Setting up OpenVPN on VPS server, and on ICS/GB clients - Android Software/Hacking General [Developers Only]

Warning: This configuration no longer works for me. Try at your own risk.
Who is this for?:
People who are comfortable installing servers but still need a little bit of spoon-feeding at times. People who already have a VPS and want to use it as a VPN for privacy purposes or to bypass a firewall. If you don't use ICS, your phone needs to be rooted.
I just spent a few hours figuring out VPN issues and want to share the fruits of my labor. This is for people with a server who want to set up both the server and the client. Goal: route all your internet traffic through your server when the VPN is active. You need a VPS or dedicated server to do this. I went with OpenVPN because PPTP VPNs don't work with some ICS roms. I don't know a lot about networking issues, so I can probably help with some linuxy-server setup issues, but a lot of networking is beyond my grasp.
Server config:
The hard part was the server config, which I found helpful information for on two pages. OpenVPN must be installed, and then you must generate keys and a little bit of data for the server. I used instructions here (but if you search for "server generate openvpn keys", there should be a lot of tutorials). On my system the "init-config" command didn't exist, so I basically skipped that step. When finished, copy client1.crt, client1.key, and ca.crt to the phone.
I had a really hard time with the config file, but this little bug report was a fantastic resource. I ended up with the following config file:
Code:
dev tun
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
verb 5
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
comp-lzo
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
The DNS servers I'm using are google's. OpenDNS would be another good choice.
ICS instructions:
Install OpenVPN for Android. Open it, click "All your precious VPNs", add one and configure it. In the "basic" section, choose your server's hostname. For "type", choose "Certificates". Below that, select "ca.crt", "client1.crt", and "client1.key" in order. (Choose them with the file picker then press the "Select" button.) These are the files you generated on the server and copied to the phone. No other options need to be changed. Press "back" to save and touch the name of the configuration you've created. Enjoy your VPN-based browsing!
Gingerbread instructions (or ICS if you like pain):
Your device needs to be rooted with busybox and kernel tunneling capability. If you're running a popular rooted ROM, you probably have all you need. Install OpenVPN Installer and OpenVPN Settings. Run OpenVPN Installer and install the OpenVPN executable (please read the instructions--this may not work if your phone does not have the file /system/xbin/busybox).
Remember the files I told you to copy to your phone? Put them in /sdcard/openvpn/. Here's the client configuration file I used, which you should save as /sdcard/openvpn/openvpn.conf:
Code:
remote YOUR-SERVER.com
dev tun
client
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
mute-replay-warnings
Then open the OpenVPN Settings app and check the two checkboxes to start the server and start the tunnel. Enjoy your VPN-based browsing!
To check whether it worked:
Use a browser to visit whatismyipaddress.com. The result that's displayed should be the IP address of your server.

Any way to make this work with http://tunlr.net/

Sorry, Tunlr.net is not related to OpenVPN.

