I have my own OpenVPN server running on a Red Hat Fedora system. It works and I can connect a Windows PC to it. Great stuff!
The OpenVPN Windows installation includes some sample .ovpn files with config parameters. I can customize one of them with the config parameters I want, then use various scripts on the server to generate key files for my client. I copy all those files to the correct directory on my Windows client and everything works.
Now I want to connect an Android tablet and an Android cell phone to my OpenVPN server. I installed OpenVPN Connect and everything I can find says I need to go through a process called "importing the profile". Launching OpenVPN Connect on my tablet, I see I can tap on various options to import a profile - that's great - but how do I build that profile in the first place? I am guessing this profile is really a .ovpn config file and set of key files.
Ideally, I would like to connect my tablet to a USB port on a PC and copy the .ovpn file and keys to a correct directory on the tablet. But I don't want to root the tablet - so what probably needs to happen is, copy the .ovpn config file and keys to an intermediate directory and use the GUI on the tablet to import them.
Am I on the right track? And are there sample .ovpn config files for Android clients? Or can I take my .ovpn client file from my PC and modify the key file names and use that as a starting point? Once imported, how do I edit the existing profile? Or do I edit the files in the intermediate directory and import again?
thanks
- Greg Scott
How do I create an OpenVPN profile for Android?
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Dec 27, 2013 3:09 am
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Dec 27, 2013 3:09 am
Re: How do I create an OpenVPN profile for Android?
I answered my own question. Here are detailed setup instructions. You need your own OpenVPN server and a Windows desktop PC.
Set up an OpenVPN client on an Android device.
Adapted from the write-up at:
https://fedoraproject.org/wiki/Openvpn
First, on the server:
1. cd /etc/openvpn
2. . vars
3. ./build-key {computername}
Where {computername} is the name you want to give your Android device.
On the client:
1. Install the OpenVPN client on a Windows desktop PC from http://openvpn.net/index.php/open-source/downloads.html. You will want some sample config files from this installation.
2. On your Windows PC, copy C:\Program Files\OpenVPN\sample-config\client.ovpn to My documents and edit as follows:
Substitute the name or IP Address of your OpenVPN server in the line that says:
remote my-server-1 1194
Find these lines:
ca ca.key
cert client.crt
key client.key
And substitute {computername}.key and {computername}.crt. Name your edited config file {computername}.ovpn
3. Install OpenVPN Connect on your Android device from the Google Play store.
2. Find {computername}.crt, {computername}.key, and ca.crt on the server at /etc/openvpn/keys. Copy to My Documents on your desktop PC.
3. Connect the Android device to your desktop computer with a USB cable. When the drivers load, use your desktop PC to navigate to the downloads folder on your Android device.
4. Copy ca.key, {computername}.crt, {computername}.key, and {computername}.ovpn from My Documents on your PC to the Downloads folder on your Android device.
5. On your Android device, tap Menu...Import. Tap "Import Profile from SD card". Navigate to the Downloads folder, select {computername}.ovpn and Import.
6. Connect to your VPN.
I tested using the Microsoft Remote Desktop client and connected to one of my Windows servers over my new OpenVPN connection. I am amazed this worked so well.
- Greg Scott
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Sep 17, 2014 9:28 am
Re: How do I create an OpenVPN profile for Android?
Name your profile file so: luca.ovpn
Inside it has to be written so (of course, substitute your key, ca and crt):
# Enables connection to GUI
management /data/data/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold
setenv IV_GUI_VER "de.blinkt.openvpn 0.6.17"
machine-readable-output
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote myserver.org 1194 tcp-client
<ca>
-----BEGIN CERTIFICATE-----
[..]
MBQGA1UEAxMNYml6emFycm9uZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEjMCEGCSqG
SIb3DQEJARYUYml6emFycm9uZUBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
[..]
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
[..]
xxO3qjrSdpbw/WmUSOTUV4bKQNVkRYZiUfO3Y5ZJM2toExDfmZav1wiwir3qF3ft
a53Lss1Boxpr40LWyY28guUU4JyDlNG/iTDLQKQbikJ+hc7m/P9ob2Yxfg7Hmu3e
[..]
-----END PRIVATE KEY-----
</key>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IT, ST=MI, L=Milano, O=bizzarrone, OU=BizzarroneUnit, CN=bizzarrone CA/name=EasyRSA/emailAddress=sdfgdfgdfgdg@gmail.com
Validity
Not Before: Sep 16 14:43:10 2014 GMT
Not After : Sep 13 14:43:10 2024 GMT
Subject: C=IT, ST=MI, L=Milano, O=bizzarrone, OU=BizzarroneUnit, CN=lucamobile/name=EasyRSA/emailAddress=dfgdg@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
[..]
86:0b:dc:fa:69:c9:c2:8e:db:7b:74:57:23:09:7b:
[..]
1f:00:44:8e:08:cb:3e:62:bb:e7:10:ea:4c:31:d3:
30:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
F0:96:82:0:30:9E:2F
X509v3 Authority Key Identifier:
keyid:C3:1B:A0:dfg:74:6AA:BC:25
DirName:/C=IT/ST=MI/L=Milano/O=bizzarrone/OU=BizzarroneUnit/CN=bizzarrone CA/name=EasyRSA/emailAddress=cdghfdghdf@gmail.com
serial:90:dfg4:01:69:7E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:lucamobile
Signature Algorithm: sha256WithRSAEncryption
78[..]
88:f7:da:78:93:f6:44:99:36:f1:42:10:21:d7:f8:8d:30:ea:
60:0d:6b:af:ec:e7:b3:96:5f:c1:cc:e9:ef:dd:9e:1b:b6:b9:
36:62:2b:2f:62:87:4d:63:64:bf:d9:f6:7c:20:4a:e0:e1:32:
08:0d:da:d5:fd:88:7d:fb:1b:d2:6c:bf:ea:48:19:6c:70:15:
3c:3e:52:f2:4a:55:f5:d4:fd:88:71:eb:64:c1:b2:59
84:
37:fd:a5:c6
97:9c:33:3c:13:16:00:b1:ed
1c:24:60:
75:b2:07:e7:85:98:68:c1:83:4c:13:fe:f8:d1:1f:c2:17:61:
c6:a2:2a:15
-----BEGIN CERTIFICATE-----
[..]
AQEA5efm0W3kMusSbscTt6o60naW8P1plEjk1FeGykDVZEWGYlHzt2OWSTNraBMQ
35mWr9cIsIq96hd37Wudy7LNQaMaa+NC1smNvILlFOCcg5TRv4kwy0CkG4pCfoXO
5vz/aG9mMX4Ox5rt3iJT1HYsCsJYjLMjfvAvDPSmP2mRIdhxKp84LrqGC9z6acnC
[..]
-----END CERTIFICATE-----
</cert>
comp-lzo
remote-cert-tls server
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Sep 17, 2014 9:28 am
Re: How do I create an OpenVPN profile for Android?
# Enables connection to GUI
management /data/data/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold
setenv IV_GUI_VER "de.blinkt.openvpn 0.6.17"
machine-readable-output
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote server.no-ip.org 1194 tcp-client
<ca>
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIJAJCHYZV0AWl+MA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
[..]
fRS5ZH/ChV7p6eT/
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
[..]
irNqKzQR7eStOVQpfdgjOnU=
-----END PRIVATE KEY-----
</key>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IT, ST=MI, L=Milano, O=bizzarrone, OU=BizzarroneUnit, CN=bizzarrone CA/name=EasyRSA/emailAddress=xxxxx@gmail.com
Validity
Not Before: Sep 16 14:43:10 2014 GMT
Not After : Sep 13 14:43:10 2024 GMT
Subject: C=IT, ST=MI, L=Milano, O=bizzarrone, OU=BizzarroneUnit, CN=lucamobile/name=EasyRSA/emailAddress=xxxx@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e5:e7:e6:d1:6d:e4:32:eb:12:6e:c7:13:b7:aa:
3a:d2:76:96:f0:fd:69:94:48:e4:d4:57:86:ca:40:
d5:64:45:86:62:51:f3:b7:63:96:49:33:6b:68:13:
10:df:99:96:af:d7:08:b0:8a:bd:ea:17:77:ed:6b:
x
1c:68:04:84:5a:24:46:a0:39:c3:91:c5:0d:43:a3:
f6:f2:e3:61:2c:0c:2e:40:e4:95:3c:82:dd:3c:12:
17:f9
1f:90:3a:19:0a:b5:bb:4b:1a:e0:89:64:
35:76:e4:c8:4d:d9:8b:71:bf:b1:e8:9f:83:f6:a2:
e5:20:a6:4c:f4:12:c0:f3:31:f4:b6:f2:6f:fa:a6:
1f:00:44:8e:08:cb:3e:62:bb:e7:10:ea:4c:31:d3:
30:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
F0:96:82:B2:AC:FA:81:41:2A:03:60:5F:39xxF8:70:99:90:30:9E:2F
X509v3 Authority Key Identifier:
keyid:C3:1B:A0:D4:74:6A:88:47:36:29:98:37:02:5E:63:1B:8A:0A:BC:25
DirName:/C=IT/ST=MI/L=Milano/O=bizzarrone/OU=BizzarroneUnit/CN=bizzarrone CA/name=EasyRSA/emailAddress=xx@gmail.com
serial:90:87:61:95:xx:01:69:7E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:lucamobile
Signature Algorithm: sha256WithRSAEncryption
78:cc:0b:d4:8c:95:12:6b:4b:56:f9:1f:79:99:1e:54:d0:6c:
16:ee:e5:4f:64:e4:9d:50:2c:db:f9:7a:67:fa:7c:a1:05:65:
25:37:3a:8a:b8:c4:7b:1f:2b:c8:36:af:ba:5c:ce:49:db:47:
43x
36:62:2b:2f:62:87:4d:63:64:bf:d9:f6:7c:20:4a:e0:e1:32:
08:0d:da:d5:fd:88:7d:fb:1b:d2:6c:bf:ea:48:19:6c:70:15:
3c:3e:52:f2:4a:55:f5:d4:fd:88:71:eb:64:c1:b2:59
84:
37:fd:a5:c6
97:9c:33:3c:13:16:00:b1:ed
1c:24:60:
75:b2:07:e7:85:98:68:c1:83:4c:13:fe:f8:d1:1f:c2:17:61:
c6:a2:2a:15
-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCSVQx
[..]
SlX11P2IcetkwbJZzYQ3/aXG3pecMzwTFgCx7c0cJGB1sgfnhZhowYNME/740R/C
F2HGoioV
-----END CERTIFICATE-----
</cert>
comp-lzo
remote-cert-tls server
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Feb 09, 2015 6:52 am
Re: How do I create an OpenVPN profile for Android?
How do you create the .ovpn file itself? I'm using Ubuntu for the server and trying to import a .ovpn from Android's OpenVPN Connect app.
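Added example, not written by any poster in this thread: one way to generate the single-file profile format shown in the replies above (inline `<ca>`, `<cert>` and `<key>` blocks) from the files that `./build-key {computername}` leaves in `/etc/openvpn/keys`. The function names, the host `vpn.example.org` and the short directive list are assumptions; match protocol, compression and any other options to your server's configuration.

```shell
#!/bin/sh
# Added example: build a one-file OpenVPN client profile with inline credentials.
# App-specific lines from the posted profile (management*, IV_GUI_VER) are omitted.

# Print only the PEM block(s) of a file, dropping the human-readable
# "Certificate: Data: ..." dump that easy-rsa writes above the certificate.
pem_only() {
    sed -n '/^-----BEGIN [A-Z ]*-----$/,/^-----END [A-Z ]*-----$/p' "$1"
}

# build_profile NAME HOST PORT PROTO KEYDIR   (profile is written to stdout)
build_profile() {
    name=$1 host=$2 port=$3 proto=$4 dir=$5
    ca="$dir/ca.crt" crt="$dir/$name.crt" key="$dir/$name.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # <ca> and <cert> hold certificates only. ca.key is the CA's signing key:
    # it stays on the server and never goes into a client profile.
    if grep -q 'PRIVATE KEY' "$ca" || grep -q 'PRIVATE KEY' "$crt"; then
        echo "refusing: private key found where a certificate is expected" >&2
        return 1
    fi
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a private key" >&2; return 1; }
    cat <<EOF
client
dev tun
remote $host $port $proto
resolv-retry 60
remote-cert-tls server
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$crt")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}
```

Run it as `(umask 077; build_profile tablet vpn.example.org 1194 udp /etc/openvpn/keys > tablet.ovpn)` so the file carrying the client's private key is not readable by other users. Only the resulting `.ovpn` file then needs to be copied to the device and imported.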