Secure Your Android Phone With OpenVPN On Ubuntu 16.04 In 10 Minutes

September 30, 2017

OpenVPN is an open source secure tunnel application. It creates an encrypted tunnel between a client and a server. Data passing through the tunnel cannot be read by anyone who intercepts it. In this case, the client will be your Android phone and the server will be a server that you own running OpenVPN.

This is extremely valuable because it means that all of your data is unreadable by anyone between you and your server. This includes the suspect WiFi network you just connected to, your phone company, or even your office.

OpenVPN has a (well-deserved) reputation for being difficult to set up and configure. However, we will employ some additional tools to get an OpenVPN server up and running in a couple of minutes and get your phone connecting and routing all data to it in a few more.

It is better to host your own VPN, as commercial services cannot always be trusted.

Update: With the discovery of the KRACK WPA2 attack, almost all WiFi is now potentially vulnerable to decryption. If you are using OpenVPN you are safe, as your data is already encrypted by OpenVPN before it hits the WiFi network.

All you need for this guide is:

  1. A server running Ubuntu 16.04 (newer versions may work but I have only tested this on 16.04).
  2. An Android phone.

A small virtual machine will be perfect for this application. Very little processing power is required, only reliability and bandwidth.

If you are in the UK or Europe then a Memset Cloud VPS running Ubuntu 16.04 will get you up and running in a couple of minutes and will work perfectly for this application.

Your server will need a public IP address that does not have anything bound to port 443. This is the port that HTTPS usually binds to so if you are running a website from this IP then the following guide will not work.

We will use port 443 because it is frequently allowed outbound through firewalls and the OpenVPN traffic will most likely be mistaken for simple HTTPS traffic.

Step 1 - Install the needed packages

Log into your server as root (or as a sudo-enabled user) and run the following commands:

apt-get update
apt-get upgrade
apt-get install openvpn zip

We will need zip later in the guide.

Step 2 - Download the OpenVPN configuration script

GitHub user Tinfoil Security has created an extremely useful bash script that will:

  1. Configure OpenVPN.
  2. Create some server configuration files.
  3. Create a set of client configuration files.

The following command will download the openvpn.sh script from Tinfoil Security’s GitHub account:

wget https://raw.githubusercontent.com/tinfoil/openvpn_autoconfig/master/bin/openvpn.sh

Step 3 - Run openvpn.sh

First, we need to make openvpn.sh executable in order to run it:

chmod 755 openvpn.sh

Next, run the script:

./openvpn.sh

It will do everything automatically and requires no options or input.

Step 4 - Start the OpenVPN server

openvpn.sh creates two OpenVPN server configuration profiles. We will use the /etc/openvpn/tcp443.conf configuration file as it will start the server on port 443 using TCP.

We can specify which configuration file we want to use by including its name, without the .conf, in the systemctl start command:

systemctl start openvpn@tcp443.service

The OpenVPN server is now running and listening for new connections on port 443.

Step 5 - Get the client configuration file onto your phone

The openvpn.sh script created a client configuration file at /etc/openvpn/client.ovpn, which we will need on your phone so it can connect to your server.

As this file contains a private key it needs to be securely loaded onto your phone. First, encrypt the file using the zip command:

cd /etc/openvpn
zip -e client.ovpn.zip client.ovpn

This creates an encrypted .zip file of the client.ovpn file.

Next, download client.ovpn.zip to your local computer.

Install an app on your phone that will decrypt zip files, such as ZArchiver.

You can either email the file to your phone or upload client.ovpn.zip to your Google Drive account. From there you can download it to your phone.

When you have downloaded it, you will be prompted to extract the file with ZArchiver. Extract client.ovpn to your Downloads directory.

You can remove the archiving app once you have extracted the client.ovpn file.
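
Before running zip -e in this step, the profile can be checked on the server. The following is an added example, not part of the original guide or of openvpn.sh: it reports whether a profile embeds a private key, whether the file is readable beyond its owner, whether a server-certificate check is configured, and where it connects. The sample profile, the 203.0.113.10 address and the function names are constructed for illustration; nothing is assumed about what openvpn.sh actually writes into client.ovpn.

```shell
#!/bin/sh
# Added example, not part of openvpn.sh: check a client profile before transfer.

# Write a constructed sample profile (placeholder key material) to path $1.
make_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote 203.0.113.10 443 tcp
<ca>
CONSTRUCTED-PLACEHOLDER-CA
</ca>
<key>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
</key>
EOF
}

# Print one finding per line for the profile at path $1.
audit_ovpn() {
    f=$1
    # An inline <key> block means the private key travels with the file.
    if grep -q '^<key>' "$f"; then echo "inline-private-key"; fi
    # Group/other permission bits are characters 5-10 of the ls mode string.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then echo "loose-permissions:$perms"; fi
    # These three directives make the client check the peer's certificate type
    # or name; with none of them, a certificate only has to be signed by the CA.
    if ! grep -Eq '^(remote-cert-tls|ns-cert-type)[[:space:]]+server|^verify-x509-name[[:space:]]' "$f"; then
        echo "no-server-cert-check"
    fi
    # "remote <host> <port> [proto]": show where the profile connects.
    awk '$1 == "remote" { print "remote:" $2 ":" $3 ":" ($4 != "" ? $4 : "unset") }' "$f"
}

# Demo on the constructed sample, made world-readable on purpose.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/client.ovpn"
chmod 644 "$demo_dir/client.ovpn"
audit_ovpn "$demo_dir/client.ovpn"
rm -rf "$demo_dir"
```

On the real file, run audit_ovpn /etc/openvpn/client.ovpn; a profile that reports inline-private-key should be mode 600 on the server and deleted from any intermediate machine once it is on the phone.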

Step 6 - Connect your Phone to the OpenVPN server

First, you will need to install the OpenVPN Connect app from the Google Play Store.

When OpenVPN Connect is installed, open it and hit the three dots in the top right. Then go:

Import -> Import Profile from SD card

Then navigate your file system until you locate client.ovpn and select it.

Now all you need to do is hit Connect from the app’s homepage.

That’s it!

Your phone will now direct all data via the OpenVPN tunnel to your server.

You can change the way that the application connects via:

Three Dots -> Preferences

You can choose to have the tunnel open all the time, when the phone is unlocked or only when you are connecting to WiFi.