Connect to UCS with OpenVPN from mobile devices (Android) : Solution

Sometimes I also need access to my local network from outside using my mobile phone. In the past I used a Netgear router with OpenVPN behind my router.

A few weeks ago I installed the app OpenVPN Server from the Univention app store. After I was successful with my Windows client, I also wanted to use the OpenVPN Client on my mobile device, downloaded from the Google Play Store.

Before using the ovpn file I had to make some changes by adding all certificates into the ovpn file:

1. As a first step, I copied the file win-ucs.ovpn to android.ovpn:

# windows client config for server ucs

client
dev tun
proto udp
remote my-ucs-domain.de 1194
verify-x509-name ucs name-prefix
resolv-retry infinite
nobind
persist-key
persist-tun
ca CAcert.pem
cert cert.pem
key private.key
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass

2. After the last line I added the certificates by copying the contents of the certificate files in the order

  • CAcert.pem
  • cert.pem
  • private.key

    and wrapped each of them in <ca> … </ca>, <cert> … </cert> and <key> … </key> respectively, as shown below.
    Then I removed the references to those files from the ovpn file by commenting them out:
# ca CAcert.pem
# cert cert.pem
# key private.key

3. Finally, the android.ovpn looks like this:

# Android client config for server ucs

client
dev tun
proto udp
remote my-ucs-domain.de 1194
verify-x509-name ucs name-prefix
resolv-retry infinite
nobind
persist-key
persist-tun
#ca CAcert.pem
#cert cert.pem
#key private.key
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
MIIFsTCCBJmgAwIBAgIJAKW7fh1VR6IpMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
...
9eOGtVOFAAJ2J8hMFDiGBrtestu/
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=DE, L=DE, O=my-ucs-domain, OU=Univention Corporate Server, CN=Univention Corporate Server Root CA (ID=JRxxoNmt)/emailAddress=ssl@my-ucs-domain.de
        Validity
            Not Before: Dec 14 15:01:17 2020 GMT
            Not After : Dec 13 15:01:17 2025 GMT
        Subject: C=DE, ST=DE, L=DE, O=my-ucs-domain, OU=Univention Corporate Server, CN=myname.openvpn/emailAddress=ssl@my-ucs-domain.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:48:f6:07:a4:ab:19:73:29:6c:8f:31:7e:d7:
                     ...
                    2e:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                :XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
            X509v3 Authority Key Identifier: 
                keyid:XX:XX:XX::XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
                DirName:/C=DE/ST=DE/L=DE/O=myDomain/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=JRxxoNmt)/emailAddress=ssl@my-ucs-domain.de
                serial:XX:XX:XX:XX:XX:XX:XX:X

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:moni.openvpn, DNS:moni
    Signature Algorithm: sha256WithRSAEncryption
         30:89:87:b7:69:3d:31:d0:41:69:0d:19:b0:8b:02:48:72:04:
         ...
         9c:40:0a:fa
-----BEGIN CERTIFICATE-----
MIIFGjCCBAKgAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMCREUx
...
2cZhRlDuAKXHgJxACvo=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuUj2B6SrGXMpbI8xfteEVpUfjzmxR3XgDD5hvzlfeftGe9td
....
xgfLD37cYtVCto8Ppr8E8kcCXPWVALouQHb89SD5mZvyNELelJ9G
-----END RSA PRIVATE KEY-----
</key>

4. As the next step, I copied the android.ovpn file to my mobile phone and imported it into the OpenVPN Client app. During the import, type in your login name but do not store the password, for security reasons.

5. Connect and type in the password; you will be connected within a few seconds.

Good luck!

(this posting may be used for knowledge base, if helpful)
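As an added example (not from the post above and not Univention or OpenVPN code): a small Python script that performs steps 1 to 3 automatically, commenting out the ca/cert/key file directives and appending the three inline sections. It keeps only the PEM-armoured blocks, so the openssl text dump that sits in front of the certificate in the post's profile is dropped rather than inlined (OpenVPN tolerates that preamble, but the client only needs the armour). The profile text, the PEM contents and the file name android.ovpn in the script are constructed placeholders, and inline_ovpn, profile_is_consistent and write_profile are names chosen for this example, not OpenVPN or UCS APIs.

```python
import os
import re

# Added example, not from the post: builds an android.ovpn with the CA, client
# certificate and private key inlined, the way the post does by hand.
# All file names and sample contents below are constructed placeholders.

# One PEM-armoured block, e.g. CERTIFICATE or RSA PRIVATE KEY. Matching only
# these drops the human-readable "openssl x509 -text" dump that some tools
# place in front of the certificate.
PEM_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]+-----\r?\n.*?\r?\n-----END [A-Z ]+-----", re.DOTALL
)

# Directives that point at external files and are replaced by inline sections.
FILE_DIRECTIVES = ("ca", "cert", "key")

# Constructed sample input: the post's Windows profile and placeholder PEM
# material (not real keys). SAMPLE_CERT carries a text dump before the PEM.
SAMPLE_CONFIG = """# windows client config for server ucs
client
dev tun
proto udp
remote my-ucs-domain.de 1194
verify-x509-name ucs name-prefix
resolv-retry infinite
nobind
persist-key
persist-tun
ca CAcert.pem
cert cert.pem
key private.key
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass
"""
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0FQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\nQ0VSVFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"


def extract_pem_blocks(text):
    """Return only the PEM blocks in text; anything outside them is discarded."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found")
    return "\n".join(blocks)


def comment_out_file_directives(config_text):
    """Prefix 'ca', 'cert' and 'key' lines with '#'; leave all other lines alone."""
    out = []
    for line in config_text.splitlines():
        first = line.split(None, 1)[:1]
        out.append("#" + line if first and first[0] in FILE_DIRECTIVES else line)
    return "\n".join(out)


def inline_ovpn(config_text, ca_text, cert_text, key_text):
    """Build a single-file profile: the edited config followed by <ca>, <cert>, <key>."""
    parts = [comment_out_file_directives(config_text).rstrip("\n"), ""]
    for tag, text in (("ca", ca_text), ("cert", cert_text), ("key", key_text)):
        parts += ["<%s>" % tag, extract_pem_blocks(text), "</%s>" % tag]
    return "\n".join(parts) + "\n"


def profile_is_consistent(profile):
    """Check the profile before copying it to the phone: no file directives left,
    exactly one <ca>, <cert> and <key> section each, each containing only PEM."""
    lines = profile.splitlines()
    for tag in FILE_DIRECTIVES:
        if any(l.split(None, 1)[:1] == [tag] for l in lines):
            return False  # an uncommented 'ca/cert/key <file>' line survived
        opens = [i for i, l in enumerate(lines) if l == "<%s>" % tag]
        closes = [i for i, l in enumerate(lines) if l == "</%s>" % tag]
        if len(opens) != 1 or len(closes) != 1 or closes[0] <= opens[0] + 1:
            return False
        inner = lines[opens[0] + 1:closes[0]]
        if not inner[0].startswith("-----BEGIN ") or not inner[-1].startswith("-----END "):
            return False
    return True


def write_profile(path, content):
    """Write the profile with mode 0600: it now contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # the O_CREAT mode is masked by umask; enforce it
    return path


if __name__ == "__main__":
    profile = inline_ovpn(SAMPLE_CONFIG, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY)
    assert profile_is_consistent(profile)
    print(write_profile("android.ovpn", profile))
```

Replace the placeholder strings with the contents of the real CAcert.pem, cert.pem and private.key before running it. The resulting android.ovpn contains the private key, which is why it is written with mode 0600; transfer it to the phone over a channel you trust and delete it from any intermediate location afterwards. Not saving the password in the app, as step 4 advises, keeps the user password as a factor separate from the key that now lives in the file.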
