OpenVPN for Palm Pre

From WebOS Internals

Introduction

OpenVPN lets you build a secure virtual private network (VPN) connection from your Palm device to an available OpenVPN server over an encrypted TLS connection. For encryption, it uses the OpenSSL libraries. On the transport layer, it can use TCP or UDP. The secure connection, or "tunnel", between client and server is created with virtual network devices provided by the TUN/TAP kernel drivers. With optware, OpenVPN is easily installable on your Palm device via ipkg. One application scenario is connecting your Palm device via 3G to your home network to access data and services hosted by a NAS, for example.

OpenVPN client installation

To set up a connection to an available OpenVPN endpoint, you need the appropriate kernel module (tun.ko) on your Palm device and a client configuration that depends on the type of connection you want to create (bridged or routed). The optware OpenVPN ipkg installs cleanly, as the console output below shows. The Palm Pre/Pixi Linux OS is compiled with the /dev/tun driver built in, so you can ignore the module dependency warning. There is a project to create a GUI for the Pre [1].

Note: oinstall is an alias, defined as alias oinstall="sudo ipkg-opt install"

┌─(box@castle)-(09:28:44)->
└─(~)--> $ oinstall openvpn
Installing openvpn (2.1_rc15-1) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/openvpn_2.1_rc15-1_arm.ipk
openvpn: unsatisfied recommendation for kernel-module-tun
Installing lzo (1.08-2) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/lzo_1.08-2_arm.ipk
Configuring lzo
Configuring openvpn
Successfully terminated.

OpenVPN client configuration

OpenVPN is deployed quickly and easily. The OpenVPN.net website and source installations contain scripts that can make OpenVPN connect to your home or work when WiFi is activated. The following excerpt assumes that you already have the following:

  • a certificate for yourself / your device (in the example, called palmpre.crt)
  • the issuing certificate authority (ca.crt)
  • a key-file (palmpre.key)

It is highly suggested that you familiarize yourself with creating your own keys (and certificates), in case you are not provided with them by a trusted source. Have a look at the following wiki page, which explains in detail how to Setup optware OpenVPN on a NAS and gives exact instructions for setting up an endpoint your Palm device could connect to.

┌─(root@castle)-(10:17:05)->
└─(/opt/etc/openvpn)--> # unzip palmpre.zip
Archive:  palmpre.zip
   creating: palmpre/
  inflating: palmpre/ca.crt
  inflating: palmpre/palmpre.key
  inflating: palmpre/palmpre.crt
  inflating: palmpre/palmpre.conf
  inflating: palmpre/dh2048.pem
  inflating: palmpre/palmpre.ovpn
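
A pre-flight check for the bundle unpacked above, as an added example that is not part of the original page: it confirms that the ca, cert and key directives in palmpre.ovpn point at existing files, that the private key is readable by its owner only, and that the config verifies the server certificate. The function name, the sample config contents and vpn.example.org are assumptions; the page does not show palmpre.ovpn.

```shell
#!/bin/sh
# Added example (not from the original page): audit an unpacked OpenVPN client
# bundle. Prints one line per finding and returns the number of findings.
audit_bundle() {
    dir=$1; conf=$2; findings=0
    finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

    if [ ! -f "$dir/$conf" ]; then
        finding "config $dir/$conf not found"; return "$findings"
    fi
    for directive in ca cert key; do
        # First line whose first word is the directive (comment lines never match).
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$dir/$conf")
        if [ -z "$path" ]; then finding "no '$directive' directive"; continue; fi
        # Assumption: relative paths are resolved against the bundle directory.
        case $path in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then finding "$directive file missing: $path"; continue; fi
        # The private key must carry no group/other permission bits
        # (characters 5-10 of the ls mode string).
        if [ "$directive" = key ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            finding "private key $path is accessible to group/other (chmod 600)"
        fi
    done
    # Without one of these, the client accepts any certificate signed by the CA,
    # including another client's, as the server.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server|tls-remote[[:space:]])' "$dir/$conf"; then
        finding "config does not verify the server certificate type or name"
    fi
    return "$findings"
}

# Constructed sample bundle (placeholder file contents, hypothetical server name).
demo=$(mktemp -d)
printf 'placeholder\n' > "$demo/ca.crt"
printf 'placeholder\n' > "$demo/palmpre.crt"
printf 'placeholder\n' > "$demo/palmpre.key"
chmod 644 "$demo/palmpre.key"
cat > "$demo/palmpre.ovpn" <<'EOF'
client
dev tun
remote vpn.example.org 1194
ca ca.crt
cert palmpre.crt
key palmpre.key
EOF
audit_bundle "$demo" palmpre.ovpn || echo "findings: $?"
```

On the device, call it as audit_bundle /opt/etc/openvpn/palmpre palmpre.ovpn before the first connection test.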

Starting OpenVPN

For a first connection test, start openvpn on your Palm device and let it write to standard output. That way you can follow along if anything goes awry during the initialization sequence:

openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn

If it connects successfully, you could start it as a background task (adding &), redirecting output to /dev/null:

┌─(root@castle)-(10:19:33)->
└─(/opt/etc/openvpn)--> # openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn >>/dev/null&

Testing connection

When testing access to your OpenVPN endpoint (server) from your Palm device, it can be beneficial if both can connect only via the OpenVPN tunnel (and not reach each other via an alternate route in your home network). The following scenario assumes that a Palm device connects via OpenVPN to a private network (possibly your home network) from outside, using 3G (EVDO, UMTS). You can test this by turning off WiFi and connecting to your Palm device with SSH over a Bluetooth PAN. Check whether your Palm device still has internet access over 3G after WiFi is turned off (while pinging Google, drop WiFi and monitor via SSH over the Bluetooth PAN):

64 bytes from 74.125.67.100: seq=5 ttl=52 time=46.505 ms
64 bytes from 74.125.67.100: seq=6 ttl=52 time=45.603 ms
64 bytes from 74.125.67.100: seq=7 ttl=52 time=49.132 ms
64 bytes from 74.125.67.100: seq=8 ttl=52 time=101.013 ms 
64 bytes from 74.125.67.100: seq=9 ttl=52 time=1556.213 ms <-- cutover wifi to evdo
64 bytes from 74.125.67.100: seq=10 ttl=52 time=561.371 ms
64 bytes from 74.125.67.100: seq=11 ttl=52 time=54.932 ms
64 bytes from 74.125.67.100: seq=12 ttl=50 time=109.436 ms
64 bytes from 74.125.67.100: seq=13 ttl=50 time=105.896 ms
64 bytes from 74.125.67.100: seq=14 ttl=50 time=104.523 ms

If you ping an IP in your home network now, traffic to your private network is routed through the encrypted tunnel:

┌─(root@castle)-(10:33:54)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.1.10
PING 192.218.1.10 (192.218.1.10): 56 data bytes
64 bytes from 192.218.1.10: seq=0 ttl=42 time=456.665 ms
64 bytes from 192.218.1.10: seq=1 ttl=42 time=260.773 ms
64 bytes from 192.218.1.10: seq=2 ttl=42 time=268.189 ms

┌─(root@castle)-(10:35:13)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.0.1
PING 192.218.0.1 (192.218.0.1): 56 data bytes
64 bytes from 192.218.0.1: seq=0 ttl=64 time=259.552 ms
64 bytes from 192.218.0.1: seq=1 ttl=64 time=114.898 ms
64 bytes from 192.218.0.1: seq=2 ttl=64 time=118.958 ms

┌─(root@castle)-(10:35:40)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.0.218
PING 192.218.0.218 (192.218.0.218): 56 data bytes
64 bytes from 192.218.0.218: seq=0 ttl=64 time=502.137 ms
64 bytes from 192.218.0.218: seq=1 ttl=64 time=182.556 ms
64 bytes from 192.218.0.218: seq=2 ttl=64 time=123.016 ms

OpenVPN IRC channel

The OpenVPN IRC channel ##OpenVPN is on the same Freenode server as #WebOS-Internals. Please stop by either channel with questions after visiting [2].

Resources

Using Hamachi for VPN on your Pre [3]