This is probably not that useful unless (a) you're paranoid or (b) you need access to a secured network from your phone, however I managed to build openvpn and stunnel against bionic and the onboard openssl library. These are available at http://g1.fnord.to/crypto
OpenVPN requires root access and busybox. With this you can conceivably route all IP traffic through a server somewhere by use of the 'route' command, after the VPN link is brought up. This has been tested, and does not seem to affect phone functionality.
stunnel doesn't require root afaik so you should be able to run it from /data/local. This should allow you to encrypt web traffic at least, by setting the proxy via the 'Proxy Settings' app that's available with AnyCut.
Some how I think T-Mobile might get mad if you did this... They say they allow tethering but if you go over your 10GB limit and they can't see your traffic I would think they would want to know what is up.
Good idea and I know some people are that paranoid... but I see this getting people in trouble... or maybe it is just me.
This is GREAT. I've been looking for this since the day I got my G1. I tried to compile a statically-linked binary a while back, but it was HUGE and wouldn't do much before segfaulting at me.
This gets a 4 smilies because this is how I access my work network remotely from my desktop, and now I can access some of these servers for maintenance remotely from my phone! (I would have given it a whole row of smilies, but apparently that is frowned upon.)
Thanks a million for getting this working!
I probably won't be using it as a default route, but it can be a static route to my office servers for sure!
Just got done testing this to vpn to my workplace and it works awesome. It also routes all traffic while tethering thru the vpn tunnel route.
This has been the best reason for me to get root yet.
Wow this is dope... trying to set this up now so now I can connect to my server on the go. I hope t-mobile don't even see this cuz they will be trippin over why do you need to hide your traffic but this is great no more keeping record of wat you do. Next is gonna be p2p and I will even fell back for t-mobile network lol Thanks this great
neoobs said:
Some how I think T-Mobile might get mad if you did this... They say they allow tethering but if you go over your 10GB limit and they can't see your traffic I would think they would want to know what is up.
Good idea and I know some people are that paranoid... but I see this getting people in trouble... or maybe it is just me.
Click to expand...
Click to collapse
It would probably help for wifi usage. I never connect to public wifi with my G1 for this very reason. I have openvpn running on my router at home so I can tunnel into it when i'm wifi-ing on the go. If the G1 is in an area where there is no 3G coverage but there is public wifi, this might just be what the doctor ordered.
Can the G1 auto connect to openvpn whenever it connects to a network (via wifi), i want it to automatically poll mail for me..
The openvpn daemon is designed to autoreconnect if a keepalive ping fails. I would think if it is running in the background and you changed from Edge/3g to Wifi that it would force a reconnect situation, and it would re-establish the vpn through the new connection.
I will test this right now and get back to you
After testing, it works as expected. ~60 seconds after starting wifi I got the following message:
Inactivity timeout (--ping-restart), restarting
After that it re-established the tunnel through the new interface, and I was able to access machines at my office again.
I didn't know if anyone used a shell script to start/stop their VPN but I made the following so that I can easily start and stop it
Code:
#!/system/bin/sh
case "$1" in
'start')
modprobe tun
/data/local/bin/openvpn --config /path/to/config.ovpn --writepid /data/local/openvpn.pid &
;;
'stop')
kill -9 `cat /data/local/openvpn.pid`
sleep 2
rmmod tun
;;
*)
echo "Usage: $0 [start|stop]"
;;
esac
Instead of keepalive for timeout detection, it would be nice to have hooks called on ifup/ifdown, just like debian's /etc/network/if-up.d/*.
It would allow immediate reconnection upon switching interfaces (between 3G and Wifi for example), and also prevent a situation where an interface comes up, sets the default route, and traffic goes cleartext for 60 seconds until vpn reconnection.
I can think of a lot of other uses for such hooks. Does android offer them?
If we're certain the hooks do not exist natively, I'll find a non-polling way to provide them.
I couldn't find an android interface for ifup, so I just used the netlink notifications, via ip(8). Note that you need the real iproute2 ip binary rather than the busybox one. Probably awk as well - I didn't check since I use debian binaries rather than busybox.
Here's how you use it:
Code:
ip monitor route | awk -W interactive '/^default/ {system("/data/local/bin/ifup " $5)}'
It'll execute /data/local/bin/ifup whenever the default route is changed, and pass the interface name as $1. For 3G/GPRS the interface name is usually rmnet0, whereas for WLAN it is if<num> where num is increasing on every insmod, probably indicating a leak in the tiwlan driver.
If you want it to reconnect openvpn whenver the route changes, you should probably
Code:
killall -USR1 openvpn
for any interface other than tap0 (or whatever you call your openvpn interface).
