September 30, 2017
OpenVPN is an open source secure tunnel application. It creates an encrypted tunnel between a client and a server. Any data passing through the tunnel cannot be read by anyone who is able to intercept it. In this case, the client will be your Android phone and the server will be a server that you own running OpenVPN.
This is extremely valuable because it means that all of your data is unreadable by anyone between you and your server. This includes the suspect WiFi network you just connected to, your phone company, or even your office.
OpenVPN has a (well-deserved) reputation for being difficult to set up and configure. However, we will employ some additional tools to get an OpenVPN server up and running in a couple of minutes and get your phone connecting and routing all data through it in a few more.
It is better to host your own VPN, as commercial services cannot always be trusted.
Update: With the discovery of the KRACK WPA2 attack, almost all WiFi is now potentially vulnerable to decryption. If you are using OpenVPN you are safe, as your data is already encrypted by OpenVPN before it hits the WiFi network.
All you need for this guide is:
- A server running Ubuntu 16.04 (newer versions may work but I have only tested this on 16.04).
- An Android phone.
A small virtual machine will be perfect for this application. Very little processing power is required; only reliability and bandwidth matter.
Your server will need a public IP address that does not have anything bound to port 443. This is the port that HTTPS usually binds to, so if you are running a website from this IP then the following guide will not work.
We will use port 443 because it is frequently allowed outbound through firewalls and the OpenVPN traffic will most likely be mistaken for ordinary HTTPS traffic.
Step 1 - Install the needed packages
Log into your server as root (or as a sudo-enabled user) and run the following commands:
apt-get update
apt-get upgrade
apt-get install openvpn zip
We will need zip later in the guide.
Step 2 - Download the OpenVPN configuration script
- Configure OpenVPN.
- Create some server configuration files.
- Create a set of client configuration files.
The following command will download the openvpn.sh script from Tinfoil Security’s GitHub account:
Step 3 - Run openvpn.sh
First, we need to make openvpn.sh executable in order to run it:
chmod 755 openvpn.sh
Next, run the script:
It will do everything automatically and requires no options or input.
Step 4 - Start the OpenVPN server
openvpn.sh creates two OpenVPN server configuration profiles. We will use the /etc/openvpn/tcp443.conf configuration file as it will start the server on port 443 using TCP.
We can specify which configuration file we want to use by including its name, without the .conf, in the systemctl start command:
systemctl start openvpn@tcp443
OpenVPN is now running and listening for new connections on port 443.
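The following shell functions are an added example, not part of the original post, that turn two checks this guide relies on into something you can run: before step 1, that nothing already listens on TCP port 443 on the server, and after the systemctl start above, that the OpenVPN unit is active and has actually bound the port. The unit name openvpn@tcp443 is assumed from the tcp443.conf file name and the openvpn@.service template the Ubuntu package installs; ss and systemctl are assumed to be present on the server. The listener parser takes the ss -ltn output as an argument so it can also be exercised on a constructed listing.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight and post-start checks
# for the TCP/443 listener the guide depends on.

# listeners_on_port PORT LISTING
# Prints the "Local Address:Port" column of every entry in LISTING (the output
# of `ss -ltn`) whose port equals PORT. The port is taken from the last
# colon-separated field so IPv6 forms such as ":::443" and wildcards such as
# "*:443" are handled as well.
listeners_on_port() {
  port=$1
  listing=$2
  printf '%s\n' "$listing" | awk -v p="$port" '
    NR > 1 {                   # skip the ss header line
      n = split($4, a, ":")
      if (a[n] == p) print $4
    }'
}

# port_is_free PORT LISTING : succeeds when nothing in LISTING listens on PORT
port_is_free() {
  [ -z "$(listeners_on_port "$1" "$2")" ]
}

# Prerequisite from the guide: the public IP must have nothing bound to 443.
preflight_443() {
  if port_is_free 443 "$(ss -ltn)"; then
    echo "port 443 is free: OK to run openvpn.sh"
  else
    echo "port 443 is already bound: $(listeners_on_port 443 "$(ss -ltn)")" >&2
    return 1
  fi
}

# After `systemctl start openvpn@tcp443` (unit name assumed from tcp443.conf
# and the packaged openvpn@.service template): confirm it is active and bound.
verify_openvpn_started() {
  systemctl is-active --quiet openvpn@tcp443 || {
    echo "openvpn@tcp443 is not active; see: journalctl -u openvpn@tcp443" >&2
    return 1
  }
  if port_is_free 443 "$(ss -ltn)"; then
    echo "openvpn@tcp443 is active but nothing listens on 443" >&2
    return 1
  fi
  echo "openvpn@tcp443 is active and listening on TCP 443"
}
```

Run preflight_443 before step 1 and verify_openvpn_started after step 4; both return non-zero on failure so they can gate a provisioning script.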
Step 5 - Get the client configuration file onto your phone
openvpn.sh created a client configuration file at /etc/openvpn/client.ovpn, which we will need on your phone so it can connect to your server.
As this file contains a private key, it needs to be securely loaded onto your phone. First, encrypt the file using the zip command we installed in step 1:
cd /etc/openvpn
zip -e client.ovpn.zip client.ovpn
This creates an encrypted .zip file of the client.ovpn file. Copy client.ovpn.zip to your local computer.
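Before the profile leaves the server it is worth confirming that it really is what the phone needs: that it embeds the private key inline (the reason the guide encrypts it), that its remote directive points at your server on TCP 443, and that the file is readable only by its owner. The functions below are an added example, not code from the original post or from openvpn.sh, and the sample profile they write is constructed with placeholder host and key material so the checks can be tried without a server; whether the generated profile puts the transport on the remote line or in a separate proto directive is not stated in the guide, so both forms are accepted.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on client.ovpn
# before it leaves the server, plus a constructed sample to exercise them.

# profile_has_inline_key FILE : succeeds when FILE carries a private key
# inline (a <key>...</key> block), which is why the guide encrypts the file
profile_has_inline_key() {
  grep -q '^<key>' "$1" && grep -q '^</key>' "$1"
}

# profile_remote FILE : prints "HOST PORT" from the first remote directive
profile_remote() {
  awk '$1 == "remote" { print $2, $3; exit }' "$1"
}

# profile_proto FILE : prints the transport, taken from the remote line's
# third argument or, failing that, from a separate proto directive
profile_proto() {
  awk '$1 == "remote" && $4 != "" { print $4; exit }
       $1 == "proto" { print $2; exit }' "$1"
}

# check_profile FILE HOST : verify the profile embeds its key and points at
# HOST on TCP 443, then restrict its permissions to the owner
check_profile() {
  file=$1
  host=$2
  if ! profile_has_inline_key "$file"; then
    echo "$file: no inline <key> block, the client would have no private key" >&2
    return 1
  fi
  set -- $(profile_remote "$file")
  proto=$(profile_proto "$file")
  if [ "$1" != "$host" ] || [ "$2" != "443" ]; then
    echo "$file: remote is '$1 $2', expected '$host 443'" >&2
    return 1
  fi
  case "$proto" in
    tcp|tcp-client) ;;
    *) echo "$file: transport is '$proto', expected tcp" >&2; return 1 ;;
  esac
  chmod 600 "$file"   # key material: readable by the owner only
  echo "$file: OK, remote $1:$2/$proto with inline key"
}

# write_sample_profile FILE : constructed sample (placeholder host and key
# material, not a real profile) so the checks can be tried without a server
write_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 443 tcp
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}
```

Run check_profile /etc/openvpn/client.ovpn your.server.hostname before creating the archive. Note that zip -e uses the traditional ZipCrypto scheme, which is weak, so the passphrase is all that protects the key while the archive sits in a mailbox or in Google Drive: choose a long one, and delete the archive from both places once client.ovpn is on the phone.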
Install an app on your phone that can decrypt zip files, such as ZArchiver.
You can either email the file to your phone or upload client.ovpn.zip to your Google Drive account. From there you can download it to your phone.
When you have downloaded it, you will be prompted to extract the file with ZArchiver. Extract client.ovpn to your Downloads directory.
You can remove the archiving app once you have extracted the client.ovpn file.
Step 6 - Connect your Phone to the OpenVPN server
When OpenVPN Connect is installed, open it and hit the three dots in the top right. Then go:
Import -> Import Profile from SD card
Then navigate your file system until you locate client.ovpn and select it.
Now all you need to do is hit Connect from the app’s homepage.
Your phone will now direct all data via the OpenVPN tunnel to your server.
You can change the way that the application connects via:
Three Dots -> Preferences
You can choose to have the tunnel open all the time, when the phone is unlocked or only when you are connecting to WiFi.