Database Info

Paranoia, the internet, and your phone.

This is probably not that useful unless (a) you're paranoid or (b) you need access to a secured network from your phone, however I managed to build openvpn and stunnel against bionic and the onboard openssl library. These are available at http://g1.fnord.to/crypto
OpenVPN requires root access and busybox. With this you can conceivably route all IP traffic through a server somewhere by use of the 'route' command, after the VPN link is brought up. This has been tested, and does not seem to affect phone functionality.
stunnel doesn't require root afaik so you should be able to run it from /data/local. This should allow you to encrypt web traffic at least, by setting the proxy via the 'Proxy Settings' app that's available with AnyCut.

Some how I think T-Mobile might get mad if you did this... They say they allow tethering but if you go over your 10GB limit and they can't see your traffic I would think they would want to know what is up.
Good idea and I know some people are that paranoid... but I see this getting people in trouble... or maybe it is just me.

This is GREAT. I've been looking for this since the day I got my G1. I tried to compile a statically-linked binary a while back, but it was HUGE and wouldn't do much before segfaulting at me.
This gets a 4 smilies because this is how I access my work network remotely from my desktop, and now I can access some of these servers for maintenance remotely from my phone! (I would have given it a whole row of smilies, but apparently that is frowned upon.)
Thanks a million for getting this working!
I probably won't be using it as a default route, but it can be a static route to my office servers for sure!

Just got done testing this to vpn to my workplace and it works awesome. It also routes all traffic while tethering thru the vpn tunnel route.
This has been the best reason for me to get root yet.

Wow this is dope... trying to set this up now so now I can connect to my server on the go. I hope t-mobile don't even see this cuz they will be trippin over why do you need to hide your traffic but this is great no more keeping record of wat you do. Next is gonna be p2p and I will even fell back for t-mobile network lol Thanks this great

neoobs said:
Some how I think T-Mobile might get mad if you did this... They say they allow tethering but if you go over your 10GB limit and they can't see your traffic I would think they would want to know what is up.
Good idea and I know some people are that paranoid... but I see this getting people in trouble... or maybe it is just me.
Click to expand...
Click to collapse
It would probably help for wifi usage. I never connect to public wifi with my G1 for this very reason. I have openvpn running on my router at home so I can tunnel into it when i'm wifi-ing on the go. If the G1 is in an area where there is no 3G coverage but there is public wifi, this might just be what the doctor ordered.

Can the G1 auto connect to openvpn whenever it connects to a network (via wifi), i want it to automatically poll mail for me..

The openvpn daemon is designed to autoreconnect if a keepalive ping fails. I would think if it is running in the background and you changed from Edge/3g to Wifi that it would force a reconnect situation, and it would re-establish the vpn through the new connection.
I will test this right now and get back to you

After testing, it works as expected. ~60 seconds after starting wifi I got the following message:
Inactivity timeout (--ping-restart), restarting
After that it re-established the tunnel through the new interface, and I was able to access machines at my office again.

I didn't know if anyone used a shell script to start/stop their VPN but I made the following so that I can easily start and stop it
Code:
#!/system/bin/sh
case "$1" in
'start')
modprobe tun
/data/local/bin/openvpn --config /path/to/config.ovpn --writepid /data/local/openvpn.pid &
;;
'stop')
kill -9 `cat /data/local/openvpn.pid`
sleep 2
rmmod tun
;;
*)
echo "Usage: $0 [start|stop]"
;;
esac

Instead of keepalive for timeout detection, it would be nice to have hooks called on ifup/ifdown, just like debian's /etc/network/if-up.d/*.
It would allow immediate reconnection upon switching interfaces (between 3G and Wifi for example), and also prevent a situation where an interface comes up, sets the default route, and traffic goes cleartext for 60 seconds until vpn reconnection.
I can think of a lot of other uses for such hooks. Does android offer them?
If we're certain the hooks do not exist natively, I'll find a non-polling way to provide them.

