droidcon2013 open vpn_schaeuffelhut


Upload: droidcon-berlin

Post on 27-Jan-2015


Page 1: Droidcon2013 open vpn_schaeuffelhut

Introduction | OpenVPN on Android | Concluding Remarks

OpenVPN on Android

Friedrich Schaeuffelhut

Freelance Software Developer, Munich

Droidcon Berlin, 2013

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.

Friedrich Schaeuffelhut OpenVPN on Android

Page 2: Droidcon2013 open vpn_schaeuffelhut

Outline

1 Introduction
    About VPNs
    About OpenVPN

2 OpenVPN on Android
    Overview
    Rooted Phone versus Android 4 VPN Service API
    Implementations explained
    Configuration Considerations

3 Concluding Remarks
    OpenVPN Settings as a Library
    Community

Page 3: Droidcon2013 open vpn_schaeuffelhut

About VPNs | About OpenVPN

What is a VPN?

A VPN (Virtual Private Network) extends a private network across public networks like the internet [1]

[1] http://en.wikipedia.org/wiki/Virtual_private_network

Page 4: Droidcon2013 open vpn_schaeuffelhut

Why use a VPN?

Connect multiple sites
    Form one logical network
    Allow roaming users to
        access files on a server / NAS
        receive / send email via private mail server
        access private servers, e.g. SCM, Jenkins, etc.

Create a network of trusted users
    Simpler security configuration inside
    Direct communication between remote users
        e.g. exchange GIT commits between developers

Page 5: Droidcon2013 open vpn_schaeuffelhut

What is OpenVPN?

OpenVPN is an open source (GPL) VPN solution (James Yonan)
Available since 2001 (Version 0.90)
    on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, Windows 2000/XP/Vista/7 and Android
OpenVPN is a trademark of OpenVPN Technologies Inc. and commercially backed by this company

Page 6: Droidcon2013 open vpn_schaeuffelhut

What technology is used by OpenVPN?

Encryption
    SSL based VPN (also used in https)
    Using openssl

Kernel virtual network device
    TUN: Layer 3, IP packets
    TAP: Layer 2, Ethernet frames

Connection to VPN peer
    Uses UDP or TCP
    Encrypts data and control channel

Page 7: Droidcon2013 open vpn_schaeuffelhut

Why use OpenVPN?

Firewall friendly, only one port is needed
Network Address Translation (NAT) friendly
Simple installation
Same configuration can run on all platforms
Flexible user authentication
    Preshared key
    Username/Password authentication
    X509 Certificates
Includes script for managing RSA certificates and keys

Page 8: Droidcon2013 open vpn_schaeuffelhut

Overview | Rooted Phone versus Android 4 VPN Service API | Implementations explained | Configuration Considerations

OpenVPN on Android?

OpenVPN should run on Android - after all it's Linux, isn't it?
TUN/TAP access requires root privileges
No "su" for Apps on a standard Android device
Most devices can be rooted, then "su" is available.
Android 4 (ICS) offers VPN API (creating TUN device for the app)

Page 9: Droidcon2013 open vpn_schaeuffelhut

Short History of OpenVPN on Android

Compiled OpenVPN for ADP1 in January 2009
Used AOSP source to compile, NDK did not exist
Added liblzo and missing ciphers to OpenSSL
Published source at github.com/fries
Alternate firmwares like CyanogenMod [2] picked it up

[2] http://www.cyanogenmod.org/

Page 10: Droidcon2013 open vpn_schaeuffelhut

OpenVPN Settings

OpenVPN binary alone is not very useful

OpenVPN Settings
    modeled after Wifi Settings
    starts/stops a config stored on SD card
    now has 50,000 users

OpenVPN Installer
    ADP1 had limited storage ⇒ separate App
    copies binary into /system/xbin

Page 11: Droidcon2013 open vpn_schaeuffelhut

The Present and the Future

VPN Service API is now available on Android 4 (ICS, API Level 14+)
No ROOT required anymore
New Apps emerge
    ics-openvpn [3] by Arne Schwabe
    TorGuard [4] App by Florida based VPNetworks LLC

[3] https://code.google.com/p/ics-openvpn
[4] http://torguard.net

Page 12: Droidcon2013 open vpn_schaeuffelhut

Rooted Phone versus Android 4 VPN Service API

                   Rooted Phone         VPN Service API
API Level          4+                   14+
Kernel device      TUN or TAP           TUN only
Device opened by   OpenVPN              Android
ifconfig           OpenVPN              Android
Routes             OpenVPN              Android
DNS servers        App via setprop      Android
Search domains     App via setprop      Android
Tethering          Yes                  No [5]

[5] Hot spot enabled, but no data transmitted

Page 13: Droidcon2013 open vpn_schaeuffelhut

Is support for rooted devices required?

Android 4 VPN Service API is
    very secure
    useful for most users

Rooted phones
    allow TAP devices and tethering
    ideal for the enthusiast
    still useful even on Android 4

OpenVPN Settings will
    maintain support for rooted devices
    support the Android 4 VPN Service API
    leave the choice to the user

Page 14: Droidcon2013 open vpn_schaeuffelhut

Implementations explained

OpenVPN management interface
Rooted Phones
Android 4 VPN Service API

Page 15: Droidcon2013 open vpn_schaeuffelhut

The Management Interface

Connect via UNIX domain socket
Request/Respond username/password
Request/Respond passphrase
Restart/Terminate tunnel
Read status messages and byte counts
Query current tunnel state

Page 16: Droidcon2013 open vpn_schaeuffelhut

Monitoring the OpenVPN Program

APP creates UNIX domain socket
OpenVPN connects in management-client mode
OpenVPN exits when management connection is closed
OpenVPN exits when APP is killed
socket is protected by file system permissions
only APP and OpenVPN can access socket

Used on both rooted devices and with VPN service API

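An added example (not code from the talk or from OpenVPN Settings) of the app side of this arrangement, in Python: the listening UNIX domain socket is created owner-only, and a small monitor answers the credential request and tracks state and byte counts from constructed management-interface lines. The command and notification formats are those of the OpenVPN management interface; the credentials, addresses and counts are made up.

```python
import os
import socket
import stat
import tempfile

# Constructed sample of what OpenVPN sends in management-client mode; all values are made up.
FAKE_OPENVPN_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'Auth' username/password",
    ">STATE:1369000000,CONNECTED,SUCCESS,10.0.0.2,203.0.113.10",
    ">BYTECOUNT:1536,2048",
]

def create_management_socket(path):
    """Listen owner-only (0600): only processes with the app's uid, i.e. the app and its OpenVPN, can connect."""
    old_umask = os.umask(0o077)                  # socket file gets no group/other bits
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # enforce 0600 explicitly as well
    srv.listen(1)
    return srv

class ManagementMonitor:
    """App-side handler: on_line() maps one line from OpenVPN to the replies to send."""
    def __init__(self, username, password):
        self.creds, self.state, self.bytes_in, self.bytes_out = (username, password), None, 0, 0
    def on_line(self, line):
        if line.startswith(">INFO:"):             # greeting: subscribe to state changes and 10 s byte counts
            return ["state on", "bytecount 10"]
        if line.startswith(">PASSWORD:Need 'Auth' username/password"):
            return ['username "Auth" %s' % self.creds[0], 'password "Auth" %s' % self.creds[1]]
        if line.startswith(">STATE:"):            # >STATE:<time>,<name>,<description>,<local ip>,<remote ip>
            self.state = line.split(",")[1]
        elif line.startswith(">BYTECOUNT:"):      # >BYTECOUNT:<bytes in>,<bytes out>
            self.bytes_in, self.bytes_out = (int(n) for n in line[11:].split(","))
        return []

def process_transcript(monitor, lines):
    # Feed each received line to the monitor and collect the replies in order.
    return [reply for line in lines for reply in monitor.on_line(line)]

def demo_socket_permissions():
    # Create the socket in a scratch directory and return its permission bits (0o600 expected).
    path = os.path.join(tempfile.mkdtemp(), "openvpn-mgmt.sock")
    srv = create_management_socket(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    srv.close()
    return mode
```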
Page 17: Droidcon2013 open vpn_schaeuffelhut

Rooted devices

Supported by "OpenVPN Settings" [6]

Standard OpenVPN binary compiled for Android
Started via 'su' command
OpenVPN configures network interface and routes
    calls ifconfig and route
    Android ifconfig and route are very simple
    busybox provides compatible ifconfig and route

[6] https://code.google.com/p/android-openvpn-settings/

Page 18: Droidcon2013 open vpn_schaeuffelhut

Android 4 VPN Service

Implemented in ics-openvpn and "OpenVPN Settings"
User must grant permission to use VpnService
Android creates TUN device for App
    ⇒ Hand over TUN FD from App to OpenVPN
    ⇒ OpenVPN must send interface parameters to APP (ip address, routes, dns server, etc)
Protect TCP/UDP connection from new default route
    ⇒ Hand over TCP/UDP socket from OpenVPN to App

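An added example (not from the talk or from either project) of the descriptor handovers on this slide, in Python: a descriptor is passed over a UNIX domain socket with SCM_RIGHTS, the mechanism that serves both directions (TUN fd from app to OpenVPN, TCP/UDP socket from OpenVPN to app for protect()), and a constructed parameter message in an assumed line format is parsed into what VpnService.Builder needs. A temporary file stands in for the TUN device.

```python
import array
import os
import socket
import tempfile

# Constructed stand-in for the interface parameters OpenVPN reports to the app
# (the slide lists ip address, routes and dns server); the line format is this
# example's own assumption, not the wire format of any OpenVPN version.
SAMPLE_PARAMS = "ifconfig 10.0.0.2 255.255.255.0\nroute 10.0.0.0 255.255.255.0\ndns 10.0.0.1\n"

def parse_interface_params(text):
    """Collect what the app must feed into VpnService.Builder before establish()."""
    params = {"routes": [], "dns": []}
    for line in text.splitlines():
        kind, *args = line.split()
        if kind == "ifconfig":
            params["address"] = (args[0], args[1])
        elif kind == "route":
            params["routes"].append((args[0], args[1]))
        elif kind == "dns":
            params["dns"].append(args[0])
    return params

def send_fd(sock, fd, tag):
    """Pass an open descriptor to the peer process as SCM_RIGHTS ancillary data."""
    sock.sendmsg([tag], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])

def recv_fd(sock):
    """Receive one descriptor; the kernel duplicates it into the receiving process."""
    fds = array.array("i")
    msg, ancdata, _, _ = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, kind, data in ancdata:
        if level == socket.SOL_SOCKET and kind == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return msg, fds[0]
    raise RuntimeError("no descriptor in message")

def demo_handover():
    """App side passes its (stand-in) TUN fd to the OpenVPN side; True if both refer to the same open file."""
    app_side, openvpn_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with app_side, openvpn_side, tempfile.TemporaryFile() as tun_stub:  # file stands in for establish()'s fd
        send_fd(app_side, tun_stub.fileno(), b"tun")
        tag, received = recv_fd(openvpn_side)
        a, b = os.fstat(tun_stub.fileno()), os.fstat(received)
        os.close(received)
        return tag == b"tun" and (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)
```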
Page 19: Droidcon2013 open vpn_schaeuffelhut

Packet Transport

TUN vs TAP
UDP vs TCP
TCP over TCP

Page 20: Droidcon2013 open vpn_schaeuffelhut

TUN vs TAP

TUN and TAP are virtual network kernel devices [7]

                TAP                      TUN
level           2                        3
simulates       link layer device        network layer device
operates on     ethernet frames          IP packets
                network bridge           routing

[7] http://en.wikipedia.org/wiki/TUN/TAP

Page 21: Droidcon2013 open vpn_schaeuffelhut

UDP vs TCP

UDP           TCP
unreliable    reliable
unordered     ordered
datagram      stream

Page 22: Droidcon2013 open vpn_schaeuffelhut

Data Channel Encapsulation

TCP over TCP
"Why TCP Over TCP Is A Bad Idea" by Olaf Titz [8]

TCP over TCP tends to break TCP's retransmission algorithm when the underlying connection suffers from packet loss

High packet loss will worsen the effect
UDP is better suited for packet transport than TCP

[8] http://sites.inka.de/~W1011/devel/tcp-tcp.html

Page 23: Droidcon2013 open vpn_schaeuffelhut

UDP versus TCP in Mobile Networks

UDP the winner for tunneling?
UDP in mobile networks has its drawbacks too

Mobile devices are usually behind a NAT gateway
For TCP the NAT session lasts as long as the TCP connection exists
UDP has no connection, NAT sessions must time out
Once the NAT session has been discarded, the remote VPN endpoint can not reach the mobile endpoint
Keep alive packets are needed to keep the connection up
But this will keep the radio busy and drain the battery

Personally I use UDP without problems

Page 24: Droidcon2013 open vpn_schaeuffelhut

Creating a Configuration
Setting up Certificates

code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

Create CA
KEY_CN=ca KEY_EMAIL=ca@acme ./pkitool --initca
KEY_CN=server KEY_EMAIL=server@acme ./pkitool --server server
KEY_CN=client1 KEY_EMAIL=client1@acme ./pkitool client1
KEY_CN=client2 KEY_EMAIL=client2@acme ./pkitool client2

(The common name is spelled out in each line: a $KEY_CN argument on the same line would be expanded before the temporary KEY_CN assignment takes effect and pkitool would receive no name.)

Page 25: Droidcon2013 open vpn_schaeuffelhut

Creating a Configuration
OpenVPN Configuration Files

code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

client.conf

proto udp
dev tun
topology subnet
tls-client
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
remote ***** YOUR SERVERS IP ADDRESS *****
rport 1194
pull

server.conf

mode server
proto udp
dev tun
topology subnet
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
remote-cert-tls client
port 1194
ifconfig 10.0.0.1 255.255.255.0
client-config-dir vpnclients.ccd

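An added checker (not part of the talk or of OpenVPN Settings) for configuration files like the two above, in Python: it parses the one-option-per-line format and reports what a client.conf or server.conf should not ship with, such as a missing remote-cert-tls or the unreplaced remote placeholder. The sample config is constructed from the slide's client.conf with remote-cert-tls deliberately left out.

```python
# Constructed from the client.conf on the slide, with 'remote-cert-tls server'
# deliberately left out to give the checker something to report.
SAMPLE_CLIENT_CONF = """\
proto udp
dev tun
topology subnet
tls-client
ca ca.crt
cert client.crt
key client.key
remote ***** YOUR SERVERS IP ADDRESS *****
rport 1194
pull
"""

def parse_conf(text):
    """OpenVPN config files hold one option per line: the name followed by its arguments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def check_client_conf(text):
    """Findings for a client config; an empty list means the checks passed."""
    opts, findings = parse_conf(text), []
    if "remote-cert-tls" not in opts:
        findings.append("no 'remote-cert-tls server': any certificate issued by the CA, e.g. another client's, would be accepted as the server")
    for args in opts.get("remote", []):
        if not args or "*" in args[0]:
            findings.append("'remote' still contains the placeholder instead of the server address")
    if "tls-client" not in opts and "client" not in opts:
        findings.append("neither 'tls-client' nor 'client' is set")
    for name in ("ca", "cert", "key"):
        if name not in opts:
            findings.append("missing '%s'" % name)
    return findings

def check_server_conf(text):
    """Findings for a server config, mirroring the client-side checks."""
    opts, findings = parse_conf(text), []
    if "remote-cert-tls" not in opts:
        findings.append("no 'remote-cert-tls client': a server certificate from the same CA would be accepted as a client")
    for args in opts.get("dh", []):
        if args and "1024" in args[0]:
            findings.append("'dh %s': 1024-bit DH parameters are below current recommendations" % args[0])
    return findings
```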
Page 26: Droidcon2013 open vpn_schaeuffelhut

OpenVPN Settings as a Library | Community | Summary | Acknowledgments

OpenVPN Settings as a Library
Create your OpenVPN based Client

Licensed under the GPLv3
Split in app and library modules
Supports
    rooted phones (API Level 4+)
    Android 4 VPN service (API Level 14+)
Implements OpenVPN service
Client API connecting to OpenVPN service
    can be used for custom clients
    commercial license available [9]

[9] email [email protected]

Page 27: Droidcon2013 open vpn_schaeuffelhut

The TorGuard App
Using OpenVPN Settings as a Library

US start-up offering privacy
Provides anonymous internet access

Choose a server, press Connect
Trust the App
Type in credentials
Surf anonymously

Page 32: Droidcon2013 open vpn_schaeuffelhut

The TorGuard App
Using OpenVPN Settings as a Library

Download TorGuard from Google Play
For free trial send email [email protected]
For 20% discount use code DroidconBerlin2013

Page 33: Droidcon2013 open vpn_schaeuffelhut

Community

Google Group for "OpenVPN Settings for Android"
Follow "OpenVPN Settings" on Google+
Follow me on Google+: Friedrich Schaeuffelhut
Follow me on Twitter: @fschaeuffelhut

Page 34: Droidcon2013 open vpn_schaeuffelhut

Summary

OpenVPN Networking
Android Implementation
Configuration
OpenVPN Settings Library

Outlook
    Publish updated version of OpenVPN Settings
    Unified OpenVPN for rooted devices and VPN service.

Page 35: Droidcon2013 open vpn_schaeuffelhut

Acknowledgements

OpenVPN: James Yonan and OpenVPN Technologies Inc
OpenVPN for Android 4 VPN service API: Arne Schwabe
Supporting my work: TorGuard, VPNetwork LLC.

Page 36: Droidcon2013 open vpn_schaeuffelhut

Thank You!