Hi Guys
I need some help connecting to Wifi 802.1x with PEAP security at work.
I tried the following steps:
"Open Wi-Fi Settings from Settings, Wireless & Networks
If need be, write down the SSID of the 802.1x network (Case sensitive)
Select Add Wi-Fi network
Enter the SSID, select security 802.1x Enterprise, EAP method is PEAP, Phase 2 authentication is None, CA certificate and Client certificate are N/A, Identity is your RADIUS or Domain Authentication username, Anonymous Identity can be left blank, and Wireless password is the password to match your RADIUS or Domain Authentication password."
But after i finish the above config the SSID network is just saved in my WiFi list. It does not detect the network and connect to it. (it does not show the icon to the right which says the network is broadcasting)
Please help!
any answers???
You could try the FullWifi app. Something in the standard wifi app seems to be defunct at least on my captivate so I'm using the FullWifi app to setup the network.
Give it a shot. Can't hurt.
I run 802.1x encrypted with AES and EAP via a Win 2k8R2 server running NPS (RADIUS) and authenticating via MSCHAPv2 to Active Directory at home. Yeah, I'm kind of a geek.
Anyhow, try this: Delete (or 'forget') your network from Android. Since you said your network is brocadasting the SSID, just chose the right network from the list. Choose the following settings:
EAP method: PEAP
Phase 2 authentication: MSCHAPV2
CA cert: Unspecified (Adding certs to Android is a PITA)
User cert: Unspecified
Identity: <userid> (NOT <domain>\<userid> or any permutation and it is cASe SeNsiTivE).
Anonymous identity: _blank_
Password: <password>
Press Connect.
If this does not work, repeat using different Phase 2 Auth.
If the RADIUS server is Linux, try None, then PAP, then MSCHAP, then MSCHAPV2.
If the server is Windows, try MSCHAPV2, then MSCHAP, then None, then PAP. Try GTC last, as it is the least used that I've seen.
If the server is OS X, then just give up dude. Macs suck so hard that I'm surprised it hasn't swallowed up your network and given everyone that you've ever known cancer.
I really hope this helps.
Awesome fatbas202, your instructions worked for me. The default Phase 2 authentication won't work - TRY "MSCHAPV2" if you want to connect to PEAP wireless network at office/school. Thanks a million!
bking007 said:
Awesome fatbas202, your instructions worked for me. The default Phase 2 authentication won't work - TRY "MSCHAPV2" if you want to connect to PEAP wireless network at office/school. Thanks a million!
Click to expand...
Click to collapse
Word.
10char
The purpose of this post is to explain how to tether with openvpn, which will hopefully avoid ATT's all seeing eyes, as well as prevent any detection during tethering.
All ATT will ever see is encrypted traffic between a connection that is initiated from my phone and ends at my vpn server. So the only way they would be able to determine if you are tethering, is if they are spying on you ala CIQ directly on your device, or your device phones home and tattles on you. That would open up a different can of worms and a **** storm would ensue.
This method requires a number of things.
* Openvpn server (preferably running on a static address, but will work with dynamic DNS services) with a reliable connection. I use a VPS server for $25 a month, but it is fast and reliable.
* Openvpn on your phone (any will work as long as it has the tun driver or tun built into the kernel(
* Some sort of gateway (your openvpn server can be running on it as well, or a seperate host), I use Freebsd/Openbsd. For linux, your on your own to figure out NAT and gateway functions.
Really, that is about it.
My Openvpn server config, you can set it up any way you like, but certain statements are required, specifically those in the hashed out box if you want your subnets to talk to each other, and route the traffic
Code:
port ****
proto tcp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vps.server.crt
key /usr/local/etc/openvpn/keys/vps.server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.150.0 255.255.255.0
ifconfig-pool-persist ipp.txt
mode server
client-to-client
client-config-dir ccd
###############################################
# my phone and home subnets, can be any RFC1918 address space
# Advertise and note your home subnets in this section, unless you
# do not want the various subnets to talk to each other, then you
# can also remove the client-to-client statements
###############################################
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
route 192.168.43.0 255.255.255.0
###############################################
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
My client config on my phone (change the remote statement to match your openvpn server host and port)
Code:
client
proto tcp
dev tun
remote vpn.example.com 1234
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
/usr/local/etc/openvpn/ccd is where I have my client specific configs (match the location to that identified in the server.conf file for your vpn server). I also use certificates unique to each host that connects to my vpn, the names of the files in the "ccd" directory must match the name you gave the device when you created your certificates. I use easy-ssl to manage my certs.