I couldn't find an android interface for ifup, so I just used the netlink notifications, via ip(8). Note that you need the real iproute2 ip binary rather than the busybox one. Probably awk as well - I didn't check since I use debian binaries rather than busybox.
Here's how you use it:
Code:
ip monitor route | awk -W interactive '/^default/ {system("/data/local/bin/ifup " $5)}'
It'll execute /data/local/bin/ifup whenever the default route is changed, and pass the interface name as $1. For 3G/GPRS the interface name is usually rmnet0, whereas for WLAN it is if<num> where num is increasing on every insmod, probably indicating a leak in the tiwlan driver.
If you want it to reconnect openvpn whenver the route changes, you should probably
Code:
killall -USR1 openvpn
for any interface other than tap0 (or whatever you call your openvpn interface).
The above method can be used for earlier events such as link-up, but I figured a default route would be the best time to start openvpn. For extra paranoia, you might want to use iptables to prevent connections to anything other than openvpn on tiwlan0, and have an "up" line in your openvpn config file to set the default route through your vpn when it comes up.
When I get around to write a nice script that does the above, I'll post it here.

How much space are we talking about using with native iproute2, awk, and other binaries? I would think the amount of space used is getting rather large. I guess that it quickly becomes a good time to start using the SD card to store apps.
I've not wanted to repartition my card, but I could always make a FS image and mount it 'mount -o loop' style.
As for instant-on, I'm not using this for paranoia like some are, so instant doesn't really matter to me nearly as much as it could otherwise.

Space requirements - I don't know how much it takes with the libs since I just use it inside a debian chroot and it's all on the sdcard. I need debian anyway, to run certain X apps, etc, so for me it's not a waste of space. Anyway, if you just build iproute2 and awk, or even your own binary that just creates a netlink socket and blocks on it, it shouldn't take a lot of space. Or, if you happen to have python on the phone, it can be done in a few lines of script instead of another binary.
Re instant on, I find it better, not just for paranoia reasons (e.g. ensuring that I never send a cleartext pop3/imap password over wlan), but also for long-running connections such as ssh. If I run them over the vpn interface, I have a fixed IP and the connections persist. If, on the other hand, I create the connection directly over 3g/wlan/gprs, it'll die as soon as I change interfaces. Therefore, I'd rather run all long-running connections over openvpn. IP mobility RFC implementation would be more efficient but as long as it's not an option, a vpn will do.
By the way, do we currently have a way to tie a script/executable to an icon/shortcut, or do you run your script from a terminal?

My understanding is there are problems running apps from a gui shortcut.
http://forum.xda-developers.com/showpost.php?p=3142661&postcount=93
I run everything I do from a terminal.

I guess we need a small loader then. Something that calls Exec.createSubprocess(), just like Term.apk does. Each app will have a symlink to this ShellLoader.apk, which will execute scripts based on the name it was executed under. Another one for the TODO list

From Term.java:
Code:
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
Log.e(Term.LOG_TAG, "onCreate");
setContentView(R.layout.term_activity);
mEmulatorView = (EmulatorView) findViewById(EMULATOR_VIEW);
int[] processId = new int[1];
if (TEST_MODE) {
// This is a vt100 test suite.
mTermFd = Exec.createSubprocess("/sbin/vttest", null, null);
} else {
// This is the standard Android shell.
mTermFd = Exec.createSubprocess("/system/bin/sh", "-", null,
processId);
}
final int procId = processId[0];
final Term me = this;
final Handler handler = new Handler() {
@Override
public void handleMessage(Message msg) {
me.finish();
}
};
Can we use Exec.createSubprocess() as in this above but call "/system/bin/su /data/local/bin/APPLICATIONNAME" to make the Superuser app prompts for root among other things?
Maybe create a user interface that lets you enter what you want in the place of '/data/local/bin/appName' and then when it creates the shortcut also asks if that application needs root?
It could be a list of shortcuts that is selected from a list then. Look like a list of bookmarks perhaps?
I don't know enough of the android environment to know how realistically we could do something like that.

looks like that code example from above is old. Current source from git looks different, but the call looks similar enough. I will play with it here shortly.

