Hey guys,
I have successfully installed OpenVPN on my SGS I9000. Establishing a connection to the OpenVPN Server is no problem, but after this the traffic isn't routed through the VPN-connection and I don't know why
OpenVPN config:
Code:
client
dev tun
proto udp
remote 193.197.62.35 1195
remote 193.197.62.35 1196
remote 193.197.62.35 1197
remote 193.197.62.35 1198
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca dhbw-openvpnca.txt
comp-lzo
verb 3
auth-user-pass
Can someone help me please?
Does nobody have an idea?
Hi
I'm using openvpn in tap mode, I had problems trying to set it up as tun. This is how the server is configured:
Code:
port 1194
proto udp
dev tap
dev-node tap-bridge
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
dev-node tap-bridge
server-bridge 10.0.0.1 255.255.255.0 10.0.0.192 10.0.0.255
push "redirect-gateway def1"
keepalive 15 90
comp-lzo
persist-key
persist-tun
Modify server-bridge according to your local network configuration.
I excluded all certificate configuration
In addition to this I change the DNS after the VPN starts, otherwise I can't browse the internet. If you just need to connect to your local network the this is not required.
Client config is as follows:
Code:
client
dev tap
<connection>
remote VPN_IP 1194 udp
</connection>
nobind
user nobody
group nobody
persist-key
persist-tun
ca /sdcard/ca.crt
cert /sdcard/android.crt
key /sdcard/android.key
ns-cert-type server
tls-auth /system/etc/openvpn/ta.key 1
comp-lzo
Trouble routing traffic through OpenVPN
I have the same problem and need help resolving it. I use Samsung Infuse 4G, rooted, with the "Infused ROM" installed. I also installed OpenVPN by using "OpenVPN Installer" and use "OpenVPN Settings" for my connection settings. Everything seems to be nice and smooth. One thing I found is that on the Infused ROM, tun.ko that sits in /system/lib/modules does not work, but there is another one in /lib/modules/ which does work. Also, OpenVPN Settings inserts tun.ko module by using insmod, not modeprobe. If I tried to use modeprobe option, it is not working.
Anyway...
My OpenVPN connects without problems to my Tomato router at home. The problem is, that it does not route any traffic though the VPN tunnel. Any browsing that I do, I do outside of VPN, which is not what I expected.
I would appreciate any help with this.
The purpose of this post is to explain how to tether with openvpn, which will hopefully avoid ATT's all seeing eyes, as well as prevent any detection during tethering.
All ATT will ever see is encrypted traffic between a connection that is initiated from my phone and ends at my vpn server. So the only way they would be able to determine if you are tethering, is if they are spying on you ala CIQ directly on your device, or your device phones home and tattles on you. That would open up a different can of worms and a **** storm would ensue.
This method requires a number of things.
* Openvpn server (preferably running on a static address, but will work with dynamic DNS services) with a reliable connection. I use a VPS server for $25 a month, but it is fast and reliable.
* Openvpn on your phone (any will work as long as it has the tun driver or tun built into the kernel(
* Some sort of gateway (your openvpn server can be running on it as well, or a seperate host), I use Freebsd/Openbsd. For linux, your on your own to figure out NAT and gateway functions.
Really, that is about it.
My Openvpn server config, you can set it up any way you like, but certain statements are required, specifically those in the hashed out box if you want your subnets to talk to each other, and route the traffic
Code:
port ****
proto tcp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vps.server.crt
key /usr/local/etc/openvpn/keys/vps.server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.150.0 255.255.255.0
ifconfig-pool-persist ipp.txt
mode server
client-to-client
client-config-dir ccd
###############################################
# my phone and home subnets, can be any RFC1918 address space
# Advertise and note your home subnets in this section, unless you
# do not want the various subnets to talk to each other, then you
# can also remove the client-to-client statements
###############################################
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
route 192.168.43.0 255.255.255.0
###############################################
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
My client config on my phone (change the remote statement to match your openvpn server host and port)
Code:
client
proto tcp
dev tun
remote vpn.example.com 1234
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
/usr/local/etc/openvpn/ccd is where I have my client specific configs (match the location to that identified in the server.conf file for your vpn server). I also use certificates unique to each host that connects to my vpn, the names of the files in the "ccd" directory must match the name you gave the device when you created your certificates. I use easy-ssl to manage my certs.
for my phone, which I named "galaxy_s" I have the following (note the DNS option is optional, I was having problems with it so I just hardcoded 8.8.8.8, googles dns server into my network settings on my laptop)
/usr/local/etc/openvpn/ccd/galaxy_s
The iroute statement just tells the openvpn server what subnets you have behind your device, in this case the phone. I am guessing all of the android phones use 192.168.43.x as the NAT'd subnet, otherwise change it to whatever your phone is assigning.
