IMPORTANT: at the time of writing there is no easy to use VPN software for the N9. The procedure below requires you to enable the Developer mode of the N9 and perform a series of relatively complicated procedures. While below method works well it’s by all means a “hack” and not recommended for the average user.
Before you begin
Due to security limitations on the N9, you need to use the VPN in hybrid routing mode when using GPRS or 3G. On WiFi both the hybrid routing mode and the full routing mode work well. When enabling hybrid routing mode be sure to add Google to your routing list.
First we add Elleo’s repository and use that to install OpenVPN and all its dependencies.
Do as root:
~ $ echo 'deb http://repo.pub.meego.com/home:/elleo/Harmattan/ ./' > /etc/apt/sources.list.d/elleo.list ~ $ apt-get update ~ $ apt-get install openvpn
We then upgrade to Jare’s version of OpenVPN which includes the manifest necessary to make things work with Harmattan’s Aegis security framework.
Do as root:
~ $ wget http://www.jlranta.com/stuff/openvpn_2.1.3-3harmattan1_armel_aegis.deb ~ $ dpkg -i openvpn_2.1.3-3harmattan1_armel_aegis.deb
If you do not have wget installed on your N9, you can download Jare’s file to your PC and copy it to the N9 from there.
Installing 12VPN configs
Next we’ll need to install the configuration file and security certificates from 12VPN.
Do as root:
- Go to https://12vpn.com/setup/expert-downloads/
- Download bundle.zip
- Download 1 (just 1, not more) config file. We downloaded the default config for Las Vegas.
- Rename the config file to vpn.conf and place it in /etc/openvpn/ on the N9.
- Copy combined.pem from bundle.zip to /etc/openvpn/ on the N9.
- Copy username.crt2.pem from bundle.zip to /etc/openvpn/ on the N9.
- Copy username.key2.pem from bundle.zip to /etc/openvpn/ on the N9.
- Copy ta.key from bundle.zip to /etc/openvpn/ on the N9.
If all went well, the contents of /etc/openvpn/ should look something like this:
~ $ ls -l /etc/openvpn total 20 -rw-r--r-- 1 root root 1331 Dec 8 21:35 combined.pem -rw-r--r-- 1 root root 1075 Dec 8 21:35 v123456.crt2.pem -rw-r--r-- 1 root root 888 Dec 8 21:35 v123456.key2.pem -rw-r--r-- 1 root root 254 Dec 9 06:02 vpn.conf -rwxr-xr-x 1 root root 1357 Jul 25 21:11 update-resolv-conf ~ $
Starting and stopping the VPN
Starting and stopping the VPN should be done as user. Do not do it as root, exit your devel-su if you are in one.
To start the VPN:
~ $ /etc/init.d/openvpn start Starting virtual private network daemon(s)... Autostarting VPN 'vpn':. ~ $
To stop the VPN:
~ $ /etc/init.d/openvpn stop Stopping virtual private network daemon(s)... Stopping VPN 'vpn':. ~ $
The VPN may take a few seconds to start. Depending on your network setup, starting the VPN will break your SSH connection to the N9. If the VPN is not connecting, please consult the /var/log/syslog file for errors.
Creating Start/Stop icons
Although the Developer mode provides a terminal it’s not the most convenient way to start and stop the VPN. Fortunately it’s quite easy to create some icons to start and stop the VPN.
First, you’ll need an icon to display. For simplicity we’ll use our website’s favicon: https://12vpn.com/wp-content/uploads/2010/10/12vpn-fav.png. Copy this file to /usr/share/icons/hicolor/64×64/apps/12vpn.png on the N9.
Now create the following two files, as root:
[Desktop Entry] Encoding=UTF-8 Version=1.0 Type=Application Terminal=false Name=12VPN ON Exec=/etc/init.d/openvpn restart Icon=/usr/share/icons/hicolor/64x64/apps/12vpn.png X-Window-Icon= X-HildonDesk-ShowInToolbar=true X-Osso-Type=application/x-executable
[Desktop Entry] Encoding=UTF-8 Version=1.0 Type=Application Terminal=false Name=12VPN OFF Exec=/etc/init.d/openvpn stop Icon=/usr/share/icons/hicolor/64x64/apps/12vpn.png X-Window-Icon= X-HildonDesk-ShowInToolbar=true X-Osso-Type=application/x-executable
Note that we use restart instead of start. This way we only have to tap the start icon when we need to stop and restart the VPN (e.g. after switching networks).
