Android, CyanogenMod, and OpenVPN

Although I followed the instructions about how to configure OpenVPN with Cyanogen I failed at first because the certificate “installation” is not what I call user-friendly (Why not simply copy the certificate file to the right location?).

OpenVPN is a very secure and feature-rich open-source VPN solution. If you Google for it you will find several HOWTOs on the net. Most of them (e.g. this one) suggest using the OpenVPN Installer and the associated settings app by Friedrich Schäuffelhut. It works very well. You can use a standard OpenVPN config file which can reside on the SD card together with the certificate(s).

I run the latest GingerDX, which is a fork of CyanogenMod, on my Xperia X8. It offers to configure OpenVPN directly: Settings->Wireless & network settings->VPN settings->Add VPN->Add OpenVPN VPN. There are several HOWTOs on how to configure it as well, e.g. here on the Cyanogen Wiki.

I’d like to connect to a corporate OpenVPN server. The server is authenticated with a public key (server certificate) as usual. The certificate is signed by a corporate CA key and certificate. The client authenticates to the server with a username and a password. This setup is nothing special. It is a typical setup.

To connect to such a server you need the server’s hostname (and probably the port number), the CA certificate, and a username/password. I copied the certificate to the root of the SD card and imported it: Settings->Location & security settings->Install from SD card. For whatever reason it was imported as a user certificate and not a CA certificate, which made it impossible to select in the OpenVPN setup dialog.[1]

I logged into the smartphone using adb shell and after a while of digging I found the directory /data/misc/keystore/ which contains the certificates. Whether a certificate is a user or a CA certificate is distinguished simply by the file name. User certificates are named 1000_USRCERT_xxx, CA certificates are named 1000_CACERT_xxx, where xxx is the name which will be displayed in the certificate selection dialog of the Cyanogen OpenVPN setup. I simply renamed the file from …USR… to …CA… and it worked 😉 Besides the certificates, the directory contains the file .masterkey. I guess that it contains the password which is used to encrypt keys.[2] The certificates are stored in a yet unknown format although I think it is either the Java keytool format or probably PKCS12.[3]
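The naming scheme described above, as an added example that is not part of the original post: a small POSIX shell helper that classifies keystore file names and lists the names available as CA certificates. The function names are hypothetical, the sample file names are constructed, and accepting any numeric prefix instead of only `1000` is an assumption.

```shell
#!/bin/sh
# Entry names follow the scheme from the post: 1000_USRCERT_<name> for user
# certificates, 1000_CACERT_<name> for CA certificates.
# Assumption: the numeric prefix may be any number, not only 1000.

# Print "<kind> <prefix> <name>", where kind is "user" or "ca";
# anything else (such as .masterkey) is printed as "other - <file name>".
classify_entry() {
    name=$1
    prefix=${name%%_*}      # text before the first "_"
    rest=${name#*_}         # text after the first "_"
    case $prefix in
        ''|*[!0-9]*) echo "other - $name"; return 0 ;;
    esac
    case $rest in
        USRCERT_?*) echo "user $prefix ${rest#USRCERT_}" ;;
        CACERT_?*)  echo "ca $prefix ${rest#CACERT_}" ;;
        *)          echo "other - $name" ;;
    esac
}

# Print the certificate names of one kind ("ca" or "user") found in a directory.
# For "ca" these are the names a CA-certificate selection dialog could offer.
list_kind() {
    dir=$1
    want=$2
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue
        classify_entry "${path##*/}" | {
            read -r kind prefix cert_name
            if [ "$kind" = "$want" ]; then echo "$cert_name"; fi
        }
    done
    return 0
}

# Constructed sample names, not taken from a real device.
for sample in .masterkey 1000_USRCERT_corp-ca 1000_CACERT_root_ca; do
    classify_entry "$sample"
done
```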

The Cyanogen OpenVPN settings are stored in the file /data/data/misc/vpn/profiles/dddd/.pobj where dddd is a large decimal number. Unfortunately this is a binary format as well 🙁 Typical signature of a Java and/or Windows programmer…

  1. IMO a file dialog should appear at the CA certificate option.
  2. This is the case if client public key authentication is used.
  3. Unfortunately it is not PEM format.