for my phone, which I named "galaxy_s" I have the following (note the DNS option is optional, I was having problems with it so I just hardcoded 8.8.8.8, googles dns server into my network settings on my laptop)
/usr/local/etc/openvpn/ccd/galaxy_s
The iroute statement just tells the openvpn server what subnets you have behind your device, in this case the phone. I am guessing all of the android phones use 192.168.43.x as the NAT'd subnet, otherwise change it to whatever your phone is assigning.
Code:
push "redirect-gateway"
push "dhcp-option DNS 192.168.15.1"
iroute 192.168.43.0 255.255.255.0
The rest of the configurations are related to your primary gateway, which in my case also runs the openvpn server. I am using freebsd and pf, the configs needed for that are essentially natting statements, and firewall rules.
for pf, the following rules are what I use
I also trust all the traffic on my tun0 device, so I told pf to ignore it and pass all traffic
Code:
nat on $int from 192.168.150.0/24 to any -> $int/32
nat on $int from 192.168.43.0/24 to any -> $int/32
set skip on tun0
Hopefully this is useful to other folks, if not, let it be buried
THanks for an EXCELLENT guide!
Quick question. When I use this server conf file, my ssh on my local network hangs up and goes down.
In other words:
I am running openvpn on a home linux server. It is connected through a home router to the internet and has a network set up at 192.168.1.0.
Router is 192.168.1.1,
vpn server is on 192.168.1.51.
If I start openvpn, I cannot ssh from a local network (192.168.1.81) laptop. If I turn off openvpn I can. I changed your 192.168.15.0 addresses in server conf file to 192.168.1.0. I have a feeling it has to do with that.
Well, yes, you will need to modify the configs to suit your own address scheme. As for why you cannot ssh, I am not sure, is that .81 device on the same network as the openvpn server, or are you coming from a different network.
My setup has the gateway the same as the openvpn server simply due to the fact that I am using a Virtual Private Server (VPS) and I only have that as the 1 external static system.
I would check the route statements, I'm not sure, but you might have a routing loop that would be causing the problem, can you traceroute or ping, or use any other protocol/application to see if you can connect). If you set the default gateway of the openvpn server as the .1 address, and then you are trying to connect to another internal address, the .81, when you ssh from whatever device is connected to the openvpn server, it may attempt to connect to the gateway at .1 and then return back into your network to .81.
I could be wrong, it is hard to tell when you are not sitting at the actual systems.
Got it to work! Here's some tips for others
Thanks again for your help jvanbrecht. Last night I was able to sit down, get a better understanding of how it worked via openvpn's HOWTO, and get it running.
I did need to make a few mods for it to work in my configuration (as is expected since very few network configs are the same).
My configuration:
Single home network, say on 192.168.15.0.
Single router, at 192.168.15.1.
Home server hosting VPN on 192.168.15.51. It is running Ubuntu Maverick.
Skyrocket on subnet 192.168.43.0
My modifications:
Since I don't need direct access between VPN clients and my home subnetwork, in the server config I commented out:
Code:
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0
It was giving me some problems SSHing into my home server from a local network machine so this was the quick fix.
Initially it wasn't routing ALL traffic, just that directed from VPN client to the VPN server. So I added this to the server conf:
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.150.1"
In my home (tomato) router, I just port forwarded any TCP traffic on 1194 to the home server (192.168.15.51)
I think openvpn does this already. But just in case, I added an iptable nat entry to forward packet from VPN network to eth0 (my NIC). As root:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And I added the following entry to /etc/rc.local so it persists on restart.
Code:
iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -o eth0 -j MASQUERADE
Some debugging tips for others
Simplest way to verify HTTP traffic is being forwarded is, after connecting to vpn from phone, go to www.whatismyip.com. Make sure it matches your phone.
