Net tips - Android General

These are very general, as long as android implements prop system at its core and is build on top of linux...
Prerequisites:
rooted device
#setprop net.hostname whateveryouwant
sets the host name reported on the network, instead of the default Android-number. This becomes useful if you're used to call (browse) the computers on your network by name...
if your kernel supports iptables you can use this command to force every dns request to a specific dns ip (instead of that one provided from dhcp):
#iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination IP
this works for all connections (interfaces), and is useful to override 3G and wifi ISP DNS to get more fast connections (as long as isp dns may become slow) and other advantages...
interfaces can be limited with -i interface option of iptables to set type of connection (3G, wifi, etc) uses the dns (if an interface is not listed than, will use its default, dhcp, dns).
Hope to be useful, despite it's not a guide.

Related

Tethering with OpenVPN: How to avoid ATT's prying eyes and possibly tether undetected

The purpose of this post is to explain how to tether with openvpn, which will hopefully avoid ATT's all seeing eyes, as well as prevent any detection during tethering.
All ATT will ever see is encrypted traffic between a connection that is initiated from my phone and ends at my vpn server. So the only way they would be able to determine if you are tethering, is if they are spying on you ala CIQ directly on your device, or your device phones home and tattles on you. That would open up a different can of worms and a **** storm would ensue.
This method requires a number of things.
* Openvpn server (preferably running on a static address, but will work with dynamic DNS services) with a reliable connection. I use a VPS server for $25 a month, but it is fast and reliable.
* Openvpn on your phone (any will work as long as it has the tun driver or tun built into the kernel(
* Some sort of gateway (your openvpn server can be running on it as well, or a seperate host), I use Freebsd/Openbsd. For linux, your on your own to figure out NAT and gateway functions.
Really, that is about it.
My Openvpn server config, you can set it up any way you like, but certain statements are required, specifically those in the hashed out box if you want your subnets to talk to each other, and route the traffic
Code:
port ****
proto tcp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vps.server.crt
key /usr/local/etc/openvpn/keys/vps.server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.150.0 255.255.255.0
ifconfig-pool-persist ipp.txt
mode server
client-to-client
client-config-dir ccd
###############################################
# my phone and home subnets, can be any RFC1918 address space
# Advertise and note your home subnets in this section, unless you
# do not want the various subnets to talk to each other, then you
# can also remove the client-to-client statements
###############################################
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
route 192.168.43.0 255.255.255.0
###############################################
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
My client config on my phone (change the remote statement to match your openvpn server host and port)
Code:
client
proto tcp
dev tun
remote vpn.example.com 1234
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
/usr/local/etc/openvpn/ccd is where I have my client specific configs (match the location to that identified in the server.conf file for your vpn server). I also use certificates unique to each host that connects to my vpn, the names of the files in the "ccd" directory must match the name you gave the device when you created your certificates. I use easy-ssl to manage my certs.
for my phone, which I named "galaxy_s" I have the following (note the DNS option is optional, I was having problems with it so I just hardcoded 8.8.8.8, googles dns server into my network settings on my laptop)
/usr/local/etc/openvpn/ccd/galaxy_s
The iroute statement just tells the openvpn server what subnets you have behind your device, in this case the phone. I am guessing all of the android phones use 192.168.43.x as the NAT'd subnet, otherwise change it to whatever your phone is assigning.
Code:
push "redirect-gateway"
push "dhcp-option DNS 192.168.15.1"
iroute 192.168.43.0 255.255.255.0
The rest of the configurations are related to your primary gateway, which in my case also runs the openvpn server. I am using freebsd and pf, the configs needed for that are essentially natting statements, and firewall rules.
for pf, the following rules are what I use
I also trust all the traffic on my tun0 device, so I told pf to ignore it and pass all traffic
Code:
nat on $int from 192.168.150.0/24 to any -> $int/32
nat on $int from 192.168.43.0/24 to any -> $int/32
set skip on tun0
Hopefully this is useful to other folks, if not, let it be buried
THanks for an EXCELLENT guide!
Quick question. When I use this server conf file, my ssh on my local network hangs up and goes down.
In other words:
I am running openvpn on a home linux server. It is connected through a home router to the internet and has a network set up at 192.168.1.0.
Router is 192.168.1.1,
vpn server is on 192.168.1.51.
If I start openvpn, I cannot ssh from a local network (192.168.1.81) laptop. If I turn off openvpn I can. I changed your 192.168.15.0 addresses in server conf file to 192.168.1.0. I have a feeling it has to do with that.
Well, yes, you will need to modify the configs to suit your own address scheme. As for why you cannot ssh, I am not sure, is that .81 device on the same network as the openvpn server, or are you coming from a different network.
