AndyInNYC
Junior Member
Posts: 10
Joined: Jul 2014
RE: Phone logs and OpenVPN
Knerd,
I have been having OpenVPN issues as well. My last round ended up being 'bad' certificates. They worked everywhere except on the phone (other PCs, iPhones, etc. could use them just fine). I used certificates created on another machine and ported them to the server.
Prior to that I had an issue many have had - the .tar file must be in a very specific format:
vpn.cnf (the 'client.conf' everywhere else)
a keys subdirectory
\keys\client.crt
\keys\client.key
\keys\ca.crt (I think from memory)
The vpn.cnf must reference the certificates as though they were in another directory - like this:
ca /config/openvpn/keys/ca.crt
Here is my working vpn.cnf (client side) file:
client
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
ns-cert-type server
remote X.Y.Z.A # You fill in your VPN address here
nobind
port 1190
proto udp
dev tun
comp-lzo
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
Here is the working server.conf file:
local X.Y.Z.A # Fill in your IP address here
port 1194
proto udp
dev tun
# added based on pbxinaflaah.com
daemon
persist-tun
persist-key
cipher BF-CBC
tls-server
#end added
mode server
server 10.8.0.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
push "dhcp-option DNS 10.2.1.1"
keepalive 20 60
client-to-client
duplicate-cn
comp-lzo
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
log-append /etc/openvpn/openvpn.log
I'm using iptables on my machine; you need to open the firewall. Here's what I have as additions:
-A INPUT -s 10.8.0.0/16 -j ACCEPT
-I INPUT -p udp --dport 1194 -j ACCEPT
in the *nat section as the very first line:
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Hope this helps you. You can look at the created openvpn.log file (now in /etc/openvpn) to see if your phone is at least trying to hit the VPN.
Andrew
08-10-2014 09:16 AM
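The bundle layout the post describes (vpn.cnf at the root, a keys/ subdirectory, and ca/cert/key lines pointing at /config/openvpn/keys/), as an added POSIX sh example that is not AndyInNYC's own code: it checks a client bundle directory for that layout, optionally verifies the client certificate against ca.crt and the private key with openssl, and packs the .tar. The /config/openvpn unpack location and the file names are assumed from the post's vpn.cnf.

```shell
# Added example, not from the post: check and pack an OpenVPN client bundle in the
# layout the post describes (vpn.cnf at the root, certs under keys/, directives
# pointing at /config/openvpn/keys/...). Assumes the phone unpacks it under
# /config/openvpn, the prefix used in the post's vpn.cnf.
BUNDLE_PREFIX=/config/openvpn

# cnf_path DIR DIRECTIVE: print the path a ca/cert/key line in DIR/vpn.cnf names.
cnf_path() { awk -v d="$2" '$1==d {print $2; exit}' "$1/vpn.cnf"; }

# in_bundle DIR PATH: translate /config/openvpn/keys/x into DIR/keys/x.
in_bundle() { printf '%s/%s\n' "$1" "${2#$BUNDLE_PREFIX/}"; }

# check_bundle_dir DIR: vpn.cnf present, keys/ present, and every ca/cert/key
# directive points under $BUNDLE_PREFIX/keys/ at a file that is really there.
# Prints each problem; returns 0 only when the layout is right.
check_bundle_dir() {
    dir=$1; rc=0
    [ -f "$dir/vpn.cnf" ] || { echo "missing vpn.cnf (rename client.conf)"; return 1; }
    [ -d "$dir/keys" ] || { echo "missing keys/ subdirectory"; rc=1; }
    for directive in ca cert key; do
        path=$(cnf_path "$dir" "$directive")
        case "$path" in
            "") echo "vpn.cnf has no '$directive' line"; rc=1 ;;
            "$BUNDLE_PREFIX"/keys/*)
                [ -f "$(in_bundle "$dir" "$path")" ] ||
                    { echo "'$directive $path' names a file missing from keys/"; rc=1; } ;;
            *) echo "'$directive $path' must point under $BUNDLE_PREFIX/keys/"; rc=1 ;;
        esac
    done
    return $rc
}

# check_bundle_certs DIR: with openssl installed, confirm the client cert is signed
# by ca.crt and matches the private key, so a "bad" certificate is caught before
# the bundle reaches the phone. Returns 0 on success or when openssl is absent.
check_bundle_certs() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    ca=$(in_bundle "$dir" "$(cnf_path "$dir" ca)")
    crt=$(in_bundle "$dir" "$(cnf_path "$dir" cert)")
    key=$(in_bundle "$dir" "$(cnf_path "$dir" key)")
    openssl verify -CAfile "$ca" "$crt" >/dev/null || { echo "$crt is not signed by $ca"; return 1; }
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] ||
        { echo "$crt does not match $key"; return 1; }
}

# pack_bundle DIR OUT.tar: archive vpn.cnf and keys/ with no leading directory,
# so the phone sees exactly the layout the post describes.
pack_bundle() {
    out=$2; case "$out" in /*) ;; *) out=$PWD/$out ;; esac
    (cd "$1" && tar -cf "$out" vpn.cnf keys)
}
```

Typical use is `check_bundle_dir ./mybundle && check_bundle_certs ./mybundle && pack_bundle ./mybundle vpn.tar`, then copy vpn.tar to the phone.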