Related

[APP][4.0+][v1.11 - 20150221] OpenConnect - SSL VPN client for Cisco AnyConnect

Highlights
100% open source (GPLv2+)
No ads
One-click connection (batch mode)
Supports RSA SecurID and TOTP software tokens
Keepalive feature to prevent unnecessary disconnections
Compatible with ARMv7, x86, and MIPS devices
No root required
Based on the popular OpenConnect Linux package
Click to expand...
Click to collapse
Requirements
Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
An account on a suitable VPN server
Click to expand...
Click to collapse
Downloads
Binaries are attached to this post under the downloads tab.
Google Play: https://play.google.com/store/apps/details?id=app.openconnect
Source code: https://github.com/cernekee/ics-openconnect
F-Droid: https://f-droid.org/repository/browse/?fdid=app.openconnect
Click to expand...
Click to collapse
(note that the F-Droid binaries are signed by a different key than the official releases)
Changelog
Code:
v1.11 - 2015/02/21
- Fix "Unknown compression type 0" errors when CSTP and DTLS use
different compression settings
Older changelogs:
Code:
v1.10 - 2015/02/08
- Fix CSD script problem on Lollipop (bug #1)
- Fix IPv6 address display on status window (bug #2)
- Enable LZ4 compression support
- Identify as a mobile client when Android or iOS is selected
- Update to OpenConnect v7.04+, GnuTLS 3.2.21
v1.02 - 2014/09/02
- Fix regression on certificate handling
v1.01 - 2014/08/29
- Add Spanish translations (thanks to teosoft)
- Fix regression on CSD scripts starting with "#!/bin/sh"
- Improve error messages on broken ROMs that throw exceptions when
starting a VpnService
- Fix intermittent fragment-related crashes on ICS
v1.00 - 2014/08/10
- Fix problems storing >8kB certificates on some ROMs
- Clean up seldom-used menu items and move some options into General Settings
or About
- Integrate Xposed module for bypassing the VPN confirmation dialog
- Switch to ACRA for problem reporting
v0.96 - 2014/07/06
- Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
https://code.google.com/p/android/issues/detail?id=70916
- Fix navigation anomalies (weird Back button behavior) seen after
re-entering OpenConnect from one of the Notifications
v0.95 - 2014/06/14
- Show the auth dialog <message> text in case it contains useful information
- Add German translations (thanks to Ingo Zansinger <[email protected]>)
- Add Chinese translations
- Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
- Clean up a bunch of lint warnings and unused strings/files
- Try to generate a human-readable profile name when adding a new VPN
v0.91 - 2014/06/01
- Fix bugs involving saved authgroups
- Fix batch mode error handling
- Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466
v0.9 - 2014/04/26
- Add new "Send feedback" screen
- Add new "SecurID info" screen for RSA soft token users
- Allow changing settings and using other menu options (about, SecurID,
send feedback, etc.) while connected
- Update FAQ and provide some links to relevant XDA posts
v0.81 - 2014/04/06
- Fix potential issue recognizing certificates stored in VPN profiles
created with <= v0.7
v0.8 - 2014/04/02
- Fix hangs after reconnect if DTLS is disabled
- Fix incorrect storage of PKCS#12 certificates
- Remove unnecessary passphrase prompts on unencrypted certificates
- Add a workaround for ASA certificate request quirks
- Fix FC when attempting to import an OpenVPN profile
v0.7 - 2014/03/08
- Update GnuTLS to address CVE-2014-0092
- Fix FC and other misbehavior on IPv6 connections
- Update to libopenconnect 5.99+
- Fix/delete several broken translations
- Minor improvements to the auth form UI
- Switch curl from OpenSSL to GnuTLS and remove advertising clauses
v0.6 - 2014/02/09
- First release in Google Play Store
- Change to new "big O" launcher icon
- Avoid displaying error alerts if the user terminated the connection
- Try to make the libopenconnect build process more robust, and strip *.so
files to conserve space
v0.5 - 2014/02/01
- Fix "living dead" connections (can't pass data after reconnection due to
DTLS parameter mismatches)
- Add FAQ tab in response to user feedback
- Move log window into a tab
- Reorganize action bar so that the most important items (Status/Log/FAQ)
are tabs, and less important items (Settings/About) are in the menu
- Fix KeepAlive socket errors on KitKat devices
- Other UI and documentation fixes
- Add split tunnel configuration options
- Improve icons
v0.2 - 2014/01/18
- Allow SecurID token import via URI or text file
- Newly reworked "status" tab with uptime, error alerts, IP addresses,
etc.
- Fix a couple of bugs involving screen rotation / activity redraw on
the log window
- Prompt for hostname instead of profile name when adding a new VPN, to
help avoid "empty hostname" mistakes
- Numerous other UI improvements and fixes
- Remove "reconnect on boot" until it works properly
- Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"
Click to expand...
Click to collapse
FAQ
Q: What is this app used for?
A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.
If in doubt, check with your I.T. administrator to see if a suitable service is available.
Q: How do I get started?
A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.
Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.
Q: How do I authenticate using an SSL client certificate?
A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:
P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.
Single PEM/CRT/CER file: same as above.
Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.
When finished, delete the certificate files from external storage so they cannot be stolen by other apps.
If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.
Q: Will OpenConnect work with non-AnyConnect VPNs?
A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.
Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?
A: OpenConnect supports SSL VPN (CSTP + DTLS) only.
Q: How do I import a SecurID software token?
A: If you have an URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string then write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.
If you have an "sdtid" XML file, copy it to /sdcard and then import it.