My setup has the gateway the same as the openvpn server simply due to the fact that I am using a Virtual Private Server (VPS) and I only have that as the 1 external static system.
I would check the route statements, I'm not sure, but you might have a routing loop that would be causing the problem, can you traceroute or ping, or use any other protocol/application to see if you can connect). If you set the default gateway of the openvpn server as the .1 address, and then you are trying to connect to another internal address, the .81, when you ssh from whatever device is connected to the openvpn server, it may attempt to connect to the gateway at .1 and then return back into your network to .81.
I could be wrong, it is hard to tell when you are not sitting at the actual systems.
Got it to work! Here's some tips for others
Thanks again for your help jvanbrecht. Last night I was able to sit down, get a better understanding of how it worked via openvpn's HOWTO, and get it running.
I did need to make a few mods for it to work in my configuration (as is expected since very few network configs are the same).
My configuration:
Single home network, say on 192.168.15.0.
Single router, at 192.168.15.1.
Home server hosting VPN on 192.168.15.51. It is running Ubuntu Maverick.
Skyrocket on subnet 192.168.43.0
My modifications:
Since I don't need direct access between VPN clients and my home subnetwork, in the server config I commented out:
Code:
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
It was giving me some problems SSHing into my home server from a local network machine so this was the quick fix.
Initially it wasn't routing ALL traffic, just that directed from VPN client to the VPN server. So I added this to the server conf:
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.150.1"
In my home (tomato) router, I just port forwarded any TCP traffic on 1194 to the home server (192.168.15.51)
I think openvpn does this already. But just in case, I added an iptable nat entry to forward packet from VPN network to eth0 (my NIC). As root:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And I added the following entry to /etc/rc.local so it persists on restart.
Code:
iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -o eth0 -j MASQUERADE
Some debugging tips for others
Simplest way to verify HTTP traffic is being forwarded is, after connecting to vpn from phone, go to www.whatismyip.com. Make sure it matches your phone.
If you are having trouble connecting to the VPN, watch the openvpn log for errors. "tail -f /var/log/openvpn/openvpn.conf"
After connecting, make sure you can ping from your home server to the phone.
From Server: "ping 192.168.150.10"
From Phone: Open Terminal Emulator and type "ping 192.168.150.1"
You can also validate the traffic is forwarding through VPN by using traceroute. You can test both forwarding and DNS
From Phone: Open Terminal Emulator, type
Code:
su
For no-DNS test first:
Code:
traceroute 74.125.115.104
For DNS test:
Code:
traceroute www.google.com
For each, do your tests on the cell network (NOT home wifi) and verify that the route passes through your vpn server and doesn't bypass it completely.
Lastly to make sure traffic is being piped, you can monitor VPN traffic from your openvpn server by typing:
Code:
tcpdump -i tun0
jvanbrecht:
Do you have any recommendations about dropped connections? I noticed while testing that sometimes my openvpn connection would drop and my phone browsing would immediately default to the direct default cell provider connection.
Of course if tethering, this could be very bad.
Any tips on ensuring that if VPN is enabled, but no connection, that it won't ever try and route around it?
would using any vpn do the same thing? or something making this special ? any one tested this ?
It's been a few weeks since I tried the openvpn app. Back then everything seemed to be working well. But I tried again today and am having problems.
- I can access everything fine via vpn if my phone is connected to my local wifi where the vpn server resides.
- I can access IP addresses (e.g. the ip address of google.com) if connected to vpn via AT&T's 3G network
- I CANNOT access websites by their name (e.g. www.google.com) anymore.
It seems the DNS forwarding over VNC is messed up. Any tips on what the problem could be?
I still have the same settings as above, e.g. push "dhcp-option DNS 192.168.150.1"
Is it possible I need to do any additional configuration on my phone?
Is it possible to replace my router DNS address with a public one like google's "8.8.8.8" or "4.2.2.2"?
Any tips greatly appreciated!
Deleted. Please ignore. Still having issues.
So I had the opportunity to play around with my config (listed above) a bit more this evening. I was at a location where I had good external WiFi (Panera) along with 3G.
If I connect from my phone to my home VPN server over EXTERNAL WIFI (Panera), I have no problems with VPN. everything works flawlessly.
If I connect from my phone to my home VPN server over AT&T 3G network, it fails. Essentially it can't resolve any DNS queries. I can type in a website's IP address and surf that way, but I can't say type in "www.cnn.com" and get a page to load.
For the latter, when I watch the web queries using "tcpdump -i tun0", I see the requests go out from my phone to the websites, but they don't come back. For example, I see:
"192.168.150.10 > a.b.c.d (www.cnn.com)",
but I don't see:
"a.b.c.d (www.cnn.com) > 192.168.150.10"
Is it possible that AT&T is somehow blocking VPN via DNS? At first I thought my openvpn dns settings were messed up ... but it works across external wifi no problem.
