[Q] Connect to OpenVPN + pem certificate + tap device - General Questions and Answers

I want to connect my Android device (Nexus 7 2013) to an OpenVPN server which is not administered by me, meaning I have no access to the configuration.
On my Windows 7 PC, I do this with the Windows version of OpenVPN, the provided settings file for the OpenVPN server and the also provided PEM certificate.
Since the server uses the TAP device of OpenVPN, alternative clients like OpenVPN for Android by Arne Schwabe[1] don't work (this app doesn't support TAP).
Since I don't have a private key file (*.key), I cannot generate a p12 file[2] which could be imported by the official OpenVPN app[3].
The PEM file format is compatible with *.cer and *.crt, meaning I can simply change the file extension to "convert" them. The .crt file can be imported by the Android system (Security -> Import), but this doesn't help OpenVPN as it seems to only use its own certificates.
Any suggestions on how to achieve a successful connection?
[1]: play.google.com/store/apps/details?id=de.blinkt.openvpn
[2]: blog.max.berger.name/2010/01/pem-fromto-p12.html
[3]: play.google.com/store/apps/details?id=net.openvpn.openvpn
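Added example, not part of the original post: a small inspector that reports which objects a PEM file actually holds. Building a .p12 needs a private key next to the client certificate, and renaming .pem to .crt or .cer changes the extension but not the contents, so the useful check before trying the p12 route is what blocks the file contains. The sample bundles here are constructed in the code; their base64 payloads are placeholder bytes, not real certificates or keys.

```python
"""Inspect a PEM bundle and decide whether a PKCS#12 file can be built from it.
Added example; the SAMPLE_* bundles are constructed placeholders."""

import base64
import re
from collections import Counter
from typing import List, Tuple

# A PEM object is BEGIN/END armour carrying the same label on both ends.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def _fake_block(label: str, payload: bytes) -> str:
    """Build a syntactically valid PEM block around placeholder bytes."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed samples: what the asker has (certificate only) and what a p12 needs.
SAMPLE_CERT_ONLY = "# constructed sample, not a real bundle\n" + \
    _fake_block("CERTIFICATE", b"placeholder certificate bytes")
SAMPLE_CERT_AND_KEY = SAMPLE_CERT_ONLY + \
    _fake_block("PRIVATE KEY", b"placeholder key bytes")


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every well-formed block.
    Raises ValueError if a block body is not valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def summarize(text: str) -> Counter:
    """Count objects by label, e.g. {'CERTIFICATE': 2, 'PRIVATE KEY': 1}."""
    return Counter(label for label, _ in pem_blocks(text))


def unterminated_blocks(text: str) -> int:
    """BEGIN lines with no matching END (a truncated or mis-edited file)."""
    return text.count("-----BEGIN ") - len(PEM_BLOCK.findall(text))


def can_build_p12(text: str) -> Tuple[bool, str]:
    """Decide whether 'openssl pkcs12 -export' would have what it needs."""
    counts = summarize(text)
    certs = counts.get("CERTIFICATE", 0)
    keys = sum(counts.get(k, 0) for k in KEY_LABELS)
    if certs == 0:
        return False, "no CERTIFICATE block"
    if keys == 0:
        return False, "no private key block: a .p12 cannot be built from a certificate alone"
    if counts.get("ENCRYPTED PRIVATE KEY", 0):
        return True, "key is present but passphrase-protected"
    return True, f"{certs} certificate(s) and {keys} key(s) present"


if __name__ == "__main__":
    for name, bundle in (("cert only", SAMPLE_CERT_ONLY),
                         ("cert and key", SAMPLE_CERT_AND_KEY)):
        print(name, dict(summarize(bundle)), can_build_p12(bundle))
```

Run it against the real file with `can_build_p12(open("client.pem").read())`; a cert-only result confirms that the p12 route is closed without the key, which is what the post describes.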

wifi
I think if you have ICS_P740AV1.0.0B07+ you can't find an open hotspot, and if you can see one, you can't connect.
Try to make one hotspot secured with WPA2 and try it.

k0tsompakos said:
I think if you have ICS_P740AV1.0.0B07+ you can't find an open hotspot, and if you can see one, you can't connect.
Try to make one hotspot secured with WPA2 and try it.
Whoa, I only understand half of it.
I have Android 4.3 JSS15Q rooted with flo (?). I have SuperSU and Busybox installed. I followed the default instructions of the Nexus Root Toolkit. My wifi is connected for sure, but it has blocked ports (which is the reason for all this). However, since I'm failing at an earlier stage, and since it works from my PC on the same network with the same OpenVPN on the same ports, I suppose the error is not in the network settings...
The wifi I'm connected to has WPA2+TKIP etc., but I'm not sure how this is relevant...

rom
Have you installed a custom ROM?
Have you tried enabling and disabling airplane mode?
Do you have a data connection?

k0tsompakos said:
Have you installed a custom ROM?
Have you tried enabling and disabling airplane mode?
Do you have a data connection?
I have stock Android, rooted. I only have wifi and the connection works perfectly. I tried rebooting the device, which I consider to count as "disable/enable airplane mode". I have good wifi signal strength.
I have no issues accessing websites over port 80/443, only the blocked ports don't work. The OpenVPN server is reachable on port 443 (it works from my PC).

Hello,
Did you ever manage to solve this? I'm looking to configure my Nexus 7 2013 to connect to an OpenVPN server using TAP and it doesn't seem to be working. I'm using OpenVPN Settings with certificate-based authentication. I'm able to connect to my server, however I don't get a local IP address assigned, and when I browse the internet my IP still shows up as from the original connection instead of the VPN endpoint. Computers with Windows 7 can connect to the server no problem and all their traffic is directed through the tunnel. Any ideas for guides and walkthroughs?
Thanks. Any help is very much appreciated.

Related

Cisco VPN on Nexus One

Dear all, I got my new Nexus One, rooted, with recovery ROM and with Modaco Custom ROM installed (without Add-On installed).
I also installed the VPN Connection app but I cannot get it to work!
Has anyone successfully got it to work on the N1?
Or any other idea to get a VPN connection with a Cisco concentrator?
thank you
I would like that one as well!
I've installed the VPN connection app from the Market on top of Cyanogen's Baconmod and it worked the first time. I'm going back to my company's Cisco concentrator also.
I'm using a group password - make sure you set that up correctly... Connects over WiFi or 3G with no issues. I'm not certain if it works well with certificates.
I am unlocked, rooted, RA Recovery, and N1 Addon. Once you get all of that set up, then go to the Market and download "VPN Connections - root".
It should work barring any unforeseen configuration on your work side like TCP vs UDP, connections port changes, or anything else that would be propagated by a configuration file.
But if you unlock, root, and have Cyanogen's N1 Addon you should be fine unless you have a config challenge.
Ntwrkwizard
Cisco VPN works but has issues
Nexus is my first Android phone and I just rooted and baconized. I was so conflicted, but I told myself it was inevitable. The phone has been solid for a week and I knew that when the first ROM dropped with multi-touch, I wouldn't be able to resist. Might as well get a head start, right?
First thing I did was install VPN Connections from the Market and set up a connection to my company Cisco ASA. I was totally stoked when I was able to connect and VNC into my office PC. After I was done, I went back into VPN Connections and disconnected from the VPN. My Internet (WiFi) access did not come back. Next I tried disabling the VPN from within the app. No dice. I then force-closed VPN Connections and still no good. I ended up disabling and re-enabling WiFi to get my net connection back. Is this normal?
Does this program place a .pcf file anywhere on the phone? I have a pcf file from my work VPN, and the options that are in the UI are not quite enough to cover what all I need to enter. I looked all over the place for a pcf file, but couldn't find one. I know that the get-a-robot initial version of this program had one, but I don't know where this new version keeps it (if it does at all).
jchap2k
Cisco VPN
I have a question about Cisco VPN. I've not tried using it on an Android phone, because I wasn't sure if the way my company's VPN works is supported. My company uses a token file that needs to be "installed" on the computer for the Cisco VPN. So the question is, would the Cisco VPN solution for Android support this?
Thank you
Using CM beta 4 ROM with the update from Google, and this program FCs when trying to connect to the VPN.
Any helpful hints would be great.
Not sure on the FC, maybe try another ROM/kernel.
I wasn't able to get this to work using any of the Cyan ROMs so I must be doing something wrong.
My VPN works fine with the settings I've used for both the VPN client (Windows Cisco client) and vpnc (Fedora Linux client), but when I press connect on Android it will instantly say failed. Is there a log available for this application?

Android not working on wifi at school

So my school just got netbooks for everyone and also WiFi, but the problem is that my Android phone can connect but it can't use it. At first I thought they somehow banned everything but the netbooks, but when I brought my laptop it connected just fine. So what do you think they did? Do you think it could be the MAC?
P.S. I can only use Internet Explorer on my laptop and not Firefox.
Just found out that I am in the wrong sub-forum; can an awesome mod move this for me? Thanks.
It depends on a lot of settings.
What is the encryption mode used on this network? (open, WEP, WPA, WPA2-TKIP, WPA2-AES)
Is the laptop owned or managed by the establishment? (ie: is it registered on an Active Directory domain?)
Is it using an enterprise authentication method (ie: 802.1x)?
If so, which authentication type is it using (ie: TTLS, PEAP) and which inner authentication protocol (ie: MS-CHAPv2, GTC)?
You might have to put in your network credentials in order to connect to the wireless if they are using 802.1x.
For your Firefox issue, maybe you could try setting it to use your Internet Explorer's proxy settings and see if that fixes the problem.
Something similar happens to me at work, but in this case they are using an automatic configuration script to connect to the web.
How can I use the configuration script in my android device
j0an said:
Something similar happens to me at work, but in this case they are using an automatic configuration script to connect to the web.
How can I use the configuration script in my Android device?
You cannot. Find out the proxy address and port and download something like TransProxy.

TUN/TAP driver for openvpn available yet?

As the subject states, none of the current ROMs/kernels appear to have the TUN/TAP driver to run OpenVPN.
Side note.. ATT pissed me off today (okay, so I had it coming for tethering, but still..). So, the new solution is to run OpenVPN and force all the traffic through my OpenVPN gateway; this will keep ATT from spying, and also prevent them from using TTL (still speculation, but one of the methods to detect tethering).
Just out of curiosity, how did you confirm that the TUN/TAP driver was non-existent or not operating properly on the Skyrocket?
I'm in the midst of doing the same ... installing openvpn. I have the server set up on my home PC and verified through another laptop off-network. But I have problems when trying to run openvpn settings. Here is what I did:
1) Copied .ovpn file, ca.crt, client1.crt, client1.key, ta.key FROM server TO /sdcard/openvpn directory on skyrocket
2) Installed busybox
3) Installed openvpn installer
4) Installed openvpn using #3
5) Installed and opened openvpn settings
6) Under "OpenVPN Settings" I checked the box saying "OpenVPN"
7) Under "OpenVPN Configurations", I selected my .ovpn file's checkbox
8) The .ovpn checkbox immediately disables and I have no openvpn
Was your approach similar?
I just checked via lsmod. I did not bother going through the process of moving my config files from my captivate to the skyrocket.
Samsung does not include the tun/tap driver in the stock kernel, so it will require a custom kernel, or at least someone to create the module with the same libraries as the stock kernel and just the tun.ko module file to copy across to our current phones.
Actually TUN/TAP is compiled directly into the stock kernel and not compiled as a module so you won't find it with lsmod. You also don't need to do an insmod to use it. I'm running openvpn just fine in tap mode.
There IS a bug in the OpenVPN Installer though that requires you to have ifconfig and route in /system/xbin/bb. It won't work if you select anything else during the openvpn install.
Here's what I did...
Install busybox to /system/xbin
Install openvpn to /system/xbin and select /system/xbin/bb as the location of ifconfig/route
adb shell or use a terminal on the device and do a su.
mount -o rw,remount /dev/block/mmcblk0p24 /system
mkdir /system/xbin/bb
cd /system/xbin/bb
ln -s ../busybox ifconfig
ln -s ../busybox route
mount -o ro,remount /dev/block/mmcblk0p24 /system
Configure and start openvpn.
Good to know.
Will try it in a bit. I tried to run OpenVPN, but it failed on the tun driver, which is why I stopped, but I did not link bb; will give that a try when I get a chance... stupid ATT busted me for unauthorized tethering again.. so I cannot get my existing OpenVPN config from my server yet...
gtj0:
I tried the directions you provided but using tun, and no luck. I'll try to reconfigure my OpenVPN server to run tap and will try again.
jvanbrecht:
let me know if you make any progress
plarser48 said:
gtj0:
I tried the directions you provided but using tun, and no luck. I'll try to reconfigure my OpenVPN server to run tap and will try again.
jvanbrecht:
let me know if you make any progress
I just reconfigured my server over to tun mode and it's still working fine.
Can you try running openvpn from a command line and see what errors it spits out?
I.E. openvpn --config server.ovpn
Also can you check if /dev/tun exists?
edit.....
Here's my config...
client
dev tun0
proto udp
float
remote vpn.example.com 21194
resolv-retry infinite
nobind
persist-key
persist-tun
ca vpn.example.com.ca.crt
cert zzz.crt
key zzz.key
tls-auth vpn.example.com.ta.key 1
cipher AES-256-CBC
comp-lzo
verb 4
mute 20
plarser48 said:
gtj0:
I tried the directions you provided but using tun, and no luck. I'll try to reconfigure my OpenVPN server to run tap and will try again.
jvanbrecht:
let me know if you make any progress
I had no problems getting it to work. I borrowed my co-worker's USB modem to pull down my configs from my old Captivate (I use ssl-admin and store the configs with the certificates in zip format).
The problem I am having at the moment is getting tethering to work while openvpn is running.
Laptop can talk to the phone (using wifi tethering, usb tethering kills the adb session, but I suspect it would work just fine), and phone can talk to the world, but laptop will not connect to the world.
The routes are in place, I checked the sysctl options, and ip forwarding is enabled. Just no traffic will pass... it is driving me nuts... heh.
Success for me too! Not sure what was wrong. The server was always working no problem and was always able to connect directly over home wifi from laptop. But I wasn't able to connect on the Skyrocket.
But I used gtj0's config file, changed the remote ip address/port, and worked perfectly. Thanks!
jvanbrecht: I haven't tried it with tethering yet and probably won't get to until at least a few days. Hope to be able to help by trying on my phone sometime soon.
Everyone: Any idea if it is better to run tun or tap for mobile phone openvpn? Regarding tethering, do both tap and tun hide detectable elements like TTL at the IP layer?
EDIT: VPN Not Porting Properly?
Hmm. It seems I am able to connect no problem and openvpn on the phone says it's connected. But when I go to www.whatismyip.com from my phone, it still says an AT&T address. I expected with openvpn running that it should show my home server ip address no? Also, openvpn on skyrocket indicates that it is connected as 10.3.0.6. But if I try to ping 10.3.0.6 from the server I get no response. Is that expected?
plarser48 said:
Success for me too! Not sure what was wrong. The server was always working no problem and was always able to connect directly over home wifi from laptop. But I wasn't able to connect on the Skyrocket.
But I used gtj0's config file, changed the remote ip address/port, and worked perfectly. Thanks!
jvanbrecht: I haven't tried it with tethering yet and probably won't get to until at least a few days. Hope to be able to help by trying on my phone sometime soon.
Everyone: Any idea if it is better to run tun or tap for mobile phone openvpn? Regarding tethering, do both tap and tun hide detectable elements like TTL at the IP layer?
EDIT: VPN Not Porting Properly?
Hmm. It seems I am able to connect no problem and openvpn on the phone says it's connected. But when I go to www.whatismyip.com from my phone, it still says an AT&T address. I expected with openvpn running that it should show my home server ip address no? Also, openvpn on skyrocket indicates that it is connected as 10.3.0.6. But if I try to ping 10.3.0.6 from the server I get no response. Is that expected?
TAP provides a bridged connection so broadcasts on the server's network are propagated across the connection. For network-to-network connections this may be needed for things like dhcp and windows networking. For end users, this usually isn't a good thing because it eats up bandwidth. TUN, which is routed instead of bridged, is the better way to go.
My config only routes traffic destined for the server's LAN over the VPN connection, so the behavior you see with whatismyip is normal. Check OpenVPN's config file parameters to make the VPN the default route for all traffic.
See my other post. I included my configs.
Just add redirect-gateway option to your client configuration, or the server side client configuration in the ccd directory.
I have everything working. As for what ATT will see: only an encrypted tunnel initiated from your phone to your VPN server. TTL, IP options etc. will not be visible to ATT.
Cool, thanks again. I'll try updating my configs and trying again tonight. I'm sure not being able to ping across the tunnel was probably a configuration issue as well.
You also need the Client to Client option enabled if you want the openvpn server to advertise routes to other vpn client devices and their associated networks. That would be another reason why you cannot ping across the tunnel if you are trying to ping another vpn device.
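Added example, not code from the thread: a small checker for an OpenVPN client config that answers the questions raised in the last few posts. It reports whether the tunnel is routed (tun) or bridged (tap), whether redirect-gateway will make the VPN the default route (without it, a what-is-my-IP page keeps showing the carrier address, as observed above), and whether tls-auth protects the control channel. SAMPLE_CONFIG is a copy of the client config gtj0 posted earlier; vpn.example.com and the file names are placeholders from that post, not a real server.

```python
"""Check an OpenVPN client config for tun/tap, full-tunnel and tls-auth.
Added example; SAMPLE_CONFIG mirrors the config posted in the thread."""

from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

SAMPLE_CONFIG = """\
client
dev tun0
proto udp
float
remote vpn.example.com 21194
resolv-retry infinite
nobind
persist-key
persist-tun
ca vpn.example.com.ca.crt
cert zzz.crt
key zzz.key
tls-auth vpn.example.com.ta.key 1
cipher AES-256-CBC
comp-lzo
verb 4
mute 20
"""


@dataclass
class OvpnReport:
    dev_type: Optional[str] = None        # "tun" or "tap"
    full_tunnel: bool = False             # redirect-gateway present
    tls_auth: bool = False
    tls_auth_direction: Optional[str] = None
    cipher: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_directives(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (name, args) per directive; skip comments, blank lines and
    inline <ca>/<cert>/<key>/<tls-auth> blocks, which are treated as opaque."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def check_config(text: str) -> OvpnReport:
    r = OvpnReport()
    dev_name = None
    for name, args in parse_directives(text):
        if name == "dev" and args:
            dev_name = args[0]
        elif name == "dev-type" and args:
            r.dev_type = args[0]              # explicit type beats the device name
        elif name == "redirect-gateway":
            r.full_tunnel = True
        elif name == "tls-auth":
            r.tls_auth = True
            r.tls_auth_direction = args[1] if len(args) > 1 else None
        elif name == "cipher" and args:
            r.cipher = args[0]
    if r.dev_type is None and dev_name:
        # "tun", "tun0", "tap", "tap1"; anything else is reported as written
        r.dev_type = dev_name[:3] if dev_name[:3] in ("tun", "tap") else dev_name
    if r.dev_type == "tap":
        r.notes.append("tap is bridged: needs a TAP-capable client and carries "
                       "the server LAN's broadcasts over the link")
    if not r.full_tunnel:
        r.notes.append("no redirect-gateway: only routes pushed by the server use "
                       "the tunnel, so external sites still see the local address")
    if not r.tls_auth:
        r.notes.append("no tls-auth: control channel has no HMAC protection")
    elif r.tls_auth_direction is None:
        r.notes.append("tls-auth key direction omitted: bidirectional mode, "
                       "the server must omit it too")
    return r


def add_full_tunnel(text: str) -> str:
    """Append 'redirect-gateway def1' if the config does not already redirect;
    def1 overrides the default route without deleting the original one."""
    if check_config(text).full_tunnel:
        return text
    return text.rstrip("\n") + "\nredirect-gateway def1\n"


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG)
    print(report.dev_type, report.full_tunnel, report.cipher)
    for note in report.notes:
        print("-", note)
```

Run `check_config` on the .ovpn you actually deploy; the note about redirect-gateway is the same diagnosis given in the replies above, and `add_full_tunnel` is the client-side form of the fix (the alternative is pushing it from the server's ccd entry).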
jvanbrecht:
I'm not seeing your config files on the board here. I'm fairly new here so maybe I'm not looking at the right place. But I didn't see an attachment.
The configs are posted in my other thread.
http://forum.xda-developers.com/showthread.php?t=1378970
Thank you. I'll try out the details in that post. If I have any questions I am going to post over there from now on because that post is more closely aligned with my goal and thus more relevant.

[Q] How to connect to wifi 802.1x EAP ?

Help me connect to eduroam please.
When I try to connect it says: "scanning ...." then "connecting ...." then "saved, secured with 802.1x".
Sensation XE
fw 3.25
rom : ARHD 6.2.1
ICS
Same for me, Sony.
Seems to be an Android bug.
-scanning-connecting-searching---- "disabled, secured with 802.1x eap"
this is my loop, and no connection at all
Same here :-(
iPhone users can connect fine to my company's 802.1x wifi network, but I can't from my Android phones (SE Xperia X10 on Gingerbread & HTC Sensation on ICS).
A Google search shows a lot of users having issues connecting to 802.1x networks since Froyo (Android 2.2). There are workarounds suggested, but they don't appear to work for me.
It seems the issue still exists in ICS as well :-(
Try LEAP WiFi free (it is in the Market) or try to find an app for your company.
LEAP WiFi works fine for me on IBM EAP APs.
Delete your old saved setting before creating a new one with LEAP WiFi.
davebugyi said:
Try LEAP WiFi free (it is in the Market) or try to find an app for your company.
LEAP WiFi works fine for me on IBM EAP APs.
Delete your old saved setting before creating a new one with LEAP WiFi.
Will test that.
Hope it will work.
Huck33 said:
Will test that.
Hope it will work.
Must be a bug in CM9, I'm having the same issue. Thinking about going back to CM7
bomczz said:
Help me connect to eduroam please.
When I try to connect it says: "scanning ...." then "connecting ...." then "saved, secured with 802.1x".
Sensation XE
fw 3.25
rom : ARHD 6.2.1
ICS
Finally, I've defeated my Cisco EAP-FAST corporate wifi network and now all our Android devices are able to connect to it.
The workaround I've performed in order to gain access to this kind of network from an Android device is easier than you can imagine.
I'm a BES, MDM and Lotus administrator, and by the way an iOS lover.
Many of my colleagues are Android users, and their claim is always the same.
Why are iOS and BB users able to connect to the corporate wireless network by choosing only WPA2 Enterprise, needing only the network SSID and their Active Directory credentials?
Two years have passed since I heard this claim from my colleagues for the first time, and until yesterday all of them remained disconnected even when they had ICS on their devices.
These things made me think about the Android and iOS system differences, and the way the OS developer thinks.
A wireless chipset is a wireless chipset, and it does not depend on the OS installed in a mobile device to have better compatibility (not like servers or routers).
When you set up a corporate wifi network on iPhone, basically you command the system to use some protocols to connect with, included in the WPA2 Enterprise cabinet; the system checks all of them until it finds the right one to connect.
Android doesn't have the same protocols defined in its WPA2 Enterprise system definitions, so if you try to connect by using the main Android interface, you will get an authentication error.
There's a Wifi Config Editor in the Google Play Store you can use to "activate" the secondary Cisco protocols when you are setting up an EAP wifi connection.
Its name is Wifi Config Advanced Editor.
First you have to set up your wireless network manually, as close as you can to your "official" corporate wifi parameters.
Save it.
Go to the WCE and edit the parameters of the network you have created in the previous step.
There are 3 or 4 series of settings you should activate in order to force the Android device to use them as a way to connect (the main section I think you want to visit is Enterprise Configuration, but don't forget to check all the parameters and change them if needed).
As a suggestion, even if you have a WPA2 EAP-FAST cipher, try LEAP in your setup.
It worked for me like a charm.
When you have finished editing the config, go to the main Android wifi controller, and force it to connect to this network.
DO NOT edit the network again with the Android wifi interface.
Tested on Samsung Galaxy 1, 2 and Note mobile devices and on a Lenovo Thinkpad Tablet.
Gingerbread, Honeycomb and ICS.
May the force be with you, my young Padawan
Regards
Try the "Leap WIFI free" app from Play Store
Try the "Leap WIFI free" app from Play Store. Its an app provided by a developer called "OneGuyInABasement".
I was having the same issue where I couldn't connect to the (802.1x EAP based) Wifi network at my workplace.
I configured the network through this app and now I can connect just fine.
Leap WIFI free not working with JB 4.2.1
I have tried using LEAP WiFi free on my Asus TF700T running the latest OTA update to JB (4.2.1).
While the tool seems to create a network profile, it does not even connect.
Trying to connect to a wifi network that shows up as Cisco EAP-FAST when I connect via my Windows laptop.
I've tried creating the profile using the built-in wifi config editor as well; unfortunately it defaults to PEAP, and while it connects and gets an IP address, I do not have actual network access (e.g. web browsing fails).
The wifi ACE tool has not been updated to support JB yet either.
Any other suggestions?

How to route all Android traffic through VPN -> Proxy -> Internet

Hello all,
I am trying to route all of my Android traffic through a VPN and then afterwards through a proxy.
I tried several methods to get this to work:
1. USB tethering and Windows laptop mobile hotspot
I tried to use the connection of my laptop, where I configured the VPN and proxy connection with Proxifier, through USB tethering and the mobile hotspot on my laptop. Unfortunately my smartphone (Huawei Nova 2i) is only using the normal wifi connection, not the connection through Proxifier, even though I set system-wide proxification within Proxifier.
2. ProxyDroid
I tried to achieve this by using ProxyDroid. Unfortunately I can't unlock the bootloader of my Huawei phone. If there is no way to do this with an unrooted phone, I would buy a new phone. It would be nice if there is an option to do this with an unrooted phone.
3. Mozilla addon
I could install an addon for Mozilla to set a proxy connection there. I did not do this, because this would only work for the browser and I want it system-wide.
4. OpenVPN + SandroProxy
This is the best option in my opinion, but I did not figure out how to do it properly. The idea is to use OpenVPN as a system wide VPN. All traffic would be routed through the VPN. Then in the next step I would route the traffic of OpenVPN through my proxy network.
This should work somehow I think, but I did not figure out how. Any information on how to achieve this setup would be welcome.
Best regards
XDandroidsecurity
