Connecting to OpenVPN running on OpenWrt from Android



  • OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
    library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
    

    I installed OpenVPN on the latest OpenWrt 21.02.1

    The client config and server conf files both have these lines at the top:

    user nobody
    group nogroup
    dev tun
    ..
    ..
    

    I installed the OpenVPN for Android app on my Android phone. When entering the client config file... am I supposed to comment out or delete the first two lines, since there is no user called nobody and no group called nogroup in my Android? At least I didn't see anything in /etc/group and /etc/passwd in the Android OS.

    I see in the https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html that the --user option lets you: "Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session."

    I can connect from the Android client to the OpenVPN server by commenting out those two lines, but is there a way to obtain the benefit of running as user "nobody" and group "nogroup", or some such unprivileged user, when connecting to the OpenVPN server on OpenWrt from an Android phone?

    From a Terminal on my phone's Android OS, if I do ls -l I can see the user and group of all files is u0_a252, so should I make a user and group of u0_a252 on the server running OpenVPN and then use that as the user and group in the client and server config files? My phone is not rooted, so I guess running as user u0_a252 will be the same thing as running OpenVPN unprivileged?

    Lastly do I NEED to define a user AND a group or is one or the other enough? The OpenVPN manual is a bit ambiguous on this point because it also states: "[if] you are dropping root privileges on the client with --user and/or --group.."

    Cheers,

    Flex



  • I asked the creator of the https://github.com/schwabe/ics-openvpn/discussions/1436 app.

    That app ignores the OpenVPN --user and --group options and it runs as an unprivileged user, which can be confirmed by installing Android Debug Bridge (ADB) on a computer to which the phone is attached via USB cable. Then run commands such as these:

    # adb shell
    sunfish:/ $ top | grep openvpn
    20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
    20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
    19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.23 de.blinkt.openvpn:openvpn
    19186 u0_a253      20   0  14G  96M  49M S  0.3   1.7   0:02.25 de.blinkt.openvpn:openvpn
    19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.26 de.blinkt.openvpn:openvpn

    So in my case the client connecting to the OpenVPN server has user id: u0_a253 and not root.

    Regarding my original question.... my understanding is that u0_a252 is the UID of the Terminal process.

    Cheers,

    Flex
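    The ADB check above can be scripted so it fails loudly if the client ever runs as root or as a system account instead of an app UID. This is an added example, not code from the thread or from the ics-openvpn project; it parses a constructed `ps` listing (the `adb shell ps -A -o USER,PID,NAME` command used to capture a live one is an assumption about the phone's toybox ps), and the `u<user>_a<app>` UID pattern is the standard Android app-account naming.

    ```bash
    #!/bin/sh
    # Constructed sample of `adb shell ps -A -o USER,PID,NAME` output (not captured
    # from a real phone); the openvpn line mirrors the process name in the thread.
    SAMPLE_PS='USER           PID NAME
    root             1 init
    root           423 vold
    u0_a253      19186 de.blinkt.openvpn:openvpn
    shell        20901 ps'

    # Print "USER PID NAME" for every process whose name contains "openvpn".
    # Usage: openvpn_processes "$(adb shell ps -A -o USER,PID,NAME)"
    openvpn_processes() {
        printf '%s\n' "$1" | awk 'NR > 1 && index($3, "openvpn") { print $1, $2, $3 }'
    }

    # Exit status: 0 if every openvpn process runs under an Android app UID
    # (u0_a253 style), 1 if any runs as root or another system account,
    # 2 if no openvpn process is running at all.
    check_unprivileged() {
        procs=$(openvpn_processes "$1")
        [ -n "$procs" ] || return 2
        printf '%s\n' "$procs" | awk '
            $1 !~ /^u[0-9]+_a[0-9]+$/ { bad = 1 }
            END { exit bad ? 1 : 0 }'
    }

    # Stand-alone run against the constructed sample.
    if check_unprivileged "$SAMPLE_PS"; then
        echo "OK: openvpn runs unprivileged"
    else
        echo "WARNING: openvpn missing or running with a privileged account (rc=$?)"
    fi
    ```
    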


