Preparation
- An Android device; in this case a Sony Xperia Z is used
- Root permission is required
- Linux Deploy, to deploy a Linux image via chroot/proot
- OpenVPN
Steps
1. Root the Android device to obtain superuser permission
2. Install Linux Deploy from the Play Store or a custom APK
- Install Linux Deploy
3. Install Linux
- Click the download icon to select which image to deploy
- Select which distribution and suite to use
- Set the user name and password
- Enable the init system
- Enable the SSH server
- Deploy the distribution
- After the installation completes, start Linux
4. Connect to the Android device via SSH
5. Install OpenVPN
- Install the required packages
```sh
# update the apt package index
$ sudo apt-get update
# install openvpn, easy-rsa and ufw
$ sudo apt-get install openvpn easy-rsa ufw
```
- Create the CA directory and edit the vars configuration
```sh
# create the CA directory
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
# edit the variables
$ vi vars
```
- Edit vars as below
```sh
# certificate info
export KEY_COUNTRY="TW"
export KEY_PROVINCE="CA"
export KEY_CITY="Taipei"
export KEY_ORG="Prhythm-Studio"
export KEY_EMAIL="mxxxxxxxxx@gmail.com"
export KEY_OU="RD"
# server key name
export KEY_NAME="vpnserver"
```
- Build the CA, server and client certificates
```sh
# source the variables
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/android/openvpn-ca/keys
```
```sh
# clean old key data
$ ./clean-all
# build the CA
$ ./build-ca
Generating a 2048 bit RSA private key
.....................+++
...................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [Prhythm-Studio CA]:
Name [vpnserver]:
Email Address [mxxxxxxxxx@gmail.com]:
```
```sh
# build the server-side key
# the server name must equal KEY_NAME in vars
$ ./build-key-server vpnserver
Generating a 2048 bit RSA private key
...............................................+++
...............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [server]:
Name [server]:
Email Address [xooooooo@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/android/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'Prhythm-studio'
organizationalUnitName:PRINTABLE:'RD'
commonName :PRINTABLE:'client-c6602'
name :PRINTABLE:'vpnserver'
emailAddress :IA5STRING:'mxxxxxxxxx@gmail.com'
Certificate is to be certified until Apr 27 09:24:08 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
```sh
# build the Diffie-Hellman parameters
$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................+....................................+......................................................+.............................+......................................+............................+............................................................................................................................+............................................+.............................................................................................+................................................................................................................................................................................................................+...............+.................................................................+.................................++*++*
```
```sh
# build the client key used for the connection
$ ./build-key client-c6602
Generating a 2048 bit RSA private key
..................+++
..................................................+++
writing new private key to 'client-c6602.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Prhythm-Studio]:
Organizational Unit Name (eg, section) [RD]:
Common Name (eg, your name or your server's hostname) [client-c6602]:
Name [vpnserver]:
Email Address [mxxxxxxxxx@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/android/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'Prhythm-studio'
organizationalUnitName:PRINTABLE:'RD'
commonName :PRINTABLE:'client-c6602'
name :PRINTABLE:'vpnserver'
emailAddress :IA5STRING:'mxxxxxxxxx@gmail.com'
Certificate is to be certified until Apr 27 09:24:08 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
- Copy the required certificates to the OpenVPN directory
- Clone the configuration file from the sample config
- Edit server.conf
```sh
# copy the certificate files to the openvpn directory
# (ca.key is the CA private key; the server itself only needs ca.crt)
$ sudo cp ca.crt ca.key vpnserver.crt vpnserver.key dh2048.pem /etc/openvpn
# generate server.conf from the sample config
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
# edit the openvpn server config, changing what you need
$ sudo vi /etc/openvpn/server.conf
```
- Edit server.conf as below, modifying what you need
```conf
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.10.10.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below are Google's public DNS
# servers (the sample config lists OpenDNS here).
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
```
- Modify the networking configuration in sysctl.conf
```sh
# adjust the server networking configuration
$ sudo vi /etc/sysctl.conf
```
- Modify the content to allow traffic to be forwarded from the VPN
```conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
```
- Make the changes take effect
```sh
# apply the sysctl changes
$ sudo sysctl -p
```
- Edit the firewall rules
```sh
# edit the firewall rules for routing
$ sudo vi /etc/ufw/before.rules
```
- Add the following content to allow routing from the VPN subnet to the wireless interface
```conf
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from the OpenVPN client pool (10.8.0.0/24, see server.conf) to wlan0.
# A /8 here would NAT all of 10.0.0.0/8, not just the VPN clients.
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
```
- Edit the firewall configuration
```sh
# edit the firewall configuration
$ sudo vi /etc/default/ufw
```
- Allow the forward policy
```conf
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
```
- Add firewall rules for VPN and SSH
- Make the changes take effect. (In this case there were some errors, but I ignored them)
```sh
# allow vpn connections
$ sudo ufw allow 1194/udp
Rules updated
Rules updated (v6)
# allow ssh connections
$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
# restart the firewall
$ sudo ufw disable
Firewall stopped and disabled on system startup
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/3.4.67-qemu+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/3.4.67-qemu+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/3.4.67-qemu+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/3.4.67-qemu+
iptables-restore: line 87 failed
iptables-restore: line 30 failed
ip6tables-restore: line 138 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/before6.rules'
```
- Start OpenVPN
- Validate the result
```sh
# start the vpn service
$ sudo service openvpn start
# check the result
# the tun0 interface is shown (ifconfig output) once the service has started successfully
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:5237 errors:0 dropped:0 overruns:0 frame:0
TX packets:5060 errors:0 dropped:12 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:458486 (458.4 KB) TX bytes:3861064 (3.8 MB)
```
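As an added check that is not part of the original write-up: the script below cross-checks the server.conf client pool against the MASQUERADE rule placed in /etc/ufw/before.rules, flagging the frequently copied `10.8.0.0/8` form (which the kernel treats as all of 10.0.0.0/8) and a missing privilege drop. The `server 10.8.0.0 255.255.255.0` line is assumed from the unmodified sample config, and both input files are constructed samples, not captures from the device.

```python
import ipaddress
import re

# Constructed samples mirroring the write-up; the `server` directive is
# assumed from the unmodified sample server.conf (not shown on the page).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
push "route 10.10.10.0 255.255.255.0"
user nobody
group nogroup
"""

BEFORE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o wlan0 -j MASQUERADE
COMMIT
"""

def parse_server_conf(text):
    """Map each directive to its argument list; 'push' directives are collected."""
    conf = {"push": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, _, rest = line.partition(" ")
        if name == "push":
            conf["push"].append(rest.strip().strip('"'))
        else:
            conf[name] = rest.split()
    return conf

def nat_sources(rules):
    """Source networks of every MASQUERADE rule, normalised as the kernel sees them (10.8.0.0/8 -> 10.0.0.0/8)."""
    pat = r"-A POSTROUTING -s (\S+) .*-j MASQUERADE"
    return [ipaddress.ip_network(m, strict=False) for m in re.findall(pat, rules)]

def audit(server_conf, before_rules):
    """Return a list of findings; an empty list means the two files agree."""
    conf = parse_server_conf(server_conf)
    pool = ipaddress.ip_network("{}/{}".format(*conf["server"][:2]))
    findings = []
    for src in nat_sources(before_rules):
        if src != pool and pool.subnet_of(src):
            findings.append(f"NAT source {src} is broader than the VPN pool {pool}")
        elif not src.overlaps(pool):
            findings.append(f"NAT source {src} does not cover the VPN pool {pool}")
    if conf.get("user") != ["nobody"] or conf.get("group") != ["nogroup"]:
        findings.append("daemon keeps root: set 'user nobody' and 'group nogroup'")
    return findings
```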