Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04
Motivation
To be able to work around the proxied 3G data connection of Petro-Canada Mobility/7-11 Speakout, so that I can make free calls to a landline using a VoIP app such as Fongo. My previous solution was another app, Droidvpn, but it had two issues: 1) it is only free for 100 megs/day and 2) it requires a rooted Android phone. Setting up and using my own server therefore removes the 100 meg/day limit and does not require a rooted Android phone. I initially did the following steps on my own home server as a test, but because the setup requires port 443, which my web server was already using, I ended up renting an unmanaged VPS for much less than Droidvpn charges (especially when it's split amongst me, the wife and my dad).
Source material
- OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
- Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
- My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04
My setup
- An android phone (tested with an Xperia Ray running stock Sony Android 4.0 ROM) with a proxied 3g data connection via Petro-Canada Mobility
- A server running Ubuntu 12.04 64-bit with port 443 available
- OpenVPN server configuration: tun, tcp, pre-shared key/cert authentication
- Output openvpn bytecounts to a log to track server usage
The Steps
- Step 1) Install server software
sudo apt-get install openvpn iptables-persistent openssl
- Step 2) Obtain conf files
Copy sample conf files located in /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn
- Step 3) Generate certificates and keys for the server and multiple clients
Follow the guide at http://openvpn.net/index.php/open-source/documentation/howto.html#pki
Tip: You may need to rename the openssl-1.0.0.cnf file to openssl.cnf.
- Step 4) Edit the server.conf file.
Notes: Only tun is supported on Android 4.0. Port 443 and TCP (rather than UDP) must be used for OpenVPN connections that go through the carrier's proxy.
port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
# but I'm gonna do it anyways
user nobody
group nogroup
management localhost 8000 # enable management interface
script-security 2 # to run scripts
client-disconnect "scripts/client-disconnect.sh" # log bytecounts to a file
- Step 5) Enable ip forwarding
Edit /etc/sysctl.conf
net.ipv4.ip_forward=1
- Step 6) Route all traffic through the vpn using iptables
Note: 10.8.0.0/24 is the subnet defined by the server directive in server.conf, and eth0 is assumed to be the server's external network interface (check the output of ifconfig). Tip: Saving the rules with iptables-save (from iptables-persistent) ensures they are reloaded on the next reboot. The redirect has to happen as root, hence the sh -c wrapper.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
- Step 7) Log bytecounts to a file using a script
Every time a user disconnects, the session's bytecounts will be written to a file. Place the following script in /etc/openvpn/scripts/client-disconnect.sh
#!/bin/sh
# Run by openvpn on every client disconnect (requires script-security 2); the
# session details arrive as environment variables. server.conf drops privileges
# to nobody, so bytecounts.log must be writable by nobody (see below).
LOGGER=/usr/bin/logger
# logger -s echoes the message to stderr as well as syslog; 2>> captures that copy.
$LOGGER -s -plocal3.debug -t "[openvpn client-disconnect] $(date)" \
    "NAME=${common_name}" "SENT/RECEIVED=${bytes_sent}/${bytes_received}" \
    "VIRT_IP=${ifconfig_pool_remote_ip}" "REAL_IP=${untrusted_ip}" \
    2>> /etc/openvpn/bytecounts.log
Change permissions of the script file and bytecounts.log file
sudo chmod a+x /etc/openvpn/scripts/client-disconnect.sh
sudo touch /etc/openvpn/bytecounts.log && sudo chown nobody /etc/openvpn/bytecounts.log
- Step 8) Start the server
Rebooting should start the server automatically; otherwise restart it by hand:
sudo /etc/init.d/openvpn restart
Tip: Run the openvpn server manually rather than as a daemon to facilitate debugging as follows.
sudo openvpn --config server.conf
- Step 9) Copy necessary files to the openvpn client (the phone)
Copy the following 4 files:
- ca*.crt: the Root CA certificate
- client1*.crt: the Client1 certificate
- client1*.key: the Client1 key
- client*.conf: the sample openvpn client config file, which we shall modify next
- Step 10) Edit the openvpn client config file
Tip: It might be easier to edit the config file on a computer before transferring to the phone.
client # from the sample client.conf; required to accept the options pushed by the server
;dev tap
dev tun
proto tcp
;proto udp
remote buffalo.interpause.com 443 # change this to the ip of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
- Step 11) Install client software on phone
Two options for Android 4.0 that don't require root:
- Official (not yet tested): https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
- Unofficial (tested): https://play.google.com/store/apps/details?id=de.blinkt.openvpn
For Android 2.3, root is required and both of these apps are needed:
- OpenVPN Installer: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
- OpenVPN Settings: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn&hl=en
- Step 12) Configure the app
Open the app, go to the VPN profiles page, open the client conf file, save the imported profile, then update the location of the 3 client files (CA cert, client cert and client key).
- Step 13) Start the client
Disable wifi, enable 3g, connect to the vpn. Most if not all apps should work as if the 3g data connection was not proxied.
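To actually make use of the bytecounts.log written by the Step 7 script, here is an added usage summariser (example code, not part of the original howto). It assumes the record layout that script produces (a logger prefix followed by NAME= and SENT/RECEIVED=sent/received fields); the sample lines it embeds are constructed, not real data.

```shell
#!/bin/sh
# Summarise the bytecounts.log written by the Step 7 client-disconnect script.
# Only the NAME= and SENT/RECEIVED=sent/received fields are parsed, so the exact
# logger prefix in front of them does not matter.

# Constructed sample records (not real data); the prefix mimics logger -s output.
write_sample_log() {
    cat > "$1" <<'EOF'
[openvpn client-disconnect] Fri Jan 18 10:02:11 PST 2013: NAME=client1 SENT/RECEIVED=1048576/3145728 VIRT_IP=10.8.0.6 REAL_IP=198.51.100.7
[openvpn client-disconnect] Fri Jan 18 12:30:45 PST 2013: NAME=client1 SENT/RECEIVED=524288/1048576 VIRT_IP=10.8.0.6 REAL_IP=198.51.100.9
[openvpn client-disconnect] Fri Jan 18 13:00:00 PST 2013: NAME=client2 SENT/RECEIVED=0/0 VIRT_IP=10.8.0.10 REAL_IP=203.0.113.5
EOF
}

# One line per common name: sessions, bytes sent, bytes received, total in MiB.
# Note: with duplicate-cn every phone presents the same cert, so all sessions
# land in one row and REAL_IP is the only per-session clue left in the log.
summarize_usage() {
    awk '
        {
            name = ""; sent = 0; recv = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^NAME=/) name = substr($i, 6)
                else if ($i ~ /^SENT\/RECEIVED=/) {
                    split(substr($i, 15), b, "/")
                    sent = b[1] + 0; recv = b[2] + 0
                }
            }
            if (name == "") next    # not a disconnect record
            tx[name] += sent; rx[name] += recv; n[name]++
        }
        END {
            for (c in tx)
                printf "%s sessions=%d sent=%d received=%d total_mib=%.2f\n",
                       c, n[c], tx[c], rx[c], (tx[c] + rx[c]) / 1048576
        }' "$1" | sort
}

# Grand total of bytes in both directions across every record.
total_bytes() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SENT\/RECEIVED=/) {
               split(substr($i, 15), b, "/"); t += b[1] + b[2] } }
         END { print t + 0 }' "$1"
}

# Usage: sh usage.sh /etc/openvpn/bytecounts.log ; with no argument a sample is used.
if [ $# -eq 0 ]; then LOG=$(mktemp); write_sample_log "$LOG"; else LOG=$1; fi
summarize_usage "$LOG"
echo "total_bytes=$(total_bytes "$LOG")"
```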