1. Introduction
OpenVPN on Android
Concluding Remarks
OpenVPN on Android
Friedrich Schaeuffelhut
Freelance Software Developer
Munich
Droidcon Berlin, 2013
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.
Friedrich Schaeuffelhut OpenVPN on Android
Outline
1 Introduction
    About VPNs
    About OpenVPN
2 OpenVPN on Android
    Overview
    Rooted Phone versus Android 4 VPN Service API
    Implementations explained
    Configuration Considerations
3 Concluding Remarks
    OpenVPN Settings as a Library
    Community
What is a VPN?
A VPN (Virtual Private Network) extends a private network across public networks like the internet [1].
[1] http://en.wikipedia.org/wiki/Virtual_private_network
Why use a VPN?
Connect multiple sites
    Form one logical network
Allow roaming users to
    access files on a server / NAS
    receive / send email via private mail server
    access private servers, e.g. SCM, Jenkins, etc.
Create a network of trusted users
    Simpler security configuration inside
    Direct communication between remote users, e.g. exchange GIT commits between developers
What is OpenVPN?
OpenVPN is an open source (GPL) VPN solution written by James Yonan.
Available since 2001 (version 0.90) on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, Windows 2000/XP/Vista/7 and Android.
OpenVPN is a trademark of OpenVPN Technologies Inc. and is commercially backed by this company.
What technology is used by OpenVPN?
Encryption
    SSL based VPN (the same protocol as used in https)
    Uses OpenSSL
Kernel virtual network device
    TUN: Layer 3, IP packets
    TAP: Layer 2, Ethernet frames
Connection to VPN peer
    Uses UDP or TCP
    Encrypts data and control channel
Why use OpenVPN?
Firewall friendly, only one port is needed
Network Address Translation (NAT) friendly
Simple installation
Same configuration can run on all platforms
Flexible user authentication
    Preshared key
    Username/Password authentication
    X.509 Certificates
Includes script for managing RSA certificates and keys
OpenVPN on Android?
OpenVPN should run on Android - after all it’s Linux, isn’t it?
TUN/TAP access requires root privileges
    No “su” for apps on a standard Android device
    Most devices can be rooted, then “su” is available
Android 4 (ICS) offers a VPN API (creating a TUN device for the app)
Short History of OpenVPN on Android
Compiled OpenVPN for ADP1 in January 2009
    Used AOSP source to compile, NDK did not exist
    Added liblzo and missing ciphers to OpenSSL
Published source at github.com/fries
Alternate firmwares like CyanogenMod [2] picked it up
[2] http://www.cyanogenmod.org/
OpenVPN Settings
OpenVPN binary alone is not very useful
OpenVPN Settings
    modeled after Wifi Settings
    starts/stops a config stored on SD card
    now has 50,000 users
OpenVPN Installer
    ADP1 had limited storage ⇒ separate app
    copies binary into /system/xbin
The Present and the Future
VPN Service API is now available on Android 4 (ICS, API Level 14+)
No root required anymore
New apps emerge
    ics-openvpn [3] by Arne Schwabe
    TorGuard [4] app by Florida-based VPNetworks LLC
[3] https://code.google.com/p/ics-openvpn
[4] http://torguard.net
Rooted Phone versus Android 4 VPN Service API
                   Rooted Phone        VPN Service API
API Level          4+                  14+
Kernel device      TUN or TAP          TUN only
Device opened by   OpenVPN             Android
ifconfig           OpenVPN             Android
Routes             OpenVPN             Android
DNS servers        App via setprop     Android
Search domains     App via setprop     Android
Tethering          Yes                 No [5]
[5] Hot spot enabled, but no data transmitted
Is support for rooted devices required?
Android 4 VPN Service API is
    very secure
    useful for most users
Rooted phones
    allow TAP devices and tethering
    ideal for the enthusiast
    still useful even on Android 4
OpenVPN Settings will
    maintain support for rooted devices
    support the Android 4 VPN Service API
    leave the choice to the user
Implementations explained
    OpenVPN management interface
    Rooted Phones
    Android 4 VPN Service API
The Management Interface
Connect via UNIX domain socket
Request/Respond username/password
Request/Respond passphrase
Restart/Terminate tunnel
Read status messages and byte counts
Query current tunnel state
Monitoring the OpenVPN Program
App creates UNIX domain socket
OpenVPN connects in management-client mode
    OpenVPN exits when management connection is closed
    OpenVPN exits when app is killed
Socket is protected by file system permissions
    only app and OpenVPN can access socket
Used on both rooted devices and with VPN Service API
Rooted devices
Supported by “OpenVPN Settings” [6]
Standard OpenVPN binary compiled for Android
Started via ’su’ command
OpenVPN configures network interface and routes
    calls ifconfig and route
    Android ifconfig and route are very simple
    busybox provides compatible ifconfig and route
[6] https://code.google.com/p/android-openvpn-settings/
Android 4 VPN Service
Implemented in ics-openvpn and “OpenVPN Settings”
User must grant permission to use VpnService
Android creates TUN device for app
    ⇒ Hand over TUN FD from app to OpenVPN
    ⇒ OpenVPN must send interface parameters to app (IP address, routes, DNS server, etc.)
Protect TCP/UDP connection from new default route
    ⇒ Hand over TCP/UDP socket from OpenVPN to app
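The management-interface exchange of the last three slides (the app listening on a UNIX domain socket, OpenVPN connecting in management-client mode and being answered with credentials, hold release, state and byte counts, and on Android 4 handing interface parameters to the app) as an added Python example; this is not code from OpenVPN Settings, ics-openvpn or OpenVPN itself. The socket path and credentials are constructed placeholders, and the layout of the Android-specific NEED-OK 'IFCONFIG' message is an assumption.

```python
import os, socket

# Constructed placeholder credentials; a real app prompts the user instead.
CREDENTIALS = {"username": "client1", "password": "example-secret",
               "passphrase": "example-key-passphrase"}

def handle_line(line, creds, tun):
    """Commands the app sends back for one OpenVPN notification; data lands in tun."""
    if line.startswith(">PASSWORD:Need 'Auth' username/password"):
        return ['username "Auth" %s' % creds["username"],
                'password "Auth" %s' % creds["password"]]
    if line.startswith(">PASSWORD:Need 'Private Key' password"):
        return ['password "Private Key" %s' % creds["passphrase"]]
    if line.startswith(">HOLD:"):  # OpenVPN waits until the app releases it
        return ["hold release"]
    if line.startswith(">STATE:"):  # fields: time,state,desc,local_ip,remote_ip
        tun["state"] = line[len(">STATE:"):].split(",")[1]
    elif line.startswith(">BYTECOUNT:"):  # fields: bytes_in,bytes_out
        tun["bytes_in"], tun["bytes_out"] = map(int, line[len(">BYTECOUNT:"):].split(","))
    elif line.startswith(">NEED-OK:Need 'IFCONFIG' confirmation MSG:"):
        # Android-only extension (layout "ip netmask mtu topology" assumed): OpenVPN
        # cannot run ifconfig, so the app feeds VpnService.Builder and acknowledges.
        ip, netmask, mtu, topology = line.split("MSG:", 1)[1].split()
        tun.update(address=ip, netmask=netmask, mtu=int(mtu), topology=topology)
        return ["needok 'IFCONFIG' ok"]
    return []

def serve(path, creds=CREDENTIALS):
    """Accept OpenVPN run with '--management <path> unix --management-client
    --management-query-passwords --management-hold'; socket mode 0600 limits access."""
    if os.path.exists(path):
        os.unlink(path)
    old = os.umask(0o177)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.umask(old)
    srv.listen(1)
    conn, _ = srv.accept()
    conn.sendall(b"state on\r\nbytecount 5\r\n")  # state changes + counters every 5 s
    tun, buf = {}, b""
    while True:
        data = conn.recv(4096)
        if not data:  # OpenVPN exits once either side closes this connection
            break
        buf += data
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            for reply in handle_line(raw.decode(errors="replace").rstrip("\r"), creds, tun):
                conn.sendall(reply.encode() + b"\r\n")
    conn.close()
```

Call serve() with the socket path (an assumption, e.g. one inside the app's private data directory) before starting OpenVPN; closing the connection is what terminates the tunnel.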
Packet Transport
    TUN vs TAP
    UDP vs TCP
    TCP over TCP
TUN vs TAP
TUN and TAP are virtual network kernel devices [7]
              TAP                    TUN
level         2                      3
simulates     link layer device      network layer device
operates on   ethernet frames        IP packets
network       bridge                 routing
[7] http://en.wikipedia.org/wiki/TUN/TAP
UDP vs TCP
UDP           TCP
unreliable    reliable
unordered     ordered
datagram      stream
Data Channel Encapsulation
TCP over TCP
“Why TCP Over TCP Is A Bad Idea” by Olaf Titz [8]
TCP over TCP tends to break TCP’s retransmission algorithm when the underlying connection suffers from packet loss
High packet loss will worsen the effect
UDP is better suited for packet transport than TCP
[8] http://sites.inka.de/~W1011/devel/tcp-tcp.html
UDP versus TCP in Mobile Networks
UDP the winner for tunneling?
UDP in mobile networks has its drawbacks too
    Mobile devices are usually behind a NAT gateway
    For TCP the NAT session lasts as long as the TCP connection exists
    UDP has no connection, NAT sessions must time out
    Once the NAT session has been discarded, the remote VPN endpoint can not reach the mobile endpoint
    Keep-alive packets are needed to keep the connection up
    But this will keep the radio busy and drain the battery
Personally I use UDP without problems
Creating a Configuration
Setting up Certificates
code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo
# Create the CA
KEY_CN=ca KEY_EMAIL=ca@acme ./pkitool --initca
# Create the server certificate
KEY_CN=server KEY_EMAIL=server@acme ./pkitool --server server
# Create one certificate per client (values spelled out: a prefix assignment such as
# KEY_CN=client1 is not visible when the shell expands $KEY_CN in the argument list)
KEY_CN=client1 KEY_EMAIL=client1@acme ./pkitool client1
KEY_CN=client2 KEY_EMAIL=client2@acme ./pkitool client2
Creating a Configuration
OpenVPN Configuration Files
code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

client.conf:
    proto udp
    dev tun
    topology subnet
    tls-client
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    remote ***** YOUR SERVERS IP ADDRESS *****
    rport 1194
    pull

server.conf:
    mode server
    proto udp
    dev tun
    topology subnet
    tls-server
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    remote-cert-tls client
    port 1194
    ifconfig 10.0.0.1 255.255.255.0
    client-config-dir vpnclients.ccd
OpenVPN Settings as a Library
Create your own OpenVPN based client
Licensed under the GPLv3
Split in app and library modules
Supports
    rooted phones (API Level 4+)
    Android 4 VPN service (API Level 14+)
Implements OpenVPN service
Client API connecting to OpenVPN service
    can be used for custom clients
Commercial license available [9]
[9] email friedrich@schaeuffelhut.de
The TorGuard App
Using OpenVPN Settings as a Library
US start-up offering privacy
Provides anonymous internet access
Choose a server, press Connect
Trust the App
Type in credentials
Surf anonymously
The TorGuard App
Using OpenVPN Settings as a Library
Download TorGuard from Google Play
For free trial send email to DroidconBerlin2013@torguard.tg
For 20% discount use code DroidconBerlin2013
Community
Google Group for “OpenVPN Settings for Android”
Follow “OpenVPN Settings” on Google+
Follow me on Google+: Friedrich Schaeuffelhut
Follow me on Twitter: @fschaeuffelhut
Summary
OpenVPN Networking
Android Implementation
Configuration
OpenVPN Settings Library
Outlook
    Publish updated version of OpenVPN Settings
    Unified OpenVPN for rooted devices and VPN service
Acknowledgements
OpenVPN: James Yonan and OpenVPN Technologies Inc
OpenVPN for Android 4 VPN service API: Arne Schwabe
Supporting my work: TorGuard, VPNetwork LLC.
Thank You!