Connect to a Unix / Linux server from a Symbian S60 handset

The popular PuTTy application for Windows, which allows administrators to connect to Unix or Linux hosts at the command line, has been ported to the Symbian Series 60 platform.

It is available for download from the SourceForge web site here: http://s2putty.sourceforge.net/download.html

It did not require any additional pre-requisite components to run on my Nokia E71. Simply copy the SIS file to the handset and run it, once installed it will be listed in the Installations folder:

Launch the application, and edit the Default profile that will be listed:

The following options will be available:

Under the General options you can define the hostname or IP address to connect to as well as the user to connect as:

Under the SSH options you can specify the port to connect using as well as the protocol version:

When connecting to the server for the first time you will be prompted to save the server's RSA key in the list of authorized hosts within the Symbian operating system:

You will then be prompted for the password of the user account you used to connect with:

You will then be connected to your remote server.

Connect to a VNC server from a Symbian S60 handset

VNC is a remote control application for a variety of platforms including Windows, MacOS X and Linux, similar to Microsoft’s own Terminal Services (or Remote Desktop as you may know it by):

http://en.wikipedia.org/wiki/VNC

In order to be able to remotely control a server via VNC, you must install the VNC server component onto the server.

The Windows version can be downloaded free of charge here:

http://www.realvnc.com/products/free/4.1/download.html

The MacOS X version can be downloaded here:

http://sourceforge.net/projects/osxvnc/

The VNC client for Symbian S60v3 can be downloaded from the SourceForge web site here:

http://sourceforge.net/projects/symvnc/

In this example I have used the Nokia E71.

The client requires that the OpenPIPS framework be installed on the S60 device before the VNC client can be used.

OpenPIPS is available for download as a plug-in to the Symbian S60 SDK available from the Nokia Developer web site. The SDK is only available for the Windows platform currently.

The SDK can be downloaded here:

http://www.forum.nokia.com/info/sw.nokia.com/id/4a7149a5-95a5-4726-913a-...

Before you can install the SDK, you must first install an instance of PERL onto the Windows PC, such as this one:

http://strawberryperl.com/

Install PERL, then install the S60 SDK.

The OpenPIPS plug-in can then be downloaded from the Nokia Developer site here:

http://www.forum.nokia.com/info/sw.nokia.com/id/91d89929-fb8c-4d66-bea0-...

Install the plug-in to the SDK.

Once installed, locate the file:

C:\Symbian\9.2\S60_3rd_FP1\nokia_plugin\openc\s60opencsis\pips_nokia_1_3_SS.sis

Copy this file to your S60 device and install it.

Now you can install the VNC Client. Once installed, it will be listed in the Installations folder:

Launching the client allows you to enter an IP address, port number and specify the access point to connect through (be it GPRS / 3G or WLAN):

When connecting, you will be prompted to enter the password for the connection as defined on the server:

Once connected, you will be displayed the contents of the machine you are controlling remotely:

The display resolution can be altered so that you are able to view the screen more clearly (but having to scroll horizontally and vertically). Key sequences (such as CTRL ALT DEL) can be sent to the remote machine via the Options menu:

Remote control-tastic!

Deploying an SSH-based VPN solution

Configuring and deploying VPN remote access solutions can be a complicated and time-consuming, not to mention expensive, exercise. For companies looking to provide a simple, inexpensive, secure remote access solution to staff, then an SSH-based VPN may be the answer.
I have blogged previously about the free OpenVPN software (http://blog.brightpointuk.co.uk/openvpn), which is able to provide SSL-based VPN access, but this solution can require some detailed knowledge of networking on behalf of the administrator, and also (as with most solutions) effectively makes the remote client a host on the local network, with all the security considerations that this entails.

The solution I'm going to look at today works differently: a terminal server is deployed at the office, or specific desktop machines can be deployed on a per-user basis if required. Remote users can remotely log into this Terminal Server and access desktop applications and LAN-based resources via Remote Desktop or VNC. The solution requires only that a single TCP port be opened on the firewall, and a key file be saved onto the user's remote PC.
Because the remote PC is not on the local network, rather a local machine is being remotely controlled, there is no concern of viruses or other malware gaining access to the network from the remote machine, and bandwidth requirements are low.
Although this solution does require that hardware be deployed in the office, it has the advantage of allowing users to use their personal home PCs if desired without undue security concerns - and can work across a wide range of client platforms including Windows, Mac and Linux.