If you are having trouble connecting to the VPN, watch the openvpn log for errors. "tail -f /var/log/openvpn/openvpn.conf"
After connecting, make sure you can ping from your home server to the phone.
From Server: "ping 192.168.150.10"
From Phone: Open Terminal Emulator and type "ping 192.168.150.1"
You can also validate the traffic is forwarding through VPN by using traceroute. You can test both forwarding and DNS
From Phone: Open Terminal Emulator, type
Code:
su
For no-DNS test first:
Code:
traceroute 74.125.115.104
For DNS test:
Code:
traceroute www.google.com
For each, do your tests on the cell network (NOT home wifi) and verify that the route passes through your vpn server and doesn't bypass it completely.
Lastly to make sure traffic is being piped, you can monitor VPN traffic from your openvpn server by typing:
Code:
tcpdump -i tun0
jvanbrecht:
Do you have any recommendations about dropped connections? I noticed while testing that sometimes my openvpn connection would drop and my phone browsing would immediately default to the direct default cell provider connection.
Of course if tethering, this could be very bad.
Any tips on ensuring that if VPN is enabled, but no connection, that it won't ever try and route around it?
would using any vpn do the same thing? or something making this special ? any one tested this ?
It's been a few weeks since I tried the openvpn app. Back then everything seemed to be working well. But I tried again today and am having problems.
- I can access everything fine via vpn if my phone is connected to my local wifi where the vpn server resides.
- I can access IP addresses (e.g. the ip address of google.com) if connected to vpn via AT&T's 3G network
- I CANNOT access websites by their name (e.g. www.google.com) anymore.
It seems the DNS forwarding over VNC is messed up. Any tips on what the problem could be?
I still have the same settings as above, e.g. push "dhcp-option DNS 192.168.150.1"
Is it possible I need to do any additional configuration on my phone?
Is it possible to replace my router DNS address with a public one like google's "8.8.8.8" or "4.2.2.2"?
Any tips greatly appreciated!
Deleted. Please ignore. Still having issues.
So I had the opportunity to play around with my config (listed above) a bit more this evening. I was at a location where I had good external WiFi (Panera) along with 3G.
If I connect from my phone to my home VPN server over EXTERNAL WIFI (Panera), I have no problems with VPN. everything works flawlessly.
If I connect from my phone to my home VPN server over AT&T 3G network, it fails. Essentially it can't resolve any DNS queries. I can type in a website's IP address and surf that way, but I can't say type in "www.cnn.com" and get a page to load.
For the latter, when I watch the web queries using "tcpdump -i tun0", I see the requests go out from my phone to the websites, but they don't come back. For example, I see:
"192.168.150.10 > a.b.c.d (www.cnn.com)",
but I don't see:
"a.b.c.d (www.cnn.com) > 192.168.150.10"
Is it possible that AT&T is somehow blocking VPN via DNS? At first I thought my openvpn dns settings were messed up ... but it works across external wifi no problem.
---------- Post added at 01:24 AM ---------- Previous post was at 01:07 AM ----------
For those that are interested in the future, I think I narrowed down the issue:
It seems VPN connectivity is dependent on the AT&T Access Point Network (APN)
By default for my Skyrocket I was on the AT&T PTA APN wit settings:
Code:
APN: pta
MMSC: http://mmsc.mobile.att.net
MMS proxy: proxy.mobile.att.net
MMS Port: 80
...
I then switched to what is called the "AT&T Expanded" APN with settings:
Code:
APN: wap.cingular
User Name: [email protected]
(rest of settings somewhere here on xda ...)
... and that one worked perfectly.
I switched back and forth a few tiimes to confirm. It seems on pta, I can't resolve DNS over VPN. For the wap.cingular, I have no problems.
Anyone else can confirm this is most likely the issue I am seeing and that it can possibly make sense?
