debug this, I instead did the following commands.

adb shell

cd /system/xbin

ln -s /system/xbin /system/xbin/bb

exit

If, before you exit, you do an ls of bb you should see the same directory listing as xbin.

Reboot back to the hero.

Step 4 - copy over the vpn config files

Now, you will need your open ssl vpn/certs/etc, and since I know my openvpn client on my XP works, I use those. From the local PC (for the Astaro installation) C:\Program Files\Astaro\Astaro SSL VPN Client\config\<whatever>\* (should be 2 .crt files, 1 .key file, and 1 .ovpn file). Copy these over to your android all in the same place, I used /sdcard and copied them via USBmount process. Keep them in the same location.

Step 5 - Create the username/password file

Yeah, I don't like storing passwords in clear text, but I still haven't figured out how to prompt for the password.

Create a text file (using whatever method you prefer) with your openvpn user name on the first line, and your openvpn password on the second line. Save it in the same location as step 4 on your android and note down the name.

Step 6 - Edit the ovpn file on your Android.

I am not sure if this is needed, but through my 8 hours of trying to get this to work, I made this change.

Find the line and change it so that it reads (you may need to remove comment characters).

dev-node /dev/tun

Save this change.

You can unplug the USB cable now (to ensure no false positives occur)

Step 7 - start your network connection on your Android

This can be your wireless, or your roaming data. Your choice. Just try to remember, this should be the same way your vpn is known to work with your config file from earlier (ie, if you use astaro VPN via public internet - use roaming, if you are connecting via DMZ/private subnet - use wireless).

Step 8 - Open the android console for starting up the VPN

I use connectbot in local mode, but it's your choice. Now at this point, I am going to do things the long way (short way is you should be able to figure out) to show one of the errors and how to fix it.

Perform the following bolded commands.

su -

cd /sdcard

or cd to where ever you stored your certs/key/ovpn and password file.

openvpn --config <yourconfigfilename>.ovpn --auth-user-pass <your password file filename>

For me this resulted in error:

<date/time> Cannot open TUN/TAP dev /dev/tun: no such file or directory (errno=2)

To fix this enter the following command

insmod /system/lib/modules/tun.ko

Then try this command again

openvpn --config <yourconfigfilename>.ovpn --auth-user-pass <your password file filename>

This then results in a success message (and for some reason no return to command prompt) of:

Mon Sep 28 23:52:14 2009 TUN/TAP device tun0 opened

Mon Sep 28 23:52:14 2009 TUN/TAP TX queue length set to 100

Mon Sep 28 23:52:14 2009 /system/xbin/bb/ifconfig tun0 10.242.2.6 pointopoint 10.242.2.5 mtu 1500

Mon Sep 28 23:52:14 2009 /system/xbin/bb/route add -net 10.242.2.1 netmask 255.255.255.255 gw 10.242.2.5

Mon Sep 28 23:52:14 2009 /system/xbin/bb/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.242.2.5

Mon Sep 28 23:52:14 2009 Initialization Sequence Completed

As you can see above, it tries to use the xbin/bb path... don't know why.

To test this, I used AndroidVNC to remote control one of my internal Guest VM's I used for development. This worked perfectly.

This concludes the 8 step program..

Now if only someone would (a) write a nice app/GUI front end for this to save the typing, and (b) write a nice GUI app to allow you to set the proxy for browsing. So far I haven't found any such free app in the store, but I only have had my HTC Hero for under 5 weeks.

- Randy
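
The how-to above leaves a clear-text username/password file next to the config and setuid `openvpn` and `openssl` binaries on the device. A shell audit for both, as an added example that is not part of the original post; the function names, finding labels, the sample file name and the treatment of /sdcard as storage other apps can read are assumptions of this example:

```sh
#!/bin/sh
# Added example, not part of the original post. Flags what the walkthrough
# leaves behind: a clear-text credentials file and setuid binaries.

# Print the file named by an active "auth-user-pass <file>" line in a config.
# Relative names are resolved against the config's directory (assumption:
# openvpn is started from that directory, as in Step 8). Commented lines
# ("#..." or ";...") never match because their first field differs.
auth_file_of() {
    cfg_dir=$(dirname "$1")
    awk '{ sub(/\r$/, "") }
         $1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1" |
    while IFS= read -r f; do
        case $f in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s\n' "$cfg_dir/$f" ;;
        esac
    done
}

# Succeeds if group or others have read permission on the file.
others_can_read() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Succeeds if the file carries the setuid bit (what chmod 4755 sets).
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Findings for one credentials file, one per line.
audit_cred() {
    [ -f "$1" ] || return 0
    case $1 in
        # Assumption: /sdcard is shared storage that other apps can read,
        # whatever the mode bits say.
        /sdcard/*) echo "CRED_ON_SHARED_STORAGE $1" ;;
    esac
    if others_can_read "$1"; then echo "CRED_READABLE_BY_OTHERS $1"; fi
}

# audit <config.ovpn> [binary...]: empty output means nothing was flagged.
audit() {
    cred=$(auth_file_of "$1"); shift
    if [ -n "$cred" ]; then audit_cred "$cred"; fi
    for bin in "$@"; do
        if is_setuid "$bin"; then echo "SETUID $bin"; fi
    done
}

# Example call (my.ovpn is a constructed name):
#   sh audit.sh /sdcard/my.ovpn /system/bin/openvpn /system/bin/openssl
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A credentials file passed only on the command line with --auth-user-pass can be checked directly with `audit_cred <file>`.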


  • 3 weeks later...
Guest arnaud atoch

Bonjour,

Worked nicely on my T Mobile G1.

The only comment I have is about the ln -s command.

The one that worked on my phone was :

ln -s /system/bin /system/xbin/bb

I'm still looking for a GUI to start Stop the VPN as OpenVPN-Monitor.apk fails finding my opvn files (in /sdcard/keys)

Arnaud Atoch


  • 2 weeks later...
Guest Christophe Vandeplas

Good news, as I finally have a working tun driver I can continue my work on a GUI.

The current version is very alpha, but can start/stop an openvpn tunnel and edit the config files on my hero.

Before it's usable I will need to add a notification when the tunnel comes up,

and a way to display the tunnel logfile.

The code will be available here: http://tunneldroid.svn.sourceforge.net/vie...id/tunneldroid/

I will post binaries/packages once I need testers.


Guest Chris Cureau

Very, very, very interested in this! Might be able to help with the coding as well. Contact me if you're interested.

Good news, as I finally have a working tun driver I can continue my work on a GUI.

The current version is very alpha, but can start/stop an openvpn tunnel and edit the config files on my hero.

Before it's usable I will need to add a notification when the tunnel comes up,

and a way to display the tunnel logfile.

The code will be available here: http://tunneldroid.svn.sourceforge.net/vie...id/tunneldroid/

I will post binaries/packages once I need testers.


  • 2 weeks later...
Guest chefcb_2

There is another OpenVPN App on Android market named OpenVPN GUI,

it allows you to set the path to your config files and the openvpn binary file.

You can easily start/stop vpns via checkboxes. It's very useful if you have a few VPNs which shouldn't be open all the time, so that you need to start/stop them often.

Some more information can be found at the Developer's page at http://www.blank-online.eu/android/openvpn_gui/ but unfortunately only in German...

Just have a look at the market, it pays :-)


Well, I just tried this new application (and no, it wasn't there ages ago).

Using MDC 2.8 Tech kernel 1.3

I can successfully run the openvpn command with my options file perfectly well from the command line (via connectbot).

however this app.... not the best.

I can set the folder that contains my config. This works.

I can set the location of the openvpn binary. This works.

I can set the last characters of my config file. This works. So it now displays my list of various .opvn files I use/tested with.

Show debug tick box. This.. ticks but doesn't work as expected.

When I attempt to connect with a VPN connection using this gui, I get the standard root request, and approve, but it then errors for some reason, and the error box that displays lasts like 2 secs, or some ridiculously short time, not enough to read it.

A good start.

-Randy


okay.. got the newer gui update version 1.1 ( I hope you are reading this).

good to have the ability to turn modprobe off. Thanks!

Got a different error this time with modprobe off. Lasted <2secs on screen (you need to change that) but the message was shorter this time. I was able to read it and it said could not find file.

The file it could not find was in my case /sdcard/my3.vpn and while from the gui screen I had selected my3, but in the settings I had set the file extension to .ovpn, hence it correctly populated the GUI, but then the writer has hard coded .vpn into the scripting. He needs to fix that.

Once I copied my3.ovpn to my3.vpn, it worked. Or at least when I checked in connectbot I can see the full route table I expected to. It's midnight so I am too tired to test it all. Will do a more in depth test tomorrow.

Also to note, I had to include my password file reference/setting into the .ovpn settings file. There is nowhere we are prompted at the GUI for a username/password to use at connect time. While for me it's not such an issue, I think this should be addressed some time in the future.

-Randy


Guest Christophe Vandeplas

Hello Everyone,

I have good news, my OpenVPN GUI is ready to be released to a wider test audience.

As explained in a previous post the code is completely opensource, so you can check that I added no backdoors, or you could help fixing bugs by sending patches ;-)

The application can currently:

- Create and edit configurations

- Connect / Disconnect

- View log and share it ( send by email or other means )

Future releases will:

- show the status of the connection, your assigned IP,...

- prompt for username/password instead of including passwordfiles in your configuration

You can find a README and the openvpn binaries (working on the Hero) here:

https://sourceforge.net/projects/tunneldroid/files/

(these binaries don't require the ugly symlinks that the others published on Git do need (http://github.com/fries/android-external-openvpn))

TunnelDroid is published on the Android Market.

So just do a simple search for it. This will help you to follow the updates.

Please give feedback if it works/doesn't work on your phone. It works like a charm on my Hero running MoDaCo 2.9 Hero Rom.


hi chris,

Just to advise, I downloaded Tunneldroid from market place and tried it out.

It crashes as it starts. I did a power down/restart to see if a reboot was required. Nope. same problem.

Specs on my hero are: MDC 2.8 Tch kernel 1.3

Error that displays is:

/!\ Sorry!

The application TunnelDroid (process net.sourceforge.tunneldroid) has stopped unexpectedly. Please try again.

~~~~~

The OpenVPN GUI client is now up to version 1.3. Now works. It no longer has hard coding to the .vpn extension even when not selected. It successfully brings up and down a VPN connection (with the relevant prompts for root).

What I did find lacking is to see the log/status of the VPN connection when I go in/out of range. But you can't have everything.

Good work to both of you.

-Randy


Guest Christophe Vandeplas
It crashes as it starts. I did a power down/restart to see if a reboot was required. Nope. same problem.

This is because your openvpn dir didn't exist on the sdcard.

v0.5 now automagically creates the config-dir

Check the market for update

PS: Two good reasons to use TunnelDroid :-)

1/ I will never add ads in the application

2/ it's completely opensource, so you can check if it doesn't do evil things, and you can help adding new features

I will continue working on new features,

please please report bugs so I can fix them.

Edited by Christophe Vandeplas

Tunneldroid it is!

Newer version 0.5 I just tried, and it works fine now. Dropped my .ovpn files into the required folder, and now I can see it connects and see the log! Just great. Running on MDC 2.8. tch 1.3 kernel

As you say, still some things to do, like to show status of the vpn.

If we are adding to wish list, then maybe an icon in the top system tray ( like when data/wireless is running) and some way within the VPN icon to ID data going out/in. (That's the one thing I miss dislike about the wireless icon, you can't see when traffic is happening, where as mobile data you can).

Great work Chris. I will be recommending it to my fellow VPN users.

-Randy.

Edited by cyde

Guest Christophe Vandeplas
If we are adding to wish list, then maybe an icon in the top system tray ( like when data/wireless is running) and some way within the VPN icon to ID data going out/in. (That's the one thing I miss dislike about the wireless icon, you can't see when traffic is happening, where as mobile data you can).

Btw, we're already at version 0.6, with a rewrite of the logging-system.

I planned to add a permanent notification in the notification area, just like the music player does.

This should be added in the release of 0.7 if no major bug is reported.

The biggest work to come is the implementation of the user/pass prompt as I will need to plug into the management interface of openvpn. That's more a milestone for v1.0.

Keep on giving feedback and don't forget to rate the app on the market ! ;-)

Cheers


Another error/issue and resulting workaround for this:

System: MDC 2.8 Tch Kernel 1.3

Tunneldroid Version 0.6

Issue:

My .ovpn file has 2 entries for REMOTE parameter. This should allow me to check/attempt VPN connections with the same CERT & credentials to multiple VPN Endpoints. In my case, the first endpoint is my home 10.x.y.z wireless network on my DMZ port of my Firewall system. The second IP is my External internet based IP.

When I run openvpn via connectbot command prompt with this config file in either wireless, or via data plan, it connects and I can VPN into my systems.

However, when using tunneldroid, I can successfully connect via home WiFi, but when I try via my dataplan connection, it doesn't connect.

To test this, I made a copy of my .ovpn config file, and then in the copy I only made 1 change, commenting out the first REMOTE entry, so that this .ovpn config will try the internet based address first. This works perfectly. I then disconnect and try the first one (with wifi first then internet 2nd) and it still fails.

In the log (Thanks for that feature Chris), I get the following entries at the end. (italics information I have commented out for security reasons)

Mon Nov 9 13:48:21 2009 OpenVPN 2.1_rc15 i686-pc-linux-gnu [sSL] [LZO2] [EPOLL] built on Sep 15 2009

..... [stuff in between removed]

Mon Nov 9 13:48:50 2009 Data Channel Encrypt: Cipher blah blah blah

Mon Nov 9 13:48:50 2009 Data Channel Encrypt: Using blah blah blah

Mon Nov 9 13:48:50 2009 Data Channel Decrypt: Cipher blah blah blah

Mon Nov 9 13:48:50 2009 Data Channel Decrypt: Using blah blah blah

Mon Nov 9 13:48:50 2009 Control Channel: TLSv1, cipher blah blah blah

Mon Nov 9 13:48:50 2009 [ASTARO-MACHINE-NAME] Peer Connection Initiated with WW.XX.YY.ZZ:443

Mon Nov 9 13:48:51 2009 SENT CONTROL [ASTARO-MACHINE-NAME]: 'PUSH_REQUEST' (status=1)

Mon Nov 9 13:48:51 2009 event_wait : Interrupted system call (code=4)

Mon Nov 9 13:48:51 2009 TCP/UDP: Closing socket

Mon Nov 9 13:48:51 2009 SIGTERM[hard,] received, process exiting

Now based on the start and end time, I see 30 seconds, so I am guessing that Chris has a hard coded 30 second time out. Might be good to know, and to advise only 1 REMOTE option per config. Or a change to the code to fix this.

Edited by cyde

Guest Christophe Vandeplas
To test this, I made a copy of my .ovpn config file, and then in the copy I only made 1 change, commenting out the first REMOTE entry, so that this .ovpn config will try the internet based address first. This works perfectly. I then disconnect and try the first one (with wifi first then internet 2nd) and it still fails.

...

Now based on the start and end time, I see 30 seconds, so I am guessing that Chris has a hard coded 30 second time out. Might be good to know, and to advise only 1 REMOTE option per config. Or a change to the code to fix this.

Your assumptions are correct. Check line 94 to 126 of the source

The timeout is set on 30 seconds.

Openvpn might, for whatever reasons, not be able to connect. I need to have a way to stop openvpn if it can't connect as it will otherwise continue. Do you have any other ideas to solve this issue? Maybe show a prompt to ask the user if he still wants to try?


Your assumptions are correct. Check line 94 to 126 of the source

The timeout is set on 30 seconds.

Openvpn might, for whatever reasons, not be able to connect. I need to have a way to stop openvpn if it can't connect as it will otherwise continue. Do you have any other ideas to solve this issue? Maybe show a prompt to ask the user if he still wants to try?

hmmm.

Maybe prior to connecting, the file is parsed for all uncommented REMOTE entries and 30 seconds (which is a good figure) is allocated per entry. This should time it right.

-Randy


Guest Christophe Vandeplas
Maybe prior to connecting, the file is parsed for all uncommented REMOTE entries and 30 seconds (which is a good figure) is allocated per entry. This should time it right.

I am currently working on the support of a username and password prompt (well, in fact it's a kind of management socket).

As this will take place in the same code as the timeout thing that is currently implemented, and as that part will be completely refactored I will delay this feature request until the basics of the user/pass prompt is implemented.

For those interested, here's the document explaining the features of the openvpn management socket: http://pastebin.ch/4660

As you can expect this will take more than a few days to implement. (as I'm not a professional programmer and code this in my free time)

I already implemented the tunnel-active notification, I'll upload a minor release to the market for that feature.


Chris,

Gotta say that the bells and whistles are now coming out.

Nice new features you have with 0.6.2, such as the tunnel Icon on the status bar tray, as well as the "ongoing" feature in the drag down notification area.

Gotta say I am now getting way impressed with this.

Keep up the good work.

-Randy


Guest gascharlie65

I have an HTC Tattoo with donut and I could not find in the market your application. Is it only for Android 1.5?

Hello Everyone,

I have good news, my OpenVPN GUI is ready to be released to a wider test audience.

As explained in a previous post the code is completely opensource, so you can check that I added no backdoors, or you could help fixing bugs by sending patches ;-)

The application can currently:

- Create and edit configurations

- Connect / Disconnect

- View log and share it ( send by email or other means )

Future releases will:

- show the status of the connection, your assigned IP,...

- prompt for username/password instead of including passwordfiles in your configuration

You can find a README and the openvpn binaries (working on the Hero) here:

https://sourceforge.net/projects/tunneldroid/files/

(these binaries don't require the ugly symlinks that the others published on Git do need (http://github.com/fries/android-external-openvpn))

TunnelDroid is published on the Android Market.

So just do a simple search for it. This will help you to follow the updates.

Please give feedback if it works/doesn't work on your phone. It works like a charm on my Hero running MoDaCo 2.9 Hero Rom.


Guest gascharlie65

I am afraid not, but usually when I cannot find in the market an app that is available for other android versions, it means that it does not work on mine...


Guest Christophe Vandeplas
I have an HTC Tattoo with donut and I could not find in the market your application. Is it only for Android 1.5?

From what I read your phone should support TunnelDroid.

The requirements are min-sdk = 3, this means it's for SDKv1.5 or newer.

This post kinda confirms what I think: http://www.mail-archive.com/android-beginn...m/msg15715.html


Guest bukington

Hi Chris,

Thanks for your application. It seems to work well on my Galaxy except that I use bridge networking and thus, the tap device instead of tun.

I saw in your source code that you're looking for /sys/class/net/tun0. In my case, that's /sys/class/net/tap0 that shows up.

This results in a timeout and the connection is closed despite the fact that the tunnel is fine.

Can you make a fix for this ?

Thanks
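
The two failures reported in this thread (a fixed 30-second limit with two `remote` entries, and a check for tun0 when the config uses a tap device) both come from the wait-for-tunnel step. One way to derive the deadline and the interface name from the config itself, as an added example that is not TunnelDroid's code; the function names and the `SYSFS_NET` override are assumptions of this example:

```sh
#!/bin/sh
# Added example, not TunnelDroid code. SYSFS_NET can be overridden so the
# logic can be exercised against a constructed directory.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# Number of active "remote" lines. Lines beginning with # or ; are comments,
# and remote-random / remote-cert-tls are different directives.
count_remotes() {
    awk '{ sub(/\r$/, "") }              # tolerate CRLF files copied from a PC
         $1 == "remote" && NF >= 2 { n++ }
         END { print n + 0 }' "$1"
}

# Device requested by the config: "tun", "tap" or an explicit name such as
# "tap0". Uses the last "dev" line; falls back to tun if there is none
# (a choice made for this example). "dev-node" is not matched.
config_dev() {
    awk '{ sub(/\r$/, "") }
         $1 == "dev" && NF >= 2 { d = $2 }
         END { print (d == "" ? "tun" : d) }' "$1"
}

# Seconds to wait: per-remote budget (default 30) times the remote count.
connect_deadline() {
    n=$(count_remotes "$1")
    [ "$n" -ge 1 ] || n=1
    echo $(( n * ${2:-30} ))
}

# Succeeds if a matching interface exists. "tun"/"tap" match tun0, tap3, ...;
# an explicit device name must match exactly.
iface_up() {
    case $1 in
        tun|tap)
            for p in "$SYSFS_NET/$1"[0-9]*; do
                [ -e "$p" ] && return 0
            done
            return 1 ;;
        *)  [ -e "$SYSFS_NET/$1" ] ;;
    esac
}

# wait_for_tunnel <config> [seconds-per-remote]
# Polls once a second. Returns 0 when the interface appears, 1 when the
# deadline passes (the caller would then stop openvpn).
wait_for_tunnel() {
    dev=$(config_dev "$1")
    left=$(connect_deadline "$1" "${2:-30}")
    while [ "$left" -gt 0 ]; do
        iface_up "$dev" && return 0
        sleep 1
        left=$(( left - 1 ))
    done
    iface_up "$dev"
}
```

An interface that already exists from another tunnel would satisfy this check, so it only answers "is a device of the right type present", not "is this tunnel connected".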


Guest Christophe Vandeplas
Thanks for your application. It seems to work well on my Galaxy except that I use bridge networking and thus, the tap device instead of tun.

I saw in your source code that you're looking for /sys/class/net/tun0. In my case, that's /sys/class/net/tap0 that shows up.

This results in a timeout and the connection is closed despite the fact that the tunnel is fine.

Can you make a fix for this ?

The good news is that I'm completely rewriting that part with the implementation of the openvpn management socket/interface.

This means TunnelDroid will be able to interact with openvpn while it runs in the background and will be able to ask openvpn if he's connected and not rely on an ugly hack like it's done now. (previous versions matched strings from the logfile).

Technical stuff aside, this means the following new features:

- prompt for certificate credentials

- prompt for auth credentials

- displaying the status of the connection (CONNECTING,WAIT,AUTH, GET_CONFIG, ASSIGN_IP, ADD_ROUTES, CONNECTED, RECONNECTING, EXITING)

- and probably other things ...

I'm submitting a new release this evening (European time) with a fix for your configuration so you can still connect in the meantime.
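
The management-interface approach described above, as an added example that is not TunnelDroid code: it maps notifications read from the management socket to GUI actions and builds the quoted username/password reply, so no password file has to sit beside the config. The function names and action labels are assumptions; the message formats are those of OpenVPN's management-interface notes, and the sample values in the comments are constructed.

```sh
#!/bin/sh
# Added example, not TunnelDroid code.

CR=$(printf '\r')
# State names as listed in the post above.
STATES="CONNECTING WAIT AUTH GET_CONFIG ASSIGN_IP ADD_ROUTES CONNECTED RECONNECTING EXITING"

# Escape a value for a double-quoted management argument: backslash and
# double quote each get a backslash in front.
mgmt_quote() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Lines to send after ">PASSWORD:Need 'Auth' username/password".
# Refuses values containing CR or LF, which would start another command.
auth_reply() {
    case "$1$2" in
        *"$CR"*) return 1 ;;
        *"
"*)     return 1 ;;
    esac
    printf 'username "Auth" "%s"\n' "$(mgmt_quote "$1")"
    printf 'password "Auth" "%s"\n' "$(mgmt_quote "$2")"
}

# Map one line from the management socket to an action for the GUI.
# Lines that need no action (command replies, >INFO, ...) print nothing.
mgmt_event() {
    line=${1%"$CR"}
    case $line in
        ">PASSWORD:Need 'Auth' username/password") echo PROMPT_USERPASS ;;
        ">PASSWORD:Need 'Private Key' password")   echo PROMPT_KEYPASS ;;
        ">PASSWORD:Verification Failed: "*)        echo AUTH_FAILED ;;
        ">STATE:"*)
            # >STATE:<unix time>,<state>,<detail>,<local tunnel IP>,...
            old_ifs=$IFS; IFS=,; set -f
            set -- ${line#">STATE:"}
            set +f; IFS=$old_ifs
            state=$2; ip=$4
            case " $STATES " in
                *" $state "*) echo "STATE $state${ip:+ $ip}" ;;
                *)            echo STATE_UNKNOWN ;;
            esac ;;
        *) : ;;
    esac
}

# Read a whole session from stdin, one action per line on stdout.
mgmt_events() {
    while IFS= read -r l; do
        mgmt_event "$l"
    done
}
```

Because the connection state comes from openvpn itself, the same code works for tun and tap configurations.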


Guest gascharlie65

Many thanks.

Anyway, I am still trying to get the recovery boot; in tattoo it seems that for accessing the recovery boot you have to press start + back button but when I select recovery boot an alert icon appears and the phone is stalled (I have to remove the battery).

So at the moment I am still stopped at the first step.

Carlo

From what I read your phone should support TunnelDroid.

The requirements are min-sdk = 3, this means it's for SDKv1.5 or newer.

This post kinda confirms what I think: http://www.mail-archive.com/android-beginn...m/msg15715.html
