Netgate Discussion Forum

    [SOLVED] Always so difficult… Trying to get Android smartphone to work

    19 Posts 4 Posters 4.7k Views
      Mr. Jingles

      Good evening again,

      Why is everything always so difficult  :-[ Imagine BMW released cars like that.

      I follow the pfSense wiki to create a VPN server for remote access with my Android 'smart'phone.

      I then export the *.ovpn to import in my Android 6, using either 'OpenVPN for Android' or 'OpenVPN Connect'.

      Of course it doesn't work. I didn't even expect it anymore ( >:( ).

      I've added three screenshots with vague errors where once again uncle Google also doesn't help.

      Would anybody know how to fix this? Does anybody happen to have it working, their Android phone connecting to pfSense?

      Ah, I did notice, in the Client export, pfSense does not show the Dynamic DNS host I created in the drop down list; I had to add the address myself, like:

      Hostname: apfelstrudel.dynu.net

      Thank you in advance for any help very much,

      Bye,
      Screenshot_20170521-233820.png
      Screenshot_20170521-233832.png
      Screenshot_20170521-233918.png

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        NOYB

        Yes I have it working on Android with OpenVPN connect.

        To state the obvious.  You have an error trying to read the config file.  That's what needs to be resolved.

        Don't recall for sure but I may have had to place the OpenVPN profile in downloads rather than on the SD card.  I know there was something I had to do that with.  May have been OpenVPN but don't recall for sure.

          Mr. Jingles

          Thank you NOYB  :)

          I tried your suggestion: I stored the a900.ovpn (=deliberately short name) both on the internal storage/Download as well as on /sdcard/Download, but the problem/error message remains the same.

          Would you have any other ideas?

          Thank you.

            jdpratt51

            I have a similar issue where I cannot connect via OpenVPN to the pfSense from outside my network. Any ideas?

              NOYB

              Fix those options errors.
              Be sure you're exporting the correct config.

                Mr. Jingles

                @NOYB:

                Fix those options errors.
                Be sure you're exporting the correct config.

                Google doesn't give any clue as to that error message.

                I did nothing special. I simply exported it. Both 'Android' and 'OpenVPN connect' export give the same problems. In both Android OpenVPN clients.

                  Mr. Jingles

                  There is something wrong with that export utility.

                  If I disable 'verify server CN' to get rid of one of the errors in the previous screenshots, we get the next error. Now UDP protocol is not allowed…

                  Pic attached.

                  Screenshot_20170522-194924.png

                    Mr. Jingles

                    Ok, when I install the OpenVPN client on Windows, I get a new/other/strange error:

                    Options error: You must define TUN/TAP device (--dev)

                    However, the server is set up as tun and the config file contains tun too (screenshot).

                    ovpn40.png

                      NOYB

                      Here are my Windows and Android OpenVPN profiles.  There are only two lines different between them.

                      dev tun
                      resolv-retry infinite

                      Windows OpenVPN Profile (certs snipped out)

                      
                      dev tun
                      persist-tun
                      persist-key
                      cipher AES-256-CBC
                      auth SHA512
                      tls-client
                      client
                      resolv-retry infinite
                      remote my.domain.com 1194 udp
                      lport 0
                      verify-x509-name "OpenVPN Server Certificate" name
                      auth-user-pass
                      ns-cert-type server
                      comp-lzo adaptive
                      
                      <ca>
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      </ca>
                      <cert>
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      </cert>
                      <key>
                      -----BEGIN PRIVATE KEY-----
                      -----END PRIVATE KEY-----
                      </key>
                      <tls-auth>
                      #
                      # 2048 bit OpenVPN static key
                      #
                      -----BEGIN OpenVPN Static key V1-----
                      -----END OpenVPN Static key V1-----
                      </tls-auth>
                      key-direction 1
                      
                      

                      Android OpenVPN Profile (certs snipped out)

                      
                      persist-tun
                      persist-key
                      cipher AES-256-CBC
                      auth SHA512
                      tls-client
                      client
                      remote my.domain.com 1194 udp
                      lport 0
                      verify-x509-name "OpenVPN Server Certificate" name
                      auth-user-pass
                      ns-cert-type server
                      comp-lzo adaptive
                      
                      <ca>
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      </ca>
                      <cert>
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      </cert>
                      <key>
                      -----BEGIN PRIVATE KEY-----
                      -----END PRIVATE KEY-----
                      </key>
                      <tls-auth>
                      #
                      # 2048 bit OpenVPN static key
                      #
                      -----BEGIN OpenVPN Static key V1-----
                      -----END OpenVPN Static key V1-----
                      </tls-auth>
                      key-direction 1
                      
                      
                        NOYB

                        Be sure the profile being used on the Android has LF line termination only.  Not CRLF.

                          Mr. Jingles

                          @NOYB:

                          Be sure the profile being used on the Android has LF line termination only.  Not CRLF.

                          Thank you for both replies, NOYB ;D

                          I'll compare your configs with mine.

                          What do you mean with the above quoted? I only export the *.ovpn in pfSense export utility, and then try to import it in Android. Do I need to change something somewhere?

                            NOYB

                            If you export and use directly that should be fine.  It should have only the LF line endings.  If you edit it, especially in Windows, it could be saved with CRLF line endings.

                              Mr. Jingles

                              @Mr.:

                              Nobody can help me?

                              This is my ovpn profile. Different compared to NOYB's are (although I don't know why?):

                              auth SHA1
                              auth-user-pass
                              ns-cert-type server

                              
                              persist-tun
                              persist-key
                              cipher AES-256-CBC
                              auth SHA1
                              tls-client
                              client
                              remote domain.dynu.net 44000 udp
                              lport 0
                              verify-x509-name "smartphone-server" name
                              remote-cert-tls server
                              comp-lzo adaptive
                              
                              <ca>
                              -----BEGIN CERTIFICATE-----
                              -----END CERTIFICATE-----
                              </ca>
                              <cert>
                              -----BEGIN CERTIFICATE-----
                              -----END CERTIFICATE-----
                              </cert>
                              <key>
                              -----BEGIN PRIVATE KEY-----
                              -----END PRIVATE KEY-----
                              </key>
                              <tls-auth>
                              #
                              # 2048 bit OpenVPN static key
                              #
                              -----BEGIN OpenVPN Static key V1-----
                              -----END OpenVPN Static key V1-----
                              </tls-auth>
                              key-direction 1
                              
                              

                              But when I adapt NOYB's differential settings the problem remains the same.

                                Mr. Jingles

                                Solved.

                                Don't email the *.ovpn profile to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…

                                  NOYB

                                  Here.  Let me fix that for you.

                                  @Mr.:

                                  Don't email the *.ovpn profile to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…

                                  Don't email security certificates.  Especially private keys.  Period!!!

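Added example (not code from any poster in this thread): a Python check for the profile problems discussed above, namely CRLF line endings, inline `<ca>`/`<key>` tags damaged in transit, a missing `dev` line, and embedded key material that makes the file a secret. The name `lint_ovpn`, the sample profile and `vpn.example.com` are constructed for illustration.

```python
import re

# Inline blocks that carry secret key material (the two that appear in this thread).
SECRET_BLOCKS = {"key", "tls-auth"}
TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")

def lint_ovpn(data: bytes) -> dict:
    """Report transfer damage and embedded secrets in an .ovpn profile."""
    rep = {"crlf_lines": data.count(b"\r\n"), "errors": [], "warnings": [], "secrets": []}
    directives, block, body = set(), None, []
    for n, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        line = raw.strip()
        if block:                                   # inside <block> ... </block>
            if line != f"</{block}>":
                body.append(line)
                continue
            pem = [l for l in body if l.startswith("-----")]
            if len(pem) != 2 or "BEGIN" not in pem[0] or "END" not in pem[1]:
                rep["errors"].append(f"<{block}>: BEGIN/END markers missing or damaged")
            if block in SECRET_BLOCKS:
                rep["secrets"].append(block)
            block, body = None, []
        elif line.startswith("<"):
            m = TAG.match(line)
            if m and not m.group(1):
                block = m.group(2)                  # opening tag alone on its line
            else:                                   # glued tag or stray closing tag
                rep["errors"].append(f"line {n}: malformed or unexpected inline tag")
        elif line and line[0] not in "#;":
            directives.add(line.split()[0])
    if block:
        rep["errors"].append(f"<{block}> is never closed")
    if "remote" not in directives:
        rep["errors"].append("no 'remote' directive")
    if "dev" not in directives:                     # Android exports omit it; desktop needs it
        rep["warnings"].append("no 'dev' directive")
    return rep

# Constructed sample: placeholder base64, not a real certificate or key.
GOOD = (b"dev tun\nclient\nremote vpn.example.com 1194 udp\n"
        b"<ca>\n-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n</ca>\n"
        b"<key>\n-----BEGIN PRIVATE KEY-----\nREVG\n-----END PRIVATE KEY-----\n</key>\n")
# Same profile saved with CRLF, and one with a glued <ca> tag and no 'dev' line.
CRLF = GOOD.replace(b"\n", b"\r\n")
MANGLED = GOOD.replace(b"<ca>\n", b"<ca>").replace(b"dev tun\n", b"")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("crlf", CRLF), ("mangled", MANGLED)):
        print(name, lint_ovpn(sample))
```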
                                    Mr. Jingles

                                    @NOYB:

                                    Here.  Let me fix that for you.

                                    @Mr.:

                                    Don't email the *.ovpn profile to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…

                                    Period!!!

                                    Here, let me fix that for you: Period

                                    Comma.

                                    UNLESS it is on your own LAN and you are both the only sender and receiver.

                                      NOYB

                                      @Mr.:

                                      @NOYB:

                                      Here.  Let me fix that for you.

                                      @Mr.:

                                      Don't email the *.ovpn profile to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…

                                      Period!!!

                                      Here, let me fix that for you: Period

                                      Comma.

                                      UNLESS it is on your own LAN and you are both the only sender and receiver.

                                      Nope.  Not even then.

                                        Gertjan

                                        @Mr.:

                                        …..
                                        UNLESS it is on your own LAN and you are both the only sender and receiver.

                                        With or without the mail server on the other side of the planet ?  ;)

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                          Mr. Jingles

                                          @Gertjan:

                                          @Mr.:

                                          …..
                                          UNLESS it is on your own LAN and you are both the only sender and receiver.

                                          With or without the mail server on the other side of the planet ?  ;)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.