[Christophe Vandeplas]

Since I bought my HTC Hero two weeks ago I can't stop enjoing the device.
Except one thing: Currently no OpenVPN client exists yet for the Android platform.

While searching Google I could find people referring to successfull ports of openvpn, but all discussions were vague and all links were dead.


This resulted in the motivation to work on making openvpn available on Android.
For the last weeks I have been reading documentation and already started coding a very basic GUI. (listing and editing configuration files)

Being fairly novice to Android, and expecting I'm not the only one envying such functionality I am starting a Call for Participation trying to reach other developers interested to work on the project.

As structure of this application I see the following parts:
1) GUI stuff to manage configurations (view, create, edit and delete). Tunnel management (connect, disconnect, view log, view ip) would also be done here. (language: java)
2) background daemon sending notifications about the tunnel state (don't know if that's necessary) (language: java)
3) ported openvpn client that parses the config and does the real work. (language: c)

It looks like other projects already provide the necessary tun kernel drivers. Rooting your device will be necessary to be able to load the driver.

Being supportive to open source software I'd like to keep the code open.
Discussions about selling the (compiled) GUI on the Market are possible.


Interested developers can reply here or contact me at [email protected]


Some interesting links:
http://openvpn.net/i.../downloads.html
http://developer.and...5_r1/index.html
http://code.google.c...t-a-robot-vpnc/

Posted on xda-developers and MoDaCo.

This post has been edited by Christophe Vandeplas: 23 August 2009 - 04:40 PM

[Sponsored Links]

[cyde]

well. If you now check the duplicate post on the XDA forum's you will see that some one has finally done it, but not provided any docs.

I tried to create an account there to follow up, but for some reason I am not getting the verify email from them, but here it works, so here I will post the step by step that I did to get it working.

First off, I gotta say, the modaco 2.2 rom for my HTC hero is great. Oh... and keep tun.ko present. its used with this.

2ndly, this is my first post, and hope it helps some one, feed back in thread would be nice.

... ok on with the openVPN.

Firstly I will describe that what I did with what tools/equip, so no assurances it will work on others the same way. TRY AT OWN RISK!!!! Lots of typing, no gui to start it up yet.

version of software OS used:

Android HTC Hero Build number 2.73.405.5 146733 (MCR2.2e)
Android system recover boot loader Build: CyanogenMod v1.4 + JF
(what ever android terminal program you prefer, I use connectbot)
PC - Asus 900 EEE (winXP)
Andriod SDK 1.5r3 (for ADB)
OpenVPN server - Astaro 7.4 home license. (I only have a wireless router in open access, connected in the DMZ port. Only way to connect internally is via OpenVPN [ssl] client - this is installed and confirmed working on my XP client - This is important as we will be using files from this install)

from the site: http://github.com/fr...envpn/downloads
down load the file openvpn-android-2.1.tar.bz2 and up zip it some where. (location used in step 3)

Step 1 - Take back and secure externally - optional, but always a good idea.

Step 2 - Reboot phone into recovery mode.
Powerdown Android. Power up holding Home and Power until recovery screen is displayed.
Have USB cable connected

Step 3 - Perform the following bold text commands at a command prompt
ADB shell mount /system
ADB shell
cd /system/lib
cp libcrypto.so libcrypto-orig.so
cp libssl.so libssl-orig.so
These last 2 entries are just a 2ndary backup. you can skip if you like
exit

From the unzipped fries download find all the files (should be 5 in total) and do
adb push libcrypto.so /system/lib/
adb push liblzo.so /system/lib/
adb push libssl.so /system/lib/
adb push openssl /system/bin/
adb push openvpn /system/bin/
adb shell chmod 4755 /system/bin/openssl
adb shell chmod 4755 /system/bin/openvpn
These last 2 commands I added at the time, but I am unsure if they are actually needed.

Now for some reason (as I spent 8 hours working all this out) the openvpn client doesn't have the correct path to the busy box tools, and tries to use /system/xbin/bb/ifconfig and route commands. on my Hero, this path doesn't exist its just /system/xbin/ifconfig. rather than stuff around trying to debug this, I instead did the following commands.

adb shell
cd /system/xbin
ln -s /system/xbin /system/xbin/bb
exit
if before you exit, you do a ls of bb you should see the same directory listing as xbin.

reboot back to the hero.

