Android OpenVPN Connect - Problems


Post by dss » Tue Nov 13, 2012 9:18 pm

Hi to all!
We can't get the Android "OpenVPN Connect" application to work with our OpenVPN Community Edition server:
root@openvpn:~# /usr/sbin/openvpn --help
OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012.

We use keys that work on Windows (OpenVPN GUI), Linux and even iPad (GuizmOVPN).

But whenever I try to connect from my OpenVPN Connect (Android 4.1.1, Samsung Galaxy S III), I get the following error:
OpenVPN core error : PolarSSL: error parsing config private key : PEM - Unsupported key encryption algorithm
Can you tell us what's wrong? I saw several posts with this bug, but no answer...

----------------
Below, you can see the details:
testk.ovpn file (IP was changed to XXX):

client
dev tun
proto tcp
remote XXX.XXX.XXX.XXX 3546

resolv-retry infinite
nobind

persist-key
persist-tun

ca  "/storage/extSdCard/mykeys/ca.crt"
cert "/storage/extSdCard/mykeys/testuser.crt"
key "/storage/extSdCard/mykeys/testuser.key"

comp-lzo
verb 3

testuser.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 80 (0x50)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=EN, ST=TestState, L=TestCity, O=Test Org, OU=it, CN=servername.domain.lan/emailAddress=test@domain.en
        Validity
            Not Before: Nov 12 17:26:38 2012 GMT
            Not After : Nov 10 17:26:38 2022 GMT
        Subject: C=EN, ST=TestState, O=Test Org, OU=it, CN=testuser/emailAddress=test@domain.en
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:
                   [ .... REMOVED .... ]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E6:C6:39:51:03:AD:EB:E4:F6:84:CF:2C:78:B7:0A:10:0F:4B:2A:C1
            X509v3 Authority Key Identifier: 
                keyid:BD:3B:E4:DC:9A:8B:B5:5B:35:2C:CA:F7:CA:AE:21:C9:65:EE:C3:5B
                DirName:/C=EN/ST=TestState/L=TestCity/O=Test Org/OU=it/ CN=servername.domain.lan/emailAddress=test@domain.en
                serial:B7:6A:CB:33:8D:03:8E:45

    Signature Algorithm: md5WithRSAEncryption

[ .... REMOVED .... ]

-----BEGIN CERTIFICATE-----

[ .... REMOVED .... ]

-----END CERTIFICATE-----

testuser.key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DFA3F25E5C979CF3

[ .... REMOVED .... ]

-----END RSA PRIVATE KEY-----

Re: Android OpenVPN Connect - Problems

Post by dss » Thu Nov 15, 2012 12:46 pm

Problem Solved!
Greetings to James Yonan from OpenVPN!

=================

The OpenVPN Connect client for Android doesn't currently support PEM-encrypted private keys. PEM-encrypted private keys are somewhat nonstandard and have been largely supplanted by PKCS#12 files which are more secure because they can benefit from the hardware-backed keystores that exist on many Android devices. They are also easier to use because they are protected by the Android-level device password, so the password doesn't have to be repeatedly entered or insecurely stored.

Our Android client fully supports PKCS#12 files. You can easily convert your certificate and key files to a PKCS#12 file using this openssl command:

openssl pkcs12 -export -in testuser.crt -inkey testuser.key -certfile ca.crt -name TestUser -out testuser.p12

This command will combine your key files into the PKCS#12 file testuser.p12 which can then be imported onto the Android device using the Menu / Import / Import PKCS#12 option in the app.

Once this is done, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the TestUser certificate and you should be able to connect normally.
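
A pre-flight check for the situation in this thread, as an added example that is not part of the original posts or of OpenVPN's own code: it reads a key file's PEM armor to tell whether it uses the Proc-Type / DEK-Info encryption shown in testuser.key, and drops the ca, cert and key lines from a profile as the last step above describes. The function names and sample inputs are constructed for illustration, and the check goes slightly beyond the thread by also recognizing PKCS#8 armor.

```python
import re

# Constructed inputs modelled on the files quoted in the thread; the key body
# is a placeholder, not real key material.
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DFA3F25E5C979CF3

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PROFILE = """client
dev tun
remote XXX.XXX.XXX.XXX 3546
persist-key
ca  "/storage/extSdCard/mykeys/ca.crt"
cert "/storage/extSdCard/mykeys/testuser.crt"
key "/storage/extSdCard/mykeys/testuser.key"
comp-lzo
"""

def classify_key(pem_text):
    """Return (kind, cipher) for a PEM private key, judged from its armor only."""
    m = re.search(r"^-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----\s*$", pem_text, re.M)
    if not m:
        return ("not-a-private-key", None)
    if m.group(1) == "ENCRYPTED ":
        return ("pkcs8-encrypted", None)  # cipher is inside the DER, not the header
    # Legacy ("traditional") PEM encryption is declared in RFC 1421-style headers.
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem_text, re.M):
        dek = re.search(r"^DEK-Info:\s*([^,\s]+),", pem_text, re.M)
        return ("legacy-pem-encrypted", dek.group(1) if dek else None)
    return ("unencrypted", None)

def strip_file_directives(profile_text):
    """Drop ca/cert/key lines from an .ovpn profile; return (new_text, removed)."""
    kept, removed = [], []
    for line in profile_text.splitlines():
        # Whitespace must follow the keyword, so persist-key or keysize are kept.
        if re.match(r"\s*(ca|cert|key)\s+\S", line):
            removed.append(line.split()[0])
        else:
            kept.append(line)
    return ("\n".join(kept) + "\n", removed)

if __name__ == "__main__":
    print(classify_key(SAMPLE_KEY))
    text, removed = strip_file_directives(SAMPLE_PROFILE)
    print("removed:", removed)
```

A result of legacy-pem-encrypted is the key format the error message in the first post refers to.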
