A colleague from work recently pointed out that the $12 server he picked up after I had sent around the "LOOK AT THIS BARGIN" link was a perfect tool for circumventing the port block that was in place in the corporate guest wifi (said port block effectively rendering it useless for anything but basic web browsing).I don't know anything about this kind of behavior, yet was equally interested in this VPN for another, yet to be named use case.
THE INSTALL
The link below has the best explanation of how do this:
http://tipupdate.com/how-to-install-openvpn-on-ubuntu-vps/
I archived it as a PDF should this disappear any time soon.
On my personal experience of the installation was as follows (all done through "root"):
Success.. Success... Success... [Step 9 in the instructions] FAIL.
Note: in step 5, the following command is run:
. /etc/openvpn/easy-rsa/2.0/build-key client1
This is creating your client user name (i.e. the name you will log into the system as). Also critical for Android at least is to supply a password (and not just press enter on this field).
. /etc/openvpn/easy-rsa/2.0/build-key MY_INITIALS
THE TUN FAILURE
Looking at the log for the init.d startup script:
cat /var/log/syslog
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Cannot allocate TUN/TAP dev dynamically
A quick google suggested that OpenVZ (the server virtual stack that is running on my VPS) often had this error, the root cause being that the kernel did not have the tun network module available. Some citations of security issues (although opinion seems divided) as the leading reason for it not being enabled by default.
Quick confirmation of this:
# modprobe tun
FATAL: Module tun not found.
A quick email to +URPad DC support and its resolved 10 mins later. Great support guys!
Still not working however. More Googlage and this fixed it:
mkdir /dev/net
mknod /dev/net/tun c 10 200
Carrying on from Step 9. Success... Success!
THE P12
What we have done is configured a VPN, secured with "L2TP/IPsec CRT". This is in effect a digital certificate based authentication that you can install on a client (Android phone, laptop etc...) and authenticate automatically with the VPS server.
Android prefers the certificate and key in a single package (pkcs12 to be specific), so we need to combine the client certs + keys into a single file.
In the directory where we created the client keys (/etc/openvpn/easy-rsa/2.0/keys), the following files exist:
-rw-r--r-- 1 root root 3913 Jan 22 09:39 client1.crt
-rw------- 1 root root 887 Jan 22 09:39 client1.key
# cd /etc/openvpn/easy-rsa/2.0/keys
# openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile dh1024.pem -out certs.p12
This outputs the file "certs.p12" which is a combo of the .crt and .key file.
ANDROID INSTALL
To download the .p12 file from the server (created in step 3), some obvious ways exist:
THE INSTALL
The link below has the best explanation of how do this:
http://tipupdate.com/how-to-install-openvpn-on-ubuntu-vps/
I archived it as a PDF should this disappear any time soon.
On my personal experience of the installation was as follows (all done through "root"):
Success.. Success... Success... [Step 9 in the instructions] FAIL.
Note: in step 5, the following command is run:
. /etc/openvpn/easy-rsa/2.0/build-key client1
This is creating your client user name (i.e. the name you will log into the system as). Also critical for Android at least is to supply a password (and not just press enter on this field).
. /etc/openvpn/easy-rsa/2.0/build-key MY_INITIALS
THE TUN FAILURE
Looking at the log for the init.d startup script:
cat /var/log/syslog
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Cannot allocate TUN/TAP dev dynamically
A quick google suggested that OpenVZ (the server virtual stack that is running on my VPS) often had this error, the root cause being that the kernel did not have the tun network module available. Some citations of security issues (although opinion seems divided) as the leading reason for it not being enabled by default.
Quick confirmation of this:
# modprobe tun
FATAL: Module tun not found.
A quick email to +URPad DC support and its resolved 10 mins later. Great support guys!
Still not working however. More Googlage and this fixed it:
mkdir /dev/net
mknod /dev/net/tun c 10 200
Carrying on from Step 9. Success... Success!
THE P12
What we have done is configured a VPN, secured with "L2TP/IPsec CRT". This is in effect a digital certificate based authentication that you can install on a client (Android phone, laptop etc...) and authenticate automatically with the VPS server.
Android prefers the certificate and key in a single package (pkcs12 to be specific), so we need to combine the client certs + keys into a single file.
In the directory where we created the client keys (/etc/openvpn/easy-rsa/2.0/keys), the following files exist:
-rw-r--r-- 1 root root 3913 Jan 22 09:39 client1.crt
-rw------- 1 root root 887 Jan 22 09:39 client1.key
# cd /etc/openvpn/easy-rsa/2.0/keys
# openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile dh1024.pem -out certs.p12
This outputs the file "certs.p12" which is a combo of the .crt and .key file.
ANDROID INSTALL
To download the .p12 file from the server (created in step 3), some obvious ways exist:
- Download the certificates via app like WinSCP or file manager such as Servant Salamander with a SCP plugin and copy to your Android phone via the SDCard or USB (mass storage or ADB if your adventurous)
- Grab them directly from the server via your Android phone
- Email them to yourself on the phone
I went for the latter option - nice and clean. Android supports receiving uuencoded data, which is very easy to send from a shell. On the server, I ran the following:
# cd /etc/openvpn/easy-rsa/2.0/keys
# uuencode certs.p12 certs.p12 | mail -s "VPN Files" MYEMAILADDRESS@gmail.com -- -f MYEMAILADDRESS@gmail.com
Note: The uuencode first param is the input file, the second is the name of the attachment you want the file to appear as in the email.
In gmail app in Android, I simply selected the file and "saved" it to the phone. This doesn't give you an option of where to save it, but that is not important thankfully.
You can then import the certificates by going to:
In gmail app in Android, I simply selected the file and "saved" it to the phone. This doesn't give you an option of where to save it, but that is not important thankfully.
You can then import the certificates by going to:
- Settings Menu
- Security Menu
- Install from SDCard
- Then select the "Download" directory and then the file that you emailed yourself.
No comments:
Post a Comment