SigmaVPN Android Setup

Date: 2015-03-01

A short guide to setting up SigmaVPN for Android. SigmaVPN for Android requires the peer to be running SigmaVPN or QuickTun. This guide uses SigmaVPN for Android v0.27 (2013-06-05) and SigmaVPN commit c05cccfa2277a6c186e62e6cb85bd9fedcf3bbcd on 2014-06-18.

A TUN/TAP interface provides either a virtual TUNnel for IP packets or a virtual network TAP for Ethernet frames. SigmaVPN for Android supports only the TUN interface.

A TUN device needs to be configured with a network range. SigmaVPN requires a separate TUN device for each peer Android device. Since each tunnel is a point-to-point arrangement, we will create a /30 network for each peer Android device. Let's use the private range 172.30.172.0/30 for the first TUN device. We'll assign 172.30.172.1 to the TUN device on the SigmaVPN host, and 172.30.172.2 to the TUN device created by SigmaVPN for Android.

Bare-bone Setup

SigmaVPN host setup:
# Generate keys for the SigmaVPN host.
$ naclkeypair
PRIVATE KEY: 55467491bb51b6166add9c22c560a6a0ce0ca8836aab29db5d6fd3abd56eec2b 
PUBLIC KEY: fce78ab3177a6541713ab826e735521f2764a450dc168b7a0c30107a3e04f45b 

# Creates the tun device.
$ ip tuntap add dev tun0 mode tun
$ ip addr add 172.30.172.1/30 dev tun0
# Let's not introduce unnecessary fragmentation.
$ ip link set dev tun0 mtu 1400 
# Activate the interface.
$ ip link set dev tun0 up

$ cat > /etc/sigmavpn.conf << 'EOF'
# Comments are allowed
[firstandroiddevicename]
# Don't use nacl0 which is not secure.
proto = nacltai
# Remote's public key, get this from SigmaVPN for Android side.
proto_publickey = 8fa2b21bc9b7188067b75255232d571de254cba2dc7a960312db754842f4c72a
# Local's private key, this will be the PRIVATE KEY from the earlier naclkeypair invocation.
proto_privatekey = 55467491bb51b6166add9c22c560a6a0ce0ca8836aab29db5d6fd3abd56eec2b
local = tuntap
local_interface = tun0
# Tell SigmaVPN that tun0 is a tun device since in Linux the TUN device can be named anything.
local_tunmode = 1
# SigmaVPN for Android requires protocol info to be disabled.
local_protocolinfo = 0
peer = udp
# The address of SigmaVPN for Android device will be changing constantly.
peer_remotefloat = 1
# Where SigmaVPN should be listening for UDP. Typically this will be the address of the Internet-bound network interface.
peer_localaddr = 10.0.0.1
# Choose whatever port, SigmaVPN does not have a default port number.
peer_localport = 5678
EOF

$ sigmavpn -c /etc/sigmavpn.conf
SigmaVPN.
Copyright (c) 2011 Neil Alexander T. All rights reserved.
Using configuration file '/etc/sigmavpn.conf'
firstandroiddevicename: Session active
Remote endpoint is now 1.2.3.4:5977

SigmaVPN for Android setup:
  • Tunnel/Remote Address & Port: the Internet address of the SigmaVPN host.
  • Tunnel/Remote Public Key: the SigmaVPN host's public key for this device.
  • Tunnel/Use TAI64 nonce: always enable this.
  • Network/Tunnel Address Prefix: 172.30.172.2/30
  • Network/Static Route: what ranges should be routed through the VPN. If not specified, only 172.30.172.0/30 will be.
  • Network/DNS Servers: if not specified, will use the DNS server  
At this point, you should be able to ping 172.30.172.1 from the Android device, and 172.30.172.2 from the SigmaVPN host.

Internet Access for the Android Device

Additional setup is needed if you want the Android device to access the Internet through the SigmaVPN host.

On the SigmaVPN host (assuming Linux):
# Enable IP forwarding.
sysctl -w net.ipv4.ip_forward=1
# Masquerade traffic from VPN to the Internet, assuming eth0 is the Internet-bound network interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow established traffic to be forwarded.
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow traffic initiated from VPN to access the world.
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

SigmaVPN for Android setup:
  • Network/Static Route: 0.0.0.0/0
  • Network/DNS Servers: get it from /etc/resolv.conf on the SigmaVPN host

A Second Android Device

  • New keys for the SigmaVPN host. You can use the same one but if you lose an Android device, you'll have to change the keys for all the others.
  • A new TUN device with a different range, let's say 172.30.172.4/30.
  • The TUN address on the SigmaVPN host is 172.30.172.5/30.
  • SigmaVPN on the host must listen on a different port.
  • SigmaVPN for Android's Network/Tunnel Address Prefix: 172.30.172.6/30.
  • If you want the second Android device to access Internet:
    iptables -A FORWARD -i tun1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
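The per-peer addressing above (one /30 per Android device, the host on the first usable address and the device on the second) and the per-peer host setup (TUN device, config section, listening port, FORWARD rule) follow a fixed pattern, so here is a small shell script that derives them from a peer index. This is an added example, not part of the original guide or the SigmaVPN project. It assumes peers are numbered from 0 within the 172.30.172.0/24 range, that peer N uses tunN, and that peer N listens on UDP port 5678+N; the guide itself only says the port must differ per peer. It also tightens the guide's FORWARD rule with a `-s` match on the peer's own /30, so that only traffic carrying the address assigned to that tunnel is forwarded.

```shell
#!/bin/sh
# Added example, not from the SigmaVPN project or the original guide.
# Derives the per-peer /30 addressing used in the guide from a peer index
# and prints the host-side commands and sigmavpn.conf stanza for that peer.
# Assumptions (ours): peers are numbered from 0; peer N gets
# 172.30.172.(4N)/30 with .4N+1 on the host and .4N+2 on the Android
# device; the TUN device is tunN; the UDP port is 5678+N.

BASE_PREFIX="172.30.172"   # first three octets of the guide's private range
BASE_PORT=5678             # the guide's port for the first device

# peer_addrs N: prints "NETWORK/30 HOST_ADDR ANDROID_ADDR" for peer N.
# Fails if the /30 would fall outside the single /24 used here.
peer_addrs() {
    idx="$1"
    net=$((idx * 4))
    if [ "$net" -gt 252 ]; then
        echo "peer index $idx does not fit in $BASE_PREFIX.0/24" >&2
        return 1
    fi
    echo "$BASE_PREFIX.$net/30 $BASE_PREFIX.$((net + 1)) $BASE_PREFIX.$((net + 2))"
}

# peer_port N: one UDP listening port per peer (assumed scheme: base + N).
peer_port() {
    echo $((BASE_PORT + $1))
}

# peer_tun_commands N: the ip(8) commands that create and address tunN,
# mirroring the guide's tun0 setup (MTU 1400 to avoid fragmentation).
peer_tun_commands() {
    addrs=$(peer_addrs "$1") || return 1
    set -- "$1" $addrs   # $1=index $2=network $3=host addr $4=android addr
    cat <<EOF
ip tuntap add dev tun$1 mode tun
ip addr add $3/30 dev tun$1
ip link set dev tun$1 mtu 1400
ip link set dev tun$1 up
EOF
}

# peer_conf_section N PUBKEY PRIVKEY [LISTEN_ADDR]: a sigmavpn.conf stanza
# with the settings the guide requires for an Android peer. PUBKEY is the
# Android device's public key, PRIVKEY the host's private key for this peer.
peer_conf_section() {
    idx="$1"; pub="$2"; priv="$3"; listen="${4:-10.0.0.1}"
    cat <<EOF
[android$idx]
proto = nacltai
proto_publickey = $pub
proto_privatekey = $priv
local = tuntap
local_interface = tun$idx
local_tunmode = 1
local_protocolinfo = 0
peer = udp
peer_remotefloat = 1
peer_localaddr = $listen
peer_localport = $(peer_port "$idx")
EOF
}

# peer_forward_rules N: the FORWARD rule for Internet access, restricted
# with -s to the addresses assigned to this tunnel (our addition).
peer_forward_rules() {
    addrs=$(peer_addrs "$1") || return 1
    set -- "$1" $addrs
    echo "iptables -A FORWARD -i tun$1 -o eth0 -s $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage: sh peer.sh N PUBKEY PRIVKEY [LISTEN_ADDR]
if [ "$#" -ge 3 ]; then
    peer_tun_commands "$1"
    peer_conf_section "$1" "$2" "$3" "${4:-}"
    peer_forward_rules "$1"
fi
```

Running it with index 1 and the keys for the second device prints the tun1 commands, a `[android1]` stanza using 172.30.172.5/30 on the host and port 5679, and a FORWARD rule that only accepts new connections sourced from 172.30.172.4/30. The printed stanza is meant to be appended to /etc/sigmavpn.conf; the Android side is then configured with Tunnel Address Prefix 172.30.172.6/30 and the matching port, exactly as in the list above.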