Hi,
Last week I received my Archos 101. In general it is great. Even better is this forum
I installed urukdroid (thanks to the project-team!). I tried to use openvpn but it failed and I am not sure about the reason.
The server-configuration is
...
ifconfig-pool 10.10.10.120 10.10.10.130
push "route 10.10.10.1"
route 10.10.10.0 255.255.255.0
ifconfig 10.10.10.1 255.255.255.0
push "route-gateway 10.10.10.1"
push "route 10.10.10.0 255.255.255.0"
...
As the Archos is the only device it would get IP 10.10.10.120.
BUT: ifconfig shows:
inet addr.: 10.10.10.255 Bcast: 10.255.255.255 Mask 255.0.0.0
That did (and cannot) work. No ping to home network possible.
When I called route it looked fine (I used redirect-gateway).
When I send the command
ifconfig tap0 10.10.10.120 broadcast 10.10.10.1 netmask 255.255.255.0
from Archos Terminal I had at least access to my home network. But all route entries are gone.
Who has an idea what I am doing wrong? I checked it in the last day again and again... If there is no solution: is it possible to 'save' the entries from route and restore it after my manual change of ifconfig? I would like to do it via script, as my home network I only reachable via dyndns.
Thanks and best regards!
I used the OpenVPN Howto Quickstart and had no problems.
macemoneta said:
I used the OpenVPN Howto Quickstart and had no problems.
Click to expand...
Click to collapse
Yes, I know the guide. I did the same with my ubuntu-netbook and it works directly.
And I think, it would work also on the Archos, if the openvpn/ifconfig on Archos accept the 10.10.10.120. But the IP is changed to 10.10.10.255 and that did not fit.
Where the h*** did the 255 instead of 120 come from?
I noticed the same problem...
No idea where it comes from, but as a workaround, you can put a script somewhere containing a suitable "ip addr add x.x.x.x/y dev z" statement, and reference that in the .conf file as "up scriptname".
Note that you need to add "--script-security 2" to the openvpn commandline to make that work. I added that to the OPENVPN_CFG variable in /etc/uruk.conf/openvpn.
regards
Patrick
This is the openvpn configuration I use for my Archos 101 (on the server). I'm not having any problems, using openvpn 2.1.1:
Code:
port 1194
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/[COLOR="Blue"]<my host>[/COLOR].crt
key /etc/openvpn/keys/[COLOR="blue"]<my host>[/COLOR].key
dh /etc/openvpn/keys/dh1024.pem
mode server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.4 10.8.0.255
push "route 10.8.0.1 255.255.255.255"
client-config-dir ccd
push "redirect-gateway def1"
push "dhcp-option DOMAIN [COLOR="Blue"]<my domain>[/COLOR]"
push "dhcp-option DNS [COLOR="blue"]<my dns server>[/COLOR]"
keepalive 10 60
inactive 3600
route 10.8.0.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
verb 4
I examined the situation a bit further.
The problem comes from the ifconfig command that openvpn calls itself:
Code:
/system/bin/ifconfig myvpn \
192.168.x.41 \
netmask 255.255.255.0 \
mtu 1500 \
broadcast 192.168.x.255
This is only used when tap interfaces are involved, which is the case in my setup, but not in the setup macemoneta is showing. caesar68: do you also use tap interfaces?
I can reproduce the problem by just using that ifconfig command again.
When I list the IP-address-to-set as the last argument, instead, it works, i.e.
Code:
/system/bin/ifconfig myvpn \
netmask 255.255.255.0 \
mtu 1500 \
broadcast 192.168.x.255 \
192.168.x.41
A quick scanning of the openvpn manpage, does not suggest a way to override the ifconfig command that is used, but it does give an option --ifconfig-noexec which suppresses its calling.
Unfortuntely, when I just pack the is-working-after-the-interface-is-up ifconfig command into an up script with this option, it just gives me an error SIOCSIFNETMASK (Cannot assign requested address) - even if the same commandline works when I run it over an already upped interface... Probably because the interface then already had an IP address...