Q: Is it possible to skip all login prompts when connecting?
A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.
The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.
Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.
Q: How do I improve battery life while the VPN is up?
A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.
Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.
Q: How do I use OpenConnect with AFWall+?
A: There are a few caveats to keep in mind when using an Android firewall with VPN:
* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.
Q: Are any apps incompatible with VPN?
A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.
Q: Under what circumstances will OpenConnect request root?
A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.
Based on user feedback and testing, future releases may autodetect these conditions.
Q: How do I send a problem report?
A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.
Click to expand...
Click to collapse
TODO
Translations - I will set up the necessary infrastructure if there are volunteers
Compatibility testing
Add x509 certificate parsing/validation in the profile editor
Enable Android keystore support
Proxy support
Split tunnel DNS?
Click to expand...
Click to collapse
MISC
Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link
XDA:DevDB Information
OpenConnect, App for the Android General
Contributors
cernekee
Source Code: https://github.com/cernekee/ics-openconnect
Version Information
Status: Testing
Created 2014-01-18
Last Updated 2015-02-21
hello cernekee,
I was using smoothconnect on my note3 and It was working just fine, but now after I update my note3 to kitkat it surfs only couple of things like "play store", google search, and whatsup. but all other web sites and programs do not!!
now I tried out this program "open connect" with some hope but nope, I does the same thing. It only opens play store and google search but no other things.
I wonder what cause this problem, any suggestions please??
msm88now said:
hello cernekee,
I was using smoothconnect on my note3 and It was working just fine, but now after I update my note3 to kitkat it surfs only couple of things like "play store", google search, and whatsup. but all other web sites and programs do not!!
now I tried out this program "open connect" with some hope but nope, I does the same thing. It only opens play store and google search but no other things.
I wonder what cause this problem, any suggestions please??
Click to expand...
Click to collapse
Sometimes an MTU or TCP MSS problem could cause this symptom. What kind of gateway are you connecting to? Are you the admininstrator?
Older versions of KitKat did have an MSS problem; I think 4.4.1+ is OK: https://code.google.com/p/android/issues/detail?id=61948
There are a few other outstanding problems on <= 4.4.2: http://www.androidpolice.com/2014/0...n-routing-fixes-are-planned-for-some-of-them/
Do you see the same problem connecting from other systems, like a Windows PC, or even the Cisco AnyConnect Android app?
Hi cernekee,
I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
Cisco AnyConnect for andriod does not work on our university network because it asks for a certificate which my uni does not provide. that's why I'm using smoothconnect.
anyways, right now I have a flawless connection on my all devices on my room's wireless like my both Win7 laptops and my galaxy S2 andriod 4.1.2.
all work except my note 3 after I updated it to (4.4.2). I don't know if it's a IPv6 or MTU problem,
I tried to decrease MTU value in smoothconnect but with no success. as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
any suggestions please???
msm88now said:
Hi cernekee,
I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
Cisco AnyConnect for andriod does not work on our university network because it asks for a certificate which my uni does not provide.
Click to expand...
Click to collapse
I don't see this university's VPN requesting a certificate (i.e. SSL client cert). It just asks for a group/username/password.
Are you getting an error that says that the gateway is not licensed for mobile, after you enter your password?
that's why I'm using smoothconnect.
anyways, right now I have a flawless connection on my all devices on my room's wireless like my both Win7 laptops and my galaxy S2 andriod 4.1.2.
all work except my note 3 after I updated it to (4.4.2). I don't know if it's a IPv6 or MTU problem,
I tried to decrease MTU value in smoothconnect but with no success. as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
any suggestions please???
Click to expand...
Click to collapse
Can you grab a packet capture when you're seeing the connectivity failures, and email me the result? e.g.
Code:
adb push tcpdump /data/local/tmp
adb shell
cd /data/local/tmp
su
chmod 755 tcpdump
./tcpdump -n -i tun0 -w out.pcap
yes that's right, Cisco anyconnect asks only for username/ password but when I try to start a connection it ends up with no license error!
that's way I'm using smoothconnect and now openconnect on my both andriod phones.
now for my problem, I didn't get what do you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2 neither on smoothconnect nor on openconnect. it connects as usual and I can see some traffic packets are being transfered but I can only surf google serch, youtube and some other stuff like play store and whatsup. whenever I try to surf any other website like for example bbc news the browser( chrome, opera, Dolfin..) just waits and then ends up with nothing like there is no internet connection!
did I explain my problem clearly? is it an Ipv6 problem? I'm really confused and frustrated
msm88now said:
yes that's right, Cisco anyconnect asks only for username/ password but when I try to start a connection it ends up with no license error!
Click to expand...
Click to collapse
OK. This is because the Cisco mobile clients look for an "X-CSTP-License: accept" header from the gateway after authenticating, to see if the operator has paid extra to support the Cisco mobile client. libopenconnect-based clients (including SmoothConnect) do not require this header.