---------- Post added at 01:24 AM ---------- Previous post was at 01:07 AM ----------
For those that are interested in the future, I think I narrowed down the issue:
It seems VPN connectivity is dependent on the AT&T Access Point Network (APN)
By default for my Skyrocket I was on the AT&T PTA APN wit settings:
Code:
APN: pta
MMSC: http://mmsc.mobile.att.net
MMS proxy: proxy.mobile.att.net
MMS Port: 80
...
I then switched to what is called the "AT&T Expanded" APN with settings:
Code:
APN: wap.cingular
User Name: [email protected]
(rest of settings somewhere here on xda ...)
... and that one worked perfectly.
I switched back and forth a few tiimes to confirm. It seems on pta, I can't resolve DNS over VPN. For the wap.cingular, I have no problems.
Anyone else can confirm this is most likely the issue I am seeing and that it can possibly make sense?

Solution to Tethering + OpenVPN issues on KitKat/4.4

I was previously using a stock rooted Nexus 4 (with 4.3) with "OpenVPN Connect" (net.openvpn.openvpn) and android built-in wifi tethering to tunnel tethered clients through the OpenVPN connection. This required some iptables modifications but worked fine.
With a stock rooted Nexus 5 (with 4.4.0) and OpenVPN Connect 1.1.12, this stopped working and that was really annoying.
Part of the issue was the one described here
But it was more complicated. It seems that there are routing table issues that I had to research a bunch.
Here are the iptables commands that I already had to run even on the Nexus 4 (with 4.3), which I got from here
Code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
These (above) are somewhat liberal firewall rules that you may what to refine for more security.
But below are additional routing entries that I needed to add specifically for the Nexus 5 (with 4.4.0). They force tethered clients to route through the VPN, unless their traffic is a broadcast or designated for the wifi LAN. Those exceptions are required for DHCP to work on the tethered client. They assume the tethered LAN is 192.168.43.XYZ and the OpenVPN interface is tun0.
Code:
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
This seems to all work best if I start OpenVPN after activating tethering, not before.
I'm not entirely clear whether this is a result of some change/bug in KitKat, or an incompatibility in "OpenVPN Connect", or both. I wonder if it would work ok with other OpenVPN clients like "OpenVPN for Android" (de.blinkt.openvpn)
Other Notes:
* Server is OpenVPN 2.3.2
* Server has this line set in its config:
Code:
push "redirect-gateway autolocal def1"
Running android 4.4.2 google stock image with SuperSU on LG Nexus 4. These routing commands worked great and allowed me to tunnel all WiFi tethered traffic through my VPN. Thanks for figuring this out it was bugging me!
Im stock 4.4.2 no root or anything just pure stock i download install openvpn from google play and imported my config files click connect then open PDAnet connect and the Ip is changed.
OK, so I'm having a bit of trouble understanding and implementing the fix for my nexus 5. I've already got WiFi tethering working through the sqlite db fix but now I can't get my connection to work when my VPN (PIA official app) is broadcasting. These commands you're sending, are they done on the phone terminal or computer and is that EXACTLY how theyre being entered. For rules in red where would I find the IP I would use. Thanks guys Id really appreciate any help given.
Worked!
scootley said:
This seems to all work best if I start OpenVPN after activating tethering, not before.
Click to expand...
Click to collapse
Thanks scootley! These worked me on 4.3. I activated my hotspot before OpenVPN, but I used
Code:
iptables --flush
first before entering your commands. Seems to help. My OpenVPN server config also has the following in addition to push redirect:
Code:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway autolocal def1"
Jrock2t5 said:
OK, so I'm having a bit of trouble understanding and implementing the fix for my nexus 5. I've already got WiFi tethering working through the sqlite db fix but now I can't get my connection to work when my VPN (PIA official app) is broadcasting. These commands you're sending, are they done on the phone terminal or computer and is that EXACTLY how theyre being entered. For rules in red where would I find the IP I would use. Thanks guys Id really appreciate any help given.
Click to expand...
Click to collapse
These commands are entered on the phone. You can download Terminal Emulator or something similar through the app store.
First make sure you're connect to your hotspot from your computer. Next, let's find your local IP address. Here are the instructions for Windows:
Click on the Start menu and type cmd. When you see the cmd applications in Start menu panel, click it or just press enter.
A command line window will open. Type ipconfig and press enter.
You'll see a bunch of information, but the line you want to look for is "IPv4 Address." The number across from that text is your local IP address.
Here's how to do the same thing on a Mac:
Open System Preferences (via the Apple menu at the top lefthand corner of your screen).
When System Preferences opens, click on the icon labeled Network.
