OpenVPN for Palm Pre

From WebOS Internals
Jump to navigation Jump to search


OpenVPN enables you to build a secure virtual private network (VPN) connection from your Palm device to another available OpenVPN server, over an encrypted TLS connection. For encryption, it uses the libraries of the OpenSSL program. On the transport layer, it can use TCP or UDP. The secure connection, or "tunnel", between client and server is created using virtual network devices, using the TUN/TAP kernel drivers. With optware, openvpn is easily installable on your palm devices via ipkg. An application scenario could be to connect your Palm device via 3G to your home network, accessing data and services hosted by a NAS, for example.

OpenVPN client installation

To setup a connection to an available OpenVPN endpoint, you need the appropriate kernel module (tun.ko) on your Palm device and build a client-configuration depending and what type of connection you want to create (bridged or routed). The optware OpenVPN ipkg is a clean installation as the clipboard below proves. The Palm Pre/Pixi Linux OS is compiled with the /dev/tun driver built in, so you can ignore the module dependency warning. There are two projects to create GUIs for webOS - PreVPNc on Google Code and pre-openvpn on

note: oinstall is alias oinstall="sudo ipkg-opt install"

└─(~)--> $ oinstall openvpn
Installing openvpn (2.1_rc15-1) to root...
openvpn: unsatisfied recommendation for kernel-module-tun
Installing lzo (1.08-2) to root...
Configuring lzo
Configuring openvpn
Successfully terminated.

OpenVPN client configuration

OpenVPN is deployed quickly and easily. The website and source installations contain configuration scripts that can make OpenVPN connect to your home or work when WiFi is activated. The following excerpt assumes that you already have available the following things:

  • a certificate for yourself / your device (in the example, called palmpre.crt)
  • the issuing certificate authority (ca.crt)
  • a key-file (palmpre.key)
  • a client configuration for your Palm device (palmpre.ovpn)

Be aware, that the abovementioned filenames are only examples. Most likely, you would create these files yourself.
It is highly suggested that you make yourself familiar in creating your own keys (and certificates), in case you are not provided with from a very trusted source!
As you create certificates, keys, and certificate signing requests yourself, understand that only .key files should be kept confidential. .crt and .csr files can be sent over insecure channels such as plaintext email.You should never need to copy a .key file between computers. Normally each computer will have its own certificate/key pair.
Have a look at the wiki Setup optware OpenVPN on a NAS, giving you exact instructions how to. For easy key management, the package easy-rsa provides necessary tools. It is also available via optware and well documented on the OpenVPN website.

└─(/opt/etc/openvpn)--> # unzip
   creating: palmpre/
  inflating: palmpre/ca.crt
  inflating: palmpre/palmpre.key
  inflating: palmpre/palmpre.crt
  inflating: palmpre/palmpre.conf
  inflating: palmpre/dh2048.pem
  inflating: palmpre/palmpre.ovpn

Starting OpenVPN

For a first connection test, you should start openvpn on your Palm device allowing it to write to standard out. Thereby, you will be able to follow allong, if anything goes awry during the initialization sequence:

openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn

If it connects successfully , you could start it as a background task (adding &), redirecting output to /dev/null. (You could write an upstart script, see the example for the Hamachi VPN in the resources below.)

└─(/opt/etc/openvpn)--> # openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn >>/dev/null&

Testing connection

When testing access to your openvpn endpoint (server) from your Palm device, it can be benefitial if both can connect only via the openvpn tunnel (and not reach each other via an alternate route in your home network). The following scenario assumes, that a Palm device connects via openvpn to a private network (possibly your home network) from outside, using 3G (EVDO, UMTS). You can test this by turning off wifi and ssh to your Palm device using a Bluetooth PAN. See if your Palm device still has internet access over 3G, when turning off wifi. (While pinging google, drop wifi and monitor via SSH over Bluetooth PAN):

64 bytes from seq=5 ttl=52 time=46.505 ms
64 bytes from seq=6 ttl=52 time=45.603 ms
64 bytes from seq=7 ttl=52 time=49.132 ms
64 bytes from seq=8 ttl=52 time=101.013 ms 
64 bytes from seq=9 ttl=52 time=1556.213 ms <-- cutover wifi to evdo
64 bytes from seq=10 ttl=52 time=561.371 ms
64 bytes from seq=11 ttl=52 time=54.932 ms
64 bytes from seq=12 ttl=50 time=109.436 ms
64 bytes from seq=13 ttl=50 time=105.896 ms
64 bytes from seq=14 ttl=50 time=104.523 ms

If you ping IPs in your home network now (the openvpn endpoint/gateway or other IPs behind), traffic to your private network is routed through the encrypted tunnel:

└─(/opt/etc/openvpn/palmpre)--> # ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=42 time=456.665 ms
64 bytes from seq=1 ttl=42 time=260.773 ms
64 bytes from seq=2 ttl=42 time=268.189 ms

└─(/opt/etc/openvpn/palmpre)--> # ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=64 time=259.552 ms
64 bytes from seq=1 ttl=64 time=114.898 ms
64 bytes from seq=2 ttl=64 time=118.958 ms

└─(/opt/etc/openvpn/palmpre)--> # ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=64 time=502.137 ms
64 bytes from seq=1 ttl=64 time=182.556 ms
64 bytes from seq=2 ttl=64 time=123.016 ms

OpenVPN IRC channel

The OpenVPN IRC channel ##OpenVPN exists on the same Freenode server #WebOS-Internals is located on. Please stop by either channel with questions after visiting [1]

Further resources

  1. The official website of OpenVPN. See the excellent Documentation! (Community software > Documentation > Howto)
  2. Easy-RSA Key management tool for OpenVPN
  3. Hamachi on Pre. Use the popular, proprietary Hamachi for VPN on your Palm device.
  4. Optware OpenVPN on a QNAP Nas gives you a good example of a complete configuration.