The newly created VPN icons should show up on the N9′s screen immediately. One to turn the VPN on, one to turn it off. Please note that when you tap one of the buttons, its title will dim for a few seconds as the command is executed. The connecting/disconnecting happens in the background. The dimming of the title does not reflect the connection status or the actually connecting to the VPN.
Please allow up to 30 seconds for a VPN connection to be established and up to 5 seconds for one to be shut down. Especially on GRPS things can take a while.
DNS poisoning (optional)
The N9 runs a local DNS cache to speed up your Internet experience. The down-side of this is that your N9 can suffer from DNS poisoning when used in China. DNS poisoning can render your VPN connection useless. To minimize the effects of DNS poisoning we have to tell dnscache to use a different DNS as well as flush the DNS cache after establishing the VPN connection.
Edit the contents of /etc/dbus-1/system.d/dnsmasq.conf by copy&pasting the section for root and making it a section for user. The result should look like this:
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <policy user="root"> <allow own="uk.org.thekelleys.dnsmasq"/> <allow send_destination="uk.org.thekelleys.dnsmasq"/> <allow send_interface="uk.org.thekelleys.dnsmasq"/> </policy> <policy user="user"> <allow own="uk.org.thekelleys.dnsmasq"/> <allow send_destination="uk.org.thekelleys.dnsmasq"/> <allow send_interface="uk.org.thekelleys.dnsmasq"/> </policy> <policy context="default"> <deny own="uk.org.thekelleys.dnsmasq"/> <deny send_destination="uk.org.thekelleys.dnsmasq"/> <deny send_interface="uk.org.thekelleys.dnsmasq"/> </policy> </busconfig>
Create a new file called /etc/openvpn/12vpn.sh with the following contents:
#!/bin/develsh /usr/bin/logger 12VPN DNS Set and flush /usr/bin/dbus-send --system --type=method_call --dest=uk.org.thekelleys.dnsmasq /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers \ uint32:134744072 string:twitter.com string:facebook.com string:fbcdn.net string:twttr.com string:youtube.com string:ytimg.com string:google.com string:1e100.net\ uint32:134743044 string:twitter.com string:facebook.com string:fbcdn.net string:twttr.com string:youtube.com string:ytimg.com string:google.com string:1e100.net\ uint32:134744072 uint32:134743044 /usr/bin/dbus-send --system --type=method_call --dest=uk.org.thekelleys.dnsmasq /uk/org/thekelleys/dnsmasq uk.org.thekelleys.ClearCache exit 0
Make this file executable using the chmod command:
~ # chmod +x /etc/openvpn/12vpn.sh ~ #
Finally, edit /etc/openvpn/vpn.conf and add the line:
Each time you connect the VPN the DNS cache will automatically be flushed.
You’ll notice that we specifically list some domains like twitter.com. This is because dnsmasq on the N9 will ALWAYS include the ISP’s DNS, even if we don’t want it. The only sure way to override the ISP’s DNS is to list the domain to dnsmasq explicitly.
If you want to be able to set&flush the DNS manually, without restarting the VPN, you can create another application icon. Create a file called /usr/share/applications/flushdns.desktop with the following content:
[Desktop Entry] Encoding=UTF-8 Version=1.0 Type=Application Terminal=false Name=Flush DNS Exec=/etc/openvpn/12vpn.sh Icon=/usr/share/icons/hicolor/64x64/apps/12vpn.png X-Window-Icon= X-HildonDesk-ShowInToolbar=true X-Osso-Type=application/x-executable
Tapping the Flush DNS icon will set the DNS using the script we created above as well as flush the DNS cache. This takes just a second or so.
The following things need to be improved:
- Automatically restart the VPN after switching between mobile and WiFi network.
- Improve feedback after tapping the icons.
Source 12VPN via @Gbraad