You should see a few options on the left with labels like Wi-Fi, Ethernet, Bluetooth, etc. The ones with green dots have IP addresses assigned to them. Click the one on top (if it isn't already selected) and look to the right. There should be a sentence that reads something like "Wi-Fi is connected to Chocolate and has the IP address 192.168.1.102." The number at the end of that sentence is your local IP address.
Thanks for this thread, I've nearly got tethering working through Private Internet Access/Open VPN.
When running the commands
Code:
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
i get an error "RTNETLINK answers: File exists"
I tethered up while connected to the VPN and could ping out to external IP addresses but no DNS resolution. So in my windows settings I manually specified DNS settings and can now browse the web through the VPN on my Galaxy s4!
But how do I fix the DNS issue? I want the clients that connect to pick up the DNS settings that actually work, without having to manually specify.
Thanks for any help
Vpn problem
Hi I havent tried the above options..yet
I have a sgs3 sgh-t999 . a comercial vpn account with the xxx.ovpn cert files.
after getting the details entered into open vpn and importing the cert file all is good untill I go to connect [see attachment]
phone is v4.3, baseband mjc, kernel v 3.0.31, rom S3rx v3.0 1-27-14
any suggestions on how to proceed?
RXP said:
Thanks for this thread, I've nearly got tethering working through Private Internet Access/Open VPN.
When running the commands
Code:
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
i get an error "RTNETLINK answers: File exists"
I tethered up while connected to the VPN and could ping out to external IP addresses but no DNS resolution. So in my windows settings I manually specified DNS settings and can now browse the web through the VPN on my Galaxy s4!
But how do I fix the DNS issue? I want the clients that connect to pick up the DNS settings that actually work, without having to manually specify.
Thanks for any help
Click to expand...
Click to collapse
1) RTNETLINK answers: File exists
This just means you already ran the command before during this reboot session and it's saved into the route table. If you restart your phone, and run the commands again, it will go through first time, but repeated commands will yield same error. Should be normal. Table clears on reboot.
2) Please see the thread at http://forum.xda-developers.com/galaxy-s2/help/solved-wifi-hotspot-issue-samsung-t1689242
It seems like in order for OpenVPN DNS push to work, you have to change your APN settings on your phone to have it automatically register and push out to your other devices. I had the same problem and came across this during a search.
Massive thanks to the OP for posting this here and to everyone helping out in this thread.
The above rules route wifi tethered traffic via the vpn but I was wondering if there are similar rules to route usb tether too?
Cheers
It seems to work once, but when Data connection is lost or openvpn reconnects, wifi tathering stops working, need to do everything again (switch all off, connect to 3G, vpn, create wifi hotspot and apply fix script). And somehow DNS doesn't work. Tryed on Galaxy S5, LG L70, both on 4.4.2
But in general, this workaround is working, just needs a little bit of tweaking
This is fantastic.
For those of you using VPN on your phone as well, does it seem to stay connected? My VPN (OpenVPN) was flawless on 4.3 ... I mean smooth as ice with no disconnects.
When I upgraded to Kitkat, I wanted to immediately hide in a hole from embarrassment. Only after trying to connect and stay connected did I start to read around to check what the heck was going on. Biggest mistake ever. But then again, who would have thought right? I mean come on...who would have thought it would make using VPN a nightmare after an update that's suppose to be improved? Whatever...
Anyhow, lesson learned. Now I'm waiting desperately for someone to figure out how to downgrade from 4.4 back to 4.3 and/or to find a patch/fix for this issue so we don't have to run a script on every boot or reset.
At the end of the day, at least there is a solution thanks to folks like you. Kudos to the OP and everyone else who has contributed to the work around...for the time being lets hope...
:good:
For anyone interested, I played with the commands to have it work over a USB tether instead of Wifi. Why? Because my battery life stinks and this way my phone is charging also. What the heck. works great.
The only change was in the two spots where it has "wlan0" change them to "usb0". Another change was that the subnet of the USB connection is 192.168.42.0/24 (versus 192.168.43.0/24 on wifi). I get it working in this order:
1) reboot phone (to make sure to other lingering route tables are wiped out
2) turn off wifi
3) establish VPN connection
4) start USB tethering (and have your phone usb connected to your computer
5) After eveything is hooked up, open a terminal window, make sure you have superuser access (su) and execute the commands below. I just have them saved in a text file on my phone's sd card, copy them and just paste them all at once into the terminal window. Haven't figured out how to get this to run automatically using init.d (yet - assuming you can because upon phone reboot, I have to assuming that it will spit out errors because the tun0 and usb0 devices will not exist!)