No problem, though, ifconfig is obsolete anyway, let us just use ip link and ip addr, which are fortunately available under Uruk.
So, caesar68, the clean solution would be to have
--script-security 2 on the openvpn commandline, e.g. via OPENVPN_CFG in /etc/uruk.conf/openvpn
in your myvpn.conf file:
Code:
ifconfig-noexec
up-delay
up-restart
up /etc/openvpn/myvpn-on-up
a corresponding script /etc/openvpn/myvpn-on-up, executable, with content
Code:
#! /system/bin/sh
ip link set $dev mtu $tun_mtu up
ip addr add $ifconfig_local/$ifconfig_netmask \
broadcast $ifconfig_broadcast \
dev $dev
Works For Me
Thanks for the explanation and the workaround, brian_o'fish. Why are you using tap though? Tap provides an Ethernet bridge, so you'll be transporting packets that really don't need to be sent to your Archos (reducing available bandwidth). Tun is layer 3 routed, so only traffic destined for either endpoint goes over the VPN connection.
macemoneta said:
Why are you using tap though?
Click to expand...
Click to collapse
That's what the server I'm using, is configured to do, as it provides transparant bridged LAN access via VPN, and that is what I want, as I am the admin of said LAN and VPN.
If the low level of broadcasts we have, ever increases or appears to be a problem to me, I'll set up an additional tun server, but for now it is simply not an issue.
Anyway, good hint in general!
Hi all!
Thanks a lot for your comments. Yes I am using tap. I would like to have access to my home network (storage etc.). Therefore I want to use the brigde functionality. And that works only when I changed the ifconfig manually afterwards. But the route is distroyed then and packages to the internet are not routed secure thru my home-network.
@ brian_o'fish: Thanks for the advise. I will try that the next days. In the moment I am happy to read, that I am not the only one with the problem (and maybe to stupid to use openvpn - but on the netbook it works).
I have never worked with tun. Maybe I could check, if that is also a workaround.
I will keep you informed, but I am on a trip the next days.
Thanks again!
*** Update ***:
I didn't work neither with tap nor with tun. Meanwhile I tried to run VPNC. I had some trouble, but it works now.
caesar68 said:
I didn't work neither with tap nor with tun.
Click to expand...
Click to collapse
Did you try the approach I described with tap, and can tell where / how it failed?
As seen when I type with wifi tethering enabled
iptables -L -t nat -v
the MASQUERADE line is like "-o pdp0 -i any", this means that packets are matched only when they exit via the mobile network.
However, the line should be more like "-i softap0 ! -o softap0". The MASQUERADE line should match packets that enter via the wifi access point, and leave via any other interface. (But see below, -i doesn't work, must use -s)
I found this while trying to use openvpn. When openvpn is running, the android device has complete access to the vpn according to my tests. The laptop associated with the AP can access the internet, the android device, but not the network behind the VPN connection. I can find no reason for this other than the MASQUERADE line. The routing table, sysctl *.forward etc. are all looking fine.
With this MASQUERADE line, it cannot possibly work, because when the unmasqueraded softap0 packets go down the tun0 interface, no machine knows where to route the reply packets.
This is on Android 2.3, Samsung galaxytab stock firmware. I'll investigate further.
Update:
when I stop tethering, the MASQUERADE rule goes away. This proves it's indeed controlled by tethering.
I tried it on Android 4.0, Sony Xperia pro, Cyanogenmod 9 ---> same thing
I can understand that noone ever thinks about making a MASQUERADE line with "-i interface", but it seems actually the right thing to me. (Must use -s addr/mask instead) I'm doing this on a laptop with lots of virtual machines connected to an internal network. This must be masqueraded for outgoing packets, no matter what interface it goes out (wlan0, eth0, openvpn etc.)
Update:
-i interface doesn't work in POSTROUTING. So the line should be "-s address_range_of_softap ! -o interface".
This complicates matters for a workaround. I'm planning to schedule a script at boot time, but I don't know how to (correctly) find the softap address when it's not running.
