                              OpenVPN on Android

                                   Friedrich Schaeuffelhut

                                    Freelance Software Developer
                                              Munich


                                    Droidcon Berlin, 2013


This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.




                              Friedrich Schaeuffelhut      OpenVPN on Android

Outline

  1   Introduction
         About VPNs
         About OpenVPN
  2   OpenVPN on Android
        Overview
        Rooted Phone versus Android 4 VPN Service API
        Implementations explained
        Configuration Considerations
  3   Concluding Remarks
        OpenVPN Settings as a Library
        Community



What is a VPN?
  A VPN (Virtual Private Network) extends a private network
  across public networks like the internet [1]

    [1] http://en.wikipedia.org/wiki/Virtual_private_network

Why use a VPN?


     Connect multiple sites
     Form one logical network
     Allow roaming users to
         access files on a server / NAS
         receive / send email via private mail server
         access private servers, e.g. SCM, Jenkins, etc.
     Create a network of trusted users
         Simpler security configuration inside
         Direct communication between remote users
         e.g. exchange GIT commits between developers




What is OpenVPN?

    OpenVPN is an open source (GPL) VPN solution written by James Yonan
    Available since 2001 (version 0.90)
    Runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX,
    Mac OS X, Windows 2000/XP/Vista/7 and Android
    OpenVPN is a trademark of OpenVPN Technologies Inc.,
    which backs the project commercially





What technology is used by OpenVPN?

     Encryption
         SSL/TLS based VPN (the same protocol family as https)
         Uses OpenSSL
     Kernel virtual network device
         TUN: layer 3, IP packets
         TAP: layer 2, Ethernet frames
     Connection to VPN peer
         Uses UDP or TCP
         Both the control channel (TLS) and the data channel
         (symmetric cipher keyed over the control channel) are encrypted





Why use OpenVPN?

    Firewall friendly: only one port is needed
    Network Address Translation (NAT) friendly
    Simple installation
    The same configuration can run on all platforms
    Flexible user authentication
        Pre-shared key
        Username/password authentication
        X.509 certificates
    Includes scripts (easy-rsa, e.g. pkitool) for managing RSA certificates and keys




OpenVPN on Android?

     OpenVPN should run on Android: after all it's Linux, isn't it?
     Opening a TUN/TAP device requires root privileges
     No "su" for apps on a standard Android device
     Most devices can be rooted; then "su" is available
     Android 4 (ICS) offers a VPN API
     (the system creates the TUN device on the app's behalf)





Short History of OpenVPN on Android



         Compiled OpenVPN for the ADP1 in January 2009
         Used the AOSP source tree to compile; the NDK did not exist yet
         Added liblzo and the missing ciphers to OpenSSL
         Published source at github.com/fries
         Alternative firmwares like CyanogenMod [2] picked it up

    [2] http://www.cyanogenmod.org/

OpenVPN Settings


     OpenVPN binary alone is not very useful

     OpenVPN Settings
         modeled after Wifi Settings
         starts/stops a config stored on SD card
         now has 50,000 users

     OpenVPN Installer
         ADP1 had limited storage ⇒ separate App
         copies binary into /system/xbin





The Present and the Future



         The VPN Service API is available on Android 4 (ICS, API level 14+)
         No root required anymore
         New apps emerge
              ics-openvpn [3] by Arne Schwabe
              TorGuard [4] app by Florida-based VPNetworks LLC

    [3] https://code.google.com/p/ics-openvpn
    [4] http://torguard.net

Rooted Phone versus Android 4 VPN Service API


                          Rooted Phone         VPN Service API
   API Level              4+                   14+
   Kernel device          TUN or TAP           TUN only
   Device opened by       OpenVPN              Android
   ifconfig               OpenVPN              Android
   Routes                 OpenVPN              Android
   DNS servers            App via setprop      Android
   Search domains         App via setprop      Android
   Tethering              Yes                  No [5]

    [5] Hot spot enabled, but no data transmitted

Is support for rooted devices required?

      The Android 4 VPN Service API
          needs no root: the user consents once via a system dialog and
          the TUN device is handed to the app as a file descriptor
          covers what most users need
      Rooted phones
          allow TAP devices and tethering
          ideal for the enthusiast
          still useful even on Android 4
      OpenVPN Settings will
          maintain support for rooted devices
          support the Android 4 VPN Service API
          leave the choice to the user




Implementations explained




     OpenVPN management interface
     Rooted Phones
     Android 4 VPN Service API





The Management Interface



     The app talks to OpenVPN over a UNIX domain socket
     OpenVPN requests, the app supplies: username/password
     OpenVPN requests, the app supplies: private key passphrase
     Restart/terminate the tunnel (signal SIGUSR1 / SIGTERM)
     Read status messages and byte counts
     Query the current tunnel state





Monitoring the OpenVPN Program


     The app creates a UNIX domain socket
     OpenVPN connects to it in management-client mode
     OpenVPN exits when the management connection is closed,
     so it also exits when the app is killed
     The socket is protected by file system permissions:
     only the app and OpenVPN can access it
     (keep it in the app's private data directory, never on external storage)

     Used on both rooted devices and with the VPN service API
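The exchange described on the two slides above, as an added example that is not code from OpenVPN Settings or ics-openvpn. It uses only notifications and commands documented in OpenVPN's management-notes.txt (">PASSWORD:Need 'Auth' username/password", ">HOLD:", ">STATE:", ">BYTECOUNT:", "hold release", "state on", "bytecount", "signal"); the socket path, the credentials and the sample transcript are constructed for the demo. OpenVPN would be started as "openvpn --config client.conf --management <path> unix --management-client --management-query-passwords --management-hold" so that it connects to the socket the app created.

```python
import os
import re
import socket
import struct


class Credentials:
    """What the app can answer when OpenVPN asks (constructed for the demo)."""

    def __init__(self, username, password, key_passphrase=None):
        self.username = username
        self.password = password
        self.key_passphrase = key_passphrase


def quote(value):
    """Quote one argument for the management interface: double quotes group
    a word, backslash escapes a quote or a backslash inside it."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def handle_line(line, creds):
    """Interpret one line from OpenVPN. Returns (event, replies): an event
    dict for the UI and the command lines to write back, if any."""
    line = line.rstrip('\r\n')
    need = re.match(r">PASSWORD:Need '([^']+)' (.+)", line)
    if need:
        kind, what = need.groups()          # kind is 'Auth' or 'Private Key'
        if what == 'username/password':
            return ({'event': 'auth', 'type': kind},
                    ['username %s %s' % (quote(kind), quote(creds.username)),
                     'password %s %s' % (quote(kind), quote(creds.password))])
        if what == 'password' and creds.key_passphrase is not None:
            return ({'event': 'passphrase', 'type': kind},
                    ['password %s %s' % (quote(kind), quote(creds.key_passphrase))])
        # nothing to offer: stop the daemon instead of leaving it hanging
        return {'event': 'auth-unavailable', 'type': kind}, ['signal SIGTERM']
    if line.startswith('>PASSWORD:Verification Failed:'):
        return {'event': 'auth-failed', 'detail': line.split(':', 2)[2].strip()}, []
    if line.startswith('>HOLD:'):
        # --management-hold: OpenVPN waits for the app before connecting
        return {'event': 'hold'}, ['hold release']
    if line.startswith('>STATE:'):
        # time,state,description,local ip,remote ip (newer versions add fields)
        f = line[len('>STATE:'):].split(',') + ['', '', '', '']
        return ({'event': 'state', 'time': int(f[0]), 'state': f[1],
                 'desc': f[2], 'local_ip': f[3], 'remote_ip': f[4]}, [])
    if line.startswith('>BYTECOUNT:'):
        rx, tx = (int(n) for n in line[len('>BYTECOUNT:'):].split(','))
        return {'event': 'bytecount', 'in': rx, 'out': tx}, []
    if line.startswith('>'):
        return {'event': 'notice', 'line': line}, []   # >LOG:, >INFO:, ...
    return {'event': 'reply', 'line': line}, []        # SUCCESS:/ERROR:/command output


def bind_management_socket(path):
    """Create the listening socket OpenVPN connects to. The umask makes the
    socket node 0600 from the moment it exists; a chmod afterwards would
    leave a window in which another uid could connect first."""
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o077)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def peer_is_trusted(conn):
    """SO_PEERCRED (Linux): accept only a peer running as our own uid, or as
    root, which is what a 'su'-started openvpn on a rooted device runs as."""
    fmt = '3i'   # pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, raw)
    return uid in (os.getuid(), 0)


def serve(path, creds, on_event=print):
    """Management side for one OpenVPN process; closing our end makes it exit."""
    srv = bind_management_socket(path)
    conn, _ = srv.accept()
    if not peer_is_trusted(conn):
        conn.close()
        return
    chan = conn.makefile('rw', buffering=1)   # line-buffered text channel
    chan.write('state on\nbytecount 5\n')    # state events, byte counts every 5 s
    for line in chan:
        event, replies = handle_line(line, creds)
        on_event(event)
        for reply in replies:
            chan.write(reply + '\n')


def replay(transcript, creds):
    """Run captured lines through handle_line without a socket."""
    events, replies = [], []
    for line in transcript:
        event, out = handle_line(line, creds)
        events.append(event)
        replies.extend(out)
    return events, replies


# Constructed transcript: hold, auth challenge, state change, byte counts.
SAMPLE_TRANSCRIPT = [
    '>HOLD:Waiting for hold release',
    ">PASSWORD:Need 'Auth' username/password",
    '>STATE:1369922400,CONNECTED,SUCCESS,10.0.0.2,203.0.113.5',
    '>BYTECOUNT:1024,2048',
]

if __name__ == '__main__':
    evs, out = replay(SAMPLE_TRANSCRIPT, Credentials('alice', 'p"w'))
    for e in evs:
        print(e)
    print('sent:', out)
```

The peer check matters on a rooted device: any process with the same uid, or root, can connect to the socket node, so the app should verify the peer credentials and also never create the socket on world-readable storage.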





Rooted devices



         Supported by "OpenVPN Settings" [6]
         Standard OpenVPN binary compiled for Android
         Started via the 'su' command
         OpenVPN configures the network interface and routes itself
              calls ifconfig and route
              Android's own ifconfig and route are very limited
              busybox provides compatible ifconfig and route

    [6] https://code.google.com/p/android-openvpn-settings/

Android 4 VPN Service


     Implemented in ics-openvpn and "OpenVPN Settings"
     The user must grant the app permission to use VpnService
     Android creates the TUN device for the app
     ⇒ the app hands the TUN file descriptor over to OpenVPN
     ⇒ OpenVPN must send the interface parameters to the app
     (IP address, routes, DNS servers, etc.), because only the app
     can apply them through the VpnService.Builder
     The TCP/UDP transport socket must be protected from the new
     default route, or the tunnel would route its own packets into itself
     ⇒ OpenVPN hands the TCP/UDP socket over to the app, which calls
     VpnService.protect() on it
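Both hand-overs on this slide (the TUN descriptor to OpenVPN, the transport socket back to the app) rely on passing an open file descriptor between two processes over a Unix domain socket, because neither side can reopen the other's descriptor by name. The following is an added example of that SCM_RIGHTS mechanism, not code from ics-openvpn or OpenVPN Settings: a socketpair stands in for the management socket, a loopback UDP socket stands in for the transport to the VPN server, the message tag is made up for the demo, and the Android-only VpnService.protect() call is noted in a comment rather than made.

```python
import array
import socket


def send_fd(chan, fd, tag):
    """Send one open descriptor as SCM_RIGHTS ancillary data. The kernel
    duplicates it into the receiving process, which gets its own fd number
    for the same open file description."""
    rights = array.array('i', [fd])
    chan.sendmsg([tag], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_fd(chan, maxfds=1):
    """Receive a tag and up to maxfds descriptors; refuses truncated control data."""
    fds = array.array('i')
    tag, ancdata, flags, _ = chan.recvmsg(64, socket.CMSG_SPACE(maxfds * fds.itemsize))
    if flags & socket.MSG_CTRUNC:
        raise RuntimeError('control data truncated; descriptors lost')
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return tag, list(fds)


def handover_demo():
    """The 'openvpn' end opens its UDP transport and hands it to the 'app'
    end, which must protect() it before the tunnel's default route exists.
    Returns (tag, same_socket, datagram) so the result can be checked."""
    app_end, ovpn_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    transport = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    transport.bind(('127.0.0.1', 0))            # stands in for the socket to the VPN server
    addr = transport.getsockname()
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.sendto(b'hello', addr)                # constructed: a datagram queued before the hand-over

    send_fd(ovpn_end, transport.fileno(), b'PROTECTFD')   # tag made up for the demo
    tag, fds = recv_fd(app_end)
    received = socket.socket(fileno=fds[0])     # the app adopts the duplicate
    same_socket = (received.getsockname() == addr
                   and received.fileno() != transport.fileno())
    received.settimeout(2)
    datagram = received.recv(64)                # readable through the duplicate: same open socket
    # Android only: VpnService.protect(fds[0]) would go here, after which the
    # app answers on the management channel and OpenVPN continues.
    for s in (received, transport, probe, app_end, ovpn_end):
        s.close()
    return tag, same_socket, datagram


if __name__ == '__main__':
    print(handover_demo())
```

The same call in the other direction (the app sending the TUN descriptor it got from VpnService.Builder.establish()) is what lets an unprivileged OpenVPN process read and write the tunnel it could never open itself.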





Packet Transport




     TUN vs TAP
     UDP vs TCP
     TCP over TCP





TUN vs TAP



        TUN and TAP are virtual network kernel devices [7]

                      TAP                      TUN
  level               2                        3
  simulates           link layer device        network layer device
  operates on         Ethernet frames          IP packets
  network             bridge                   routing

   [7] http://en.wikipedia.org/wiki/TUN/TAP

UDP vs TCP




                   UDP                   TCP
                   unreliable            reliable
                   unordered             ordered
                   datagram              stream





Data Channel Encapsulation



         TCP over TCP
               "Why TCP Over TCP Is A Bad Idea" by Olaf Titz [8]
               TCP over TCP tends to break TCP's retransmission
               algorithm when the underlying connection suffers from
               packet loss: the inner and outer retransmission timers
               stack up on each other
         High packet loss will worsen the effect
         UDP is better suited for packet transport than TCP

    [8] http://sites.inka.de/~W1011/devel/tcp-tcp.html

UDP versus TCP in Mobile Networks


     UDP the winner for tunneling?
     UDP in mobile networks has its drawbacks too
         Mobile devices are usually behind a NAT gateway
         For TCP the NAT session lasts as long as the TCP
         connection exists
         UDP has no connection, so NAT sessions must time out
         Once the NAT session has been discarded, the remote
         VPN endpoint can not reach the mobile endpoint
         Keep-alive packets are needed to keep the mapping alive
         (OpenVPN's keepalive directive, e.g. keepalive 10 60: ping
         every 10 s, restart after 60 s of silence; the interval trades
         NAT binding lifetime against radio wake-ups)
         But this will keep the radio busy and drain the battery
     Personally I use UDP without problems




Creating a Configuration
Setting up Certificates

 code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

   Create the CA, then one certificate per server and per client
   (easy-rsa; run ". ./vars" first). Spell the common name out in the
   argument: in "KEY_CN=client1 ... ./pkitool $KEY_CN" the shell expands
   $KEY_CN before the prefix assignment takes effect.

   KEY_CN=ca       KEY_EMAIL=ca@acme        ./pkitool --initca
   KEY_CN=server   KEY_EMAIL=server@acme    ./pkitool --server server
   KEY_CN=client1  KEY_EMAIL=client1@acme   ./pkitool client1
   KEY_CN=client2  KEY_EMAIL=client2@acme   ./pkitool client2





Creating a Configuration
OpenVPN Configuration Files

 code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

 client.conf

   proto udp
   dev tun
   topology subnet

   tls-client
   ca   ca.crt
   cert client.crt
   key  client.key

   remote-cert-tls server

   remote ***** YOUR SERVERS IP ADDRESS *****
   rport 1194

   pull

 server.conf

   mode server
   proto udp
   dev tun
   topology subnet

   tls-server
   ca   ca.crt
   cert server.crt
   key  server.key
   dh   dh1024.pem
   remote-cert-tls client

   port 1194
   ifconfig 10.0.0.1 255.255.255.0
   client-config-dir vpnclients.ccd

 Notes
   remote-cert-tls server/client makes each side check the peer
   certificate's key usage and extended key usage, so a stolen client
   certificate cannot impersonate the server; pkitool --server sets the
   server extensions, plain pkitool does not
   dh1024.pem is what easy-rsa's build-dh produced with the default
   KEY_SIZE of the time; generate at least 2048-bit parameters today
   (set KEY_SIZE in vars before running ./build-dh)
   client.key is an unencrypted private key: keep it in the app's
   private storage, not on the SD card, which other apps can read




OpenVPN Settings as a Library
Create your OpenVPN based Client



           Licensed under the GPLv3
           Split into app and library modules
           Supports
                rooted phones (API level 4+)
                Android 4 VPN service (API level 14+)
           Implements the OpenVPN service
           Client API connecting to the OpenVPN service
                can be used for custom clients
                commercial license available [9]

      [9] email friedrich@schaeuffelhut.de

The TorGuard App
Using OpenVPN Settings as a Library




      US start-up offering privacy
      Provides anonymous internet access

      Choose a server, press Connect
      Trust the App
      Type in credentials
      Surf anonymously





The TorGuard App
Using OpenVPN Settings as a Library




      Download TorGuard from Google Play
      For free trial send email to
      DroidconBerlin2013@torguard.tg
      For 20% discount use code
      DroidconBerlin2013





Community




    Google Group for “OpenVPN Settings for Android”
    Follow “OpenVPN Settings” on Google+
    Follow me on Google+: Friedrich Schaeuffelhut
    Follow me on Twitter: @fschaeuffelhut





Summary


    OpenVPN Networking
    Android Implementation
    Configuration
    OpenVPN Settings Library


    Outlook
        Publish updated version of OpenVPN Settings
        Unified OpenVPN for rooted devices and VPN service.





Acknowledgements




    OpenVPN: James Yonan and OpenVPN Technologies Inc
    OpenVPN for Android 4 VPN service API: Arne Schwabe
    Supporting my work: TorGuard, VPNetwork LLC.




               Thank You!




Android industrial mobility
Android industrial mobility Android industrial mobility
Android industrial mobility Droidcon Berlin
 
From sensor data_to_android_and_back
From sensor data_to_android_and_backFrom sensor data_to_android_and_back
From sensor data_to_android_and_backDroidcon Berlin
 
new_age_graphics_android_x86
new_age_graphics_android_x86new_age_graphics_android_x86
new_age_graphics_android_x86Droidcon Berlin
 
Testing and Building Android
Testing and Building AndroidTesting and Building Android
Testing and Building AndroidDroidcon Berlin
 
Matchinguu droidcon presentation
Matchinguu droidcon presentationMatchinguu droidcon presentation
Matchinguu droidcon presentationDroidcon Berlin
 
Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3Droidcon Berlin
 
The artofcalabash peterkrauss
The artofcalabash peterkraussThe artofcalabash peterkrauss
The artofcalabash peterkraussDroidcon Berlin
 
Raesch, gries droidcon 2014
Raesch, gries   droidcon 2014Raesch, gries   droidcon 2014
Raesch, gries droidcon 2014Droidcon Berlin
 
Android open gl2_droidcon_2014
Android open gl2_droidcon_2014Android open gl2_droidcon_2014
Android open gl2_droidcon_2014Droidcon Berlin
 
20140508 quantified self droidcon
20140508 quantified self droidcon20140508 quantified self droidcon
20140508 quantified self droidconDroidcon Berlin
 
Tuning android for low ram devices
Tuning android for low ram devicesTuning android for low ram devices
Tuning android for low ram devicesDroidcon Berlin
 
Froyo to kit kat two years developing & maintaining deliradio
Froyo to kit kat   two years developing & maintaining deliradioFroyo to kit kat   two years developing & maintaining deliradio
Froyo to kit kat two years developing & maintaining deliradioDroidcon Berlin
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon Berlin
 

Plus de Droidcon Berlin (20)

Droidcon de 2014 google cast
Droidcon de 2014   google castDroidcon de 2014   google cast
Droidcon de 2014 google cast
 
Android programming -_pushing_the_limits
Android programming -_pushing_the_limitsAndroid programming -_pushing_the_limits
Android programming -_pushing_the_limits
 
crashing in style
crashing in stylecrashing in style
crashing in style
 
Raspberry Pi
Raspberry PiRaspberry Pi
Raspberry Pi
 
Android industrial mobility
Android industrial mobility Android industrial mobility
Android industrial mobility
 
Details matter in ux
Details matter in uxDetails matter in ux
Details matter in ux
 
From sensor data_to_android_and_back
From sensor data_to_android_and_backFrom sensor data_to_android_and_back
From sensor data_to_android_and_back
 
droidparts
droidpartsdroidparts
droidparts
 
new_age_graphics_android_x86
new_age_graphics_android_x86new_age_graphics_android_x86
new_age_graphics_android_x86
 
5 tips of monetization
5 tips of monetization5 tips of monetization
5 tips of monetization
 
Testing and Building Android
Testing and Building AndroidTesting and Building Android
Testing and Building Android
 
Matchinguu droidcon presentation
Matchinguu droidcon presentationMatchinguu droidcon presentation
Matchinguu droidcon presentation
 
Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3
 
The artofcalabash peterkrauss
The artofcalabash peterkraussThe artofcalabash peterkrauss
The artofcalabash peterkrauss
 
Raesch, gries droidcon 2014
Raesch, gries   droidcon 2014Raesch, gries   droidcon 2014
Raesch, gries droidcon 2014
 
Android open gl2_droidcon_2014
Android open gl2_droidcon_2014Android open gl2_droidcon_2014
Android open gl2_droidcon_2014
 
20140508 quantified self droidcon
20140508 quantified self droidcon20140508 quantified self droidcon
20140508 quantified self droidcon
 
Tuning android for low ram devices
Tuning android for low ram devicesTuning android for low ram devices
Tuning android for low ram devices
 
Froyo to kit kat two years developing & maintaining deliradio
Froyo to kit kat   two years developing & maintaining deliradioFroyo to kit kat   two years developing & maintaining deliradio
Froyo to kit kat two years developing & maintaining deliradio
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicro
 

Dernier

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideHironori Washizaki
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 

Dernier (20)

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 

Droidcon2013 open vpn_schaeuffelhut

  • 1. OpenVPN on Android
    Friedrich Schaeuffelhut, Freelance Software Developer, Munich
    Droidcon Berlin, 2013
    This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.

  • 2. Outline
    1 Introduction: About VPNs; About OpenVPN
    2 OpenVPN on Android: Overview; Rooted Phone versus Android 4 VPN Service API; Implementations explained; Configuration Considerations
    3 Concluding Remarks: OpenVPN Settings as a Library; Community

  • 3. What is a VPN?
    A VPN (Virtual Private Network) extends a private network across public networks like the internet [1]
    [1] http://en.wikipedia.org/wiki/Virtual_private_network

  • 4. Why use a VPN?
    Connect multiple sites
    Form one logical network
    Allow roaming users to
      access files on a server / NAS
      receive / send email via private mail server
      access private servers, e.g. SCM, Jenkins, etc.
    Create a network of trusted users
      Simpler security configuration inside
    Direct communication between remote users
      e.g. exchange GIT commits between developers

  • 5. What is OpenVPN?
    OpenVPN is an open source (GPL) VPN solution (James Yonan)
    Available since 2001 (Version 0.90) on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, Windows 2000/XP/Vista/7 and Android
    OpenVPN is a trademark of OpenVPN Technologies Inc. and commercially backed by this company

  • 6. What technology is used by OpenVPN?
    Encryption
      SSL based VPN (also used in https)
      Using openssl
    Kernel virtual network device
      TUN: Layer 3, IP packets
      TAP: Layer 2, Ethernet frames
    Connection to VPN peer
      Uses UDP or TCP
      Encrypts data and control channel

  • 7. Why use OpenVPN?
    Firewall friendly, only one port is needed
    Network Address Translation (NAT) friendly
    Simple installation
    Same configuration can run on all platforms
    Flexible user authentication
      Preshared key
      Username/Password authentication
      X509 Certificates
    Includes script for managing RSA certificates and keys

  • 8. OpenVPN on Android?
    OpenVPN should run on Android - After all it's Linux, isn't it?
    TUN/TAP access requires root privileges
    No "su" for Apps on a standard Android device
    Most devices can be rooted, then "su" is available.
    Android 4 (ICS) offers VPN API (creating TUN device for the app)

  • 9. Short History of OpenVPN on Android
    Compiled OpenVPN for ADP1 in January 2009
    Used AOSP source to compile, NDK did not exist
    Added liblzo and missing ciphers to OpenSSL
    Published source at github.com/fries
    Alternate firmwares like CyanogenMOD [2] picked it up
    [2] http://www.cyanogenmod.org/

  • 10. OpenVPN Settings
    OpenVPN binary alone is not very useful
    OpenVPN Settings
      modeled after Wifi Settings
      starts/stops a config stored on SD card
      now has 50,000 users
    OpenVPN Installer
      ADP1 had limited storage ⇒ separate App copies binary into /system/xbin

  • 11. The Present and the Future
    VPN Service API is now available on Android 4 (ICS, API Level 14+)
    No ROOT required anymore
    New Apps emerge
      ics-openvpn [3] by Arne Schwabe
      TorGuard [4] App by Florida based VPNetworks LLC
    [3] https://code.google.com/p/ics-openvpn
    [4] http://torguard.net

  • 12. Rooted Phone versus Android 4 VPN Service API
                        Rooted Phone        VPN Service API
    API Level           4+                  14+
    Kernel device       TUN or TAP          TUN only
    Device opened by    OpenVPN             Android
    ifconfig            OpenVPN             Android
    Routes              OpenVPN             Android
    DNS servers         App via setprop     Android
    Search domains      App via setprop     Android
    Tethering           Yes                 No [5]
    [5] Hot spot enabled, but no data transmitted

  • 13. Is support for rooted devices required?
    Android 4 VPN Service API
      is very secure
      useful for most users
    Rooted phones
      allow TAP devices and tethering
      ideal for the enthusiast
      still useful even on Android 4
    OpenVPN Settings will
      maintain support for rooted devices
      support the Android 4 VPN Service API
      leave the choice to the user

  • 14. Implementations explained
    OpenVPN management interface
    Rooted Phones
    Android 4 VPN Service API

  • 15. The Management Interface
    Connect via UNIX domain socket
    Request/Respond username/password
    Request/Respond passphrase
    Restart/Terminate tunnel
    Read status messages and byte counts
    Query current tunnel state

  • 16. Monitoring the OpenVPN Program
    APP creates UNIX domain socket
    OpenVPN connects in management-client mode
    OpenVPN exits when management connection is closed
      OpenVPN exits when APP is killed
    Socket is protected by file system permissions
      only APP and OpenVPN can access socket
    Used on both rooted devices and with VPN service API
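The exchange slides 15 and 16 describe, as an added example that is not code from the talk, from OpenVPN Settings or from OpenVPN: the app binds a UNIX domain socket that only its own uid may open, OpenVPN started with "--management <socket path> unix --management-client" connects to it, and the app answers credential prompts, follows state and byte counts and can terminate (SIGTERM) or restart (SIGUSR1) the tunnel. The socket path, the credentials and the sample notification lines are constructed; the command and notification formats are OpenVPN's own.

```python
# Added example (not from the talk, OpenVPN Settings or OpenVPN): the app side of the
# OpenVPN management interface.  Credentials, socket path and the sample notifications
# below are constructed for this example.
import os
import re
import socket
import stat
import tempfile

PASSWORD_NEED = re.compile(r">PASSWORD:Need '(?P<kind>[^']+)' (?P<what>.+)")


def quote(value):
    """Double-quote an argument so spaces survive the management interface tokenizer."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def bind_management_socket(path):
    """Listen on a UNIX socket file that only the owner may access (bind() honours the umask)."""
    old_umask = os.umask(0o077)
    try:
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
    finally:
        os.umask(old_umask)
    server.listen(1)
    return server


def socket_is_private(path):
    """True if the socket file grants no access bits to group or others."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


class ManagementSession:
    """Tracks tunnel state and turns OpenVPN's notifications into replies."""

    def __init__(self, username, password, key_passphrase=None):
        self.username, self.password, self.key_passphrase = username, password, key_passphrase
        self.state = "UNKNOWN"
        self.bytes_in = self.bytes_out = 0
        self.errors = []

    def handle_line(self, line):
        """Process one line from OpenVPN; return the command lines to send back."""
        line = line.rstrip("\r\n")
        if line.startswith(">INFO:"):  # banner: ask for state events and 5 s byte counts
            return ["state on", "bytecount 5"]
        if line.startswith(">HOLD:"):  # OpenVPN waits in hold state until released
            return ["hold release"]
        if line.startswith(">STATE:"):  # >STATE:<time>,<state>,<desc>,<local ip>,<remote ip>
            self.state = line[len(">STATE:"):].split(",")[1]
            return []
        if line.startswith(">BYTECOUNT:"):  # >BYTECOUNT:<bytes in>,<bytes out>
            bytes_in, bytes_out = line[len(">BYTECOUNT:"):].split(",")
            self.bytes_in, self.bytes_out = int(bytes_in), int(bytes_out)
            return []
        if line.startswith(">PASSWORD:Verification Failed:"):
            self.errors.append(line)
            return ["signal SIGTERM"]  # terminate instead of retrying bad credentials forever
        need = PASSWORD_NEED.match(line)
        if need and need.group("kind") == "Auth":
            return ["username %s %s" % (quote("Auth"), quote(self.username)),
                    "password %s %s" % (quote("Auth"), quote(self.password))]
        if need and need.group("kind") == "Private Key" and self.key_passphrase is not None:
            return ["password %s %s" % (quote("Private Key"), quote(self.key_passphrase))]
        return []


# Constructed transcript of what OpenVPN sends, in the order the app sees it.
SAMPLE_NOTIFICATIONS = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release",
    ">PASSWORD:Need 'Auth' username/password",
    ">STATE:1367840000,CONNECTING,,,",
    ">STATE:1367840003,CONNECTED,SUCCESS,10.0.0.2,198.51.100.7",
    ">BYTECOUNT:1536,4096",
]


def run_exchange(session, lines):
    """Feed notifications through the session and return every reply it would send."""
    replies = []
    for line in lines:
        replies.extend(session.handle_line(line))
    return replies


def demo_private_socket():
    """Bind in a temporary directory and confirm other uids get no access bits."""
    with tempfile.TemporaryDirectory() as directory:
        server = bind_management_socket(os.path.join(directory, "mgmt.sock"))
        try:
            return socket_is_private(server.getsockname())
        finally:
            server.close()
```

In the app the loop is accept() on the bound socket, then for every line read from the connection write back whatever handle_line returns; closing that connection is what makes OpenVPN exit, as slide 16 notes.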
  • 17. Rooted devices
    Supported by "OpenVPN Settings" [6]
    Standard OpenVPN binary compiled for Android
    Started via 'su' command
    OpenVPN configures network interface and routes
      calls ifconfig and route
      Android ifconfig and route are very simple
      busybox provides compatible ifconfig and route
    [6] https://code.google.com/p/android-openvpn-settings/

  • 18. Android 4 VPN Service
    Implemented in ics-openvpn and "OpenVPN Settings"
    User must grant permission to use VpnService
    Android creates TUN device for App
      ⇒ Hand over TUN FD from App to OpenVPN
      ⇒ OpenVPN must send interface parameters to APP (ip address, routes, dns server, etc)
    Protect TCP/UDP connection from new default route
      ⇒ Hand over TCP/UDP socket from OpenVPN to App
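The descriptor hand-over slide 18 describes, as an added example that is not code from ics-openvpn or OpenVPN Settings: file descriptors travel between the two processes as SCM_RIGHTS ancillary data on the UNIX socket, which is how the TUN fd reaches OpenVPN and how OpenVPN's transport socket comes back to the app to be excluded from the tunnel route (VpnService.protect() on Android). Both ends run in one process here; the pipe standing in for the TUN device and the IFCONFIG/ROUTE/DNSSERVER/OPENTUN message lines are constructed for the example and are not the wire format ics-openvpn uses.

```python
# Added example (not from ics-openvpn or OpenVPN Settings): passing descriptors between the
# app and the OpenVPN process with SCM_RIGHTS.  A pipe stands in for the TUN device that
# VpnService.Builder.establish() would return; the message lines are constructed.
import array
import os
import socket


def send_fd(sock, fd, message):
    """Send one descriptor as SCM_RIGHTS ancillary data, with a short message as payload."""
    sock.sendmsg([message], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock):
    """Receive a message and the single descriptor that travelled with it."""
    fds = array.array("i")
    message, ancdata, _flags, _addr = sock.recvmsg(4096, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        raise RuntimeError("expected exactly one file descriptor, got %d" % len(fds))
    return message, fds[0]


def parse_interface_request(text):
    """Turn OpenVPN's interface parameters into what the app feeds VpnService.Builder."""
    params = {"routes": [], "dns": []}
    for line in text.decode().splitlines():
        key, _, rest = line.partition(" ")
        if key == "IFCONFIG":
            address, netmask, mtu = rest.split()
            params.update(address=address, netmask=netmask, mtu=int(mtu))
        elif key == "ROUTE":
            params["routes"].append(tuple(rest.split()))
        elif key == "DNSSERVER":
            params["dns"].append(rest)
        elif key == "OPENTUN":
            params["open_tun"] = True
    if "address" not in params or not params.get("open_tun"):
        raise ValueError("incomplete interface request")
    return params


def simulate_handover():
    """Run the three steps in one process and report what each side ended up with."""
    app, openvpn = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    tun_read, tun_write = os.pipe()                               # stand-in for the TUN fd
    transport = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # OpenVPN's UDP socket
    try:
        # 1. OpenVPN -> app: interface parameters, since only the app can configure the TUN.
        openvpn.sendall(b"IFCONFIG 10.0.0.2 255.255.255.0 1500\nROUTE 10.0.0.0 255.255.255.0\n"
                        b"DNSSERVER 10.0.0.1\nOPENTUN\n")
        params = parse_interface_request(app.recv(4096))
        # 2. App -> OpenVPN: the TUN descriptor (from VpnService.Builder.establish() on Android).
        send_fd(app, tun_read, b"TUNFD")
        _, tun_fd = recv_fd(openvpn)
        # 3. OpenVPN -> app: its transport socket, which the app keeps out of the tunnel's
        #    routes (VpnService.protect() on Android) so the tunnel does not route itself.
        send_fd(openvpn, transport.fileno(), b"PROTECTFD")
        _, protect_fd = recv_fd(app)
        protected = socket.socket(fileno=protect_fd)
        os.write(tun_write, b"packet")  # what the kernel would deliver on the TUN device
        result = {
            "params": params,
            "tun_same_object": os.fstat(tun_fd).st_ino == os.fstat(tun_read).st_ino,
            "tun_delivers_data": os.read(tun_fd, 6) == b"packet",
            "protect_is_udp": protected.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
            == socket.SOCK_DGRAM,
        }
        protected.close()
        os.close(tun_fd)
        return result
    finally:
        os.close(tun_read)
        os.close(tun_write)
        for sock in (app, openvpn, transport):
            sock.close()
```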
  • 19. Packet Transport
    TUN vs TAP
    UDP vs TCP
    TCP over TCP

  • 20. TUN vs TAP
    TUN and TAP are virtual network kernel devices [7]
                    TAP                     TUN
    level           2                       3
    simulates       link layer device       network layer device
    operates on     ethernet frames         IP packets
                    network bridge          routing
    [7] http://en.wikipedia.org/wiki/TUN/TAP

  • 21. UDP vs TCP
    UDP           TCP
    unreliable    reliable
    unordered     ordered
    datagram      stream

  • 22. Data Channel Encapsulation: TCP over TCP
    "Why TCP Over TCP Is A Bad Idea" by Olaf Titz [8]
    TCP over TCP tends to break TCP's retransmission algorithm when the underlying connection suffers from packet loss
    High packet loss will worsen the effect
    UDP is better suited for packet transport than TCP
    [8] http://sites.inka.de/~W1011/devel/tcp-tcp.html

  • 23. UDP versus TCP in Mobile Networks
    UDP the winner for tunneling?
    UDP in mobile networks has its drawbacks too
      Mobile devices are usually behind a NAT gateway
      For TCP the NAT session lasts as long as the TCP connection exists
      UDP has no connection, NAT sessions must time out
      Once the NAT session has been discarded, the remote VPN endpoint can not reach the mobile endpoint
      Keep alive packets are needed to keep the connection up
      But this will keep the radio busy and drain the battery
    Personally I use UDP without problems

  • 24. Creating a Configuration: Setting up Certificates
    code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo
    Create CA:
      KEY_CN=ca KEY_EMAIL=ca@acme ./pkitool --initca
      KEY_CN=server KEY_EMAIL=server@acme ./pkitool --server server
      KEY_CN=client1 KEY_EMAIL=$KEY_CN@acme ./pkitool $KEY_CN
      KEY_CN=client2 KEY_EMAIL=$KEY_CN@acme ./pkitool $KEY_CN

  • 25. Creating a Configuration: OpenVPN Configuration Files
    code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo
    client.conf:
      proto udp
      dev tun
      topology subnet
      tls-client
      ca ca.crt
      cert client.crt
      key client.key
      remote-cert-tls server
      remote ***** YOUR SERVERS IP ADDRESS *****
      rport 1194
      pull
    server.conf:
      mode server
      proto udp
      dev tun
      topology subnet
      tls-server
      ca ca.crt
      cert server.crt
      key server.key
      dh dh1024.pem
      remote-cert-tls client
      port 1194
      ifconfig 10.0.0.1 255.255.255.0
      client-config-dir vpnclients.ccd
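A checker for the client.conf / server.conf pair on slide 25, added here and not code from the talk or its wiki: it parses OpenVPN's directive-per-line format and reports missing peer authentication settings (ca, remote-cert-tls, tls-client/tls-server) and transport settings that differ between the two files. The embedded configs are constructed copies of the slide's with an RFC 5737 documentation address in place of "YOUR SERVERS IP ADDRESS"; the DH size check is only a heuristic on the file name.

```python
# Added example (not from the talk or its wiki): sanity checks for the slide's config pair.
# CLIENT_CONF and SERVER_CONF are constructed copies of slide 25; the server address is an
# RFC 5737 documentation address standing in for "YOUR SERVERS IP ADDRESS".
import re
from collections import defaultdict

CLIENT_CONF = """\
proto udp
dev tun
topology subnet
tls-client
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
remote 192.0.2.10
rport 1194
pull
"""

SERVER_CONF = """\
mode server
proto udp
dev tun
topology subnet
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
remote-cert-tls client
port 1194
ifconfig 10.0.0.1 255.255.255.0
client-config-dir vpnclients.ccd
"""


def parse_config(text):
    """Parse into {directive: [args per occurrence]}; '#' and ';' start comments and an
    inline <tag>...</tag> block (e.g. an embedded <ca>) is stored under 'tag'."""
    config = defaultdict(list)
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:
            body = []
            for inner in lines:
                if inner.strip() == "</%s>" % block.group(1):
                    break
                body.append(inner)
            config[block.group(1)].append(["\n".join(body)])
            continue
        directive, *args = line.split()
        config[directive].append(args)
    return config


def first(config, directive):
    """Arguments of the first occurrence of a directive, or None if it is absent."""
    return config[directive][0] if config.get(directive) else None


def check_pair(client_text, server_text):
    """Return findings for a client/server pair; an empty list means it passes."""
    c, s = parse_config(client_text), parse_config(server_text)
    findings = []
    # Mutual authentication: each side pins a CA and checks the peer certificate's role,
    # otherwise any certificate the CA issued (e.g. another client's) passes as the peer.
    for name, cfg, role in (("client", c, "server"), ("server", s, "client")):
        if "ca" not in cfg:
            findings.append("%s: no 'ca' directive, peer certificate cannot be verified" % name)
        if first(cfg, "remote-cert-tls") != [role]:
            findings.append("%s: missing 'remote-cert-tls %s'" % (name, role))
    if "tls-client" not in c and "client" not in c:
        findings.append("client: neither 'tls-client' nor 'client' set, TLS mode is off")
    if "tls-server" not in s or first(s, "mode") != ["server"]:
        findings.append("server: needs both 'mode server' and 'tls-server'")
    if "dh" not in s:
        findings.append("server: 'dh' parameters are required in tls-server mode")
    else:
        bits = re.search(r"(\d{3,4})", first(s, "dh")[0])  # heuristic on the file name only
        if bits and int(bits.group(1)) < 2048:
            findings.append("server: dh file name suggests %s-bit parameters, regenerate with "
                            "at least 2048 bits" % bits.group(1))
    # Transport settings that must agree on both ends.
    for directive in ("proto", "dev", "topology"):
        if first(c, directive) != first(s, directive):
            findings.append("%s: client %s vs server %s"
                            % (directive, first(c, directive), first(s, directive)))
    if "remote" not in c:
        findings.append("client: no 'remote' server address")
    return findings
```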
  • 26. OpenVPN Settings as a Library
    Create your OpenVPN based Client
    Licensed under the GPLv3
    Split in app and library modules
    Supports
      rooted phones (API Level 4+)
      Android 4 VPN service (API Level 14+)
    Implements OpenVPN service
    Client API connecting to OpenVPN service
      can be used for custom clients
    commercial license available [9]
    [9] email friedrich@schaeuffelhut.de

  • 27. The TorGuard App: Using OpenVPN Settings as a Library
    US start-up offering privacy
    Provides anonymous internet access
    Choose a server, press Connect
    Trust the App
    Type in credentials
    Surf anonymously

  • 32. The TorGuard App: Using OpenVPN Settings as a Library
    Download TorGuard from Google Play
    For free trial send email to DroidconBerlin2013@torguard.tg
    For 20% discount use code DroidconBerlin2013

  • 33. Community
    Google Group for "OpenVPN Settings for Android"
    Follow "OpenVPN Settings" on Google+
    Follow me on Google+: Friedrich Schaeuffelhut
    Follow me on Twitter: @fschaeuffelhut

  • 34. Summary
    OpenVPN
    Networking
    Android Implementation
    Configuration
    OpenVPN Settings Library
    Outlook
      Publish updated version of OpenVPN Settings
      Unified OpenVPN for rooted devices and VPN service.

  • 35. Acknowledgements
    OpenVPN: James Yonan and OpenVPN Technologies Inc
    OpenVPN for Android 4 VPN service API: Arne Schwabe
    Supporting my work: TorGuard, VPNetwork LLC.

  • 36. Thank You!