Yes, we could do that, including su, but be careful with it
Re bookmarks inside a single loader, I think we can do even better:
We can have a single application called Loader, and call it with different parameters using AnyCut. AnyCut has a "make your own shortcut" option, where you can provide Action, Data and Type. I'm not familiar with the Android environment yet, but I guess the Action can point to the loader, and the Data can be a script name to be executed. This way, a single .apk can be used for starting many native programs.
If implemented that way, I suggest stripping slashes from Data and prepending with /data/local/scripts/ or a similar directory, so that it can only execute scripts the user meant for it to run, rather than arbitrary shell commands. /data/local/scripts/ can contain symlinks to scripts/apps the user wishes to execute from the Android interface. It's more secure that way, while retaining usability.
Makes sense?

Certainly does. You wouldn't want someone to be able to 'rm -rf /' or anything like that.
I think I like restricting it to /data/local/scripts and forcing us to symlink or place any scripts we want to be able run in that path.
Also agree with stripping slashes. There might be other sanitizing that we would want to do to keep malicious actions from being performed.
I would think strip any special characters that have special meaning to the shell * | < > ` etc. If we want to do anything that requires these, we put it in whatever shell script and then just call the script.
Maybe the best route is to just scan the /data/local/scripts folder and allow the user to select from a list.
In any case, whoever does this already has root, so it is just as easy to launch a terminal and break everything from there.
Just a few brainstormed thoughts.

dhcpd on Android/ARM

Has anyone tried compiling dhcpd for Android/ARM? I'm working on a Wireless Router application for Android, and having the phone be a dhcp server would make PC setup really easy.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/

No, but if you get it working, I'd gladly pay (for the program, not dhcp ).
Is it possible to set it up to a non-adhoc wireless access point? My WiFi card doesn't work for adhoc under Ubuntu :/.

I've been using dnsmasq, works great..

Any reason why you want to use the source from openbsd?
You can get DHCP server from here:
https://www.isc.org/downloadables/12
It's currently compiling on my phone but everything looks good so far.
I guess you could also the udhcp from the busybox project. I think it's smaller.
http://udhcp.busybox.net/

npace said:
Any reason why you want to use the source from openbsd?
You can get DHCP server from here:
https://www.isc.org/downloadables/12
It's currently compiling on my phone but everything looks good so far.
I guess you could also the udhcp from the busybox project. I think it's smaller.
http://udhcp.busybox.net/
Click to expand...
Click to collapse
Oh, awesome! I didn't realize busybox had a dhcp daemon. Linux/ARM is supported too, and it seems to be running fine. I'll make sure it's actually working now.

Bleh, dnsd isn't working properly. Might need to compile within the Android build environment. (None of the busybox networking related commands seem to work, even basic ones such as nslookup.)
Basically what I'm trying to do is have the phone be a DNS, DHCP, and gateway server, so that the PC connection setup is painless: just associate with a the phone's ad hoc network.

What's the busybox's default pass? Mine seems to have it, but I can't figure it out.

Koush said:
Bleh, dnsd isn't working properly. Might need to compile within the Android build environment. (None of the busybox networking related commands seem to work, even basic ones such as nslookup.)
Basically what I'm trying to do is have the phone be a DNS, DHCP, and gateway server, so that the PC connection setup is painless: just associate with a the phone's ad hoc network.
Click to expand...
Click to collapse
did you try the udhcpd applet in busybox?

JesusFreke said:
did you try the udhcpd applet in busybox?
Click to expand...
Click to collapse
Nah, failed with a bunch of errors and I didn't bother looking into it further:
Code:
busybox udhcpd -f
udhcpd: /etc/udhcpd.conf: No such file or directory
udhcpd (v1.12.2) started
udhcpd: can't open '/var/lib/misc/udhcpd.leases': No such file or directory
udhcpd: is interface eth0 up and configured?: No such device
The missing files ones are obviously fixable, but the last one about the eth0 I have no idea about.

