Sunday, December 21, 2014

Finally! Connecting to a UDP OpenVPN Server on Android Over AT&T's Mobile Network!

The last month of my life I have spent countless hours trying to get this to work... no matter what I did I simply could not connect to my OpenVPN server unless I was on wifi, and even then I would often have problems. Now, I am trying not to get too excited just yet, because I had this working a few days ago and then all of a sudden it stopped working. I reflashed a backup I had made after I got it working the first time around, and it worked again for a minute or so, then stopped. I was so frustrated that I honestly missed out on a lot of life over the last few days, because I have been so preoccupied with researching ways to get this to work.

To be even more honest, I am not even sure exactly why it is working now, because I have tweaked so many settings to get it to work. However, with that said, the latest settings I have tweaked are:

- I installed the OpenVPN binary directly to my phone's /system partition. This is apparently an updated version of the binary that knows how to handle certain error messages that the OpenVPN for Android app does not know what to do with. It also requires a rooted phone, of course, because we need to write to the read-only /system partition. Even then, I had to use a customized build because since updating to 4.4.4 (custom Arearom10), when the system is mounted as read-write (through ADB or the terminal emulator), the binary would still not install because the write access is limited to the user who requested it. Since each application on an Android system is running as its own user, in its own sandbox, the OpenVPN binary-installer available on the Play Store does not work.

- I was using UDP port 443 for my VPN, and have been for quite a while. This is because (it used to be, anyway...) this port was always open, no matter what network I was connected to. Things have changed, and now, for whatever reason, I could not even get a TCP connection to authenticate over port 443! (wtf?)

- So I changed the port of my server to a random port with no official usage, and then it connected via a TCP connection! Yay... sort of. TCP is slow. So then I switched the server back to UDP, and... it still worked!

- I also had to specify a TCP MTU payload of 1500 in the config file (which is generally the default anyway, so I don't know why that needed to be specified, but it does!)

- Hmm... what else... I have tried so many different configurations that I cannot even remember them all. But the settings I just outlined above are currently working on AT&T's 3G mobile network, so if you are struggling to get this to work this is what I would suggest:

1) Change the port number to something random. If it does not work, try another port. You should find one that works eventually, given that you...
2) Also specify to "override" the MTU payload to 1500 in your client.conf file.
3) Install the OpenVPN binary to /system/xbin/openvpn (you can try the official installer from the Play Store; if that does not work, use the APK file referenced above).
4) Also install the "OpenVPN Settings" app from the Play Store... not sure why this is needed, but it is working and I am so sick of fucking around with everything, that I will deal with having dual 'vpn connected' notifications for the time being...

That should be all. Let me know if this works for you, I hope this helps someone. I will also post a much more detailed guide once I figure out exactly what solved the issue. By the way, it works fine without any of these insane tweaks over Verizon's network... (again... wtf?)

Long live hackers. The world would suck without them. Thank you to the dude who wrote that tweaked binary installer! You saved my Christmas.

Update: Oh yeah... I almost forgot to remind you, in case you have not been paying attention or simply don't know... Easy-RSA was updated a while ago, and if you are not using version 3 yet, then you really ought to upgrade it, and also please remember to use a separate machine as your Certificate Authority, as opposed to generating and signing all of your server & client keys on the same server (or worse, VPS...). This is very important (if you care about security), because whoever owns your VPS server can likely obtain a root shell any time that they want to, thus giving them access to all of your keys, which breaks the encryption of the entire network!
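The split-CA setup the update above recommends, as an added shell sketch that is not from the post: the VPS only ever creates its own key and a signing request, the CA private key lives on a separate (ideally offline) box, and a small check confirms no ca.key ever landed on the server. It assumes Easy-RSA 3's easyrsa script is on PATH on both machines; directory names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the post's own code). Easy-RSA 3 split-CA workflow.
# Assumes: `easyrsa` (Easy-RSA 3) is on PATH on the VPS and on the CA box.
# The CA private key (pki/private/ca.key) is created and used ONLY on the
# CA box; the VPS holds its own server key and a request, never the CA key.
set -eu

# --- Run on the VPS: make the server key and a CSR. No CA is built here. ---
vps_make_request() {
    # $1 = working dir on the VPS, $2 = server short name (e.g. "server")
    cd "$1"
    easyrsa init-pki
    easyrsa gen-req "$2" nopass    # writes pki/private/$2.key and pki/reqs/$2.req
    # Copy pki/reqs/$2.req to the CA box (scp, USB stick...); the .key stays here.
}

# --- Run on the offline CA box: build the CA once, then import and sign. ---
ca_sign_request() {
    # $1 = working dir on the CA box, $2 = path to the received .req,
    # $3 = short name to file it under, $4 = "server" or "client"
    cd "$1"
    if [ ! -f pki/private/ca.key ]; then
        easyrsa init-pki
        easyrsa build-ca           # interactive: set a passphrase on the CA key
    fi
    easyrsa import-req "$2" "$3"
    easyrsa sign-req "$4" "$3"     # produces pki/issued/$3.crt
    # Copy pki/issued/$3.crt and pki/ca.crt back to the VPS (or client).
}

# --- Sanity check for the VPS: the CA private key must not be present. ---
# Returns 0 if $1/private/ca.key does not exist, 1 if it does (which means
# the CA was generated on the server, the situation the post warns against).
assert_no_ca_key_on_server() {
    pki="$1"
    if [ -e "$pki/private/ca.key" ]; then
        echo "CA private key found at $pki/private/ca.key: move the CA off this host" >&2
        return 1
    fi
    return 0
}
```

Revoking a compromised client later also happens only on the CA box (easyrsa revoke, then gen-crl), with just the resulting crl.pem copied to the server.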