now for my problem, I didn't get what do you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2 neither on smoothconnect nor on openconnect. it connects as usual and I can see some traffic packets are being transfered but I can only surf google serch, youtube and some other stuff like play store and whatsup. whenever I try to surf any other website like for example bbc news the browser( chrome, opera, Dolfin..) just waits and then ends up with nothing like there is no internet connection!
Click to expand...
Click to collapse
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
cernekee said:
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
Click to expand...
Click to collapse
Hi,
I don't know how to make Tcpdump on my note3 not to mention hitting the control-c on andriod. what instruction did you mean?
msm88now said:
I don't know how to make Tcpdump on my note3 not to mention hitting the control-c on andriod. what instruction did you mean?
Click to expand...
Click to collapse
Do you have a friend who is familiar with ADB, rooting phones, etc. who might be able to help out in person?
You could also try something like Shark for Root, or follow this video. Make sure you capture on the tun0 interface so that we can see what is happening on the VPN tunnel. If you capture from the wifi interface you'll still see traffic, but everything will be encrypted so it will not be possible to diagnose the failure.
I got it. first I rooted my note3 then I followed the instruction in the video and here it is, I hope it's what you asked me for. waiting for your diagnosis, fingers crossed
msm88now said:
I got it. first I rooted my note3 then I followed the instruction in the video and here it is, I hope it's what you asked me for. waiting for your diagnosis, fingers crossed
Click to expand...
Click to collapse
According to this trace (partial screenshot attached), the Note 3 is advertising an MSS of 1460 bytes on IPv4 TCP connections. This looks abnormally high for a VPN interface; the other direction is using an MSS of 1380, which looks more realistic. The MSS for IPv4 would normally be the tun0 MTU minus 40 bytes. I am assuming this means the MSS is being computed from the 1500-byte wlan0/eth0 MTU, not the smaller tun0 MTU.
When Google fixed the MSS bug in Android 4.4.1, they left the following comments in the changelog:
Code:
commit ca5b4e8d0d8219273ecf0961ed6e8c47ab5d798a
Author: JP Abgrall <[email protected]>
Date: Wed Nov 20 17:27:01 2013 -0800
SecondaryTableController: force the MSS to match pmtu on TCP SYN
Without this change, the VPN sets up a tun/ppp that needs a small
MTU, and during TCP SYN the MSS will end up matching the outgoing iface
MTU which is potentially too big.
This leads to connection flakiness. The wrong MSS is visible by
tcpdump-ing on the tun/ppp device.
With this change, the MSS now is correct.
[b]It requires the kernel to be configured with
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
If kernel is not configured, it silently fails.[/b]
Bug: 11579326
Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
cernekee;
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2) said:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
[/code]
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
Click to expand...
Click to collapse
as you can see in the attachment I applied the code with no error message. so in this case I assume I have no problem with the kernel? right?
then what causes the problem? and what can I do in order to solve it?
msm88now said:
as you can see in the attachment I applied the code with no error message. so in this case I assume I have no problem with the kernel? right?
then what causes the problem? and what can I do in order to solve it?
Click to expand...
Click to collapse
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Code:
su
iptables -t mangle -nxvL
cernekee said:
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Click to expand...
Click to collapse
here is the output after some bad sites access, I also repeated the provisos code during an openconnect session. hope it will help us.
msm88now said:
here is the output after some bad sites access
Click to expand...
Click to collapse
Hmm, on my KitKat device I have an st_mangle_POSTROUTING chain which does the TCPMSS clamping:
Code:
Chain st_mangle_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
I did not see this in your output. Maybe Samsung is using an outdated version of netd.
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
Code:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If not, post the new "iptables -t mangle -nxvL" output so we can look at the traffic counters.
Also can you attach your /system/bin/netd binary?
Thanks.
cernekee;
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
[code said:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Click to expand...
Click to collapse
are kidding me!! it really worked. after I run the the code I tried to access all the bad sites and all of them worked!! but not as fast as my other mobil SG2. I noticed that it takes noticably much longer to access them. but still, It worked and It's fantastic!!
any ways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. now could you tell me what is my phones problem exactly? despite the re-entering issue I'm very happy that I finally can use internet on my note3 again thanks to you cernekee.
msm88now said:
any ways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. now could you tell me what is my phones problem exactly?
Click to expand...
Click to collapse
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
cernekee said:
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
Click to expand...
Click to collapse
here I attached them.
I posted a problem report on Samsung's support forum:
http://developer.samsung.com/forum/...&messageId=259244&listLines=15&startId=zzzzz~
Works like a charm with the lastest Slimkat on Nexus 4. Thanks a lot !
Just add a widget to one click connect from the launcher and it will be the best VPN apps that I've use.
Today I've a Tasker task to launch Anyconnect with uri and simulate touchs screen to automate my connection.
@ edit :
Is there a way to don't have the attached screen ?