The above method can be used for earlier events such as link-up, but I figured a default route would be the best time to start openvpn. For extra paranoia, you might want to use iptables to prevent connections to anything other than openvpn on tiwlan0, and have an "up" line in your openvpn config file to set the default route through your vpn when it comes up.
When I get around to write a nice script that does the above, I'll post it here.
How much space are we talking about using with native iproute2, awk, and other binaries? I would think the amount of space used is getting rather large. I guess that it quickly becomes a good time to start using the SD card to store apps.
I've not wanted to repartition my card, but I could always make a FS image and mount it 'mount -o loop' style.
As for instant-on, I'm not using this for paranoia like some are, so instant doesn't really matter to me nearly as much as it could otherwise.
Space requirements - I don't know how much it takes with the libs since I just use it inside a debian chroot and it's all on the sdcard. I need debian anyway, to run certain X apps, etc, so for me it's not a waste of space. Anyway, if you just build iproute2 and awk, or even your own binary that just creates a netlink socket and blocks on it, it shouldn't take a lot of space. Or, if you happen to have python on the phone, it can be done in a few lines of script instead of another binary.
Re instant on, I find it better, not just for paranoia reasons (e.g. ensuring that I never send a cleartext pop3/imap password over wlan), but also for long-running connections such as ssh. If I run them over the vpn interface, I have a fixed IP and the connections persist. If, on the other hand, I create the connection directly over 3g/wlan/gprs, it'll die as soon as I change interfaces. Therefore, I'd rather run all long-running connections over openvpn. IP mobility RFC implementation would be more efficient but as long as it's not an option, a vpn will do.
By the way, do we currently have a way to tie a script/executable to an icon/shortcut, or do you run your script from a terminal?
My understanding is there are problems running apps from a gui shortcut.
http://forum.xda-developers.com/showpost.php?p=3142661&postcount=93
I run everything I do from a terminal.
I guess we need a small loader then. Something that calls Exec.createSubprocess(), just like Term.apk does. Each app will have a symlink to this ShellLoader.apk, which will execute scripts based on the name it was executed under. Another one for the TODO list
From Term.java:
Code:
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
Log.e(Term.LOG_TAG, "onCreate");
setContentView(R.layout.term_activity);
mEmulatorView = (EmulatorView) findViewById(EMULATOR_VIEW);
int[] processId = new int[1];
if (TEST_MODE) {
// This is a vt100 test suite.
mTermFd = Exec.createSubprocess("/sbin/vttest", null, null);
} else {
// This is the standard Android shell.
mTermFd = Exec.createSubprocess("/system/bin/sh", "-", null,
processId);
}
final int procId = processId[0];
final Term me = this;
final Handler handler = new Handler() {
@Override
public void handleMessage(Message msg) {
me.finish();
}
};
Can we use Exec.createSubprocess() as in this above but call "/system/bin/su /data/local/bin/APPLICATIONNAME" to make the Superuser app prompts for root among other things?
Maybe create a user interface that lets you enter what you want in the place of '/data/local/bin/appName' and then when it creates the shortcut also asks if that application needs root?
It could be a list of shortcuts that is selected from a list then. Look like a list of bookmarks perhaps?
I don't know enough of the android environment to know how realistically we could do something like that.
looks like that code example from above is old. Current source from git looks different, but the call looks similar enough. I will play with it here shortly.
Yes, we could do that, including su, but be careful with it
Re bookmarks inside a single loader, I think we can do even better:
We can have a single application called Loader, and call it with different parameters using AnyCut. AnyCut has a "make your own shortcut" option, where you can provide Action, Data and Type. I'm not familiar with the Android environment yet, but I guess the Action can point to the loader, and the Data can be a script name to be executed. This way, a single .apk can be used for starting many native programs.
If implemented that way, I suggest stripping slashes from Data and prepending with /data/local/scripts/ or a similar directory, so that it can only execute scripts the user meant for it to run, rather than arbitrary shell commands. /data/local/scripts/ can contain symlinks to scripts/apps the user wishes to execute from the Android interface. It's more secure that way, while retaining usability.
Makes sense?
Certainly does. You wouldn't want someone to be able to 'rm -rf /' or anything like that.
I think I like restricting it to /data/local/scripts and forcing us to symlink or place any scripts we want to be able run in that path.
Also agree with stripping slashes. There might be other sanitizing that we would want to do to keep malicious actions from being performed.
I would think strip any special characters that have special meaning to the shell * | < > ` etc. If we want to do anything that requires these, we put it in whatever shell script and then just call the script.