Because this solution involves users remote controlling a LAN-based machine rather than being a virtual host on the remote network, files on the user's real machine cannot simply be transferred to network drives and applications cannot access LAN-based resources directly. But should your users require access to an intranet or a web-based application, and can open and edit files stored on the LAN from the remote desktop, then this should not be an issue. The type of access your users will require should be taken into consideration.

I shall now look at the steps involved in deploying this solution.

Deploy a Terminal Server

Each user that is going to be using the solution will need a machine to remotely control. This might be a Terminal Services machine with the appropriate number of CALs, a VMWare server with multiple virtual machines configured, or real machines (if users have office-based desktop PCs, these could be used - but this is not a very green solution).

Whatever the machine, any required users will need to be added to the Remote Desktop Users group:

Or you may prefer to simply add 'Domain Users' to the group for ease of administration.

Deploy the VPN Server

In this scenario the VPN server itself is only acting as an SSH server and router and as such does not need to be very powerful, or indeed even a physical machine - a virtualised host would be fine.
In this example I am using the free, open source CentOS Linux distribution (http://www.centos.org).
Install a base configuration of the server - SSH functionality will be installed automatically.
Create a non-root user account, let's call it 'vpn'.
Edit the SSH configuration file located in /etc/ssh/sshd_config
Edit the port that the SSH service will use from the default 22 to a port of your choosing. In this example I am using TCP port 8999, chosen entirely at random:

The server will need to be assigned an external, Internet-facing IP address, with a DNS entry if desired. The server can be located on the LAN, with the selected port open on the firewall from the Internet to the internal address of the SSH server. If this is not satisfactory, the server can be located in a DMZ or Core network segment, just ensure that the SSH server is accessible from the outside world on the target port, the SSH server 'knows' how to route incoming requests to the LAN subnet(s), and the desired ports are open between the SSH server and the LAN (3389 in the case of RDP or 5900 in the case of VNC).

Generate client SSH keys

Keys can be generated on a Mac or a Linux-based machine at the command line using the ssh-keygen command. The process is simpler on Windows machines using the free PuttyGen utility, available from http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe

Click on the Generate button, then move the mouse across the window to create 'randomness' with which to create the key"

Once complete the key will be displayed:

You may find it useful to edit the contents of the Comments field to enter the name of the user that the key was generated for. Copy the whole key:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBQxT0fyUIh1uGPoRRf4Rh8kh4Uq16
qYczeGxC+OrQkeCy0fjW7YO7HCeG5mtFxDyOEXTaBj5AAo4gE2rJQ+4bhGDmcqEmk
XhkjuDW01joBTYx1em+JUbiM3/qLLBAvefsqSL1LhrsiJovIAjvMJsKuH2k6//BlK/7vVr2Y
gZrDBQ== Generated for James Liddiard

On the SSH server, log in as the 'vpn' user, or as root and then issue 'su - vpn' to become that user.
You should be in the /home/vpn/ directory. Create a new directory called '.ssh'

mkdir .ssh

Create a new file called 'authorized_keys'

touch authorized_keys

Edit the file

view authorized_keys

Paste the whole key into the file and save it.

On the Windows client, select the option to save the private key, selecting Yes when prompted to save the key without a passphrase. They key will be saved as a .ppk file, keep it somewhere safe.

The key is now authorised for SSH access to the server. Repeat this process as often as required.

Configure the Windows client

Create a directory on the C drive, or somewhere suitable. Let's call it 'SSH'.
In the directory, save the .ppk file created earlier.

Download and save the file 'plink.exe' in the same directory, available from http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe

We will need to accept and store the key of the SSH server. Run the following at the command prompt:

c:\SSH\plink -v -ssh -2 -P 8999 -l vpn 62.189.60.226

Where c:\SSH is the path to the location of the plink.exe file, 8999 is the port number specified for access to the SSH server, where vpn is the name of the non-root user account created on the SSH server, and where 62.189.60.226 is the external IP address of the SSH server.

This command can be saved in a batch file which can be double clicked to make things simpler, you will be prompted to accept the key and store it:

You will then be prompted to enter the password for the vpn user:

At this stage just press CTRL-C to end the batch job, there is no need to authenticate once the key has been stored.

