Connecting a Samsung Galaxy (stock firmware 4.x, rooted) to OpenVPN in bridge mode (dev tap).
Packages installed from the Google Market:
- Busybox (Stephen Stericson)
- openVPN Installer (Friedrich Schäuffelhut)
- openVPN Settings (Friedrich Schäuffelhut)
- SuperSU (ChainsDD)
- QuickSSHD (optional!)
1. Busybox Installer, install to:
/system/xbin/busybox
2. OpenVPN Installer, install to:
/system/xbin/openvpn
3. ifconfig and route, symlink check:
After installing Busybox, the paths for the "ifconfig" and "route" commands must be right!
On my Android's SSH console it looks like this:
root@android:/system/xbin # ls -la ifconfig
lrwxrwxrwx 1 0 0 20 Jan 31 15:22 ifconfig -> /system/xbin/busybox
root@android:/system/xbin # ls -la route
lrwxrwxrwx 1 0 0 20 Jan 31 15:22 route -> /system/xbin/busybox
4. Copy the OpenVPN configuration and certificates to the mobile device (/sdcard/openvpn)
root@android:/ # ls -la /sdcard/openvpn/
total 224
drwxrwxr-x 2 1000 1015 32768 Jan 31 15:24 .
drwxrwxr-x 32 1000 1015 32768 Jan 31 16:25 ..
-rwxrwxr-x 1 1000 1015 5963 Jan 31 16:10 openvpn.log
-rwxrwxr-x 1 1000 1015 467 Jan 31 15:26 openvpn.ovpn
-rwxrwxr-x 1 1000 1015 4057 Aug 20 2011 GalaxyS2.crt
-rwxrwxr-x 1 1000 1015 887 Aug 20 2011 GalaxyS2.key
-rwxrwxr-x 1 1000 1015 1428 Aug 20 2011 ca.crt
5. OpenVPN Settings
Prerequisites:
Check of the functions and paths (Success!)
Advanced:
Path to configurations: /sdcard/openvpn
Path to openvpn binary: /system/xbin/openvpn
Once the *.ovpn configuration has been set up or selected, logging can additionally be switched on in the settings of the connection.
Since pushing the DNS server entry did not work on my Android, I also entered the IP of the internal DNS explicitly here; that way name resolution works.
Contents of the OpenVPN configuration file (openvpn.ovpn):
client
pull
dev tap
proto tcp
remote myvpn.domain.net
port 443
remote-cert-tls server
script-security 2
redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificates
ca ca.crt
cert GalaxyS2.crt
key GalaxyS2.key
cipher AES-256-CBC # Encryption
comp-lzo # Compression
auth SHA1 # Authentication method
verb 5 # Logging: off=0, default=1, up to 11
mute 20 # Suppress repeated messages
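As an added example that is not from the original post, a POSIX shell pre-flight check covering steps 1 to 5 and the configuration above, meant to be run on the phone's SSH console before the first connection attempt. The paths /system/xbin and /sdcard/openvpn are the ones from the post; the function name, the argument layout and the decision of what counts as a failure are my assumptions.

```shell
#!/bin/sh
# Pre-flight check for the Busybox + OpenVPN layout described in steps 1-5.
# Added example, not part of the original post. Assumptions: the binaries live
# in XBIN (busybox, openvpn, and the ifconfig/route symlinks); the .ovpn and the
# ca/cert/key files it references live in CONFDIR. Returns 0 when everything the
# post relies on is in place, 1 otherwise; warnings do not change the result.
check_openvpn_setup() {
    xbin=$1; confdir=$2; cfg=$2/$3; rc=0

    # Steps 1/2: busybox and openvpn must be present and executable.
    for bin in busybox openvpn; do
        [ -x "$xbin/$bin" ] || { echo "FAIL: $xbin/$bin missing or not executable"; rc=1; }
    done

    # Step 3: ifconfig and route must be symlinks pointing at busybox, because
    # OpenVPN calls them by path when it brings up tap0 (see the log below).
    for cmd in ifconfig route; do
        target=$(readlink "$xbin/$cmd" 2>/dev/null || true)
        [ "$target" = "$xbin/busybox" ] ||
            { echo "FAIL: $xbin/$cmd -> ${target:-(not a symlink)}, expected $xbin/busybox"; rc=1; }
    done

    # Step 4: the config must exist and every ca/cert/key it names must be readable.
    if [ ! -r "$cfg" ]; then
        echo "FAIL: config $cfg not readable"; return 1
    fi
    for f in $(awk '$1=="ca" || $1=="cert" || $1=="key" { print $2 }' "$cfg"); do
        [ -r "$confdir/$f" ] || { echo "FAIL: $confdir/$f referenced by config but missing"; rc=1; }
    done

    # Without "remote-cert-tls server" the client would accept any certificate
    # signed by the CA as the server, so its absence is treated as a hard failure.
    grep -q '^remote-cert-tls server' "$cfg" ||
        { echo "FAIL: remote-cert-tls server not set in $cfg"; rc=1; }

    # A private key on /sdcard is readable by every app with storage access;
    # report it, but only as a warning, since FAT cannot store Unix permissions.
    for f in $(awk '$1=="key" { print $2 }' "$cfg"); do
        case "$(ls -ld "$confdir/$f" 2>/dev/null | cut -c5-10)" in
            *r*) echo "WARN: $confdir/$f is group/world readable" ;;
        esac
    done
    return $rc
}

# Usage on the phone (three arguments): /system/xbin /sdcard/openvpn openvpn.ovpn
if [ $# -eq 3 ]; then check_openvpn_setup "$@"; fi
```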
Log file of the first successful connection:
Thu Jan 31 17:09:06 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:06 2013 VERIFY OK: depth=1, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Jan 31 17:09:06 2013 Validating certificate key usage
Thu Jan 31 17:09:06 2013 ++ Certificate has key usage 00a0, expects 00a0
Thu Jan 31 17:09:06 2013 VERIFY KU OK
Thu Jan 31 17:09:06 2013 Validating certificate extended key usage
Thu Jan 31 17:09:06 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 31 17:09:06 2013 VERIFY EKU OK
Thu Jan 31 17:09:06 2013 VERIFY OK: depth=0, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 31 17:09:07 2013 [myvpn.domain.net] Peer Connection Initiated with XXXXXXXXXXXXX:443
Thu Jan 31 17:09:08 2013 MANAGEMENT: >STATE:1359648548,GET_CONFIG,,,
Thu Jan 31 17:09:08 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:09 2013 SENT CONTROL [myvpn.domain.net]: 'PUSH_REQUEST' (status=1)
Thu Jan 31 17:09:09 2013 PUSH: Received control message: 'PUSH_REPLY,route X.X.X.X 255.255.255.0,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,dhcp-option DOMAIN domain.net,route-gateway X.X.X.X,ping 10,ping-restart 60,ifconfig X.X.X.X 255.255.255.0'
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: route options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: route-related options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 31 17:09:09 2013 ROUTE default_gateway=X.X.X.X
Thu Jan 31 17:09:09 2013 TUN/TAP device tap0 opened
Thu Jan 31 17:09:09 2013 TUN/TAP TX queue length set to 100
Thu Jan 31 17:09:09 2013 MANAGEMENT: >STATE:1359648549,ASSIGN_IP,,X.X.X.X,
Thu Jan 31 17:09:09 2013 /system/xbin/busybox ifconfig tap0 X.X.X.X netmask 255.255.255.0 mtu 1500 broadcast X.X.X.255
Thu Jan 31 17:09:09 2013 /system/xbin/busybox route add -net X.X.X.X netmask 255.255.255.255 gw X.X.X.X
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route add -net 0.0.0.0 netmask 0.0.0.0 gw X.X.X.X
Thu Jan 31 17:09:10 2013 MANAGEMENT: >STATE:1359648550,ADD_ROUTES,,,
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route add -net 192.168.0.0 netmask 255.255.255.0 gw X.X.X.X
Thu Jan 31 17:09:10 2013 Initialization Sequence Completed
Thu Jan 31 17:09:10 2013 MANAGEMENT: >STATE:1359648550,CONNECTED,SUCCESS,X.X.X.X,X.X.X.X
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 3'