OpenVPN now works with SS 5.0!

Discussion in 'ChevyNo1' started by iamgeniusrnti, Feb 21, 2011.

  1. iamgeniusrnti

    iamgeniusrnti Member

    Joined:
    Feb 22, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Ratings:
    +0
    Here's some quick news. I have an OpenVPN server running on an Amahi server. (amahi.org). I've always been able to get my ubuntu laptops to connect but never my Droid using Open VPN. The droid would connect but something in the OS would not route traffic thru the VPN.

    The server logs looked something like this:
    Code:
    31 23:54:17 localhost openvpn[1312]: MULTI: multi_create_instance called
    Jul 31 23:54:17 localhost openvpn[1312]: Re-using SSL/TLS context
    Jul 31 23:54:17 localhost openvpn[1312]: LZO compression initialized
    Jul 31 23:54:17 localhost openvpn[1312]: Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Jul 31 23:54:17 localhost openvpn[1312]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Jul 31 23:54:17 localhost openvpn[1312]: Local Options hash (VER=V4): '3e6d1056'
    Jul 31 23:54:17 localhost openvpn[1312]: Expected Remote Options hash (VER=V4): '31fdf004'
    Jul 31 23:54:17 localhost openvpn[1312]: TCP connection established with 97.242.112.229:42897
    Jul 31 23:54:17 localhost openvpn[1312]: Socket Buffers: R=[131072->131072] S=[131072->131072]
    Jul 31 23:54:17 localhost openvpn[1312]: TCPv4_SERVER link local: [undef]
    Jul 31 23:54:17 localhost openvpn[1312]: TCPv4_SERVER link remote: 97.242.112.229:42897
    Jul 31 23:54:18 localhost openvpn[1312]: 97.242.112.229:42897 TLS: Initial packet from 97.242.112.229:42897, sid=8da8656e 2eefdbfd
    Jul 31 23:54:22 localhost openvpn[1312]: 97.242.112.229:42897 VERIFY OK: depth=1, /C=US/ST=CA/L=SanJose/O=HomeHDA/OU=VPN/CN=yourhda.com/emailAddress=info@homehda.com
    Jul 31 23:54:22 localhost openvpn[1312]: 97.242.112.229:42897 VERIFY OK: depth=0, /C=US/ST=CA/L=SanJose/O=HomeHDA/OU=VPN/CN=client-tcheng/emailAddress=info@homehda.com
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 TLS: Username/Password authentication succeeded for username 'admin' 
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 31 23:54:23 localhost openvpn[1312]: 97.242.112.229:42897 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 31 23:54:24 localhost openvpn[1312]: 97.242.112.229:42897 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Jul 31 23:54:24 localhost openvpn[1312]: 97.242.112.229:42897 [client-tcheng] Peer Connection Initiated with 97.242.112.229:42897
    Jul 31 23:54:24 localhost openvpn[1312]: client-tcheng/97.242.112.229:42897 PUSH: Received control message: 'PUSH_REQUEST'
    Jul 31 23:54:24 localhost openvpn[1312]: client-tcheng/97.242.112.229:42897 SENT CONTROL [client-tcheng]: 'PUSH_REPLY,route-gateway 192.168.1.1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN home,route-gateway 192.168.1.10,ping 10,ping-restart 220,ifconfig 192.168.1.205 255.255.255.0' (status=1)
    Jul 31 23:54:25 localhost openvpn[1312]: client-tcheng/97.242.112.229:42897 MULTI: Learn: b2:fe:62:82:3c:48 -> client-tcheng/97.242.112.229:42897
    Jul 31 23:57:29 localhost openvpn[1312]: client-tcheng/97.242.112.229:42897 Connection reset, restarting [0]
    Jul 31 23:57:29 localhost openvpn[1312]: client-tcheng/97.242.112.229:42897 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Jul 31 23:57:29 localhost openvpn[1312]: TCP/UDP: Closing socket
    Essentially, the Droid wasn't taking the PUSH request from the server. It would accept the IP address but wouldn't accept the ROUTE command. So I gave up.

    Then after reading the post regarding the CIFS not working in Chevy's network services, I was inspired to give it another whirl. For some reason, it actually works now!

    Here is my server's config file:
    Code:
    port 1194
    proto tcp
    dev tap
    #dev tun
    mode server
    tls-server
    dev tap0
    ca /etc/openvpn/amahi/ca.crt
    cert /etc/openvpn/amahi/server.crt
    # This file should be kept secret
    key /etc/openvpn/amahi/server.key
    dh /etc/openvpn/amahi/dh1024.pem
    #server 10.8.0.0 255.255.255.0
    #ifconfig-pool-persist /var/run/openvpn-ipp.cache
    server-bridge 192.168.1.10 255.255.255.0 192.168.1.205 192.168.1.210
    push "route-gateway 192.168.1.1"
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DNS 192.168.1.10"
    #push "dhcp-option WINS 192.168.1.10"
    push "dhcp-option DOMAIN home"
    keepalive 10 220
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 3
    ;mute 20
    plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD
    "

    And the phone's config:
    Code:
    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    #dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    #;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    proto tcp
    #proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote XXX.XXX.net 1194
    
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    #;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    #persist-key
    #persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    #;http-proxy-retry # retry on connection failures
    #;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    #;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca /sdcard/openvpn/ca-cert.crt
    cert /sdcard/openvpn/AmahiHDAClient.crt
    key /sdcard/openvpn/AmahiHDAClient.key
    auth-user-pass /sdcard/openvpn/passfile
    
    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    #;ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    #;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    #;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    # comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    #;mute 20
    Hope this helps someone out.
     
