OpenVPN + sTunnel for web browsing on Android (no root)

Samples of working configurations.


Guavaman
OpenVpn Newbie
Posts: 6
Joined: Mon Feb 02, 2015 10:37 pm

OpenVPN + sTunnel for web browsing on Android (no root)

Post by Guavaman » Thu Feb 05, 2015 9:10 am

Goal: Allow Android-based clients to browse the web (with no DNS leaks) through OpenVPN wrapped in an SSL tunnel.

Notes:
- The same server hosts both sTunnel and OpenVPN.
- I am unaware if traffic from every application will use the tunnel.
- This assumes you already know the basics of setting up sTunnel and OpenVPN. (How to install them, create keys, set up iptables, etc.)

Since I found so little information on this topic on the web, I thought I'd share the result of much wasted time trying to get OpenVPN through sTunnel working on a non-rooted Android system. (Tested on Galaxy S3, Android 4.4.2, WiFi and OTA.)

Server config files:
--------------------

stunnel.conf:


sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Debugging stuff (may be useful for troubleshooting)
; debug = 7
# Log should be created in the jail at /var/lib/stunnel4/stunnel.log
output = stunnel.log
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#Enable this if you like. It is disabled on Debian-based distros.
#compression = zlib

[openvpn]
# sTunnel Listening port 
Accept = 993

# Connect to the local OpenVPN server
Connect = 127.0.0.1:1194

# Certificates
cert=/etc/stunnel/cert-server.pem
key=/etc/stunnel/key-server.pem
CAfile=/etc/stunnel/cert-client.pem
(CAfile can be a file containing each client cert in sequence as described here: https://www.stunnel.org/howto.html)

openvpn config file:


# 'server' below already implies mode server / tls-server; kept as posted
mode server
tls-server
# stunnel forwards to 127.0.0.1:1194; adding "local 127.0.0.1" would keep the
# listener reachable only through stunnel and not directly from the Internet
port 1194
# Must be TCP: stunnel carries only TCP streams
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Host route to the router on the server's LAN (also used as the DNS server)
push "route 192.168.0.1 255.255.255.255"
# Send all client traffic through the VPN
push "redirect-gateway def1"
# Resolver to use while connected, so DNS queries do not leak outside the tunnel
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
# Direction 0 on the server, so the client must use direction 1
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
(192.168.0.1 above must be replaced with the internal network IP address of the server's router)

Android Client Instructions:
----------------------------
1. Download and install the app "OpenVPN for Android" by Arne Schwabe from the Google Play Store.
2. Download and install the app "SSLDroid" by Balint Kovacs from the Google Play Store.
3. Based on the server configs above, open SSLDroid and create a new connection with the following settings:

Local Port: 1195 (Local listening port -- your choice, but must match OpenVPN server port below)
Remote Host: (fqdn or public ip address of your server)
Remote Port: 993
PKCS12 file: (import from file)
PKCS12 pass: (enter it if you created the PKCS12 with a password)

4. In OpenVPN for Android:

OpenVPN Global Settings:
Use system proxy: ON

Create a new profile, then in the profile settings page:

Basic:
LZO Compression: ON
CA Cert: (import from ca.crt)
Client Certificate: (import from client cert file)
Client Certificate Key: (import from client key file)

Server List:
Server Address: 127.0.0.1
Server Port: 1195
Protocol: TCP
Custom Options: OFF

IP and DNS:
Pull Settings: Request IP addresses, routes... ON
No local binding: ON
Override DNS Settings By Server: OFF

Routing:
Ignore pushed routes: OFF
Bypass VPN for local network: ON
IPv4 Use default Route: ON
IPv6 Use default Route: ON

Authentication/Encryption:
Expect TLS server certificate: ON
Certificate Hostname Check: OFF
Use TLS Authentication: ON
TLS Auth File: (import ta.key)
TLS Direction: 1
Encryption cipher: AES-128-CBC
Packet Authentication:

Advanced:
Persistent tun: ON
Connection Retries: Five
Seconds between connections: 5s
Random Host Prefix: OFF
Allow floating server: OFF
Override MSS value of TCP p...: OFF
Enable Custom Options: ON
Custom Options: route (fqdn or public ip address of your OpenVPN server) 255.255.255.255 net_gateway

---------

The key item here is the Custom Option above which tells OpenVPN not to route SSLDroid's SSL tunnel through the VPN. Without this option, the SSL tunnel will be broken when OpenVPN connects because SSLDroid can no longer reach the server.

5. Start the SSL tunnel in SSLDroid.
6. Start the OpenVPN tunnel.
7. Go to dnsleaktest.com in your browser and test.

I apologize for any mistakes as I am unable to edit the post at this time. Thanks!
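Added example (not part of the original post, and not code from the OpenVPN, stunnel, SSLDroid or OpenVPN for Android projects): a small Python script that reads a server-side stunnel.conf and OpenVPN server config and derives the client settings the steps above describe, so the two sides can be checked for consistency before touching the phone. It maps the stunnel accept port to SSLDroid's Remote Port, points the OpenVPN client at 127.0.0.1 on SSLDroid's local port, flips the tls-auth direction from the server's 0 to the client's 1, copies the cipher and compression settings, and adds the "route <server> 255.255.255.255 net_gateway" exception that keeps the SSL tunnel itself outside the VPN. It also warns when the server does not push redirect-gateway or a DNS server, the two settings the DNS leak test depends on. The embedded configs are constructed copies modelled on the post; "vpn.example.net" and the local port 1195 are placeholder assumptions.

```python
"""Derive an OpenVPN client profile from server-side stunnel + OpenVPN configs."""
import shlex

# Constructed sample input modelled on the post's server configs (placeholders, not a live server).
STUNNEL_CONF = """\
sslVersion = all
options = NO_SSLv2
[openvpn]
# stunnel listening port
accept = 993
connect = 127.0.0.1:1194
cert=/etc/stunnel/cert-server.pem
"""

OPENVPN_SERVER_CONF = """\
mode server
tls-server
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.1 255.255.255.255"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
"""


def parse_stunnel(text):
    """Return {section: {option: value}}; global options live under the '' key."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # stunnel accepts both comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_openvpn(text):
    """Return a list of (directive, [args]) pairs, honouring quoted push values."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def first(directives, name):
    """Args of the first occurrence of a directive, or None if absent."""
    for directive, args in directives:
        if directive == name:
            return args
    return None


def build_client_profile(stunnel_text, server_text, server_host, local_port):
    """Map the server configs onto SSLDroid + OpenVPN client settings and flag leak risks."""
    st = parse_stunnel(stunnel_text)
    sv = parse_openvpn(server_text)
    warnings = []

    service = st.get("openvpn")
    if service is None or "accept" not in service:
        raise ValueError("stunnel.conf has no [openvpn] service with an accept port")
    stunnel_port = int(service["accept"].rsplit(":", 1)[-1])   # SSLDroid Remote Port
    connect = service.get("connect", "")
    server_port = first(sv, "port")
    if server_port and not connect.endswith(":" + server_port[0]):
        warnings.append(f"stunnel connect={connect!r} does not match OpenVPN port {server_port[0]}")

    proto = first(sv, "proto")
    if not proto or not proto[0].startswith("tcp"):
        warnings.append("OpenVPN must use proto tcp: stunnel only forwards TCP")

    lines = [
        "client", "dev tun", "proto tcp-client",
        f"remote 127.0.0.1 {local_port}",                      # SSLDroid's local listener
        f"route {server_host} 255.255.255.255 net_gateway",    # keep the SSL tunnel outside the VPN
        "nobind", "persist-tun",
        "remote-cert-tls server",                              # "Expect TLS server certificate"
    ]
    cipher = first(sv, "cipher")
    if cipher:
        lines.append(f"cipher {cipher[0]}")
    ta = first(sv, "tls-auth")
    if ta:
        server_dir = ta[1] if len(ta) > 1 else "0"
        lines.append(f"tls-auth ta.key {'1' if server_dir == '0' else '0'}")  # opposite direction
    if first(sv, "comp-lzo") is not None:
        lines.append("comp-lzo")

    pushes = [args[0] for d, args in sv if d == "push" and args]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        warnings.append("server does not push redirect-gateway: non-VPN traffic will leak")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        warnings.append("server does not push a DNS server: DNS queries may leak")

    return {
        "ssldroid": {"local_port": local_port, "remote_host": server_host, "remote_port": stunnel_port},
        "client_config": "\n".join(lines) + "\n",
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = build_client_profile(STUNNEL_CONF, OPENVPN_SERVER_CONF, "vpn.example.net", 1195)
    print("SSLDroid:", result["ssldroid"])
    print(result["client_config"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

The generated text is the desktop .ovpn equivalent of the Android profile fields listed under step 4; on the phone the same values are entered by hand. The warnings are the checks worth running before step 7: if either push line is missing, dnsleaktest.com will show the carrier's resolvers no matter how the client is configured.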

Guavaman
OpenVpn Newbie
Posts: 6
Joined: Mon Feb 02, 2015 10:37 pm

Re: OpenVPN + sTunnel for web browsing on Android (no root)

Post by Guavaman » Thu Feb 05, 2015 8:13 pm

Small typo fix:

Under 4: In OpenVPN for Android:

Change:
Server Address: 127.0.01

To:
Server List:
Server Address: 127.0.0.1