[App] DHCPv6 Client

Hi everyone,
What is this?
This is a DHCPv6 Client for Android.
Motivation
Google doesn't support DHCPv6. See: https://code.google.com/p/android/issues/detail?id=32621
This is an issue for a lot of people especially for corporations and universities because they need control over the IPv6 addresses they distribute.
I did some research and found out that Fairphone already has support for DHCPv6, they achieve this by implementing the wide-dhcpv6 client and added some own scripts around it.
This gave me the idea to play a little with this client. I did so and the result is this app.
Basically it is an implementation of Fairphone's DHCPv6 solution for every rooted Android phone and not just Fairphone.
Workflow
Broadcast Receiver for CONNECTIVITY_CHANGE (invoked when connectivity is changed)
Check if /system/bin/dhcp6c <interface> is running (this is the master process) if not then invoke it
Sending a signal with /system/bin/dhcp6ctl to the master process to get an IPv6 address (dhcp6ctl -C start interface <interface>)
Why is root required?
Root permissions are required for the DHCPv6 client to work because it binds to port 546.
Permissions
root - see above
access network and wifi state - catching network changes
internet - for checking if internet is available and getting a list of all interfaces available
billing - for donation
Get the app
Simply download it from the app store: Download from Google Play Store
Source Code
DHCPv6 Client for Android on GitHub
-realm_01
hostname/domain name support?
Installed this on my android TV media box, and it now connects to my DHCPv6 server as expected, and a lease is registered, however it does not supply a host name or domain name. The domain name is advertised by my router, and also supplied as option in DHCPv6 scope.
Are these an android problem, or the DHCPv6 client?
Almost working...
Hi !
Thanks for the app. Android really needs this. I'm trying to use it on Motorola XT1058 running Lollipop. I can see in the packet capture of my router (OpenWrt) that the DHCPv6 transaction is working and my router is giving out statefully assigned IPv6 addresses to my phone. Unfortunately, these addresses don't get assigned to wlan0 interface on Android. I'm still seeing only stateless addresses on wlan0. Any help would be appreciated.
Regards,
André
Thank you, as a system administrator it was crazy annoying to not be able to enforce a an IPv6 range for android devices
This app doesn't work until I adb shell into my device and run dhcp6c wlan0 as root manually.
Works on Pixel XL
Works fine on my Pixel XL with Android 7.1.
Thank you!
Hi, great job on this app. Wondering how you were able to override the Android DHCP software from trying to connect to networks and have it use the IPV6 info your client acquired?