Create a VBS script file, let's call it 'connect_vpn.vbs', use the following text:

Dim WSHShell
Dim WSHShell2
Dim Message
Dim Title

Set WSHShell = WScript.CreateObject("WScript.Shell")

cmdLine = "%comspec% /c c:\ssh\plink -v -ssh -2 -P 8999 -batch -l vpn -C -i c:\ssh\jimbob.ppk -L
127.0.0.2:3389:172.16.196.131:3389 62.189.60.226"
WshShell.Run cmdLine, 2
WScript.Sleep(10000)
WshShell.Run "mstsc /v:127.0.0.2:3389 /f"

where 'jimbob.ppk' is the name of the key file we created earlier and where '172.16.196.131' is the IP address of the internal machine to be remotely accessed.

Double click, or invoke the VBS file. The client will authenticate with the SSH server and forward the RDP request to the internal IP address of the machine to be accessed. After a pause of 10000 counts (as defined by the 'sleep' command), the Windows Remote Desktop client will launch and initiate a connection to 127.0.0.2 (a localhost address which will be forwarded by the plink script).
The 10000 delay command is arbitrary, this is the length of time it should take the SSH client to connect and authenticate. The RDP client will launch after 10000 milliseconds regardless as to whether the connection is established or not, therefore you may need to adjust this value yourself. It may be too long for 3G or DSL-based connections in which case it can be reduced. Don't be afraid to experiment.

If you are using VNC-based connections, then simply substitute the entries for 3389 with 5900 instead, and substitute the entry for 'mstsc' with the appropriate command line path to the VNC Viewer executable you are using, and use suitable switches.

Configure the Mac client

The procedure for configuring a Mac client in terms of keys is slightly different, MacOS not knowing what a 'ppk' file is.
If your administrator has generated a PPK file for you, then you will need to either convert it to an OpenSSH key, or generate key file manually on your Mac using the ssh-keygen command within Terminal:

ssh-keygen -f jimbob -b 1024

This will create 2 files within the directory in which the command was executed: 'jimbob' and 'jimbob.pub'.
Open the file 'jimbob.pub' using a suitable text editor:

Copy the contents of the file and save the key to the authorized_keys file on the SSH server as before.

On the Mac client we will need to accept and store the key of the SSH server as before. Open the Terminal application and run the following at the command prompt:

ssh -p 8999 -l vpn -i jimbob -L 3389:172.16.196.131:3389 62.189.60.226

You will be prompted to accept the key of the SSH server, type in 'yes' and press Enter.

The key has now been stored on the local Mac client.

Create a text file (with no extension) on the Mac with the following command line:

ssh -p 8999 -l vpn -i jimbob -L 3389:172.16.196.131:3389 62.189.60.226

Let's call it 'ssh_vpn'.

Launch the Terminal application and invoke the command by browsing to the correct directory and issuing:

. ./ssh_vpn

You will be connected to the SSH server as the VPN user (excuse my welcome message, I chose it purely to prove that I was indeed connecting as the correct user):

You can now launch a suitable RDP client on the Mac and connect to an address of 172.0.0.1, which will be forwarded automatically. Again, if using a VNC client, substitute any entry for 3389 with 5900 as the port number instead.

If you need to convert a supplied PPK file to the OpenSSH format for Mac usage, you will need to install the "MacPorts" version of Putty on your Mac: browse to http://www.macports.org in your browser and install the relevant package for your platform:

Before you will be able to install MacPorts, you will need to install the XCode tools from your MacOS installation source.

Once installed, run the following commands:

sudo port install putty

The required packages will be downloaded and installed, this process may take a few minutes:

Once installed, browse to the directory where the PPK file has been saved and convert it with the following command:

puttygen jimbob.ppk -O private-openssh -o jimbob.ssh

Now create a text file as we did before, but this time with the new details of the private key file:

ssh -p 8999 -l vpn -i jimbob.ssh -L 3389:172.16.196.131:3389 62.189.60.226

and run the file with the command:

. ./ssh_vpn

Once connected you can launch either a Remote Desktop or VNC client:

VPN-tastic!