Step 4 - copy over the vpn config files
now, you will need your open ssl vpn/certs/etc, and since I know my openvpn client on my XP works, I use those. from the local PC (for the Astaro installation) C:\Program Files\Astaro\Astaro SSL VPN Client\config\<whatever>\* (should be 2 .crt files, 1 .key file, and 1 .ovpn file). Copy these over to your android all in the same place, I used /sdcard and copied them via USBmount process. keep them in the same location

Step 5 - Create the username/password file

Yeah, I dont like storing passwords in clear text, but I still havent figured out how to prompt for the password


create a text file (using what ever method you prefer) with your openvpn user name on the first line, and your openvpn password on the second line. save it in the same location as step 4 on your android and note down the name.

Step 6 - Edit the ovpn file on your Android.

I am not sure if this is needed, but through my 8 hours of trying to get this to work, I made this change.
Find the line and change it so that it reads (you may need to remove comment characters).
dev-node /dev/tun
Save this change.

You can unplug the USB cable now (to insure no false positives occur)

Step 7 - start your network connection on your Android

This can be your wireless, or your roaming data. your choice. Just try to remember, this should be the same way your vpn is known to work with your config file from earlier (ie, if you use astaro VPN via public internet - use roaming, if you are connecting via DMZ/private subnet - use wireless).

Step 8 - Open the android console for starting up the VPN

I use connectbot in local mode, but its your choice. Now at this point, I am going to do things the long way (short way is you should be able to figure out) to show one of the errors and how to fix it.
peform the following bolded commands.

su -
cd /sdcard
or cd to where ever you stored your certs/key/ovpn and password file.
openvpn --config <yourconfigfilename>.ovpn --auth-user-pass <your password file filename>
for me this resulted in error:
<date/time> Cannot open TUN/TAP dev /dev/tun: no such file or directory (errno=2)

To fix this enter the following command
insmod /system/lib/modules/tun.ko
Then try this command again

openvpn --config <yourconfigfilename>.ovpn --auth-user-pass <your password file filename>
This then results in a success message (and for some reason no return to command prompt) of:

Mon Sep 28 23:52:14 2009 TUN/TAP device tun0 opened
Mon Sep 28 23:52:14 2009 TUN/TAP TX queue length set to 100
Mon Sep 28 23:52:14 2009 /system/xbin/bb/ifconfig tun0 10.242.2.6 pointopoint 10.242.2.5 mtu 1500
Mon Sep 28 23:52:14 2009 /system/xbin/bb/route add -net 10.242.2.1 netmask 255.255.255.255 gw 10.242.2.5
Mon Sep 28 23:52:14 2009 /system/xbin/bb/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.242.2.5
Mon Sep 28 23:52:14 2009 Initialization Sequence Completed

As you can see above, it tries to use the xbin/bb path... dont know why.

To test this, I used AndroidVNC to remote control one of my internal Guest VM's I used for development. This worked perfectly.

This concludes the 8 step program..

Now if only some one would (a) write a nice app/GUI front end for this to save the typing, and (b) write a nice GUI app to allow you to set the proxy for browsing. So far I havnt found any such free app in the store, but I only have had my HTC Hero for under 5 weeks.

- Randy

[arnaud atoch]

Bonjour,

Worked nicely on my T Mobile G1.
The only comment I have is about the ln -s command.
The one that worked on my phone was :

ln -s /system/bin /system/xbin/bb

I'm still looking for a GUI to start Stop the VPN as OpenVPN-Monitor.apk fails finding my opvn files (in /sdcard/keys)

Arnaud Atoch

[Christophe Vandeplas]

Good news, as I finally have a working tun driver I can continue my work on a GUI.

The current version is very alpha, but can start/stop an openvpn tunnel and edit the config files on my hero.
Before it's usable I will need to add a notification when the tunnel comes up,
and a way to display the tunnel logfile.

The code will be available here: http://tunneldroid.svn.sourceforge.net/vie...id/tunneldroid/

I will post binaries/packages once I need testers.

[Chris Cureau]

Very, very, very interested in this! Might be able to help with the coding as well. Contact me if you're interested.

