How to get SSH listening only on private IP? - Nexus S Q&A, Help & Troubleshooting

Hi guys.
I'm using my Nexus S as WiFi hotspot. It creates a WiFi LAN, 192.168.43.0/24 subnet.
The phone of course gets two IPs: an internal IP, 192.168.43.1, which serves as the gateway for connected clients, and an external IP from my ISP.
When I start an SSH server (such as SSHDroid or Dropbear SSH Server), it is listening on external IP,
but I want it to listen only on internal IP (192.168.43.1), so I can connect only from a LAN client.
In the apps' settings I didn't find anything related to this, so I ask you: is there any way to get an SSH server listening on 192.168.43.1?
Thanks

Check the dropbear and sshdroid documentation. You might be able to set this up in a config file, pushed to the phone with adb. Dropbear open_wrt example. If the internal address is tied to a virtual interface, you might be able to have sshd only listen on that interface.
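One concrete way to do what the reply suggests, as an added example that is not from the thread and not part of SSHDroid or Dropbear: Dropbear's `-p` option takes `[address:]port`, so it can be bound to the hotspot address alone, and a small BusyBox `netstat` check then confirms nothing is still listening on the wildcard address (which would expose the server on the mobile-data interface). It assumes a rooted phone with Dropbear and BusyBox; 192.168.43.1 is the address from the question, and the two `netstat` samples are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a rooted phone with Dropbear and
# BusyBox netstat; 192.168.43.1 is the hotspot address from the question.
LAN_IP="${LAN_IP:-192.168.43.1}"
SSH_PORT="${SSH_PORT:-22}"

# Dropbear's -p option takes [address:]port, so this binds the daemon to the
# hotspot address only; it never appears on the mobile-data interface.
# Run it by hand as root once the hotspot is up (not executed by this script):
#   dropbear -p "$LAN_IP:$SSH_PORT"

# Read "netstat -tln" output on stdin and print the local address of every
# LISTEN socket on port $1. Handles "a.b.c.d:port" and ":::port" (IPv6 any).
listen_addrs() {
  awk -v p="$1" '
    $NF == "LISTEN" {
      n = split($4, f, ":")
      if (f[n] != p) next
      print substr($4, 1, length($4) - length(p) - 1)
    }'
}

# Succeed only if something listens on port $1 and every such socket is bound
# to address $2. A 0.0.0.0 or :: entry means reachable on every interface.
bound_only_to() {
  addrs=$(listen_addrs "$1")
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    [ "$a" = "$2" ] || return 1
  done
}

# Constructed netstat output: the default wildcard bind, and the wanted one.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'
SAMPLE_LAN_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.43.1:22         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN'

# On the phone this reads the live table; elsewhere netstat may be missing.
if netstat -tln 2>/dev/null | bound_only_to "$SSH_PORT" "$LAN_IP"; then
  echo "ssh on port $SSH_PORT is bound to $LAN_IP only"
else
  echo "WARNING: no listener on $SSH_PORT, or it is bound beyond $LAN_IP"
fi
```

The check matters because an SSH app that offers no bind setting typically listens on `0.0.0.0`, so the wildcard case above is the one to look for after starting the server; the hotspot address only exists while the hotspot is active, so Dropbear has to be started after it.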

Related

Tethering with OpenVPN: How to avoid ATT's prying eyes and possibly tether undetected

The purpose of this post is to explain how to tether with openvpn, which will hopefully avoid ATT's all seeing eyes, as well as prevent any detection during tethering.
All ATT will ever see is encrypted traffic between a connection that is initiated from my phone and ends at my vpn server. So the only way they would be able to determine if you are tethering, is if they are spying on you ala CIQ directly on your device, or your device phones home and tattles on you. That would open up a different can of worms and a **** storm would ensue.
This method requires a number of things.
* Openvpn server (preferably running on a static address, but will work with dynamic DNS services) with a reliable connection. I use a VPS server for $25 a month, but it is fast and reliable.
* Openvpn on your phone (any will work as long as it has the tun driver or tun built into the kernel)
* Some sort of gateway (your openvpn server can be running on it as well, or a separate host); I use Freebsd/Openbsd. For linux, you're on your own to figure out NAT and gateway functions.
Really, that is about it.
My Openvpn server config. You can set it up any way you like, but certain statements are required, specifically those in the hashed-out box, if you want your subnets to talk to each other and route the traffic.
Code:
port ****
proto tcp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vps.server.crt
key /usr/local/etc/openvpn/keys/vps.server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.150.0 255.255.255.0
ifconfig-pool-persist ipp.txt
mode server
client-to-client
client-config-dir ccd
###############################################
# my phone and home subnets, can be any RFC1918 address space
# Advertise and note your home subnets in this section, unless you
# do not want the various subnets to talk to each other, then you
# can also remove the client-to-client statements
###############################################
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
route 192.168.43.0 255.255.255.0
###############################################
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
My client config on my phone (change the remote statement to match your openvpn server host and port)
Code:
client
proto tcp
dev tun
remote vpn.example.com 1234
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
/usr/local/etc/openvpn/ccd is where I have my client specific configs (match the location to that identified in the server.conf file for your vpn server). I also use certificates unique to each host that connects to my vpn, the names of the files in the "ccd" directory must match the name you gave the device when you created your certificates. I use easy-ssl to manage my certs.
For my phone, which I named "galaxy_s", I have the following (note the DNS option is optional; I was having problems with it so I just hardcoded 8.8.8.8, Google's DNS server, into my network settings on my laptop):
/usr/local/etc/openvpn/ccd/galaxy_s
The iroute statement just tells the openvpn server what subnets you have behind your device, in this case the phone. I am guessing all of the android phones use 192.168.43.x as the NAT'd subnet, otherwise change it to whatever your phone is assigning.
Code:
push "redirect-gateway"
push "dhcp-option DNS 192.168.15.1"
iroute 192.168.43.0 255.255.255.0
The rest of the configurations are related to your primary gateway, which in my case also runs the openvpn server. I am using freebsd and pf, the configs needed for that are essentially natting statements, and firewall rules.
for pf, the following rules are what I use
I also trust all the traffic on my tun0 device, so I told pf to ignore it and pass all traffic
Code:
nat on $int from 192.168.150.0/24 to any -> $int/32
nat on $int from 192.168.43.0/24 to any -> $int/32
set skip on tun0
Hopefully this is useful to other folks, if not, let it be buried
Thanks for an EXCELLENT guide!
Quick question. When I use this server conf file, my ssh on my local network hangs up and goes down.
In other words:
I am running openvpn on a home linux server. It is connected through a home router to the internet and has a network set up at 192.168.1.0.
Router is 192.168.1.1,
vpn server is on 192.168.1.51.
If I start openvpn, I cannot ssh from a local network (192.168.1.81) laptop. If I turn off openvpn I can. I changed your 192.168.15.0 addresses in server conf file to 192.168.1.0. I have a feeling it has to do with that.
Well, yes, you will need to modify the configs to suit your own address scheme. As for why you cannot ssh, I am not sure, is that .81 device on the same network as the openvpn server, or are you coming from a different network.
My setup has the gateway the same as the openvpn server simply due to the fact that I am using a Virtual Private Server (VPS) and I only have that as the 1 external static system.
I would check the route statements. I'm not sure, but you might have a routing loop that would be causing the problem (can you traceroute or ping, or use any other protocol/application to see if you can connect?). If you set the default gateway of the openvpn server as the .1 address, and then you are trying to connect to another internal address, the .81, when you ssh from whatever device is connected to the openvpn server, it may attempt to connect to the gateway at .1 and then return back into your network to .81.
I could be wrong, it is hard to tell when you are not sitting at the actual systems.
Got it to work! Here are some tips for others
Thanks again for your help jvanbrecht. Last night I was able to sit down, get a better understanding of how it worked via openvpn's HOWTO, and get it running.
I did need to make a few mods for it to work in my configuration (as is expected since very few network configs are the same).
My configuration:
Single home network, say on 192.168.15.0.
Single router, at 192.168.15.1.
Home server hosting VPN on 192.168.15.51. It is running Ubuntu Maverick.
Skyrocket on subnet 192.168.43.0
My modifications:
Since I don't need direct access between VPN clients and my home subnetwork, in the server config I commented out:
Code:
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
It was giving me some problems SSHing into my home server from a local network machine so this was the quick fix.
Initially it wasn't routing ALL traffic, just that directed from VPN client to the VPN server. So I added this to the server conf:
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.150.1"
In my home (tomato) router, I just port forwarded any TCP traffic on 1194 to the home server (192.168.15.51)
I think openvpn does this already. But just in case, I added an iptables NAT entry to forward packets from the VPN network to eth0 (my NIC). As root:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And I added the following entry to /etc/rc.local so it persists on restart.
Code:
iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -o eth0 -j MASQUERADE
Some debugging tips for others
Simplest way to verify HTTP traffic is being forwarded is, after connecting to vpn from phone, go to www.whatismyip.com. Make sure it matches your phone.
If you are having trouble connecting to the VPN, watch the openvpn log for errors: "tail -f /var/log/openvpn/openvpn.log" (the path set by the log statements in the server config).
After connecting, make sure you can ping from your home server to the phone.
From Server: "ping 192.168.150.10"
From Phone: Open Terminal Emulator and type "ping 192.168.150.1"
You can also validate the traffic is forwarding through VPN by using traceroute. You can test both forwarding and DNS
From Phone: Open Terminal Emulator, type
Code:
su
For no-DNS test first:
Code:
traceroute 74.125.115.104
For DNS test:
Code:
traceroute www.google.com
For each, do your tests on the cell network (NOT home wifi) and verify that the route passes through your vpn server and doesn't bypass it completely.
Lastly to make sure traffic is being piped, you can monitor VPN traffic from your openvpn server by typing:
Code:
tcpdump -i tun0
jvanbrecht:
Do you have any recommendations about dropped connections? I noticed while testing that sometimes my openvpn connection would drop and my phone browsing would immediately default to the direct default cell provider connection.
Of course if tethering, this could be very bad.
Any tips on ensuring that if VPN is enabled, but no connection, that it won't ever try and route around it?
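A tightened version of the forwarding and NAT steps from this post, as an added example that is not from the thread and not the poster's own script: it enables forwarding persistently through sysctl.d rather than rc.local, adds the MASQUERADE rule idempotently (so re-running it does not stack duplicates), and only forwards traffic that arrives on the tunnel interface and leaves on the uplink, with replies admitted via conntrack. It goes slightly beyond the post by covering both the tunnel subnet and the phone's hotspot subnet that the iroute statement announces. Interface names, subnets and the sysctl.d file name are the thread's values or assumptions and can be overridden with environment variables; without `APPLY=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Linux gateway that runs the OpenVPN
# server: enable forwarding and NAT for the tunnel subnet and for the phone's
# hotspot subnet (reached through the iroute statement), but only for traffic
# arriving on tun0 and leaving on the uplink. Values are the thread's;
# override with environment variables. Without APPLY=1 the commands are only
# printed, so the plan can be reviewed before running it as root.
VPN_NETS="${VPN_NETS:-192.168.150.0/24 192.168.43.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Reject anything that is not a dotted quad with a /0-32 prefix before it
# reaches iptables (a typo here would otherwise NAT the wrong network).
valid_cidr() {
  case "$1" in *[!0-9./]*|*/|/*|*/*/*) return 1 ;; esac
  ip="${1%/*}"; bits="${1#*/}"
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
  done
}

# Append a rule only if it is not already present (iptables -C exits 0 when
# the rule exists), so re-running at boot does not duplicate rules.
ensure_rule() {
  table=$1; shift
  if [ "${APPLY:-0}" = 1 ] && iptables -t "$table" -C "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t "$table" -A "$@"
}

apply_vpn_nat() {
  for net in $VPN_NETS; do
    valid_cidr "$net" || { echo "invalid subnet: $net" >&2; return 1; }
  done
  # Persist forwarding in sysctl.d instead of echoing into /proc from rc.local.
  run sysctl -w net.ipv4.ip_forward=1
  run sh -c "echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-openvpn-forward.conf"
  # Replies to forwarded flows may come back in; nothing else is forwarded in.
  ensure_rule filter FORWARD -i "$WAN_IF" -o "$VPN_IF" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for net in $VPN_NETS; do
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$net" -j ACCEPT
    # The post's MASQUERADE rule, tied to the uplink and the VPN-side source.
    ensure_rule nat POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
  done
  # Everything not matched above is dropped rather than forwarded.
  run iptables -P FORWARD DROP
}

apply_vpn_nat
```

Review the printed plan, then run it once as `APPLY=1` with root; note that the FORWARD DROP policy also applies to any other forwarding the gateway does, so hosts that relied on the default ACCEPT policy need their own rules. Saving the result with `iptables-save` (or the distribution's persistence package) is more robust than re-adding rules from `/etc/rc.local`.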
would using any vpn do the same thing? or something making this special ? any one tested this ?
It's been a few weeks since I tried the openvpn app. Back then everything seemed to be working well. But I tried again today and am having problems.
- I can access everything fine via vpn if my phone is connected to my local wifi where the vpn server resides.
- I can access IP addresses (e.g. the ip address of google.com) if connected to vpn via AT&T's 3G network
- I CANNOT access websites by their name (e.g. www.google.com) anymore.
It seems the DNS forwarding over VPN is messed up. Any tips on what the problem could be?
I still have the same settings as above, e.g. push "dhcp-option DNS 192.168.150.1"
Is it possible I need to do any additional configuration on my phone?
Is it possible to replace my router DNS address with a public one like google's "8.8.8.8" or "4.2.2.2"?
Any tips greatly appreciated!
Deleted. Please ignore. Still having issues.
So I had the opportunity to play around with my config (listed above) a bit more this evening. I was at a location where I had good external WiFi (Panera) along with 3G.
If I connect from my phone to my home VPN server over EXTERNAL WIFI (Panera), I have no problems with VPN. everything works flawlessly.
If I connect from my phone to my home VPN server over AT&T 3G network, it fails. Essentially it can't resolve any DNS queries. I can type in a website's IP address and surf that way, but I can't say type in "www.cnn.com" and get a page to load.
For the latter, when I watch the web queries using "tcpdump -i tun0", I see the requests go out from my phone to the websites, but they don't come back. For example, I see:
"192.168.150.10 > a.b.c.d (www.cnn.com)",
but I don't see:
"a.b.c.d (www.cnn.com) > 192.168.150.10"
Is it possible that AT&T is somehow blocking VPN via DNS? At first I thought my openvpn dns settings were messed up ... but it works across external wifi no problem.
---------- Post added at 01:24 AM ---------- Previous post was at 01:07 AM ----------
For those that are interested in the future, I think I narrowed down the issue:
It seems VPN connectivity is dependent on the AT&T Access Point Network (APN)
By default for my Skyrocket I was on the AT&T PTA APN wit settings:
Code:
APN: pta
MMSC: http://mmsc.mobile.att.net
MMS proxy: proxy.mobile.att.net
MMS Port: 80
...
I then switched to what is called the "AT&T Expanded" APN with settings:
Code:
APN: wap.cingular
User Name: [email protected]
(rest of settings somewhere here on xda ...)
... and that one worked perfectly.
I switched back and forth a few times to confirm. It seems on pta, I can't resolve DNS over VPN. For the wap.cingular, I have no problems.
Anyone else can confirm this is most likely the issue I am seeing and that it can possibly make sense?

Proxy PC Web Sessions Through Phone/SSH/Remote HTTP via USB

Synopsis:
Need to bypass corporate web proxy for unfiltered Internet access. Google Chrome is the preferred and tested browser, but Firefox should work as well. Corporate environment utilizes an automated global proxy setting, which must be bypassed using run-time arguments. Since I have a Squid proxy running at home on my cable connection, all I need to do is establish a port-forwarding tunnel from my phone to my house, then another from my laptop to my phone. This will allow me to browse the web and proxy any traffic through my phone to my proxy server at home, around our corporate proxy and firewall. The phone utilizes a DSL connection typically used for testing and other non-business traffic and is isolated from the corporate LAN.
Requirements:
A Web Proxy (Squid instance or other third-party available)
Atrix 2 Rooted (others not tested)
SSHDroid from Google Play
BusyBox (with ssh binary)
Google Chrome or Firefox
Putty SSH Client for Windows or other SSH client software AND a familiarization with SSH tunneling.
Procedure
On the Atrix 2, be sure 'Motorola Phone Portal' mode is configured for the USB connection. This will tell the phone to assign an IP address to the USB interface of the phone. In my case, it is 192.168.16.2. Once that is done, connect your phone to your PC via the USB cable. This may auto-launch IE on your desktop to your phone to the web portal on port 8080 and is not necessary.
On the Atrix 2, launch SSHDroid to enable inbound SSH connections. No special settings were configured in that app for any of this to work.
On your PC, manipulate your Chrome shortcut to use different proxy settings than the default. By default Chrome utilizes the Internet Settings on the PC, so this is necessary if you already have a proxy defined at the OS level. To do this, you must create a new shortcut to Chrome, then right-click on that shortcut, go to properties, and change the 'Target' field to include this information:
--proxy-server="localhost:3128" (don't forget the quotes)
Be sure to use this shortcut to launch Chrome or you will continue to use the OS-level Internet Settings.
Now, launch the Putty SSH client and create a new SSH session to your Android device. Enter the appropriate connection information, and under the Connection/SSH/tunnel section, define the port forward information for the web proxy. In my case I set it to port 3128 forwarding to 192.168.16.2:3128. Save this session. This will tell your PC when the SSH session is established to set up local TCP port 3128 to listen for requests, then forward them to the Android phone across the USB connection on the same port.
Try to connect to your SSH server on your phone. By default, the username is 'root' and password is 'admin' for SSHdroid. You should now be successfully logged into your phone.
In the Putty SSH session on your phone, you will now have to launch a command-line SSH session where you will establish the real tunnel to the real proxy server. Enter 'ssh <REMOTE SSH USERNAME>@<REMOTE SSH HOST> -L <IP OR HOSTNAME OF PROXY>:<PROXYPORT>:<USB NETWORK IP ADDRESS>:<LOCAL PROXY PORT>' (without quotes) to establish the SSH tunnel. Here is what my connection (sanitized) looks like. You can also run 'ssh -?' to get an idea of command-line options for the ssh binary.
ssh [email protected] -L 192.168.1.1:3128:192.168.16.2:3128
This will set your phone to listen on TCP port 3128 on the 192.168.16.2 interface and forward any requests to 192.168.1.1 on the same port. It is important to specify the USB interface as by default it will only set up connections on the localhost (127.0.0.1) interface, which won't accept connections from other remote hosts.
Finally, launch Chrome using the shortcut you created and you should now be sending all web traffic out the USB interface and through your phone to your remote proxy server. You can verify this by connecting to a resource such as your home Internet router on the LAN interface to verify. If you are running Squid at home, you should also be able to view your /var/log/squid/access.log and see your requests.
I have not tested remote web proxies or other methods, but in principle it should work.
Feedback and ideas for improvement are welcome!
I just USB tether and use Tunnelier (because putty does not have auto reconnect) and Proxifier (so I don't have to set the proxy settings in each application I want proxied)

[Q] vpn can connect but no internet and local lan

Hi, I have a samsung galaxy note 10.1 N8000. On my local network I have a synology diskstation DS213j which can run a vpn server L2TP/IPSec or openvpn.
On my samsung I have the latest official firmware.
L2TP/IPSec server DS213j is working fine with my ubuntu 11.10 notebook. I didn't try openvpn yet, but I guess I get that working too.
On my samsung I can connect nicely to the L2TP/IPSec server (with the built-in android vpn client) or the openvpn server (with the Openvpn for android app).
However I cannot access the internet or my local lan, although I can ping my local lan addresses. When I open, i.e., the url of the web interface on my local lan it tries to connect to it. It sometimes even manages to display the login screen.
I guess my routing on the tablet is wrong. Routing is set to automatic; only the dns servers have been filled in manually, because they didn't get pushed right by the openvpn server on my synology. Notice that I don't have this problem on my ubuntu notebook.
Did someone manage to successfully set up a vpn connection using L2TP/IPSec or openvpn?
If so I must take another look at the vpn servers on my synology, else I think I need to get root access to my tablet to manipulate the routing table.
BTW the goal is to route all the traffic through the vpn, especially the internet. I need to access the internet through my home IP so I can use the live TV app from my cable/internet provider when I am on the road.
divx118
Solved with the official release of DSM 4.3 beta and the vpn server update of my synology. As I expected not all the routes were pushed by the server. The dns servers I still have to add manually.

USB-tether (cell phone to router). Trying to Port-Forward 554 from phone to router

I have a static ip cell phone, LTE service with public address: 25.25.25.25
USB-Tethered to an asus router
Router has WAN address of: 192.168.42.134,
Gateway and DNS is:192.168.43.129,
I Port-Forward 80,8080,554,etc... to Desktop Computer
Desktop Computer has HTTP Server and Darwin Streaming Server
Listening on 80,8080,554
Lan address is:192.168.1.2
I got the http server working by using an app on the cellphone called PortForwarder https://play.google.com/store/apps/details?id=at.bherbst.net&hl=en
I forwarded port 8080 for incoming and 80 for target
...in settings I entered rmnet0 (25.25.25.25) for Public Interface (other choices were lo (127.0.0.1), rndis0 (192.168.42.129))
...for Target I entered router (192.168.42.134)
From the Outside (on a different internet connection) I'm able to access my html server with this: http://25.25.25.25:8080
My Problem:
The app (portforwarder) is for non-rooted phones; it will not let you forward ports lower than 1024, hence I cannot access my smtp stream on port 544
I'm trying to figure out if the app uses iptables or routes traffic thru adb for forwarding
There are other port-forwarding apps for rooted phones that do use iptables (which can allow port-forwarding lower than 1024) but I cannot get them to work with usb-tethering; it just may be I'm not understanding the correct iptables rule to write.
Can someone help me write an iptables rule that port forwards 544 from the public interface (cell phone) to the target host (router)?
ca
Not sure you can, and if you can, not sure it's allowed.
Sent from my SM-S903VL using Tapatalk

One Plus 8 attacks my LAN VPN gateway...

This started a couple of days ago, and I have now mitigated it with a couple of firewall rules on the VPN gateway, as well as shutting down the dhcpcd server on that server (which I don't need anyway, and which probably should have been stopped long ago).
My LAN has a raspberry pi 4 running their debian firmware that is configured as a VPN gateway. It connects my LAN via ProtonVPN to the internet. This gateway is set up with a static IP address (192.168.2.49) on the LAN, and is configured to use another RPI on my LAN to get its DNS (192.168.2.50).
My one month old running OOS 11 OnePlus8 is rooted with magisk, and I have blocked most of the google stuff from the internet using afwall, and suspended non-essential system services using greenify. When connected to my LAN, the phone has a static IP address (192.168.2.71), has its gateway set to the VPN gateway (192.168.2.49), and its DNS to my local rpi DNS (192.168.2.50).
DHCP on my LAN is provided by my router (192.168.2.1).
WIFI on my LAN is provided by an enterprise-grade tp-link hotspot.
Starting a few days ago, for reasons mysterious, when the phone connects to the LAN, the VPN gateway would promptly go offline. Because I run it headless, I would be forced to reboot it - which made diagnosis a bit of a pain. Finally, I found a log entry on the VPN gateway that informed me that my OnePlus was trying to claim the ip address of the VPN gateway as its own (192.168.2.49) in spite of being set to use 192.168.2.71. This duplicate IP was causing dhcpcd on the VPN gateway to immediately take down its eth0 interface. This would break ALL connectivity because I have wifi on that RPI disabled.
Prior to this problem involving the OnePlus, that RPI had been up continuously for over 400 days, so it should certainly be considered to be reliable at the job it does and almost certainly the problem is with the OnePlus.
So, for some reason the OnePlus is trying to assert its assigned gateway address as its IP rather than the 192.168.2.71 that is set, at least in some packet that it uses to announce itself; once it is connected it works properly (which means the right IP address is being used).
I have deleted, then re-created the wifi connection profile and doing that did not cause the problem to go away.
I have another RPI VPN gateway on my IOT VLAN (192.168.24.0/24). No DHCP is available on the VLAN (a security measure), and I do have a profile for the phone that allows it to connect to the VLAN. It works without issue there, but then dhcpcd has been and remains shut down on that RPI. I suppose I could start dhcpcd on that server and see if the phone then breaks it too. I won't do this unless there is some merit to doing so...if it would help find the basic problem.
As I say, shutting down dhcpcd and blocking all dhcp traffic to/from the LAN VPN gateway mitigated the problem. But that the problem could occur at all says something is wrong, and I'm pretty sure it isn't a problem on my network.
This seems most likely to be a bug in OnePlus firmware, though why it would manifest after a month is a mystery to me. Does anyone have any insight? Or does anyone have any suggestions for another place on XDA where this post might more appropriately be placed?
I was pretty sure no one would have any idea about this. I have mitigated it by turning off dhcpcd on the VPN gateway and I am not inclined to do a deeper dive; I have too much else to do.
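A way to catch this kind of duplicate-address event on the gateway side without waiting for the interface to drop, as an added example that is not from the thread: the script scans syslog lines in dhcpcd's "<iface>: hardware address <mac> claims <ip>" format for any MAC other than the gateway's own claiming the gateway's address, and points at `arping -D` for a live check. The log format is assumed to be dhcpcd's; the MACs and the sample log lines are constructed for the example, and 192.168.2.49 is the gateway address from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Scans dhcpcd-style syslog lines for a
# foreign MAC claiming the gateway's own address and reports it. The message
# format is assumed to be dhcpcd's; MACs and sample lines are constructed.
GATEWAY_IP="${GATEWAY_IP:-192.168.2.49}"
GATEWAY_MAC="${GATEWAY_MAC:-dc:a6:32:00:00:01}"   # constructed: the Pi's own MAC

# Constructed sample log. Only the second line is a real conflict: the third
# is the gateway announcing itself, the fourth is another host claiming its
# own (different) address.
SAMPLE_LOG='Jan 10 21:14:02 vpngw dhcpcd[412]: eth0: carrier acquired
Jan 10 21:14:09 vpngw dhcpcd[412]: eth0: hardware address 94:65:2d:00:00:aa claims 192.168.2.49
Jan 10 21:14:09 vpngw dhcpcd[412]: eth0: hardware address dc:a6:32:00:00:01 claims 192.168.2.49
Jan 10 21:14:11 vpngw dhcpcd[412]: eth0: hardware address 94:65:2d:00:00:aa claims 192.168.2.71'

# Print "<mac> <ip>" for every line where a MAC other than $2 claims $1.
conflicting_claims() {
  awk -v ip="$1" -v self="$2" '
    /hardware address .* claims / {
      mac = ""; claimed = ""
      for (i = 1; i <= NF; i++)
        if ($i == "claims") { mac = $(i - 1); claimed = $(i + 1) }
      if (claimed == ip && mac != self) print mac, claimed
    }'
}

# Read log lines on stdin; exit 1 and name the offender if our address was
# claimed by someone else, exit 0 otherwise.
check_log() {
  found=$(conflicting_claims "$GATEWAY_IP" "$GATEWAY_MAC")
  if [ -n "$found" ]; then
    echo "duplicate IP on the LAN: $found" >&2
    return 1
  fi
  return 0
}

# Live check from the gateway (needs root and iputils; not run here):
# arping -D exits 0 only when no other host answers for the address.
#   arping -D -I eth0 -c 3 "$GATEWAY_IP" && echo "$GATEWAY_IP is not duplicated"

# Demonstration on the constructed sample. Real use: journalctl -u dhcpcd | ...
printf '%s\n' "$SAMPLE_LOG" | check_log \
  || echo "(the constructed sample intentionally contains a conflict)"
```

Pairing the scan with the offending MAC is what makes it actionable: the MAC identifies which device announced the address, which is the piece of evidence the post had to reboot to find. The same scan can be run periodically from cron against the journal, so a conflict is logged even on a host where dhcpcd has since been disabled.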
