OpenVPN on SGS2 using Cyanogen 7.1

I toyed with this yesterday and thought I would share the experiment. I wanted to try out the OpenVPN software built into Cyanogen on my Samsung Galaxy S2; for the other side I used a Debian box (which uses a public IP). The first step is obviously installing OpenVPN on the server, then configuring it. Once it is installed, run the following steps: they symlink the easy-rsa directory, create the server CA and create its certificates.

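# server.conf below expects the keys under /etc/openvpn/easy-rsa/keys
cd /etc/openvpn
ln -s /usr/share/doc/openvpn/examples/easy-rsa/1.0 easy-rsa
cd easy-rsa
# load the easy-rsa settings into the current shell
source ./vars
# wipe any previous keys directory
./clean-all
# create the CA, the DH parameters, then the server key and certificate
./build-ca
./build-dh
./build-key-server yourserver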

Once this is done and you have checked that none of the commands you typed reported an error, you can create your first client. Still within the same directory, run: ./build-key-pkcs12 cm7. In this example, cm7 is your client name.

This is the working config for my OpenVPN server; edit /etc/openvpn/server.conf. I chose TCP as a more reliable way to have my client keep the VPN connection over crappy GPRS.

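# listen on TCP port 8443, routed (tun) tunnel
proto tcp
port 8443
dev tun
# CA, server certificate, server key and DH parameters from the easy-rsa steps
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/yourserver.crt
key /etc/openvpn/easy-rsa/keys/yourserver.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# remember which VPN address each client was given
ifconfig-pool-persist ipp.txt
# VPN subnet handed out to clients
server 192.168.6.0 255.255.255.0
# ping every 10 seconds, consider the peer down after 120 seconds of silence
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# smaller packets for the mobile link
mssfix 1200
tun-mtu 1200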

Now comes the interesting bit: Cyanogen has a page on OpenVPN, but they don’t really explain how to install the p12 cert you generated. You will need to copy it to the root of your sdcard, then go to Settings/Location and Security/Storage Credentials/Install from SD Card. Once you have selected the file, it will ask for the same password as used during the client cert generation; then you can select a storage password to keep it safe.

You can now set up your OpenVPN: go to Settings/Wireless & Networks/VPN Settings/Add VPN, then define the IP, name and certs, selecting the same cert for CA and user. Then go to advanced and make sure you change the IP Port and switch to TCP. Now the interesting part: it failed to connect until I rebooted the device. Has to be the shittiest fix ever but here goes…

Make sure you have started your OpenVPN server and check the logs for errors.
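
A pre-flight check to run against server.conf before starting the server, given here as an added example that is not part of the original post. It confirms that the ca, cert, key and dh files named in the config exist, that the server key is not readable by group or others, and prints the proto and port the phone has to be set to. The function names conf_value and check_server_conf and the script name check.sh are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN server.conf.
# Function names are this example's own, not OpenVPN's.

# Print the first argument of directive $2 in config file $1.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print findings for config $1; the return code is the number of problems.
check_server_conf() {
    conf=$1
    problems=0
    # Every PKI file the config names must exist and be readable.
    for d in ca cert key dh; do
        f=$(conf_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "MISSING directive: $d"
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "UNREADABLE $d file: $f"
            problems=$((problems + 1))
        fi
    done
    # The server private key must not be accessible to group or others.
    k=$(conf_value "$conf" key)
    if [ -n "$k" ] && [ -e "$k" ]; then
        perms=$(ls -lLd "$k" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE permissions on $k: fix with chmod 600"
            problems=$((problems + 1))
        fi
    fi
    # Transport settings the phone's advanced VPN options have to match.
    echo "client needs: proto=$(conf_value "$conf" proto) port=$(conf_value "$conf" port)"
    return "$problems"
}

# Usage: sh check.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_server_conf "$1"
fi
```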