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.42.0/24 dev usb0 scope link table 61
ip route add broadcast 255.255.255.255 dev usb0 scope link table 61
Vpn api delete route joy downgraded
@grogargh
Have you tried Tasker, run shell
To run after booting [or from widget or otherwise]
http://forum.xda-developers.com/showthread.php?t=1110775

Problem with VPN tether gateway setup

I have a G930F running Superman ROM rooted on MM with a ported XAA CSC. I have set it up to run a VPN gateway using iptables and ip route. I am able to get tethered devices to connect to the Internet through the VPN if I manually set the IP addresses and DNS servers on the clients connecting. I do however have some devices that do not have the ability to manually set the IP and DNS servers and it's also a pain to set every device up manually. I ran a Wireshark capture and found several ARP requests not being responded to from dhcpd/dnsmasq trying to hand out ip addresses to the clients. My goal is to get DHCP up and running on wlan0 to hand out IP and DNS configuration. I suspect it is not working due to the nature of the changes I've made with iptables and ip route. I'm thinking the dhcp is being forwarded to the tun0 interface. My question is how to exclude the DHCP from being forwarded to the tun0 interface... Or if someone else can come up with a more elegant solution to my problem, as I'm currently reading up on ip and iptables syntax and commands and my current knowledge is fairly basic. The process I'm using to connect my tethered devices is as follows: connect VPN, turn on tether, run commands listed below to connect the wlan0 and tun0 interfaces and connect clients to the phone after manually setting the IP and DNS.
Code:
su
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
Any help would be greatly appreciated!
SystematiQ said:
Any help would be greatly appreciated!
Click to expand...
Click to collapse
Did you ever get this to work nicely? I am very intrigued.
Also, what VPN software are you using? I am using NCP which does most of what I want, though it is frustrating that I can't programmatically control connection/disconnection/profile selection nor even get it to connect at boot.

How to access wifi hotspot on phone with active VPN connectio?

I have to access the Internet through my phone data connection, from both Windows 10 laptop and Android 6.0.1 tablet. Both devices can connect fine to the wifi hotspot and they can use the Internet. However, if I connect the VPN client (Private Internet Access), neither the Windows 10 laptop, nor the Android tablet can connect anymore. If they were already connected before activating VPN, Internet access stops on both devices. The OnePlus One phone is rooted.
I googled for a solution and I found something with using iptables. The following commands should be pasted in a terminal window under root:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
After these commands, the Windows 10 laptop can access the Internet, even if the VPN connection is active. However, the traffic from the laptop doesn't go through the VPN connection on the phone. If I check the IP address at whatismyip.com from the laptop, I get the T-Mobile ip address. If I do the same thing from the phone, I get the PIA server ip address.
Unfortunately, this solution does not work for the Android tablet. If already connected to the wifi hotspot, before activating VPN on the phone, Internet access stops. If I try to connect the tablet after activating VPN, it gets stuck in "obtaining IP address".
It seems that somehow, the Windows DHCP client knows how to access the DHCP server running on the phone (at 192.168.143.1). However, the request from the Android tablet is probably sent to the Internet, and does not reach the DHCP server (or the DNS server.) I suspect the local network (192.168.143.0/24) should be somehow excluded in iptables, but I don't know how to do that. Also, I'm not sure if I exclude it, the connection from Windows laptop will be affected.
So my main question is:
Is there a solution to access the wifi hotspot on the phone while VPN is active, from BOTH Windows and Android devices?
My second question is:
Is there a solution to direct the network traffic coming from the devices connected to the wifi hotspot, THROUGH the VPN connection running on the phone?
XDA:DevDB Information
Tethering with active VPN connection, Kernel for the OnePlus One
Contributors
alanPr
Kernel Special Features:
Version Information
Status: Testing
Created 2018-07-09
Last Updated 2018-07-09

[GUIDE] Tethering through VPN over USB-OTG-ACA Ethernet /w IPv6 Support

This is a guide for tethering over USB Ethernet adapter. The purpose of this is to reliably USB tether to any router, without the need for a USB port or stable USB/RNDIS support(Broadcom MIPS is particularly bad). USB-OTG-ACA means the phone is powered externally while also operating in host mode. I used a cheap micro-USB Y-cable for this that lets me plug in a power source, USB Ethernet adapter, and phone together. IPv6 is supported via masquerading, so you share public IPs with your phone(thus hiding devices behind it). In this example I tether to a VPN tun0 interface, but you can tether to and from any interface you want.
This guide is targeted to more advanced users, but I included a E5 Play kernel and the files required at the bottom of this post for those who wouldn't be able to try this otherwise.
The first step is to enable the kernel IPv6 NAT table, with iptables and masquerading support. To do this I used LSM Kernel. My device is the E5 Play, steps for other devices are a little different.
https://forum.xda-developers.com/moto-e5/development/kernel-lowspecmoto-kernel-v0-1a-t3882378
These need to be set in james_defconfig. You can also enable any necessary kernel modules for your Ethernet adapter here.