OpenVPN

OpenVPN (http://openvpn.net) is a fully-featured SSL VPN solution.
OpenVPN can be used to provide secure remote access to field workers, can provide site-to-site VPN links or can be used to secure a private wireless network: if you can think of an application for a VPN solution, OpenVPN can probably accommodate it.

The OpenVPN server software can be installed on Linux, Windows (2000 or later), Solaris or MacOS and there are clients available for an even wider range of platforms, including Windows Mobile.

In this article I shall describe how to install a VPN server and configure secure access to your private network from the Internet. This article is not necessarily reserved for IT admin staff: anyone who has a networked storage device at home and would like the ability to access their files while out and about – this is for you.
For those of you who are more comfortable with a Windows environment, there is an excellent article on The Register desribing how to install OpenVPN for Windows (http://www.theregister.co.uk/2008/09/01/openvpn_primer/). This article describes how to use OpenVPN to remotely access your corporate Internet connection.
I shall install and configure the server-side on the free Linux distribution CentOS (http://www.centos.org), version 4.7, and configure it to allow remote access to local network resources (file servers, intranet, etc).

Requirements

Before you install the server, it is important to consider how you intend to configure routing between your internal network and the outside world, and also the addressing scheme to use.

For your VPN solution to work, the client will need to recognise the remote resource being requested as residing on a network ‘behind’ the VPN server.
The vast majority of public WiFi services (and potentially cellular mobile network operators) will assign connected clients an IP address in the range 10.x.x.x , 172.16.x.x or 192.168.x.x (the addresses reserved for ‘internal’ networks) .
Therefore, if you have connected to a public WiFi service and have been assigned an address of, say, 192.168.0.42, you may be able to connect to your VPN server, but if you then request a connection to a server on the remote network with an address of 192.168.0.10 the client device will not know to route the request over the VPN link but will look for it on the local network.
Your internal network should therefore use an addressing scheme that is suitably unlikely to be in use elsewhere.

Once connected, the VPN client will be assigned an IP address on the remote network. Similarly, in order for the remote resource to be able to reply to requests from the VPN client, the address used by the client also needs to be ‘behind’ the VPN server so that local network resources know to route responses accordingly.
The necessary routes will need to be added to the local network resources: either each machine will need a route added to it to direct requests to the VPN network to the IP address of the OpenVPN server, or (preferably) add a route on the default gateway of the internal network.

The OpenVPN documentation suggests a network in the middle of the 10.x.x.x address block, such as 10.66.77.0/24 (so your VPN server might have an address of 10.66.77.1 with a subnet mask of 255.255.255.0).

For your VPN server to be accessible from the Internet, it will need a ‘routable’, or ‘real-world’ IP address. The majority of home broadband providers do not provide this unfortunately, so you may need to check with your provider what options are available. The external address of your server does not necessarily need to be ‘fixed’, but it will need to be routable. If you have a dynamic address, then you can create a free account with DynDNS (http://www.dyndns.org) which will enable you to connect to a ‘friendly name’ from your client device without having to worry about what the IP address might be at any given time.

In this example, my OpenVPN server will have a fixed external IP address. I shall be using an internal addressing scheme of 10.66.77.0/24 and I shall use a separate network range for the VPN: 10.66.78.0/24. The OpenVPN server will issue addresses to clients automatically via DHCP in this range.

Installation

Install a base (minimal) CentOS configuration.
During the installation assign the server an IP address on the local network (10.66.77.10, for example). Configure the default gateway with the internal address of your router (10.66.77.1, for example).
Install the GCC compiler via yum with the following command:

yum install gcc

The LZO compression library is also required. This is available from http://www.oberhumer.com/opensource/lzo/download/

The package will be in .tar.gz format. Extract the contents of the archive with the command:

tar xvfz lzo-x.x.x.tar.gz

now change to the directory created and run:

./configure
make
make install

OpenSSL is also required. This can be downloaded from http://rpm2html.osmirror.nl/openssl.html
The package will be in rpm format, install it with the command:

rpm –i openssl-x.x.x.rpm

Download the current OpenVPN installer package from http://openvpn.net
The package will be in .tar.gz format. Extract the contents of the archive with the command:

tar xvfz openvpn-x.x.x.tar.gz

now change to the directory created and run:

./configure
make
make install

OpenVPN is now installed but must now be configured.