Code:
push "redirect-gateway"
push "dhcp-option DNS 192.168.15.1"
iroute 192.168.43.0 255.255.255.0
The rest of the configurations are related to your primary gateway, which in my case also runs the openvpn server. I am using freebsd and pf, the configs needed for that are essentially natting statements, and firewall rules.
for pf, the following rules are what I use
I also trust all the traffic on my tun0 device, so I told pf to ignore it and pass all traffic
Code:
nat on $int from 192.168.150.0/24 to any -> $int/32
nat on $int from 192.168.43.0/24 to any -> $int/32
set skip on tun0
Hopefully this is useful to other folks, if not, let it be buried
THanks for an EXCELLENT guide!
Quick question. When I use this server conf file, my ssh on my local network hangs up and goes down.
In other words:
I am running openvpn on a home linux server. It is connected through a home router to the internet and has a network set up at 192.168.1.0.
Router is 192.168.1.1,
vpn server is on 192.168.1.51.
If I start openvpn, I cannot ssh from a local network (192.168.1.81) laptop. If I turn off openvpn I can. I changed your 192.168.15.0 addresses in server conf file to 192.168.1.0. I have a feeling it has to do with that.
Well, yes, you will need to modify the configs to suit your own address scheme. As for why you cannot ssh, I am not sure, is that .81 device on the same network as the openvpn server, or are you coming from a different network.
My setup has the gateway the same as the openvpn server simply due to the fact that I am using a Virtual Private Server (VPS) and I only have that as the 1 external static system.
I would check the route statements, I'm not sure, but you might have a routing loop that would be causing the problem, can you traceroute or ping, or use any other protocol/application to see if you can connect). If you set the default gateway of the openvpn server as the .1 address, and then you are trying to connect to another internal address, the .81, when you ssh from whatever device is connected to the openvpn server, it may attempt to connect to the gateway at .1 and then return back into your network to .81.
I could be wrong, it is hard to tell when you are not sitting at the actual systems.
Got it to work! Here's some tips for others
Thanks again for your help jvanbrecht. Last night I was able to sit down, get a better understanding of how it worked via openvpn's HOWTO, and get it running.
I did need to make a few mods for it to work in my configuration (as is expected since very few network configs are the same).
My configuration:
Single home network, say on 192.168.15.0.
Single router, at 192.168.15.1.
Home server hosting VPN on 192.168.15.51. It is running Ubuntu Maverick.
Skyrocket on subnet 192.168.43.0
My modifications:
Since I don't need direct access between VPN clients and my home subnetwork, in the server config I commented out:
Code:
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
It was giving me some problems SSHing into my home server from a local network machine so this was the quick fix.
Initially it wasn't routing ALL traffic, just that directed from VPN client to the VPN server. So I added this to the server conf:
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.150.1"
In my home (tomato) router, I just port forwarded any TCP traffic on 1194 to the home server (192.168.15.51)
I think openvpn does this already. But just in case, I added an iptable nat entry to forward packet from VPN network to eth0 (my NIC). As root:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And I added the following entry to /etc/rc.local so it persists on restart.
Code:
iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -o eth0 -j MASQUERADE
Some debugging tips for others
Simplest way to verify HTTP traffic is being forwarded is, after connecting to vpn from phone, go to www.whatismyip.com. Make sure it matches your phone.
If you are having trouble connecting to the VPN, watch the openvpn log for errors. "tail -f /var/log/openvpn/openvpn.conf"
After connecting, make sure you can ping from your home server to the phone.
From Server: "ping 192.168.150.10"
From Phone: Open Terminal Emulator and type "ping 192.168.150.1"
You can also validate the traffic is forwarding through VPN by using traceroute. You can test both forwarding and DNS
From Phone: Open Terminal Emulator, type
Code:
su
For no-DNS test first:
Code:
traceroute 74.125.115.104
For DNS test:
Code:
traceroute www.google.com
For each, do your tests on the cell network (NOT home wifi) and verify that the route passes through your vpn server and doesn't bypass it completely.
Lastly to make sure traffic is being piped, you can monitor VPN traffic from your openvpn server by typing:
Code:
tcpdump -i tun0
jvanbrecht:
Do you have any recommendations about dropped connections? I noticed while testing that sometimes my openvpn connection would drop and my phone browsing would immediately default to the direct default cell provider connection.