Code:
CONFIG_NF_NAT_IPV6=y
CONFIG_IP6_NF_TARGET_MASQUERADE=y
CONFIG_IP6_NF_NAT=y
I had to disable the WireGuard install script and use jury_rig.sh instead, as well as fix a minor typo in the build script(misspelled and erroneous compile command) and one of the source files (extra const declaration).
The next step is to disable the IPv4 DHCP client for the Ethernet adapter's interface eth0. After a little reverse engineering, I found this state was controlled by /data/misc/ethernet/ipconfig.txt, and there is already a tool I can use to generate configurations.
https://github.com/jhswartz/ipconfigstore
I just feed it an empty static assignment and DHCP is then disabled.
Code:
ipAssignment: STATIC
id: 0
Next was to cross-compile radvd to support RA for IPv6. Modern versions of OpenWRT support spoofing so you don't need this, but everything else requires you run a RA server from the gateway device. I needed to use android-ifaddrs to get around an unsupported feature in the NDK. The version I built expects the config to exist at /sdcard/radvd.conf.
Now comes the scripting to make everything work. I made an application for this, but you can also accomplish this with something like Tasker or even run it manually.
At boot:
*Launch radvd as a root daemon
*Start your VPN
*Delete the file /sdcard/tether.state
*Execute tether.sh as root
On Intent.ACTION_POWER_CONNECTED:
*Execute tether.sh as root
tether.state keeps the script from applying NAT rules more than once, so the connection is just restored when the script is re-ran.
Code:
#!/system/bin/sh
echo 'Waiting for tether interfaces'
for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ] ; then break ; fi
echo "$waitTime"
sleep 1
done
sleep 2
if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ]
then
echo 'Preparing tether interface'
ip link set dev eth0 down
ip link set dev eth0 mtu 1280
sysctl -w net.ipv6.conf.eth0.mtu=1280
sysctl -w net.ipv6.conf.eth0.autoconf=0
sysctl -w net.ipv6.conf.eth0.accept_ra=0
ip addr flush dev eth0
echo 'Setting IP addresses'
ip -6 addr add fd00::1/64 dev eth0 scope global
ndc interface setcfg eth0 192.168.42.129 24 up
echo 'Waiting for interface to come up'
for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
do
if [ "$(cat /sys/class/net/eth0/operstate)" = 'up' ] ; then break ; fi
echo "$waitTime"
sleep 1
done
sleep 3
ip -6 route add fd00::/64 dev eth0 src fd00::1
echo 'Enabling IP forwarding'
ndc ipfwd enable tethering
echo 'Adding marked routes'
ndc network interface add 99 eth0
ndc network route add 99 eth0 192.168.42.0/24
ndc network route add 99 eth0 fd00::/64
ndc network route add 99 eth0 fe80::/64
if [ ! -f '/sdcard/tether.state' ]
then
echo 'Setting up NAT'
touch /sdcard/tether.state
ndc nat enable eth0 tun0 99
ndc ipfwd add eth0 tun0
ip6tables -t nat -N natctrl_nat_POSTROUTING
ip6tables -t nat -A POSTROUTING -j natctrl_nat_POSTROUTING
ip6tables -t nat -A natctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
ip6tables -t filter -A natctrl_FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -m state --state INVALID -j DROP
ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -g natctrl_tether_counters
ip6tables -t filter -A natctrl_FORWARD -j DROP
fi
else
echo 'Skipping operation, USB not connected'
fi
eth0 is the Ethernet adapter and tun0 is the VPN interface. I also use a very similar script to do the same thing with RNDIS, you can setup all kinds of interesting tethering setups with these commands. If you want to run DHCP on the phone for use with a switch or cross-over cable or whatever, this command should work as root:
Code:
dnsmasq --keep-in-foreground --no-resolv --no-poll --dhcp-authoritative --dhcp-range=192.168.42.10,192.168.42.99,1h --dhcp-option=6,8.8.8.8,8.8.4.4 --dhcp-option-force=43,ANDROID_METERED --dhcp-leasefile=/sdcard/dnsmasq.leases --pid-file=/sdcard/dnsmasq.pid --listen-mark 0xf0063
Since this is a powered tethering setup, you probably want to use something to control charging:
https://play.google.com/store/apps/details?id=com.slash.batterychargelimit&hl=en&gl=US
On the router, set it's IP to 192.168.42.1, gateway to 192.168.42.129, DNS servers, and DHCP range to 192.168.42.10-192.168.42.99. Disable IPv6 support if it has it. Don't plug anything into the WAN (yellow) port, the phone connects to LAN.
