Push-peer-info - pushing options to Android clients

This recipe is a continuation of the previous recipe. When integrating mobile clients into an existing OpenVPN setup, it is often necessary to treat these mobile clients differently from the regular OpenVPN clients. In some cases, it will be necessary to redirect all traffic for mobile clients over the VPN tunnel or a different encryption scheme needs to be used to optimize the OpenVPN app on the Android device. In this recipe, we will demonstrate how to push an option to an Android client, while leaving the options for all other clients unchanged.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4. The client device was running Android 4.2 and OpenVPN for Android version 0.6.57. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2Client-server IP-only Networks at hand. For the client, keep the configuration file, example9-10.ovpn, from previous recipe at hand.

How to do it...

  1. Append the following lines to the basic-udp-server.conf server configuration file:
            script-security 2 
            client-connect    /etc/openvpn/cookbook/example9-11.sh 
    
  2. Save it as example9-11-server.conf. Next, create the connect script:
            #!/bin/bash 
     
            # Redirect the default gateway for all Android clients 
            if [ "x_${IV_PLAT}" = "x_android" ] 
            then 
                echo "push "redirect-gateway def1"" >> $1 
            fi 
    
  3. Save this file as example9-11.sh. Make sure that the script is executable and start the server:
    [root@server]# chmod 755 example9-11.sh
    [root@server]# openvpn --config example9-11-server.conf
    
  4. Start the OpenVPN for Android app and establish the VPN connection.
  5. After the connection has been established, use another app, such as Fing, to ensure that all traffic is redirected via the OpenVPN tunnel:
    How to do it...
  6. The first address in the traceroute output is 10.200.0.1, demonstrating that the traffic is redirected via the OpenVPN server.

How it works...

In the OpenVPN for Android configuration, we added the push-peer-info option. This causes the OpenVPN client to send configuration details to the server. Starting with OpenVPN 2.4, these configuration details are available both inside plugins and scripts. The client-connect script examines the environment variable, IV_PLAT, and pushes a redirect-gateway if an Android client is connecting.

There's more...

The push-peer-info option is available in all OpenVPN 2.3 clients. However, support on the server side to actually process this information was added in version 2.4. The following peer information is sent to the server:

  • IV_COMP_STUB=1, IV_COMP_STUBv2=1: This indicates that the client supports compression stubs. It also means that the server can push compression options to the client.
  • IV_GUI_VER=de.blinkt.openvpn_0.6.57: This indicates the client GUI version. In this case, the OpenVPN for Android client version 0.6.57 was used.
  • IV_HWADDR=00:00:00:00:00:00: This indicates the client's Ethernet hardware address. On Android clients, this option is always 00:00:00, but on other platforms the MAC address of the TUN/TAP adapter is transmitted.
  • IV_LZ4=1, IV_LZ4v2=1, IV_LZO=1: This indicates that the client supports LZ4, LZ4v2, and LZO compression.
  • IV_NCP=2: This indicates that the client supports encryption cipher negotiation. This allows the client and server to negotiate the most optimal compression and HMAC algorithms.
  • IV_PLAT=android: This indicates the client platform.
  • IV_PROTO=2: This indicates the version of the push-peer-info format. In the future, the format or set of variables sent to the server might change, which would warrant an increase in the version number.
  • IV_RGI6=1: This indicates that the client supports redirection of the IPv6 gateway address.
  • IV_SSL=OpenSSL_1.0.2h__3_May_2016: This indicates the SSL library and version that is used by the OpenVPN client. This could be important to determine whether a particular client is susceptible to a crypto library vulnerability.
  • IV_VER=2.4_master: This indicates the version of the OpenVPN software on the client.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.226.164.82