Of course if tethering, this could be very bad.
Any tips on ensuring that if VPN is enabled, but no connection, that it won't ever try and route around it?
would using any vpn do the same thing? or something making this special ? any one tested this ?
It's been a few weeks since I tried the openvpn app. Back then everything seemed to be working well. But I tried again today and am having problems.
- I can access everything fine via vpn if my phone is connected to my local wifi where the vpn server resides.
- I can access IP addresses (e.g. the ip address of google.com) if connected to vpn via AT&T's 3G network
- I CANNOT access websites by their name (e.g. www.google.com) anymore.
It seems the DNS forwarding over VNC is messed up. Any tips on what the problem could be?
I still have the same settings as above, e.g. push "dhcp-option DNS 192.168.150.1"
Is it possible I need to do any additional configuration on my phone?
Is it possible to replace my router DNS address with a public one like google's "8.8.8.8" or "4.2.2.2"?
Any tips greatly appreciated!
Deleted. Please ignore. Still having issues.
So I had the opportunity to play around with my config (listed above) a bit more this evening. I was at a location where I had good external WiFi (Panera) along with 3G.
If I connect from my phone to my home VPN server over EXTERNAL WIFI (Panera), I have no problems with VPN. everything works flawlessly.
If I connect from my phone to my home VPN server over AT&T 3G network, it fails. Essentially it can't resolve any DNS queries. I can type in a website's IP address and surf that way, but I can't say type in "www.cnn.com" and get a page to load.
For the latter, when I watch the web queries using "tcpdump -i tun0", I see the requests go out from my phone to the websites, but they don't come back. For example, I see:
"192.168.150.10 > a.b.c.d (www.cnn.com)",
but I don't see:
"a.b.c.d (www.cnn.com) > 192.168.150.10"
Is it possible that AT&T is somehow blocking VPN via DNS? At first I thought my openvpn dns settings were messed up ... but it works across external wifi no problem.
---------- Post added at 01:24 AM ---------- Previous post was at 01:07 AM ----------
For those that are interested in the future, I think I narrowed down the issue:
It seems VPN connectivity is dependent on the AT&T Access Point Network (APN)
By default for my Skyrocket I was on the AT&T PTA APN wit settings:
Code:
APN: pta
MMSC: http://mmsc.mobile.att.net
MMS proxy: proxy.mobile.att.net
MMS Port: 80
...
I then switched to what is called the "AT&T Expanded" APN with settings:
Code:
APN: wap.cingular
User Name: [email protected]
(rest of settings somewhere here on xda ...)
... and that one worked perfectly.
I switched back and forth a few tiimes to confirm. It seems on pta, I can't resolve DNS over VPN. For the wap.cingular, I have no problems.
Anyone else can confirm this is most likely the issue I am seeing and that it can possibly make sense?
I suspect I'm not the only person with a wired network adapter - and some of us may be trying to do things like configure routers, etc, where there's no active DHCP server.
I was in this situation a couple of days ago, configuring a dd-wrt box with DHCP turned off.
The best how-to I found was at this entry at HeadlessAndroid
This could be "old hat" to everybody here (other than me), but, for most of my android devices, if I'm in the terminal, I'm connected via "adb terminal" so I've never needed to do this - and ifcfg does not work the way I'd have expected.
Hope this helps someone...
Networking on a Headless Android System
Android isn't the most intuitive environment for setting up networking on the command line. After playing with several different options here's what I've found.
Summary
# netcfg eth0 dhcp
# route add default gw 192.168.0.1 dev eth0
# setprop net.dns1 208.67.222.222
# setprop net.dns2 208.67.222.220
Details
The Android tools are quite different from the tools found on other embedded Linux systems, so most people I've talked to have had difficulty figuring out what utilities to use and how to use them. The most interesting one is ifconfig. When you type ifconfig on an Android system nothing happens. On a standard busybox or gnu based Linux system you will see the available networking interfaces and their associated settings (ok, technically ifconfig -a will show you that information). Since ifconfig doesn't show anything, most people assume (incorrectly) that it doesn't work.
On my development platform, to set a static IP address, I did the following:
# ifconfig eth0 192.168.0.84 netmask 255.255.255.0
Which didn't give any response, but DID show the following when I did netcfg.
