Build an OpenVPN server on android device

Preparation


  1. An Android device (a Sony Xperia Z is used here)
  2. Root permission
  3. Linux Deploy, to deploy a Linux image via chroot/proot
  4. OpenVPN


Steps

1. Root the Android device to get superuser permission
2. Install Linux Deploy from the Play Store or a custom APK.
3. Install Linux
  • Click the download icon to select the image to deploy

  • Select the distribution and suite to use
  • Set the user name and password
  • Enable the init system
  • Enable the SSH server

  • Deploy the distribution

  • After installation completes, start Linux

4. Connect to the Android device via SSH
5. Install OpenVPN
  • Install the required packages
# update apt repository
$ sudo apt-get update
# install openvpn, easy-rsa and ufw
$ sudo apt-get install openvpn easy-rsa ufw
  • Create the CA directory and edit the vars configuration
# create ca folder
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
# edit variables
$ vi vars
  • Edit vars as below
# certification info
export KEY_COUNTRY="TW"
export KEY_PROVINCE="CA"
export KEY_CITY="Taipei"
export KEY_ORG="Prhythm-Studio"
export KEY_EMAIL="mxxxxxxxxx@gmail.com"
export KEY_OU="RD"
# server key name
export KEY_NAME="vpnserver"
  • Build the CA, server and client certificates
# source the variables
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/android/openvpn-ca/keys
# clean data
$ ./clean-all
# build ca
$ ./build-ca
Generating a 2048 bit RSA private key
.....................+++
...................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [Prhythm-Studio CA]:
Name [vpnserver]:
Email Address [mxxxxxxxxx@gmail.com]:
# build the server key and certificate
# use the KEY_NAME set in vars; the argument also becomes the file name (vpnserver.crt/.key) referenced from server.conf
$ ./build-key-server vpnserver
Generating a 2048 bit RSA private key
...............................................+++
...............................+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [vpnserver]:
Email Address [mxxxxxxxxx@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/android/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'Prhythm-studio'
organizationalUnitName:PRINTABLE:'RD'
commonName :PRINTABLE:'vpnserver'
name :PRINTABLE:'vpnserver'
emailAddress :IA5STRING:'mxxxxxxxxx@gmail.com'
Certificate is to be certified until Apr 27 09:24:08 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# build Diffie-Hellman parameters
$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........+............+ (progress output trimmed) ..........++*++*
# build the client key and certificate (one per client, each with a unique Common Name)
$ ./build-key client-c6602
Generating a 2048 bit RSA private key
..................+++
..................................................+++
writing new private key to 'client-c6602.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [client-c6602]:
Name [vpnserver]:
Email Address [mxxxxxxxxx@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/android/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'Prhythm-studio'
organizationalUnitName:PRINTABLE:'RD'
commonName :PRINTABLE:'client-c6602'
name :PRINTABLE:'vpnserver'
emailAddress :IA5STRING:'mxxxxxxxxx@gmail.com'
Certificate is to be certified until Apr 27 09:24:08 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

  • Copy the required certificates and keys to the OpenVPN directory
  • Create server.conf from the sample config
  • Edit server.conf
# copy the files the server needs to /etc/openvpn
# ca.key is deliberately not copied: the CA private key stays on the signing host; the server only needs ca.crt to verify clients
$ sudo cp ca.crt vpnserver.crt vpnserver.key dh2048.pem /etc/openvpn
# generate server.conf
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
# edit openvpn server config
# change what you need in config
$ sudo vi /etc/openvpn/server.conf
  • Edit server.conf as below; modify what you need
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.10.10.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below are Google's public
# DNS servers.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
  • Enable IP forwarding in sysctl.conf
# adjust the server networking configuration
$ sudo vi /etc/sysctl.conf
  • Uncomment the line so the device forwards traffic from the VPN
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
  • Apply the change
# apply the sysctl change
$ sudo sysctl -p
  • Edit the firewall rules
# edit firewall rules for routing
$ sudo vi /etc/ufw/before.rules
  • Add the following at the top of the file, above the existing *filter section, so traffic from the VPN subnet is NATed out of the wireless interface (wlan0). The source must be the VPN pool, 10.8.0.0/24: a /8 here would also masquerade the 10.10.10.0/24 LAN that server.conf pushes as a route.
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients (10.8.0.0/24) out through wlan0
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
  • Edit the firewall configuration
# edit firewall configuration
$ sudo vi /etc/default/ufw
  • Set the default forward policy to ACCEPT (this forwards between all interfaces, which is acceptable for a single-purpose device; a stricter setup keeps DROP and adds explicit ufw route rules)
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
  • Add firewall rules for the VPN and for SSH
  • Reload the firewall. In this chroot the reload prints the errors shown below. The modprobe failures are harmless: /etc/default/ufw lists conntrack helper modules in IPT_MODULES, and the chroot has no /lib/modules for the Android kernel, so they cannot be loaded (set IPT_MODULES="" in /etc/default/ufw to silence them). The iptables-restore failures are not harmless: "Problem running '/etc/ufw/before.rules'" means at least one table in that file did not load, so before relying on redirect-gateway, list the nat table (sudo iptables -t nat -S POSTROUTING) and confirm the MASQUERADE rule for 10.8.0.0/24 is present; if it is missing, remove or fix the failing lines until ufw enable reports no errors.
# allow vpn connection
$ sudo ufw allow 1194/udp
Rules updated
Rules updated (v6)
# allow ssh connection
$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
# restart firewall
$ sudo ufw disable
Firewall stopped and disabled on system startup
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/3.4.67-qemu+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/3.4.67-qemu+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/3.4.67-qemu+
iptables-restore: line 87 failed
iptables-restore: line 30 failed
ip6tables-restore: line 138 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/before6.rules'
  • Start OpenVPN
  • Validate the result
# start vpn service
$ sudo service openvpn start
# check result
# when the service starts successfully, ifconfig shows the tun0 tunnel interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:5237 errors:0 dropped:0 overruns:0 frame:0
TX packets:5060 errors:0 dropped:12 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:458486 (458.4 KB) TX bytes:3861064 (3.8 MB)
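Three mistakes are easy to make in the server-side steps above and all of them are visible in plain text: copying ca.key next to the server key, writing the MASQUERADE source as 10.8.0.0/8 instead of the /24 pool, and reusing a Common Name between certificates. The following lint script is an added example written for this page, not code from the original post; it reads server.conf, easy-rsa's keys/index.txt and before.rules and reports those problems. The sample inputs inside are constructed to mirror the post (file names, the 10.8.0.0/24 pool and the pushed 10.10.10.0/24 LAN route); the port, proto, dev and server lines are the sample server.conf defaults the post keeps.

```python
"""Lint the server-side pieces of the walkthrough (added example, not the post's code).

Three checks, all on plain text so it runs offline:
  1. ca.key must not be among the files copied to /etc/openvpn.
  2. every cert in easy-rsa's keys/index.txt needs a unique Common Name, and the
     cert/key named in server.conf must be among the deployed files.
  3. the MASQUERADE source in before.rules must equal the VPN pool from the
     'server' directive; a wider mask also NATs the pushed LAN route.
"""
import ipaddress
import re


def parse_server_conf(text):
    """Extract the VPN pool, cert/key file names and pushed routes."""
    conf = {"pool": None, "cert": None, "key": None, "routes": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            conf["pool"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[0] in ("cert", "key") and len(parts) >= 2:
            conf[parts[0]] = parts[1]
        elif parts[0] == "push":
            m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
            if m:
                conf["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return conf


def issued_common_names(index_txt):
    """Common Names of the valid (status V) entries in keys/index.txt."""
    cns = []
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "V":
            m = re.search(r"/CN=([^/]+)", fields[5])
            if m:
                cns.append(m[1])
    return cns


def masquerade_rules(before_rules):
    """(source as written, network as iptables applies it, out interface) per rule."""
    found = []
    for line in before_rules.splitlines():
        m = re.match(r"-A POSTROUTING\s.*-s (\S+)\s.*-o (\S+)\s.*-j MASQUERADE", line.strip())
        if m:
            # strict=False mirrors iptables, which masks 10.8.0.0/8 down to 10.0.0.0/8
            found.append((m[1], ipaddress.ip_network(m[1], strict=False), m[2]))
    return found


def lint(server_conf, index_txt, before_rules, deployed_files):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    conf = parse_server_conf(server_conf)
    if "ca.key" in deployed_files:
        findings.append("ca.key is deployed to the VPN server; the CA private key belongs only on the signing host")
    cns = issued_common_names(index_txt)
    for cn in sorted({c for c in cns if cns.count(c) > 1}):
        findings.append(f"duplicate Common Name {cn!r}; each certificate needs a unique CN")
    for kind in ("cert", "key"):
        if conf[kind] and conf[kind] not in deployed_files:
            findings.append(f"server.conf names {conf[kind]} but it was not deployed")
    if conf["pool"] is None:
        findings.append("no 'server' directive in server.conf; cannot check the NAT rule")
        return findings
    rules = masquerade_rules(before_rules)
    if not rules:
        findings.append("no MASQUERADE rule in before.rules; redirect-gateway clients get no internet")
    for written, net, iface in rules:
        if net == conf["pool"]:
            continue
        msg = f"MASQUERADE source {written} (applied as {net}) is not the VPN pool {conf['pool']}"
        swallowed = [str(r) for r in conf["routes"] if r.subnet_of(net)]
        if swallowed:
            msg += f"; it also masquerades pushed LAN route(s) {', '.join(swallowed)} out of {iface}"
        findings.append(msg)
    return findings


# Constructed sample inputs mirroring the post (port/proto/dev/server lines are the
# sample server.conf defaults the post keeps; the /8 rule is the mistake to catch).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
"""
SAMPLE_INDEX_TXT = (
    "V\t270427092408Z\t\t01\tunknown\t/C=TW/ST=CA/O=Prhythm-studio/CN=vpnserver/name=vpnserver\n"
    "V\t270427092408Z\t\t02\tunknown\t/C=TW/ST=CA/O=Prhythm-studio/CN=client-c6602/name=vpnserver\n"
)
RULES_AS_POSTED = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0/8 -o wlan0 -j MASQUERADE\nCOMMIT\n"
RULES_FIXED = RULES_AS_POSTED.replace("10.8.0.0/8", "10.8.0.0/24")
COPIED_AS_POSTED = {"ca.crt", "ca.key", "vpnserver.crt", "vpnserver.key", "dh2048.pem"}

if __name__ == "__main__":
    for finding in lint(SAMPLE_SERVER_CONF, SAMPLE_INDEX_TXT, RULES_AS_POSTED, COPIED_AS_POSTED):
        print("FINDING:", finding)
    print("after fixes:", lint(SAMPLE_SERVER_CONF, SAMPLE_INDEX_TXT, RULES_FIXED, COPIED_AS_POSTED - {"ca.key"}))
```

Run it on the real files by reading /etc/openvpn/server.conf, ~/openvpn-ca/keys/index.txt and /etc/ufw/before.rules and passing the directory listing of /etc/openvpn as the deployed set; the NAT check deliberately compares what iptables will apply (the masked network), not the string you typed, which is why 10.8.0.0/8 is reported as 10.0.0.0/8.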

6. Use a VPN client to connect to the Android device
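Step 6 leaves the client side open. Below is an added example, written for this page and not taken from the post, that assembles a single-file client profile matching the server above: UDP port 1194, a tun device, the CA certificate plus the client's own certificate and key inlined, and remote-cert-tls server so the client refuses a peer that presents an ordinary client certificate signed by the same CA (build-key-server is what gives the server certificate the server key usage this check requires). The PEM strings and the host name vpn.example.invalid are constructed placeholders standing in for ca.crt, client-c6602.crt, client-c6602.key and the device's public address.

```python
"""Single-file client profile for step 6 (added example, not the post's code).

Assembles the client side to match the server above (UDP 1194, tun) with the
CA certificate, client certificate and client key inlined. 'remote-cert-tls
server' makes the client accept only a peer whose certificate was built with
build-key-server (server key usage), so a client certificate signed by the
same CA cannot pose as the server. The PEM checks stop the two common bundling
mistakes: shipping ca.key, and putting a certificate in the key slot.
"""


def _check_pem(text, expected, slot):
    """Return a single tidy PEM block, or raise if it is not the right kind."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError(f"{slot}: not a PEM block")
    kind = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if expected == "cert" and kind != "CERTIFICATE":
        raise ValueError(f"{slot}: expected CERTIFICATE, got {kind} (never embed ca.key)")
    if expected == "key" and "PRIVATE KEY" not in kind:
        raise ValueError(f"{slot}: expected a private key, got {kind}")
    return "\n".join(lines)


def build_client_ovpn(remote, ca_pem, cert_pem, key_pem, port=1194, proto="udp"):
    """Return the text of a unified-format client profile."""
    directives = [
        "client",
        "dev tun",
        f"proto {proto}",
        f"remote {remote} {port}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",  # peer must present a server-type certificate
        "verb 3",
    ]
    parts = ["\n".join(directives)]
    for tag, pem, expected in (("ca", ca_pem, "cert"), ("cert", cert_pem, "cert"), ("key", key_pem, "key")):
        parts.append(f"<{tag}>\n{_check_pem(pem, expected, tag)}\n</{tag}>")
    return "\n".join(parts) + "\n"


# Constructed placeholder PEMs standing in for ca.crt, client-c6602.crt and
# client-c6602.key (and, for the negative case, ca.key); the bodies are not real key material.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCA\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderClient\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKey\n-----END PRIVATE KEY-----\n"
FAKE_CA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderCAKey\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # vpn.example.invalid is an assumed placeholder for the device's public address
    print(build_client_ovpn("vpn.example.invalid", FAKE_CA, FAKE_CLIENT_CERT, FAKE_CLIENT_KEY))
```

Feed it the real ca.crt, client-c6602.crt and client-c6602.key from ~/openvpn-ca/keys and the address the phone is reachable on, write the result to client-c6602.ovpn, and import that one file into the client; the embedded key is as sensitive as the .key file itself, so move the profile over SSH rather than e-mail and delete copies once imported.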
My Conky config

About Conky: Conky is a free, light-weight system monitor for X, that displays any kind of information on your desktop.


background yes
use_xft yes
xftfont Arial:size=8
xftalpha 1
update_interval 1.0
total_run_times 0
own_window yes
own_window_transparent yes
own_window_type desktop
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
double_buffer yes
minimum_size 200 1200
maximum_width 200
draw_shades yes
draw_outline no
draw_borders no
draw_graph_borders yes
default_color white
default_shade_color black
default_outline_color white
alignment top_right
gap_x 12
gap_y 12
no_buffers yes
uppercase no
cpu_avg_samples 2
override_utf8_locale yes
TEXT
${font Terminus:bold:size=10}SYSTEM ${hr 2}
${font Terminus:normal:size=8}$sysname $kernel $alignr $machine
Host:$alignr$nodename
Uptime:$alignr$uptime
File System: $alignr${fs_type}
Battery: ${battery_percent BAT0}% ${alignr}${battery_bar 8,60 BAT0}
${font Terminus:bold:size=10}PROCESSORS ${hr 2}
${font Terminus:normal:size=8}${cpugraph}
CPU1: ${cpu cpu1}% ${cpubar cpu1}
CPU2: ${cpu cpu2}% ${cpubar cpu2}
CPU3: ${cpu cpu3}% ${cpubar cpu3}
CPU4: ${cpu cpu4}% ${cpubar cpu4}
${font Terminus:bold:size=10}MEMORY ${hr 2}
${font Terminus:normal:size=8}RAM $alignc $mem / $memmax $alignr $memperc%
$membar
${font Terminus:bold:size=10}DISKS ${hr 2}
${font Terminus:normal:size=8}Read: ${diskio_read}${alignr}Write: ${diskio_write}
${diskiograph_read 25,98}${alignr}${diskiograph_write 25,98}
${font Terminus:normal:size=8}/ $alignc ${fs_used /} / ${fs_size /} $alignr ${fs_used_perc /}%
${fs_bar /}
${font Terminus:normal:size=8}/home $alignc ${fs_used /home} / ${fs_size /home} $alignr ${fs_used_perc /home}%
${fs_bar /home}
${font Terminus:bold:size=10}TOP PROCESSES ${hr 2}
${font Terminus:normal:size=8}${top pid 1}${goto 40}${top name 1}${alignr}${top cpu 1} %
${top pid 2}${goto 40}${top name 2}${alignr}${top cpu 2} %
${top pid 3}${goto 40}${top name 3}${alignr}${top cpu 3} %
${top pid 4}${goto 40}${top name 4}${alignr}${top cpu 4} %
${top pid 5}${goto 40}${top name 5}${alignr}${top cpu 5} %
${font Terminus:bold:size=10}TOP MEMORY ${hr 2}
${font Terminus:normal:size=8}${top_mem pid 1}${goto 40}${top_mem name 1}$alignr${top_mem mem 1} %
${top_mem pid 2}${goto 40}${top_mem name 2}$alignr${top_mem mem 2} %
${top_mem pid 3}${goto 40}${top_mem name 3}$alignr${top_mem mem 3} %
${top_mem pid 4}${goto 40}${top_mem name 4}$alignr${top_mem mem 4} %
${top_mem pid 5}${goto 40}${top_mem name 5}$alignr${top_mem mem 5} %
${font Terminus:bold:size=10}NETWORK ${hr 2}
${font Terminus:normal:size=8}Public IP:${alignr}${curl ifconfig.io/ip 5}
IP address: $alignr ${addr wlan0}
SSID: $alignr ${wireless_essid wlan0}
Connection quality: $alignr ${wireless_link_qual_perc wlan0}%
${downspeedgraph wlan0}
DLS:${downspeed wlan0} kb/s $alignr total: ${totaldown wlan0}
${upspeedgraph wlan0}
ULS:${upspeed wlan0} kb/s $alignr total: ${totalup wlan0}