  2. ChevyNo1

    ChevyNo1 Premium Member
    Premium Member Developer

    Joined:
    Dec 28, 2009
    Messages:
    5,354
    Likes Received:
    5
    Trophy Points:
    153
    Ratings:
    +5
    I have TUN built into the kernel now - that is probably why you now have success! dancedroid
     
  3. yakitori

    yakitori Premium Member
    Theme Developer Premium Member

    Joined:
    Sep 7, 2010
    Messages:
    2,548
    Likes Received:
    10
    Trophy Points:
    103
    Location:
    DFW Texas
    Ratings:
    +10
    what does this mean exactly? Does this give you access to a server from your phone? Like...a server for work, you can access from your phone?

    Just curious. I think it would be awesome if I had access to a server from my phone.
     
  4. ChevyNo1

    ChevyNo1 Premium Member
    Premium Member Developer

    Joined:
    Dec 28, 2009
    Messages:
    5,354
    Likes Received:
    5
    Trophy Points:
    153
    Ratings:
    +5
    I have not used it myself - but yes, that is the purpose - to VPN say into work
     
  5. iamgeniusrnti

    iamgeniusrnti Member

    Joined:
    Feb 22, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Ratings:
    +0
    Yes. I have various servers at my house sitting behind a Smoothwall. They don't actually do anything but make a lot of noise but that's my hobby.

    If I wanted to access them from my phone before, I would've either opened ports and forwarded them to the servers (less secure) or use SSH (secure shell) with an app called Connectbot and then forward ports over that (more secure as I only need one port, 22 for example but more tedious).

    With OpenVPN, the phone literally joins my homenetwork; I can open one port on the firewall, acquire an IP address off my DNS server and ALL traffic routes back thru the firewall filters as though I was sitting in my livingroom. Added bonus: when a VPN negotiates a connection, the traffic is inherently encrypted.

    Sent from my Droid using DroidForums App
     
  6. yakitori

    yakitori Premium Member
    Theme Developer Premium Member

    Joined:
    Sep 7, 2010
    Messages:
    2,548
    Likes Received:
    10
    Trophy Points:
    103
    Location:
    DFW Texas
    Ratings:
    +10
    would like to do this, but think my company's servers are too secure. Dont even know where to begin.
     
  7. atek3

    atek3 New Member

    Joined:
    Jan 14, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Ratings:
    +0
    iamgeniusrnti this is almost exactly what I want to do.

    I have a droid X, an Amahi server, and a router running DD-WRT (with OpenVPN).

    I'd like to generate my keys on the HDA, run openVPN server in TUN mode on the router, and connect remotely with my Rooted DX.

    Seems pretty straightforward, but it's hard.

    I've used easy-rsa to create the keys. I've put the relevant keys on dd-wrt using the gui config.

    any advice on installing OpenVPN client on my DX?
     
    #7 atek3, Jul 4, 2011
    Last edited: Jul 5, 2011
  8. iamgeniusrnti

    iamgeniusrnti Member

    Joined:
    Feb 22, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Ratings:
    +0
    I don't understand DD-WRT's role in this... Are you trying to use the GUI from outside? What would the OpenWRT client be doing?

    I don't use my wireles router as a gateway, I use Smoothwall. And the DNS server on my network is Amahi. So when I remote in, Amahi is dishing out the network configs and IP. The router's only involvement is forwarding port 1194 (TCP OR UDP) to the server. I want to help, but I'm confused.

    Once the router forwards the ports, the only players should be the configs inside the phone and the configs on your Amahi. Can you expound a little more on your issue?
     
  9. atek3

    atek3 New Member

    Joined:
    Jan 14, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Ratings:
    +0
    I wrote OpenWRT when I meant to write OpenVPN...I edited my original post.

    Long story short I want my connection to look like this

    Droid X (OpenVPN TUN client)-> VZN 3G -> my WNR-3500L (running dd-wrt and OpenVPN Server) -> my HDA.

    Right now I've installed busybox on my DX, and I'm trying to find the TUN driver before I install OpenVPN.

    thanks
    atek3
     
  10. iamgeniusrnti

    iamgeniusrnti Member

    Joined:
    Feb 22, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Ratings:
    +0
    The TUN driver was built into Chevy's kernel, I think. But you can also use an app called OpenVPN Settings, which I believe install the TUN driver for you.

    I don't know how to use DD-WRT's open VPN as I bypassed the router and used Amahi's OpenVPN server (which is always running anyway).

    Good luck!
     
  11. atek3

    atek3 New Member

    Joined:
    Jan 14, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Ratings:
    +0
    ah, thanks, I was hoping to stick with a stock kernel, but if its a big fiasco to install tun.ko, I guess i'll use a ROM with TUN pre-installed like Chevy's.

    thanks,
    atek3
     
Search tags for this page

amahi openvpn bridge

,
amahi.ovpn
,
dd-wrt amahi
,

ddwrt openvpn s4

,
open vpn how use android with ss
,
openvpn config file for ss
,
openvpn droid
,
pam droid roms
,
ss5 client for android
,
what is the password recovery o connect amahi vpn