[CWM][ARMv7][Intel][Optware-ng: dropbear, transmission, pyload, minidlna & many more]

[CWM][ARMv7][Intel][Optware-ng: dropbear, transmission, pyload, minidlna & many more]
Optware-ng is a Optware fork that uses modern toolchain and boasts to be (nearly) firmware-independent. I686 and hardfloat ARMv7 feeds were tested to run on android devices. Of course, since Optware(-ng) originally targets Linux devices, not all packages work, while some others require additional tweaking. But most packages do work fine, e.g., have you ever wanted to turn your android box into torrent leech/seed box? No good Play Store options to achieve that (of which I'm aware of). With Optware-ng, I have personally tested transmission to work fine, and there're also other torrent clients that may work too. Now, what about using your tablet as a DLNA server? You could use minidlna. There's also pyload and plenty of other useful apps.
To make installing Optware-ng simple, I've made these CWM flashables:
Optware-ng-armv7-binaries[CWM].zip
Optware-ng-Intel-binaries[CWM].zip
Optware-ng-init-script[CWM].zip
To install Optware-ng, simply flash Optware-ng-<YOUR-ARCH>-binaries[CWM].zip and then Optware-ng-init-script[CWM].zip. The first archive installs Optware-ng binaries to /data/Optware-ng, and the second installs initialization script in /system/etc/init.d and also creates /system/etc/passwd. After flashing, reboot your device, and it should become accessible via SSH with following credentials:
login: root
password: password
port: 2222
Needless to say that init.d support is required for this to work.
Please test and report back
To change SSH login password, edit /opt/etc/default/dropbear:
Code:
nano /opt/etc/default/dropbear
and restart dropbear or just reboot.
For better security you may use public key authorization only: set password to blank and add your public keys to /opt/etc/dropbear/authorized_keys (don't forget to `chmod 600 /opt/etc/dropbear/authorized_keys` after you create it!)
Project home:
https://github.com/alllexx88/Optware-ng

