Tag Archives: openvpn

Android OpenVPN & Jelly Bean

Last night my Galaxy Nexus finally got the Jelly Bean update pushed to it over the air. I’m not sure why it’s taken until now to arrive, but ICS had been working fine so I never bothered to build Android from source again.

It was slightly disturbing that the update came down over 3G data. While I have a fairly generous data cap, a lot of New Zealanders are on pretty low cellphone data caps, and the update is around 160MB.

The upgrade was pretty seamless, however it broke my OpenVPN for Android setup, preventing me from connecting to any of my servers or my email. According to the application, there is a known issue where, after an OS update, you need to re-establish the trust relationship with the Android keystore; you do this by editing the VPN profile, re-selecting the certificate and tapping “allow”.

Unfortunately, that didn’t work for me: it would keep repeating the error and refusing to run. There wasn’t much useful in adb logcat either:

I/ActivityManager(  303): Displayed de.blinkt.openvpn/.MainActivity: +213ms
I/ActivityManager(  303): START {act=android.intent.action.MAIN cmp=de.blinkt.openvpn/.LaunchVPN (has extras) u=0} from pid 4071
I/ActivityManager(  303): START {flg=0x20000 cmp=de.blinkt.openvpn/.LogWindow u=0} from pid 4071
I/keystore(  130): uid: 1000 action: t -> 1 state: 1 -> 1 retry: 4
I/keystore(  130): uid: 1000 action: x -> 1 state: 1 -> 1 retry: 4
V/OpenSSL-keystore( 4071): keystore_bind_fn
V/OpenSSL-keystore( 4071): keystore_engine_setup
V/OpenSSL-keystore( 4071): keystore_loadkey(0x5c30c3d0, "1000_USRPKEY_mobile-jethro", 0x0, 0x0)
I/keystore(  130): uid: 10067 action: b -> 7 state: 1 -> 1 retry: 4
W/keystore_client( 4071): Error from keystore: 7
V/OpenSSL-keystore( 4071): Cannot get public key for 1000_USRPKEY_mobile-jethro

I had a read and came across this bug report in Android, suggesting that the names of some certificates could be a problem.

My certificate was mobile-jethro.p12, so I renamed it to mobile.p12 and imported it again, which resolved the problem! It looks like a nasty character-handling bug: the only thing that changed was dropping the hyphenated suffix from the key alias (the 1000_USRPKEY_mobile-jethro name in the log above).
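The logcat lines above are dense but decodable. As an added example (not code from the post or from OpenVPN for Android), the Python script below walks the excerpt and pulls out the three things that matter for triage: which key alias the OpenSSL keystore engine tried to load, which keystore call failed and with what response code, and whether the alias contains anything outside a conservative character set. The response-code table is the one the Android keystore daemon used in the ICS/Jelly Bean era, where 7 is KEY_NOT_FOUND, which lines up with the engine’s “Cannot get public key” message. The single-letter action map (t = test, x = grant, b = get_pubkey) is from memory of the Jelly Bean keystore source and should be treated as an assumption; the “safe alias” character set is a heuristic I chose for this example, not an Android rule.

```python
import re

# Response codes returned by the Android keystore daemon (keystore.cpp, ICS/Jelly Bean).
KEYSTORE_RESPONSE = {
    1: "NO_ERROR", 2: "LOCKED", 3: "UNINITIALIZED", 4: "SYSTEM_ERROR",
    5: "PROTOCOL_ERROR", 6: "PERMISSION_DENIED", 7: "KEY_NOT_FOUND",
    8: "VALUE_CORRUPTED", 9: "UNDEFINED_ACTION", 10: "WRONG_PASSWORD",
}

# Single-letter action codes as I recall them from the Jelly Bean keystore
# daemon's action table. Assumption: check against your build's keystore.cpp.
KEYSTORE_ACTION = {"t": "test", "x": "grant", "b": "get_pubkey", "n": "sign", "g": "get"}

# The keystore files an app's private key under "<uid>_USRPKEY_<alias>".
USRPKEY_PREFIX = "_USRPKEY_"

# Heuristic (my assumption, not an Android rule): aliases outside this set are
# the first thing to try renaming when the keystore refuses to hand a key over.
SAFE_ALIAS_RE = re.compile(r"^[A-Za-z0-9_]+$")

LOADKEY_RE = re.compile(r'keystore_loadkey\([^,]*,\s*"([^"]+)"')
ACTION_RE = re.compile(r"I/keystore\(\s*\d+\): uid: (\d+) action: (\S) -> (\d+)")
CLIENT_ERR_RE = re.compile(r"W/keystore_client\(\s*(\d+)\): Error from keystore: (\d+)")

# Copied from the logcat excerpt in the post above.
SAMPLE_LOGCAT = [
    "I/ActivityManager(  303): Displayed de.blinkt.openvpn/.MainActivity: +213ms",
    "I/ActivityManager(  303): START {act=android.intent.action.MAIN cmp=de.blinkt.openvpn/.LaunchVPN (has extras) u=0} from pid 4071",
    "I/ActivityManager(  303): START {flg=0x20000 cmp=de.blinkt.openvpn/.LogWindow u=0} from pid 4071",
    "I/keystore(  130): uid: 1000 action: t -> 1 state: 1 -> 1 retry: 4",
    "I/keystore(  130): uid: 1000 action: x -> 1 state: 1 -> 1 retry: 4",
    "V/OpenSSL-keystore( 4071): keystore_bind_fn",
    "V/OpenSSL-keystore( 4071): keystore_engine_setup",
    'V/OpenSSL-keystore( 4071): keystore_loadkey(0x5c30c3d0, "1000_USRPKEY_mobile-jethro", 0x0, 0x0)',
    "I/keystore(  130): uid: 10067 action: b -> 7 state: 1 -> 1 retry: 4",
    "W/keystore_client( 4071): Error from keystore: 7",
    "V/OpenSSL-keystore( 4071): Cannot get public key for 1000_USRPKEY_mobile-jethro",
]


def triage_keystore_log(lines):
    """Return the aliases requested, the keystore calls that failed (anything
    other than NO_ERROR), the client-side error reports, and the aliases whose
    characters fall outside SAFE_ALIAS_RE."""
    requested, failures, client_errors = [], [], []
    for line in lines:
        m = LOADKEY_RE.search(line)
        if m:
            raw = m.group(1)
            # Strip the "<uid>_USRPKEY_" prefix to recover the user-facing alias.
            alias = raw.split(USRPKEY_PREFIX, 1)[1] if USRPKEY_PREFIX in raw else raw
            requested.append((raw, alias))
            continue
        m = ACTION_RE.search(line)
        if m:
            uid, action, code = int(m.group(1)), m.group(2), int(m.group(3))
            if code != 1:
                failures.append((uid, KEYSTORE_ACTION.get(action, action), code,
                                 KEYSTORE_RESPONSE.get(code, "UNKNOWN")))
            continue
        m = CLIENT_ERR_RE.search(line)
        if m:
            client_errors.append((int(m.group(1)), int(m.group(2))))
    suspicious = [alias for _, alias in requested if not SAFE_ALIAS_RE.match(alias)]
    return {"requested": requested, "failures": failures,
            "client_errors": client_errors, "suspicious_aliases": suspicious}


def explain(result):
    """Turn a triage result into one-line hints a reader can act on."""
    hints = []
    for uid, action, code, name in result["failures"]:
        hints.append("uid %d: keystore %s returned %d (%s)" % (uid, action, code, name))
    for alias in result["suspicious_aliases"]:
        hints.append("alias %r has characters outside [A-Za-z0-9_]; try re-importing "
                     "the .p12 under a plain alphanumeric alias" % alias)
    return hints


if __name__ == "__main__":
    for hint in explain(triage_keystore_log(SAMPLE_LOGCAT)):
        print(hint)
```

Run against the excerpt it reports that uid 10067 (the VPN app) got KEY_NOT_FOUND from get_pubkey immediately after the engine asked for the alias mobile-jethro, and flags the hyphen as the thing to try changing; on a larger logcat capture it is the failures list, correlated by uid, that tells you whether the keystore ever held the key at all or is refusing a name it does hold.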

Android VPN Rage

Having obtained a shiny new Nexus S to replace my aging HTC Magic, I’ve spent the last few days setting it up the way I want it: favourite apps, settings, email, etc.

The setup is a little more complex for me, since I run most of my services behind an internal VPN; this includes email, SIP and other services.

On my HTC Magic, I ran the OpenVPN client included in CyanogenMod. This is ideal, since I already run OpenVPN on all my laptops and servers and it’s a very reliable, robust VPN solution.

With the Nexus S, I want to stick to stock firmware, but that limits me to PPTP or IPsec/L2TP, both of which I consider very unpleasant solutions (PPTP in particular leans on MS-CHAPv2, whose weaknesses have been known for years).

I ended up setting up IPsec (Openswan) + L2TP (xl2tpd + pppd) and got this to work with my Android phone to provide VPN connectivity. For simplicity, I configured the tunnel to act as the default route for all traffic.

Some instant deal breakers I’ve discovered:

  1. Android won’t remember the VPN user password. I can work around this for myself by moving to certificates, but it’s a deal breaker for my work VPN with its lovely 32-character password mandated by the infrastructure team.
  2. Android disconnects from the VPN when changing networks, e.g. from 3G to wifi, and won’t automatically reconnect.
  3. I’m unable to get the VPN to stand up from my internal RFC 1918 wifi range: for some reason the VPN establishes and then drops, yet works fine over 3G to the same server.
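The post doesn’t show the server side, so here, as an added example rather than the author’s actual configuration, is the shape of an Openswan + xl2tpd + pppd setup that an Android L2TP/IPsec PSK client can connect to. The server address 203.0.113.10, the 10.99.0.0/24 address pool, the 192.168.1.0/24 server LAN, the user name, the shared secret and the uplink interface eth0 are all placeholders. Two points are worth calling out. First, because the phone is told to send all traffic through the tunnel, the server has to forward and NAT that traffic, which is what the sysctl and iptables lines at the end do. Second, for the wifi problem in item 3 above, one thing worth checking is virtual_private: a NAT-T client’s private address has to fall inside that list, and a range that is excluded there, or that overlaps the server’s own LAN, leaves Openswan with no connection to match the phone’s request.

```conf
# ---- /etc/ipsec.conf (Openswan 2.6, NETKEY stack) ----
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    # Private ranges a NAT-T client may sit behind. The server's own LAN
    # (192.168.1.0/24, a placeholder) is excluded so the two never overlap.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    oe=off

conn L2TP-PSK
    authby=secret
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    # Server public address (placeholder). Transport mode protects only UDP/1701.
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Dead peer detection, so a phone that silently drops off 3G frees its SA.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add

# ---- /etc/ipsec.secrets ----
203.0.113.10 %any : PSK "replace-with-a-long-random-shared-secret"

# ---- /etc/xl2tpd/xl2tpd.conf ----
[global]
ipsec saref = no
listen-addr = 203.0.113.10

[lns default]
ip range = 10.99.0.10-10.99.0.50
local ip = 10.99.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# ---- /etc/ppp/options.xl2tpd ----
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.99.0.1
require-mschap-v2
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
lock
connect-delay 5000

# ---- /etc/ppp/chap-secrets (client  server  secret  IP) ----
# "server" must match "name = l2tpd" in xl2tpd.conf.
mobile l2tpd "replace-with-the-vpn-user-password" *

# ---- Run on the server so that the phone's full-tunnel traffic gets out ----
# sysctl -w net.ipv4.ip_forward=1
# iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
```

With this in place the IPsec layer is authenticated by the shared secret in ipsec.secrets and the user by MS-CHAPv2 against chap-secrets, which is the password Android refuses to remember; switching the conn to certificate authentication (authby=rsasig with a CA the phone trusts) is the route the author mentions for getting rid of it.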

I love Android and I suspect many other platforms won’t be much better, but this really is a bit shit. I can only see a few options:

  1. Get OpenVPN onto the stock firmware and set up OpenVPN tunnels. For this, I will need to root the device, compile the Nexus kernel with tun module support, copy it onto the phone and then install one of the UIs for managing the VPN.
  2. Switch to CyanogenMod to gain these features, at the cost of the stability of the stable releases from Google/Samsung.
  3. Re-compile the source released by Samsung and apply the patches from CyanogenMod that add OpenVPN support to the GUI.
  4. Re-compile the source released by Samsung and apply patches to the VPN controls in Android to fix VPN handling properly. This still doesn’t fix the fact that IPsec is a bit shit in general.

All of these are somewhat time-intensive activities, as well as being way beyond the level of a normal user, or even most technical users for that matter.

I’m wondering if option 3 is going to be the best from a learning-curve and control perspective, but I might end up doing 1 or 2 just to get the thing up and running so I can start using it properly.

It’s very frustrating, since there’s some cool stuff I can now do on Android 2.3, like native SIP support, that I just need to get the VPN online for first. :-(