Maybe the best route is to just scan the /data/local/scripts folder and allow the user to select from a list.
In any case, whoever does this already has root, so it is just as easy to launch a terminal and break everything from there.
Just a few brainstormed thoughts.
Related
This is a program I wrote a while back that allows transparent tethering over USB without requiring root access. It works by simulating an unencrypted OpenVPN server and then internally running everything through a Java-based NAT. I get decent speeds off it, but your mileage may vary. It's a bit beta! Might explode! Wear eye protection!
It has a really basic website at http://lfx.org/azilink/, but to spare your eyes I'll just paste the instructions below:
Required files:
- ADB from the 1.1 SDK or from http://lfx.org/azilink/adb.zip
- OpenVPN 2.1 (not 2.0) from http://openvpn.net/index.php/downloads.html
- AziLink.apk from http://lfx.org/azilink/azilink.apk
- AziLink.ovpn from http://lfx.org/azilink/azilink.ovpn
Installation:
1) Install OpenVPN on the host. I use version 2.1_rc15, but any version should work. Apparently if you use version 2.0 you'll need to remove the NO_DELAY option from the AziLink.ovpn configuration file. You can find OpenVPN at:
http://openvpn.net/index.php/downloads.html
2) Enable USB debugging on the phone. From the home screen, this is under
Settings>Applications>Development>USB debugging.
3) Install the Android USB driver (if you don't already have one installed).
See http://code.google.com/android/intro/develop-and-debug.html#developingondevicehardware
4) Install the program. You can either use ADB to install by typing
"adb install azilink.apk" with the file in the current directory, or you can browse (on the phone!) to: http://lfx.org/azilink/azilink.apk
Either way you might need to allow installation from unknown sources
under Settings>Applications>Unknown Sources.
Configuration steps:
1) On the host, run "adb forward tcp:41927 tcp:41927" to set up port forwarding. Be sure to use adb from the Android 1.1 SDK! The version from 1.0 will lock up under heavy load. If you don't want to download the entire SDK, you can get a copy of ADB+drivers from http://lfx.org/azilink/adb.zip
2) On the phone, run AziLink and make sure "Service active" is checked.
3) Right click AziLink.ovpn on the host (not in the web browser!) and select "Start OpenVPN on this configuration file." You can find this file at: http://lfx.org/azilink/azilink.ovpn. If you're using Linux or, god forbid, MacOS, you'll also need to manually set the nameserver to 192.168.56.1 (the phone's NAT IP address).
Nice work around.
Wow, amazing work! I'll definitely have to mess around with this tomorrow...
OpenVPN 2.0.9
Thnx for the manual..!! Took me something to get it working, i'll find out, that it isn't working with OpenVPN version 2.0.9
OpenVPN 2.0.9 doesn't recognize the following rule in azilink.ovpn:
socket-flags TCP_NODELAY
And it worked with version 2.1rc15...
So no more Internet Sharing on Windows Mobile...
OpenVPN 2.0.9
Thnx for the manual..!! Took me sometime to get it working, i'll find out, that it isn't working with OpenVPN version 2.0.9
OpenVPN 2.0.9 doesn't recognize the following rule in azilink.ovpn:
socket-flags TCP_NODELAY
And it worked with version 2.1rc15...
So no more Internet Sharing on Windows Mobile...
help
Ok I'm a complete noob and I've played about with this but can't get it to work. How do I run adb? As in the very first step? Where do I type that. Do I need to install adb and how do I do it?
Thanks
Got it working
Man this is awesome.
I realised i needed to run the adb from cmd. see when i tried to open adb.exe it just kept closing.
thanks alot. this rocks
ps im writing this off my tethered pc
zecbmo said:
Ok I'm a complete noob and I've played about with this but can't get it to work. How do I run adb? As in the very first step? Where do I type that. Do I need to install adb and how do I do it?
Thanks
Click to expand...
Click to collapse
Nah, you can just unzip adb and run it directly from that folder. It's a command line program, so you'd need to run it from a command prompt (cmd.exe). I'm not sure whether adb needs to run as an administrator or not (I disable all that UAC garbage in Vista). If you have the proper driver installed, then the ADB command should return immediately without saying anything. If it says "waiting for device..." that means it wasn't able to find the Android debug driver.
I know this is all a bit hacky, but now that we've got root and wifi tethering I figured that there wouldn't be too much interest.
cheers
its working great like. im using this cus i havent rooted my phone yet. tethering was the only reason why i wanted to root it but this is a great alternative
Works Great. Thanks for the easy instructions.
Here is translation of post on Russian with images http://androidteam.ru/faq/azilink-tethering-with-android-usb.html
I have repacked all in one zip, and make some command files to make process a little easy.
another trick that may help on XP machines, probably other versions as well.
Create a shortcut to adb.exe on your windows desktop (mine is located in C:\and\tools)
Modify the 'target' (right-click,properties) of the shortcut to read C:\and\tools\adb.exe forward tcp:41927 tcp:41927 <I think this is the right code, I'm still using tetherbot on 1080>
That's it. Once everything's set up connecting is easy. one click on the computer, no cmds required
does this allow for media such as flash on web site to play on the laptop?
clevetbs said:
does this allow for media such as flash on web site to play on the laptop?
Click to expand...
Click to collapse
If you've got enough bandwidth. I'm not really sure what bitrate flash video runs at though.
Many thanks for this, aziwoqpd. I've not had the time to root, but have been looking for an easy way to tether. A usb connection is great, since the battery drains so quickly anyway it's nice to keep a charge going.
sonikamd - thanks for the suggestion, it's a great idea. Unfortunately my XP doesn't want to accept your syntax. I wish I could offer something else, but my skills (ha!) are nonexistant. I'm embarassed to say that I had to refresh my memory on how to maneuver around command lines...
Got any other suggestions?
Thanks again for all your work!
the AziLink.ovpn file wont download for me.
works fine for me, GREAT WORK!
Okay, so I'm trying this out on a mac. I've successfully built openvpn and have my tunneling device (/dev/tun0, /dev/tun1, etc.). I run the adb forward command and it starts the daemon successfully, I fire up azilink on the phone and it says it's waiting for the connection, I fire up openvpn and the phone changes to stating that it's connected. Openvpn does not exit out - it starts the tunnel - BUT in the logging it reports " ROUTE: problem writing to routing socket" twice (which oddly appears to be a non-fatal error to the application), and traffic is unable to flow. I'm guessing it's something about openvpn not correctly manipulating the darwin routing tables, but I've been unsuccessful thus far in figuring out the nature of the problem so I thought I'd check here.
I'm running the straight azilink openvpn config file, which means if I need any syntactical changes for darwin I haven't applied them. The openvpn documentation is not terribly good and I was unable to find any documentation of routing command differences for MacOS (if that's even the problem, of course).
Edit: I forgot to mention, I've been trying to ping known-good IPs by address to test the routing - after my first attempt at loading a web page failed I figured it best to remove name services from the possible list of problems. The bytes sent count was slowly incrementing (up to about 23K bytes in ten minutes of diagnosis), and the inbound count got up to about 900 bytes in the same period, so clearly *something* was getting through - unless those counters are counting all traffic into and out of the phone and just going over the cable - but I got no ping responses, no websites could load, and by all appearances from the terminal, no data was moving.
lindsayt said:
I'm running the straight azilink openvpn config file, which means if I need any syntactical changes for darwin I haven't applied them. The openvpn documentation is not terribly good and I was unable to find any documentation of routing command differences for MacOS (if that's even the problem, of course).
Edit: I forgot to mention, I've been trying to ping known-good IPs by address to test the routing - after my first attempt at loading a web page failed I figured it best to remove name services from the possible list of problems. The bytes sent count was slowly incrementing (up to about 23K bytes in ten minutes of diagnosis), and the inbound count got up to about 900 bytes in the same period, so clearly *something* was getting through - unless those counters are counting all traffic into and out of the phone and just going over the cable - but I got no ping responses, no websites could load, and by all appearances from the terminal, no data was moving.
Click to expand...
Click to collapse
The byte counters only include traffic that OpenVPN is forwarding, so something is making it over. Did you try changing the DNS server to either 192.168.56.1 or an external address like 4.2.2.2? OpenVPN on MacOS and Linux won't set the nameserver automatically.
Also, there's a bit of a problem with pinging. The app on the phone can't generate ICMP ping packets since it isn't running as root. When you send an ICMP ping, the phone translates it to a UDP ping, sends it, and translates the reply back to a ICMP ping. Unfortunately, probably about 50% of hosts don't reply to UDP pings. Some that I've tested with that do work are lfx.org and he.net.
I'll see if I can give it a quick test on a Mac sometime tomorrow.
EDIT: I managed to get it working, although T-Mobile's so-called "transparent" web proxy is barely working today so I was having trouble accessing websites without getting errors. SSH was working fine, though. Anyway, here's what I did:
1- Installed a MacOS port of OpenVPN called Tunnelblick (didn't have XCode handy to compile my own and it's got a pretty GUI)
2- Copied azilink.ovpn to /users/azi/library/openvpn or whatever it is
3- Click the Tunnelblick icon in the upper-right, go to details, click "set nameserver"
4- Remove the TCP_NODELAY line because it was complaining that my kernel didn't support it (and would cause my connection to timeout after about 30 seconds).
5- Clicked connect
If you want to see what traffic's going over openvpn, you can just run "sudo tcpdump -n -i tun0"
wow ... this works great ... tested using a german G1 under linux (arch 686), win vista (x64) & win xp (x86) ... pretty good speed and low latency (actually i can't notice any latency at all - no mather if using wlan or 3g)!
GREAT WORK!!!
I have a freebsd server on my home network that i used to be able to ssh into from my G1 using connectbot, but this recently stopped working. using the command line ssh program i get the following warning:
"Reading the random source seems to have been blocked. If you are experiencing problems, you probably need to find a better entropy source."
one thing i cam across while researching this was to replace /dev/random with a sym link to /dev/urandom, but i definitely want to ask an expert before i go messing around with device files.
i'm currently running JF1.42 RC33. I'm also a fairly experienced linux user, but by no means an expert. Thanks so much in advance for all your help, xda rocks!
note (for all you note lovers ): i think this stopped working when i upgraded to JF1.41 RC33, but I have no idea if that has anything to do with it. I also reinstalled freebsd around that time.
I'm using JF1.41 RC33 and have no trouble using connectbot or command line ssh. Are you able to ssh to your bsd server from something other than your G1?
yup, i'm able to do it from my main box. i'm having some trouble gettin rsa keys set up, but ssh itself is working
I updated to 1.42 and was not able to duplicate the error. Here is how those devices look on my phone:
$ ls -la /dev/*random
crw-rw-rw- 1 0 0 1, 8 Feb 12 22:30 /dev/random
crw-rw-rw- 1 0 0 1, 9 Feb 12 22:30 /dev/urandom
my devices and permissions are the same (damn lol). do you think that renaming /dev/random and making /dev/random a symbolic link to /dev/urandom would cause any problems? i'm gonna do some more research on the differences between the two, but any input would most definitely be appreciated
I'm not familiar enough with how Android as a whole works to say if that change would be ok. My concern would be about something else affected by this change.
Because of that, I would think the choice would be better made on an application level. Maybe this is an option that the connectbot developers would be willing to add as a program setting?
Perhaps there is a workaround. Some of the information out there suggests that if the random source is software-only, running more applications which access the network may cause it to unblock. After getting the error, I'd try pulling up a web page, signing into IM, searching in maps, etc. and then trying ssh. While not really a solution, if it works it would confirm the above information.
Well, I did some web browsing, messaging, and maps work, as well as installing Debian from the easy install thread, and it half worked: the terminal ssh program now works, but connectbot still doesn't. i tried 'use any unlocked key' and 'don't use keys', to no avail.
all i'm getting is a quick flash with a WARNING message that pops off the screen to fast for me to read. I think it's a different issue for connectbot? i wish i could hold onto that connectbot screen before it kicks me off...
I use my G1 and iPod Touch hand and hand. I share my G1s internet over wifi. Basically I want to create a script that will ssh from my G1 to my Touch then copy the contents of say my images folder to my Touch. This way keeping my iPod and G1 in sync over wifi. I'm wondering what would be the easiest way of doing it, creating a cron script that pings for my iPod's IP and if returned would start a SSH connection and auto copy my pictures? Any idea's?
Note: I was also thinking maybe creating a custom tether app based off the wifi tethering app available that when tethering was activated it would ping periodically for my iPod's IP. That way I could avoid the hassles of cron under the Android Environment and I would only be trying to sync when my G1 is tethering.
G1 has nothing to share with ipod, pervert
...right. I don't think you can do cron jobs on android or host a ssh server natively but you might be able to mount debian on your sdcard and then do everything from in there. rsync is popular for this.
jusplainmike said:
I use my G1 and iPod Touch hand and hand. I share my G1s internet over wifi. Basically I want to create a script that will ssh from my G1 to my Touch then copy the contents of say my images folder to my Touch. This way keeping my iPod and G1 in sync over wifi. I'm wondering what would be the easiest way of doing it, creating a cron script that pings for my iPod's IP and if returned would start a SSH connection and auto copy my pictures? Any idea's?
Click to expand...
Click to collapse
Basically, yeah. Could be easier / more elegant to build a Java app that runs in the background, pinging the ip. To copy via ssh you need scp, which is included in my JF 1.43 ADP1.1 flash.
Then just
Code:
scp -i /sdcard/android_id.seckey -r [email protected]:/wherever/the/files/are/ /sdcard/where/i/want/them
You'd need to supply a public key without password protection (in my example android_id.seckey) to the iPod, which usually is a significant security risk. Maybe in case of your iPod, not so much though.
jusplainmike said:
Note: I was also thinking maybe creating a custom tether app based off the wifi tethering app available that when tethering was activated it would ping periodically for my iPod's IP. That way I could avoid the hassles of cron under the Android Environment and I would only be trying to sync when my G1 is tethering.
Click to expand...
Click to collapse
That's possible as well, but it's more complicated since you'd have to adapt to changes to WiFiTether / G1Tether. Also, that app might need root, while the other approach probably wouldn't, but would only work when both devices are connected to an access point where IPs are DHCP'd statically.
Interesting problem.
d00m said:
...right. I don't think you can do cron jobs on android or host a ssh server natively but you might be able to mount debian on your sdcard and then do everything from in there. rsync is popular for this.
Click to expand...
Click to collapse
The iPod host the ssh server, I would only have to SSH from the G1 and android actually has a cron service, I can't remember what it is of the top of my head exactly.
While trying to scp I get this error:
/system/bin/ssh: No such file or directory
Click to expand...
Click to collapse
Yet I can ssh from my G1
I was wondering if there is a method to cache DNS requests? I use CM latest and was browsing around in the system folder, when i came by /system/etc/resolv.conf. Here you find the nameservers used by android to resolve DNS.
This got me thinking, because I use a DNS cache on my Ubuntu Box. Might there be a way to do this on Android, to speed up browsing regularly visited websites? Does anyone have any idea how to use a local DNS cache to speed up browsing?
Here's the deal:
- In /system/etc/resolv.conf you find 4 nameservers (4.2.2.5 - 4.2.2.2)
- Doing a ping test (count = 1000) to those, i find big differences in latency. Average was 800 on my test on 3G (I live in the Netherlands). I found this number rather large.
- On IRC, when asking this question, they mentioned porting dnsmasq to android and change nameserver to localhost
A ported version of dnsmasq is found here: http://code.google.com/p/android-wifi-tether/source/browse/trunk/res/raw/dnsmasq?spec=svn120&r=120
Copied the file to /system/bin, chmod +x the file, and this one works.
Now here's the thing:
- dnsmasq --help mentions a configurationfile: /data/local/dnsmasq.conf. This one have to be made for android
- how to configure dnsmasq so it uses the DNS servers and create a cache, thus speeding up browsing (in my humble belief)
- how to start dnsmasq on booting android (and making sure it stays alive)
And finally, does it make sense to use this kind of method? Like to apply for a think tank to make this work
That does sound like a good idea. For me it isn't just 800ms to find out the DNS but on edge rather something like about 3 seconds! this would seriously speed the whole thing up! However, how are you gonna find the IP adresses for the first time?
Well dnsmasq creates a cache, using nameservers found in the config file, if i am correct. I am looking into the dnsmasq.conf examples to see what workaround i need.. Should be pretty straightforward
resolv.conf should have nameserver 127.0.0.1, and dnsmasq should use configured nameservers like 4.2.2.5 and create a cache. Therefore apps use the dnsmasq as DNS server.
Furthermore, i am trying to find out what nameservers are the fastest. 4.2.2.2-5 are Verizon, while i am in the Netherlands. OpenDNS has a datacenter in Amsterdam, so i figured changing nameservers to OpenDNS would speed things up some more..
Even better would be unbound, though the stated overhead of ~11 MB might be too much for G1/mT3G v1.
Also, do you have to do any tricks to prevent resolv.conf from being overwritten when you switch networks? I know that usually dhclient will rewrite the file, and there's a couple of workarounds, but I have no idea which ones would work on Android.
CM builds already have a dnsmasq binary in /system/bin. It's used for tethering. You could launch it with a different config file if needed (there's a dnsmasq.conf in /system/etc already for tethering). Also, the values in resolv.conf aren't really used by much anymore unless you have stuff linked with uclibc. The resolver in Bionic uses the values of the net.dns* system properties.
cyanogen said:
CM builds already have a dnsmasq binary in /system/bin. It's used for tethering. You could launch it with a different config file if needed (there's a dnsmasq.conf in /system/etc already for tethering). Also, the values in resolv.conf aren't really used by much anymore unless you have stuff linked with uclibc. The resolver in Bionic uses the values of the net.dns* system properties.
Click to expand...
Click to collapse
Thanks for the reaction... You are right indeed, i found the dnsmasq.conf:
Code:
no-resolv
no-poll
server=4.2.2.2
server=4.2.2.3
interface=usb0
dhcp-authoritative
dhcp-range=192.168.77.100,192.168.77.105,12h
dhcp-leasefile=/data/misc/dnsmasq.leases
pid-file=/data/misc/dnsmasq.pid
user=dhcp
no-negcache
What you're saying is that i should create another one, but i am wondering what values i should use..
interface=?
Also, regarding your remark on DNS, how to see the values of net.dns* and how to change them? sysctl -n doesn't show these values, I must be looking in the wrong direction...
Hey,
You don't have to set an interface at all.
The interface delcaretion limit dnsmasq to listen only on a specific interface (for both DHCP and DNS requests).
As far as I know dnsmasq is caching dns by default you can limit the cache size and set not to cache negative queries but it will cache by default so no special settings is needed.
In addition, Dnsmasq is also function as dhcp server and if you don't want it to try removing all lines that declaring on dhcp settings.
True on that one, i want to use dnsmasq mainly on 3G
On my remark about the dns properties, already found out to use getprop and setprop
getprop shows different values on DNS compared to resolv.conf:
[net.dns1.195]: [84.241.226.140]
[net.dns2.195]: [84.241.226.9]
[net.dns1]: [84.241.226.140]
[net.dns2]: [84.241.226.9]
You need to be aware of one thing with regards to the resolv.conf file.
It is NOT USED BY ANDROID.
If you use the command "getprop", you will see several dns entries in there -- none of which matches the static dns servers set in resolv.conf. The resolv.conf is used by TERMINAL BINARIES.
zrubi said:
Hey,
You don't have to set an interface at all.
The interface delcaretion limit dnsmasq to listen only on a specific interface (for both DHCP and DNS requests).
As far as I know dnsmasq is caching dns by default you can limit the cache size and set not to cache negative queries but it will cache by default so no special settings is needed.
In addition, Dnsmasq is also function as dhcp server and if you don't want it to try removing all lines that declaring on dhcp settings.
Click to expand...
Click to collapse
might as well restrict it to the local interface
Code:
interface=lo
you can then turn off dhcp with
Code:
no-dhcp-interface=lo
I use OpenDNS on my home network which is claimed to be better than ISP dns servers. When you signup/setup you are required to input their values for dns servers, perhaps you set these values from your phone?
Not sure if Android supports this... but the easiest and least resource intensive way to do this would be to simply add your commonly used domains to the hosts file. I believe some ad blocking software used to use this to block ads.
Aside from that... Bind can be run as a caching nameserver and would probably work in conjunction with setprop to overwrite the nameserver values android tries to use...
Another interesting idea might be to run a squid cache with data stored on the SD card... this should theoretically be faster than pulling the pages over 3G, but could be memory constrained.
FWIW I did some testing with timing page loads over 3G/2G/Wifi... and I found that the bottleneck for page loads on the G1 was not in fact the speed of the network connection(3G and WiFi were virtually identical - 12Mbps cable, 2G slightly slower), but CPU time spent in rendering(well, possibly memory related as well, but the G1 is always memory constrained so its hard to tell). The biggest speed improvement I experienced was in turning off Javascript.
I also tested Stock vs Dolphin vs Steel and found Stock & Steel to have very similar numbers, with Steel having a slight edge sometimes. Dolphin was always orders of magnitude slower.
IMHO The only real way to speed up browsing on the G1 would be to utilize an external compression proxy to reduce the amount of data being sent across the network to the G1, or to rewrite the browser/Dalvik VM/whatever to be more efficient. I tried the external proxy method but couldn't seem to get it to work.
good thought...i'll tinker w/ this some
also dot folder
@equid0x Good thoughts... I used Opera on Android, which uses a compression proxy. Runs fast. Might be an idea to look into this for the native browser and abandon the idea to cache DNS.
cyanogen said:
CM builds already have a dnsmasq binary in /system/bin. It's used for tethering. You could launch it with a different config file if needed (there's a dnsmasq.conf in /system/etc already for tethering). Also, the values in resolv.conf aren't really used by much anymore unless you have stuff linked with uclibc. The resolver in Bionic uses the values of the net.dns* system properties.
Click to expand...
Click to collapse
I think I have dnsmasq playing nice w/ this config:
Code:
no-resolv
no-poll
server=4.2.2.2
server=4.2.2.3
listen-address=127.0.0.7
interface=lo
pid-file=/data/misc/dnsmasqcache.pid
user=dhcp
no-negcache
it's listening on UDP port 53 -- seems to be doing its thing..
you're right..resolv.conf doesn't affect anything I do.
but I don't see any entries like net.dns* when i
#sysctl net
What am I missing about how Bionic does things?
alapapa said:
but I don't see any entries like net.dns* when i
#sysctl net
Click to expand...
