[Q] I9000 and OpenVPN - Galaxy S I9000 Q&A, Help & Troubleshooting

Hi all!
I'm trying to connect my I9000 with OpenVPN server in my LAN using OpenVPN Settings. All configuration files seem to be correct, because connection is up, but no packet (even ICMP) goes through the tunnel. I have added special configuration to server's CCD folder for my I9000, but nothing changed. When I type in Terminal Emulator
Code:
ip route
I get the following:
Code:
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.102
default via 192.168.2.1 dev eth0
192.168.2.0/24 is my home network. VPN Server's address is 10.8.0.1 (192.168.2.200 in my LAN).
when I type in Terminal Emulator
Code:
ifconfig tun0
I get
Code:
Cannot assign requested address
I have another device Desire HD, and on this one OpenVPN works correctly.
When I type
Code:
ip routes
in Terminal Emulator, I have:
Code:
10.8.0.5 dev tun0 src 10.8.0.6
192.168.2.0/24 dev eth0 src 192.168.2.100
10.8.0.0/24 via 10.8.0.5 dev tun0
default via 192.168.2.1 dev eth0
All problems seem to be in routes and gateway settings. How can I add proper routes and gateway on my I9000? What's wrong? Can anybody help me?
Thanks

Solved
I solved all problems with OpenVPN by flashing CyanogenMod on I9000.

Related

IPv6 Privacy Extensions

I just tested Privacy Extensions successfully under Virtuous 3.2.0 using the following command:
sysctl -w net.ipv6.conf.default.use_tempaddr=2
However I'd like to make the change permanent. Would it be better to create /etc/sysctl.conf which currently does not exist on my device, or add it to the /sys/module/ipv6/parameters directory? I tried the latter, but was unable to create the file. Any ideas?
# pwd
/sys/module/ipv6/parameters
# echo 2 > use_tempaddr
cannot create use_tempaddr: directory nonexistent
code.google.com/p/android/issues/detail?id=14013
I'm on a Galaxy S but it doesn't matter.
I used the command from there https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125
on adb:" echo 2 >/proc/sys/net/ipv6/conf/all/use_tempaddr" but I get the error:
"cannot create /proc/sys/net/ipv6/conf/all/use_tempaddr: directory nonexistent"
I made a textfile in windows and named it "use_tempaddr" and wrote "2" in the textfile. Removed the *.txt extension and copied it to /mnt/sdcard on my GalaxyS.
Then I made "busybox cp /mnt/sdcard/use_tempaddr /proc/sys/net/ipv6/conf/all/use_tempaddr" but I get the error: "cp: can't create '/proc/sys/net/ipv6/conf/all/use_tempaddr': No such file or directory"
Pls, help me how to get that file working.
You could use a sysctl.conf in /system/etc, just follow the steps here:
http://forum.xda-developers.com/showthread.php?t=814463
Very simple
failed to copy 'sysctl.conf' to '/system/etc/sysctl.conf': Permission denied
Why?
Can I do "adb shell" instead, then "su" to have access? But what is the command from inside adb shell instead of adb push?
EDIT: I pushed it to /mnt/sdcard but I can't copy it to /system/etc with Astro, the paste option is grayed out
EDIT2: Ok it worked. I downloaded "super manager" from the android market, and activated the root (rights) function of super manager.
Edit3: But going to for example http://test-ipv6.com on my Android device does show the MAC in the ipv6 address. So it didn't work
EDIT4: Another thing is, the Android Browser of Android 2.2 seems to only support ipv4
Polarfuchs said:
failed to copy 'sysctl.conf' to '/system/etc/sysctl.conf': Permission denied
Why?
Can I do "adb shell" instead, then "su" to have access? But what is the command from inside adb shell instead of adb push?
EDIT: I pushed it to /mnt/sdcard but I can't copy it to /system/etc with Astro, the paste option is grayed out
EDIT2: Ok it worked. I downloaded "super manager" from the android market, and activated the root (rights) function of super manager.
Edit3: But going to for example http://test-ipv6.com on my Android device does show the MAC in the ipv6 address. So it didn't work
You need root to modify the system partition.
Did you "sysctl -p" after the transfer? If not, open a terminal on your phone (or adb, whichever you prefer), and type that. The command should output the contents of your sysctl.conf
If that is successful, reboot, then try the website again.
If I enter sysctl -p it says sysctl:not found
if I enter sysctl.conf -p it says sysctl.conf: not found
But when I cd to /system/etc and do "ls" i can see the sysctl.conf file is present.
btw: I'm rooted.
Polarfuchs said:
If I enter sysctl -p it says sysctl:not found
if I enter sysctl.conf -p it says sysctl.conf: not found
But when I cd to /system/etc and do "ls" i can see the sysctl.conf file is present.
btw: I'm rooted.
Try:
Code:
busybox sysctl -p
Usually the update-script used to install roms will symlink this for you, but in this case, it's just one extra word lol.
Code:
$ export PATH=/data/local/bin:$PATH
$su
# busybox sysctl -p
sysctl: error: 'net.ipv6.conf.all.use_tempaddr' is an unknown key
#
hm.....
That's the extent of my knowledge sorry to say. Not too familiar with all of this
I hope someone can solve your issue!
Just for a sanity check, you could try looking at what is allowable in the context of your dinc: // I only looked at eth0, you can look at whatever you like using enough terms to get you into the neighborhood.
(from adb)
bash-3.2# sysctl -A | grep "net.ipv6.conf.eth0."
sysctl -A | grep "net.ipv6.conf.eth0."
sysctl: error reading key 'net.ipv4.route.flush': Permission denied
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.eth0.mtu = 1500
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.dad_transmits = 1
net.ipv6.conf.eth0.router_solicitations = 3
net.ipv6.conf.eth0.router_solicitation_interval = 4
net.ipv6.conf.eth0.router_solicitation_delay = 1
net.ipv6.conf.eth0.force_mld_version = 0
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth0.temp_valid_lft = 604800
net.ipv6.conf.eth0.temp_prefered_lft = 86400
net.ipv6.conf.eth0.regen_max_retry = 5
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.eth0.max_addresses = 16
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
net.ipv6.conf.eth0.router_probe_interval = 60
net.ipv6.conf.eth0.proxy_ndp = 0
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv6.conf.eth0.optimistic_dad = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.accept_dad = 1
sysctl: error reading key 'net.ipv6.route.flush': Permission denied
bash-3.2#
So, maybe this line is of interest:
net.ipv6.conf.eth0.use_tempaddr = 0
-- I could echo 1 into the /proc FS spot you were trying to, as well as setting tempaddr=2. I am just guessing that some of the kernels aren't using built in ipv6, so maybe you've got to load the module? "modprobe ipv6"?
I'm also guessing you've tested something easy like "# ping6 -c 4 ::1" just to be sure ipv6 is alive at all.
Just some thoughts - Hashi
ping6 does show that:
Code:
$ export PATH=/data/local/bin:$PATH
$su
# ping6 -c 4 ::1
ping6: not found
# busybox ping6 -c 4 ::1
PING ::1 (::1): 56 data bytes
64 bytes from ::1: seq=0 ttl=64 time=0.191 ms
64 bytes from ::1: seq=1 ttl=64 time=0.924 ms
64 bytes from ::1: seq=2 ttl=64 time=0.968 ms
64 bytes from ::1: seq=3 ttl=64 time=0.198 ms
--- ::1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.191/0.570/0.968 ms
#
grep doesn't exist on the phone:
Code:
export PATH=/data/local/bin:$PATH
$ $su
# busybox sysctl -a | grep "net.ipv6.conf"
grep: not found
sysctl: error reading key 'net.ipv4.route.flush': Permission denied
sysctl: error reading key 'net.ipv6.route.flush': Permission denied
#
And modprobe ipv6 gives:
Code:
export PATH=/system/xbin:$PATH
$ $busybox modprobe ipv6
modprobe: chdir(2.6.32.9): No such file or directory
$
EDIT: "lsmod" doesn't show ipv6
and "insmod ipv6" says "can't open 'ipv6'"
Just a couple things since I've got to run now:
1) No grep on phone: I think it's just another bit of busybox. If you type in busybox and <enter>, then you should see a huge list of verbs / cmds, and you can use "busybox" <verb> (or for grep busybox grep) instead of grep.
2) modprobe ipv6 fails: I hadn't really studied android much yet, so now I see that ipv6 is most often compiled into the kernel, not a module, so my mistake. It is unlikely to be a module except on some early kernel or if someone really wanted it to be.
3) ping6 ::1 returns, is a good, but very embryonic good sign.
4) What are you after? Stateless configuration (DHCP for IPv6 only unique?). Have you had IPv6 working after any fashion (say with a "2001::xxxx:yyyy::z" homebrewed unique address working at all yet)? Another thing: Are you behind some IPv6 unfriendly firewall or are you using 3g? If you're on wifi and say, behind an ATT UVerse setup, you are going to have to use a 6to4 tunnel to get anywhere. (hey, what's another 30 ms? )
--- I'm an IPv6 fan, but only really know configuring it on Cisco routers and true linux boxes thus far. -----
If you're in what maybe is the best of worlds on wifi over a dd-wrt setup, then try to configure an IPv6 tunnel on the firewall on the Outside and see if you can hit that with IPv6. Gotta start somewhere.
Hashi
I use a AVM Fritzbox 7240 with freetz image.
My ISP doesn't use IPv6 yet but the fritzbox router automatically negotiates if 6to4 is necessary. And because my ISP still has no ipv6 the router uses 6to4.
Another setting in the router config is, that the router addresses 'unique local addresses' to the network device as far as no ipv6 connection is present.
That setting can be changed too.
I'm not a professional network administrator, but I wanted to test ipv6 for the router. And I want to use the privacy extensions on android, because without them the MAC is shown on for example www.test-ipv6.com. Ipv6 does work on android but without privacy extensions at default.
Ah yes, I connect my android device via wifi to the router.
So, if ipv6 is built into the kernel, is there a way to set the use_tempaddr setting? Maybe via a file like rc.custom or how these files are called that load things at boot up.
Polarfuchs said:
I use a AVM Fritzbox 7240 with freetz image.
My ISP doesn't use IPv6 yet but the fritzbox router automatically negotiates if 6to4 is necessary. And because my ISP still has no ipv6 the router uses 6to4.
Another setting in the router config is, that the router addresses 'unique local addresses' to the network device as far as no ipv6 connection is present.
That setting can be changed too.
I'm not a professional network administrator, but I wanted to test ipv6 for the router. And I want to use the privacy extensions on android, because without them the MAC is shown on for example www.test-ipv6.com. Ipv6 does work on android but without privacy extensions at default.
Ah yes, I connect my android device via wifi to the router.
So, if ipv6 is built into the kernel, is there a way to set the use_tempaddr setting? Maybe via a file like rc.custom or how these files are called that load things at boot up.
OK: It sounds like you made a lot more progress than me on the droid if you got it working with any outside site with IPv6. One thing I notice is that although it "appears" I can set use_tempaddr, I then realized that no matter what I type in, it is usually echoed back to me on the command line, so that I have no idea if it was really set. I'm too new to the Dinc to know what it'll do and won't re ipv6.
It turns out I wasn't setting it using sysctl, but I was able to echo 2 > /proc/*/.../use_tempaddr, and that would show up in a 'cat /proc/*' statement. I don't think it actually is working on my ROM or that I haven't yet figured out how to transform the linux statements I'm comfortable with into the watered down droid busybox equivalents. I'm really not seeing much indication other than a few little hopeful things, that ipv6 is fully enough supported on my rev of software to get anywhere.
However, now I'm pretty interested in this and will be working on an ipv6 setup (just got an actual /48 block at work) so will be keeping this in mind.
I'm curious now to know what series of statements you used to get far enough to hit www.test-ipv6.com with ping6? (or did I get that wrong?)
There is a bug filed in the google codebase that implies that ipv6 just isn't working yet, but it looks fairly old. It may be pre-2.2. It is an enhancement request that is still alive and asking for ipv6 support in android, so I'm really interested in what you did before to get it working.
By the way, my results from test-ipv6.com are pretty bleak. 10/10 for ipv4 and 0/14 (I'm forgetting the exact numbers). That was after a lot of setup and attempting to do this the way I'd do a linux box. I do believe it's in the kernel, and sysctl -a seems to bear that out.
I did manage to figure out how to make a dinc kernel tonight, so I can get a better look now at the ipv6.c code and make sure it's in the config. This little linux box is really confusing me right now
Thanks -- Hashi
I didn't do much.
I have android 2.2 which already supports ipv6 but no privacy extensions.
ipv6 worked from the start.
Ipv6 does show me a 7/10 on my win7 pc.
But with my galaxy S android device it shows 0 or 2 (I don't remember)
I think the installed browser of android 2.2 doesn't support ipv6 yet.
I have made screenshots to compare ipv6 on win7 and on the android device via wifi.
Do you think the results for my android device on test.ipv6.com appear like that, because the browser doesn't show ipv6 sites, or do the results mean that I have an ipv6 address through 6to4 but my android device doesn't accept ipv6 yet?
Polarfuchs said:
I didn't do much.
I have android 2.2 which already supports ipv6 but no privacy extensions.
ipv6 worked from the start.
Ipv6 does show me a 7/10 on my win7 pc.
But with my galaxy S android device it shows 0 or 2 (I don't remember)
I think the installed browser of android 2.2 doesn't support ipv6 yet.
I have made screenshots to compare ipv6 on win7 and on the android device via wifi.
Do you think the results for my android device on test.ipv6.com appear like that, because the browser doesn't show ipv6 sites, or do the results mean that I have an ipv6 address through 6to4 but my android device doesn't accept ipv6 yet?
I'll look around for the write-up(s) I found over the last day or two about various androids and ipv6, and they'll perhaps answer some of your questions, like the browser. This is the gist of what I got from reading.
Some 2.2+ androids support (marginally) the ipv6 stack, tunneled AND dual-stack. A couple people can get 'outside' using ipv6, and a couple more can 'browse' ipv6-only websites. The browser isn't the problem. At some low level on my Incredible, the stack doesn't "see" ipv6 addresses as "valid". I think that means it just has some holes left in it. You've got a 'newer' device (Samsung), so this may have been improved.
My scores are 10/10, ipv4, and 0/24? ipv6, and from a 0 score there's nothing it can tell you of use. It just doesn't work. Yours looks very promising.
One thing I'm wondering about is whether I've got a version of busybox that is sadly lacking in ipv6 functionality. All the network applets come out of that single executable. I've got busybox 1.16.0, and am curious which you've got. I could change busybox's version easily, in fact you can go to busybox.net, get source, fix it up, use toolchains and build it.
Also, life is easier if you just install it (./busybox --install .) since it'll make a symlink for each function in whatever folder it was in (like /system/xbin is pretty empty and on my path).
Let us know when you get it running. I'll do the same. Another thing missing in mine is ipv6 DNS. I have ipv6 DNS setup at work, and if I point it to that DNS server using "setprop x.y.sit1.DNS.*" (sorry, don't recall the exact setup procedure), then it still will not resolve ipv6 addresses. Nslookup (type=AAAA) doesn't work correctly either. Mine is heavily hacked stock 2.2 with a custom kernel. I just blew all the 'sense' layer away for the sake of battery life.
-- H
I use a cooked rom, not the official samsung 2.2
It has had busybox 1.16 installed.
But I went to the market and installed the app "BusyBox Installer" which then installed BusyBox 1.17.1 for me.
Sorry for not subscribing to my own thread, I had this problem licked back in January....at least on my Droid Inc. The problem is that /system is mounted as read-only. You need to remount with RW permissions and then copy or vi sysctl.conf to /system/etc/
skyblaster said:
Sorry for not subscribing to my own thread, I had this problem licked back in January....at least on my Droid Inc. The problem is that /system is mounted as read-only. You need to remount with RW permissions and then copy or vi sysctl.conf to /system/etc/
Thanks for checking back. I'd still like to get this working on my own Inc. The case I'm most interested in is probably using 3g rather than wifi. Do you have an idea whether the Verizon 3g supports ipv6? I know we should be able to get it working in, for example, a dd-wrt flashed router, but it would be nice to be able to use ipv6 when there's no handy wifi.
Thanks - Hashi
Thx for the feedback.
I remounted system rw (can be done easily with "SGS Toolbox", or manually)
Ifconfig shows as long as wifi is turned on, there is an interface called eth0.
I added to the sysctl.conf this: "net.ipv6.conf.eth0.use_tempaddr=2"
I rebooted and ifconfig shows an ipv4 and ipv6 address.
But www.test-ipv6.com shows 0/10 at the ipv6 rating.
EDIT: Does /system have to be kept rw or can I change it to Read-only after placing the sysctl.conf?
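An added example, not part of the thread: the posters judge privacy extensions by whether test-ipv6.com shows the MAC, and this script makes the same check locally by flagging global addresses whose interface identifier is MAC-derived (modified EUI-64, `ff:fe` in the middle) and printing the MAC they expose. The function names and the sample `ip -6 addr` text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find IPv6 addresses that embed the MAC.
# Function names and SAMPLE_IP6 are constructed for illustration.

# Expand an IPv6 address (without /prefix) to eight zero-padded lowercase groups.
expand_ipv6() {
    printf '%s\n' "$1" | awk '
    function pad(g) { return substr("0000" g, length(g) + 1) }
    function ok(g)  { return g ~ /^[0-9a-f]+$/ && length(g) <= 4 }
    {
        n = split(tolower($0), half, "::")
        if (n < 1 || n > 2) exit 1             # empty input or more than one "::"
        nl = (half[1] == "") ? 0 : split(half[1], L, ":")
        nr = (n < 2 || half[2] == "") ? 0 : split(half[2], R, ":")
        if ((n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) exit 1
        out = ""
        for (i = 1; i <= nl; i++) { if (!ok(L[i])) exit 1; out = out pad(L[i]) ":" }
        if (n == 2) for (i = nl + nr; i < 8; i++) out = out "0000:"
        for (i = 1; i <= nr; i++) { if (!ok(R[i])) exit 1; out = out pad(R[i]) ":" }
        print substr(out, 1, length(out) - 1)
    }'
}

# Print the embedded MAC and return 0 if the interface identifier is modified
# EUI-64; return 1 if it is not, 2 if the address does not parse.
# (A random identifier matches by chance only once in 65536.)
eui64_mac() {
    e_full=$(expand_ipv6 "${1%%/*}") || return 2
    e_iid=$(printf '%s\n' "$e_full" | cut -d: -f5-8 | tr -d ':')
    case "$e_iid" in
        ??????fffe??????) ;;
        *) return 1 ;;
    esac
    # Undo the universal/local bit flip (0x02) applied to the first MAC octet.
    e_b=$(printf '%s\n' "$e_iid" | cut -c1-2)
    e_first=$(printf '%02x' "$((0x$e_b ^ 2))")
    e_rest=$(printf '%s\n' "$e_iid" |
        sed 's/^..\(..\)\(..\)fffe\(..\)\(..\)\(..\)$/\1:\2:\3:\4:\5/')
    printf '%s:%s\n' "$e_first" "$e_rest"
}

# Read `ip addr` / `ip -6 addr` text on stdin; report every global inet6 address.
audit_ip6_output() {
    while read -r a_kw a_addr a_rest; do
        [ "$a_kw" = "inet6" ] || continue
        case "$a_rest" in *"scope global"*) ;; *) continue ;; esac
        if a_mac=$(eui64_mac "$a_addr"); then
            echo "LEAKS-MAC $a_addr $a_mac"
        else
            echo "OK $a_addr"
        fi
    done
}

# On a device: use_tempaddr per interface (0 = off, 1 = generate temporary
# addresses, 2 = generate and prefer them), or "missing" where the kernel does
# not expose the key, as with the "unknown key" error in the thread.
tempaddr_status() {
    for t_dir in /proc/sys/net/ipv6/conf/*/; do
        [ -d "$t_dir" ] || { echo "ipv6 conf: missing"; return 0; }
        t_if=$(basename "$t_dir")
        if [ -r "$t_dir/use_tempaddr" ]; then
            echo "$t_if use_tempaddr=$(cat "$t_dir/use_tempaddr")"
        else
            echo "$t_if use_tempaddr=missing"
        fi
    done
}

# Constructed sample (documentation prefix 2001:db8::/32, made-up MAC).
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2001:db8:1:2:221:2fff:feb5:6e10/64 scope global dynamic
    inet6 2001:db8:1:2:5c3a:9101:12d4:77ab/64 scope global temporary dynamic
    inet6 fe80::221:2fff:feb5:6e10/64 scope link'

printf '%s\n' "$SAMPLE_IP6" | audit_ip6_output
```

On a device, `ip addr | audit_ip6_output` gives the same report for live addresses, and `tempaddr_status` shows whether the key exists for each interface.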

[Q]Modify Milestone's MAC address

Hi Experts,
Is it possible to modify my milestone's WIFI MAC address?
How to do this?
Thanks!
You can try
ip link set dev <interface> addr <MAC>
or
ifconfig <interface> hw ether <MAC>
but for me it didn't work. Only got a SIOCSIFHWADDR or "bad address hw".
(interface is tiwlan0)
Redh3ad said:
You can try
ip link set dev <interface> addr <MAC>
or
ifconfig <interface> hw ether <MAC>
but for me it didn't work. Only got a SIOCSIFHWADDR or "bad address hw".
(interface is tiwlan0)
I have tried, what I use is "busybox ifconfig", it seems to work in the terminal session but when I go back to the system information to check if it works, the MAC is still the old one.

Openvpn

One of the top reasons I wished root was openvpn. Anybody knows about working binary and TUN/TAP driver for D3? If yes, it could save me time, if not I'll build it over the weekend. TIA.
Since the sources are available, we just need somebody bright enough to compile the module against those sources. I am sure it is coming shortly. That's the sole reason I would use root too.
Not a big problem, I'll do it later.
Even if you built the driver using the moto source code, I don't know if you could inject the driver into the kernel area anyway. I'm pretty new to Moto Android, but doesn't the locked bootloader prevent tampering with the kernel?
You only need to be root to load kernel modules. It's not a new kernel.
I see, so you plan on loading the module manually every time? what a pain. I guess its a small cost compared to the alternative.
If you use OpenVPN Settings, it will load the kernel module for you.
I must say though, Motorola did a good job expanding on Android's VPN support. I was able to connect to my IPSEC VPN, stock, unlike every other Android phone I've had.
It looks like the tun driver is built into the stock kernel. I built the kernel from Moto's source and in its .config, tun is set to be compiled in the kernel.
So to verify this, I installed the openvpn binaries using OpenVPN Installer from the market and tried giving it a whirl. It connected and created a tun device, but failed on running ifconfig and route. Not sure where its pulling these bins from, but links in both bin and xbin point to busybox.
I can configure tun0 and the routing table manually and successfully pass traffic through the tunnel. This isn't ideal, so I'd like to find out why openvpn is unable to use these tools. Any ideas?
First thanks, you are right, tun/tap is built-in. I wouldn't have expected this.
Second, could you please point me to .config? I must be blind, I cannot find it.
I see the same strange behaviour as you. However it doesn't bother me much, because I write a start script anyway.
I can only imagine there is something wrong with the binary of OpenVPN Installer. I found a hint to this:
http://code.google.com/p/android-openvpn-installer/issues/detail?id=2
However I tried the workaround with the symlink to /system/xbin/bb, it didn't work either.
It is surprising to see tun built in - I wonder if they were considering adding OpenVPN support out of the box.
You're probably right that there's something wrong with the OpenVPN Installer binaries. I made a script in GScript for the time being, but prefer using OpenVPN Settings.
.config is nowhere to be found, but it is generated when the Moto kernel source is built. Now I'm assuming this is the same config used on the prod device, but that's a pretty big assumption.
Anyway, see attached. It sure is odd I can't attach a gzipped tarball on a forum focused on Linux development.
Anybody try the root version of Cisco AnyConnect? It is the only client I know that works with my work VPN. From what I can tell all it needs is root and tun built into the kernel.
calash said:
Anybody try the root version of Cisco AnyConnect? It is the only client I know that works with my work VPN. From what I can tell all it needs is root and tun built into the kernel.
I don't know if anyone has tried this yet, but you can always be the first! We have both root and tun, so if that's all you need it should work.
I am too surprised to see tun/tap built-in (I didn't even bother checking in source!)
I wonder if they have done this because of the IPsec VPN device supports. But on D2 global where similar client was present, they were using different module (not the standard tun/tap device). Maybe D3's VPN client was altered to use the tun/tap module instead?
Is anyone else able to have OpenVPN connect just fine, yet no traffic going through the VPN?
Here is the output when OpenVPN is connected:
Code:
C:\Users\Matt\Desktop>"C:\Program Files (x86)\Android\android-sdk-windows\platform-tools\adb.exe" shell
[email protected]_solana:/$ ip route
ip route
10.10.0.5 dev tun0 proto kernel scope link src 10.10.0.6
98.145.116.191 via 66.174.201.132 dev ppp0
66.174.201.132 dev ppp0 scope link
66.174.201.132 dev ppp0 proto kernel scope link src 10.228.114.160
default via 66.174.201.132 dev ppp0
[email protected]_solana:/$ ip addr
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 8e:cd:9b:8e:73:75 brd ff:ff:ff:ff:ff:ff
3: gether0: <BROADCAST,MULTICAST> mtu 1428 qdisc noop state DOWN qlen 1000
link/ether 5e:bf:ba:15:68:12 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
5: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN
link/tunnel6 :: brd ::
6: tun: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 56:65:b5:b7:5c:98 brd ff:ff:ff:ff:ff:ff
10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 10.228.114.160 peer 66.174.201.132/32 scope global ppp0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.10.0.6 peer 10.10.0.5/32 scope global tun0
[email protected]_solana:/$
My OpenVPN server IP is 98.145.116.191, yet when I go to whatismyip.com on my phone it is still 174.255.162.200.
Here is my OpenVPN server config
Code:
port 5555
dev tun
proto tcp
comp-lzo
float
keepalive 10 60
ping-timer-rem
resolv-retry 60
status openvpn-status.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.10.0.0 255.255.255.0
verb 4
mode server
push "redirect-gateway def1"
My client config
Code:
client
remote zone117x.dyndns.info 5555
proto tcp
comp-lzo
dev tun
float
ping-timer-rem
resolv-retry infinite
route-gateway 10.10.0.1
dhcp-option DNS 10.10.0.1
keepalive 10 120
ca ca.crt
cert client1.crt
key client1.key
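An added example, not part of the thread: with `push "redirect-gateway def1"` OpenVPN normally installs 0.0.0.0/1 and 128.0.0.0/1 routes through the tunnel, and neither appears in the `ip route` output posted above. The script does a longest-prefix match over `ip route` text to report which device a destination would leave through; the function names, the expected table and the test destinations are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): given `ip route` text, which interface
# would a destination leave through? Names and test destinations are constructed.

# route_dev_for TABLE DEST -> print the egress device chosen by longest-prefix
# match; return 1 if no route matches, 2 if DEST is not an IPv4 address.
route_dev_for() {
    printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2int(s,   o) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best = -1; d = ip2int(dst); if (d < 0) { bad = 1; exit } }
    {
        if ($1 == "default") { net = 0; len = 0 }
        else {
            n = split($1, p, "/")
            net = ip2int(p[1]); if (net < 0) next      # not a route line
            len = (n == 2) ? p[2] + 0 : 32             # bare address = host route
            if (len < 0 || len > 32) next
        }
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dev == "" || len <= best) next
        size = 2 ^ (32 - len)                          # addresses in the prefix
        if (int(d / size) == int(net / size)) { best = len; out = dev }
    }
    END { if (bad) exit 2; if (best < 0) exit 1; print out }'
}

# tunnel_report TABLE TUNDEV DEST... -> one line per destination;
# returns 1 if any destination would bypass the tunnel device.
tunnel_report() {
    r_table=$1; r_tun=$2; shift 2; r_leaks=0
    for r_dst in "$@"; do
        r_dev=$(route_dev_for "$r_table" "$r_dst") || r_dev="unroutable"
        if [ "$r_dev" = "$r_tun" ]; then
            echo "tunnelled $r_dst via $r_dev"
        else
            echo "BYPASS    $r_dst via $r_dev"; r_leaks=1
        fi
    done
    return "$r_leaks"
}

# Routing table as posted above (VPN connected, traffic not tunnelled).
POSTED_TABLE='10.10.0.5 dev tun0 proto kernel scope link src 10.10.0.6
98.145.116.191 via 66.174.201.132 dev ppp0
66.174.201.132 dev ppp0 scope link
66.174.201.132 dev ppp0 proto kernel scope link src 10.228.114.160
default via 66.174.201.132 dev ppp0'

# Constructed: the same table plus the two routes redirect-gateway def1 adds
# when OpenVPN is able to run the route command.
EXPECTED_TABLE="$POSTED_TABLE
0.0.0.0/1 via 10.10.0.5 dev tun0
128.0.0.0/1 via 10.10.0.5 dev tun0"

tunnel_report "$POSTED_TABLE" tun0 198.51.100.7 10.0.0.1 ||
    echo "posted table: traffic bypasses tun0"
tunnel_report "$EXPECTED_TABLE" tun0 198.51.100.7 10.0.0.1 &&
    echo "expected table: all test destinations use tun0"
```

The same function applied to the I9000 table in the first post on this page sends 10.8.0.1 out of eth0, while the Desire HD table sends it through tun0.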

[How-To] Enable internet web access through proxy servers

I have found that you can enable www access through a proxy server by inserting new iptables rules in Android. I have used it successfully to browse internet through the wifi at my office, it should be the same for school networks with proxy servers as well.
Requirements:
Root access
Kernel with iptable and netfilter support
Known working kernels:
Doomkernel v10
Have been tested on .368 firmware and Doomkernel v10, all iptable and netfilter modules are included in his kernel.
1. Open a terminal emulator or use a scripting app, I have been using ScriptManager.
2. Add iptables entry, root access is needed to manipulate the iptables.
Replace ip address and port in the --to parameter to match your own proxy server address
$ su
# iptables -t nat -A OUTPUT -p tcp -o wlan0 -d internal.ericsson.com -j ACCEPT
# iptables -t nat -A OUTPUT -p tcp -o wlan0 --dport 80 -j DNAT --to 153.140.40.150:3132
# iptables -t nat -L (to list newly added rule)
All apps will now connect to the proxy when accessing port 80
To remove iptables:
$ su
# iptables -t nat -F OUTPUT
You might see several error messages, they can be ignored
modprobe: module 'ip_tables' not found
getsocket for multiport failed strangely: No such file or directory
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:378
Please let me know if you know how to improve the ruleset and if other kernels are working as well.
Updated ruleset:
Have added additional rule to configure iptables to bypass proxy for intranet web addresses, it would otherwise try to open up intranet web pages through the proxy server.
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
w1000i said:
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
Thanks for the url, have you tried it? Might give it a try but it sounds like it is just a frontend to manipulating the iptables, I prefer to change it myself, that gives full flexibility to do whatever I wish with the iptables
Did give DroidProxy a try from the Android Market but it did not seem to work which is why I started to setup the proxy manually in iptables.
w1000i said:
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
Found out that, the transporxy project has been discontinued and replaced with autoproxy which according to the forum members should work very well.
http://forum.xda-developers.com/showthread.php?t=1083284
It should work as long as multiports are not used as this is not included in Doomkernel v10. This only means that you will have to add a separate rule for each port you wish to forward ie. one for port 80 and one for port 443 instead of having both included in the same rule.

[Q] OpenVPN on Droid3?

I want to setup OpenVPN on my device, but the installer is saying that it needs a TAP/TUN module. After doing some research it looks like it's tun.ko that I'm looking for, but I'm not that familiar with the android devices (this is my first droid, had it for about a month now) and would like some help or recommendations
I'm actually running an Bell branded XT860.
tun/tap is built in D3 stock kernel, so you need no module tun.ko.
Which OpenVPN Installer did you try? The app from the market? It worked fine for me, only shortcoming is the openvpn binary seems to have a bug on D3, the built-in route and ifconfig commands do not work. But no big deal for me, since I use a start script anyway and add these commands to this script.
Can you elaborate how you're using the startup scripts? I'm using OpenVPN on CM7 on another device and it works well. My D3 is getting shipped to me and I'd like to also get OpenVPN running on it.
Thanks
How detailed do you need it? I can show you what I did, but you need some Linux / OpenVPN skills to alter it for your needs. Unfortunately, I currently don't have the time to write a failsafe HowTo. But if you have further questions, feel free to ask.
1. remount /system read-write
2. mkdir -p /system/scripts/openvpn and copy your OpenVPN configfiles there
3. Create script /system/scripts/ovpn.sh:
#! /system/bin/sh
openvpn --cd /system/scripts/openvpn --config openvpn.conf --daemon
sleep 1
ifconfig tun0 172.31.254.10 pointopoint 172.31.254.9
/system/sbin/route add -net 10.0.0.0/8 dev tun0
exit 0
4. Make a widget with app Script Manager
5. remount /system read-only
EDIT: What I missed to mention before: I had some MTU problems. Configuring "mssfix 1200" solved it.
So let me get this right.
I have openvpn settings and the binary installed.
config files are in /sdcard/openvpn/
both the -> swissvpn.ovpn and ca.crt
openvpn binary is in /system/xbin/openvpn
I modified script in /system/scripts/openvpn to read
openvpn.conf to swissvpn.ovpn
--------------------------------------
#! /system/bin/sh
openvpn --cd /system/scripts/openvpn --config swissvpn.ovpn --daemon
sleep 1
ifconfig tun0 172.31.254.10 pointopoint 172.31.254.9
/system/sbin/route add -net 10.0.0.0/8 dev tun0
exit 0
-----------------------------------
saved to /system/scripts/ovpn.sh
Questions
1.) Do I need to point openvpn to the config files in /system/scripts/openvpn or /sdcard/openvpn for it to work?
2.)Will this finally fix the routing problem with the browser not tunneling properly?
3.)Do I need to issue "Load tun kernel module" in "openvpn settings" or is this already solved with the stock kernel?
Regarding your first question, yes you have to, and this isn't your only mistake. You cannot just adopt my ifconfig and route settings.
OK, how could we start? I fear you are using a server-pushed configuration and I further fear this will just not work with this "broken" openvpn binary.
Could you please post your swissvpn.ovpn?
And please do the following, on command line as root:
openvpn --cd /sdcard/openvpn --config swissvpn.ovpn
... and please post the output.
output
-----------------------------------------------
export PATH=/data/local/bin:$PATH
[email protected]_solana:/$ export PATH=/data/local/bin:$PATH
[email protected]_solana:/$ su
[email protected]_solana:/# openvpn --cd /sdcard/openvpn --config swissvpn.ovpn
Tue Oct 11 17:19:08 2011 OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 2 2010
Enter Auth Username:
------------------------------------------
also config file swissvpn.ovpn contents
------------------------------------------
dev tun
client
proto tcp-client
remote connect-openvpn.swissvpn.net 443
ca ca.crt
auth-user-pass
reneg-sec 86400
ns-cert-type server
-----------------------------------------
I messed up on my last post.
I meant the ovpn.sh script is in /system/scripts/
the 2 config files swissvpn.opvn and ca.crt are in /system/scripts/openvpn/
The openvpn binary is in /system/xbin/openvpn/ and was installed by 'OpenVPN Installer' from the Market. "OpenVPN Settings" is the app I'm using to configure all of this.
also if I execute your ovpn.sh in script manager as root it just outputs this
--------------------------------------------
http://oi51.tinypic.com/2n21vdx.jpg
http://oi52.tinypic.com/2vw8bbt.jpg
http://oi54.tinypic.com/c7vck.jpg
http://oi52.tinypic.com/15hh4au.jpg
--------------------------------------------
You are obviously prompted for a Username. What happens when you type your username (and then password, I guess).
RE:
Well what it says in a message
this is with your script in there
Take note that I had clicked SwissVPN.ovpn
The green checkbox had turn off and displayed this message.
http://oi52.tinypic.com/2a7cwzl.jpg
OK, it seems my workaround doesn't work for you because your ifconfig and route parameters are pushed by the server. There is more investigation needed, either in a new build of the openvpn binary or another workaround. I'll have a closer look at it, but really cannot promise you a timeline.
I was having your same problem with "FATAL:Linux ifconfig failed:could not execute external program."
There is a fix in this thread http://forum.xda-developers.com/archive/index.php/t-1074492.html
cd /system/xbin
ln -s /system/xbin /system/xbin/bb
this will create a correct link for ifconfig and route commands
I've got OpenVPN to connect successfully, yet no traffic routes through VPN.
This thread discusses the issue
http://forum.xda-developers.com/archive/index.php/t-1235954.html
Someone said
I can configure tun0 and the routing table manually and successfully pass traffic through the tunnel.
I don't understand the configuration he posted
vpnc work well with cisco vpn
download vpnc from market. works well with cisco vpn.
