OpenVPN for Palm Pre
OpenVPN enables you to build a secure virtual private network (VPN) connection from your Palm device to another available OpenVPN server, over an encrypted TLS connection. For encryption, it uses the libraries of the OpenSSL program. On the transport layer, it can use TCP or UDP. The secure connection, or "tunnel", between client and server is created using virtual network devices, using the TUN/TAP kernel drivers. With optware, openvpn is easily installable on your palm devices via ipkg. An application scenario could be to connect your Palm device via 3G to your home network, accessing data and services hosted by a NAS, for example.
OpenVPN client installation
To setup a connection to an available OpenVPN endpoint, you need the appropriate kernel module (tun.ko) on your Palm device and build a client-configuration depending and what type of connection you want to create (bridged or routed). The optware OpenVPN ipkg is a clean installation as the clipboard below proves. The Palm Pre/Pixi Linux OS is compiled with the /dev/tun driver built in, so you can ignore the module dependency warning. There is a project to create a GUI for the pre .
note: oinstall is alias oinstall="sudo ipkg-opt install"
┌─(box@castle)-(09:28:44)-> └─(~)--> $ oinstall openvpn Installing openvpn (2.1_rc15-1) to root... Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/openvpn_2.1_rc15-1_arm.ipk openvpn: unsatisfied recommendation for kernel-module-tun Installing lzo (1.08-2) to root... Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/lzo_1.08-2_arm.ipk Configuring lzo Configuring openvpn Successfully terminated.
OpenVPN client configuration
OpenVPN is deployed quickly and easily. The OpenVPN.net website and source installations contain scripts that can make OpenVPN connect to your home or work when WiFi is activated. The following excerpt assumes that you already have available the following things:
- a certificate for yourself / your device (in the example, called palmpre.crt)
- the issuing certificate authority (ca.crt)
- a key-file (palmpre.key)
It is highly suggested that you make yourself familiar in creating your own keys (and certificates), in case you are not provided with from a trusted source. Have a look at the following wiki page, explaining in detail how to Setup optware OpenVPN on a NAS, giving you exact instructions how to setup an endpoint you could connect your Palm device to.
┌─(root@castle)-(10:17:05)-> └─(/opt/etc/openvpn)--> # unzip palmpre.zip Archive: palmpre.zip creating: palmpre/ inflating: palmpre/ca.crt inflating: palmpre/palmpre.key inflating: palmpre/palmpre.crt inflating: palmpre/palmpre.conf inflating: palmpre/dh2048.pem inflating: palmpre/palmpre.ovpn
For a first connection test, you should start openvpn on your Palm device allowing it to write to standard out. Thereby, you will be able to follow allong, if anything goes awry during the initialization sequence:
openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn
If it connects successfully , you could start it as a background task (adding &), redirecting output to /dev/null. (You could write an upstart script, see the example for the Hamachi VPN in the resources below.)
┌─(root@castle)-(10:19:33)-> └─(/opt/etc/openvpn)--> # openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn >>/dev/null&
When testing access to your openvpn endpoint (server) from your Palm device, it can be benefitial if both can connect only via the openvpn tunnel (and not reach each other via an alternate route in your home network). The following scenario assumes, that a Palm device connects via openvpn to a private network (possibly your home network) from outside, using 3G (EVDO, UMTS). You can test this by turning off wifi and ssh to your Palm device using a Bluetooth PAN. See if your Palm device still has internet access over 3G, when turning off wifi. (While pinging google, drop wifi and monitor via SSH over Bluetooth PAN):
64 bytes from 18.104.22.168: seq=5 ttl=52 time=46.505 ms 64 bytes from 22.214.171.124: seq=6 ttl=52 time=45.603 ms 64 bytes from 126.96.36.199: seq=7 ttl=52 time=49.132 ms 64 bytes from 188.8.131.52: seq=8 ttl=52 time=101.013 ms 64 bytes from 184.108.40.206: seq=9 ttl=52 time=1556.213 ms <-- cutover wifi to evdo 64 bytes from 220.127.116.11: seq=10 ttl=52 time=561.371 ms 64 bytes from 18.104.22.168: seq=11 ttl=52 time=54.932 ms 64 bytes from 22.214.171.124: seq=12 ttl=50 time=109.436 ms 64 bytes from 126.96.36.199: seq=13 ttl=50 time=105.896 ms 64 bytes from 188.8.131.52: seq=14 ttl=50 time=104.523 ms
If you ping IPs in your home network now (the openvpn endpoint/gateway or other IPs behind), traffic to your private network is routed through the encrypted tunnel:
┌─(root@castle)-(10:33:54)-> └─(/opt/etc/openvpn/palmpre)--> # ping 184.108.40.206 PING 220.127.116.11 (18.104.22.168): 56 data bytes 64 bytes from 22.214.171.124: seq=0 ttl=42 time=456.665 ms 64 bytes from 126.96.36.199: seq=1 ttl=42 time=260.773 ms 64 bytes from 188.8.131.52: seq=2 ttl=42 time=268.189 ms ┌─(root@castle)-(10:35:13)-> └─(/opt/etc/openvpn/palmpre)--> # ping 184.108.40.206 PING 220.127.116.11 (18.104.22.168): 56 data bytes 64 bytes from 22.214.171.124: seq=0 ttl=64 time=259.552 ms 64 bytes from 126.96.36.199: seq=1 ttl=64 time=114.898 ms 64 bytes from 188.8.131.52: seq=2 ttl=64 time=118.958 ms ┌─(root@castle)-(10:35:40)-> └─(/opt/etc/openvpn/palmpre)--> # ping 184.108.40.206 PING 220.127.116.11 (18.104.22.168): 56 data bytes 64 bytes from 22.214.171.124: seq=0 ttl=64 time=502.137 ms 64 bytes from 126.96.36.199: seq=1 ttl=64 time=182.556 ms 64 bytes from 188.8.131.52: seq=2 ttl=64 time=123.016 ms
OpenVPN IRC channel
The OpenVPN IRC channel ##OpenVPN exists on the same Freenode server #WebOS-Internals is located on. Please stop by either channel with questions after visiting