Synopsis:
Need to bypass corporate web proxy for unfiltered Internet access. Google Chrome is the preferred and tested browser, but Firefox should work as well. Corporate environment utilizes an automated global proxy setting, which must be bypassed using run-time arguments. Since I have a Squid proxy running at home on my cable connection, all I need to do is establish a port-forwarding tunnel from my phone to my house, then another from my laptop to my phone. This will allow me to browse the web and proxy any traffic through my phone to my proxy server at home, around our corporate proxy and firewall. The phone utilizes a DSL connection typically used for testing and other non-business traffic and is isolated from the corporate LAN.
Requirements:
A Web Proxy (Squid instance or other third-party available)
Atrix 2 Rooted (others not tested)
SSHDroid from Google Play
BusyBox (with ssh binary)
Google Chrome or Firefox
Putty SSH Client for Windows or other SSH client software AND a familiarization with SSH tunneling.
Procedure
On the Atrix 2, be sure 'Motorola Phone Portal' mode is configured for the USB connection. This will tell the phone to assign an IP address to the USB interface of the phone. In my case, it is 192.168.16.2. Once that is done, connect your phone to your PC via the USB cable. This may auto-launch IE on your desktop to your phone to the web portal on port 8080 and is not necessary.
On the Atrix 2, launch SSHDroid to enable inbound SSH connections. No special settings were configured in that app for any of this to work.
On your PC, manipulate your Chrome shortcut to use different proxy settings than the default. By default Chrome utilizes the Internet Settings on the PC, so this is necessary if you already have a proxy defined at the OS level. To do this, you must create a new shortcut to Chrome, then right-click on that shortcut, go to properties, and change the 'Target' field to include this information:
--proxy-server="localhost:3128" (don't forget the quotes)
Be sure to use this shortcut to launch Chrome or you will continue to use the OS-level Internet Settings.
Now, launch the Putty SSH client and create a new SSH session to your Android device. Enter the appropriate connection information, and under the Connection/SSH/tunnel section, define the port forward information for the web proxy. In my case I set it to port 3128 forwarding to 192.168.16.2:3128. Save this session. This will tell your PC when the SSH session is established to set up local TCP port 3128 to listen for requests, then forward them to the Android phone across the USB connection on the same port.
Try to connect to your SSH server on your phone. By default, the username is 'root' and password is 'admin' for SSHdroid. You should now be successfully logged into your phone.
In the Putty SSH session on your phone, you will now have to launch a command-line SSH session where you will establish the real tunnel to the real proxy server. Enter 'ssh <REMOTE SSH USERNAME>@<REMOTE SSH HOST> -L <IP OR HOSTNAME OF PROXY>:<PROXYPORT>:<USB NETWORK IP ADDRESS>:<LOCAL PROXY PORT>' (without quotes) to establish the SSH tunnel. Here is what my connection (sanitized) looks like. You can also run 'ssh -?' to get an idea of command-line options for the ssh binary.
ssh [email protected] -L 192.168.1.1:3128:192.168.16.2:3128
This will set your phone to listen on TCP port 3128 on the 192.168.16.2 interface and forward any requests to 192.168.1.1 on the same port. It is important to specify the USB interface as by default it will only set up connections on the localhost (127.0.0.1) interface, which won't accept connections from other remote hosts.
Finally, launch Chrome using the shortcut you created and you should now be sending all web traffic out the USB interface and through your phone to your remote proxy server. You can verify this by connecting to a resource such as your home Internet router on the LAN interface to verify. If you are running Squid at home, you should also be able to view your /var/log/squid/access.log and see your requests.
I have not tested remote web proxies or other methods, but in principle it should work.
Feedback and ideas for improvement are welcome!
I just USB tether and use Tunnelier (because putty does not have auto reconnect) and Proxifier (so I don't have to set the proxy settings in each application I want proxied)
I have created a L2TP VPN server. I want to use it easily on my phone. I know I can set VPN from Settings--> more --> vpn but it is not my favorite method. Because it is really annoying! I need a free simple application without advertisement to set my L2TP credentials and manage it from the app. The built in vpn configuration is really annoying; when I disconnect wifi I have to connect it manually, if I activate 'always on vpn' it disconnects with my wifi network up and down. I formerly used Psiphon with an HTTP server which I created. I need an app like Psiphon in order to set my L2TP configurations and manage it easily. I installed strongSwan but it does not support L2TP/IPSec PSK.