GlassROM dns - secure and private

Finally. A ethical, free as in freedom and free as in free beer DNS that protects your privacy and is secure by design.
Our privacy policy is simple and in English, not legalese:
We do not collect any data whatsoever. That's it
Secure: instead of writing our own security systems there are certain things (called best practices) that must be followed first. All the time in the world can be spent writing a perfect security system but that's really just extra work. If you don't apply the currently accepted practices and instead code your own that's stupid
Glassrom is currently the only public dns resolver to implement almost all of these. No other "big" DNS provider has gone beyond dnssec or aggressive nsec
Only modern TLS (TLSv1.3) is supported. No support for TLSv1.2 or older.
What's the matter? Oh you don't trust a no-name company that suddenly popped up overnight
Got a tinfoil hat? We've got you covered. Message me privately and get the dns server configs. The config you'll receive will be exactly the same as the one running on the glassrom server. All you have to do is buy your own server and run the dns server as per the configuration
What about adblocking?
Glassrom DNS came out of the idea to resist censorship and spying - wherever, whenever and however it occurs. Blocking ads is technically censorship and we will not step away from our ideals to provide uncensored internet access even if it means we won't block ads
That being said you might be able to locally run a pi-hole server that connects to the glassrom dns server for upstream DNS. We are currently exploring this possibility
The last thing. Don't most services have to store some logs to improve their quality?
Yes they do have to and since glassrom doesn't collect that data we just expect the absolute worst and prepare for it. Since the server has no tracking, no analytics, no collection whatsoever we can't even tell if you used our dns
You aren't 100% invisible. Any intelligence agency (Read: NSA) listening on the wires can tell that you did connect to our dns service. If you use DoH or DoT they can't tell what data you transmitted or what website you connected to but as the NSA says: "metadata is how we ***** people"
No VPN or DNS service is resistant to such external monitoring. If you don't want to be monitored it is advised to use a VPN and tor in addition to this. Even then you might not be 100% invisible. Be careful
The glassrom server disables dns prefetching to resist a certain attack where an external party could query the server and calculate the amount of time it takes to return a request. The attack works like this: if a dns server has prefetch enabled it will prefetch the IP address for some popular websites as per the users using the DNS server and the response time will be abnormally short. An attacker with sufficient resources can see that certain queries take lesser time to return and deduce what websites are frequently visited. Disabling this optimisation makes the dns server slower but we have disabled it regardless
The glassrom server will cache dns requests for anywhere from just 2 minutes to 1 hour in ram. This data will never be written out to the disk and the cached request will only store the address -> IP mapping and no additional data
Standard DNS at 217.61.104.90 or [2a03:a140:0010:2c5a:0000:0000:0000:0001] (port 53) (TCP/UDP)
DNS over TLS: https://dns.glassrom.pw:853
DNS over HTTPS: https://dns.glassrom.pw/dns-query
This was created using unbound, nginx and doh-proxy
Chromium based browsers: please request developers to add support for glassrom DNS
Firefox: open about:config and change these values
network.trr.mode 3
network.trr.uri https://dns.glassrom.pw/dns-query
network.trr.bootstrapAddress 217.61.104.90
network.security.esni.enabled true
Android 9 private dns: TLSv1.3 support is spotty on android 9. Use stunnel and a dns changer app that uses the vpnservice api to use encrypted DNS
Systemd on Linux: read the documentation. Your systemd MUST be linked against an up-to-date openssl/gnutls to be able to use TLSv1.3
Alternative Linux method: use stunnel and use openresolv to change your dns to 127.0.0.1 or run unbound yourself with glassrom as an upstream dns server running on port 853
Windows: if you care about privacy and security you wouldn't be using this. We have no windows instructions so if somebody wants to contribute reply below
Donate:
If you like our dns service why not donate to keep it running? Donations will allow improvement of service quality
https://donorbox.org/glassrom
Remember that since we don't collect data the success of this project will be determined by the donations received
Thanks a lot! No chance to use your dns with lineageOS 17.0 built in private dns?
kurtn said:
Thanks a lot! No chance to use your dns with lineageOS 17.0 built in private dns?
Click to expand...
Click to collapse
Nginx doesn't allow setting of different ciphers per stream/server block
It's not a program limitation. In theory implementing this is just not possible
You can use stunnel and change your dns to 127.0.0.1 until a fix is found. The fix would definitely be using a second server that proxies to the main one but replies with both TLS 1.2 and TLS 1.3
Also it doesn't really matter how you do DNS over TLS. Esni is possible over it but I haven't seen a single implementation using DoT+eSNI. Only DoH+eSNI is a thing for now
Redirecting the encrypted 853 port to 127.0.0.1:53 using stunnel is no different from using a native implementation
Use the stunnel approach and set your dns server to 127.0.0.1
I won't tell you how to do this. The arch wiki has a pretty in-depth article and you can easily install stunnel with termux so just go and read the arch wiki
For your browser Firefox or the one I use - fennec f-droid edition can enable DoH and esni
I'll ask the bromite maintainer to consider inclusion. Currently I'm unsure how much load the server can handle

Unlimited WiFi Tethering For Any Carrier [NEVER THROTTLED]

