Android VPN Connectivity

From PFSenseDocs

In order to establish a VPN from an Android device to pfSense, you must be on at least pfSense 2.0.

L2TP was the easiest to make work during testing, but it does not encrypt traffic, it only tunnels.

In all cases, be sure to add firewall rules to the interface created for the VPN clients.

Initial testing was performed on a Verizon Droid X.

Summary

This is a summary of the following information only. Please keep reading for more details!

pfSense 1.2.3
Android version	Protocol
↓	PPTP	L2TP
Any	No	n/a

pfSense 2.0
Android Version	Protocol
↓	PPTP	L2TP					IPSec			OpenVPN
↓	(All)	CHAP	PAP	PSK	IPSec-PSK	IPSec-RSA	Xauth PSK	Xauth RSA	Hybrid RSA	Native	3rd-party App
1.6 (Donut)	Probably	Probably	Probably	?	n/a	n/a	n/a	n/a	n/a	n/a	n/a
2.1 (Eclair)	Yes (no encryption)	Probably	Probably	?	?	?	?	?	?	n/a	Maybe
2.2.1 (Froyo)	Yes	Probably	Probably	?	?	?	?	?	?	n/a	Maybe
2.3 (Gingerbread)	Yes	Probably	Probably	?	?	?	Yes (see text for details)	?	?	n/a	Maybe
3.0 (Honeycomb)	Yes	Probably	Probably	?	?	?	Probably	?	?	n/a	Maybe
4.0 (Ice Cream Sandwich)	Yes	Probably	Probably	?	?	?	Probably	?	?	n/a	Yes
4.1 (Jelly Bean)	Yes	Probably	Probably	?	?	?	Yes	?	?	n/a	Yes

pfSense 1.2.3

PPTP - Does not work (Appears to want an auth type not supported by pfSense 1.2.3)
L2TP Modes are not supported in pfSense 1.2.3

pfSense 2.0

PPTP - Works
- NOTE: PPTP may be insecure, MS-CHAPv1 is fundamentally flawed, and even MS-CHAPv2 has now been cracked. Please consider whether using another protocol will better meet your security needs.
L2TP - Works - Both PAP and CHAP work fine. IP config similar to PPTP
- NOTE: L2TP on its own is just a tunneling protocol, it does not encrypt traffic!
L2TP with Shared Secret - Does not work
L2TP+IPsec mode - Does not work, the phone must use its IP as the identifier as it forces main mode.

Android 2.1 (Eclair)

See this note on Android and PPTP from a user on the forum:

Android 2.1 does not have MPPE and therefor will not connect to -any- PPTP server that requires encryption. I updated to 2.2.1 Froyo today, and it instantly connected. Just an FYI For those of you who may or may not be confused as to why you see it working for some and not others.

Android 2.3 (Gingerbread) IPsec

For some devices, Gingerbread brought with it the "Advanced IPsec VPN" choices that will let it work with 2.0 and most likely other scenarios as well. Specifically these options are found on at least the Motorola Droid X, and likely others.

The VPN choices on these versions are:

Cert v1 (AES)
Cert v1 (AES, aggressive)
Cert v1 (AES, xauth)
Cert v2 (AES)
L2TP Cert v1 (AES)
L2TP PSK v1 (AES)
PSK v1 (AES)
PSK v1 (AES, xauth)
PSK v1 (AES, xauth, aggressive) [Tested, working]
PSK v2 (AES)

The choices that use main mode (anything that isn't labeled "aggressive") likely won't work as the IP of the phone is used as the identifier, no matter what is entered in the phone's GUI, so it would require anonymous PSKs. Unless there is some trick I'm not seeing.

PSK v1 (AES, xauth, aggressive) works against a 2.0 server when properly configured. This combination is reported to work well - see Mobile IPsec on 2.0 for configuration details.

If you try another mode and it works, let us know. The certificate method (Cert v1 (AES, aggressive)) should work in theory but has not yet been tested.

Android 4.0 (Ice Cream Sandwich) IPsec

With ICS, the VPN options have been revamped and the following choices are available:

L2TP/IPsec PSK
L2TP/IPsec RSA
IPsec Xauth PSK
IPsec Xauth RSA
IPsec Hybrid RSA

Of those, at least the IPsec Xauth PSK option should work, but testing is needed to confirm.

Android 4.1 (Jelly Bean) IPsec

Should be identical to 4.0. One report so far of a working configuration with XAuth: [1]

OpenVPN on Android (Non-Root)

Android 4.0 also brings the ability for third-party VPN clients. There is an excellent OpenVPN client that does not require root available on Google Play for devices running ICS.

Note: the FEAT VPN client also claims to not require root access for Android 2.1 through 3.2, but the free version is limited to 1hr/day of use. If you use this client (either the free or commercial version), please let us know if it works.

I have personally tested this client on an Asus Transformer Prime and a Motorola Droid Razr, both with Android 4.0.x.

With the latest update to the pfSense OpenVPN Client Export package, you can export an "Inline Configuration" that has the config, the certs, keys, etc, in a single file. This file imports into the client linked above quite easily, as follows:

Export the Inline Configuration
Transfer the config to the phone (copy the file directly, e-mail it to yourself and use a mail client that can save attachments, grab it from a file share on the network, etc.)
Open the OpenVPN App
Click "All your precious VPNs"
Click Import (File folder icon in top right)
Find the ovpn file you saved above, click it
Click Select
Click the Save icon

NOTE: If you use K9 mail, and possibly others, when you save the attachment to /mnt/sdcard/ the OpenVPN app will launch and import automatically.

Now that it's saved, you need to tell it your username if you're using a User Auth type.

In the list of VPNs, click the icon to edit the VPN (looks like three sliders)
Click Edit in the top bar (Pencil icon)
Click Basic
Fill in the Username
Click back a couple times to get back to the VPN list

You should now be able to connect to the VPN.

After the VPN has been successfully configured and tested, remember to remove the .ovpn file from your Android device's SD card. The settings are stored securely by the app, so keeping the file on insecure storage is not needed nor recommended.

Search

Personal tools

Views

Navigation

Toolbox