Koush said:
Bleh, dnsd isn't working properly. Might need to compile within the Android build environment. (None of the busybox networking related commands seem to work, even basic ones such as nslookup.)
Basically what I'm trying to do is have the phone be a DNS, DHCP, and gateway server, so that the PC connection setup is painless: just associate with a the phone's ad hoc network.
Click to expand...
Click to collapse
I'm a little confused about what you're trying to do here. In page 5 of the iptables thread, alansj has a script that will setup the wifi connection, forward the traffic using iptables and enable dnsmasq to serve as a DHCP server. (rale00 also deserves credit for building dnsmasq and the original script)
If I'm missing something here, what is it that you want to do differently?

Koush said:
Nah, failed with a bunch of errors and I didn't bother looking into it further:
Code:
busybox udhcpd -f
udhcpd: /etc/udhcpd.conf: No such file or directory
udhcpd (v1.12.2) started
udhcpd: can't open '/var/lib/misc/udhcpd.leases': No such file or directory
udhcpd: is interface eth0 up and configured?: No such device
The missing files ones are obviously fixable, but the last one about the eth0 I have no idea about.
Click to expand...
Click to collapse
You need a udhcp.conf file like this one:
http://udhcp.busybox.net/udhcpd.conf
Then you'll need to change the interface from eth0 to whatever the wifi one is... do 'ifconfig' with your wifi on and you'll see the interface name.

[INFO] OpenVPN

I just got OpenVPN working and thought I would share:
Rooted
Installed tun.ko
http://forum.xda-developers.com/showthread.php?t=1063656
Note: Skip this step if you are running Prime or any other ROM with the tun.ko module pre-installed.
Installed BusyBox using BusyBox Installer (Market). Installed to /system/xbin
Installed OpenVPN using OpenVPN Installer (Market) to /system/xbin
Installed OpenVPN Settings (Market)
Replaced OpenVPN binary with the one from:
http://code.google.com/p/android-openvpn-settings/issues/detail?id=26
UnBZ2'ed the file (I used 7-Zip on Windows for this)
adb remount
adb push openvpn-static-2.1.1 /system/xbin/openvpn
adb shell
chmod 555 /system/xbin/openvpn
Created /system/xbin/bb directory (requested in research I did, not sure if required)
mkdir /system/xbin/bb
Symlinked Busybox ifconfig and route /system/xbin/bb
ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
ln -s /system/xbin/route /system/xbin/bb/route
Set up my usual OVPN config (configs must have absolute paths to certs!)
OpenVPN settings > Advanced > Load tun kernel module ON
OpenVPN settings > Advanced > TUN module settings
Load module using > insmod
Path to tun module > /system/lib/modules/tun.ko
I think this is everything I did, there was a bit of trial and error so I may have forgotten something.
Checked and the thing still boots afterward

Thanks a lot , will report back when i try it.

I get
insmod: init_module '/system/lib/modules/tun.ko' failed (Exec format error)

Assuming you have installed BusyBox, check the md5sum of your tun.ko:
# cd /system/lib/modules
# md5sum tun.ko
Response should be (or at least this is what I get):
7e09817dc4661b732f1a77fff76a10e6 tun.ko
If you don't get that response, I suggest you re-download the tun module, decompress it again and re-push it to your Transformer.

Busybox is installed. Tried both installers and both versions.
Md5sum is right.
Any other ideas?

Are you running stock? If you are running a different kernel the module probably won't work.

Thanks worked a treat

thanks works perfect

I am getting my Transformer within a week. Can't wait to get this going on the device... Thanks a ton!

It's running and connected but my IP is still showing up as my regular ISP 3G IP when I open a browser and go to www.ipchicken.com
Any idea why the traffic doesn't appear to be routing through it?
It shows as 100% connected and the key icon is white in the taskbar...

duckdown said:
Any idea why the traffic doesn't appear to be routing through it?
Click to expand...
Click to collapse
The default behaviour of OpenVPN is not to install a default route pointing out of the tun interface, unless the system you're connected to has IP forwarding and NAT enabled this wouldn't work anyway.
I can't post links, so google "openvpn config" and go to the first link. Look for the section titled: "Routing all client traffic (including web-traffic) through the VPN."

