Connecting to OpenVPN running on OpenWrt from Android

Official client software for OpenVPN Access Server and OpenVPN Cloud.
flexmcmurphy
OpenVPN User
Posts: 26
Joined: Tue Nov 10, 2020 10:27 pm

Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Fri Jan 07, 2022 9:34 pm

Code:

OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10

I installed OpenVPN on the latest OpenWrt 21.02.1

The client config and server conf files both have these lines at the top:

Code:

user nobody
group nogroup
dev tun
..
..

I installed the OpenVPN for Android app on my Android phone. When entering the client config file... am I supposed to comment out or delete the first two lines since there is no user called: nobody and no group called nogroup in my Android? At least I didn't see anything in /etc/group and /etc/passwd in Android OS.

I see in the OpenVPN manual that the --user option lets you:
"Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session."

I can connect from the Android client to OpenVPN server by commenting out those two lines but is there a way to obtain the benefit of running as user "nobody" and group "nogroup", or some such unprivileged user, when connecting to OpenVPN server on OpenWrt from an Android phone? From a Terminal to my phone's Android OS if I do ls -l I can see user and group of all files is: u0_a252 so should I make a user and group of u0_a252 on the server running OpenVPN and then use that as the user and group in the client and server config files? My phone is not rooted so I guess running as user u0_a252 will be the same thing as running OpenVPN unprivileged?

Lastly do I NEED to define a user AND a group or is one or the other enough? The OpenVPN manual is a bit ambiguous on this point because it also states: "[if] you are dropping root privileges on the client with --user and/or --group.."

Cheers,

Flex

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Fri Jan 07, 2022 10:47 pm

I believe the Android app ignores those options..

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Sat Jan 08, 2022 12:31 pm

Thanks @TinCanTech.
I am using the OpenVPN for Android app. If it ignores the "user" and "group" options then is the OpenVPN connection from my phone being run as an unprivileged user or as root user then? My phone is not rooted.

When I open Termux in the phone and try commands like ps, top, htop, pstree I am unable to see what user is running the openvpn for android app process. Maybe that is because my phone is not rooted.
On the OpenVPN server side I run this command and get that result:

Code:

root@OPENWRT:~# ps | grep openvpn
10831 root      1228 S    grep openvpn
31966 root      5256 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openv

So OpenVPN server is running as the root user anyway. But I am interested to know if the OpenVPN connection from my phone is being run as an unprivileged user or as root user.

Cheers,

Flex

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Sat Jan 08, 2022 3:16 pm

You read your client log, right ?

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Sun Jan 09, 2022 7:58 pm

My client is the OpenVPN for Android App. In the app I can view the OpenVPN log and change the verbosity level.. with the verbosity level set to the max I still don't see any mention of a user or a UID.

On the server side in OpenWrt I run this command:

Code:

root@OPENWRT:~# logread ; logread -f

In OpenWrt that command gives a real time read out of logging information as clients connect to the server and do things. But it also doesn't mention anything about what user is initiating the OpenVPN connection.

I found a way which I think gives me the information:

I installed ADB in Manjaro using these instructions then used these commands to see that user u0_a253 was running the OpenVPN for Android App.

Code:

# adb shell
sunfish:/ $ top | grep openvpn
20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.23 de.blinkt.openvpn:openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.3   1.7   0:02.25 de.blinkt.openvpn:openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.26 de.blinkt.openvpn:openvpn

So when connecting to OpenVPN Server from the OpenVPN for Android App the connecting user in this case is called: u0_a253. I was glad to satisfy myself that it is not being run as the root user.

I don't know how else to view a client side log when the client is the OpenVPN for Android App, running on an Android phone, that might confirm the user that is in control of the connection. If you know this then please let me know?

Cheers,

Flex
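
The manual check in the post above (reading the USER column for the openvpn process on the router and on the phone), as an added example that is not part of the original thread. The function names are hypothetical, and the sample lines are copied from the two listings quoted in the thread; on a live system pipe `ps` or `adb shell top -n 1` into `audit_openvpn_users` instead.

```shell
#!/bin/sh
# Constructed sample input: the ps and top lines quoted in the thread.
SERVER_PS='10831 root      1228 S    grep openvpn
31966 root      5256 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openv'
ANDROID_TOP='20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.23 de.blinkt.openvpn:openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.3   1.7   0:02.25 de.blinkt.openvpn:openvpn'

# Print "PID USER" once per openvpn process, skipping the grep process itself.
# BusyBox ps and Android top both put PID in column 1 and USER in column 2.
openvpn_proc_users() {
    awk '/openvpn/ && !/grep openvpn/ && !seen[$1]++ { print $1, $2 }'
}

# Map an Android account name such as u0_a253 to its numeric UID:
# each Android user N owns the range starting at N*100000, and
# application IDs start at 10000 inside that range.
android_uid() {
    case "$1" in
        root) echo 0 ;;
        u[0-9]*_a[0-9]*)
            u=${1#u}; u=${u%%_*}
            a=${1##*_a}
            echo $(( u * 100000 + 10000 + a )) ;;
        *) return 1 ;;
    esac
}

# Flag every openvpn process that still runs as root (UID 0).
audit_openvpn_users() {
    openvpn_proc_users | while read -r pid user; do
        if [ "$user" = "root" ] || [ "$user" = "0" ]; then
            echo "pid=$pid user=$user ROOT"
        else
            echo "pid=$pid user=$user unprivileged"
        fi
    done
}

printf '%s\n' "$SERVER_PS"   | audit_openvpn_users
printf '%s\n' "$ANDROID_TOP" | audit_openvpn_users
android_uid u0_a253
```

A `ROOT` result for the server process means the `user`/`group` directives are not taking effect in the configuration that process was actually started with.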

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Sun Jan 09, 2022 8:14 pm

I may be confusing the app you are using with this one: https://github.com/schwabe/ics-openvpn

That version clearly states which options are being ignored.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Mon Jan 10, 2022 11:06 pm

Yes that is the app that I am using and I know it ignores those options...

Now because you suggested it to me I am curious about how to use the client side log to identify the user that IS connecting to the server. But I don't see any mention of a username in the client side log when I look at it, even when turned up to maximum verbosity, in the app. Maybe that type of information is not actually available in a client side log after all?

Any further advice much appreciated.

Cheers.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Mon Jan 10, 2022 11:18 pm

Openvpn 'username' is only a variable set for openvpn.

It is not like the actual user name on the client in any way.

That is unless, you go specifically out-of-your-way to do so.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Mon Jan 10, 2022 11:42 pm

Alright, I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff.

I just got a bit obsessed with confirming that it is not the "Root" user so I could see for myself that the client side connection is indeed running as an unprivileged user. I guess I already answered this by using the ADB tools I mentioned above. If you cannot double confirm that the user is: u0_a253 using a client side log then OK I can let this go!

Flex

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Tue Jan 11, 2022 12:32 am

flexmcmurphy wrote:
Mon Jan 10, 2022 11:42 pm
I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff

I know what you mean .. Openvpn is fairly smart ginger!

Imagine if OpenVPN were as insidious as Windblows!?

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Thu Jan 13, 2022 12:03 am

If you know what I mean then why did you suggest I look in the client side logs when the UID of the connecting process doesn't appear to be recorded there and you didn't confirm if you were able or not able to see that information yourself in your own set up and come back to me and acknowledge your findings either way... as a beginner with OpenVPN that's the kind of support I was hoping for.

But thank you for your time.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Thu Jan 13, 2022 2:03 am

flexmcmurphy wrote:
Thu Jan 13, 2022 12:03 am
as a beginner with OpenVPN that's the kind of support I was hoping for

TinCanTech wrote:
Tue Jan 11, 2022 12:32 am
I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff

This stuff is not shared by openvpn-ce server and client.

In order to share the sort of information which you are concerned, literally does take Windblows and Anti-T-h-rust..

The development of Openvpn is an open process, which you are very welcome to take a part in.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by flexmcmurphy » Thu Jan 13, 2022 8:45 pm

Well that's the answer you should have given me back on Sat Jan 08, 2022 3:16 pm instead of suggesting I search the client log.
Thank you kindly.

Re: Connecting to OpenVPN running on OpenWrt from Android

Post by TinCanTech » Thu Jan 13, 2022 9:16 pm

You should have read the manual and the howto by now ...