Just figured I would share this for anyone who is sick of their tethering being throttled after a insanely small bandwidth limit. I mean if you pay for unlimited data, who are they to tell you how you can use it. Also you could technically cancel your ISP if you really wanted to and you were motivated enough to get this setup correctly.
I'm have a repo on GitHub for this -> https://github.com/RiFi2k/unlimited-tethering
# Unlimited Tethering
Bypass tethering caps or throttling on cell phone unlimited data plans. Potentially cancel your internet and route your whole home though your unlimited data plan.
Inspired from [XDA](https://forum.xda-developers.com/) forum threads.
[Working Options for Unlimited Tetherting, Hotspot, Carrier Check Bypass Methods](https://forum.xda-developers.com/showthread.php?t=3825144)
[Unlimited WiFi Tethering](https://forum.xda-developers.com/showthread.php?t=2914057)
## Requirements
* **Unlimited data plan**
* **Ability to hotspot your phone**
* **Computor or Router**
This is not a carrier specific method, I use Verizon but this should generally work with any carrier. It also doesn't matter if they throttle or cap you at 15GB or something, that is what we are about to work around.
If you are going to go the router method it will be a lot more work but the router will handle all the traffic routing and you can just connect any device in your house to your router and it will just work. If you are just going to use your PC then you can generally have this running in ~15 to 30 minutes.
I have personally used anywhere from 80-150GB of data with this method consistantly for 6+ months and never been throttled one time while my traffic was going through the tunnel.
## Overview
1) Download [Termux](https://termux.com/) app, [install openssh](https://wiki.termux.com/wiki/Remote_Access) on it, make sure you have python2 as well and simlink the `python2` command to `python`.
```
pkg install python2
py2_path=$(which python2)
py_path=${py2_path%/*}/python
ln -s "$py_path" "$py2_path"
```
2) Configure authentication as explained [here](https://wiki.termux.com/wiki/Remote_Access) for SSH. If you don't already have a keypair it explains how to set up an ssh keypair and use it to authenticate to your phone from a PC. I personally used my existing SSH public key and made a folder / file `~/.ssh/authorized_keys` on Termux and dropped it in there with something like `curl "https://github.com/rifi2k.keys" > ~/.ssh/authorized_keys` if you already have your public keys on github here.
2) Hotspot your phone.
3) Run `ifconfig` inside Termux to get your current tethering local IP. It will be the only 192.x.x.x spit out and generally for andriod will be ending in 192.x.43.x. Save this.
4) Run `sshd -dD` inside Termux which starts an openssh server in debug mode to audit traffic. Your looking to see something like this as output from the above command.
```
debug1: Bind to port 8022 on ::.
Server listening on :: port 8022.
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
```
5) Now pop onto a PC and connect it to your hotspot.
6) Now SSH tunnel all the traffic from the device back through the openssh server your running on the Termux app. Now that you are on the same local network you can SSH tunnel into our saved IP address and port from earlier `192.x.43.x:8022` or similar.
You can use ssh which would look something like this.
If you want to use OpenSSH on Windows my recommendation would be Chocolatey package manager. https://gitlab.com/DarwinJS/ChocoPackages/tree/master/openssh
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
LOCAL_SOCKS_PORT="8123"
ssh -D $LOCAL_SOCKS_PORT -fqgN [email protected]$TERMUX_IP -p $TERMUX_PORT
```
TERMUX_USER would be your username on the Termux app.
TERMUX_IP would be the IP you got from `ifconfig` in Termux.
TERMUX_PORT would be the port `sshd` is using in Termux.
LOCAL_SOCKS_PORT would be the port you want to use for your local proxy.
So then once you run the above ssh command you need to configure a system wide or application specific Socks Proxy which would be proxying all traffic to `127.0.0.1` for the Socks Host and whatever `LOCAL_SOCKS_PORT` is from above for the Socks Port.
I use [sshuttle](https://github.com/sshuttle/sshuttle) which already handles most of the [gotchas with tcp over tcp etc](https://sshuttle.readthedocs.io/en/stable/how-it-works.html). and which also has a solution for [Windows](https://sshuttle.readthedocs.io/en/stable/windows.html) and linux. Also sshuttle generally handles setting up the Socks Proxy for you. A command for sshuttle might look like this.
## Linux
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
sshuttle -r [email protected]$TERMUX_IP:$TERMUX_PORT 0.0.0.0/0 -l 0.0.0.0:0
```
## Windows
On Windows I would download [Virtualbox](https://www.virtualbox.org/). You can verify the sha256 of the files via PowerShell with `Get-FileHash C:\path\to\file.exe`. Also you might want to use [git bash](https://medium.com/@botdotcom/learn-how-to-install-and-use-git-on-windows-9deecbd6f126) instead. Then you want to make sure you launch a linux VM in [bridged mode](https://www.linuxbabe.com/virtualbo...duction-to-virtualbox-bridged-networking-mode).
Then run sshuttle inside the VM following the directions here for [sshuttle in a VM](https://sshuttle.readthedocs.io/en/stable/windows.html).
Inside the VM
```
sshuttle -l 0.0.0.0 -x 10.0.0.0/8 -x 192.168.0.0/16 0/0
```
Back on your Windows machine, assuming your VM has the IP `192.168.1.200` on the bridged network.
```
route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
```
That should route traffic through the VM and the tunnel.
As long as you make sure all your traffic passes through the tunnel it 100 percent shows that all your internet is being used by Termux app not your hotspot app so you need no other spoofing of hops or anything because to your phone and carrier you are just using a bunch of data in termux, you do it right you will never be throttled.

Categories

Resources