[SOLVED] Always so difficult… Trying to get Android smartphone to work

jdpratt51 · May 22, 2017, 3:12 PM

I have a similar issue where I can not connect via OpenVPN to the PFsense from outside my network any ideas?

NOYB · May 22, 2017, 4:17 PM

Fix those options errors.
Be sure you're exporting the correct config.

Mr. Jingles · May 22, 2017, 5:39 PM

Fix those options errors.
Be sure you're exporting the correct config.

Google doesn't give any clue as to that error message.

I did nothing special. I simply exported it. Both 'Android' and 'OpenVPN connect' export give the same problems. In both Android OpenVPN clients.

Mr. Jingles · May 22, 2017, 5:51 PM

There is something wrong with that export utility.

If I disable 'verify server CN' to get rid of the one of the errors in the previous screenshots, we get the next error. Now UDP protocol is not allowed…

Pic attached.

Mr. Jingles · May 22, 2017, 6:22 PM

Ok, when I install the OpenVPN client on Windows, I get a new/other/strange error:

Options error: You must define TUN/TAP device (–dev)

However, the server is setup as tun and the config file contains tun too (screenshot).

NOYB · May 22, 2017, 6:45 PM

Here are my Windows and Android OpenVPN profiles. There are only two lines different between them.

dev tun
resolv-retry infinite

Windows OpenVPN Profile (certs snipped out)


dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote my.domain.com 1194 udp
lport 0
verify-x509-name "OpenVPN Server Certificate" name
auth-user-pass
ns-cert-type server
comp-lzo adaptive

 <ca>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</ca> 
 <cert>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</cert> 
 <key>-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----</key> 
 <tls-auth>#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----</tls-auth> 
 key-direction 1

Android OpenVPN Profile (certs snipped out)


persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
remote my.domain.com 1194 udp
lport 0
verify-x509-name "OpenVPN Server Certificate" name
auth-user-pass
ns-cert-type server
comp-lzo adaptive

 <ca>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</ca> 
 <cert>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</cert> 
 <key>-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----</key> 
 <tls-auth>#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----</tls-auth> 
 key-direction 1

NOYB · May 22, 2017, 6:51 PM

Be sure the profile being used on the Android has LF line termination only. Not CRLF.

Mr. Jingles · May 22, 2017, 7:00 PM

@NOYB:

Be sure the profile being used on the Android has LF line termination only. Not CRLF.

Thank you for both replies, NOYB ;D

I'll compare your configs with mine.

What do you mean with the above quoted? I only export the *.ovpn in pfSense export utility, and then try to import it in Android. Do I need to change something somewhere?

NOYB · May 22, 2017, 7:04 PM

If you export and use directly that should be fine. It should have only the LF line endings. If you edit it, especially in Windows, it could be saved with CRLF line endings.

Mr. Jingles · May 30, 2017, 7:11 PM

@Mr.:

Nobody can help me?

This is my opvn profile. different compared to NOYB are (although I don't know why?):

auth SHA1
auth-user-pass
ns-cert-type server


persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
remote domain.dynu.net 44000 udp
lport 0
verify-x509-name "smartphone-server" name
remote-cert-tls server
comp-lzo adaptive

 <ca>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</ca> 
 <cert>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</cert> 
 <key>-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----</key> 
 <tls-auth>#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----</tls-auth> 
key-direction 1

But when I adapt NOYB's differential settings the problem remains the same.

Mr. Jingles · May 30, 2017, 8:49 PM

Solved.

Don't email the *.opvn profile to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…

NOYB · May 31, 2017, 1:36 AM

Here. Let me fix that for you.

@Mr.:

Don't email the *.opvn profile ~~to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…~~

Don't email security certificates. Especially private keys. Period!!!

Mr. Jingles · May 31, 2017, 3:07 PM

@NOYB:

Here. Let me fix that for you.

@Mr.:

Don't email the *.opvn profile ~~to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…~~

Period!!!

Here, let me fix that for you: ~~Period~~

Comma.

UNLESS it is on your own LAN and you are both the only sender and receiver.

NOYB · Jun 1, 2017, 12:20 AM

@Mr.:

@NOYB:

Here. Let me fix that for you.

@Mr.:

Don't email the *.opvn profile ~~to your Android device, neither from Windows nor Debian: the Android email client corrupts the *.ovpn…~~

Period!!!

Here, let me fix that for you: ~~Period~~

Comma.

UNLESS it is on your own LAN and you are both the only sender and receiver.

Nope. Not even then.

Gertjan · Jun 2, 2017, 8:10 PM

@Mr.:

…..
UNLESS it is on your own LAN and you are both the only sender and receiver.

With or without the mail server on the other side of the planet ? ;)

Mr. Jingles · Jun 2, 2017, 8:27 PM

@Gertjan:

@Mr.:

…..
UNLESS it is on your own LAN and you are both the only sender and receiver.

With or without the mail server on the other side of the planet ? ;)