OpenVPN and Android $25-50



  • I am looking for someone to help me set up and configure my pfSense box as an OpenVPN server and connect my Android 4.0 tablet as a client. I would like to learn how to do it also, but if teaching me is a deal breaker then just the setup, as long as it works. Within reason.

    I was also looking to set up Squid, ClamAV and a few other security packages; if the OpenVPN setup goes well I would be willing to arrange payment for those as well.



  • This is a good video on youtube that I followed when I was setting mine up a while back and learning.
    http://www.youtube.com/watch?v=odjviG-KDq8&list=FLNNXWomBBF1ILy88yZKjRJQ&index=14&feature=plpp_video

    Then all you need to do is export the cert as he does in the video, email it to your Android tablet, use FeatVPN to import it and off you go. Very easy and quick. If you are on ICS Android, get the free full version of FeatVPN from their site.

    Hope this helps.



  • Thanks, that worked. It still does not have the functionality I would like it to. I want things like Twonky and other media and file sharing programs to function as if I am still on my home network. Is this possible, or am I asking for something that is not going to happen?



  • Not that I have enabled it, but you can enable the option to route everything through the VPN. This should be like it's coming from your IP at home. However, you won't be able to access the local PCs/network items when this is enabled. I haven't tried it, but just a thought.


  • Rebel Alliance Developer Netgate

    You won't be able to be on the same subnet as your home network as OpenVPN on Android only supports tun mode, and not tap - this isn't a limitation of the client, it's a limitation in the API.

    We also have a full how-to on doing the VPN here:
    http://doc.pfsense.org/index.php/Android_VPN_Connectivity#OpenVPN_on_Android_.28Non-Root.29

    This OpenVPN client is free, the feat VPN client is limited in how it can be used for free.

    The VPN client I linked above has an FAQ inside the app that goes into more detail about the tap limitation.



  • Thanks, that works even better. My question is: if I can't use TAP, what does TUN get me, and how do I use it to access the things on my network?



  • I can access my PCs on my network just fine. I just push the network to the client and have no issues. I remote to my computers via my phone all the time. It's just that the VPN network has to be different than the local network. I forgot about that client. I had issues getting it to work right on my phone.


  • Rebel Alliance Developer Netgate

    It works great. If you push a DNS server to the VPN client and you also have your hostnames all set up on pfSense (either using DNS overrides or DHCP host registration), you can even hit things over the network by name; you just can't "browse" the network for Windows file sharing. Though even that can work if you have a local WINS server.



  • What happens if I set the tunnel subnet the same as the local?


  • Rebel Alliance Developer Netgate

    It will not work - you can't have the same subnet on both interfaces like that in a routed setup, at least not that I've seen work, and not that would be really feasible to do. (Presumably you could block out a "subnet" of /25 or so inside your LAN, use that for the tunnel network, and then set up proxy ARP VIPs on LAN to cover that same block, and then make sure you don't use that block of the subnet locally… but that's ugly, may not work, and is sure to cause some routing issues somewhere... and you still don't get broadcast traffic!)

    It can be done in tap mode with bridging but it can't be done in tun mode.



  • Not sure if this helps, but instead of worrying about bridging or TAP mode, I found this topic about IGMP proxy: http://forum.pfsense.org/index.php?topic=41497.0

    This let me find the media server on my device. After that, it's just a matter of firewall rules letting the traffic pass.
    I can play DLNA content from my Nexus7 now.

    -timotl



  • That is what I want as my end result. Could you fill me in on your configuration settings? I have been able to access my media server via IP through the VPN, but I would like it to work more natively.

    Also, since I can't make my LAN and VPN on the same subnet, can I have a few of my devices on the VPN subnet? I know, but just trying to figure out what I can use my shiny new pfSense box for.



  • I don't have a spare install right now, so part of this is from memory.
    Also, I am using 2.1Beta0 but I think all of these are the same for 2.0.1

    First you have to create a new interface and assign openvpn to it.
    Go to Interfaces, Assign and click + to create a new one.
    Click on the new interface and enable it and name it and click Save.
    OpenVPN will be listed in the port drop-down after you create a new interface.
    Back in the interfaces list, assign the OpenVPN port from the dropdown and save again.

    Then go to Services, IGMP Proxy. Click + to add new interfaces to IGMP Proxy.
    I set mine up as LAN is downstream with my LAN network address and the newly created OpenVPN interface as upstream with the OpenVPN network address. Save the config and check under Status, Services to see if it's running.

    Because I am the only one that uses my VPN, my firewall rules are set for any-any for everything OpenVPN. I also am not sure if the rules need to be created for the OpenVPN tab or the new interface name. I currently have rules for both wide open and haven't cared to play with them further.

    Hope it helps.

    -timotl



  • I had everything working, but then I moved from an embedded to a hard drive install. Now, after following the guide again, when I go to upload the cert in the Android app it says:
    option tls-remote has 4 parameters, expected between 1 and 1

    and it fails to set up the VPN

    Any ideas? I'm using the OpenVPN app.


  • Rebel Alliance Developer Netgate

    Someone replied when you posted that same question in another thread - but for the record:

    Your server CN probably has a space in it. As such you probably need to make sure you check the box to quote the server CN before exporting.

    The Android client wants/needs the quotes, but the windows client chokes on the quotes.

    The best solution is to avoid using a server CN with spaces in it.
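    The quoting problem described above, as an added example that is not code from the thread, pfSense or OpenVPN: a simplified tokenizer for OpenVPN config lines showing how an unquoted CN with spaces is split into several parameters and how quoting collapses it back into one. The CN value and the allowed parameter counts are constructed for the example.

```python
# Added example (not code from the thread, pfSense or OpenVPN): a simplified
# tokenizer for OpenVPN config lines (whitespace separates parameters, single or
# double quotes group one parameter; backslash escapes are not handled here),
# used to show why an unquoted server CN with spaces trips the tls-remote check.
# Allowed parameter counts (min, max); tls-remote takes exactly one argument.
EXPECTED_PARAMS = {"tls-remote": (1, 1), "remote": (1, 3)}
SERVER_CN = "pfSense Home VPN Server"  # constructed CN; four words, matching the 4 reported


def tokenize(line: str) -> list[str]:
    """Split a config line into the option name and its parameters."""
    tokens, current = [], []
    quote, in_token = None, False
    for ch in line:
        if quote:                         # inside quotes only the closing quote is special
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in "\"'":                 # opening quote starts (or continues) a parameter
            quote, in_token = ch, True
        elif ch.isspace():                # unquoted whitespace ends a parameter
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(current))
    return tokens


def check_line(line: str):
    """Return (option, params, error); error is None when the parameter count is allowed."""
    tokens = tokenize(line)
    if not tokens:
        return None, [], None
    opt, params = tokens[0], tokens[1:]
    lo, hi = EXPECTED_PARAMS.get(opt, (0, len(params)))
    if not lo <= len(params) <= hi:
        return opt, params, f"option {opt} has {len(params)} parameters, expected between {lo} and {hi}"
    return opt, params, None


def quote_cn(cn: str) -> str:
    """Wrap a CN in double quotes, as the export option that quotes the server CN does."""
    return f'"{cn}"'


BROKEN_LINE = f"tls-remote {SERVER_CN}"           # unquoted: parsed as 4 parameters
FIXED_LINE = f"tls-remote {quote_cn(SERVER_CN)}"  # quoted: parsed as 1 parameter
```

    The poster's last point still applies: a CN without spaces needs no quoting at all and parses the same on every client.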



  • Is that the strict user/CN matcher box that should be checked, and if not, what box and where can I find it?
    Thank you.


  • Rebel Alliance Developer Netgate

    No, it is not. It is not on the server config; it's on the export tab.



  • I found using IPSEC worked perfectly >_< I'm on ICS as well. There's a well written guide as well that I'll have to find and post.

