In the upgrade to CyanogenMod-11 I am going to check out and upgrade the VPN software carefully and with documentation. Starting with Android-4.3 (CyanogenMod-10.x) (I think), there is a new section in Settings titled VPNs. I'm going to see what, if anything, it can do for me.
I hope that the procedure will be mostly identical on Mica and Selen. If there are differences I will point that out. Selen will communicate with my main router, Jacinth, directly over cellular data (4G-LTE, Verizon, IPv6 in active use, IPv4 also available). Mica will utilize Selen's hostapd (WiFi Hotspot), which only passes IPv4. On Jacinth I have IPSec and OpenVPN on ports 1194 and on 443 (to fake out uncooperative hotel nets). There is a firewall feature called OOBA (Out of Band Authentication) whereby the client needs to authenticate and register its IP address before using the OpenVPN ports. I will attempt to set up all three VPNs on each client.
For this test, Xena (Linux laptop) is connecting to each service on Jacinth through Selen's hostapd (SSID = SelenAP). Selen's IP today: 184.108.40.206; Xena's IP: 192.168.43.208
Xena received 1 cert request for an unknown CA, sent CFT root 2024; no clue what the prob is on Jacinth, but Xena says Jacinth replied auth failed. Client cert is not expired. Problem was a dead symlink on Jacinth.
Added link to the correct intermediate cert: ln -s -f /etc/ssl/ca/ca-cft-i1-2024.crt /etc/ipsec.d/cacerts/ . Still fails. Restarted strongswan on Jacinth. Success! (And SSH session was not broken.) Traceroute to sunset shows the first hop was at Jacinth.
Xena's conf file has --tls-remote which is deprecated.
Private key password verification failed, exiting.
Yes indeedy the password was not updated after the last change.
We're using AES-256-CBC with compression. Unfortunately there are no GCM ciphers offered (vs CBC).
For this, I copied the key/PW fixup from OpenVPN 1194. Success!
In the password change document, I need to add an item for updating the host keys used by the VPNs.
Need to experiment: will either StrongSwan or OpenVPN accept a KCA (key, certificate, intermediate, anchor) concatenated file? Or other less complete concatenations? If I could use the host.kca symlink or its friends, when I install a new cert the VPNs will follow automatically.
I do not use the VPNs frequently, so deficiencies are not recognized promptly and if recognized do not get a high priority. It would be really helpful if I could come up with a functional test for the VPNs to go in restarter and checkout.sh, and from there into the daily housekeeping report.
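A pre-flight check of the kind wished for above, added here as an example and not code from the original notes: it walks a certificate directory such as /etc/ipsec.d/cacerts, reports dead symlinks (the failure diagnosed earlier on Jacinth), and inventories the PEM blocks in each file so a concatenated KCA file can be verified to hold exactly one private key plus a certificate chain before strongswan or OpenVPN is pointed at it. The directory layout, the .kca suffix rule and the constructed sample files are assumptions; the check does not validate the certificates' signatures or dates.

```python
import base64, binascii, os, re, tempfile

# PEM armor: END label must match BEGIN label; re.S lets the body span lines
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        if der[:1] != b"\x30":  # certificates and keys are both DER SEQUENCEs
            raise ValueError("block %r is not DER" % m.group(1))
        blocks.append((m.group(1), der))
    return blocks

def check_cert_dir(path):
    """Return {filename: problem} for each dead symlink or bad PEM file in path."""
    problems = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full) and not os.path.exists(full):
            problems[name] = "dead symlink -> " + os.readlink(full)
        elif os.path.isfile(full):
            try:
                with open(full, errors="replace") as fh:
                    labels = [lbl for lbl, _ in pem_blocks(fh.read())]
            except (ValueError, binascii.Error) as exc:
                problems[name] = "unparsable PEM: %s" % exc
                continue
            keys = sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY"))
            certs = labels.count("CERTIFICATE")
            if not labels:
                problems[name] = "no PEM blocks"
            elif name.endswith(".kca") and (keys != 1 or certs < 2):
                problems[name] = "KCA has %d key(s), %d cert(s)" % (keys, certs)
    return problems

def make_pem(label, der):  # wrap DER bytes in PEM armor (builds constructed test data)
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)

def build_sample_dir():  # constructed directory reproducing the failure modes in the notes
    d, seq = tempfile.mkdtemp(), b"\x30\x03\x02\x01\x01"  # minimal DER SEQUENCE stand-in
    files = {"good.crt": make_pem("CERTIFICATE", seq),
             "host.kca": make_pem("PRIVATE KEY", seq) + make_pem("CERTIFICATE", seq) * 3,
             "chain-only.kca": make_pem("CERTIFICATE", seq) * 2,
             "junk.crt": make_pem("CERTIFICATE", b"\x01\x02")}
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    os.symlink("/nonexistent/old-intermediate.crt", os.path.join(d, "ca-cft.crt"))
    return d
```

Run check_cert_dir() against the real cacerts and private directories from checkout.sh and treat a non-empty result as a failed check in the housekeeping report.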
It turns out that a big reason for VPN failures was missing certificates. Here is how I got the required certs onto the machines:
Mica does not have my current cert. It does have the CFT root (so Firefox says). Where? In Firefox's Software Security Device, which can be synced. But Settings - Security - User shows no CA certs at all. But Mica/Firefox won't connect to Diamond, no issuer cert (for Diamond's host cert), which is no lie if we're using the local trust store.
Trying to install the CA cert.
The file cannot be opened. Use the Open As action and pass it to Certificate Installer (system app, and does not have an App Drawer icon). It shows a black-on-black modal dialog and doesn't install the cert. Maybe it will only read the cert if it's part of a PKCS#12 file.
Certificate Installer mentioned above. It does have an icon. It creates a local webserver and sics a browser on it, and the browser will install the cert. Firefox already knows that the cert is installed. The default browser takes a long time to log in to Google sites, and when you hit back it doesn't install the cert. Neither browser could handle u-jimc-cft-R2015.p12; they both hung while downloading it. I uninstalled the app.
On Selen, u-jimc-cft-R2015.p12 was hanging around in Downloads and the certificate installer found and installed it with no hassle.
When you add or view a user-provided CA cert, the certificate installer (?) pops a notification that your network may be monitored by an untrusted third party; a cert you have installed makes this possible. Dumb. First, I'm not sure how this monitoring is possible -- certificate authentication to WPA, but it's the Wi-Fi provider's own cert. And it is an explicitly trusted first party (CFT, i.e. me), not an untrusted third party. Hiss, boo!
We have OpenVPN Installer 0.2.5. Installation options: /system/xbin/openvpn and /system/xbin/busybox ifconfig (the preferred values). When you run it and tell it to install, it maunders that /system is still readonly. Lots and lots of people complain about this issue.
On the OpenVPN Installer issue tracker, bcafa...@gmail.com (2013-08-30) has an explanation (jimc says: smells like namespaces) and a patched APK that fixes it. I downloaded it and saved it in ~jimc/upgrade/mica/files/. A plethora of people post "thanks". Uninstall the original one first.
My experience (on Mica and Selen): I downloaded it on Xena and used install openvpn-installer-debug.apk to push it over. When executed (use the app drawer), it reported permission denied (to /system/xbin). Mica was pretty chewed up by that time and I just rebooted. Then, the app installed OpenVPN successfully. Worked the first time on Selen.
For reference, Edin Korda (2013-12-14) obtained (from an unstated place) the binary, plus liblzo.so, and copied them to /system/xbin and /system/lib respectively, and set the appropriate permissions. It worked for him. There are several versions of the binary, with hardwired variations on the installation options.
First, Mica will connect to SelenAP. Did connect, its IP is 192.168.43.49 and it is listed under connected devices. The VPN section is under Networking - More. Evidently the only thing you can set here (via the "menu" menu) is Always-On VPN, which is useful but is not what I'm trying to do right now. That's the end of that experiment.
As hoped for, the experiences on Mica and Selen were very similar, except that various prerequisite trails were blazed on Mica and just copied on Selen. Selen is using cellular data and is authorized by OOBA. Mica is communicating through Selen's hostapd (Wi-Fi Hotspot).
Both machines failed. Never got to sending packets to Jacinth.
Log file has messages about
kernel-netlink plugin might require
unable to load 9 plugin features due to unmet
I cleared data (on Mica), no help. I spotted the missing certs and installed them.
Success! Now that the required certs are available.
First step is to run OpenVPN Installer to install the binary. See gory details above.
Success on the first try! This one uses password authentication. There is something screwy when I try to talk to http://jacinth.jfcarter.net; page loading hangs. It's OOBA! The wild-side IP got changed and had to be reauthorized.
Success on the first try.
Success, and I can get to http://sunset.math.ucla.edu which is excluded from the general public by a firewall. And Sunset has an IPv6 address which was correctly bypassed.