droidcon2013 open vpn_schaeuffelhut
Introduction | OpenVPN on Android | Concluding Remarks
OpenVPN on Android
Friedrich Schaeuffelhut
Freelance Software Developer, Munich
Droidcon Berlin, 2013
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.
Friedrich Schaeuffelhut OpenVPN on Android
Outline
1 Introduction
  About VPNs
  About OpenVPN
2 OpenVPN on Android
  Overview
  Rooted Phone versus Android 4 VPN Service API
  Implementations explained
  Configuration Considerations
3 Concluding Remarks
  OpenVPN Settings as a Library
  Community
About VPNs | About OpenVPN
What is a VPN?
A VPN (Virtual Private Network) extends a private network across public networks like the internet [1]
[1] http://en.wikipedia.org/wiki/Virtual_private_network
Why use a VPN?
- Connect multiple sites
- Form one logical network
- Allow roaming users to
  - access files on a server / NAS
  - receive / send email via private mail server
  - access private servers, e.g. SCM, Jenkins, etc.
- Create a network of trusted users
  - Simpler security configuration inside
  - Direct communication between remote users, e.g. exchange GIT commits between developers
What is OpenVPN?
- OpenVPN is an open source (GPL) VPN solution (James Yonan)
- Available since 2001 (Version 0.90) on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, Windows 2000/XP/Vista/7 and Android
- OpenVPN is a trademark of OpenVPN Technologies Inc. and commercially backed by this company
What technology is used by OpenVPN?
- Encryption
  - SSL based VPN (also used in https)
  - Using openssl
- Kernel virtual network device
  - TUN: Layer 3, IP packets
  - TAP: Layer 2, Ethernet frames
- Connection to VPN peer
  - Uses UDP or TCP
  - Encrypts data and control channel
Why use OpenVPN?
- Firewall friendly, only one port is needed
- Network Address Translation (NAT) friendly
- Simple installation
- Same configuration can run on all platforms
- Flexible user authentication
  - Preshared key
  - Username/Password authentication
  - X509 Certificates
- Includes script for managing RSA certificates and keys
Overview | Rooted Phone versus Android 4 VPN Service API | Implementations explained | Configuration Considerations
OpenVPN on Android?
- OpenVPN should run on Android - after all it's Linux, isn't it?
- TUN/TAP access requires root privileges
- No "su" for Apps on a standard Android device
- Most devices can be rooted, then "su" is available.
- Android 4 (ICS) offers VPN API (creating TUN device for the app)
Short History of OpenVPN on Android
- Compiled OpenVPN for ADP1 in January 2009
- Used AOSP source to compile, NDK did not exist
- Added liblzo and missing ciphers to OpenSSL
- Published source at github.com/fries
- Alternate firmwares like CyanogenMOD [2] picked it up
[2] http://www.cyanogenmod.org/
OpenVPN Settings
OpenVPN binary alone is not very useful
- OpenVPN Settings
  - modeled after Wifi Settings
  - starts/stops a config stored on SD card
  - now has 50,000 users
- OpenVPN Installer
  - ADP1 had limited storage ⇒ separate App
  - copies binary into /system/xbin
The Present and the Future
- VPN Service API is now available on Android 4 (ICS, API Level 14+)
- No ROOT required anymore
- New Apps emerge
  - ics-openvpn [3] by Arne Schwabe
  - TorGuard [4] App by Florida-based VPNetworks LLC
[3] https://code.google.com/p/ics-openvpn
[4] http://torguard.net
Rooted Phone versus Android 4 VPN Service API

                   Rooted Phone       VPN Service API
API Level          4+                 14+
Kernel device      TUN or TAP         TUN only
Device opened by   OpenVPN            Android
ifconfig           OpenVPN            Android
Routes             OpenVPN            Android
DNS servers        App via setprop    Android
Search domains     App via setprop    Android
Tethering          Yes                No [5]

[5] Hot spot enabled, but no data transmitted
Is support for rooted devices required?
- Android 4 VPN Service API is
  - very secure
  - useful for most users
- Rooted phones
  - allow TAP devices and tethering
  - ideal for the enthusiast
  - still useful even on Android 4
- OpenVPN Settings will
  - maintain support for rooted devices
  - support the Android 4 VPN Service API
  - leave the choice to the user
Implementations explained
- OpenVPN management interface
- Rooted Phones
- Android 4 VPN Service API
The Management Interface
- Connect via UNIX domain socket
- Request/Respond username/password
- Request/Respond passphrase
- Restart/Terminate tunnel
- Read status messages and byte counts
- Query current tunnel state
Monitoring the OpenVPN Program
- APP creates UNIX domain socket
- OpenVPN connects in management-client mode
- OpenVPN exits when management connection is closed
- OpenVPN exits when APP is killed
- socket is protected by file system permissions
- only APP and OpenVPN can access socket
Used on both rooted devices and with VPN service API
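The app side of the management channel described on the last two slides (a UNIX socket only the app's UID can open, answering the username/password prompt, tracking state and byte counts, restart/terminate), as an added Python example; it is not code from the slides or from OpenVPN Settings. The prompt and command syntax is OpenVPN's management interface; the socket path, credentials and counts used when exercising it are constructed.

```python
import os
import socket
from dataclasses import dataclass

def quote(value):
    """Quote a command argument; OpenVPN expects backslash and '"' escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def bind_management_socket(path):
    """Create the UNIX socket OpenVPN connects to when run with
    --management <path> unix --management-client. umask 077 restricts the
    socket file to the app's UID: only the app and its OpenVPN child can use it."""
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o077)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv

@dataclass
class TunnelMonitor:
    """Answers credential requests and tracks the '>' notifications OpenVPN
    pushes over the management channel (state, byte counts, fatal errors)."""
    username: str
    password: str
    state: str = "NONE"
    bytes_in: int = 0
    bytes_out: int = 0
    # Sent once OpenVPN has connected: enable state and byte-count reports,
    # then release the hold set by --management-hold so the tunnel starts.
    INITIAL = ("state on", "bytecount 10", "hold release")
    RESTART, TERMINATE = "signal SIGUSR1", "signal SIGTERM"

    def handle_line(self, line):
        """Process one line from OpenVPN; return the commands to send back."""
        line = line.rstrip("\r\n")
        if line.startswith(">PASSWORD:Need 'Auth' username/password"):
            return [f'username "Auth" {quote(self.username)}',
                    f'password "Auth" {quote(self.password)}']
        if line.startswith(">STATE:"):  # time,state,description,local ip,remote ip
            self.state = line[len(">STATE:"):].split(",")[1]
        elif line.startswith(">BYTECOUNT:"):  # bytes in,bytes out
            self.bytes_in, self.bytes_out = map(int, line[len(">BYTECOUNT:"):].split(","))
        elif line.startswith(">FATAL:"):
            self.state = "FATAL"
        return []
```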
Rooted devices
Supported by "OpenVPN Settings" [6]
- Standard OpenVPN binary compiled for Android
- Started via 'su' command
- OpenVPN configures network interface and routes
  - calls ifconfig and route
  - Android ifconfig and route are very simple
  - busybox provides compatible ifconfig and route
[6] https://code.google.com/p/android-openvpn-settings/
Android 4 VPN Service
- Implemented in ics-openvpn and "OpenVPN Settings"
- User must grant permission to use VpnService
- Android creates TUN device for App
  ⇒ Hand over TUN FD from App to OpenVPN
  ⇒ OpenVPN must send interface parameters to APP (ip address, routes, dns server, etc)
- Protect TCP/UDP connection from new default route
  ⇒ Hand over TCP/UDP socket from OpenVPN to App
Packet Transport
- TUN vs TAP
- UDP vs TCP
- TCP over TCP
TUN vs TAP
TUN and TAP are virtual network kernel devices [7]

               TAP                  TUN
Level          2                    3
Simulates      link layer device    network layer device
Operates on    ethernet frames      IP packets
Used for       network bridge       routing

[7] http://en.wikipedia.org/wiki/TUN/TAP
UDP vs TCP

UDP          TCP
unreliable   reliable
unordered    ordered
datagram     stream
Data Channel Encapsulation
TCP over TCP
"Why TCP Over TCP Is A Bad Idea" by Olaf Titz [8]
- TCP over TCP tends to break TCP's retransmission algorithm when the underlying connection suffers from packet loss
- High packet loss will worsen the effect
- UDP is better suited for packet transport than TCP
[8] http://sites.inka.de/~W1011/devel/tcp-tcp.html
UDP versus TCP in Mobile Networks
UDP the winner for tunneling? UDP in mobile networks has its drawbacks too
- Mobile devices are usually behind a NAT gateway
- For TCP the NAT session lasts as long as the TCP connection exists
- UDP has no connection, NAT sessions must time out
- Once the NAT session has been discarded, the remote VPN endpoint can not reach the mobile endpoint
- Keep alive packets are needed to keep the connection up
- But this will keep the radio busy and drain the battery
Personally I use UDP without problems
Creating a Configuration: Setting up Certificates
code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo
Create the CA, the server certificate and the client certificates with easy-rsa's pkitool:
  # CA
  KEY_CN=ca KEY_EMAIL=ca@acme ./pkitool --initca
  # server certificate
  KEY_CN=server KEY_EMAIL=server@acme ./pkitool --server server
  # client certificates (the name is written out: a KEY_CN set only in the
  # command's environment is not visible when the shell expands $KEY_CN)
  KEY_CN=client1 KEY_EMAIL=client1@acme ./pkitool client1
  KEY_CN=client2 KEY_EMAIL=client2@acme ./pkitool client2
Creating a Configuration: OpenVPN Configuration Files
code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo

client.conf
  proto udp
  dev tun
  topology subnet
  tls-client
  ca ca.crt
  cert client.crt
  key client.key
  remote-cert-tls server
  remote ***** YOUR SERVERS IP ADDRESS *****
  rport 1194
  pull

server.conf
  mode server
  proto udp
  dev tun
  topology subnet
  tls-server
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  remote-cert-tls client
  port 1194
  ifconfig 10.0.0.1 255.255.255.0
  client-config-dir vpnclients.ccd
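A check an Android client app can run over a client.conf before handing it to OpenVPN, tying together three points from this deck: the remote-cert-tls line in the config above, the TUN-only limit of the VpnService API, and the TCP-over-TCP caveat. Added Python example, not code from the slides or from OpenVPN Settings; the embedded config is the slides' client.conf with a constructed server IP, and the finding texts are my own.

```python
import shlex

# Constructed sample: the client.conf from the slides with a placeholder server IP.
CLIENT_CONF = """proto udp
dev tun
topology subnet
tls-client
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
remote 203.0.113.10
rport 1194
pull
"""

def parse_conf(text):
    """OpenVPN config: 'directive args' lines, '#'/';' comments, <tag>...</tag> inline blocks."""
    directives, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # skip the body of an inline block (e.g. an embedded <ca> PEM)
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.append((inline, ["<inline>"]))
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives

def lint_client_conf(text, vpn_service_api=True):
    """Findings a VPN app should raise before it starts OpenVPN with this client config."""
    conf = parse_conf(text)
    findings = []
    if ("remote-cert-tls", ["server"]) not in conf:
        findings.append("no 'remote-cert-tls server': any CA-signed client cert "
                        "could pose as the server")
    if not any(d == "ca" for d, _ in conf):
        findings.append("no 'ca': the server certificate cannot be verified")
    if vpn_service_api and ("dev", ["tap"]) in conf:
        findings.append("'dev tap' is not available via the VpnService API (TUN only)")
    if any(d == "proto" and a and a[0].startswith("tcp") for d, a in conf):
        findings.append("'proto tcp' tunnels TCP over TCP; use udp unless a firewall forces tcp")
    return findings
```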
OpenVPN Settings as a Library | Community | Summary | Acknowledgments
OpenVPN Settings as a Library: Create your OpenVPN based Client
- Licensed under the GPLv3
- Split in app and library modules
- Supports
  - rooted phones (API Level 4+)
  - Android 4 VPN service (API Level 14+)
- Implements OpenVPN service
- Client API connecting to OpenVPN service
  - can be used for custom clients
  - commercial license available [9]
[9] email [email protected]
The TorGuard App: Using OpenVPN Settings as a Library
- US start-up offering privacy
- Provides anonymous internet access
- Choose a server, press Connect
- Trust the App
- Type in credentials
- Surf anonymously
The TorGuard App: Using OpenVPN Settings as a Library
- Download TorGuard from Google Play
- For free trial send email [email protected]
- For 20% discount use code DroidconBerlin2013
Community
- Google Group for "OpenVPN Settings for Android"
- Follow "OpenVPN Settings" on Google+
- Follow me on Google+: Friedrich Schaeuffelhut
- Follow me on Twitter: @fschaeuffelhut
Summary
- OpenVPN Networking
- Android Implementation
- Configuration
- OpenVPN Settings Library
Outlook
- Publish updated version of OpenVPN Settings
- Unified OpenVPN for rooted devices and VPN service.
Acknowledgements
- OpenVPN: James Yonan and OpenVPN Technologies Inc
- OpenVPN for Android 4 VPN service API: Arne Schwabe
- Supporting my work: TorGuard, VPNetwork LLC.
Thank You!