I got the OpenVPN client on the CyanogenMod 7.1.0-RC1 build working between my HTC Desire Z and a Debian virtual server running OpenVPN. I used the tun interface type with TCP as the transport.
Packing Up the Client Key and CA Certificate in One Bundle
After following the instructions on Ubuntu's OpenVPN page and creating brand new certificates/keys in /etc/openvpn/easy-rsa/keys, I needed a way of combining the CA (certificate authority) certificate, the client certificate and the client key into one file. Android will not let you install a client key on its own; it requires a PKCS#12 bundle.
So with the CA certificate, client key, and client certificate ready to go, I needed the following command:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out pkcs.p12 -name "My OpenVPN Key"
openssl prompts for an export password when it writes the bundle, and Android asks for that same password when you import it. Then copy pkcs.p12 to the SD card on the phone.
One issue that I had trying to make OpenVPN work was that I was observing the following log entries from the OpenVPN server:
Jul 29 15:05:23 myhost ovpn-server: TCP connection established with [AF_INET]x.x.x.x:pppp
Jul 29 15:05:23 myhost ovpn-server: TCPv4_SERVER link local: [undef]
Jul 29 15:05:23 myhost ovpn-server: TCPv4_SERVER link remote: [AF_INET]x.x.x.x:pppp
Jul 29 15:05:24 myhost ovpn-server: x.x.x.x:pppp TLS: Initial packet from [AF_INET]x.x.x.x:pppp, sid=8d42ad65 80905340
Jul 29 15:05:25 myhost ovpn-server: x.x.x.x:pppp Connection reset, restarting 
Jul 29 15:05:25 myhost ovpn-server: x.x.x.x:pppp SIGUSR1[soft,connection-reset] received, client-instance restarting
Basically this meant that the server was rejecting the initial TLS packet: the certificate presented by the client could not be verified against the CA certificate the server was configured with, so the handshake was dropped and the connection reset.
When I finally updated the server configuration to use the correct Certificate Authority (CA) certificate (ca.crt), I got a log more like:
Jul 29 15:29:24 myhost ovpn-server: x.x.x.x:pppp TLS: Initial packet from [AF_INET]x.x.x.x:pppp, sid=9024cacf b8549982
Jul 29 15:29:28 myhost ovpn-server: x.x.x.x:pppp VERIFY OK: depth=1, /C=GB/ST=England/L=London/O=Me_Limited/CN=Me_Limited_CA/emailAddress=firstname.lastname@example.org
Jul 29 15:29:28 myhost ovpn-server: x.x.x.x:pppp VERIFY OK: depth=0, /C=GB/ST=England/L=London/O=Me_Limited/CN=client/emailAddress=email@example.com
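The two log excerpts above show the pattern to watch for on the server: a "TLS: Initial packet" followed by "Connection reset" with no "VERIFY OK: depth=0" in between means a client whose certificate does not verify against the server's ca.crt, whether through misconfiguration (as here) or because the client is not one of yours. The following is an added example, not code from the original post, that classifies each TLS session in an ovpn-server log by that rule; the sample log is constructed from the post's lines with documentation-range peer addresses standing in for x.x.x.x:pppp.

```python
import re
from collections import OrderedDict

# Constructed sample: the failing and succeeding sessions from the post,
# with 203.0.113.10 (a documentation address) in place of x.x.x.x.
SAMPLE_LOG = """\
Jul 29 15:05:23 myhost ovpn-server: TCP connection established with [AF_INET]203.0.113.10:51234
Jul 29 15:05:24 myhost ovpn-server: 203.0.113.10:51234 TLS: Initial packet from [AF_INET]203.0.113.10:51234, sid=8d42ad65 80905340
Jul 29 15:05:25 myhost ovpn-server: 203.0.113.10:51234 Connection reset, restarting
Jul 29 15:05:25 myhost ovpn-server: 203.0.113.10:51234 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jul 29 15:29:24 myhost ovpn-server: 203.0.113.10:51300 TLS: Initial packet from [AF_INET]203.0.113.10:51300, sid=9024cacf b8549982
Jul 29 15:29:28 myhost ovpn-server: 203.0.113.10:51300 VERIFY OK: depth=1, /C=GB/O=Me_Limited/CN=Me_Limited_CA
Jul 29 15:29:28 myhost ovpn-server: 203.0.113.10:51300 VERIFY OK: depth=0, /C=GB/O=Me_Limited/CN=client
"""

# Per-session lines carry "ip:port" right after the program name; link-local
# and "TCP connection established" lines do not and are ignored.
PEER_LINE = re.compile(r"ovpn-server: (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
VERIFY_OK = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), (?P<dn>\S+)")


def summarise_handshakes(log_text):
    """Return {peer: (outcome, client_cn)} for every TLS session in the log.

    outcome is 'verified' when a depth=0 VERIFY OK followed the initial packet,
    'reset_before_verify' when the connection reset first (the CA-mismatch
    symptom), or 'incomplete' when the log ends without either.
    """
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = PEER_LINE.search(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            sessions[peer] = ["incomplete", None]  # a new handshake attempt
            continue
        if peer not in sessions:
            continue
        v = VERIFY_OK.match(msg)
        if v and v.group("depth") == "0":  # leaf certificate chained to the CA
            cn = re.search(r"/CN=([^/]+)", v.group("dn"))
            sessions[peer] = ["verified", cn.group(1) if cn else None]
        elif msg.startswith("Connection reset") and sessions[peer][0] == "incomplete":
            sessions[peer][0] = "reset_before_verify"
    return {peer: tuple(state) for peer, state in sessions.items()}


def unverified_peers(log_text):
    """Peers that reset before any certificate verified; worth alerting on."""
    return [p for p, (outcome, _) in summarise_handshakes(log_text).items()
            if outcome == "reset_before_verify"]
```

Running it over a live log with `summarise_handshakes(open("/var/log/syslog").read())` gives one entry per client session, so a burst of `reset_before_verify` results from one address stands out from the verified ones.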
NAT/Masquerade to the Internet
If, somewhere in your /etc/openvpn/server.conf, there is an entry like server 10.99.0.0 255.255.255.0 then you'll likely want to enable the VPN user (like the phone) to get out into the Internet. The server also needs IP forwarding turned on (net.ipv4.ip_forward = 1), or it will not route the phone's packets at all. If the Internet is attached to interface eth0 then add the following rule to your iptables nat table (the line is in iptables-save format):
[0:0] -A POSTROUTING -o eth0 -s 10.99.0.0/24 -j MASQUERADE