Christophe Vandeplas, on Oct 27 2009, 14:17, said:

Good news, as I finally have a working tun driver I can continue my work on a GUI.

The current version is very alpha, but can start/stop an openvpn tunnel and edit the config files on my hero.
Before it's usable I will need to add a notification when the tunnel comes up,
and a way to display the tunnel logfile.

The code will be available here: http://tunneldroid.svn.sourceforge.net/vie...id/tunneldroid/

I will post binaries/packages once I need testers.

[chefcb_2]

there is another OpenVPN App on Android market named OpenVPN GUI,
it allows you to set the path to your config files and the openvpn binary file.
You can easily start/stop vpns via checkboxes. It's very usefull if you have a few VPN's which shouldn't be open all the time, so that you're in need of start/stop them often.
Some more informations can be found at the Developer's page at http://www.blank-onl...id/openvpn_gui/ but unfortunately only in german...
just have a look at the market, it pays :-)

[cyde]

well, I just tried this new appliation (and no, it wasnt there ages ago).

Using MDC 2.8 Tech kernal 1.3

I can successfully run the openvpn command with my options file perfectly well from the command line (via connectbot).

however this app.... not the best.
I can set the folder that countains me config, This works.
I can set the location of the openvpn binary. This works.
I can set the last characters of my config file. This works. So it now displays my list of various .opvn files I use/tested with.
Show debug tick box. This.. ticks but doesnt work as expected.

When I attempt to connect with a VPN connection using this gui, I get the standard root request, and approve, but it then errors for some reason, and the error box that displays last like 2 secs. or some rediculous short time, not enough to read it.

A good start.

-Randy

[cyde]

okay.. got the newer gui update version 1.1 ( I hope you are reading this).

good to have the ability to turn modprobe off. Thanks!

Got a different error this time with modprobe off. lasted <2secs on screen (you need to change that) but the message was shorter this time. I was able to read it and it said could not find file.

The file it could not find was in my case /sdcard/my3.vpn and while from the gui screen I had selected my3, but in the settings I had set the file extension to .ovpn, hence it correctly populated the GUI, but then the writer has hard coded .vpn into the scripting. he needs to fix that.

Once I copied my3.ovpn to my3.vpn, it worked. or atleast when I checked in connectbot I can see the full route table I expected to. Its midnight so I am to tired to test it all. will do a more in depth test tomorrow.

Also to note, I had to include my password file reference/setting into the .ovpn settings file. there is no where to we are prompted at the GUI for a username/password to use at connect time. while for me its not such an issue, but I think this should be addressed some time in the future.

-Randy

[Christophe Vandeplas]

Hello Everyone,


I have good news, my OpenVPN GUI is ready to be released to a wider test audience.
As explained in a previous post the code is completely opensource, so you can check that I added no backdoors, or you could help fixing bugs by sending patches ;-)

The application can currently:
- Create and edit configurations
- Connect / Disconnect
- View log and share it ( send by email or other means )

Future releases will:
- show the status of the connection, your assigned IP,...
- prompt for username/password instead of including passwordfiles in your configuration


You can find a README and the openvpn binaries (working on the Hero) here:
https://sourceforge....neldroid/files/

(these binaries don't require the ugly symlinks that the others published on Git do need (http://github.com/fr...xternal-openvpn)

TunnelDroid is published on the Android Market.
So just do a simple search for it. This will help you to follow the updates.

Please give feedback if it works/doesn't work on your phone. It works like a charm on my Hero running MoDaCo 2.9 Hero Rom.

[cyde]

hi chris,

Just to advise, I downloaded Tunneldroid from market place and tried it out.

It crashes as it starts. I did a power down/restart to see if a reboot was required. Nope. same problem.

Specs on my hero are: MDC 2.8 Tch kernal 1.3

Error that displays is:

/!\ Sorry!