Update:
I tried tethering and replaced the iptables rule with "-s address_range_of_softap ! -o softap0" instead of just "-o pdp0". This still works to route/masquerade traffic to the internet, but doesn't work vor tun0 (openvpn). I don't know why. No packets/bytes go through it (counter doesn't increase) when pinging the other side of the vpn.
We have an application that needs to connect to a GoPro private Wifi network (non-routable), and at the same time, connect to the Internet over cellular.
On Android 4.4.4 and earlier, we were able to achieve this with a rooted device, and then execution of these commands:
svc wifi disable
svc data enable
insmod /system/lib/modules/wlan.ko
netcfg wlan0 up
wpa_supplicant -B -Dnl80211 -iwlan0 -c/data/misc/wifi/wpa_supplicant.conf
dhcpcd wlan0
On the Moto E 4G (XT1527), rooted and running Lollipop, these commands no longer work -- dhcpcd seems to get stuck and never finishes running.
Does anyone know of an alternate method of bringing both networks up?
Or, does anyone know if it's possible to downgrade the XT1527 back to Android 4.4.4?
Thank you!
Hi Guys,
I am stumped on this. I am trying to build in WiFi support for a Freescale IMX6 board running Android 4.2.2 via a RALINK USB WiFi Module. I was able to build the RALINK drivers from my kernel source and the device loads up just fine. I can bring the adpater "up" in netcfg and I can use the iwlist binary to see access points near me.
However, I cannot get Settings.apk to bring up the adapter. When I go to turn WiFi on, logcat shows the following:
E/WifiStateMachine( 2879): Failed to load driver!
E/WifiStateMachine( 2879): DriverFailedState
I can get WPA_SUPPLICANT started manually by running the following command:
wpa_supplicant -dd -Dnl80211 -iwlan0 -c /data/misc/wifi/wpa_supplicant.conf
where /data/misc/wifi/wpa_supplicant has only two lines:
ctrl_interface=wlan0
update_config=1
I also set the following the props just to be sure:
setprop wifi.interface wlan0
setprop wlan.driver.status "ok"
I am stumped, because I am loading the driver manually first, I do not want wpa_supplicant or settings (whatever method it uses) to load any driver. I have rebuild WPA_SUPPLICANT binary with what I think are the correct board settings, but I always get the same error.
Can anyone help?
Since WifiStateMachine is giving the error, do I need to recompile and replace the Java framework on the device?
Is this a sign of WPA_SUPPLICANT not being built correctly?
Is there some other component I am missing??
Thank you!!!
Hi Guys,
I am stumped on this. I am trying to build in WiFi support for a Freescale IMX6 board running Android 4.2.2 via a RALINK USB WiFi Module. I was able to build the RALINK drivers from my kernel source and the device loads up just fine. I can bring the adpater "up" in netcfg and I can use the iwlist binary to see access points near me.
However, I cannot get Settings.apk to bring up the adapter. When I go to turn WiFi on, logcat shows the following:
E/WifiStateMachine( 2879): Failed to load driver!
E/WifiStateMachine( 2879): DriverFailedState
I can get WPA_SUPPLICANT started manually by running the following command:
wpa_supplicant -dd -Dnl80211 -iwlan0 -c /data/misc/wifi/wpa_supplicant.conf
where /data/misc/wifi/wpa_supplicant has only two lines:
ctrl_interface=wlan0
update_config=1
I also set the following the props just to be sure:
setprop wifi.interface wlan0
setprop wlan.driver.status "ok"
I am stumped, because I am loading the driver manually first, I do not want wpa_supplicant or settings (whatever method it uses) to load any driver. I have rebuild WPA_SUPPLICANT binary with what I think are the correct board settings, but I always get the same error.
Can anyone help?
Since WifiStateMachine is giving the error, do I need to recompile and replace the Java framework on the device?
Is this a sign of WPA_SUPPLICANT not being built correctly?
Is there some other component I am missing??
Thank you!!!
Anyone?