OpenVPN is an open source secure tunnel application. It creates an encrypted tunnel between a client and a server. Any data passing through the tunnel cannot be read by anyone who is able to intercept it. In this case, the client will be your Android phone and the server will be a server that you own running OpenVPN. It is better to host your own VPN, as commercial services cannot always be trusted.
This is extremely valuable because it means that all of your data is unreadable by anyone between you and your server. This includes the suspect WiFi network you just connected to, your phone company, or even your office.
OpenVPN has a (well-deserved) reputation for being difficult to set up and configure. However, we will use a tool to get an OpenVPN server up and running in a couple of minutes and get your phone connecting and routing all data to it in a few more.
Update: With the discovery of the KRACK WPA2 attack, almost all WiFi is now potentially vulnerable to decryption. If you are using OpenVPN you are safe, as your data is already encrypted by OpenVPN before it hits the WiFi network.
All you need for this guide is:
- A server running Ubuntu 16.04 or 18.04.
- An Android phone or iPhone.
A small virtual machine will be perfect for this application. Very little processing power is required, only reliability and bandwidth.
If you are in the UK or Europe then a Memset Cloud VPS running Ubuntu 16.04 will get you up and running in a couple of minutes and will work perfectly for this application.
Your server will need a public IP address that does not have anything bound to port 443. This is the port that HTTPS usually binds to, so if you are running a website from this IP then the following guide will not work.
We will use port 443 because it is frequently allowed outbound through firewalls and the OpenVPN traffic will most likely be mistaken for simple HTTPS traffic.
Step 1 - Install the needed packages
Log into your server as root (or as a sudo-enabled user) and run the following commands:
apt-get update
apt-get upgrade
apt-get install openvpn zip
We will need zip later in the guide.
Step 2 - Download the OpenVPN configuration script
GitHub user Tinfoil Security has created an extremely useful bash script that will:
- Configure OpenVPN.
- Create some server configuration files.
- Create a set of client configuration files.
The following command will download the openvpn.sh script from Tinfoil Security’s GitHub account:
wget https://raw.githubusercontent.com/tinfoil/openvpn_autoconfig/master/bin/openvpn.sh
Step 3 - Run openvpn.sh
First, we need to make openvpn.sh executable in order to run it:
chmod 755 openvpn.sh
Next, run the script:
./openvpn.sh
It will do everything automatically and requires no options or input.
Step 4 - Start the OpenVPN server
openvpn.sh creates two OpenVPN server configuration profiles. We will use the /etc/openvpn/tcp443.conf configuration file as it will start the server on port 443 using TCP.
We can specify which configuration file we want to use by including its name, without the .conf extension, in the systemctl start command:
systemctl start openvpn@tcp443.service
The OpenVPN server is now running and listening for new connections on port 443.
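The guide requires port 443 to be unbound before you start and to be held by OpenVPN after Step 4. The following is an added example, not part of this guide's original text or of Tinfoil Security's script, that checks both conditions from `ss -tlnp` output; the function names are hypothetical and the sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: helper names below are hypothetical, not part of openvpn.sh.
# Each function reads `ss -tlnp` output on stdin, so it can be checked against
# saved output as well as a live server.

# Print the name of the process listening on TCP port 443, "unknown" if ss
# could not show the owner (ss was not run as root), or nothing if the port is free.
listener_on_443() {
  awk '
    # Field 4 is Local Address:Port; ":443$" does not match ports such as 8443.
    $1 == "LISTEN" && $4 ~ /:443$/ && !found {
      name = "unknown"
      if (match($0, /users:\(\("[^"]+"/))
        name = substr($0, RSTART + 9, RLENGTH - 10)
      print name
      found = 1
    }'
}

# Prerequisite check: succeeds only when nothing is bound to port 443.
port_443_is_free() { [ -z "$(listener_on_443)" ]; }

# Post-Step 4 check: succeeds only when the listener on port 443 is openvpn.
openvpn_owns_443() { [ "$(listener_on_443)" = "openvpn" ]; }

# Constructed sample outputs (not captured from a real host).
SAMPLE_WEB='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*         users:(("java",pid=655,fd=41))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=812,fd=6))'
SAMPLE_VPN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      1      0.0.0.0:443        0.0.0.0:*         users:(("openvpn",pid=1330,fd=5))'
SAMPLE_FREE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))'
```

On the server, run `ss -tlnp | port_443_is_free` as root before Step 1 and `ss -tlnp | openvpn_owns_443` after Step 4; a non-zero exit status means the condition does not hold.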
Step 5 - Get the client configuration file onto your phone
The openvpn.sh script created a client configuration file at /etc/openvpn/client.ovpn, which we will need on your phone so it can connect to your server.
As this file contains a private key, it needs to be securely loaded onto your phone. First, encrypt the file using the zip command:
cd /etc/openvpn
zip -e client.ovpn.zip client.ovpn
This creates an encrypted .zip file of the client.ovpn file.
Next, download client.ovpn.zip to your local computer so you can either email client.ovpn.zip to your phone or upload the file to your Google Drive account, Dropbox account, etc.
When the file is on your phone you will need an app that can unzip password-protected files. iZip will do this on iOS and the XZip app will do this on Android.
Find client.ovpn.zip and unzip it using the app you just downloaded. You can uninstall the app after you have opened the file as you won’t need it again in this guide.
Step 6 - Connect your phone to the OpenVPN server
First, you will need to install the OpenVPN app. This is available from the Google Play Store here or from Apple iTunes here.
When OpenVPN Connect is installed, open it and hit the three dots in the top right. Then go to:
Import -> Import Profile from SD card
Then navigate your file system until you locate client.ovpn and select it.
Now all you need to do is hit Connect from the app’s homepage.
That’s it!
Your phone will now direct all data via the OpenVPN tunnel to your server.
You can change the way that the application connects via:
Three Dots -> Preferences
You can choose to have the tunnel open all the time, only when the phone is unlocked, or only when you are connecting to WiFi.