Friday, January 1, 2010

ah, technology....

So, Wednesday I got a Motorola Droid.  The theory being that, now that I'm working on things remotely connected to social networking, I should have a personal communications device capable of interacting with the Internet, whether that be web, Twitter, or whatever.  And this thing has a screen with enough resolution that it's actually pretty amazing.

And the main things I really wanted to do were get access to my internal web and mail servers.  Normally, this is done with OpenVPN, but an alternative would be to use client and server PKI certificates, which I'm also set up to handle.

How much has to be done to make the droid deal with this?  Let's see:

The simplest solution would be to load the thing up with client certificates and open my firewall using certificate-based authentication.  Can't be done.  First, I'm using a self-signed root certificate, and there's no facility to add a trusted one.   Solution?  Jailbreak the phone, get root, and update the cacerts.bks file.  Fortunately, they used the default password on the file, so I could do that.

Great, now the browser trusts my servers, but to ensure security now that I've opened my firewall up, I want the servers to authenticate the clients.  The Droid's browser and email infrastructure apparently won't send client certificates when servers request them.  I'm not sure what its certificate store actually does, then, because I *think* I successfully got one installed.  Something to look into, but for now certificate-based browsing is DOA.

Next thing is to let the device connect to my networks through a VPN.  The Droid supports a couple of VPN alternatives, which appear to be Microsoft-based.   OpenVPN isn't one of them, and that's what I'm configured to use.   So: Do I rebuild my firewalls with a non-OpenVPN solution that the Droid maybe will support, or do I try to get OpenVPN to work?

Like hell I'm going to screw with my firewalls.  OpenVPN it is.  Already jailbroke the phone, so now it's a matter of grabbing a copy of the tun kernel module from somebody, OpenVPN from somebody else, a couple of apps from Android Marketplace, and go.

So close: got the client on the Droid connected to the server on my firewall.  Except I use bridged OpenVPN so all my machines look like they're on the same subnet.  Very convenient, except the Droid doesn't have the bridge-utils package, it doesn't look like anybody ever made it, and even if they did this probably wouldn't work since the Droid has a PPP connection not an Ethernet one, so there's nothing to bridge to.

So, after having turned off routed support in OpenVPN in my iptables rules and DNS configuration, apparently I'm going to have to put it back.  It'll have to be a separate OpenVPN server, because again I'm not going to screw up the ones that already work in bridged mode.  But in theory it should be possible.

Not tonight, though.
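As an added illustration of the routed server the post ends on (example configuration, not the author's own), here is a second OpenVPN instance using a tun device that can run alongside an existing bridged tap server. The port, VPN subnet, LAN range, DNS address and certificate paths are assumptions.

```conf
# Second OpenVPN server instance in routed mode (dev tun), added so the
# existing bridged (dev tap / server-bridge) instance is left untouched.
# Assumed values: port 1195, VPN subnet 10.8.0.0/24, LAN 192.168.1.0/24,
# LAN DNS at 192.168.1.1, certificates under /etc/openvpn/.

port 1195                 # bridged instance keeps its own port (e.g. 1194)
proto udp
dev tun                   # tun, not tap: a PPP-only client has nothing to bridge

ca   /etc/openvpn/ca.crt  # the same private CA that signs the bridged server
cert /etc/openvpn/server-routed.crt
key  /etc/openvpn/server-routed.key
dh   /etc/openvpn/dh2048.pem

# Routed mode: clients get addresses from a dedicated subnet rather than
# appearing on the LAN directly; the firewall forwards between the two.
server 10.8.0.0 255.255.255.0
topology subnet

# Push the internal LAN route and the internal DNS server so the client
# can reach the web and mail hosts by name.
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"

# Mutual TLS: the client must present a certificate signed by the CA,
# and the server rejects peers whose certificate lacks the client EKU.
remote-cert-tls client
# HMAC on the control channel so packets from unknown peers are dropped
# before any TLS work is done (client side uses "tls-auth ta.key 1").
tls-auth /etc/openvpn/ta.key 0

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# Firewall side (assumed interface names): forwarding from the tun
# interface to the LAN must be re-enabled, e.g.
#   iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT
#   iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
```

The client profile on the phone differs from a bridged one only in `dev tun`, the new port, and the matching `tls-auth ta.key 1` line.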
