openVPN with Android

Connecting a Samsung Galaxy (stock firmware 4.x, rooted) to OpenVPN in bridge mode (dev tap).

Packages installed from the Google Market:

  • Busybox (Stephen Stericson)
  • openVPN Installer (Friedrich Schäuffelhut)
  • openVPN Settings (Friedrich Schäuffelhut)
  • SuperSU (ChainsDD)
  • QuickSSHD (optional; provides the SSH console used below)


1. Busybox Installer, install to:

/system/xbin/busybox

2. OpenVPN Installer, install to:

/system/xbin/openvpn

3. ifconfig and route, symlink check:

After installing Busybox, the paths for the "ifconfig" and "route" commands must be right! The log further down shows OpenVPN invoking both through /system/xbin/busybox, so both names must resolve to that binary.

On my Android's SSH console this looks as follows:

root@android:/system/xbin # ls -la ifconfig
lrwxrwxrwx    1 0        0               20 Jan 31 15:22 ifconfig -> /system/xbin/busybox

root@android:/system/xbin # ls -la route
lrwxrwxrwx    1 0        0               20 Jan 31 15:22 route -> /system/xbin/busybox


4. Copy the OpenVPN configuration and certificates to the mobile device (/sdcard/openvpn). Note in the listing that the client's private key GalaxyS2.key ends up world-readable: the FAT-backed sdcard gives every file mode 775 with owner 1000/1015, so any app that can read external storage can copy the key and authenticate as this client.

root@android:/ # ls -la /sdcard/openvpn/
total 224
drwxrwxr-x    2 1000     1015         32768 Jan 31 15:24 .
drwxrwxr-x   32 1000     1015         32768 Jan 31 16:25 ..
-rwxrwxr-x    1 1000     1015          5963 Jan 31 16:10 openvpn.log
-rwxrwxr-x    1 1000     1015           467 Jan 31 15:26 openvpn.ovpn
-rwxrwxr-x    1 1000     1015          4057 Aug 20  2011 GalaxyS2.crt
-rwxrwxr-x    1 1000     1015           887 Aug 20  2011 GalaxyS2.key
-rwxrwxr-x    1 1000     1015          1428 Aug 20  2011 ca.crt
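An added preflight check for steps 1 to 4 (example code written for this page, not part of the original post or of the OpenVPN Settings app): it verifies the two binaries, the ifconfig/route symlinks, the files under /sdcard/openvpn and the permissions of the client key. The filesystem root is a parameter so the same checks can be run against a staging copy of the tree; file names and paths are the ones used in this post, and the private-key check deliberately fails for a key stored on the FAT-backed /sdcard.

```shell
#!/system/bin/sh
# Added example (not from the original post): preflight check for steps 1-4.
# Run in the root shell on the phone as:  sh preflight.sh /
# The first argument is the filesystem root, so the same checks can be run
# against a staging copy of the tree. Paths and file names are those used
# in this post.

# check_exec FILE: FILE must exist and be executable.
check_exec() {
    [ -x "$1" ] && return 0
    echo "missing or not executable: $1"
    return 1
}

# check_link LINK TARGET: LINK must be a symlink whose text is exactly TARGET
# (the log on this page shows OpenVPN calling /system/xbin/busybox ifconfig/route).
check_link() {
    link=$1
    target=$2
    if [ ! -L "$link" ]; then
        echo "$link is not a symlink"
        return 1
    fi
    dest=$(readlink "$link")
    if [ "$dest" != "$target" ]; then
        echo "$link -> $dest, expected $target"
        return 1
    fi
    return 0
}

# check_private_key FILE: FILE must exist and be unreadable by group and
# others. On the FAT-backed /sdcard every file is 775, so a key stored there
# fails this check by design; OpenVPN runs as root here, so the key can live
# in a root-only directory on the internal partition instead (assumption:
# such a directory is chosen by the reader; this post keeps it on /sdcard).
check_private_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing private key: $key"
        return 1
    fi
    perm=$(ls -l "$key" | cut -c1-10)
    case "$perm" in
        ????r*|???????r??)
            echo "$key is readable by group or others ($perm); restrict it to root"
            return 1 ;;
    esac
    return 0
}

# preflight ROOT: run all checks, print every finding, return 0 only if all pass.
preflight() {
    root=${1%/}
    ok=0
    check_exec "$root/system/xbin/busybox" || ok=1
    check_exec "$root/system/xbin/openvpn" || ok=1
    check_link "$root/system/xbin/ifconfig" /system/xbin/busybox || ok=1
    check_link "$root/system/xbin/route" /system/xbin/busybox || ok=1
    for f in openvpn.ovpn ca.crt GalaxyS2.crt; do
        [ -f "$root/sdcard/openvpn/$f" ] || { echo "missing $root/sdcard/openvpn/$f"; ok=1; }
    done
    check_private_key "$root/sdcard/openvpn/GalaxyS2.key" || ok=1
    return $ok
}

if [ "$#" -ge 1 ]; then
    preflight "$1" && echo "preflight OK"
fi
```

Every finding is printed and the exit status is non-zero if any check failed, so the script can be used both interactively and from a wrapper that refuses to start OpenVPN Settings on a broken setup.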


5. OpenVPN Settings

Prerequisites:

Check of functions and paths (Success!)

Advanced:

Path to configurations: /sdcard/openvpn

Path to openvpn binary: /system/xbin/openvpn

After setting up, i.e. selecting the *.ovpn configuration, logging can also be switched on in the settings of the connection.

Pushing the DNS server entry to the Android did not work for me, so I also entered the IP of the internal DNS server explicitly here; with that, name resolution works. The reason is that OpenVPN on Linux-based systems, this Android build included, does not apply pushed dhcp-option values itself: it only exports them to an --up script as foreign_option_N environment variables (the log below shows the two dhcp-option DNS entries arriving in the PUSH_REPLY), so without such a script the push has no effect.
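As an added example, not from the original post: the --up script that the paragraph above implies is missing. It reads the foreign_option_N variables OpenVPN exports for every pushed option, keeps only well-formed dhcp-option DNS addresses, and hands the first two to the resolver. The script name update-dns.sh, its location, and the use of the net.dns1/net.dns2 system properties on this Android 4.x build are assumptions of this example; the post's configuration already contains script-security 2, which --up needs.

```shell
#!/system/bin/sh
# Added example (not from the original post): an OpenVPN --up script that
# applies pushed "dhcp-option DNS <ip>" values. OpenVPN on Linux/Android does
# not apply these itself; it only exports every pushed option to the --up
# script as foreign_option_1, foreign_option_2, ... with values such as
# "dhcp-option DNS 192.168.0.1", and sets script_type=up when calling it.
# Assumed wiring in openvpn.ovpn (the post's config already has
# script-security 2, which --up requires):
#     up /sdcard/openvpn/update-dns.sh

# Accept only a plain dotted-quad IPv4 address: the pushed options come from
# the server, so a compromised server must not be able to inject shell text.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the DNS servers from foreign_option_N, one per line, in push order.
collect_pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ip=${opt#dhcp-option DNS }
                if valid_ipv4 "$ip"; then
                    printf '%s\n' "$ip"
                fi
                ;;
        esac
        i=$((i + 1))
    done
}

# Hand the first two servers to the resolver. Assumption: on this rooted
# Android 4.x the libc resolver reads the system properties net.dns1 and
# net.dns2 (newer Android releases manage DNS per network and ignore them);
# on a desktop Linux client you would rewrite /etc/resolv.conf here instead.
apply_dns() {
    n=1
    collect_pushed_dns | while read -r ip; do
        [ "$n" -le 2 ] || break
        setprop "net.dns$n" "$ip"
        n=$((n + 1))
    done
}

# Only act when OpenVPN actually invokes us as the up script.
if [ "${script_type:-}" = "up" ]; then
    apply_dns
fi
```

The same caveat as for the private key applies to the script itself: OpenVPN runs it as root, and on /sdcard any app with write access to external storage could replace it, so store it on the internal partition rather than next to the configuration.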

Contents of the OpenVPN configuration file (openvpn.ovpn). remote-cert-tls server is the option that makes the client check the server certificate's key usage and extended key usage (the VERIFY KU/EKU lines in the log below); without it, any certificate signed by the same CA, including another client's, could be used to impersonate the server. script-security 2 is what permits an --up script to run, should one be added.

client
pull
dev tap
proto tcp
remote myvpn.domain.net
port 443
remote-cert-tls server
script-security 2
redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
# certificates
ca ca.crt
cert GalaxyS2.crt
key GalaxyS2.key
cipher AES-256-CBC    # encryption
comp-lzo              # compression
auth SHA1             # HMAC authentication
verb 5                # log level: 0=off, default=1, up to 11
mute 20               # suppress repeated messages


Log file of the first successful connection. Worth noting: the VERIFY KU/EKU lines are the server-certificate checks required by remote-cert-tls server; the PUSH_REPLY carries two dhcp-option DNS entries that the client reports under OPTIONS IMPORT but never applies (see above); and the Control Channel line shows TLSv1 with a 1024-bit RSA server key, which together with auth SHA1 and comp-lzo in the configuration is below what current OpenVPN guidance recommends (TLS 1.2 or newer, 2048-bit or larger keys, SHA-256 or better, no data-channel compression).

Thu Jan 31 17:09:06 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:06 2013 VERIFY OK: depth=1, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Jan 31 17:09:06 2013 Validating certificate key usage
Thu Jan 31 17:09:06 2013 ++ Certificate has key usage  00a0, expects 00a0
Thu Jan 31 17:09:06 2013 VERIFY KU OK
Thu Jan 31 17:09:06 2013 Validating certificate extended key usage
Thu Jan 31 17:09:06 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 31 17:09:06 2013 VERIFY EKU OK
Thu Jan 31 17:09:06 2013 VERIFY OK: depth=0, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 31 17:09:07 2013 [myvpn.domain.net] Peer Connection Initiated with XXXXXXXXXXXXX:443
Thu Jan 31 17:09:08 2013 MANAGEMENT: >STATE:1359648548,GET_CONFIG,,,
Thu Jan 31 17:09:08 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:09 2013 SENT CONTROL [myvpn.domain.net]: 'PUSH_REQUEST' (status=1)
Thu Jan 31 17:09:09 2013 PUSH: Received control message: 'PUSH_REPLY,route X.X.X.X 255.255.255.0,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,dhcp-option DOMAIN domain.net,route-gateway X.X.X.X,ping 10,ping-restart 60,ifconfig X.X.X.X 255.255.255.0'
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: route options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: route-related options modified
Thu Jan 31 17:09:09 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 31 17:09:09 2013 ROUTE default_gateway=X.X.X.X
Thu Jan 31 17:09:09 2013 TUN/TAP device tap0 opened
Thu Jan 31 17:09:09 2013 TUN/TAP TX queue length set to 100
Thu Jan 31 17:09:09 2013 MANAGEMENT: >STATE:1359648549,ASSIGN_IP,,X.X.X.X,
Thu Jan 31 17:09:09 2013 /system/xbin/busybox ifconfig tap0 X.X.X.X netmask 255.255.255.0 mtu 1500 broadcast X.X.X.255
Thu Jan 31 17:09:09 2013 /system/xbin/busybox route add -net X.X.X.X netmask 255.255.255.255 gw X.X.X.X
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route add -net 0.0.0.0 netmask 0.0.0.0 gw X.X.X.X
Thu Jan 31 17:09:10 2013 MANAGEMENT: >STATE:1359648550,ADD_ROUTES,,,
Thu Jan 31 17:09:10 2013 /system/xbin/busybox route add -net 192.168.0.0 netmask 255.255.255.0 gw X.X.X.X
Thu Jan 31 17:09:10 2013 Initialization Sequence Completed
Thu Jan 31 17:09:10 2013 MANAGEMENT: >STATE:1359648550,CONNECTED,SUCCESS,X.X.X.X,X.X.X.X
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 0'
Thu Jan 31 17:09:10 2013 MANAGEMENT: CMD 'bytecount 3'
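As an added example (written for this page, not from the original post), a shell function that audits the parameters an OpenVPN client log says were negotiated. The thresholds are this example's own policy, not something OpenVPN enforces: TLS 1.2 or newer on the control channel, an RSA server key of at least 2048 bit, and a data-channel HMAC other than MD5 or SHA1. The first sample input is built from the handshake lines of the log above (masked values left as they are); the second is a constructed log of what a current setup would print.

```shell
#!/bin/sh
# Added example (not from the original post): audit the parameters that an
# OpenVPN client log says were negotiated. The relevant lines are
# "Control Channel: ..." (TLS version, cipher suite, server key size) and
# "Data Channel ...: Using N bit message hash '...' for HMAC authentication".

# Sample input: the handshake lines from the log on this page.
SAMPLE_LOG_2013=$(cat <<'EOF'
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jan 31 17:09:07 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 17:09:07 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 31 17:09:07 2013 [myvpn.domain.net] Peer Connection Initiated with XXXXXXXXXXXXX:443
EOF
)

# Constructed counter-example of what a current setup would log.
SAMPLE_LOG_OK=$(cat <<'EOF'
Mon Jan 01 00:00:00 2024 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 01 00:00:00 2024 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 01 00:00:00 2024 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
EOF
)

# audit_openvpn_log LOGTEXT: print one finding per line; return 0 when the
# log passes the policy (TLS >= 1.2, RSA >= 2048 bit, HMAC not MD5/SHA1),
# 1 otherwise.
audit_openvpn_log() {
    log=$1
    rc=0
    ctrl=$(printf '%s\n' "$log" | grep 'Control Channel:' | tail -n 1)
    if [ -z "$ctrl" ]; then
        echo "no 'Control Channel:' line: the TLS handshake never completed"
        return 1
    fi
    tls=$(printf '%s\n' "$ctrl" | sed -n 's/.*Control Channel: \(TLSv[0-9.]*\),.*/\1/p')
    case "$tls" in
        TLSv1|TLSv1.0|TLSv1.1)
            echo "control channel negotiated $tls; require TLSv1.2 or newer"
            rc=1 ;;
    esac
    bits=$(printf '%s\n' "$ctrl" | sed -n 's/.* \([0-9][0-9]*\) bit RSA.*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "server certificate key is $bits bit RSA; require 2048 bit or more"
        rc=1
    fi
    hmac=$(printf '%s\n' "$log" | sed -n "s/.*message hash '\([A-Za-z0-9]*\)' for HMAC.*/\1/p" | head -n 1)
    case "$hmac" in
        MD5|SHA1)
            echo "data channel HMAC uses $hmac; set auth SHA256 or better"
            rc=1 ;;
    esac
    return $rc
}

# Run against the page's log when executed directly.
audit_openvpn_log "$SAMPLE_LOG_2013" || echo "2013 setup: FAIL"
```

On the phone the same function can be pointed at /sdcard/openvpn/openvpn.log with audit_openvpn_log "$(cat /sdcard/openvpn/openvpn.log)"; the server key size it reports is the one from the server certificate, so a finding there has to be fixed on the server side.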