Sunday, 3 March 2013

OpenVPN and Android

Last week I finally got around to setting up a working VPN for my Android phone. I can now not only securely connect to my home network and access my NAS, satellite receiver, mail server, etc., but also route the phone's internet traffic through my home router and thus use any (open) WiFi without fearing that someone can steal my data.

This is how I did it:
  1. Server
    I've been using OpenVPN for quite some time to connect to a friend's and my company's server, so I did not need to set up a server. It's running on a Linux box that runs all the time, so the VPN is always available. Setting up OpenVPN is quite easy - I used the Ubuntu package and customized it to my needs. In essence the server config contains these entries:

    proto udp
    dev tun
    ca /etc/openvpn/server/2.0/keys/myvpn_ca.crt
    cert /etc/openvpn/server/2.0/keys/myvpn.crt
    key /etc/openvpn/server/2.0/keys/myvpn.key
    dh /etc/openvpn/server/2.0/keys/dh1024.pem
    server 10.10.1.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.10.0 255.255.255.0"
    comp-lzo
    user openvpn
    group openvpn
    persist-key
    persist-tun


    I generated a key for my phone to access the VPN some time ago and do not remember how, but as I recall that was not a problem either.

    The tricky part, besides configuring the phone, was to set up routing and the firewall correctly.
    I have a hardware firewall behind my DSL routers, so I first had to set up port forwarding for UDP port 1194 to the firewall. Since the firewall was configured to log dropped packets, it was not hard to find out which firewall rules were needed. And finally I had to create a static route to the VPN subnet via the Linux box so the hosts on my LAN can find the phone.
  2. Client, i.e. the phone
    On the phone I use OpenVPN Connect to access the VPN. I created a configuration file (the name must end in .ovpn) which in essence contains these entries:

    client
    dev tun
    proto udp
    redirect-gateway def1 bypass-dhcp
    dhcp-option DNS 192.168.10.1
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca myvpn_ca.crt
    cert myvpn_phone.crt
    key myvpn_phone.key
    comp-lzo


    I copied the certs, keys and config to a directory on the phone's SD card and then imported the .ovpn file into OpenVPN Connect.
    The redirect-gateway option makes the VPN server the default gateway, i.e. it routes all traffic through the VPN tunnel. The dhcp-option DNS line sets the DNS server to the one in my LAN, so I can access my private hosts by their names. The rest is standard setup.

    Besides checking if I can reach hosts and services on my LAN by their name, I used http://ct.de/ip to check that all traffic is routed via the VPN.
    Once that all worked I was happy :)
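As an added example (not part of the original post), here is a small Python script that parses an OpenVPN config like the two above and reports the points a reviewer would look at: whether the client really sends everything through the tunnel, whether it pins the peer as a server certificate, whether the server protects its port with tls-auth/tls-crypt, the size of the DH file, and whether tunnel compression is on. All directive names are real OpenVPN options; the embedded client config is constructed to mirror the phone config in the post.

```python
"""Added example (not from the post): parse an OpenVPN config and flag the
settings discussed above. Directive names are real OpenVPN options; the
CLIENT_CFG sample is constructed to mirror the post's phone config."""
import re

def parse_ovpn(text):
    """Map directive -> list of argument lists; <ca>..</ca> blocks -> ['inline']."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if inline:  # skip PEM lines until the closing tag
            inline = None if line == f"</{inline}>" else inline
            continue
        if m := re.fullmatch(r"<([\w-]+)>", line):
            inline = m.group(1)
            opts.setdefault(inline, []).append(["inline"])
        elif line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit_ovpn(text):
    """Return findings on the points the post touches; [] means none."""
    o, out = parse_ovpn(text), []
    for name in ("ca", "cert", "key"):
        if name not in o:
            out.append(f"no '{name}': peer cannot be authenticated")
    if "client" in o:
        if "redirect-gateway" not in o:
            out.append("client: no redirect-gateway, only pushed routes use the tunnel")
        if "remote-cert-tls" not in o:
            out.append("client: add 'remote-cert-tls server' so another client cert cannot pose as the server")
    if "server" in o:
        if "tls-auth" not in o and "tls-crypt" not in o:
            out.append("server: no tls-auth/tls-crypt, every packet reaching the port hits the TLS stack")
        if any(a and "1024" in a[0] for a in o.get("dh", [])):  # heuristic on the file name
            out.append("server: 1024-bit DH file, regenerate with at least 2048 bits")
    if "comp-lzo" in o or any(o.get("compress", [])):
        out.append("compression is deprecated: it leaks plaintext via compression side channels")
    return out

# Constructed sample mirroring the post's phone config (file-based certs).
CLIENT_CFG = """client
redirect-gateway def1 bypass-dhcp
dhcp-option DNS 192.168.10.1
ca myvpn_ca.crt
cert myvpn_phone.crt
key myvpn_phone.key
comp-lzo
"""
```

Run `audit_ovpn(CLIENT_CFG)` to see the two findings for the phone config; feed it the server config to get the DH and tls-auth findings.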
