How to set up a VPN server for Android Clients
Having problems connecting your Android device to a VPN server? In this how-to, we intend to cover server configurations that are known to work with Android clients.
You probably also need to configure firewalls and routing in order for the server to work as you intend. That is not covered here.
This page is far from complete, and when time permits new configurations will be added.
Questions or comments are most easily communicated by email (see the contact page).
PPTP is probably still the most popular VPN type. It is frequently, and successfully, used with Windows servers.
The following describes how to set up a PPTP server on Linux that has been verified to work with Android clients.
Update: The weirdness continues. Now the encryption problem has returned. Confusing. I must have done something, but I have no idea what. As far as I can tell nothing has changed, but it nevertheless ain't working.
Update: As of Android 2.3.3 there is no need to disable either encryption or compression. The connection works fine with 128-bit MPPE and everything else at its default.
Update: Since the time of writing, this configuration has stopped working. It was working on Android 2.2.1 and stopped working on Android 2.2.2. It now only works if encryption is disabled, i.e. by removing the mppe options.
This was done on Ubuntu 10.04; please modify according to your specific Linux distribution.
Install the pptp server daemon:
sudo apt-get install pptpd
Edit the file /etc/pptpd.conf according to your requirements.
Edit the file /etc/ppp/pptp-options, and be sure to enable 128-bit stateless MPPE and disable BSD compression. The following is a sample file for reference:
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# MPPE should be stateless
nomppe-stateful
# Debian: do not replace the default route
nodefaultroute
# Logging
debug
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
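As an added check (not part of this page or of pptpd), the following Python snippet parses a pppd options file the way pppd reads it (whitespace-separated tokens, `#` to end of line is a comment) and reports which of the options the server needs for Android clients are missing, and which known pppd options weaken the tunnel. The option names are pppd's; the sample file contents are constructed, including a variant with the mppe options removed as described in the update above.

```python
"""Audit a pppd options file for the settings this PPTP how-to relies on."""

# Options the how-to requires for Android clients (pppd option names).
REQUIRED = {
    "require-mschap-v2": "MS-CHAPv2 authentication (needed for MPPE)",
    "require-mppe-128": "128-bit MPPE encryption",
    "nomppe-stateful": "stateless MPPE",
    "nobsdcomp": "BSD compression disabled",
}

# pppd options that weaken the tunnel if present.
RISKY = {
    "noauth": "peer is not required to authenticate",
    "require-mppe-40": "40-bit MPPE is accepted",
    "nomppe": "MPPE encryption disabled entirely",
}


def parse_options(text):
    """Return the set of tokens in a pppd options file.

    Comments run from '#' to end of line; remaining text is split on
    whitespace, so option arguments (e.g. 'pptpd' after 'name') are
    tokens too. Quoted arguments are not specially handled here."""
    tokens = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.update(line.split())
    return tokens


def audit(text):
    """Return (missing_required, risky_present) for an options file."""
    opts = parse_options(text)
    missing = [name for name in REQUIRED if name not in opts]
    risky = [name for name in RISKY if name in opts]
    return missing, risky


# Constructed sample: the hardened file from the how-to, abbreviated.
HARDENED = "name pptpd\nrequire-mschap-v2\nrequire-mppe-128  # 128-bit\n" \
           "nomppe-stateful\nnodefaultroute\nlock\nnobsdcomp\n"
# Constructed sample: mppe options removed so Android 2.2.2 connects,
# which leaves the tunnel unencrypted.
NO_MPPE = "name pptpd\nrequire-mschap-v2\nnodefaultroute\nlock\nnobsdcomp\n"

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("no-mppe", NO_MPPE)):
        missing, risky = audit(cfg)
        print(label, "missing:", missing, "risky:", risky)
```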
On Windows, I have only tested a simple setup to a local Windows Vista machine, following this guide:
This worked without a problem, but it is probably only useful for those of you who want to connect to a home network. The server on Vista only allows 1 connection at a time. For offices where several users are connecting, I suppose a Windows Server of some kind is necessary. I use a VPN to a Windows Server from time to time, but I have not set it up and don't have the details. It works fine; however, it was possibly necessary to disable compression on the server side.
L2TP is probably the simplest VPN server type to set up, at least on Linux. Note, however, that L2TP on its own only provides user authentication; it does not encrypt the data passed through the tunnel. This is OK as long as the data you want to transfer isn't sensitive, or some other protocol is used in addition for encryption.
On Linux (more specifically Ubuntu 9.10 and higher) I've tested both xl2tpd and l2tpns. Both are easily configured, and no special consideration is needed for Android clients.
L2tpns requires a RADIUS server for authentication. If you don't have a RADIUS server, and expect to have only a few users, and a single VPN server, then xl2tpd should be easiest. If you have many users/VPN servers, then you should consider l2tpns with, for instance, FreeRADIUS.
L2TP/IPSec with certificates (L2TP/IPSec CRT) is by far the most secure and flexible VPN solution available on Android. It is also fairly complex to set up. L2TP is responsible for the tunneling and user authentication; IPSec is used as the underlying protocol, which encrypts the data and uses certificates to authenticate the peers.
UPDATE: As of Android 2.3, Gingerbread, the issue with certificate IDs has been fixed. Using Android L2TP/IPSec CRT to connect to a Linux server now works flawlessly. We have yet to test whether the fix has been applied in earlier versions of Android as well.
Unfortunately it seems that there's currently an issue on Android which makes L2TP/IPSec CRT rather useless at the moment, at least if you want to connect to an OpenSWAN or StrongSWAN server, which is what I tried. The issue has been fixed in the Android source code (apparently), but it is not clear to me at the moment when it will find its way into an official release.
I did manage to configure a working l2tpns with OpenSWAN using certificates, but it only works for a specific IP address.
As far as I have concluded, the only way to make it work is by specifying, as part of the client certificate, the IP address the client has. The problem is that the client is a mobile device which changes IP address constantly. It would therefore require a separate certificate for every IP address the device gets assigned, so this would be a nightmare to set up.
From a quick look into the Android source code, it seems that the issue has been fixed (at least there's a recent comment saying that it now sends the CN as ID instead of the IP). It hasn't been fixed on any device I've tried so far, however, but as soon as I can confirm that it is working I'll add more details on how to set it up.
I haven't tried this myself, but there is a rather detailed description on how to configure a Cisco ASA for L2TP/IPSec with CRT and get it working with Android. Here's a link
For L2TP/IPSec with a pre-shared key (PSK), there's unfortunately no direct support in 1 VPN for pre-shared keys or secrets, so this type of VPN must be configured in the Android VPN Settings. You can use 1 VPN to save the password, but once you click connect in 1 VPN, you get redirected to the Android VPN settings, where you must paste the password manually into the password field and then click connect again. While this is still better than having to type the password each time, it is not as convenient as a 1-click connect.
The upside is that the PSK variant of L2TP over IPSec actually works, at least when connecting to a Linux server running l2tpns and OpenSWAN.
Using OpenSWAN and l2tpns on Ubuntu it's fairly straightforward to set this up. I used the example configuration l2tp-psk.conf provided in /etc/ipsec.d/examples/. Just make sure that you have:
If you leave it as:
you will likely see errors in the l2tpns log such as: Out of sequence tunnel ...