
Asus Transformer Pad Infinity
Upgrading the VPNs

Jim Carter, 2015-01-11

In the upgrade to CyanogenMod-11 I am going to check out and upgrade the VPN software carefully and with documentation. Starting with Android-4.3 (CyanogenMod-10.x) (I think), there is a new section in Settings titled VPNs. I'm going to see what, if anything, it can do for me.

I hope that the procedure will be mostly identical on Mica and Selen. If there are differences I will point that out. Selen will communicate with my main router, Jacinth, directly over cellular data (4G-LTE, Verizon, IPv6 in active use, IPv4 also available). Mica will utilize Selen's hostapd (WiFi Hotspot), which only passes IPv4. On Jacinth I have IPSec and OpenVPN on ports 1194 and on 443 (to fake out uncooperative hotel nets). There is a firewall feature called OOBA (Out of Band Authentication) whereby the client needs to authenticate and register its IP address before using the OpenVPN ports. I will attempt to set up all three VPNs on each client.

Initial Positive Control

For this test, Xena (Linux laptop) is connecting to each service on Jacinth through Selen's hostapd (SSID = SelenAP). Selen's IP today: 70.211.130.87; Xena's IP: 192.168.43.208

IPSec

Xena received 1 cert request for an unknown CA, sent CFT root 2024; no clue what the prob is on Jacinth, but Xena says Jacinth replied auth failed. Client cert is not expired. Problem was a dead symlink on Jacinth.

Added link to the correct intermediate cert: ln -s -f /etc/ssl/ca/ca-cft-i1-2024.crt /etc/ipsec.d/cacerts/ . Still fails. Restarted strongswan on Jacinth. Success! (And SSH session was not broken.) Traceroute to sunset shows the first hop was at Jacinth.

OpenVPN 1194

Xena's conf file has --tls-remote, which is deprecated.

Private key password verification failed, exiting.

Yes indeedy the password was not updated after the last change.

We're using AES-256-CBC with compression. Unfortunately there are no GCM ciphers offered (vs CBC).

Success!

OpenVPN 443

For this, I copied the key/PW fixup from OpenVPN 1194. Success!

Conclusion

In the password change document, I need to add an item for updating the host keys used by the VPNs.

Need to experiment: will either StrongSwan or OpenVPN accept a KCA (key, certificate, intermediate, anchor) concatenated file? Or other less complete concatenations? If I could use the host.kca symlink or its friends, when I install a new cert the VPNs will follow automatically.

I do not use the VPNs frequently, so deficiencies are not recognized promptly and if recognized do not get a high priority. It would be really helpful if I could come up with a functional test for the VPNs to go in restarter and checkout.sh, and from there into the daily housekeeping report.
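An added functional check along the lines wished for above (example code, not from the original page or the author's scripts): it parses traceroute output and confirms that the first hop is the VPN concentrator, the same test that was applied by hand in the IPSec section. The gateway address 10.8.0.1 and the sample traceroute text are constructed for illustration; the live command to feed it is given in a comment.

```shell
#!/bin/sh
# Added example (not the page's own code): a minimal VPN liveness check for a
# housekeeping script such as checkout.sh. A tunnel is considered up when the
# first hop towards a far host is the VPN gateway rather than the local router.

# first_hop TRACEROUTE_OUTPUT -> prints the IP address of hop 1, or nothing.
# Handles both "name (addr)" lines and the bare-address form of traceroute -n;
# a hop line of "* * *" yields nothing.
first_hop() {
    printf '%s\n' "$1" | awk '$1 == 1 {
        if (match($0, /\([0-9.]+\)/)) print substr($0, RSTART + 1, RLENGTH - 2)
        else if ($2 ~ /^[0-9.]+$/) print $2
        exit
    }'
}

# vpn_check EXPECTED_GATEWAY TRACEROUTE_OUTPUT -> returns 0 if the first hop
# is the expected gateway, 1 otherwise. In a real script feed it the live
# output of:  traceroute -n -m 3 sunset.math.ucla.edu
vpn_check() {
    hop=$(first_hop "$2")
    if [ "$hop" = "$1" ]; then
        echo "VPN OK: first hop $hop"
        return 0
    fi
    echo "VPN FAIL: first hop '${hop:-none}', expected $1" >&2
    return 1
}

# Constructed sample: tunnel up, first hop is the (assumed) VPN gateway 10.8.0.1.
SAMPLE_UP='traceroute to sunset.math.ucla.edu (192.0.2.10), 3 hops max
 1  jacinth.example (10.8.0.1)  41.2 ms  40.9 ms  41.5 ms
 2  192.0.2.1 (192.0.2.1)  52.0 ms  51.8 ms  52.3 ms'

# Constructed sample: tunnel down, traffic leaves via the hotspot's router.
SAMPLE_DOWN='traceroute to sunset.math.ucla.edu (192.0.2.10), 3 hops max
 1  192.168.43.1 (192.168.43.1)  3.1 ms  2.9 ms  3.0 ms
 2  * * *'

vpn_check 10.8.0.1 "$SAMPLE_UP"
vpn_check 10.8.0.1 "$SAMPLE_DOWN" || true
```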

Installing the CA and User Certs

It turns out that a big reason for VPN failures was missing certificates. Here is how I got the required certs onto the machines:

Mica does not have my current cert. It does have the CFT root (so Firefox says). Where? In Firefox's Software Security Device, which can be synced. But Settings - Security - User shows no CA certs at all. But Mica/Firefox won't connect to Diamond, no issuer cert (for Diamond's host cert), which is no lie if we're using the local trust store.

Trying to install the CA cert.

On Selen, u-jimc-cft-R2015.p12 was hanging around in Downloads and the certificate installer found and installed it with no hassle.

When you add or view a user-provided CA cert, the certificate installer (?) pops a notification that your network may be monitored by an untrusted third party; a cert you have installed makes this possible. Dumb. First, I'm not sure how this monitoring is possible -- certificate authentication to WPA, but it's the Wi-Fi provider's own cert. And it is an explicitly trusted first party (CFT, i.e. me), not an untrusted third party. Hiss, boo!

Installing OpenVPN Binary

We have OpenVPN Installer 0.2.5. Installation options: /system/xbin/openvpn and /system/xbin/busybox ifconfig (the preferred values). When you run it and tell it to install, it maunders that /system is still readonly. Lots and lots of people complain about this issue.

On the OpenVPN Installer issue tracker, bcafa...@gmail.com (2013-08-30) has an explanation (jimc says: smells like namespaces) and a patched APK that fixes it. I downloaded it and saved it in ~jimc/upgrade/mica/files/. A plethora of people post "thanks". Uninstall the original one first.

My experience (on Mica and Selen): I downloaded it on Xena and used adb install openvpn-installer-debug.apk to push it over. When executed (use the app drawer), it reported permission denied (to /system/xbin). Mica was pretty chewed up by that time and I just rebooted. Then, the app installed OpenVPN successfully. Worked the first time on Selen.

For reference, Edin Korda (2013-12-14) obtained (from an unstated place) the binary, plus liblzo.so, and copied them to /system/xbin and /system/lib respectively, and set the appropriate permissions. It worked for him. There are several versions of the binary, with hardwired variations on the installation options.

Setting up Mica using Setup VPN

First, Mica will connect to SelenAP. Did connect, its IP is 192.168.43.49 and it is listed under connected devices. The VPN section is under Networking - More. Evidently the only thing you can set here (via the "menu" menu) is Always-On VPN, which is useful but is not what I'm trying to do right now. That's the end of that experiment.

Setting Up the VPNs in Apps

As hoped for, the experiences on Mica and Selen were very similar, except that various prerequisite trails were blazed on Mica and just copied on Selen. Selen is using cellular data and is authorized by OOBA. Mica is communicating through Selen's hostapd (Wi-Fi Hotspot).

IPSec

Both machines failed. Never got to sending packets to Jacinth. The log file has messages saying that the kernel-netlink plugin might require CAP_NET_ADMIN, and that it was unable to load 9 plugin features due to unmet dependencies.

I cleared data (on Mica), no help. I spotted the missing certs and installed them.

Success, now that the required certs are available!

OpenVPN 1194

First step is to run OpenVPN Installer to install the binary. See gory details above.

Success on the first try! This one uses password authentication. There is something screwy when I try to talk to http://jacinth.jfcarter.net; page loading hangs. It's OOBA! The wild-side IP got changed and had to be reauthorized.

OpenVPN 443

Success on the first try.

Mathnet

Success, and I can get to http://sunset.math.ucla.edu which is excluded from the general public by a firewall. And Sunset has an IPv6 address which was correctly bypassed.
