Connecting to OpenVPN running on OpenWrt from Android

I followed the OpenWrt instructions and installed OpenVPN on the latest OpenWrt 21.02.1

The client config and server conf files both have these lines at the top:

user nobody
group nogroup
dev tun
..
..

I installed the OpenVPN for Android app on my Android phone. When entering the client config file... am I supposed to comment out or delete the first two lines since there is no user called: nobody and no group called nogroup in my Android. At least I didn't see anything in /etc/group and /etc/passwd.

OK I actually got it to work by commenting out those lines but what am I missing out on by commenting them out? Is there a way to obtain the benefit of running as user "nobody" and group "nogroup" when connecting to OpenVPN server on OpenWrt from an Android phone?

Cheers,

Flex

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
Here is the user guide.

Thank you @flygarn12

I am using the OpenVPN for Android app on a Pixel4a that is not rooted. On the link you provided to the OpenVPN manual it states:

--user user Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session.

When I open Termux in the phone and try commands like ps, top, htop, pstree I am unable to see what user is running the OpenVPN for Android app process. Maybe that is because my phone is not rooted.

On the OpenVPN server side I run this command and get that result:

root@OPENWRT:~# ps | grep openvpn
10831 root      1228 S    grep openvpn
31966 root      5256 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openv

This just tells me that OpenVPN server is being run as the root user.

I wonder is there a way for me to check if the OpenVPN connection from my phone is being run as an unpriviledged user or as root user.

Cheers,

Flex

Do you have many users on your phone to begin with that doesn’t have “admin” privileges?

But it doesn’t really matter because the VPN tunnel doesn’t care about what happens in the client and server. And the client and server doesn’t care what happens in the tunnel.
It is three separate systems where the client and server send data to each other. The VPN service only manages the scrambling of the data between the client and server.

It feels that it is more of a phone support question than OpenVPN or OpenWRT question.

I asked the creator of the OpenVPN for Android app.

That app ignores the OpenVPN --user and --group options and it runs as an unpriviledged user which can be confirmed by installing Android Debug Bridge (ADB) on a computer to which the phone is attached via USB cable. Then run commands such as these:

# adb shell
sunfish:/ $ top | grep openvpn
20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
20901 shell        20   0  10G 2.8M 2.1M S  0.0   0.0   0:00.00 grep openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.23 de.blinkt.openvpn:openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.3   1.7   0:02.25 de.blinkt.openvpn:openvpn
19186 u0_a253      20   0  14G  96M  49M S  0.6   1.7   0:02.26 de.blinkt.openvpn:openvpn

So in my case the client connecting to the OpenVPN server has user id: u0_a253 and not root.

Cheers,

Flex

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.