Friday, March 13, 2015

OpenVPN on Android Over AT&T 3G Part 2.5

This is a follow-up to my original post regarding connection to an OpenVPN server over AT&T's mobile networks. I have finally figured out what needs to happen for this to work. These are the configurations that work. I have highlighted the important Android-specific options:

Server:

mode server # Necessary if you are using TLS auth, regardless of network
tls-server # TLS is not mandatory, but I recommend you use it.
local 123.45.678.9 # Your server's IP
port 30333 # Pick a random port with no official usage. Port 443 never worked for me on Android, not sure why. Just keep trying till you find one that works.
topology p2p # Force point-to-point tunneling (unless you have Windows clients)
proto udp # TCP over TCP sucks, you should know that.
dev tun # TAP is not supported on Android.
ca ca.crt # Your certificates, of course.
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0 # Server IP, you can change this
ifconfig-pool-persist ipp.txt # Useful if you need remote access to your device
client-config-dir clients # Allows different options for clients *
keepalive 7 80 # Default 10/120, I use a lower setting because mobile networks tend to drop connections sometimes, so ping more frequently to keep track of your connection.
tls-auth /etc/openvpn/.certs/ta.key 0 # HMAC firewall, protected me from heartbleed!
cipher AES-128-CBC # This & Blowfish work well on embedded devices, no need for AES-256 yet. The government would love for you to believe that they switched to AES-256 because they know how to crack AES-128, but that's a load of horse shit. It would take about 10 billion years to try all of the possible combinations in a 128 bit key. Brute force attacks are a waste of time these days. If the NSA wants to decrypt your traffic, they will need to get your keys another way, for example by hiding malicious code in an app that you thought was safe because Google allowed it in the Play Store.
comp-lzo # Just do it...
max-clients 10 # Not needed, but limit it to the number of clients that will be connecting for security's sake.
user nobody # Always do this for security.
group nogroup # And that.
persist-key # And this.
persist-tun # And also that.
status openvpn-status.log # It's good to know who is logged in.
log openvpn.log # I chose this over 'log-append' because I keep no logs anyway.
verb 3 # Keep this low unless you are debugging, verbose logs are more overhead for your server.
auth SHA256 # SHA512 and certain other ciphers simply do NOT work over AT&T's 3G. SHA1 and SHA256 DO work, so go with SHA256 (if you can) because SHA1 is less secure.
tun-mtu 1500 # This is key! Without specifying the MTU, nothing works! Don't ask me why.
float # This should help you maintain your connection while switching networks.

* client-config-dir clients : In your device's per-client file (in the clients directory), you will need these options to force all of its traffic through the VPN rather than the normal route:

push "redirect-gateway local def1 bypass-dhcp" # The local flag may or may not be necessary. I am not sure what this does, I can't find a decent explanation anywhere. It actually makes no sense to use the local flag, this is intended for clients and servers that are on the same network.
push "dhcp-option DNS 208.67.222.222" # Don't forget to push DNS. I may abandon OpenDNS, as apparently they keep logs of every query they ever get. I don't like that.
push "dhcp-option DNS 208.67.220.220" # Make sure you have at least two
ifconfig-push 10.8.0.99 10.8.0.100 # This is not necessary, but it's useful.


Client:

I am using OpenVPN for Android, available from the Play Store. Import your keys and certs, then delete them! Android SD card security has a ways to go, and most people are not running rooted phones, so they can't effectively control which apps get access to what. Factor that in with the disgusting amount of ad networks found in Android apps these days, and if you don't delete those keys, your traffic will be decrypted. Ad companies don't usually bother to encrypt your stolen data before transmitting it, so the NSA will easily extract those keys. In fact, I recommend you not only delete them, but shred them. Use a Linux computer with secure-delete installed and run

$ srm -R /path/to/certs

Configure the settings you used in your server configuration, and then go to Advanced > Custom Options. Type in the following two directives, with a return in between them (we need them on two lines in the generated client config):

tun-mtu 1500 # Don't forget this!
auth nocache # Make damn sure the passphrase to your key is not cached in your phone's memory! This is important!!!
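To check a server config against the Android-over-AT&T findings above before trying it on the phone, here is a small linter I added (it is not from the original post); the rules are the post's own (tun-mtu required, tun not tap, udp, auth SHA1/SHA256 only, tls-auth, dropped privileges, pushed gateway plus two DNS servers), and the sample config is constructed:

```python
# Added example (not from the post): lint an OpenVPN server config against the
# Android-over-AT&T checklist above; the rules are the post's, the wording mine.
import shlex

def parse_ovpn(text):
    """Map directive -> list of arg lists; '#' comments stripped, repeats kept."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def first(opts, name, default):
    """First argument of a directive's first occurrence, else default."""
    return opts[name][0][0] if opts.get(name) and opts[name][0] else default

def lint(opts):
    """Return findings; an empty list means the config matches the checklist."""
    findings = []
    if "tun-mtu" not in opts:
        findings.append("tun-mtu missing: add 'tun-mtu 1500'")
    if first(opts, "dev", "tun").startswith("tap"):
        findings.append("dev tap: TAP is not supported on Android, use tun")
    if first(opts, "proto", "udp").startswith("tcp"):
        findings.append("proto tcp: TCP-over-TCP, prefer udp")
    auth = first(opts, "auth", "SHA1").upper()  # OpenVPN's default HMAC is SHA1
    if auth not in ("SHA1", "SHA256"):
        findings.append(f"auth {auth}: failed over AT&T 3G, use SHA256 (or SHA1)")
    if "tls-auth" not in opts:
        findings.append("tls-auth missing: no HMAC firewall on the control channel")
    for d in ("user", "group"):
        if d not in opts:
            findings.append(f"{d} missing: daemon keeps root after startup")
    pushes = [p[0] for p in opts.get("push", []) if p]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append("push redirect-gateway missing: phone traffic bypasses the VPN")
    if sum(p.startswith("dhcp-option DNS") for p in pushes) < 2:
        findings.append("push dhcp-option DNS: fewer than two resolvers pushed")
    return findings

# Constructed sample in the post's layout, with three of its pitfalls left in.
SAMPLE = "\n".join([
    "dev tun", "proto udp", "auth SHA512  # fails over AT&T 3G",
    "tls-auth ta.key 0", "user nobody", "group nogroup",
    'push "redirect-gateway def1 bypass-dhcp"',
    'push "dhcp-option DNS 208.67.222.222"',
])
```

Run `lint(parse_ovpn(open("server.conf").read()))` against your real file; the sample above yields three warnings (no tun-mtu, SHA512, one DNS server).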

Here is the missing explanation of options I could never find...

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

Some other things to consider...

If your phone does not have a quad-core processor, you may be better off leaving the auth cipher at SHA1, because it is less overhead for the CPU. Also, on 3G networks VPNs can be so slow that it's hardly worth the effort at times. It depends a lot on where your server is located. I can deal with a little speed drop, but the latency increase can be aggravating. I also suspect AT&T is throttling VPN users, as well as doing some other dirty things. Sometimes when I go to dnsleaktest.com, my phone will disconnect and then reconnect to the mobile network before the page loads... that spells FISHY to me. Make sure you are using a firewall because I have found Android disobeying the routing rules in the past.

In conclusion, VPNs on Android systems need more development. Wireless carriers need to stop being dicks. The entire process will be painful trial and error, every step of the way. Some things work and some things do not. For instance, switching from WiFi to mobile data works fine, but vice versa and you will need to reconnect to the VPN. I'll close by reminding you to use easyrsa3 and a separate machine to sign all of your certificates. As Cartman would say, "That's hella important."

1 comment:

  1. Care to open VPN with high-speed browsing and secure usage? Try waselpro VPN service

    http://www.openvpnandroid.com/openvpn-for-android/