# netcfg
lo UP 127.0.0.1 255.0.0.0 0x00000049
eth0 UP 192.168.0.84 255.255.255.0 0x00001043
usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002
tunl0 DOWN 0.0.0.0 0.0.0.0 0x00000080
gre0 DOWN 0.0.0.0 0.0.0.0 0x00000080
sit0 DOWN 0.0.0.0 0.0.0.0 0x00000080
So what about DHCP you may ask?
# netcfg eth0 dhcp
Which yields the following.
# netcfg
lo UP 127.0.0.1 255.0.0.0 0x00000049
eth0 UP 192.168.0.227 255.255.255.0 0x00001043
usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002
tunl0 DOWN 0.0.0.0 0.0.0.0 0x00000080
gre0 DOWN 0.0.0.0 0.0.0.0 0x00000080
sit0 DOWN 0.0.0.0 0.0.0.0 0x00000080
Just because you have an IP address now doesn't mean the applications on your Android device can get to the network. For that you have to set a default route and set the DNS resolver addresses. Again, with route keep in mind it won't show the usual output that a standard busybox or gnu based embedded Linux system would show.
To set the default route:
# route add default gw 192.168.0.1 dev eth0
And to set the DNS (I'm using OpenDNS addresses here):
# setprop net.dns1 208.67.222.222
# setprop net.dns2 208.67.222.220
And that allows the holy grail of a DNS resolved ping to a domain on the Internet.
# ping google.com
PING google.com (74.125.224.134) 56(84) bytes of data.
64 bytes from nuq04s09-in-f6.1e100.net (74.125.224.134): icmp_seq=1 ttl=57 time=41.5 ms
64 bytes from nuq04s09-in-f6.1e100.net (74.125.224.134): icmp_seq=2 ttl=57 time=43.2 ms
References
I found some great information in the following links.
http://www.anddev.org/advanced_networking_with_android-linux-t155.html
http://elinux.org/Android_Networking
Click to expand...
Click to collapse
I'm trying to set up a lollipop-TV-box with wlan and lan adapter as a router the way I did it with a Linux-box, but it doesn't work
I tried it the Linux-way on a linux-Machine with a shell-script. The wlan-net is 192.168.0.x the lan is 192.168.1.x. The wlan-ip in the Android/Linux router is 192.168.0.13 the lan in the same device is 192.168.1.2, the connected lan-client-ip is 192.168.2.4
the routing is Internet-(Wifi)-Gateway 192.168.0.1->Android/Linux-Box 192.168.0.13/192.168.1.2->192.168.2.4 and vice-versa
on lan-client:
ip route:
default via 192.168.1.2 dev eth0 proto static metric 1024
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4
on Android/Linux-Router
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.13 metric 600
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 100
I also enabled forwarding and set the forward-tables with iptables
With the Linux-Box as a router everything works like a charm, with Android not, when I ping the lan-ip of the client from the Android box (ping 192.168.1.4) the reply is network unreachable from the external internet-server
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
From 84.116.198.82: icmp_seq=7 Destination Net Unreachable
From 84.116.198.82: icmp_seq=8 Destination Net Unreachable
From 84.116.198.82: icmp_seq=17 Destination Net Unreachable
I have to specify the interface with ping -I eth0 192.168.1.4, then it works, although this should already be specified by the local routes, like if the local request is routed over the public gateway. Looks like in Android the local routing is overriden by a hidden route to the default gateway.
So, what is the difference?
Hello there!
I have android 10 based device and I have troubles with configuring usbnet device automatically.
I've modified kernel config, added `CONFIG_USB_USBNET=y` etc. Now I have usb0 device, and I can assign ip and routing to it, but it seems that there is another layer of networking setup in android: utility named ndc.
I tried next script:
```
ip link set usb0 up
ip addr add 192.168.1.2/24 dev usb0
ndc network create 101
ndc network interface add 101 usb0
ndc network route add 101 usb0 192.168.1.0/24
ndc network default set 101
```
Now I can ping device on the other side of usb0 interface but I'm losing wlan0 connection. Sure I can do next:
```
ndc network interface add 101 wlan0
ndc network route add 101 wlan0 0.0.0.0/0 10.0.0.1
ndc resolver setifdns wlan0 8.8.8.8 8.8.4.4
```
I also tried to modify default ROM:
uncomment in frameworks/base/core/res/res/values/config.xml
```
<string translatable="false" name="config_usb_ethernet_iface_regex">usb\\d</string>
<!-- Configuration of Ethernet interfaces in the following format:
<interface name|mac address>;[Network Capabilities];[IP config];[Override Transport]
Where
[Network Capabilities] Optional. A comma seprated list of network capabilities.