Moto E5 Play kernel with IPv6 NAT support
https://drive.google.com/file/d/15IDtuuOn60bgw5FHVnoacexe2fjzuHcg/view?usp=sharing
ipconfig.txt, radvd, radvd.conf, tether.sh
https://drive.google.com/file/d/18YL4rYyF9tFu34WI_wzBLNtiUDp9U7_a/view?usp=sharing
I wrote an app to manage this, but it still needs a bit of work to handle custom configurations.
fddm said:
This is a guide for tethering over USB Ethernet adapter. The purpose of this is to reliably USB tether to any router, without the need for a USB port or stable USB/RNDIS support(Broadcom MIPS is particularly bad). USB-OTG-ACA means the phone is powered externally while also operating in host mode. I used a cheap micro-USB Y-cable for this that lets me plug in a power source, USB Ethernet adapter, and phone together. IPv6 is supported via masquerading, so you share public IPs with your phone(thus hiding devices behind it). In this example I tether to a VPN tun0 interface, but you can tether to and from any interface you want.
This guide is targeted to more advanced users, but I included a E5 Play kernel and the files required at the bottom of this post for those who wouldn't be able to try this otherwise.
The first step is to enable the kernel IPv6 NAT table, with iptables and masquerading support. To do this I used LSM Kernel. My device is the E5 Play, steps for other devices are a little different.
https://forum.xda-developers.com/moto-e5/development/kernel-lowspecmoto-kernel-v0-1a-t3882378
These need to be set in james_defconfig. You can also enable any necessary kernel modules for your Ethernet adapter here.
Code:
CONFIG_NF_NAT_IPV6=y
CONFIG_IP6_NF_TARGET_MASQUERADE=y
CONFIG_IP6_NF_NAT=y
I had to disable the WireGuard install script and use jury_rig.sh instead, as well as fix a minor typo in the build script(misspelled and erroneous compile command) and one of the source files (extra const declaration).
The next step is to disable the IPv4 DHCP client for the Ethernet adapter's interface eth0. After a little reverse engineering, I found this state was controlled by /data/misc/ethernet/ipconfig.txt, and there is already a tool I can use to generate configurations.
https://github.com/jhswartz/ipconfigstore
I just feed it an empty static assignment and DHCP is then disabled.
Code:
ipAssignment: STATIC
id: 0
Next was to cross-compile radvd to support RA for IPv6. Modern versions of OpenWRT support spoofing so you don't need this, but everything else requires you run a RA server from the gateway device. I needed to use android-ifaddrs to get around an unsupported feature in the NDK. The version I built expects the config to exist at /sdcard/radvd.conf.
Now comes the scripting to make everything work. I made an application for this, but you can also accomplish this with something like Tasker or even run it manually.
At boot:
*Launch radvd as a root daemon
*Start your VPN
*Delete the file /sdcard/tether.state
*Execute tether.sh as root
On Intent.ACTION_POWER_CONNECTED:
*Execute tether.sh as root
tether.state keeps the script from applying NAT rules more than once, so the connection is just restored when the script is re-ran.
Code:
#!/system/bin/sh
echo 'Waiting for tether interfaces'
for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ] ; then break ; fi
echo "$waitTime"
sleep 1
done
sleep 2
if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ]
then
echo 'Preparing tether interface'
ip link set dev eth0 down
ip link set dev eth0 mtu 1280
sysctl -w net.ipv6.conf.eth0.mtu=1280
sysctl -w net.ipv6.conf.eth0.autoconf=0
sysctl -w net.ipv6.conf.eth0.accept_ra=0
ip addr flush dev eth0
echo 'Setting IP addresses'
ip -6 addr add fd00::1/64 dev eth0 scope global
ndc interface setcfg eth0 192.168.42.129 24 up
echo 'Waiting for interface to come up'
for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
do
if [ "$(cat /sys/class/net/eth0/operstate)" = 'up' ] ; then break ; fi
echo "$waitTime"
sleep 1
done
sleep 3
ip -6 route add fd00::/64 dev eth0 src fd00::1
echo 'Enabling IP forwarding'
ndc ipfwd enable tethering
echo 'Adding marked routes'
ndc network interface add 99 eth0
ndc network route add 99 eth0 192.168.42.0/24
ndc network route add 99 eth0 fd00::/64
ndc network route add 99 eth0 fe80::/64
if [ ! -f '/sdcard/tether.state' ]
then
echo 'Setting up NAT'
touch /sdcard/tether.state
ndc nat enable eth0 tun0 99
ndc ipfwd add eth0 tun0
ip6tables -t nat -N natctrl_nat_POSTROUTING
ip6tables -t nat -A POSTROUTING -j natctrl_nat_POSTROUTING
ip6tables -t nat -A natctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
ip6tables -t filter -A natctrl_FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -m state --state INVALID -j DROP
ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -g natctrl_tether_counters
ip6tables -t filter -A natctrl_FORWARD -j DROP
fi
else
echo 'Skipping operation, USB not connected'
fi
eth0 is the Ethernet adapter and tun0 is the VPN interface. I also use a very similar script to do the same thing with RNDIS, you can setup all kinds of interesting tethering setups with these commands. If you want to run DHCP on the phone for use with a switch or cross-over cable or whatever, this command should work as root:
Code:
dnsmasq --keep-in-foreground --no-resolv --no-poll --dhcp-authoritative --dhcp-range=192.168.42.10,192.168.42.99,1h --dhcp-option=6,8.8.8.8,8.8.4.4 --dhcp-option-force=43,ANDROID_METERED --dhcp-leasefile=/sdcard/dnsmasq.leases --pid-file=/sdcard/dnsmasq.pid --listen-mark 0xf0063
Since this is a powered tethering setup, you probably want to use something to control charging:
https://play.google.com/store/apps/details?id=com.slash.batterychargelimit&hl=en&gl=US
On the router, set it's IP to 192.168.42.1, gateway to 192.168.42.129, DNS servers, and DHCP range to 192.168.42.10-192.168.42.99. Disable IPv6 support if it has it. Don't plug anything into the WAN (yellow) port, the phone connects to LAN.
