Thunderbolt OpenVPN Howto

zetarhopike

Member
Mar 29, 2011
I was asked to post how I got the OpenVPN client working on my Thunderbolt with stock rom and kernel so here goes:

1) Root your phone and verify su is working.

2) Install the BusyBox Installer from the Market. When you run the installer, install version 1.18.4 into /system/xbin

3) Remount /system with read/write privileges using adb shell as root:
mount -o remount,rw -t ext3 /dev/block/mmcblk0p25 /system

4) Symlink /system/xbin to /system/xbin/bb from adb shell as root:
ln -s /system/xbin /system/xbin/bb
(this may be an unnecessary step)

5) Push the tun.ko module from my other post to /system/lib/modules:
adb push tun.ko /system/lib/modules
File attached as well.

6) Chmod the tun.ko module, load the module and verify it loaded correctly (from adb shell as root):
chmod 644 /system/lib/modules/tun.ko
insmod /system/lib/modules/tun.ko
lsmod
lsmod output should contain something like "tun 11171 0 - Live 0xbf005000"

7) Install 'OpenVPN Settings' and 'OpenVPN Installer'. We will be replacing the openvpn binary from the installer with another one so it may not be necessary to install 'OpenVPN Installer' at all.

8) Place your openvpn config files (.ovpn, .key and .p12) in /sdcard/openvpn.

9) Replace the openvpn binary in /system/xbin with the one located here
adb push openvpn-static-2.1.1 /sdcard
From adb shell as root:
cp /sdcard/openvpn-static-2.1.1 /system/xbin
cd /system/xbin
mv openvpn openvpn.old
mv openvpn-static-2.1.1 openvpn
File repackaged and attached as well.

10) Start up 'OpenVPN Settings' and open the Advanced Menu:
-check the box for load tun kernel module
-Configure TUN module settings to use insmod with /system/lib/modules/tun.ko as the path
-check the box for 'Fix HTC Routes'

11) Turn on OpenVPN and connect.

12) Edited copy of my client config:
dev tun
dev-node /dev/tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote your_server_name 1194
auth-user-pass password.txt <--insecure, remove after testing
pkcs12 your_config_name.p12
tls-auth your_config_name.key 1

13) Troubleshooting
-netcfg command should show tun0 as up and with an ip from your vpn subnet
-'cat /proc/net/route' should show one or more entries for tun0 depending on your configuration

This is my first Android phone so I am by no means an expert.
I have not had anyone else test this yet but it is working for me including DNS and routing. I'd be happy to modify my post if anyone has any suggestions or additions.
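An added example, not part of the original post: a small POSIX sh helper for the checks in steps 6 and 13 and the config caveat in step 12. It does not talk to the phone; paste the output of `lsmod`, `cat /proc/net/route` and your client config from an adb shell into its functions. The sample inputs embedded below are constructed, and the 10.8.0.0/24 subnet, 10.8.0.5 gateway and file names are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Offline checks for steps 6, 12
# and 13: paste real output from an adb shell into these functions.
# All sample inputs below are constructed; subnet, gateway and file names are
# assumptions, not values from the post.

# tun_module_loaded LSMOD_TEXT : true if a module named "tun" is listed (step 6)
tun_module_loaded() {
    printf '%s\n' "$1" | grep -q '^tun[[:space:]]'
}

# hex_le_to_ip HEX8 : /proc/net/route stores addresses as little-endian hex,
# so 0000080A is 10.8.0.0
hex_le_to_ip() {
    h=$1
    a=$(printf %s "$h" | cut -c7-8); b=$(printf %s "$h" | cut -c5-6)
    c=$(printf %s "$h" | cut -c3-4); d=$(printf %s "$h" | cut -c1-2)
    printf '%d.%d.%d.%d' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# tun_routes < ROUTE_TABLE : "dest/mask via gw" for each tun0 entry (step 13
# expects at least one once the tunnel is up)
tun_routes() {
    while read -r iface dest gw flags refcnt use metric mask rest; do
        [ "$iface" = "tun0" ] || continue
        printf '%s/%s via %s\n' "$(hex_le_to_ip "$dest")" \
            "$(hex_le_to_ip "$mask")" "$(hex_le_to_ip "$gw")"
    done
}

# config_warnings < CLIENT_CONFIG : one line per setting to remove before the
# config is left on /sdcard (FAT filesystem, so no file permissions apply)
config_warnings() {
    while read -r key arg rest; do
        case $key in
            auth-user-pass)
                if [ -n "$arg" ]; then
                    printf 'auth-user-pass %s: cleartext password file on /sdcard, readable by other apps\n' "$arg"
                fi ;;
            cipher)
                if [ "$arg" = "none" ]; then
                    printf 'cipher none: tunnel payload is sent unencrypted\n'
                fi ;;
        esac
    done
}

# ---- constructed sample inputs ----
SAMPLE_LSMOD='tun 11171 0 - Live 0xbf005000'

# 10.8.0.0/24 on tun0, 10.0.0.0/8 pushed via 10.8.0.5, cellular default on rmnet0
SAMPLE_ROUTE='Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
tun0 0000080A 00000000 0001 0 0 0 00FFFFFF 0 0 0
tun0 0000000A 0500080A 0003 0 0 0 000000FF 0 0 0
rmnet0 00000000 0100000A 0003 0 0 0 00000000 0 0 0'

SAMPLE_OVPN='dev tun
client
cipher AES-128-CBC
auth-user-pass password.txt
pkcs12 client.p12'

if tun_module_loaded "$SAMPLE_LSMOD"; then
    echo "tun module: loaded"
else
    echo "tun module: NOT loaded (insmod /system/lib/modules/tun.ko)"
fi
echo "tun0 routes:"
printf '%s\n' "$SAMPLE_ROUTE" | tun_routes
echo "config warnings:"
printf '%s\n' "$SAMPLE_OVPN" | config_warnings
```

On a real device, `adb shell cat /proc/net/route > route.txt` followed by `tun_routes < route.txt` gives the step 13 check in readable form; an empty result while 'OpenVPN Settings' reports connected means the routes were never installed, which is what the 'Fix HTC Routes' option in step 10 is for.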
 
Tried this tun.ko on stock (2.6.32.21-gb05544a), rooted TB and using VPN Connections (v.99) to a Cisco ASA5510 firewall.

VPN Tunnel created and ASA shows authentication (group and user name/password passed properly), however, it will not pass any data AND ASA log begins to show "Unsupported message length of 0" shortly after tunnel creation.

The ASA configuration is solid and I have numerous standard Cisco VPN clients, one (1) iPhone 4, two (2) iPads, two (2) Droid X's (stock Froyo but rooted, running VPN Connections (v.99)) and all work without issue.

Is there something I'm missing or is it that this tun.ko is compiled for a slightly older TB OS version?

FWIW: I placed insmod within the init.rc file (as I did on the Droid X's) and it is launched at phone boot.
 
The module is compiled with the most recent HTC kernel source release and works fine with OpenVPN; I have been using it for a couple weeks now without issue. I have been unable to get vpnc on my TB to work with our Cisco ASA appliance however. The issue is not with the module but with the port of vpnc. The vpnc port project seems to be basically dead, see get-a-robot-vpnc issue list
Can you post your vpnc logs so I can compare them with mine (make sure you sanitize them and have the debug level turned up)? I have made some modifications to the vpnc script that have fixed some of the errors but I still have yet to have the routes created correctly. Have you tried modifying your vpnc script? Which version of BusyBox are you running and where do you have it installed? I noticed that the 1.18 version from the installer in the Market was missing some commands that vpnc needs, so I rolled back to 1.17.
 
In looking at the ASA logs, I noticed the following using this tun.ko:

Group = OVPN, Username = xxxx, IP = 16.xxx.xxx.xxx, Client Type: Linux Client Application Version: ERSION

Interesting?

EDIT
Posted as you posted. How do I get logging on vpnc? There is only an option "VPNC FLAGs" and nothing else.
 
/data/data/org.codeandroid.vpnc_frontend/files/vpnc --script /data/data/org.codeandroid.vpnc_frontend/files/vpnc-script --no-detach
Enter IPSec gateway address:
190.xxx.xxx.xxx
Enter IPSec ID for 190.xxx.xxx.xxx:
VPNC1
Enter IPSec secret for VPNC1@190.xxx.xxx.xxx:
xxxxxxxx
Enter username for 190.xxx.xxx.xxx:
xxxx
Enter password for xxxx@190.xxx.xxx.xxx:
*********



process stderr


vpnc still trying to connect. Will check again in 500 milliseconds
which: not found
which: not found
which: not found

process stderr which: not found
which: not found
which: not found

vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
backing up dns and resolve.conf
vpnc-script ran to completion

process stdout Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
Invalid argument
backing up dns and resolve.conf
vpnc-script ran to completion

which: not found
which: not found
which: not found
: permission denied
cp: can't stat '/etc/resolv.conf': No such file or directory
vpnc[10658]: can't open pidfile /var/run/vpnc/pid for writing

process stderr which: not found
which: not found
which: not found
: permission denied
cp: can't stat '/etc/resolv.conf': No such file or directory
vpnc[10658]: can't open pidfile /var/run/vpnc/pid for writing

Connect string detected!
 
I had the same issue with the command 'which'; I rolled back to BusyBox 1.17 since 1.18 does not seem to have it. You'll also want to change your pidfile to something on /mnt/sdcard or some other valid location that is writable.
Adding the following vpnc flags will give you more verbose output and change the pid file location:
--debug 1 --pid-file /sdcard/vpnc-pid
(debug level can be set from 1 to 99)
You may also want to try running vpnc manually from an adb shell. Just copy the command string from the log with the addition of the flags I mentioned above.

Check issue 124, Issue 124 - get-a-robot-vpnc - adapted vpnc-script for Froyo - VPN Connections for android - Google Project Hosting, I based my vpnc script modifications on the file attached to the first post.
 
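An added example that is not part of this thread: a sh function that scans a pasted 'VPN Connections' log for the messages discussed in the posts above and prints, once per distinct symptom, the remedy the thread arrived at. The sample log lines are constructed from the messages quoted in the thread, and the pid-file path is the one suggested above.

```shell
#!/bin/sh
# Added example, not part of this thread: scan a pasted 'VPN Connections' log
# for the messages discussed above and print the remedy the thread reached for
# each. Sample log lines are constructed from the messages quoted in the thread.

# vpnc_flags : extra flags recommended above (the pid-file path is an example)
vpnc_flags() {
    printf '%s' '--debug 1 --pid-file /sdcard/vpnc-pid'
}

# triage < LOGTEXT : one "symptom -> remedy" line per distinct problem found
triage() {
    seen=''
    while IFS= read -r line; do
        case $line in
            *'which: not found'*)              tag=which ;;
            *"can't open pidfile"*)            tag=pidfile ;;
            *'/etc/resolv.conf'*)              tag=resolv ;;
            *'Device "rmnet" does not exist'*) tag=rmnet ;;
            *'Invalid argument'*)              tag=einval ;;
            *) continue ;;
        esac
        case " $seen " in *" $tag "*) continue ;; esac   # report each symptom once
        seen="$seen $tag"
        case $tag in
            which)   echo "which: not found -> BusyBox 1.18 from the Market lacks 'which'; roll back to 1.17" ;;
            pidfile) echo "pidfile -> /var/run is not writable here; add --pid-file with a path on /sdcard" ;;
            resolv)  echo "resolv.conf -> stock vpnc-script copies /etc/resolv.conf, which Android lacks; replace vpnc-script (see issue 124)" ;;
            rmnet)   echo "rmnet -> still logged when the tunnel passes traffic; harmless in this thread" ;;
            einval)  echo "Invalid argument -> absent from the log posted after the BusyBox rollback; rerun with --debug 1 to see which command fails" ;;
        esac
    done
}

# constructed sample: the first log posted above, trimmed to one or two of each message
SAMPLE_LOG=$(cat <<'EOF'
vpnc still trying to connect. Will check again in 500 milliseconds
which: not found
which: not found
Invalid argument
backing up dns and resolve.conf
cp: can't stat '/etc/resolv.conf': No such file or directory
vpnc[10658]: can't open pidfile /var/run/vpnc/pid for writing
Connect string detected!
EOF
)

echo "suggested flags: $(vpnc_flags)"
printf '%s\n' "$SAMPLE_LOG" | triage
```

To use it on a fresh log, run the vpnc command string from the frontend manually in an adb shell with `$(vpnc_flags)` appended, save the output, and pipe it through `triage`.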
Group = OVPN
That is odd!
In my logs, "Group" is equal to what I have set as my IPSec ID. Does your ASA configuration require an IPSec ID to be set? I think there are some bugs related to configurations that do not use an IPSec ID.
 
That is odd!
In my logs, "Group" is equal to what I have set as my IPSec ID. Does your ASA configuration require an IPSec ID to be set? I think there are some bugs related to configurations that do not use an IPSec ID.

I had changed the log for privacy. Forgot that the ASA log showed the IPSec ID. There isn't a discrepancy, it is correct.
 
Oh, I understand. I assume you are questioning the client application version string, I have no idea what ERSION is.
Client Type: Linux Client Application Version: ERSION
I get something to the effect of "Client Application Version: Unknown" when I connect but I also get that when I connect with vpnc from my laptop (Gentoo). I do not have access to the logs personally but I can get a copy if needed.

EDIT: I should have some time to test this further tonight, I'll post some more info if I make more progress.
 
I changed BusyBox to 1.17 and the 'which' errors went away (but an "rmnet" error showed up), and I used the --debug 1 --pid-file /sdcard/vpnc flags, which got rid of the previous permission denied on the pid file.

Here's what the log looks like now:

process stderr


vpnc still trying to connect. Will check again in 500 milliseconds
vpnc still trying to connect. Will check again in 500 milliseconds
backing up dns and resolve.conf
vpnc-script ran to completion

process stdout backing up dns and resolve.conf
vpnc-script ran to completion

Device "rmnet" does not exist.
cp: can't stat '/etc/resolv.conf': No such file or directory

process stderr Device "rmnet" does not exist.
cp: can't stat '/etc/resolv.conf': No such file or directory

Connect string detected!

Even though the tunnel is up and the ASA shows the connection (pass phase 2), it still begins to show "Unsupported message length of 0" and there is no data to/from the tunnel to the phone.
 
Replaced the vpnc-script (/data/data/org.codeandroid.vpnc_frontend/files) file with the one found here and now everything is working as it should!

Excellent!

NOTE: I checked the log and notice that it still records the "Device "rmnet" does not exist.", however, the vpn tunnel is created and data is being passed. Any ideas on this "rmnet" message?
 
Followed your instructions but still get "cannot allocate tun/tap dynamically" when trying to connect using openvpn. Any suggestions would be much appreciated.