[Q] Problem with Global Proxy - Nexus One Q&A, Help & Troubleshooting

Hello:
Until a week ago I was using ProxyDroid to use the internet over WiFi through my laptop with Virtual WiFi Router without problems. I could use all applications using the global proxy that ProxyDroid sets, including the 1mobile market apk.
However, after using other WiFi connections at a conference, which did not require a proxy, my cell can't access the previous network through its old proxy. I fear that installing and uninstalling some applications changed some internal settings and I can't reset my cell's connection.
Something remarkable: to activate ProxyDroid at work, I need to declare a bypass for some IPs so that they can be seen. These pages show the alert in that case, which makes me think that ProxyDroid is working OK and changing the global proxy on the cell.
I use an HTC Nexus One with CyanogenMod-7.2.0-passion
Please, help...
Thanks

About ProxyDroid and iptables
I notice that ProxyDroid 2.7.0 does not change the iptables chains. I configured PD and enabled it, but when I use adb shell and then iptables -L it just shows this...
C:\Developers\ADT-Bundle\sdk\platform-tools>adb shell
# iptables
iptables
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
# iptables -L
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
So, it doesn't work
Help....... PLEASE
I use an HTC Nexus One with MIUI 2.3.7 ES

Related

[Q]SSH Tunnel and changing the proxy?

Hi all,
hope you can help me with this question.
How can I set up an SSH tunnel on the Kindle and change the system proxy to point to localhost:8080?
I am outside the US but have a Netflix account that I would like to access. Normally I would just tunnel into my US webhost, set the global proxy to localhost:80 for web requests and Netflix would see me with a US IP.
I have tried various things using the app SSH Tunnel but it does not seem to establish a connection.
ConnectBot runs fine and connects to the server in SSH so I am just looking for a way to establish the tunnel. This should probably work via a terminal using ssh -p 22 -L 8080:localhost:3128 -l user hostname.com... or something alike.
That still leaves me with the question of how to change the global proxy?
I can't find anything in the settings and am too new to the whole Android infrastructure. I'm sure this is located in a file somewhere, no?
Has anyone managed to get this to work somehow?
I don't really want to use an app like Hotspot Shield or the likes because usually they can't cope with the streaming bandwidth or require you to pay for a premium account.
Why pay when I am paying for my webhost already, right?
Edit: update
I can now open and connect SSH to my server after installing DroidSSH and copying the ssh command to system/bin.
Using a terminal emulator I can ssh but the tunnel fails: ssh: failed local port forward (null):8080
Not very firm with the commands but I used: ssh -p 22 -L 8080:localhost:3128 -l username hostname
I also realised I can set "global" proxy settings via the wireless connection. This seems to be working fine but I think I'm screwing up the ssh command.

[GUIDE] Setup Your Own Asterisk Server With Google Voice on Amazon EC2

EDIT: THIS SETUP IS FOR PEOPLE WHO WANT A RELIABLE ALTERNATE TO USING MAIN STREAM SERVICES. THIS IS YOUR OWN SERVER -- AND YOU WILL BE THE ONLY ONE USING IT AS OPPOSED TO HUNDREDS OR THOUSANDS OF OTHER USERS. I'VE BEEN USING THIS FOR SIX MONTHS WITH NO ISSUES. BEFORE THIS I WAS USING PBXES.ORG AND THE SERVICE WAS 'OK' AND I MISSED SOME CALLS. I'VE HAD ZERO ISSUES WITH THIS SETUP.
A few people have asked me for a guide on how to set up Asterisk on an Amazon EC2 micro instance for their Nexus 4. Amazon offers a free micro instance for one year (new signups). Even after your first year it's pretty cheap to keep it running. Amazon's bandwidth will be faster than setting up Asterisk on your own home server (in most cases).
Once you have the server up and running you can easily configure your favorite SIP client on your Nexus 4 to enjoy free calling with your Google Voice account. This is particularly useful for people such as myself who are on the $30 T-Mobile plan.
As a bonus, I've also included the steps to set up a PPTP VPN.
This guide assumes that you've already set up your AWS account and figured out how to set the security group. You will need to open some ports (TCP: 22, 1723, 5060. UDP: 5060, 10000-20000).
Step 1. Go to: http://uec-images.ubuntu.com/releases/10.04/release/ and pick the t1.micro instance (ebs 64 bit) for the region that you set up in AWS. Launch this instance (there is a button) and get it working with the security group that you configured. After it's launched you need to set up an Elastic IP and associate it with the instance. After that go ahead and log into your new micro instance server. Once you get to this point, then you can continue with the guide. There are TONS of resources (including youtube videos) on how to get to this point. It's not rocket science.
Step 2. Set up firewall settings for pptpd and asterisk. Lucid also has firewall settings that need to be adjusted.
Code:
#Uncomplicated Firewall
sudo ufw enable
sudo ufw allow 22/tcp
sudo ufw allow 1723/tcp
sudo ufw allow 5060/tcp
sudo ufw allow 5060/udp
sudo ufw allow 10000:20000/udp
#check status
sudo ufw status
#edit /etc/default/ufw and enable forward policy
DEFAULT_FORWARD_POLICY="ACCEPT"
#edit /etc/ufw/sysctl.conf and uncomment
net/ipv4/ip_forward=1
#edit /etc/ufw/before.rules and add this after the header comments
---<BEGIN>--- (DON'T COPY THIS LINE)
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0.
-A POSTROUTING -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
---<END>--- (DON'T COPY THIS LINE)
#disable and enable to apply changes
sudo ufw disable && sudo ufw enable
Step 3. Recompile Kernel. The default kernel is set at 100HZ timing; this will give you HORRIBLE VOIP quality. The kernel needs to be recompiled to 1000HZ timing.
Code:
# Make yourself root
sudo su
# Update source list:
aptitude update
# Upgrade everything:
aptitude upgrade
# Install dependencies:
apt-get build-dep linux-image-$(uname -r)
apt-get build-dep linux
apt-get install fakeroot build-essential
apt-get install crash kexec-tools makedumpfile kernel-wedge
apt-get install libncurses5 libncurses5-dev
apt-get install libelf-dev asciidoc binutils-dev kernel-package
apt-get install git-core
cd /usr/src
git clone git://kernel.ubuntu.com/ubuntu/ubuntu-lucid.git
cd ubuntu*
git checkout --track -b ec2 origin/ec2
fakeroot debian/rules clean
fakeroot debian/rules editconfigs
# Configuration window should now appear, do the following:
Select YES
# Navigate to:
Processor type and features -> Timer frequency
# Select the 1000HZ frequency
Exit
Exit
Yes (Save)
#After saving and returning to prompt it may ask you to do it again for i386, select yes and repeat!
This next command will take about 7 hours to recompile the kernel. But, there is a shortcut. Amazon charges by the minute for each instance type that you use. I recommend shutting down your instance at this point and changing it to a m1 extra large instance type (this will cost you about 70 cents). This will increase your micro instance from:
613 MiB memory
Up to 2 EC2 Compute Units (for short periodic bursts)
EBS storage only
32-bit or 64-bit platform
I/O Performance: Low
EBS-Optimized Available: No
API name: t1.micro
to:
15 GiB memory
8 EC2 Compute Units (4 virtual cores with 2 EC2 Compute Units each)
1,690 GB instance storage
64-bit platform
I/O Performance: High
EBS-Optimized Available: 1000 Mbps
API name: m1.xlarge
The compiling time will be reduced to about 25 minutes. Once you have the instance back up with the m1.xlarge instance type, continue like so:
Code:
sudo su
cd /usr/src/ubuntu*
fakeroot debian/rules binary
#Check if your deb files were created
cd ..
ls *.deb
#install new kernel
#IF A GRUB MENU POPS UP PICK PACKAGE VERSION
sudo dpkg -i linux-*.deb
Then shutdown your system again and change it back to a micro instance. Then boot it back up.
Code:
#Check your new Kernel version
uname -r
#Check if Kernel HZ value change persisted:
cat /boot/config-`uname -r` | grep HZ
#If value 1000HZ=yes then you did it right!
Step 4. Install Asterisk 11
Code:
#become root
sudo su
# Install dependencies:
apt-get install libiksemel-dev libsqlite3-dev libssl-dev libnewt-dev libxml2-dev
#get source
#note: dahdi needs to be installed to compile and install libpri -- we don't really need it for any other reason
cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-1.4-current.tar.gz
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
#extract source
tar zxvf dahdi-*
tar zxvf libpri-*
tar zxvf asterisk-11*
#resolve error for compiling dahdi
ln -nsf /usr/src/linux-headers-`uname -r`/include/asm-x86 /usr/src/linux-headers-`uname -r`/include/asm
#install dahdi
cd /usr/src/dahdi*
make && make install && make config
#install libpri
cd /usr/src/libpri-1.4*
make && make install
#install asterisk
#note: once the menu pops up check and make sure you have chan_motif and xmpp (should have a * next to them)
cd /usr/src/asterisk*
./configure && make menuselect && make && make install && make config && make samples
Step 5. Configure Google Voice
Back up the original conf files (you should still be root)
Code:
cd /etc/asterisk
cp extensions.conf extensions.conf.orig
cp motif.conf motif.conf.orig
cp sip.conf sip.conf.orig
cp xmpp.conf xmpp.conf.orig
New config files compiled by jhax01 - GO TO POST #85 FOR MORE DETAILS. Now you will want to replace the following files with these (change USERNAME to whatever you want and make sure your Google account info is correct):
#extensions.conf - Don't forget the USERNAME on the last line
Code:
[general]
autofallthrough=yes
; If an unauthenticated request some how gets through, send them to free 411.
[default]
exten => 411,1,Answer()
same => n,Dial(Motif/google/[email protected])
[local]
exten => _1XXXXXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
exten => _XXXXXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
exten => _+1XXXXXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
[incoming-motif]
exten => s,1,NoOp()
same => n,Set(crazygooglecid=${CALLERID(name)})
same => n,Set(stripcrazysuffix=${CUT(crazygooglecid,@,1)})
same => n,Set(CALLERID(all)=${stripcrazysuffix})
same => n,Dial(SIP/USERNAME,20,D(:1))
#motif.conf
Code:
[google]
context=incoming-motif
disallow=all
allow=ulaw
connection=google
#sip.conf - Pay attention to externhost, secret, and USERNAME
Code:
[general]
allow=all
allowguest=no
nat=force_rport,comedia
tcpbindaddr=0.0.0.0
tcpenable=yes
externhost=ELASTICIP
localnet=10.0.0.0/8
[USERNAME]
type=peer
secret=PASSWORDYOUGENERATE
host=dynamic
context=local
transport=udp,tcp
#xmpp.conf
Code:
[general]
[google]
type=client
serverhost=talk.google.com
[email protected]
secret=GMAILPASSWORD
priority=100
port=5222
usetls=yes
usesasl=yes
status=available
statusmessage="VOIP"
timeout=5
Code:
#
# Stop/Start asterisk
#
sudo /etc/init.d/asterisk stop
sudo /etc/init.d/asterisk start
If everything went as planned your Asterisk server with Google Voice should be working; you can now log in with your SIP client using the extension username and password that you chose in sip.conf.
BONUS STEP. PPTPD VPN
install (make sure you are still root)
Code:
apt-get install pptpd
Now take the following code and copy it into a script and execute as root:
Code:
echo "localip 10.40.1.1" >> /etc/pptpd.conf
echo "remoteip 10.40.1.20-50" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd
echo "ms-dns 172.16.0.23" >> /etc/ppp/options.pptpd
# random password unless one was passed as the first argument
pass=`openssl rand -base64 8`
if [ "$1" != "" ]
then pass=$1
fi
echo "VPN pptpd ${pass} *" >> /etc/ppp/chap-secrets
# \033[1m turns bold on, \033[0m turns it back off
echo -e "VPN service is installed, your VPN username is \033[1mVPN\033[0m, VPN password is \033[1m${pass}\033[0m"
Done. Just a reminder, do not upgrade the system to Ubuntu 12.04 or you will lose the recompiled Kernel. If you update the kernel you will need to recompile...
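An added check for the sip.conf from Step 5, not part of the guide: it flags the placeholders that must be replaced (ELASTICIP, PASSWORDYOUGENERATE, the [USERNAME] peer), a peer with a missing or short secret, and a [general] section without allowguest=no, which is what keeps unauthenticated callers out of the dial plan once 5060 is open to the internet. The two sample configs inside are constructed for the demonstration; the peer name nexus4 and the address 203.0.113.10 are made up.

```shell
#!/bin/sh
# check_sip_conf [file]: reads an Asterisk sip.conf (stdin if no file), prints
# one FAIL line per problem found or OK, and exits with the number of problems.
check_sip_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # called when a section ends: every non-[general] peer needs a secret
    function endsec() {
        if (section != "" && section != "general" && !hassecret)
            bad["peer " section ": no secret set"] = 1
        hassecret = 0
    }
    { sub(/;.*$/, "") }                      # strip ; comments
    /^[ \t]*$/ { next }                      # skip blank lines
    /^[ \t]*\[/ {                            # [section] header
        endsec()
        section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        if (section == "USERNAME") bad["peer name is still the USERNAME placeholder"] = 1
        next
    }
    index($0, "=") {                         # key = value
        eq = index($0, "="); key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (section == "general") {
            general[key] = val
        } else if (key == "secret") {
            hassecret = 1
            if (val == "PASSWORDYOUGENERATE") bad["peer " section ": secret is the placeholder"] = 1
            else if (length(val) < 16) bad["peer " section ": secret shorter than 16 characters"] = 1
        }
    }
    END {
        endsec()
        if (general["allowguest"] != "no") bad["[general] allowguest is not set to no"] = 1
        if (general["externhost"] == "ELASTICIP") bad["[general] externhost is still ELASTICIP"] = 1
        n = 0
        for (m in bad) { print "FAIL: " m; n++ }
        if (n == 0) print "OK"
        exit n
    }' "$@"
}

# Constructed copy of the guide's sip.conf with its placeholders left in.
sample_guide_conf() {
    cat <<'EOF'
[general]
allow=all
allowguest=no
nat=force_rport,comedia
tcpbindaddr=0.0.0.0
tcpenable=yes
externhost=ELASTICIP
localnet=10.0.0.0/8
[USERNAME]
type=peer
secret=PASSWORDYOUGENERATE
host=dynamic
context=local
transport=udp,tcp
EOF
}

# Constructed version with the placeholders filled in; 203.0.113.10 is a
# documentation address standing in for the Elastic IP.
sample_filled_conf() {
    cat <<'EOF'
[general]
allow=all
allowguest=no          ; keep this: no unauthenticated calls into [default]
nat=force_rport,comedia
tcpbindaddr = 0.0.0.0
tcpenable = yes
externhost=203.0.113.10
localnet=10.0.0.0/8
[nexus4]
type=peer
secret=k7Qp2vX9mLt4Rz8wBn3c   ; 20 random characters, e.g. from: openssl rand -base64 15
host=dynamic
context=local
transport=udp,tcp
EOF
}
```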
Eh? Understood none of that. What even is Asterisk?
CrazyPeter said:
Eh? Understood none of that. What even is Asterisk?
https://www.asterisk.org/
1. What is the advantage of this method over centos 6.3 + PIAF on EC2?
2. It seems you are using UDP transport on sip port 5060. How's the battery life when you are on 3g?
acegolfer said:
1. What is the advantage of this method over centos 6.3 + PIAF on EC2?
2. It seems you are using UDP transport on sip port 5060. How's the battery life when you are on 3g?
1. No advantage really, other than fewer resources are used. This is just using Asterisk 11 -- does the centos/piaf combo use Asterisk 11?
2. Yes, I do use UDP because my SIP client is not running all the time. I mostly only use it for outgoing calls. The above steps could be easily adjusted for TCP use.
Or you can download the obi app from play store and use that with Google voice to make WiFi calls.
Much easier to setup all you need is your login info.
Sent from my Nexus 4 using xda premium
errorcod3 said:
1. No advantage really, other than fewer resources are used. This is just using Asterisk 11 -- does the centos/piaf combo use Asterisk 11?
2. Yes, I do use UDP because my SIP client is not running all the time. I mostly only use it for outgoing calls. The above steps could be easily adjusted for TCP use.
1. I just managed to install centos + PIAF on EC2. It was a major struggle. It's using asterisk 1.8 but can add gtalk trunk with GV motif.
2. When csip uses TCP transport to connect to PIAF in EC2, I continue to experience the same hangup issue. I guess it will happen to your setup as well if you use TCP.
kthejoker20 said:
Or you can download the obi app from play store and use that with Google voice to make WiFi calls.
Much easier to setup all you need is your login info.
Sent from my Nexus 4 using xda premium
No offense, but there is a reason this thread was made. It was spawned by the efforts of TWO other threads as an alternative solution to making VOIP work RELIABLY over 3G.
OP, you should add a blurb at the very beginning of the post that notes why this thread was made so we can curb responses like this in advance.
Is there any advantage to doing this as opposed to getting service from a reputable VOIP provider (voip.ms, callcentric, etc) and just connecting to their servers? Surely their connection/service is going to be pretty reliable and call rates are more than reasonable (like 0.01 per minute).
These providers support G.729 so you could connect with csipsimple and have pretty good quality over 3G I think.
Are you guys doing this to avoid paying 0.01 a minute or to try to get more reliable service? I don't understand...
cmaxwe said:
Is there any advantage to doing this as opposed to getting service from a reputable VOIP provider (voip.ms, callcentric, etc) and just connecting to their servers? Surely their connection/service is going to be pretty reliable and call rates are more than reasonable (like 0.01 per minute).
These providers support G.729 so you could connect with csipsimple and have pretty good quality over 3G I think.
Are you guys doing this to avoid paying 0.01 a minute or to try to get more reliable service? I don't understand...
Yeah, we REALLY need that blurb about this in the OP.
We are trying to avoid any very small cost by doing this, although that was AceGolfer's original intent. The problem is that, so far, with all the previous setups using VOIP providers + GV + SIP client, there is always one thing eluding us: RELIABILITY. Really, the problem seems to stem from the fact that a single provider does not offer everything needed to make this work reliably on 3G. This stuff works great on WiFi. Even calls out USUALLY work flawlessly. But INCOMING calls have been missed, traveling calls (in car) can be sketchy, and even 1 bad connection in 10 is just plain lousy.
Frankly, I can deal with some of those problems. Mine, and I'm sure many other posters', wives and business partner/clients, cannot. This is just another method to try to figure out the best and most reliable way to get VOIP on our phones.
cmaxwe said:
Is there any advantage to doing this as opposed to getting service from a reputable VOIP provider (voip.ms, callcentric, etc) and just connecting to their servers? Surely their connection/service is going to be pretty reliable and call rates are more than reasonable (like 0.01 per minute).
These providers support G.729 so you could connect with csipsimple and have pretty good quality over 3G I think.
Are you guys doing this to avoid paying 0.01 a minute or to try to get more reliable service? I don't understand...
Here's what we (smartphone users over 3g) want: G729 (or iLBC) and TCP.
The 2 VoIP providers that you mentioned only offer UDP connection, which will kill smartphone batteries. I have heard that some people even use pbxes as the gateway for voip.ms so that they can use TCP connection.
Fortunately, there are several methods we have found that don't cost anything.
acegolfer said:
1. I just managed to install centos + PIAF on EC2. It was a major struggle. It's using asterisk 1.8 but can add gtalk trunk with GV motif.
2. When csip uses TCP transport to connect to PIAF in EC2, I continue to experience the same hangup issue. I guess it will happen to your setup as well if you use TCP.
What's the hang up issue that you are experiencing? I can switch my configuration over to TCP and see if I get the same issue.
bluespire said:
Yeah, we REALLY need that blurb about this in the OP.
We are trying to avoid any very small cost by doing this, although that was AceGolfer's original intent. The problem is that, so far, with all the previous setups using VOIP providers + GV + SIP client, there is always one thing eluding us: RELIABILITY. Really, the problem seems to stem from the fact that a single provider does not offer everything needed to make this work reliably on 3G. This stuff works great on WiFi. Even calls out USUALLY work flawlessly. But INCOMING calls have been missed, traveling calls (in car) can be sketchy, and even 1 bad connection in 10 is just plain lousy.
Frankly, I can deal with some of those problems. Mine, and I'm sure many other posters', wives and business partner/clients, cannot. This is just another method to try to figure out the best and most reliable way to get VOIP on our phones.
I have been using this setup for about 6 months. It's incredibly reliable. I'm the only one using this server as opposed to more main stream options where hundreds or thousands of people are using the service. Plus, I can use it for other things such as a VPN server when I need it.
ADD TCP SUPPORT
On your security group settings for the Amazon EC2 open port 5060/tcp.
Log in and execute:
Code:
sudo ufw allow 5060/tcp
Edit sip.conf and add the following under the [general] section:
Code:
tcpbindaddr = 0.0.0.0
tcpenable = yes
Under your [USERNAME] in sip.conf add the following:
Code:
transport=udp,tcp
restart asterisk
ADDED TO OP.
It looks like you're only using G711u/a, and GSM for codecs. Have you tried installing G729? Or allowing G722?
errorcod3 said:
What's the hang up issue that you are experiencing? I can switch my configuration over to TCP and see if I get the same issue.
When Csipsimple is registered remotely (obviously is the case for EC2) using TCP, it takes 30 seconds to hangup after pressing the "end" call button. The voice gets transmitted during these 30 seconds.
OTOH, the call hangs up normally, if CSS uses UDP or I use a different client which costs to use G729.
osi13 said:
It looks like you're only using G711u/a, and GSM for codecs. Have you tried installing G729? Or allowing G722?
No, I haven't tried it. Asterisk 11 supports G722. If anyone is interested in using it just add an allow=g722 to the sip.conf file under [general].
Does Google Voice support G729?
acegolfer said:
When Csipsimple is registered remotely (obviously is the case for EC2) using TCP, it takes 30 seconds to hangup after pressing the "end" call button. The voice gets transmitted during these 30 seconds.
OTOH, the call hangs up normally, if CSS uses UDP or I use a different client which costs to use G729.
I just changed my configuration to TCP and I could not reproduce your problem. My calls terminate normally.
errorcod3 said:
No, I haven't tried it. Asterisk 11 supports G722. If anyone is interested in using it just add an allow=g722 to the sip.conf file under [general].
Does Google Voice support G729?
gtalk trunk only supports PCMU (g711 ulaw), which is used at PSTN. asterisk will transcode PCMU to other codecs such as G729.
errorcod3 said:
I just changed my configuration to TCP and I could not reproduce your problem. My calls terminate normally..
Forgot to mention, I'm also using CSS.

VPN + Hotspot = AWESOME!

Ok so a while back I discovered that after you gain root access to the BIONIC (probably works with others too. idk...) you can make changes to iptables. For those who don't know what that is: it's a built-in firewall that handles packets as they come in and leave your phone. This is pretty much the de facto standard for any Linux machine to date (please enlighten me if I'm wrong). Anyhow, after discovering this I came up with an idea to see if I could pipe my hotspot directly into my OpenVPN tunnel. Well, after a bit of web research on how iptables works I was able to get it up and running. HOWEVER I'm not an expert at this yet, and my config definitely has a flaw in the fact that I leave the phone completely vulnerable on the "rmnetX" interface, as I completely flush the old tables to add mine, leaving the firewall WIDE OPEN. I'll post a fix as soon as I can come up with one. In the meantime here are the steps to take to get your phone to be a hotspot access point to your OpenVPN network!
**PHONE MUST HAVE ROOT!!!!***
1) Follow along and setup an OpenVPN server http://openvpn.net/howto.html
2) Install "OpenVPN Installer" and "OpenVPN settings" from Google Play marketplace (both are free)
3) Run OpenVPN Installer and install OpenVPN client to your phone. The defaults should be fine.
4) Create a folder called "openvpn" on the root of your INTERNAL sdcard. IE "/sdcard/openvpn"
5) Copy your client keys that you made during your OpenVPN setup to your phone into the /sdcard/openvpn directory (client.crt, client.key, ca.crt, and ta.key)
6) Copy over the client.conf file as well. You will need to tweak this a bit to call your certs from the /sdcard/openvpn folder as well as putting in the public IP to connect to. Keep in mind if you are doing this at home you will need to PAT/NAT this connection across your firewall on udp port 1194.
7) Ok, at this point you just want to make sure your OpenVPN connection works. So open up OpenVPN Settings and try and connect to your VPN; if you can connect and browse to shares inside your network over the 4g connection, EXCELLENT! MOVE ON! If not refer to the OpenVPN HOW TO!!!
8) After that's done you need to get the Verizon HotSpot Tether working. There's a hack for it on the web. Google "BIONIC Hotspot SQLite Editor"... in the meantime I'll try and walk you through it.
a) get SQLite Editor from Google Play
b) open it and scroll down to "Settings Storage" (the one with the hammer icon), open "settings.db", then click settings. You should see a long list of database entries. Click the magnifying glass and under "Filter Value" type "check".
c) you should then see 4 results, one being "entitlement_check". Long press on the "1" next to "entitlement_check". Click "Edit Field" and change the "1" to a "0".
d) Reboot and try running the stock "Hotspot" app, it should work now!
9) Run the Hotspot app and confirm it works properly and can connect clients.
10) After you have a working Hotspot and a working OpenVPN you can then start the iptables magic!!!
**This is fairly safe, no need to worry about bricking just reboot if you screw up!***
11) Download and install "Android Terminal Emulator" and run it.
12) at the prompt type in "su" to gain super user access
13) you should now be at a root shell ("#") NOT $
14) at the prompt(#) type this: iptables -S <-This shows you the entire iptables rules, as you can see it's crazy complicated!
15) Run OpenVPN and Hotspot and confirm both are connected and running before issuing rule changes in iptables. So run both applications now.
16) Confirm VPN is connected and Hotspot is running by issuing the command "busybox ifconfig". If your VPN is up you will have a "tun0" interface and if the Hotspot is up there should be a "wlan1" interface.
17) If both are up then all you need to do in order to give hotspot clients access to your VPN resources is this:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i tun0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan1 -o tun0 -m state --state INVALID -j DROP
iptables -A FORWARD -i wlan1 -o tun0 -j ACCEPT
The first 10 commands flush your old iptables, and the last 3 commands masquerade your wlan1 interface to your tun0 interface, funneling your clients down the VPN. Keep in mind that you will have to allow this via your openvpn server.conf file. See the HOWTO for OpenVPN.
Enjoy!!!
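A tighter rule set for the hotspot-to-tunnel forwarding above, added here as an example and not part of Ed's post: it drops unsolicited inbound traffic on every interface (closing the rmnetX hole he describes) instead of flushing everything with ACCEPT policies, forwards only wlan1 into tun0 plus the replies, and can be undone, which answers the "how to undo this?" question further down. It assumes the post's interface names wlan1 and tun0 and that the phone's own dnsmasq serves DHCP and DNS to hotspot clients.

```shell
#!/system/bin/sh
# Usage (as root, with VPN and hotspot both up):  sh hsvpn.sh up | down
# DRY_RUN=1 prints the iptables commands instead of running them.
AP_IF=${AP_IF:-wlan1}      # hotspot access-point interface (from the post)
VPN_IF=${VPN_IF:-tun0}     # OpenVPN tunnel interface (from the post)
DRY_RUN=${DRY_RUN:-0}

# Run one iptables invocation, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

setup_hotspot_vpn() {
    # Private chains: Android's own chains stay in place, and teardown only
    # has to remove the two jumps added at the end.
    ipt -N hsvpn_in 2>/dev/null || true
    ipt -N hsvpn_fwd 2>/dev/null || true
    ipt -F hsvpn_in
    ipt -F hsvpn_fwd
    # INPUT: loopback, replies to the phone's own connections, and the DHCP/DNS
    # that hotspot clients need from the phone's dnsmasq. Anything else,
    # including unsolicited packets arriving over the cellular link, falls
    # through to the DROP policy set below.
    ipt -A hsvpn_in -i lo -j ACCEPT
    ipt -A hsvpn_in -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A hsvpn_in -m state --state INVALID -j DROP
    ipt -A hsvpn_in -i "$AP_IF" -p udp --dport 67 -j ACCEPT
    ipt -A hsvpn_in -i "$AP_IF" -p udp --dport 53 -j ACCEPT
    ipt -A hsvpn_in -i "$AP_IF" -p tcp --dport 53 -j ACCEPT
    # DHCP offers to the phone itself are broadcast, so conntrack does not
    # see them as replies; allow them explicitly.
    ipt -A hsvpn_in -p udp --sport 67 --dport 68 -j ACCEPT
    # FORWARD: hotspot clients may only talk into the tunnel, and only the
    # tunnel may answer them. The OpenVPN server still has to route the
    # hotspot subnet back, as the post notes (server.conf).
    ipt -A hsvpn_fwd -m state --state INVALID -j DROP
    ipt -A hsvpn_fwd -i "$AP_IF" -o "$VPN_IF" -j ACCEPT
    ipt -A hsvpn_fwd -i "$VPN_IF" -o "$AP_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Hook the chains in at the top, removing any jump left by an earlier run.
    ipt -D INPUT -j hsvpn_in 2>/dev/null || true
    ipt -D FORWARD -j hsvpn_fwd 2>/dev/null || true
    ipt -I INPUT 1 -j hsvpn_in
    ipt -I FORWARD 1 -j hsvpn_fwd
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Undo everything above and reopen the policies.
teardown_hotspot_vpn() {
    ipt -D INPUT -j hsvpn_in 2>/dev/null || true
    ipt -D FORWARD -j hsvpn_fwd 2>/dev/null || true
    ipt -F hsvpn_in 2>/dev/null || true
    ipt -X hsvpn_in 2>/dev/null || true
    ipt -F hsvpn_fwd 2>/dev/null || true
    ipt -X hsvpn_fwd 2>/dev/null || true
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
}

# Number of generated rules that match on a given input interface: a quick
# look at what the rule set would touch, without applying it.
rules_for_iface() {
    ( DRY_RUN=1; setup_hotspot_vpn ) | grep -c -- "-i $1 "
}

case "${1:-}" in
    up)   setup_hotspot_vpn ;;
    down) teardown_hotspot_vpn ;;
esac
```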
I am confused and would like to know why we want net on VPN if we have the WiFi hack for a router.
Could we link a com port on bochs emulated Windows XP?
With the WiFi hack edit or tether for root user you can use this ip addr add like below to add router capabilities, or change wlan0 to your phone's 4g rmnet or tun0 to add router to any connection. Can you tell us what we would use VPN for? Give an example.
su
ip addr add 192.168.1.0/24 dev wlan0
http://www.filedropper.com/comgooglecodeandroidwifitether-1
I use this apk to wifi tether, same as a wifi router; it will probably need root to use it, I am not sure, but you don't need to type: ip addr add 192.168.1.0/24 dev wlan0, I do just because it helps make good connections for most wifi devices.
This will make your WiFi capable of being used as a router; you still need root WiFi tether or the hotspot hack like you posted but this makes wlan0 a router.
I mainly use this to share files that I have on my NAS at home with friends at work. First I create a hot spot, then I connect my VPN, then I masquerade the traffic. On the server side my openvpn configuration is set up so that it trusts a specific subnet coming from behind the openvpn host (IE my phone's hotspot subnet) This provides a nice and easy means of giving friends controlled access via your mobile hotspot without needing to generate RSA keys for each of your friends. Another thing I like to use it for is when I travel I just set it up in the corner and watch movies from home on my laptop over the VPN through the hotspot.
-Ed
DroidisLINUX said:
I am confused and would like to know why we want net on VPN if we have the WiFi hack for a router.
Could we link a com port on bochs emulated Windows XP?
With the WiFi hack edit or tether for root user you can use this ip addr add like below to add router capabilities, or change wlan0 to your phone's 4g rmnet or tun0 to add router to any connection. Can you tell us what we would use VPN for? Give an example.
su
ip addr add 192.168.1.0/24 dev wlan0
http://www.filedropper.com/comgooglecodeandroidwifitether-1
I use this apk to wifi tether, same as a wifi router; it will probably need root to use it, I am not sure, but you don't need to type: ip addr add 192.168.1.0/24 dev wlan0, I do just because it helps make good connections for most wifi devices.
This will make your WiFi capable of being used as a router; you still need root WiFi tether or the hotspot hack like you posted but this makes wlan0 a router.
edw00rd said:
I mainly use this to share files that I have on my NAS at home with friends at work. First I create a hot spot, then I connect my VPN, then I masquerade the traffic. On the server side my openvpn configuration is set up so that it trusts a specific subnet coming from behind the openvpn host (IE my phone's hotspot subnet) This provides a nice and easy means of giving friends controlled access via your mobile hotspot without needing to generate RSA keys for each of your friends. Another thing I like to use it for is when I travel I just set it up in the corner and watch movies from home on my laptop over the VPN through the hotspot.
-Ed
Or you could get Qloud Media Server, and be able to assign access to different sets of folders in your home network using username/passwords. And it costs $3.00 or $0.00 if you have a getjar pass.
This is a really cool idea, thanks for sharing.
On a somewhat unrelated note, is the VirtualBox method still the preferred means of rooting a Bionic on 4.1.2 (98.72.22)? Trying to figure out how easily I can root a friend's phone but I can't really find any consolidated source of up-to-date information. =\
TweakerL said:
Or you could get Qloud Media Server, and be able to assign access to different sets of folders in your home network using username/passwords. And it costs $3.00 or $0.00 if you have a getjar pass.
I think you might be confusing folder access/authentication with network access/authentication. The VPN would give you access to your network remotely via 4g/3g and yes I suppose you could use the Qloud Media Server to provide access to folders. I'm not really sure what that is, never used it, but it sounds like something that provides a service via a 3rd party to get access to you remotely. The third party is avoided altogether with the VPN solution. You don't have to give any sort of ingress access to any third party app. Your phone will think it's part of your home network. Also someone asked about having the network bridged when you have a wifi hack... it would be purely up to you whether or not you'd want your HTTP traffic to go through the VPN or not... that's different than what I'm providing here. This is strictly for using your phone as a WiFi hotspot router that forwards all of your traffic to your VPN connection (IE your house) so that connected wifi clients would be accessible via your home network and vice versa. You could also just make a VPN hotspot and generate RSA keys for each host connecting to the hotspot.... your choice. Mine works better in a way that I maintain constant view over every device including the phone that is acting as the VPN mifi hotspot.
How to undo this? I can't connect my hotspot.

Is MAC Filtering Supported?

I have a rooted Samsung Galaxy Exhibit II (SGH-T679) and I am attempting to do some MAC filtering, but opposite of what most people do.
I want to prevent my phone from accessing a specific router (I have the router BSSID). I downloaded "Android Terminal Emulator" and typed
Code:
su
and pressed enter. I enabled access to superuser. Then I typed
Code:
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
(obviously substituting the mac address for the BSSID of the router). It just went to a new line (no message or anything). Then I typed
Code:
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
and pressed enter. Still the same thing (new line; no message). I opened another app to see if it would connect to the internet. I still had an internet connection. I want the connection to drop for that specific router.
What is going on? Does my phone even support MAC address filtering? Especially the way in which I'm trying to do it? I even tried downloading AFWall+, Android Firewall and DroidWall, and entered the iptables in them. Still won't block me off of the internet for that specific BSSID.
Is this even possible?
P.S. The reason why I am trying to do this is that I'm testing this on my own phone and router before I implement it for a friend. I have set up Tomato with Access Restrictions and OpenDNS on my friend's router, but his son has been using his neighbour's wifi in the middle of the night to get online. I have the BSSID of the neighbour's router (thanks to Tomato's Wireless Survey). Maybe someone has another idea of how I can prevent him from accessing the neighbour's router? (and no, we don't want to ask the neighbour to change the password, because the neighbour's son will likely just give the password to my friend's son again).
That command updates the firewall rules, which has nothing to do with whether the phone connects to a particular wifi connection.
Other than not trying to connect to begin with, I'm not sure there is a way to do that. But it may depend on the rom you have.
Found an app that does what you are looking for.
https://market.android.com/details?id=com.hogdex.WifiRuler
Haven't tried it myself, as I just don't connect automatically and don't manually connect very often outside of a few places.
I figured things out. For one, after I added the iptable rule, I needed to REBOOT my phone for it to apply (which I wasn't doing). Secondly, I needed to use the LAN Mac Address (NOT the BSSID/Wireless MAC address) in order for the iptable rule to work.
Thirdly, I downloaded AFWall+. It allowed me to set it as administrator to prevent uninstallation. The only thing missing is that the developer needs to password protect removing the app as administrator.
Then I downloaded Android Terminal Emulator. In order to find the LAN MAC address for the connection that I am looking to block, I typed this into the emulator:
Code:
arp -n
Then I used the MAC address that was given in the terminal and put that into this rule here to be placed in "custom scripts" in the firewall:
Code:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
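The two steps in this answer (read the router's hardware address out of `arp -n`, then put it into a `-m mac --mac-source` rule) as an added shell example; it is not code from the thread or from AFWall+. `SAMPLE_ARP` is constructed sample data in the layout `arp -n` prints, with made-up addresses; `mac_for_ip`, `valid_mac` and `drop_rule_for` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find the hardware address behind an IP in
# `arp -n` output and build the rule the poster ended up using.
# SAMPLE_ARP is constructed sample data in the layout `arp -n` prints; the
# addresses in it are made up.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:5e:00:53:01   C                     wlan0
192.168.1.42             ether   02:00:5e:00:53:42   C                     wlan0'

# mac_for_ip IP [ARP_OUTPUT]: print the MAC the ARP cache holds for IP.
# Without a second argument it runs the real `arp -n` on the device.
mac_for_ip() {
    ip="$1"
    arp_out="${2:-$(arp -n)}"
    printf '%s\n' "$arp_out" |
        awk -v ip="$ip" '$1 == ip && $2 == "ether" { print $3; found = 1 } END { exit !found }'
}

# valid_mac MAC: succeed only for six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# drop_rule_for MAC: print the INPUT rule from the thread with the MAC filled in.
# The mac match compares the Ethernet *source* address of frames reaching the
# phone, so it is only usable in PREROUTING, INPUT and FORWARD; it never sees an
# address in OUTPUT, and it cannot stop the phone from associating with an AP.
drop_rule_for() {
    valid_mac "$1" || { echo "not a MAC address: $1" >&2; return 1; }
    printf 'iptables -A INPUT -m mac --mac-source %s -j DROP\n' "$1"
}

# Usage on the phone (as root): mac=$(mac_for_ip 192.168.1.1) && drop_rule_for "$mac"
```

In an AFWall+ custom script the rule is written with the `$IPTABLES` variable, as in the post above; the example prints the plain `iptables` form for a terminal session. Check what actually landed with `iptables -L INPUT -n -v --line-numbers`; the packet counter on the rule tells you whether frames from that address are being matched.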

[MODULE] [PSA] - Firewall for MAGISK v1.0.2

Firewall Rules for MAGISK
About the Module:
This module is actually a simple script that executes a series of iptables commands on boot in order to block inbound connections not directly related to outbound ones. There is no app or commands to execute in order for it to achieve its results, so no impact to system performance. Just flash the ZIP, reboot and protection will be in place. Due to its nature, things that require direct connections to the device's IP will break... With that exception, most users should notice little to no interference in their daily use. All core networking functionality should remain intact and if not I will modify accordingly. Advanced users may specify custom rules to allow incoming connections by editing the script included in the ZIP/install location. Eventually I will provide some examples to allow commonly used services.
Current Release v1.0.2
TLDR;
When rooting devices with Magisk or other solutions I have noticed services & apps running services getting exposed to connected networks and or the internet. This can spell big trouble for your security and privacy. For instance running an app such as Share GPS from the play store which is typically safe on non-rooted phones will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6 you can be assured that you're receiving a globally accessible non NAT'd IP address. All it would take is one shady app masqueraded as something you like, running a dynamic ip address updater script and an attacker with little know how to completely compromise your life. Trust me I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.
Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls like AFWall+ but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules, however for most people that won't be needed for day to day activity.
Customizing Rules:
You may wish to customize rules to allow inbound connections to services or apps running on your device. Notice how each "custom" rule contains the "-I" option, which inserts at the top of the chain. In this way each new rule will end up on top of the previous one. Be careful in how you write rules because they could completely override rules lower down in the chain. Best practice is to make the rule as specific as possible. In general, the shorter the rule, the more traffic will match and be ACCEPTed or REJECTed. Hopefully the rules below can paint the picture. You should always test your rules first using a terminal emulator or ADB shell before saving them to be run on startup.
The main script for this module is located at:
Code:
/sbin/.core/img/com.geofferey.fw/post-fs-data.sh
Allow ALL IN from ANYWHERE: (DON'T DO IT!!!!)
Code:
iptables -I INPUT -j ACCEPT
Allow IN ADB on ALL WiFi:
Code:
iptables -I INPUT -i wlan0 -p tcp --dport 5555 -j ACCEPT
Allow IN ADB only on WiFi Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 5555 -j ACCEPT
(Assuming IP range 192.168.1.0-255)
Allow IN All WIFI on Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
(Assuming IP range 192.168.1.0-255)
Recent Changes:
• v1.0 - Initial Release
• v1.0.1 - Added rules to support hotspot func. US T-Mobile users get native IPv6 global addresses. Switch to post-fs-data. Drop packets after rules are in place. Drop tcp and udp to hotspot and clients.
• v1.0.2 - Removed unnecessary rules not required for IPv6 hotspot tethering. Added anti-spoofing for loopback. Drop all invalid packets. Allow DHCPv6 & ping as it's essential.
Current Ruleset:
Code:
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv4 IPtables"
iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# a rule may carry only one -j target; two of them make iptables reject the line
iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv6 IPtables"
ip6tables -I INPUT -d ff02::/64 -j ACCEPT
ip6tables -I INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -s ::1/128 ! -i lo -j REJECT
# single -j target (see the IPv4 icmp rule); protocol 1 never appears as an IPv6
# next header, so the ipv6-icmp rule below is the one that actually matches
ip6tables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
ip6tables -I INPUT -p ipv6-icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -j REJECT
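The ordering point made in "Customizing Rules" (`-I` pushes each new rule onto the top of the chain, so a script of `-I` lines is evaluated in reverse, and a short rule with no match swallows everything below it) is easier to see when the chain is laid out in its effective order. The following shell script is an added example, not part of the module: it models a single INPUT chain in a temp file, feeds it the v1.0.2 IPv4 lines above in script order, and reports which positions hold catch-all rules. `chain_apply`, `rule_at`, `catch_all_lines` and `load_v102_ipv4` are names chosen for this example; it never calls real iptables and needs no root.

```shell
#!/bin/sh
# Added example (not the module's own code): a small model of how iptables
# orders a chain. `-I INPUT` pushes a rule on TOP, `-A INPUT` appends at the
# BOTTOM, and evaluation stops at the first matching rule, so a script full of
# `-I` lines is evaluated in the reverse of the order it was written.
# The model keeps one chain in a temp file; it never touches real iptables.
CHAIN_FILE="${TMPDIR:-/tmp}/fw-model-chain.$$"
trap 'rm -f "$CHAIN_FILE" "$CHAIN_FILE.new"' EXIT

chain_reset() { : > "$CHAIN_FILE"; }

# chain_apply 'iptables -I INPUT <matches> -j TARGET'   (also -A, also ip6tables)
chain_apply() {
    rule="${1#*INPUT }"            # keep only the match/target part
    case "$1" in
        *" -I INPUT "*) { printf '%s\n' "$rule"; cat "$CHAIN_FILE"; } > "$CHAIN_FILE.new" ;;
        *" -A INPUT "*) { cat "$CHAIN_FILE"; printf '%s\n' "$rule"; } > "$CHAIN_FILE.new" ;;
        *) echo "model only understands -I/-A INPUT: $1" >&2; return 1 ;;
    esac
    mv "$CHAIN_FILE.new" "$CHAIN_FILE"
}

# chain_effective: the chain top to bottom, numbered like `iptables -L INPUT --line-numbers`.
chain_effective() { nl -ba -w1 -s' ' "$CHAIN_FILE"; }

# rule_at N: the N-th rule a packet is tested against.
rule_at() { sed -n "${1}p" "$CHAIN_FILE"; }

# catch_all_lines: positions of rules with no match at all (just a target).
# Such a rule ends evaluation for every packet that reaches it, which is why
# `iptables -I INPUT -j ACCEPT` on top disables the whole firewall.
catch_all_lines() { grep -nE '^-j [A-Z]+$' "$CHAIN_FILE" | cut -d: -f1; }

# load_v102_ipv4: the module's v1.0.2 IPv4 lines, applied in script order.
load_v102_ipv4() {
    chain_reset
    chain_apply 'iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT'
    chain_apply 'iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT'
    chain_apply 'iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT'
    chain_apply 'iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT'
    chain_apply 'iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    chain_apply 'iptables -I INPUT -i lo -j ACCEPT'
    chain_apply 'iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT'
    chain_apply 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    chain_apply 'iptables -A INPUT -j REJECT'
}

# Stand-alone run: show the effective order, then what the "DON'T DO IT" rule does.
load_v102_ipv4
echo "effective INPUT chain:"; chain_effective
chain_apply 'iptables -I INPUT -j ACCEPT'
echo "catch-all rule positions after a bare ACCEPT on top: $(catch_all_lines | tr '\n' ' ')"
```

With the v1.0.2 lines the loopback anti-spoofing rule ends up first and the bare `REJECT` last, which is the intended shape; adding `iptables -I INPUT -j ACCEPT` afterwards puts a second catch-all at position 1, ahead of every other rule. On the phone itself the same view comes from `iptables -L INPUT -n -v --line-numbers` run as root, and a rule whose packet counter stays at zero after a test connection is a rule that is shadowed by something above it.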
Resources:
https://www.ultratools.com/tools/ipv6CIDRToRange
http://www.ipv6scanner.com/cgi-bin/main.py
https://blogs.cisco.com/security/securing-ipv6
https://www.digitalocean.com/commun...essentials-common-firewall-rules-and-commands
https://www.sixxs.net/wiki/IPv6_Firewalling
https://test-ipv6.com/
Attached below is the module. Let me know how it works and if there are any improvements needed. Any suggestions or comments will be taken into consideration. I don't mind users voting that my module is crap (I made the poll) just have the decency to explain to others why.
Geofferey said:
Firewall for MAGISK
When rooting devices with Magisk or other solutions I have noticed that any services or apps running services get exposed to connected networks and or the internet. This can spell big trouble for your security and privacy. For instance running an app such as Share GPS from the play store which is typically safe on non-rooted phones will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6 you can be assured that you're receiving a globally accessible non NAT'd IP address. All it would take is one shady app masqueraded as something you like, running a dynamic ip address updater script and an attacker with little know how to completely compromise your life. Trust me I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.
Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls like AFWall+ but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules, however for most people that won't be needed for day to day activity.
Attached below is the module. Please let me know how it works and if there are any improvements I may provide. As users of highly connected devices I believe we should all take security a little more seriously. Any suggestions or comments will be taken into consideration.
Is it like the AdGuard firewall?
@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.
In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.
Think of my mod as a base set of rules that should already be in place.
For experts .... Let me know if there's something I should add
Code:
iptables -A INPUT -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I INPUT -d ff02::/10 -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
Does it change dns?
jaggillararla said:
Does it change dns?
I haven't noticed any DNS changes in the way traffic is being routed
Geofferey said:
@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.
In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.
Think of my mod as a base set of rules that should already be in place.
For experts .... Let me know if there's something I should add
Code:
iptables -A INPUT -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I INPUT -d ff02::/10 -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
Let's say I want to deny a certain app or process internet; can this module do that, or is that considered an outbound connection...
@PoochyX That would be a task more suited for an app like AFWall+. I think you could also use AFWall+ to allow inbound connections that this module doesn't, in case the need arises. You're correct, if you wanted to limit an app from accessing the internet then you would block its outgoing connections. This mod shouldn't be considered a replacement for apps like those.
Think of it like closing all the doors to your house so randoms can't walk in. Anyone can leave at anytime and relatives are welcome. I am not deadbolting the home so nothing can escape.
@Geofferey
Worth pointing out this breaks hotspot...
@Geofferey AfWall+ also uses iptables and it allows us to specify custom iptables scripts, which serve the same purpose as your Magisk Module, but can be changed dynamically at runtime.
// EDIT AfWall+ has a setting for dis-/enabling incoming connections in their "experimental" section.
I did not check if it works though.
73sydney said:
@Geofferey
Worth pointing out this breaks hotspot...
Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.
Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.
If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.
GoPro Live preview
Geofferey said:
Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.
Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.
If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.
Version 1.0.2 fixed the WiFi hotspot issue. But I found another problem.
I'm using the GoPro app to control the cam. With your module the camera live preview does not work. Managing the camera settings works well, only live preview is broken.
Any idea how to fix this?
@Geofferey
Sadly I have an issue when I tested the new build...
I use the terminal debloat module and load my launcher (Nova) via a module too...
When using your firewall module, these fail to load, and because I remove the stock launcher via debloat, this means your module makes my device unusable
This is due to the fact you're using post-fs-data, it's blocking by nature and can, as described, have REALLY bad side effects.
You should be using service.d (non blocking) to run your scripts. Later today I'll post you a modified module zip which uses service d.....I've recently modded a script I have from post-fs-data to service d, complete with uninstall script....
73sydney said:
@Geofferey
Sadly I have an issue when I tested the new build...
I use the terminal debloat module and load my launcher (Nova) via a module too...
When using your firewall module, these fail to load, and because I remove the stock launcher via debloat, this means your module makes my device unusable
This is due to the fact you're using post-fs-data, it's blocking by nature and can, as described, have REALLY bad side effects.
You should be using service.d (non blocking) to run your scripts. Later today I'll post you a modified module zip which uses service d.....I've recently modded a script I have from post-fs-data to service d, complete with uninstall script....
So you had no nandroid of your device because you were just building up your daily driver and were implementing his module into your driver's configuration and it was a no go
PoochyX said:
So you had no nandroid of your device because you were just building up your daily driver and were implementing his module into your driver's configuration and it was a no go
Not sure what you're trying to say here, sorry....
73sydney said:
Not sure what you're trying to say here, sorry....
Nandroid aka TWRP backup of your phone
Edited zip with proposed fixes and change to service.d sent to @Geofferey
PoochyX said:
Nandroid aka TWRP backup of your phone
I always have one, but nothing I was talking about yesterday was in any way related to nandroid backups....
Ahhh....maybe you misunderstood, thinking I couldn't get back in after enabling the firewall module?
No, i just rebooted to recovery and disabled the module via this: https://forum.xda-developers.com/apps/magisk/tool-magisk-manager-recovery-tool-v1-0-t3866502
Everyone should have a copy of that on their external sdcard, just in case
All good
Module seems as if it could use a look for magisk mask 19 on Lineage 12.1 (Android 5.1.1). I installed through TWRP recovery and after reboot I had no internet access, all my Magisk modules stopped working and all my installed apps were reset; their data was wiped. I had to disable and uninstall your firewall module for things to work again, like internet access and my Magisk modules etc....... Any idea what went wrong, without logs?
@Geofferey
Hello, with your module YouTube Vanced (Magisk Repo) no longer works. Could you fix this? Thank you.
How can I run this on my phone?
Does this work on android 13?