The application TunnelDroid (process net.sourceforge.tunneldroid) has stopped unexpectedly. Please try again.

~~~~~

The OpenVPN GUI client, is now up to version 1.3 Now works. it no longer has hard coding to the .vpn extension even when not selected. It successfully brings up and down a VPN connection (with the relevant prompts for root).

what I did find lacking is to see the log/status of the VPN connection when I go in/out of range. but you cant have everything.

Good work to both of you.

-Randy

[Christophe Vandeplas]

cyde, on Nov 8 2009, 06:14, said:

It crashes as it starts. I did a power down/restart to see if a reboot was required. Nope. same problem.

This is because your openvpn dir didn't exist on the sdcard.
v0.5 now automagically creates the config-dir
Check the market for update

PS: Two good reasons to use TunnelDroid :-)
1/ I will never add ads in the application
2/ it's completely opensource, so you can check if it doesn't do evil things, and you can help adding new features

I will continue working on new features,
please please report bugs so I can fix them.

This post has been edited by Christophe Vandeplas: 08 November 2009 - 10:27 AM

[cyde]

Tunneldroid it is!

newer version 0.5 I just tried, and it works fine now. dropped my .ovpn files into the require folder, and now I can see it connects and see the log!. just great. running on MDC 2.8. tch 1.3 kernel

As you say, still some things to do, like to show status of the vpn.

If we are adding to wish list, then maybe a icon in the top system tray ( like when data/wireless is running) and some way within the VPN icon to ID data going out/in. (Thats the one thing I miss dislike about the wireless icon, you cant see when traffic is happening, where as mobile data you can).

Greatwork Chris. I will be recommending it to my follow VPN users.

-Randy.

This post has been edited by cyde: 08 November 2009 - 11:44 AM

[Christophe Vandeplas]

cyde, on Nov 8 2009, 13:39, said:

If we are adding to wish list, then maybe a icon in the top system tray ( like when data/wireless is running) and some way within the VPN icon to ID data going out/in. (Thats the one thing I miss dislike about the wireless icon, you cant see when traffic is happening, where as mobile data you can).

Btw, we're already at version 0.6, with a rewrite of the logging-system.
I planned to add a permanent notification in the notification area, just like the music player does.
This should be added in the release of 0.7 if no major bug is reported.

The biggest work to come is the implementation of the user/pass prompt as I will need to plug into the management interface of openvpn. That's more a milestone for v1.0.

Keep on giving feedback and don't forget to rate the app on the market ! ;-)


Cheers

[cyde]

Another error/issue and resulting workaround for this:

System: MDC 2.8 Tch Kernal 1.3
Tunneldroid Version 0.6

Issue:

My .ovpn files has 2 entries for REMOTE parameter. This should allow me to check/attempt VPN connections with the same CERT & credentials to multiple VPN Endpoints. In my case, the first endpoint is my home 10.x.y.z wireless network on my DMZ port of my Firewall system. The second IP is my External internet based IP.

When I run openvpn via connectbot command prompt with this config file in either wireless, or via data plan, it connects and I can VPN into my systems.

However When using tunneldroid, I can successfully connect via home WiFi, but when I try via my dataplan connection, it doesnt connect.

To test this, I made a copy of my .ovpn config file, and then in the copy I only made 1 change, commenting out the first REMOTE entry, so that this .ovpn config will try the internet based address first. This works perfectly. I then disconnect and try the first one (with wifi first then internet 2nd) and it still fails.

In the log (Thanks for that feature Chris), I get the follow entries at the end. (italics information I have commented out for security reasons)

Mon Nov 9 13:48:21 2009 OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Sep 15 2009
..... [stuff in between removed]
Mon Nov 9 13:48:50 2009 Data Channel Encrypt: Cipher blah blah blah
Mon Nov 9 13:48:50 2009 Data Channel Encrypt: Using blah blah blah
Mon Nov 9 13:48:50 2009 Data Channel Decrypt: Cipher blah blah blah
Mon Nov 9 13:48:50 2009 Data Channel Decrypt: Using blah blah blah
Mon Nov 9 13:48:50 2009 Control Channel: TLSv1, cipher blah blah blah
Mon Nov 9 13:48:50 2009 [ASTARO-MACHINE-NAME] Peer Connection Initiated with WW.XX.YY.ZZ:443
Mon Nov 9 13:48:51 2009 SENT CONTROL [ASTARO-MACHINE-NAME]: 'PUSH_REQUEST' (status=1)
Mon Nov 9 13:48:51 2009 event_wait : Interrupted system call (code=4)