Generate Master Certificate Authority (CA) key

Within the openvpn directory, switch to the easy-rsa directory.
Edit the ‘vars’ file.
Scroll down and update the contents of the following fields:

KEY_COUNTRY  (eg GB)
KEY_PROVINCE  (eg Dorset)
KEY_CITY  (eg Poole)
KEY_ORG  (eg MyCompany)
KEY_EMAIL  (eg root@mydomain.com)

Save the file.
Make the file executable with using chmod:

chmod 755 vars

Now run the following commands:

. ./vars
. ./clean-all
. ./build-ca

You will be prompted to enter the details for the CA key, but having edited the vars file you should be able to press Enter and have the default value accepted. You will need to enter the hostname of the server, ‘server’ will do.

Once complete the following files will have been created in a new directory called ‘keys’:

ca.crt
ca.key

Generate OpenVPN server key

Having created the root certificate for the certificate authority, we must now create a key for the OpenVPN server itself. Run the command

. ./build-key-server server

Again most of the fields will be completed for you, simply press Enter when prompted. You will need to enter the hostname of the server, again ‘server’ will do.

In the keys directory the following files will have been created:

server.crt
server.csr
server.key

Generate OpenVPN client key

Now we need to generate a key file for the client. Issue the following command:

. ./build-key client1

When prompted for the hostname, simply enter ‘client1’. Repeat this process for as many clients as you require.

Configure Diffie-Hellman key exchange

Now run the command:

. ./build-dh

This will configure the necessary key exchange parameters automatically and create a file named ‘dh1024.pem’ in the keys directory.

Configure Server

The default server configuration file now needs to be updated with the specific details of your network. An example server configuration file lives in /sample-config-files/server.conf. Make a copy of the file and save it to the openvpn directory.
Edit the file.

Locate the line beginning ‘port 1194’
Here you can specify which port the server will listen for connections on. The default is 1194 but this can be changed to any port you want. It is important that whatever port you choose, any firewalls that the VPN server sits behind are configured to allow this port through to the server from the Internet.

You can also specify the protocol used (UDP or TCP). The default is UDP.

Scroll down and locate the section beginning:
ca ca.crt
cert server.crt
key server.key

Specify the location of the server and ca key files (if not in the same directory as the conf file)

Scroll down and locate the line beginning ‘dh dh1024.pem’
Specify the location of the Diffie Hellman config file (if not in the same directory as the conf file)

Scroll down and locate the line beginning ‘server 192.168.0.0 255.255.255.0’
The details of the VPN subnet will need to be defined. The default value will need to be amended with the new details (10.66.78.0 255.255.255.0 in my example)

Scroll down and locate the section beginning ‘;push "route 192.168.10.0 255.255.255.0" ‘
Any routes that you wish to be pushed down to connected client devices will need to be configured here (remove the ‘ ; ‘ character at the beginning of the line to make it active. In my example I will add an entry to have a route for the 10.77.66.0 network pushed to the client.

Scroll down and uncomment out the lines ‘user nobody’ and ‘group nobody’ to reduce the privileges of the OpenVPN daemon.
Once complete save the file.

NOTE – there are also options within the server.conf file to define DNS and WINS server settings that can be pushed to the client device when it connects. If you are running a DNS server on your local network then this is advisable as it allows you to connect to ‘friendly names’ directly from the client, otherwise you will need to know the IP addresses of all local resources you want to access.

NOTE – if there are further networks that sit behind the VPN server other than the network that it sits on (such as a DMZ environment), then the necessary routes will also need to be defined to be pushed to the client. More information on this is available on the OpenVPN web site.

Start the OpenVPN server

Start the server with the command:

openvpn server.conf

Configure routing

On the local network resource – the internal router if one is being used, or on each host separately, add a route to direct traffic for the 10.66.78.0 network to the local IP address of the OpenVPN server. Use the following command to configure the host manually:

route add –net 10.66.78.0 –netmask 255.255.255.0 10.66.77.10 1

On a Netgear router, static routes are defined in the Advanced --> Static Routes section:

Configure the Windows Client

The OpenVPN client for Windows can be downloaded from http://openvpn.se/download.html
Be sure to choose the GUI and TAP driver package rather than just the GUI. The TAP driver is required to install the virtual network adapter.
Once installed, browse to C:\Program Files\OpenVPN. The are sample configuration files in the ‘sample-config’ directory. Copy the file ‘client.ovpn’ to the ‘config’ directory and then edit it with Notepad.
Enter the external name or IP address of the VPN server. An entry has been made for ‘remote my-server1 1194’. Replace my-server1 with the details of your server. If you specified an alternate port to use other than 1194 when configuring the server, substitute this here also.