Hey man, thanks for the reply.
The directions said to add this line to the config file
Code:
push "redirect-gateway def1"
But I've done that and it still doesn't seem to be doing anything.. IP is still showing up as my regular 3G network
Am I doing something wrong or omitting a step that you can notice?
Thanks again for the help

Oh, hm, on second look it wants me to add that line to the SERVER's config file.
I have no access to the servers config file -- I pay $4 a month for my VPN and do not run the OpenVPN server myself.
Is there anything I can do from the client side?
It works perfectly fine in Windows, routing all traffic through the VPN as it should..

duckdown said:
Oh, hm, on second look it wants me to add that line to the SERVER's config file.
I have no access to the servers config file -- I pay $4 a month for my VPN and do not run the OpenVPN server myself.
Is there anything I can do from the client side?
It works perfectly fine in Windows, routing all traffic through the VPN as it should..
Click to expand...
Click to collapse
You might actually be able to just use the "redirect-gateway local def1" line in your own config, as I understand it the "push" directives in the server conf are just sending config to the clients which could just as easily be done client side. I might be wrong, but it's worth a go. Otherwise you can set up routes in the client config too, but you may have to remove your existing default route via some scripting or something.

duclicsic said:
You might actually be able to just use the "redirect-gateway local def1" line in your own config, as I understand it the "push" directives in the server conf are just sending config to the clients which could just as easily be done client side. I might be wrong, but it's worth a go. Otherwise you can set up routes in the client config too, but you may have to remove your existing default route via some scripting or something.
Click to expand...
Click to collapse
This is correct, I have this and the exact same conf works fine on my desktop.
However on my tablet no data gets routed. Also my tray is getting spammed with "Connected".

Kevincod said:
This i correct, I have this and the exact same conf works fine on my desktop.
However on my tablet no data gets routed. Also my tray is getting spammed with "Connected".
Click to expand...
Click to collapse
+1
10chars...

I forgot the part with the modified openvpn, I replaced the binary and the routing works great now, however I still get spammed with "Connected" in the tray.
Seems to be a common issue: http://code.google.com/p/android-openvpn-settings/issues/detail?id=74#c0

I can't get the traffic to go through the VPN for the life of me.. This thing is mental

Check out thread 1118465, in The general section. Found that /system/bin/ip was not setting up route/gateway correctly, and openvpn was not using the busybox ip
fix: mv /system/bin/ip /system/bin/ip.bay
This then forces use of busybox ip. Worked for me.

PowellEB said:
Check out thread 1118465, in The general section. Found that /system/bin/ip was not setting up route/gateway correctly, and openvpn was not using the busybox ip
fix: mv /system/bin/ip /system/bin/ip.bay
This then forces use of busybox ip. Worked for me.
Click to expand...
Click to collapse
We had to do the same thing to get Cisco VPN working. the system IP was not routing properly, so renaming it forced using the busybox IP

[Q] Android VPN configuration, through ADB?

Hello
I would like to configure multiple (let's say 100) devices with VPN settings.
Configuring the devices one by one manually is something that I want to avoid.
I do not have any MDM software.
Devices are Android 4 and possible 2.3-3.
Questions:
- Where are the VPN settings located?
- Can I edit the settings with ADB/sqlite3
- Are root rights needed?
- Is it possible to change settings from application (if I would create VPN config app for this purpose)?
Any links to the documentation or examples are appreciated, couldn't find these with google.

from the terminal in a rooted g1.
> adb shell
# sqlite3 /data/data/com.google.android.providers.settings/databases/settings.db
sqlite> INSERT INTO system VALUES(99,’http_proxy', 'proxyort');
sqlite>.exit

wilsonj said:
from the terminal in a rooted g1.
> adb shell
# sqlite3 /data/data/com.google.android.providers.settings/databases/settings.db
sqlite> INSERT INTO system VALUES(99,’http_proxy', 'proxyort');
sqlite>.exit
Click to expand...
Click to collapse
Thanks, but system table does not contain any VPN settings.
I have manually configured couple on VPN connections from settings, but cannot find those from settings.db.
Do you know which database and table contains VPN settings?
Regards,
Kimmo

I am not that much technical but what i have understood from your question is that you are willing to use your android devices instantly on 100 devices i guess! well the simple way of doing this is going through router because it will absolutely safe your time from configuring it on each device. however, you did not mention that are you willing to use from your home/office or plan to use it while travelling as well.
The best thing what i can recommend you is to go with a business vpn which will give you access to 100+ vpn accounts.
The best option will be to use router which will safe you from the hazel of setting again and again...