Mon Nov 9 13:48:51 2009 TCP/UDP: Closing socket
Mon Nov 9 13:48:51 2009 SIGTERM[hard,] received, process exiting

Now based on the start and end time, I see 30 seconds, so I am guessing that Chris has a hard coded 30 second time out. Might be good to know, and to advise only 1 REMOTE option per config. Or a change to the code to fix this.

This post has been edited by cyde: 09 November 2009 - 03:08 AM

[Christophe Vandeplas]

cyde, on Nov 9 2009, 05:02, said:

To test this, I made a copy of my .ovpn config file, and then in the copy I only made 1 change, commenting out the first REMOTE entry, so that this .ovpn config will try the internet based address first. This works perfectly. I then disconnect and try the first one (with wifi first then internet 2nd) and it still fails.
...
Now based on the start and end time, I see 30 seconds, so I am guessing that Chris has a hard coded 30 second time out. Might be good to know, and to advise only 1 REMOTE option per config. Or a change to the code to fix this.

Your assumptions are correct. Check line 94 to 126 of the source
The timeout is set on 30 seconds.

Openvpn might, for whatever reasons, not be able to connect. I need to have a way to stop openvpn if it can't connect as it will otherwise continue. Do you have any other ideas to solve this issue? Maybe show a prompt to ask the user if he still wants to try?

[cyde]

Christophe Vandeplas, on Nov 10 2009, 03:58, said:

Your assumptions are correct. Check line 94 to 126 of the source
The timeout is set on 30 seconds.

Openvpn might, for whatever reasons, not be able to connect. I need to have a way to stop openvpn if it can't connect as it will otherwise continue. Do you have any other ideas to solve this issue? Maybe show a prompt to ask the user if he still wants to try?

hmmm.

Maybe prior to connecting, the file is parsed for for all uncommented REMOTE entries and 30 seconds (which is a good figure) is allocated per entry. This should time it right.

-Randy

[Christophe Vandeplas]

cyde, on Nov 9 2009, 20:18, said:

Maybe prior to connecting, the file is parsed for for all uncommented REMOTE entries and 30 seconds (which is a good figure) is allocated per entry. This should time it right.

I am currently working on the support of an username and password prompt (well, in fact it's a kind of management socket).
As this will take place in the same code as the timeout thing that is currently implemented, and as that part will be completely refactored I will delay this feature request until the basics of the user/pass prompt is implemented.

For those interested, here's the document explaining the features of the openvpn management socket: http://pastebin.ch/4660

As you can expect this will take more than a few days to implement. (as I'm not a professional programmer and code this in my free time)

I already implemented the tunnel-active notification, I'll upload a minor release to the market for that feature.

[cyde]

Chris,

Gotta say that the bells and whistles are now coming out.

Nice new features you have with 0.6.2,such as the tunnel Icon on the status bar tray. as well as the "ongoing" feature in the drag down notification area.

Gotta say I am now getting way impressed with this.

Keep up the good work.

-Randy

[gascharlie65]

I have an HTC Tattoo with donut and I could not find in the market your application. Is it only for Android 1.5?

Christophe Vandeplas, on Nov 7 2009, 21:50, said:

Hello Everyone,


I have good news, my OpenVPN GUI is ready to be released to a wider test audience.
As explained in a previous post the code is completely opensource, so you can check that I added no backdoors, or you could help fixing bugs by sending patches ;-)

The application can currently:
- Create and edit configurations
- Connect / Disconnect
- View log and share it ( send by email or other means )

Future releases will:
- show the status of the connection, your assigned IP,...
- prompt for username/password instead of including passwordfiles in your configuration


You can find a README and the openvpn binaries (working on the Hero) here:
https://sourceforge....neldroid/files/

(these binaries don't require the ugly symlinks that the others published on Git do need (http://github.com/fr...xternal-openvpn)

TunnelDroid is published on the Android Market.
So just do a simple search for it. This will help you to follow the updates.

Please give feedback if it works/doesn't work on your phone. It works like a charm on my Hero running MoDaCo 2.9 Hero Rom.

[cyde]

if you cant find it in the market place try the QR barcode for it. (you do have Barcode scanner don't you?)

TunnelDroid QR

Thanks to Androlib.com

-R

[Sponsored Links]