Values must be from NetworkCapabilities#NET_CAPABILITIES_* constants.
[IP config] Optional. If empty or not specified - DHCP will be used, otherwise
use the following format to specify static IP configuration:
ip=<ip-address/mask> gateway=<ip-address> dns=<comma-sep-ip-addresses>
domains=<comma-sep-domains>
[Override Transport] Optional. An override network transport type to allow
the propagation of an interface type on the other end of a local Ethernet
interface. Value must be from NetworkCapabilities#TRANSPORT_* constants. If
left out, this will default to TRANSPORT_ETHERNET.
-->
<string-array translatable="false" name="config_ethernet_interfaces">
<!--
<item>eth1;12,13,14,15;ip=192.168.0.10/24 gateway=192.168.0.1 dns=4.4.4.4,8.8.8.8</item>
<item>eth2;;ip=192.168.0.11/24</item>
<item>eth3;12,13,14,15;ip=192.168.0.12/24;1</item>
-->
<item>usb0;13,14,15;ip=192.168.1.2/24;8</item> #this line
</string-array>
```
But no luck usb0 interface remain unconfigured after boot.
After that I can ping both usb0 peer and wlan0 direct gateway but default route(0.0.0.0/0) not working. Don't understand why...
In general, I have 2 questions:
1. how to automate IP configuration for usb0 network in time of building ROM?
2. how to make usb0 and wlan0 play well together? Ideally without creating new network via ndc etc.
Are there any manuals about network configuration?
swexru said:
Hello there!
I have android 10 based device and I have troubles with configuring usbnet device automatically.
I've modified kernel config, added `CONFIG_USB_USBNET=y` etc. Now I have usb0 device, and I can assign ip and routing to it, but it seems that there is another layer of networking setup in android: utility named ndc.
I tried next script:
```
ip link set usb0 up
ip addr add 192.168.1.2/24 dev usb0
ndc network create 101
ndc network interface add 101 usb0
ndc network route add 101 usb0 192.168.1.0/24
ndc network default set 101
```
Now I can ping device on the other side of usb0 interface but I'm losing wlan0 connection. Sure I can do next:
```
ndc network interface add 101 wlan0
ndc network route add 101 wlan0 0.0.0.0/0 10.0.0.1
ndc resolver setifdns wlan0 8.8.8.8 8.8.4.4
```
I also tried to modify default ROM:
uncomment in frameworks/base/core/res/res/values/config.xml
```
<string translatable="false" name="config_usb_ethernet_iface_regex">usb\\d</string>
<!-- Configuration of Ethernet interfaces in the following format:
<interface name|mac address>;[Network Capabilities];[IP config];[Override Transport]
Where
[Network Capabilities] Optional. A comma seprated list of network capabilities.
Values must be from NetworkCapabilities#NET_CAPABILITIES_* constants.
[IP config] Optional. If empty or not specified - DHCP will be used, otherwise
use the following format to specify static IP configuration:
ip=<ip-address/mask> gateway=<ip-address> dns=<comma-sep-ip-addresses>
domains=<comma-sep-domains>
[Override Transport] Optional. An override network transport type to allow
the propagation of an interface type on the other end of a local Ethernet
interface. Value must be from NetworkCapabilities#TRANSPORT_* constants. If
left out, this will default to TRANSPORT_ETHERNET.
-->
<string-array translatable="false" name="config_ethernet_interfaces">
<!--
<item>eth1;12,13,14,15;ip=192.168.0.10/24 gateway=192.168.0.1 dns=4.4.4.4,8.8.8.8</item>
<item>eth2;;ip=192.168.0.11/24</item>
<item>eth3;12,13,14,15;ip=192.168.0.12/24;1</item>
-->
<item>usb0;13,14,15;ip=192.168.1.2/24;8</item> #this line
</string-array>
```
But no luck usb0 interface remain unconfigured after boot.
After that I can ping both usb0 peer and wlan0 direct gateway but default route(0.0.0.0/0) not working. Don't understand why...
In general, I have 2 questions:
1. how to automate IP configuration for usb0 network in time of building ROM?
2. how to make usb0 and wlan0 play well together? Ideally without creating new network via ndc etc.
Are there any manuals about network configuration?
Click to expand...
Click to collapse
Note: Questions go in Q&A Forum
If you are posting a Question Thread post it in the Q&A forum. Technical discussion of Android development and hacking. No noobs, please. Device-specific releases should go under the appropriate device forum...
forum.xda-developers.com