Save the following files from the VPN server onto the client:

ca.crt
client.crt
client.key

The OpenVPN connection can be initiated by right clicking on the system tray icon and selecting Connect:

If all has gone well, you should be successfully connected and your local IP address will be displayed. You can now verify the connection by attempting to ping the local address of a resource on the remote network.

Configure the Mac Client

The setup procedure on the mac is a slightly more manual process. There are packages that can be purchased which include all of the required packages, such as Viscosity (http://www.viscosityvpn.com/), but with a little effort you can do it for free.

Firstly, install the XCode tools from the Apple OS DVD, if not installed already. These are required as they contain the GCC compiler which is required to install some of the prerequisite packages.

Next, you need to install a TUNTAP driver for the virtual network adapter, such as this one:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
This package is MPKG file, simply run it and follow the on-screen instructions.

Next download and install Fink from http://www.finkproject.org/ (Fink provides similar functionality to yum on Linux systems).
Once Fink has been installed, open a Terminal window and enter the following command:

fink install openssl097 openssl097-dev openssl097-shlibs

This will download and install the necessary OpenSSL libraries onto the Mac.

Download the LZO Compression library from http://www.oberhumer.com/opensource/lzo/download/

This will come down as an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:

./configure --enable-shared
make
make test
sudo make install

Download the current version of OpenVPN from http://openvpn.net

Again this will be an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:

./configure --with-ssl-lib=/sw/include/ --with-ssl-headers=/sw/include/ 
--with-lzo-lib=/usr/local/lib/ --with-lzo-headers=/usr/local/lib/
make
sudo make install

Now create a directory for OpenVPN:

sudo mkdir /etc/openvpn

Copy your certificate and key files into this directory:

ca.crt
client.crt
client.key

Now create an openvpn.conf text file containing the following script:

client
dev tun0
proto udp
remote (server address) 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo
verb 3
mute 20

(where (server address) will need to be substituted for the external name or IP address of the VPN server.

Save the file to the /etc/openvpn directory

To initiate the connection, issue the following command:

sudo /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf

There is a free GUI for OpenVPN that allows you to initiate connections from the menu bar without having to type the above command into Terminal every time. The GUI is called Tunnelblick and is available from the Google web site: http://code.google.com/p/tunnelblick/

Once installed, Tunnelblick adds an icon to the menu bar, shaped like a tunnel:

To configure Tunnelblick, simply click on Details and then ‘Edit Configuration’. Paste in the same script that you created above.

Configure the Pocket PC client

The Pocket PC client for the Windows Mobile platform can be downloaded from here - http://ovpnppc.ziggurat29.com/ovpnppc-files.htm

The client can be downloaded either as an executable package that must be installed onto the PDA from a PC via ActiveSync, or as a CAB file package that can be installed on the device locally.

Once installed, an icon for the client will be added to the Today screen and also to the Programs folder:

In order to configure the client, the required keys must be copied to the PDA as with the previous clients, to the \Program Files\OpenVPN\Config directory:

ca.crt
client.crt
client.key

However once on the device, the crt files must be renamed with a .pem extension, giving:

ca.pem
client.pem
client.key

In the /config directory on the PDA will be a file named 'sample.opvn'. Copy this file and rename it to the desired name of your configuration as you want it appear within the client.
The easiest way to do this is to copy the file to your PC, edit it, then copy it back again.
Enter the following text into the file:

client
dev tap
proto udp
remote (server address) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "\\Program Files\\OpenVPN\\Config\\ca.pem"
cert "\\Program Files\\OpenVPN\\Config\\client.pem"
key "\\Program Files\\OpenVPN\\Config\\client.key"
comp-lzo
verb 3
mute 20

Once the configuration file has been saved to the PDA, it will be listed as an available connection within the OpenVPN client on the Today screen:

If desired, within the Settings of the client it is possible to specify which Internet connection the OpenVPN client should use to initiate the connection to the OpenVPN server: