Here is an idea I have thought of:
Making a GUI (root needed of course) applaction for turning on/off and managing WIFI routing. Basically, it would package the tethering script, and give the ability to see who is connect/block/etc. Possibly even mac filtering down the line.
My one main stumping block is that I would really love to get a little DHCP server running on it in the background, so that it would be much easier to manage. For instance, say I am on customer site with my coworker, and there is no net access. I would like to just allow him to autoconnect with out having to go through the process of setting up a new static ip and having him need to do that on the client side.
I went through the current linux distro on the phone, and, not surprisingly did not find dhcpd One solution that I am thinking of is to install debian, and get one that way, but that would not work too well as it would also require users to install debian and apt-get dhcpd.
Another thought that I had was to extract the files from the .deb, and include them in app, and have it just copy the files to the proper places (include shell script) then call out to dhcpd start/stop when needed.
The last option would be implementing a simple DHCP server in Java, kind of my last resort, as I am not even sure the API access to java.util.net.*
Just found this:
http://www.dhcp.org/javadhcp/
Seems to be J2SE compliant, so I am thinking (if the android JVM is compliant) it could be leveraged as a simple DHCP server. I still like the idea of using a premade linux one though
See other thread..
very cool.... dnsmasq is the way to go me things
Related
Hi,
Not sure if anyone is working on a VPN client for Android, but I think this is something a lot of people would find useful. Not sure if it is even possible to do solely from the app layer, but for folks who have rooted phones, I would think that if you can run a VPN client on linux, you should be able to run one on Android, no?
Has there been any work on this? Any thoughts on this?
Thanks
I'd love to see one. I'd be able to use it for work which would be awesome.
OpenVPN already exists
http://forum.xda-developers.com/showthread.php?t=447230&highlight=openvpn
but that is not userspace. The problem with userspace applications is that without root there is no way to add the proper routes to force traffic over the vpn.
Of course, with root you could probably write a graphical frontend to something like OpenVPN.
Geezzzz guys this is the last thing I needed. If my employer catches wind that I can run openvpn from my phone and connect in to the office network; I will never ever get any me time outside of the office. Its nice being able to claim that I am not able to find a internet connection to help do x,y,z or troubleshoot why idiot A cannot send email to idiot B.
I see that there's been a little development here:
There's a commercial product (http://mocana.com/NanoPhone-Android.html) and there's an open-source project (http://code.google.com/p/android-vpnc/), but that one sounds a little scary.
I do have a rooted phone (RC33/JF1.41). I'm wondering if someone could simply compile vpnc and the necessary libraries for the G1. Is it more complicated than that?
So how hard would it be to get vpn setup via openvpn on a rooted phone? (for someone who's not a dev, but isn't afraid to tinker)
Hey guys!
On my long and lonesome journey through the Internet, I am on the hunt for an android, cisco compatible vpn client, I realized, that a lot of open source linux-vpn-clients that are cisco compatible often require the kernel tuntap-module.
So, as I'd like to try to crosscompile vpnc (or any other vpn-client) I have to check that the tuntap-module is supported by htc dreams android linux.
I was not able to find enough information about that, so my simple question to you:
Is there a tuntap mod for android?
Thanks for your help!
z
VPN on android
Firstly, if you have debian set up it's easy to use vpnc from there. You just install vpnc ("apt-get install vpnc"), load the tun module ("modprobe tun"), setup your profile in /etc/vpnc/YourProfileNameHere.conf, and connect: "vpnc YourProfileNameHere". Then just "vpnc-disconnect" to terminate the daemon. This works great and if you want you can always run a proxy in debian, and connect to localhost from an app in android. However, for a better solution, I saw this on the forum, although I've not got around to trying it out yet myself:
http://forum.xda-developers.com/showthread.php?t=447230
Anyway, the first method most certainly works with my the Cisco VPN server my company uses. I'd imagine the second way will too, and would be all nice and native.
Hope this helps
I searched xda-developers a lot about IPv6 (Android related) but only questions, no one seamed to get it to work. Now I got IPv6 working on my Android phone and I want to share it.
Of course I can not held any responsibility for anything. I am no developer, just a user, who used Google a lot and who put a lot of single things together. Rather I am not sure why it works, but it does work.
Quick guide:
1. find out if Linux (Debian) is available for your Android phone and learn how to use it
2. find out if a tun module or a kernel with tun support exists for your phone
3. learn how to use IPv6 on Windows (if you are a Windows user) (I was happy with gogo Client at http://gogonet.gogo6.com/page/download-1) and on normal Linux (normal in meaning of running on PC) (I used miredo first)
4. learn what aiccu is and how to use it on PC
5. install Linux (Debian) on your phone
6. load the tun module (or use a kernel with tun support)
8. register aiccu
9. request tunnel at aiccu
10. install aiccu on your rooted Android phone (with tun) inside Debian chroot
11. done, test "ping6 ipv6.google.com" inside console, should work, and test in Android stock browers, it should also work!
Comprehensive guide:
First of all, before you start fiddling with Android and IPv6, which is quite tricky, I highly recommend to learn how to use IPv6 on Windows (only if you are a Windows user) and on some Linux distribution (Debian or Ubuntu recommend, as Debian is imho the most easy to get Linux for our Android phones).
On Ubuntu, which was running in VMware, I installed a package called miredo.(used this guide https://wiki.ubuntu.com/IPv6 look for miredo) It is a great piece of software. I just installed it and afterwards an apache2 webserver and the server was reachable from outside the virtual machine. Furthermore I did run another virtual machine with XP, both virtual machines, XP and Ubuntu where behind NAT (standard network configuration in VMware, setting up port forwardings is quite complicated) and also my router has a NAT and Windows firewall on host computer was also activated. Still... From the XP virtual machine I could access the apache2 running on Ubuntu. Great. You do not need VMware to learn how to use IPv6, of course, you can also use real hardware, but for me, VMware is very convenient.
Also learn what aiccu is and how to use it (https://wiki.ubuntu.com/IPv6#Get_connected_with_SixXS).
After you just learnt how to use IPv6 on normal Linux (normal refers to the normal end user version, no hacked stuff for Android) you have to learn how to use Linux (Debian) on your Android phone.
I used this guide http://forum.xda-developers.com/showthread.php?t=1254283 but you will need another guide for your phone, because this is phone specific. Google the name of your phone in conjunction with chroot, Android, Linux, Debian or search xda. It may not be possible to install Linux on all Android phones. I do not know that and I can not help you with that because I am a Linux noob. Of course, maybe you don't have to use Debian on your phone, I just like Debian because imho you'll find most informations in conjunction with Android about it and because it's more newbie friendly in general compared to other Linux distros. So maybe you prefer some other distro.
Then you need to get a tun module for your phone/kernel or a kernel with tun support for your kernel. Load the module.
You need to register for aiccu and also request a tunnel.
Afterwards, last step, install aiccu. I think I edited aiccu.conf and entered username and password.
ping6 inside Debian chroot is working for me and also in Android stock browser I can access IPv6 websites.
There are quite a lot requirements and things to learn before, I am sorry, because I can not ease this process.
Right now I also can not tell you nothing about how stable this works, how reliable it is or what the benefits are.
Update:
Working - 3g connection on phone (everything only IPv6 of course)
- apache2 webserver
- SSH server - access with Putty
- SFTP - access with FireFTP or WinSCP
Native aiccu for Android
Some time ago, I hacked together a native aiccu port for Android. I only tested it with AYIYA tunnels. It worked greatly both on Android 2.1 in a Xperia X10 mini pro and on Android 2.3 in a Galaxy Tab.
To use, copy the aiccu-android-bin.7z contents to your phone and put your config at /data/aiccu/aiccu.conf.
Please note that you HAVE to use the provided "ip" executable. The one provided with busybox is incomplete for usage with aiccu, and won't work.
The aiccu-android-src.7z contains the source code if someone is interested in hacking deeper. In particular, testing heartbeat tunnels and seeing if any changes are needed to the source would be nice. Also, cleaning up and trying to push upstream would be great.
Nice thx
Sent from my MB860 using Tapatalk
thotypous said:
Some time ago, I hacked together a native aiccu port for Android. I only tested it with AYIYA tunnels. It worked greatly both on Android 2.1 in a Xperia X10 mini pro and on Android 2.3 in a Galaxy Tab.
To use, copy the aiccu-android-bin.7z contents to your phone and put your config at /data/aiccu/aiccu.conf.
Please note that you HAVE to use the provided "ip" executable. The one provided with busybox is incomplete for usage with aiccu, and won't work.
The aiccu-android-src.7z contains the source code if someone is interested in hacking deeper. In particular, testing heartbeat tunnels and seeing if any changes are needed to the source would be nice. Also, cleaning up and trying to push upstream would be great.
Click to expand...
Click to collapse
Very nice. This simplifys the process a lot.
Unfortunately this does not work on my x8. Maybe because busybox is preinstalled with my ROM?
When I do acciu test, it complains about the ip executable. But I already copied both.
Can I get ride of the old buybox ip? Should it work on x8 as well?
T-Mobile USA has an beta native IPv6 service for ICS Nexus S and Galaxy Nexus UMTS phones. You can google the details. It is natively supported on the stock ICS software now using the UMTS network.
New solution:
https://code.google.com/p/gogodroid/wiki/GogoDroid
drawback:
needs ROM (kernel) with TUN (but any app could null that dependency)
First of all thanks for your work of putting all these information together!
I am using a Galaxy Nexus which allready has tun built in to the stock rom (ICS 4.0.4).
Unfortunately I cant get gogoDroid working. It seems it doesnt recognize the built in tun functionality.
So I tried it with the tun.ko module - no luck there neither, since there is no compiled version for the IMM76I Build :-(
Any suggestions on how to get it working anyways?
Edit: I also found another app which supports 6to4 tunneling called IPv6Config - you can find it on the Play market. Unfortunately 6to4 doesnt get thru NATted mobile networks...
Hello all !
Sorry to dig out this old thread again but here some infos about running IPv6 tunnels on a rooted Android phone.
I wrote a little app to simplify the installation, configuration and running the binaries posted by thotypous:
The app is called Androiccu and you can find it in the google market. Sorry, I'm not old enough to be allowed to post a link to it.
It's still in an early development stage but it does basically work for me and I would enjoy some feedback about success or failure.
This application downloads and installs the binaries, creates a config file with your login infos and can start and stop aiccu. All from a GUI, no need to play on a terminal.
Cheers and have fun testing.
why tunnel when you can have native ipv6 https://sites.google.com/site/tmoipv6/lg-mytouch
elgato99 said:
why tunnel when you can have native ipv6
Click to expand...
Click to collapse
Because most mobile network operators don't provide native IPv6 yet. You're among a few lucky ones that has such an operator. I'm not. When i'm at home i don't need this app as my router provides natively an IPv6 address to my phone over the wifi network. But on my router itself i have to run a tunnel as well as my provider is also not able to provide IPv6.
The biggest aim of this application is to become quickly obsolete when finally all mobile network operators will be able to provide IPv6 natively.
Best regards,
Martin
ty for info. my phone now running sixxs and route it on hostpot.
core7x said:
ty for info. my phone now running sixxs and route it on hostpot.
Click to expand...
Click to collapse
I have a sixxs tunnel. But how can I route this to wifi tethering? My ipad is connected to the wifi hotspot from the android, but the ipad can not resolve ipv6.google.com, but the android can do this.
Is there any alternative to Hamachi for WinRT (with the WinRT device being the client)..
Because RT doesn't run x86 apps, I need to VPN into a machine that sits behind a firewall with no port forwarding for RDP (remote desktop).
Therefore I want to run some VPN server on the machine so that the Surface RT can connect to the local LAN over the internet for an RDP session.
RT has the standard Windows VPN capabilities built in, I think (haven't actually tried). Third-party VPNs aren't supported without jailbreak, and won't be until Microsoft officially makes it available; WinRT apps simply do not have the permissions to create a network interface or re-route traffic (remember the days when Android VPN apps needed to be run as root? That's basically where RT still is).
Out of curiosity, if you can't forward the RDP port, why do you expect you'd be able to hit a VPN server behind the firewall? If it's just a matter of them specifically blocking port 3389, you can change the port that Terminal Services (RDP server) listens on in the registry.
You could try teamviewer, they can route the traffic through their servers so you don't need to forward a port to your pc in a firewall
hberntsen said:
You could try teamviewer, they can route the traffic through their servers so you don't need to forward a port to your pc in a firewall
Click to expand...
Click to collapse
I am planning to try that but was hoping there was also a service like Hamachi available ...
GoodDayToDie said:
RT has the standard Windows VPN capabilities built in, I think (haven't actually tried). Third-party VPNs aren't supported without jailbreak, and won't be until Microsoft officially makes it available; WinRT apps simply do not have the permissions to create a network interface or re-route traffic (remember the days when Android VPN apps needed to be run as root? That's basically where RT still is).
Click to expand...
Click to collapse
GoodDayToDie said:
Out of curiosity, if you can't forward the RDP port, why do you expect you'd be able to hit a VPN server behind the firewall? If it's just a matter of them specifically blocking port 3389, you can change the port that Terminal Services (RDP server) listens on in the registry.
Click to expand...
Click to collapse
Look up Hamachi and reread my OP
Fair point. You're not actually VPNing *into* your machine, but into a Hamachi-operated central management server. That has... interesting... security implications, but I suppose it does provide convenience (it would also be an immediate termination offense anywhere I've worked that had a firewall configuration like you describe, but that's your problem, not mine). Why can't you set up port forwarding in the firewall? Also, you did expressly state "Therefore I want to run some VPN server on the machine" where "the machine" presumably means the one behind the firewall...
The only time I've tried using Hamachi before was for "LAN" gaming over the 'net, which I decided not to do after looking at how it worked. That was long enough ago I'd forgotten the details of how it worked.
My first post still stands. There are at least two things Hamachi (or similar) would need to do that are impossible for a WinRT app (or for any software on RT without a jailbreak, really): create a network interface (we haven't even managed that *with* jailbreak, because except in the case of the semi-official driver from Pluggable we don't have any NDIS6 driver we can compile for ARM) and control a network interface from an app (there are possibly some rather hacky ways this could be done, but nothing we have right now).
Good Thank you:fingers-crossed:
Maybe someone will port Zerotier? It's too complicated for me, please help me make my life little easier
What is the best way to watch HTTPS traffic from apps now? I will collect what I have found so far, but hoping someone more knowledgeable will add some points. Feel free to correct or point out other ways of accomplishing this. It feels like regardless of the options, the root of the problems are how to get around certificate pinning.
Emulator vs Phone
This is the first question and probably the most dependent on what you want to achieve. Working on a real device gives more space between your device and the proxy which makes things easier. The extra space is costly in other ways. For example, I would prefer to have a single instance running on the computer to collect information, but using a phone is easier but has the physical requirement of a device connected to the network.
Phone
Physical separation allows for clearer testing. Fully functional device means your input and output work as expected.
Emulator - Waydroid
Emulator running on the same computer causes more complicated networking to ensure you don't block your own traffic. Troubleshooting is trickier as it's more difficult to easily access parts of the emulator that a phone is easy to access. For example, I spent much more time than I would have expected to move a VPN configuration file from my computer to the virtual machine emulator than I would have ever expected. Adding the same configuration to the phone was a simple QR code scan.
Emulator running in a virtual machine allows for a future use case of running the whole thing in the cloud without a physical device.
Proxies
As far as I know, the only way to capture the HTTPS traffic is to use a proxy. This is in the form of an application running on a separate (virtual or physical as mentioned above) device. The hardest part here is the Certificate Authority which signs the HTTPS traffic when it leaves the app. More sophisticated apps, to prevent fraud, do a variety of actions to prevent the user or 3rd parties from capturing the data in each HTTPS request.
mitmproxy
open source, link
I tried this first as it comes with Python library which would make capturing data for later analysis much easier. Mitmproxy has a few different modes, and ultimately I found that `mitmproxy --mode wireguard` which runs via VPN captured a good amount of traffic, but still had target SDK traffic unable to be opened. Mitmproxy has a built in tool to help installing the certificate in Android as a user certificate. This will capture some HTTPs traffic, but for some apps and many SDKs this does not capture their traffic. Traffic can be captured in several ways: CLI tool for analysis of live traffic in memory, CLI dump to file and in memory live in browser of choice.
Charles Proxy
free for 30 days, shareware, link
I first used Charles nearly 10 years ago, and it doesn't feel like it's changed much, but is actively maintained. When I first started using Charles it was a breeze to use, CA was less of a problem. But as Android changed it also now has the problems of CA needing to be installed, and helps the user by providing it's own signed certificate which can be installed as a user certificate. Charles is a standalone program that you run and as such it does have a fair amount of issues on my linux environment related to it's display sizes. .
Burp Suite - Community Edition
paid/free, link
Community edition that is free to use. Runs in browser and comes with it's own CA tool.
Android Certificate Authority
These are the certificates used to sign HTTPS traffic to keep it secure. In Android there are three levels: User, System (root) and App Pinned Certificates. In Android settings you can add a CA which will be considered "user". Apps can choose whether to ignore this certificate. System CAs can only be set by a root user. While a user can install user CA's, apps do not have to use these. CAs can be set by users as root certificates. I believe this must be set regardless of device or VM. The majority of the certificates provided by the proxies don't seem to open a lot of HTTPS traffic. This is likely because Android N (API level 24) certificate pinning was introduced in 2016 and at this point most SDKs and Apps use this for transferring traffic.
JustTrustMe
open source, link
This is installed on a device or emulator. An Xposed addon that can be installed to force apps to use root authorities and prevent them from pinning their own CA.
apk-mitm
open source, link
This can be installed in a separate linux environment and is used to modify an app's apk before being installed into a VM emultator or phone. It attempts to get around the app's certificate pinning by patching the APK to disable certificate pinning.
This is just my notes on what I'm looking into. I figured I'd post here to see if anyone has some advice or pointers. Please feel free to correct / add to this! Meanwhile I'll also keep my notes here if it helps anyone.
To anyone later who is interested in this topic, I was able to finally get a working solution using Magisk + LSPosed and two certificate modules which unpinned certificates and set my user certificate to system. I wrote my detailed steps here if anyone needs the help.