I've set up an OpenVPN server on my home server (Gentoo Linux) and a client on my laptop (ditto) in a TUN-based configuration that routes all client traffic through the VPN. I wanted to do the same on my phone (Galaxy SIII, updated to Android 4.1.2) now that Connect exists.
I used the openvpn-confgen scripts from these forums to generate an .OVPN profile with embedded certs and private key (even though I'd already created those using easy-rsa) because I couldn't find documentation on how to embed these items manually in a config file.
The config did get me connected successfully, but it's not routing the traffic over the VPN - in fact it b0rks routing entirely on the phone so I can't reach the WAN at all. I also can't ping any server-side LAN (192.168.2.*) IPs from the phone.
Notes on network setup: the OVPN server is the DNS (and DHCP) server for its LAN, but it is not the default gateway (that is a consumer modem/router at 192.168.2.1, which is also the secondary DNS server), so I push those IPs to clients (though they could have them hard-coded if necessary, no problem).
server.conf:
# Server config
dev tun
comp-lzo
port 1222
proto udp
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh1024.pem
server 10.0.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.2.7"
push "dhcp-option DNS 192.168.2.1"
keepalive 10 120
user openvpn
group openvpn
persist-key
persist-tun
status /tmp/openvpn.status
verb 3
mute 10
NetworkManager connection settings on the laptop:
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=my.dyndns.hostname
comp-lzo=yes
cert-pass-flags=4
tap-dev=no
proto-tcp=no
port=1222
mssfix=no
ca=ca.crt
cert=happy.crt
key=happy.key
Here's the (current; I've tried a few tweaks already) phone.ovpn config:
client
connect-retry-max 5
connect-retry 5
resolv-retry infinite
dev tun
nobind
remote my.dyndns.hostname 1222 udp
#remote-cert-tls server
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
<snip>
-----END RSA PRIVATE KEY-----
</key>
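Two things the post asks for or depends on, as an added example that is not part of the original post or of any OpenVPN project code: how to build an inline .ovpn by hand from the files easy-rsa already produced (what the openvpn-confgen scripts did behind the scenes), and the server-side forwarding and NAT that a `server 10.0.0.0 255.255.255.0` plus `redirect-gateway` setup needs when the OpenVPN host is not the LAN's default gateway. The posted configs do not show whether the server has ip_forward enabled and masquerades the 10.0.0.0/24 subnet; if it does not, the tunnel comes up but nothing beyond the OpenVPN host itself answers, which would produce exactly the symptoms described (no WAN, no LAN pings), so it is the first thing to check. The generated profile also turns `remote-cert-tls server` on, which the posted phone.ovpn has commented out: without it, any client certificate signed by the same CA can impersonate the server. Hostname and port are taken from the posted configs; `eth0`, the script name and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Two helpers for the
# setup described above. Hostnames, ports, interface names and file
# names are assumptions taken from the posted configs or made up here.
set -eu

# Copy only the PEM block out of a file. easy-rsa's .crt files carry a
# human-readable certificate dump before "-----BEGIN CERTIFICATE-----",
# and that text has no place inside an inline <cert> block.
pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# 1. Build a single-file .ovpn with CA, client cert and client key inlined.
#    Args: remote-host port ca.crt client.crt client.key
make_inline_ovpn() {
  local host=$1 port=$2 ca=$3 crt=$4 key=$5
  cat <<EOF
client
dev tun
proto udp
nobind
remote $host $port
resolv-retry infinite
persist-key
persist-tun
# Reject a peer whose certificate is not a *server* certificate. Without
# this, any client certificate signed by the same CA can impersonate the
# server. Needs a server cert made with easy-rsa's build-key-server
# (it sets the server EKU / nsCertType).
remote-cert-tls server
# Must match the server.conf above, which has comp-lzo. (Compressing
# encrypted traffic has since been shown to leak data, VORACLE, 2018;
# drop it on both ends when you can.)
comp-lzo
verb 3
<ca>
$(pem "$ca")
</ca>
<cert>
$(pem "$crt")
</cert>
<key>
$(pem "$key")
</key>
EOF
}

# 2. Print the forwarding + NAT rules the OpenVPN host needs when it is
#    not the LAN's default gateway. Without ip_forward the host drops the
#    clients' packets; without masquerading, LAN hosts and the router at
#    192.168.2.1 send their replies for 10.0.0.x to a subnet they have no
#    route to. (The alternative is a static route for the tun subnet via
#    the OpenVPN host on the router, if the router allows one.)
#    Args: tun-subnet lan-interface, e.g. 10.0.0.0/24 eth0
server_nat_rules() {
  local net=$1 lan=$2
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $lan -s $net -j ACCEPT
iptables -A FORWARD -i $lan -o tun0 -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $lan -j MASQUERADE
EOF
}

# Usage (hypothetical script name vpn-helpers.sh):
#   umask 077; ./vpn-helpers.sh profile my.dyndns.hostname 1222 \
#       keys/ca.crt keys/happy.crt keys/happy.key > phone.ovpn
#   ./vpn-helpers.sh nat 10.0.0.0/24 eth0      # review, then run as root
case "${1:-}" in
  profile) shift; make_inline_ovpn "$@" ;;
  nat)     shift; server_nat_rules "$@" ;;
esac
```

The profile contains the private key, hence the `umask 077` before writing it and the usual care when copying it to the phone. The NAT helper only prints the rules so they can be read before being applied; after applying them, `cat /proc/sys/net/ipv4/ip_forward` should show `1` and `iptables -t nat -S POSTROUTING` should list the MASQUERADE rule for the tun subnet.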