Sunday, 15 July 2007

Installing and running OpenVPN on the Nokia N800

Here's how to get OpenVPN up and running on your N800. Once you have done this you can use the Internet securely from any Internet connection you come across by tunnelling the connection to your home Internet connection. It took me ages to get OpenVPN working on my N800 - hopefully this will save you some time. So roll your sleeves up and let's get on with it....

Installing OpenVPN on your home computer

1. The first thing to do is to install OpenVPN on your home machine. This will be the OpenVPN server. You can download OpenVPN2 for Linux from

http://openvpn.net/download.html

If you are using Windows at home I'd recommend installing the GUI version of OpenVPN2 instead, which you can download from:

http://openvpn.se/

2. The next bit is a bit tricky - you need to generate certificates and keys. Basically, since you are going to be encrypting stuff, you need these so that both your home computer (the server) and your N800 (the client) can encrypt and decrypt the data they exchange.

The best way to do this is simply to follow the instructions at:

http://openvpn.net/howto.html#pki

3. The final step is to make a configuration file for OpenVPN on your home computer. Use this one for a Windows system, by copying it into a text file, naming it n800.ovpn, and putting it in the config folder in your OpenVPN folder, which will be in Program Files. If you are using Linux, you'll have to change the ca.crt, server.crt and server.key paths to wherever they are meant to be stored - if you are smart enough to use Linux you'll figure it out, but I think it is /etc/openvpn/

#### config file start######

dev tun
proto udp

# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"

# This file should be kept secret
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"

# Diffie-Hellman parameters
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"


# Routes to push to the client
# NOTE - you must change 192.168.0.0 below
# to your gateway address
push "route 192.168.0.0 255.255.255.0"

# route all traffic through vpn
push "redirect-gateway def1"

# Use compression on the VPN link
comp-lzo

# change 100.100.100.100 to a suitable DNS server (probably at your ISP)
push "dhcp-option DNS 100.100.100.100"


# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

####config file finish######

To run the OpenVPN server from OpenVPNGui, start OpenVPNGui, right-click on the icon in the system tray, go to N800, and click connect. In Linux, I think you need to navigate to the /etc/openvpn/ folder and run openvpn --config n800.ovpn

From memory, that should be working now. You'll get a whole sequence of messages, culminating in something like:

Mon Jul 16 08:09:18 2007 Initialization Sequence Completed

Configuring your router

For OpenVPN to work, your home PC is going to need to have the same local IP address all the time. The easiest way to do this is to find the option in your router to make a particular computer's IP address fixed. So if it has been assigned the IP address 192.168.0.5, click on the "fix" or "make static" button (or whatever else your router calls it) to ensure your computer is always assigned this IP address when it starts. This option can be hard to find, but is often in a section with a name like LAN management. If you can't find it, you'll have to set your computer up with a fixed IP address - if you don't know how to do this you can find out by Googling!

Now log in to your router, and find the page that says something like "Advanced Routing" or "Manual Routing."

You'll need to make the following entry:

Route name: OpenVPN
Destination LAN IP: 10.8.0.0
Subnet Mask: 255.255.255.252
Default Gateway: 192.168.X.X (change this to the IP address of your home computer)
Interface: LAN and Wireless

Save the changes you have just made, then find the page for Port Forwarding, and add this:

Name: OpenVPN
Protocol: UDP
Starting Port: 1194
End Port: 1194
Forward to: 192.168.X.X (change this to the IP address of your home computer)

Save changes and reboot your router.

Installing OpenVPN on your N800

Note: Become root before you install and run OpenVPN

4. First of all, you are going to need three files. These were made available by Laurent Guerby - cheers Laurent, good work mate! - but to save his bandwidth you can download all three from here:
openvpn_2.0-1maemo2_armel.deb
liblzo1_1.08-3_armel.deb
openvpn

5. Now install openvpn_2.0-1maemo2_armel.deb. You can do this by going to the N800's application manager, finding the option to Install from file... on the Application menu, and clicking on openvpn_2.0-1maemo2_armel.deb in the location you just downloaded it to.

6. Do the same with liblzo1_1.08-3_armel.deb

7. Now you've installed these two files you need to overwrite the file called openvpn which is located in /usr/sbin/ on your N800 with the file called openvpn which you just downloaded. You can do this by going to the folder into which you just downloaded the file called openvpn in a terminal window and running this command:

mv -f openvpn /usr/sbin/

8. You'll find that you now have a folder /etc/openvpn/ and that's the folder into which we now need to copy 4 files. These are the ca.crt, client.crt and client.key files you generated in step 2, and which should be on your server machine, and a config file which we will come to in a minute. (Note: they may be called client1.crt and client1.key or even client2.crt and client2.key)

So figure out a way to get the first three files off your server machine onto your N800. The easiest way may be to connect your N800 by USB and copy the 3 files onto one of the N800's memory cards. If you copy them to your external card, you can then go to a terminal window and do:

mv /media/mmc1/ca.crt /etc/openvpn/
mv /media/mmc1/client.crt /etc/openvpn/
mv /media/mmc1/client.key /etc/openvpn/

This will move the three files to /etc/openvpn/ - which is exactly where we want them!
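Since client.key is the N800's private key, and files that travel via a memory card can end up readable by every user, it is worth checking the three files once they are in place. The script below is an added example, not part of the original post; the function name check_vpn_files and its messages are made up here, and the optional second argument covers the client1/client2 naming mentioned in step 8.

```shell
#!/bin/sh
# Added example, not from the original post. check_vpn_files is a made-up
# name. Usage, as root on the N800: check_vpn_files /etc/openvpn [client1]

check_vpn_files() {
    dir=${1:-/etc/openvpn}
    name=${2:-client}          # base name of the client certificate and key
    rc=0
    # Each file must exist and hold the PEM block its name promises, which
    # catches a certificate and key that were swapped or misnamed.
    for spec in "ca.crt:CERTIFICATE" "$name.crt:CERTIFICATE" \
                "$name.key:PRIVATE KEY"; do
        file=${spec%%:*}
        kind=${spec#*:}
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING $dir/$file"
            rc=1
        elif ! grep -q -e "-----BEGIN .*$kind-----" "$dir/$file"; then
            echo "WRONG   $dir/$file contains no $kind block"
            rc=1
        fi
    done
    # The .key file is the private key: only its owner may access it.
    if [ -f "$dir/$name.key" ]; then
        # Characters 5-10 of the mode string are the group and other bits.
        perms=$(ls -ld "$dir/$name.key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE   $dir/$name.key (group/other bits: $perms)," \
                 "fix with: chmod 600 $dir/$name.key"
            rc=1
        fi
    fi
    return "$rc"
}
```

The function prints one line per problem and returns non-zero if it found any, so it can be run again after each fix until it stays silent.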


9. Finally, you need a config file to put into /etc/openvpn/

To do this, download this config file onto your home computer:
n800remote.ovpn

Then you need to open the file in a text editor like Notepad or Kate, and edit it where indicated in the text of the file by adding your home IP address (if you have a fixed IP address). If you have a dynamic IP address assigned by your ISP each time you connect to the Internet then don't worry - you can get round this by getting a free dyndns domain name from:
dyndns.org

and putting it in instead of your home IP address.

Save the changes you have made to n800remote.ovpn and close it, and then copy it to /etc/openvpn in the same way you did with the .crt and .key files.

10. Nearly done. We're just about ready to go, except that you are going to have to tell your router to forward the packets that your N800 sends to your home IP address on port 1194 (the default OpenVPN port) to your home computer running OpenVPN.

How to do this will depend on what make of router you have, but basically you log on to your router, and there's probably an option for port forwarding, and you just enter the port number (1194) and the IP address of the computer running OpenVPN (probably something like 192.168.0.2). Save the changes and reboot the router for this to take effect.

11. Phew! That's it. You are ready to go. Make sure you are connected to the Internet from a remote location (i.e. not using your home Internet connection) and open a terminal window. Make sure you are root, and type:
cd /etc/openvpn/
openvpn --config n800remote.ovpn


and if all went according to plan you'll see a load of stuff scroll down the screen, which will finish with:

Initialization Sequence Completed

The easiest way to check it is working as you expect is to fire up the N800 browser and go to:
www.whatsmyip.org

If all is well, you'll get the IP address of your home computer, not the IP address of the Internet connection you are using.

Easy, wasn't it? Actually, don't be alarmed if it doesn't work first go. It took me four or five attempts before the darn thing would work. Read any error messages, and try and figure out what is wrong, or leave a question in the comments section.
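One thing to rule out early when the connection will not come up is the two config files disagreeing with each other. The script below is an added example (not part of the original post, and not the n800remote.ovpn file itself) that compares the settings both ends have to agree on: proto, dev, comp-lzo and the port. The function names are made up here, and it assumes you have copies of both config files on one machine.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up.
# Usage: check_vpn_pair n800.ovpn n800remote.ovpn

# Print the arguments of directive NAME in FILE: "on" if it takes none,
# "absent" if it is missing. Comments and Windows CRs are ignored.
directive() {
    tr -d '\r' < "$1" | awk -v name="$2" '
        { sub(/[#;].*/, "") }
        $1 == name { $1 = ""; sub(/^ +/, "")
                     print ($0 == "" ? "on" : $0); hit = 1; exit }
        END { if (!hit) print "absent" }'
}

# Reduce a value to the part the two ends have to agree on.
norm() {
    case "$1:$2" in
        proto:absent)                      echo udp ;;  # OpenVPN's default
        proto:tcp-server|proto:tcp-client) echo tcp ;;
        dev:tun*)                          echo tun ;;
        dev:tap*)                          echo tap ;;
        *)                                 echo "$2" ;;
    esac
}

check_vpn_pair() {
    server=$1; client=$2; rc=0
    for name in proto dev comp-lzo; do
        s=$(norm "$name" "$(directive "$server" "$name")")
        c=$(norm "$name" "$(directive "$client" "$name")")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $name: server=$s client=$c"; rc=1
        fi
    done
    # The client must dial the port the server listens on (default 1194),
    # which is also the port the router forwards.
    sport=$(directive "$server" port)
    if [ "$sport" = absent ]; then sport=1194; fi
    remote=$(directive "$client" remote)
    cport=$(echo "$remote" | awk '{ print ($2 == "" ? 1194 : $2) }')
    if [ "$remote" = absent ]; then
        echo "MISSING remote directive in $client"; rc=1
    elif [ "$sport" != "$cport" ]; then
        echo "MISMATCH port: server=$sport client=$cport"; rc=1
    fi
    return "$rc"
}
```

No output and a zero exit status mean the two files agree on these settings; the check says nothing about keys, routing or the router's port forwarding.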

12 comments:

Ryan Wright said...

Download links are broken, friend.
But thanks for the great howto!

Paul Rubens said...

Oops. Sorry Ryan. They're fixed now!

ralphb said...

Thanks for the very useful how-to.

Did you maybe also work out a convenient way to start and stop openvpn from the N800's desktop? Or maybe automatically according to which WLAN connection you have?

Having to drop to xterm to start openvpn each time I come to the office is going to be a drag.

Paul Rubens said...

Sorry ralphb, but I have never heard of a GUI or anything like that for OpenVPN on the N800.

It may be possible to get it to start automatically according to the connection you are using, but I haven't a clue how you would go about doing that.

Jason said...

Uhhh I followed all the instructions but for some reason it says handshake failed on the N800.

Does this have to do with my key files? Or the way I set up DNS?

Paul Rubens said...

Jason, it's hard to say for sure, but it does sound like maybe it could be a key problem.

Also, you could try rereading the section about configuring your router, and ensuring you have entered a static route, and port forwarding.

Best of luck - let me know how you get on.

Jason said...

I set up an account with dyndns and put an IP update on vpn server box to be I set the N800 to connect to the DNS that dyndns gave me and it my real IP shows up in the terminal when it's trying to connect but then handshake fails and nothing shows up on the GUI back on the server box, I would assume that means it's not even connecting to it? I redid my key files multiple times and they still don't work.

I set up port forwarding on my router.. I'm not sure where to go from here.... I think the problem is in the DNS or the port forwarding.. Yeah I need help..

Also I'm 16 and just started learning Linux so I'm not that great.

Anonymous said...

I can't install openvpn on my N800. I have installed the last OS 2007. What can I do?

Kevin said...

Boy, I hope someone reads this soon, this is a great way to get data to/from my home network when I'm out and about.

I've got everything working, connection works, authentication, etc., but I continually get the following message: NOTE: unable to redirect default gateway -- Cannot read the current default gateway from the system.
I can ping the 192.168.x.x machine at home that is running the openvpn server; I can ping 10.8.0.1 (which is also the server, right?) and that's it. I have the push "route add 192.168.0.0 255.255.255.0" stuff but can't see anything on the home network.

If someone can provide some useful information, I'd be very grateful. I have tried all of the suggestions that I've been able to google, but nothing works.

Help!

Paul Rubens said...

Kevin,

I had this problem, and it drove me mad for a while. The solution was to completely uninstall and reinstall it. If you've recently upgraded to the latest OS then make sure you download the new OpenVPN.

But in my case a reinstall solved it - hope this helps!

Kevin said...

Do you mean the n800 version? I installed everything new just the other day. I'm getting openvpn from one of the normal repositories, should I be using one from somewhere else???

If you mean openvpn on the server, what version are you running there?

Thanks for the quick reply. This ability will really expand the usefulness of my n800 and I can't wait to get it working...

Anonymous said...

Hi,

Do you know how to terminate the session gracefully? Do you just close x-term and the session closes or something? I found that when I did this other clients couldn't connect after to the vpn server.

 