newspaint

Documenting Problems That Were Difficult To Find The Answer To

Creating a Client Certificate for Android CyanogenMod OpenVPN

I got the OpenVPN client on the CyanogenMod 7.1.0-RC1 build working between my HTC Desire Z and a Debian virtual server running OpenVPN. I used the tun interface type with TCP as the transport.

Packing Up the Client Key and CA Certificate in One Bundle

After following the instructions on Ubuntu’s OpenVPN page and creating brand new certificates and keys in /etc/openvpn/easy-rsa/keys, I needed a way of combining the CA (certificate authority) certificate and the client key into one file. Android will not let you install a client key on its own; it requires a PKCS#12 bundle.

So with the CA certificate, client key, and client certificate ready to go, I needed the following command:

cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out pkcs.p12 -name "My OpenVPN Key"

Then I copied pkcs.p12 to the SD card on the phone.

Issues

One issue I had getting OpenVPN to work was that I was seeing the following log entries on the OpenVPN server:

Jul 29 15:05:23 myhost ovpn-server[24069]: TCP connection established with [AF_INET]x.x.x.x:pppp
Jul 29 15:05:23 myhost ovpn-server[24069]: TCPv4_SERVER link local: [undef]
Jul 29 15:05:23 myhost ovpn-server[24069]: TCPv4_SERVER link remote: [AF_INET]x.x.x.x:pppp
Jul 29 15:05:24 myhost ovpn-server[24069]: x.x.x.x:pppp TLS: Initial packet from [AF_INET]x.x.x.x:pppp, sid=8d42ad65 80905340
Jul 29 15:05:25 myhost ovpn-server[24069]: x.x.x.x:pppp Connection reset, restarting [0]
Jul 29 15:05:25 myhost ovpn-server[24069]: x.x.x.x:pppp SIGUSR1[soft,connection-reset] received, client-instance restarting

Basically this meant that the server was rejecting the initial TLS packet; in other words, the certificate from the client was not matching the certificate on the server.

When I finally updated the server configuration to use the correct Certificate Authority (ca) certificate (ca.crt), I got a log more like:

Jul 29 15:29:24 myhost ovpn-server[24606]: x.x.x.x:pppp TLS: Initial packet from [AF_INET]x.x.x.x:pppp, sid=9024cacf b8549982
Jul 29 15:29:28 myhost ovpn-server[24606]: x.x.x.x:pppp VERIFY OK: depth=1, /C=GB/ST=England/L=London/O=Me_Limited/CN=Me_Limited_CA/emailAddress=notmyemail@mailinator.com
Jul 29 15:29:28 myhost ovpn-server[24606]: x.x.x.x:pppp VERIFY OK: depth=0, /C=GB/ST=England/L=London/O=Me_Limited/CN=client/emailAddress=notmyemail@mailinator.com
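As an added example (not from the original post), here is a small Python script that applies the same triage to server log lines at scale: it groups ovpn-server messages by the client ip:port prefix and reports, per client, whether the handshake reached VERIFY OK (and which CA and client CN were accepted) or was reset before any certificate verified. The sample log is constructed from the two excerpts above, with the redacted x.x.x.x:pppp replaced by made-up endpoints so the two sessions can be told apart.

```python
import re

# Constructed sample log: the two excerpts from the post, with the redacted
# x.x.x.x:pppp peer replaced by two made-up endpoints (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jul 29 15:05:24 myhost ovpn-server[24069]: 198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234, sid=8d42ad65 80905340
Jul 29 15:05:25 myhost ovpn-server[24069]: 198.51.100.7:51234 Connection reset, restarting [0]
Jul 29 15:05:25 myhost ovpn-server[24069]: 198.51.100.7:51234 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jul 29 15:29:24 myhost ovpn-server[24606]: 198.51.100.7:51301 TLS: Initial packet from [AF_INET]198.51.100.7:51301, sid=9024cacf b8549982
Jul 29 15:29:28 myhost ovpn-server[24606]: 198.51.100.7:51301 VERIFY OK: depth=1, /C=GB/ST=England/L=London/O=Me_Limited/CN=Me_Limited_CA/emailAddress=notmyemail@mailinator.com
Jul 29 15:29:28 myhost ovpn-server[24606]: 198.51.100.7:51301 VERIFY OK: depth=0, /C=GB/ST=England/L=London/O=Me_Limited/CN=client/emailAddress=notmyemail@mailinator.com
"""

# syslog prefix, then the "ip:port" OpenVPN prepends to each per-client message
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ovpn-server\[\d+\]: "
                     r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
VERIFY_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), (?P<dn>.*)$")
CN_RE = re.compile(r"/CN=([^/]+)")

def triage(log_text):
    """Classify each client handshake in an OpenVPN server log by peer ip:port.

    Result per peer: "verified" with ca_cn/client_cn, "handshake_failed" when the
    connection was reset before any VERIFY OK (the CA-mismatch symptom above), or
    "in_progress" if neither outcome was logged."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a peer prefix (link local/remote etc.) are skipped
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            sessions[peer] = {"status": "in_progress"}
            continue
        s = sessions.get(peer)
        if s is None:
            continue  # message for a session whose start we did not see
        v = VERIFY_RE.match(msg)
        if v:
            cn = CN_RE.search(v.group("dn"))
            key = "client_cn" if v.group("depth") == "0" else "ca_cn"  # depth 0 = client cert
            s[key] = cn.group(1) if cn else v.group("dn")
            if key == "client_cn":
                s["status"] = "verified"
        elif msg.startswith("Connection reset") and s["status"] != "verified":
            s["status"] = "handshake_failed"
    return sessions
```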

NAT/Masquerade to the Internet

If somewhere in your /etc/openvpn/server.conf there is an entry like server 10.99.0.0 255.255.255.0, then you’ll likely want to allow VPN clients (like the phone) out to the Internet. If the Internet is attached to interface eth0, then add the following lines to your /var/lib/iptables/active file:

*nat
[0:0] -A POSTROUTING -o eth0 -s 10.99.0.0/24 -j MASQUERADE
