This recipe is a continuation of the previous recipe. When integrating mobile clients into an existing OpenVPN setup, it is often necessary to treat these mobile clients differently from the regular OpenVPN clients. In some cases, it will be necessary to redirect all traffic for mobile clients over the VPN tunnel or a different encryption scheme needs to be used to optimize the OpenVPN app on the Android device. In this recipe, we will demonstrate how to push an option to an Android client, while leaving the options for all other clients unchanged.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4. The client device was running Android 4.2 and OpenVPN for Android version 0.6.57. Keep the configuration file, basic-udp-server.conf
, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand. For the client, keep the configuration file, example9-10.ovpn
, from previous recipe at hand.
basic-udp-server.conf
server configuration file:script-security 2 client-connect /etc/openvpn/cookbook/example9-11.sh
example9-11-server.conf
. Next, create the connect script:#!/bin/bash # Redirect the default gateway for all Android clients if [ "x_${IV_PLAT}" = "x_android" ] then echo "push "redirect-gateway def1"" >> $1 fi
example9-11.sh
. Make sure that the script is executable and start the server:[root@server]# chmod 755 example9-11.sh [root@server]# openvpn --config example9-11-server.conf
10.200.0.1
, demonstrating that the traffic is redirected via the OpenVPN server.In the OpenVPN for Android configuration, we added the push-peer-info
option. This causes the OpenVPN client to send configuration details to the server. Starting with OpenVPN 2.4, these configuration details are available both inside plugins and scripts. The client-connect
script examines the environment variable, IV_PLAT
, and pushes a redirect-gateway
if an Android client is connecting.
The push-peer-info
option is available in all OpenVPN 2.3 clients. However, support on the server side to actually process this information was added in version 2.4. The following peer information is sent to the server:
IV_COMP_STUB=1, IV_COMP_STUBv2=1
: This indicates that the client supports compression stubs. It also means that the server can push compression options to the client.IV_GUI_VER=de.blinkt.openvpn_0.6.57
: This indicates the client GUI version. In this case, the OpenVPN for Android client version 0.6.57 was used.IV_HWADDR=00:00:00:00:00:00
: This indicates the client's Ethernet hardware address. On Android clients, this option is always 00:00:00
, but on other platforms the MAC address of the TUN/TAP adapter is transmitted.IV_LZ4=1, IV_LZ4v2=1, IV_LZO=1
: This indicates that the client supports LZ4, LZ4v2, and LZO compression.IV_NCP=2
: This indicates that the client supports encryption cipher negotiation. This allows the client and server to negotiate the most optimal compression and HMAC algorithms.IV_PLAT=android
: This indicates the client platform.IV_PROTO=2
: This indicates the version of the push-peer-info format. In the future, the format or set of variables sent to the server might change, which would warrant an increase in the version number.IV_RGI6=1
: This indicates that the client supports redirection of the IPv6 gateway address.IV_SSL=OpenSSL_1.0.2h__3_May_2016
: This indicates the SSL library and version that is used by the OpenVPN client. This could be important to determine whether a particular client is susceptible to a crypto library vulnerability.IV_VER=2.4_master
: This indicates the version of the OpenVPN software on the client.18.226.164.82