Click to collapse
Use:
# getprop
Brut.all said:
Use:
# getprop
Click to expand...
Click to collapse
Thanks.
i can:
# setprop net.dns1 127.0.0.1
# setprop net.dns2 127.0.0.1
and it uses dnsmasq for a while, then they change back to t-mobile's (seems like it happens when i change towers or it goes from 3g->edge or vice-versa
does net.dnschange have any ability to control this?
know where I can find any documentation on the dhcp process that populates these values?
edit: just tested again and the settings persisted all night. performance wasn't noticeably different than normal. I'll try to do some more scientific tests and report back..
was this project dropped? anything goin on here?
dnsmasq cpu problem
Hi Guys,
I've implemented the dnsmasq with my adhoc connection. My config file is:
no-resolv
no-poll
server=10.50.30.254
listen-address=127.0.0.1
interface=lo
pid-file=/data/misc/dnsmasqcache.pid
user=dhcp
no-negcache
addn-hosts=/data/misc/dnsmasq-host
cache-size=65536
local-ttl=86400
where the dnsmasq-host file is a copy of http://www.mvps.org/winhelp2002/hosts.txt to avoid advertising site.
After few minutes I run dnsmasq I get the cpu at 100% and the process sayd:
dnsmasq: Unknown cmd ''
dnsmasq: Unknown cmd ''
dnsmasq: Unknown cmd ''
I've tried only with few config options but the result is the same.
Do you know what is that?
TLDR: Got new phone, don't want to root now but still want to do things I needed root for. I need a non-root packet capture solution, or to decide if I should still root my new phone, or to get into development again. What is my best option? Use case below.
I have always rooted my phones which have always been as easy as 'fastboot oem unlock'. Not with ROG3. It needs an OEM tool and from what I read here I only get one chance.
After all the years though my uses of root fall into one of 3 categories: ad blocking, back up, and one specific case of packet capture.
I used AdAway for DNS level ad blocking. Private DNS with dns.adguard.com seems to be fine for that. Easy enough to set up.
Backup is with Titanium Backup. I am going to install all apps I ever had on my last phone (which has root and Ti) hoping that the stock transfer tool would pick them up and carry them over. Storage is not an issue; I have 512G. Apps I really don't care about anymore can be deleted later.
Next, my sticking point: Packet capture.
For that I have been running a tcpdump binary inside Terminal Emulator a week at a time. I am after the network traffic of one game, which I am not going to name for fear of ruining the fun. Its traffic has been in clear HTTP since I started playing in 2015. Through it I have gathered how units level up, enemy patterns in battles, and scripts for story scenes. I so enjoyed having these data that I kept playing, as long as it remains viable. My setup writes a pcap file to external storage that I can copy to my laptop for analysis. I configured tcpdump to capture only traffic to/from one IP to save space.
To get the same functionality I need a packet capture app to capture only the game's traffic, and save one pcap file per session. I tried 3 such apps and they all fall short in one way or another.
TPacketCapture captures all; app filter is its very expensive paid feature. Plus it stalls all traffic within 3 minutes of starting.
Greyshirts SSL Packet Capture splits capture by HTTP streams. Each must be selected manually for export with no option for a whole session export. Is a problem because every transaction of the game is its own HTTP stream. Is also a known beef among users and author seems unwilling to address. It keeps its data files to itself; I was only able to get them via root and they are not straight pcap, yet not difficult to figure out. It does decode the game traffic very nicely, to the point it becomes human-readable.
PCAPDroid does not save files; it only streams off its builtin HTTP server or UDP. I could not get useful capture out of it, but it is open source, so I could try adding that feature myself, hence the question of getting into development.
I did find a way to mass export data out of Greyshirts. I can use adb backup to back up that entire app's data. Then I found information on how to extract from it the data files it kept to itself. Then because those data is in a lighter format than pcap, it's actually easier for me to script a parser and work on them directly!
-- EDIT --
I found that some public wifi break if used with a private DNS.
Then for some time I totally lost adb backup functionality! I would get an empty backup even though everything else goes as expected. I resigned to defer moving that game over and set up Android Studio to start that development work I mentioned (in essence, attempt to modify PCAPDroid to save captures to external storage and add AdAway functionality).
Instead of using just the command line tools like I always have, I installed Android Studio. The SDK tools got updated along the way to 1.0.41 on SDK Tools 30.0.5 (I got the "ADB backup deprecated" message too, but the [email protected]% I care) . Then when I tried adb backup again I got my full backups again.
-- END EDIT --
I think there's my solution and I can now go without rooting. If I do need root in the future, adb backup should save the day.