Moto E5 Play kernel with IPv6 NAT support
https://drive.google.com/file/d/15IDtuuOn60bgw5FHVnoacexe2fjzuHcg/view?usp=sharing
ipconfig.txt, radvd, radvd.conf, tether.sh
https://drive.google.com/file/d/18YL4rYyF9tFu34WI_wzBLNtiUDp9U7_a/view?usp=sharing
I wrote an app to manage this, but it still needs a bit of work to handle custom configurations.
Click to expand...
Click to collapse
For those who don't have a kernel with the network modules you've mentioned, but want to get ipv6 working (thinking of Tmobile) and have access to openwrt router, would adding the mentioned ip6tables command work?
In my router, I added something like this,
ip6tables -t mangle -I POSTROUTING -o usb0 -j HL --hl-set 65
but ipv6 connection didn't work. If I remove that line from the router firewall, then ipv6 connection works but it counts as tethered.
aznxwill said:
For those who don't have a kernel with the network modules you've mentioned, but want to get ipv6 working (thinking of Tmobile) and have access to openwrt router, would adding the mentioned ip6tables command work?
In my router, I added something like this,
ip6tables -t mangle -I POSTROUTING -o usb0 -j HL --hl-set 65
but ipv6 connection didn't work. If I remove that line from the router firewall, then ipv6 connection works but it counts as tethered.
Click to expand...
Click to collapse
One option is to use your phone's native tether and set up IPv6 nat on your router. This will make your iptables rule work and only requires provisioning and dun bypasses on the phone. The downside is your tethered traffic will go through a separate IPv6 address from your phone, so it's more risky.
The other option is to proxy, but getting UDP support is a real hurdle. Ideas are porting Shadowsocks or one of those Socks5 proxies written in Go. Adding UDP support to microsocks is also possible, but way more work. You'd use the Shadowsocks client or transocks-wong on the router to serve clients with no knowledge of the proxy.
Edit: also, what phone/rom/router are you working with?
fddm said:
One option is to use your phone's native tether and set up IPv6 nat on your router. This will make your iptables rule work and only requires provisioning and dun bypasses on the phone. The downside is your tethered traffic will go through a separate IPv6 address from your phone, so it's more risky.
The other option is to proxy, but getting UDP support is a real hurdle. Ideas are porting Shadowsocks or one of those Socks5 proxies written in Go. Adding UDP support to microsocks is also possible, but way more work. You'd use the Shadowsocks client or transocks-wong on the router to serve clients with no knowledge of the proxy.
Edit: also, what phone/rom/router are you working with?
Click to expand...
Click to collapse
I'm working with OnePlus 8 (phone) + GL.iNET MT-1300 (router) on TMO network.
I am able to get USB tethering to work with the router for IPv4. My setup is as follows:
Phone (USB) <---> MT-1300 (router) <---> clients (PC/phones/TVs)
For IPv4, I added the following line to router firewall:
iptables -t mangle -I POSTROUTING -o usb0 -j TTL --ttl-set 65
Click to expand...
Click to collapse
Currently trying to figure out IPv6...
This is the guide to enable nat6 on openwrt:
NAT66 and IPv6 masquerading
NAT66 and IPv6 masquerading This article relies on the following: * Accessing web interface / command-line interface * Managing configs / packages / services / logs Introduction * This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt...
openwrt.org
Make sure usb0 is bridged to wan, not lan. Then your iptables rule will work.

Categories

Resources