Thank you for you answer. You did not understand my question, which basically is:
- how to configure VPN settings using sqlite3

working

[MOD] DNS Server for Android - Notable speed increase

Hi,
This is a potential game changer, DNS server for Android, the open source, DNSMasq and some specific config files for it.
It runs on your Android device and you point your DNS queries to it instead of your remote ISP DNS server.
Using this setup will speed up your Android online experience many fold because DNS (specially over 3G) is one of the slowest blocking components of the entire browsing activity.
Features/Points to note -
- Caching, multithreaded. The replies from the cache are instantenous, hence browsing speed is enhanced significantly
- Query multiple DNS servers simultaneously. Fastest reply is used. Hence redundancy is also achieved along with speed. Currently set to Google DNS servers, Open DNS servers and your home Wifi router. Best not to use more than 5.
- Works with all versions of Android from 1.5 -4.x and all Android phones and tablets
- You can add your ISP's (both 3g and home) DNS servers to /data/local/dnsmasq.conf.
- Don't use your ISP's servers (and remove your Wifi router) if anonymity is a concern.
- Can help circumvent DNS restrictions.
- If your home router has DNS and an IP other than 192.168.1.1, you can change the entry in /data/local/dnsmasq.conf
- It may not start automatically if your ROM doesn't have init.d support. In that case and in either case, you can download SManager and set /etc/init.d/97dns to 'su' (run as root), 'boot' (run on boot) and 'net' ( run on network change)
- To make it stick all the more, you can download SetDNS and enable it and set the DNS server to 'Custom' -> 127.0.0.1 primary and 8.8.4.4 secondary ( backup Google DNS in case DNSMasq is not running for some reason). Make sure that you have Wifi and 3G options checked.
- Will significantly speed up your tethering experience if you set your DNS server to the Android phone and to use this DNS server. Currently the dhcpd option is disabled. You can either enable it or tell your tethering DHCP software to send DNS server=192.168.x.x ( or your Android phone IP) to your PC.
- Block Ads with the MVPS HOSTS file located at /data/local/dnsmasq-host
- VPN connections with and without split tunneling are supported. Check out commented sections in config files. Can use different DNS servers for different domains.
- You need to use this version of DNSMasq. Others ( eg those distributed with most ROMs) have a runaway CPU problem or don't work without the -d (debug) option. Any help resolving those issues welcome.
- You'll need root and su. busybox optional. Simply run Install.bat to install it and configure it automatically. Then make it stick with SManager and SetDNS as mentioned above.
- It's not mine, I just found the correct version and configured it.
- Enjoy! Please click the Thanks button if this helps you.
25th May - Fixed bug where Wifi DHCP wasn't working

Any idea why this breaks my native tether on an og evo 4g on team dirt cm9 port?

Is it necessary to use the install.bat from a pc to make this work or can I just add the dns script to the init.d folder?

Firstly, thank you.
I am trying to manually setup this so I can use some dns redirection (using the --server option) but when I run the install.bat file, it breaks tethering (which uses dnsmasq as well). Would you please help me out understanding what steps the script did to get it running?

Hi,
I think that this version of DNSMASQ may need some different startup options to support dhcp. I have specifically disabled dhcp in the config file.
Or it (dhcp) simply may be compiled out of the binary and it currently may not be usable for both DNS and DHCP.
YMMV. BTW the install script backs up the dnsmasq binary so you can replace it with the backup in case of any issues.
Cheers.

I will try this one if it'll bring any good to my connection. Thanks.