For anyone interested in data security, the ability to encrypt network traffic is obviously important, especially in light of the myriad recent, well-publicized reports of private and government electronic snooping. It is also relevant to mention that to date no one has come close to cracking "Twofish" encryption, which can be used by SSH. With this in mind, consider the following tutorial, which describes a method for encrypting all 3G, 4G, and Wi-Fi data, thus beefing up phone and personal data security.
Setting up a global SSH Tunnel on Android phones
This tutorial assumes the reader possesses a fully configured SSH server and a rooted phone. In lieu of a server (e.g., the reader only has a Windows-based operating system), research into Cygwin is recommended. I use Cygwin to run my SSH server and I have found that it is the most robust option for Windows users; however, setting this up on Windows can be a daunting task.
Setting up global SSH Tunnel on Android
1. Download 2 apps from the Google Playstore: ConnectBot and ProxyDroid
2. Install ConnectBot and ProxyDroid on your phone.
3. In ConnectBot, set up port forwards for your SSH connection. For the "Type" field use "Dynamic (SOCKS)." For "Source Port" use 56001 or any local port not being used. The reasoning behind using port 56001 is this: System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535).
4. Open ProxyDroid and configure as follows:
Host: 127.0.0.1
Port: 56001 (or the port you chose to use in step 3)
Proxy Type: SOCKS5
Global Proxy: Check the box
The above procedure accomplishes several things. First, ConnectBot remotely connects to your SSH server. Next, the ConnectBot connection forwards to the local port 56001. ProxyDroid then redirects all network traffic through the localhost on port 56001. Once you are connected through ConnectBot and ProxyDroid is activated, all of your data will be tunneled through the encrypted ConnectBot session. This is an excellent way to set up a global proxy because it does not require manual configuration of any applications to connect through the proxy. You can test the functionality of the connection by opening up your phone browser and performing the Google search "What is my IP". If the proxy is functional you will see the WAN IP of the network of your SSH server. Additional and more thorough testing can be done with packet sniffers such as Wireshark.
An application called "SSH Tunnel" is an alternative way of accomplishing the above. However, I find ConnectBot and ProxyDroid are more elegant and give better control, not to mention being more sophisticated/chic. When correctly performed, the ConnectBot and ProxyDroid method encrypts all 3G, 4G and Wi-Fi data on your phone. This is obviously useful for phone access of sensitive materials, especially using unfamiliar or alien network connections. With the current proliferation of identity theft via electronic snooping on mobile devices, I do not advocate using cellular phones for any banking or electronic transactions without setting up a robust and reliable encrypted connection.
I would also add that you need to run ConnectBot first, then run ProxyDroid. If you do it in reverse, ConnectBot will have problems connecting.
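The handshake the post above relies on, between the SOCKS5 client (the role ProxyDroid plays when it redirects an app's connection to 127.0.0.1:56001) and the dynamic forwarder (the role ConnectBot's "Dynamic (SOCKS)" port forward plays), is the SOCKS5 CONNECT exchange. The Python below is an added example, not code from the post or from either app: both ends run in one process over a socketpair so it works offline, and the forwarder only records the requested target instead of opening a real connection. The detail worth checking in any setup like this is the address type in the request: a hostname sent as ATYP 0x03 is resolved at the SSH server end of the tunnel, whereas a client that resolves the name itself and sends an ATYP 0x01 address has already leaked a DNS query outside the tunnel.

```python
"""SOCKS5 CONNECT exchange between a client (the role ProxyDroid plays) and a
dynamic forwarder (the role ConnectBot's Dynamic (SOCKS) port forward plays).
Added example for this thread, not code from either app; both ends run in one
process over a socketpair, and the forwarder only records the requested target."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT. A literal IP is sent as ATYP 0x01/0x04; anything
    else is sent as a domain name (ATYP 0x03) so the SSH server end resolves it
    and the phone issues no DNS query outside the tunnel."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp])
                    + socket.inet_pton(family, host) + struct.pack("!H", port))
        except OSError:
            continue  # not a literal address of this family
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_request(data: bytes) -> tuple:
    """Decode a CONNECT request the way the forwarder does; returns (host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return host, struct.unpack("!H", rest)[0]


def _forwarder(conn: socket.socket, seen: dict) -> None:
    """Server side: accept the no-auth method, read CONNECT, record the target,
    answer success with a zero bind address (what ssh -D style forwarders send)."""
    ver, nmethods = conn.recv(2)
    methods = conn.recv(nmethods)
    if ver != SOCKS_VERSION or NO_AUTH not in methods:
        conn.sendall(bytes([SOCKS_VERSION, 0xFF]))  # no acceptable method
        return
    conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    req = conn.recv(262)  # largest CONNECT: 4 header + 1 len + 255 name + 2 port
    seen["target"] = parse_connect_request(req)
    seen["atyp"] = req[3]
    conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6))


def socks5_connect_exchange(host: str, port: int) -> dict:
    """Run the full client/forwarder handshake in-process and report what the
    forwarder saw plus whether the client received a success reply."""
    client, server = socket.socketpair()
    seen: dict = {}
    worker = threading.Thread(target=_forwarder, args=(server, seen))
    worker.start()
    try:
        client.sendall(bytes([SOCKS_VERSION, 0x01, NO_AUTH]))  # offer one method
        if client.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise RuntimeError("forwarder rejected the no-auth method")
        client.sendall(build_connect_request(host, port))
        reply = client.recv(10)
        seen["reply_ok"] = len(reply) >= 2 and reply[1] == REP_SUCCEEDED
    finally:
        worker.join()
        client.close()
        server.close()
    return seen


if __name__ == "__main__":
    print(socks5_connect_exchange("example.com", 443))
```

Run it and the forwarder reports the target as ("example.com", 443) with atyp 0x03; pass a literal address such as "10.0.0.5" and the request goes out as ATYP 0x01, which is the shape a DNS-leaking client produces.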
I know that this is an old thread, but is there any way to SSH-tunnel Wi-Fi traffic only? Especially "untrusted Wi-Fi" traffic only?
Thanks
How do I set up ConnectBot? Please can you provide the information in detail?
Okay, so I was using this setup of ConnectBot and ProxyDroid on KitKat. It was working great. I upgraded my phone to Lollipop and ConnectBot would not port forward (the port data would be crossed out after connecting).
I decided to replace ConnectBot with SSH Tunnel in this config:
https://play.google.com/store/apps/details?id=org.sshtunnel
It did not work with global proxy in SSH Tunnel, so I used ProxyDroid like the OP did and it worked.
So basically, substituting ConnectBot with SSH Tunnel in the OP's setup.
Setup:
Root required.
Instead of ConnectBot, configure SSH Tunnel:
host = IP address of SSH server
port = 22
user = SSH username
password = SSH password
check the "use SOCKS proxy" box
set proxy port to 56001
do not check global proxy
Now configure ProxyDroid the same as mentioned by the OP.
Open ProxyDroid and configure as follows:
Host: 127.0.0.1
Port: 56001
Proxy Type: SOCKS5
Global Proxy: Check the box
This should work great for devices without VPN files but with root access.
Launch and connect SSH Tunnel, then ProxyDroid. Then use a browser to connect to the local LAN.
I have tested using a Raspberry Pi running SSH, and in sshd_config allowed root access and maybe also TCP forwarding.
I have also tested on DD-WRT 3.0 beta with TCP forwarding checked. (SSH is mostly broken/disabled in v2.4.)
Is there any other option instead of ProxyDroid? Because ProxyDroid is not working on Youwave.
Could an app like SSH Tunnel be used without ProxyDroid? I noticed that with ProxyDroid I was able to cloak my IP address at an IP reveal website, but couldn't do so without it. Unfortunately ProxyDroid requires root, which my current phone does not have. What good would SSH Tunnel be without ProxyDroid?
That does not solve the problem: when ConnectBot connects first and I enable SocksDroid second, ConnectBot will drop the SSH connection.
It's too late, but the problem is solved:
On SocksDroid, you need to select Per-App Proxy and select Bypass Mode, and add org.connectbot (NOT only ConnectBot) to the App List. With these settings, ConnectBot ALWAYS bypasses the proxy.
Tested, working stable.
Related
Notice: this topic is for very advanced computer users.
I will need help from WM6 developers and SUPER advanced users for a variant of this. Please go to the very bottom to read what I need help with.
What is it for?: Gain full access to TCP ports while using the carrier's WAP/GPRS/HTTP proxy. Access IMAP/POP3/Internet Radio/Streaming TV/Skype while still using your carrier's cheap/free GPRS APN.
(Currently this only works tethered, but I am working on making it work directly from the phone; I need help from those in the know.)
Summary: The PC is tethered to the phone for GPRS/3G internet. The PuTTY client connects to an SSH server THROUGH the carrier's proxy and opens up an SSH tunnel with dynamic forwarding on port 1080.
What you need:
- PC with Windows or Linux
- PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
- A simple SSH server directly connected to the internet (could be a modified Linksys WRT54G/GS/GL router with OpenWRT, no need for a PC)
optional - ProxyCap or SocksCap (commercial, look on bittorrent). They force software that requires DIRECT internet access to work with this guide.
Settings:
1- Your SSH server needs to listen on port 443
2- In Windows go to Control Panel / Internet Options / Connections / LAN Settings / Proxy Server /
-Check the box "Use a Proxy Server for your LAN"
-Click Advanced; under SOCKS, write "localhost" with port 1080
3- In PuTTY
-Session TAB
Hostname = IPaddressOfYourSSHServer
port = 443
-Connection / Proxy
Proxy Type = HTTP
Proxy hostname = YourCarrierProxyAddress
Port = 80 or 8080 (whatever your carrier tells you to put)
-Connection / SSH / Tunnels
At the bottom, select Dynamic & IPv4
Source port = 1080
Click ADD
You should see "4D1080" appear in the white box under "forwarded ports"
-Session
Type any name you want under Saved Sessions
Click "Save" so that anytime you reload PuTTY, you click on your session and load it to restore all the above settings.
Final Step
- Disconnect your PC from any internet access
- Connect your PC to your phone's GPRS/3G internet
- In Putty, load the session and click on OPEN (This should open up a black window with no text)
- Wait a few seconds, you should see a new window asking you if you accept a new KEY for the new host you are connecting to. Click YES
NOTE: this will only happen the first time you connect to the SSH server through GPRS. It will never appear again
- You'll be asked to enter your username and password (those are the ones from your SSH server). You'll then gain SSH terminal access to your SSH server.
- type and enter "top" in your SSH terminal
WHY? : Your carrier's PROXY closes any IDLE connections. "top" makes the SSH server send you the server status every few seconds, keeping the connection active.
- Open internet explorer and see if you can load web pages.
- Congrats, you got non-carrier-proxied non-carrier-cached internet access.
TROUBLESHOOTING
Problem: PuTTY times out when I open my session
Diagnostic: PuTTY can't connect to your SSH server. This could be due to:
- Check if you got the right SSH server IP address
- SSH server does not listen on TCP port 443
- SSH server is behind a firewall that blocks port 443
- Your ISP may block port 443 (mine blocks port 80)
- Your wireless carrier may not allow SSL connections. Test by loading an HTTPS web page while using their HTTP proxy (find a web page such as eBay, PayPal, or whatever that requires an encrypted login, and see if HTTPS is in the address bar). You're screwed if it's blocked.
- Your wireless carrier's proxy might not be on port 80/8080; please check
- Double-check your PuTTY settings for your session.
Problem: PuTTY says "connection not allowed", "permission denied" or something
Diagnostic: Your wireless carrier probably does not allow SSL on 443, or scans your packets to see if it is TRULY SSL. You're screwed in that case.
Problem: When I type my username and password, I get denied
Diagnostic: you don't know your OWN SSH server's access information, moron.
Problem: I'm connected to my SSH server, but IE won't load pages
Diagnostic: Either you forgot to set the dynamic port forwarding (review step 3 in settings) or you didn't set the proxy settings in IE (review step 2)
Please make sure you got NO other proxies entered other than in the SOCKS section of IE
WHAT I NEED FOR HELP
As you can see, this is only for using GPRS/3G on a PC/laptop.
I'm very close to getting this to work directly on the phone.
PocketPutty is a conversion of PuTTY for WM5/6
http://www.pocketputty.net/
There is no Proxy tab in PocketPutty, but go into the registry:
HKEY_current_user/Software/SimonTatham/Putty/Sessions/YourSessionName
This is IDENTICAL to what you'll find on your Windows PC if you create a session. Create the proper session on your PC and copy the registry entries onto your phone's registry.
I got it to connect to my SSH server the same way you do on a PC; however, I can't get Pocket IE or any other software to use the localhost:1080 SOCKS proxy.
I've tried the obvious "proxy settings" in the connections manager, but IE still tries to connect directly unless I specify an HTTP proxy. PuTTY cannot do HTTP proxy so I can't just open up a second dynamic port on 80.
I tried in the registry to manually enter data. I noticed that even if you have NO proxy settings, you still have two proxy entries in the registry:
HTTP, which uses "new-inet" on 1118
null-corp, which uses "new-corp" on 1118
I've made some tests and come to the conclusion that IE will only listen to the HTTP proxy entry in the registry. However, it will not use it if the "type" is set to "0". Setting it to "4" (SOCKS) gives me an error that IE cannot use my GPRS connection.
I'm at a loss here since I'm not a programmer or anything. I'm wondering if any programmer/developer/professionals know anything on the matter. It's only a matter of dynamic forwarding. I know PocketPutty can do it.
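What PuTTY does with "Proxy Type = HTTP" before a single SSH byte is sent is an HTTP CONNECT request to the carrier proxy, asking it to open a raw TCP tunnel to the SSH server on 443; only after a 2xx reply does the SSH identification string flow through the tunnel, which is why the post's settings pair port 443 on the server with the proxy's 80/8080. The Python below is an added example, not code from the post or from PuTTY: a stand-in proxy runs in-process over a socketpair and, to model the port policy the post describes, allows CONNECT only to 80, 443 and 8080 (that allow-list, the example address and the SSH banner it returns are constructed for the example). The idle-timeout problem the post works around with top can also be handled with PuTTY's Connection panel setting "Seconds between keepalives".

```python
"""HTTP CONNECT tunnel setup, the step PuTTY performs when Proxy Type = HTTP:
ask the carrier proxy for a raw TCP tunnel to the SSH server on 443, then speak
SSH inside it. Added example for this thread, not code from PuTTY; the proxy
side is a constructed stand-in run in-process over a socketpair."""
import base64
import socket
import threading

# Constructed model of the carrier policy the post describes: tunnels are
# allowed only to ports a browser would use.
ALLOWED_PORTS = {80, 443, 8080}
FAKE_SSH_BANNER = b"SSH-2.0-example\r\n"  # constructed stand-in for the real server


def build_connect_request(host: str, port: int, credentials: str = "") -> bytes:
    """CONNECT request for host:port; credentials ('user:pass') become a
    Proxy-Authorization: Basic header, the usual answer to a 407."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_proxy_response(data: bytes) -> tuple:
    """Split the proxy's status line into (code, reason). Anything after the
    blank line already belongs to the tunnelled stream, not to HTTP."""
    head = data.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    version, code, reason = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    return int(code), reason


def _fake_proxy(conn: socket.socket) -> None:
    """Stand-in proxy: enforce ALLOWED_PORTS, then either refuse or open the
    tunnel and relay what the 'SSH server' would send first."""
    request = conn.recv(4096)
    target = request.split(b" ", 2)[1].decode()
    _, port = target.rsplit(":", 1)
    if int(port) not in ALLOWED_PORTS:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        return
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    conn.sendall(FAKE_SSH_BANNER)  # from here on the proxy relays bytes blindly


def open_tunnel(host: str, port: int, credentials: str = "") -> dict:
    """Client side: send CONNECT, judge the reply, and if the tunnel opened read
    the SSH identification string that arrives through it."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=_fake_proxy, args=(proxy,))
    worker.start()
    try:
        client.sendall(build_connect_request(host, port, credentials))
        data = client.recv(4096)
        worker.join()
        code, reason = parse_proxy_response(data)
        result = {"status": code, "reason": reason, "ssh_banner": None}
        if 200 <= code < 300:
            rest = data.partition(b"\r\n\r\n")[2]
            if not rest:  # banner not in the first read; it is queued by now
                rest = client.recv(4096)
            result["ssh_banner"] = rest.strip().decode()
        return result
    finally:
        client.close()
        proxy.close()


if __name__ == "__main__":
    print(open_tunnel("203.0.113.10", 443))  # tunnel opens, SSH banner follows
    print(open_tunnel("203.0.113.10", 22))   # refused by the port policy
```

The two calls in the main block show the difference between the post's working configuration (server on 443) and the failure it warns about (server on a port the proxy will not tunnel): the first returns status 200 and the SSH banner, the second a 403 with no tunnel at all.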
I was wondering if this was possible myself... I run a linux server at home and when I am at school/work/etc. I like to use my server as a socks proxy (using the method you stated) in order to get around those pesky firewalls and content filters. I've found that in general I like to tunnel everything through my home ISP's connection. It just 'feels' more secure, albeit a lot slower due to roadrunner's poor upstream bandwidth.
Pocket IE apparently did leave out the SOCKS proxy feature, and I don't know if it's even possible to tunnel through SOCKS on a WinMo phone.
This ancient guide from 1999 says that SOCKS is not implemented on WinCE, but surely this is outdated and useless information, right?
So I ask: Does anyone out there know how to use a SOCKS proxy on a PocketPC?
I don't know how much this will help you, I'm not nearly as advanced, but I saw the word SOCKS and a bell rang. Under Settings > Connections > Connections, when you setup or edit the proxy server, the SOCKS option is at the bottom. I always manually put in the AT&T proxy settings when I need to so it sounded familiar. Hope that helps.
Hey alkizmo !
I think that your idea is not really good, because there is an easier solution, with OpenVPN. This vpn allows you to do HTTP encapsulation, like PuTTY ...
And OpenVPN server/client is faster to install.
A VPN connection cannot be initiated through a proxy where all ports are blocked except 8080/80/443
VPN is not the solution to proxy bypass.
Then again, go ahead, try to prove me wrong and you'd have found a much simpler solution.
oh and this thread is outdated, I did finalize this project and have it working now.
http://forum.xda-developers.com/showthread.php?t=316890
OK, I know your solution works, but three things:
1. Mine too (sorry, I bypass the proxy through VPN)
2. Mine is easier... that's all!
3. http://ovpnppc.ziggurat29.com/ovpnppc-main.htm
Personally, I think the problem lies in the way Pocket PC uses proxies. If there were a way to make the phone use the same proxy for everything, it would work. But from what I can tell, the phone chooses the right proxy for the right thing; looking at the proxy settings, it has one for HTTP, WAP, etc.
Well, the other programs don't work with these proxies, as far as I can tell. The best way, IMHO, would be to make a program that routes all connections to one proxy, and maybe then the proxies would work correctly.
excellent.
As of this writing, the link is still alive. And the latest release of OpenVPN PPC is 2.1, released December 10, 2009, or about a month ago.
see:
the changelog
Hello everyone,
I am looking into the idea of being able to run an SSH or VNC server on the Windows Mobile, specifically our Rhodium, platform over cellular (3G). I know for a fact Tmobile can assign a 'route-able' IP address to a phone here in the USA (this has been tested). I can ping this IP address from any computer on the internet (albeit with some substantial latency). Perhaps there is a way to use the Tmobile allowed "pinging your device" to tunnel SSH or VNC traffic.
I would like to figure out a way to reach an SSH or VNC server on my phone using this method. We would need to somehow "open" an inbound port to the phone (this would function like basic port forwarding).
All of this works perfectly over WiFi, of course, but the goal is to get this working over cellular 3G (in particular, Tmobile). I see this as a technical challenge we can overcome as a group.
Does anyone have any ideas on this?
Folks, someone must have some ideas on this!
Here's a few links I came across:
http://kar1107.blogspot.com/2006/03/running-servers-on-cell-phones.html
http://digg.com/software/Run_a_web_server_from_your_phone
It isn't possible; they close all ports. Except if you use port 80 on your phone for the server, then you can run VNC Server Mobile.
Antonius123,
So you're saying I can run a vnc server on port 80 on Tmobile? I have tried to run a web server on port 80 with no success.
Which mobile VNC server allows you to set the listening port?
It's a program that is in alpha mode.
You can get your IP address from your mobile phone through PHP; it is sending the real IP and not the fake one.
But you must be aware that the IP changes every time you get to a different tower (GSM tower).
Create a PHP page on a web server with this code:
PHP:
<?php
echo $_SERVER['REMOTE_ADDR'];
?>
Thanks for your reply, but I have additional questions.
I am able to get my real IP address from the phone by using VxUtil. This application tells me my IP address. Remember, I am able to have Tmobile assign me a 'route-able' IP address.
What is this program you speak of, which is in "alpha mode"?
The PHP code you provided, as I understand it, will simply give me my IP address, which VxUtil is able to do.
Were you able to somehow successfully access your device using the cellular connection? Which VNC software did you use, or did you use a different protocol?
It's interesting to note that when I check connectivity to my phone by doing "telnet IP_ADDRESS_HERE 80" I do not get a failure, the screen does hang as expected (Telnet can be used to see if ports are open without having a Telnet service running on my phone).
Can anyone please provide input?
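A connect to a port on the phone that hangs, as the telnet test in the post above does, is not evidence that the port is reachable. A TCP connect has three distinct outcomes: the handshake completes (open), the peer answers with RST and the connect fails immediately with "connection refused" (closed: the host is reachable but nothing is listening), or nothing comes back before the timeout (filtered: a firewall or carrier NAT is dropping the SYN, which is exactly what a hanging telnet looks like). The Python below is an added example, not from the thread: probe_tcp() classifies those outcomes, and local_demo() exercises the open and closed cases against a listener on 127.0.0.1 so it runs offline; the filtered case needs a real dropped SYN and is not reproduced offline.

```python
"""Classify a TCP connect() outcome as open / closed / filtered.
Added example for this thread; not from any post."""
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open' if the handshake completes, 'closed' if the peer answered
    with RST (ECONNREFUSED), 'filtered' if nothing came back before the timeout
    (a hung telnet is this case), or 'error:<errno>' for other failures."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. EHOSTUNREACH, ENETUNREACH
        return f"error:{exc.errno}"
    finally:
        s.close()


def local_demo() -> dict:
    """Exercise the open and closed cases against 127.0.0.1 only, so the
    example runs offline. A port is made 'closed' by binding it, reading the
    number and releasing it before the probe (a tiny race, acceptable here)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port, 1.0),
            "closed": probe_tcp("127.0.0.1", closed_port, 1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(local_demo())
```

Against the phone's carrier address, a "closed" result would actually be good news (packets reach the device and come back), while "filtered" means the carrier is dropping inbound SYNs before they arrive, and no server on the phone will help.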
Below is my experience. I hope this can help you.
WiFi LAN
phone<------------------> laptop <-------> Proxy<----->Internet
10.1.1.10 10.1.1.1 NATed
Prerequisite:
1. Laptop or PC has a wireless adapter that supports being configured as an AP.
2. OS that supports NAT (LAN as public network, Wi-Fi as private network).
My laptop is Windows XP SP3.
3. A DHCP/DNS server. I use DualServer.
Steps:
1. Configure the wireless adapter in AP mode and give it a static IP (10.1.1.1, netmask 255.255.255.0).
2. Configure DualServer on the laptop.
I just modified DualServer.ini with the following lines based on the default installation.
[LISTEN-ON]
10.1.1.1 # only listen this interface, not affect office network
[DHCP-RANGE]
DHCP_Range=10.1.1.100-10.1.1.119
DNS_Server=10.1.1.1 # all the phone's DNS query requests will be forwarded to the laptop
Router=10.1.1.1 # all phone's traffic will be routed to laptop
[xx:xx:xx:ea:a5:8d] # phone's wifi interface MAC Address, in order to given fixed IP.
IP_Addr=10.1.1.10
DNS_Server=10.1.1.1
Router=10.1.1.1
3. Configure NAT on XP laptop
In command window:
a). net stop remoteaccess
b). netsh routing ip nat install
c). netsh routing ip nat delete interface "Local Area Connection" full
d). netsh routing ip nat add interface "Wireless Network Connection 5" private
e). netsh routing ip nat add interface Internal private
f). net start remoteaccess
Please replace your interface name on step c) and d).
4. Start wireless AP on laptop. Make sure laptop can access internet.
Open Wi-Fi on the phone, find the laptop's AP and connect to it. Then the phone will be allocated an IP (10.1.1.10).
You can configure some security protocol on the phone and laptop.
5. In most cases, your office internet access is via a proxy.
You should also install a proxy app called TransProxy on the phone.
Then configure your proxy info in TransProxy.
6. Does it not work?
Install the Android SDK if you haven't. Run "adb shell".
ping 10.1.1.1; it should be OK, otherwise you have a wireless configuration error.
ping address1 should be OK (address1 is the IP address of your LAN interface);
otherwise your NAT configuration contains an error.
Now you can surf the internet on the phone.
If your wireless adapter does not support AP mode.
Please refer to another thread, (forum.xda-developers.com/showpost.php?p=8686601&postcount=17)
It still can share laptop's internet.
How does DNS work?
I am trying to use TransProxy but I have no idea how DNS could work. My understanding is that all the traffic will go through TransProxy. But my phone doesn't know anything about it, right? The iptables rules redirect the traffic from ports 80, 443, etc. to redsocks. If my phone's applications don't know about the proxy, how can they use an HTTP GET instead of a DNS query?
I'm still not able to use my SSH tunnel connecting to my server at home to tunnel HTTP web traffic on the browser. First, the proxy settings in Wireless/Network don't work even on Wi-Fi (I don't think it is the correct type of proxy), and secondly it doesn't work on 3G.
Although my work uses a VPN (Cisco) and that works fine with the VPN Connections app. So I'm wondering if it's possible to have an app that makes proxy settings the same way?
I really don't want to open up a VPN server at home; I like SSH with its public/private key to be more secure, especially with an 8192-bit key.
I'm trying to use Internet Passthrough at work. The problem is that we have a proxy that requires NTLM authentication. So I tried setting up an intermediate proxy on my Windows XP machine, then I set up the DHD to use the intermediate proxy (using Proxy Settings from the Market).
This only works with the browser, as it has built-in support for communicating with proxy servers. Other applications don't work.
I'm wondering if any of the following is possible:
1- Set up a proxy on the DHD in a way that is invisible to most applications and doesn't have to rely on application support for using a proxy server.
2- Use some program/setting on my computer that manages connections with the proxy server in a way that is invisible to HTC Sync and the DHD.
+1 for the same question.
I hope someone know the procedure and I hope even more it's possible.
It would be a shame if such a device didn't offer that feature.
+1 for that!!
I'm in the same boat, anyone have a solution to this yet?
+1
still no solution?
+1 too.
Kind of glad to see I'm not the only one looking for a solution
I tried with no luck with WideCap to proxify the processes htcnat.exe, adb.exe and another 2, but it's a really overwhelming configuration; furthermore, the service in Windows is run by the SYSTEM user and it should be changed to the user running WideCap to have it try recognizing it.
Unfortunately, even with everything configured in what I think is the correct way, I was not able to use the proxy; WideCap was still refusing to proxify Internet Passthrough.
There is another product called FreeCap on which WideCap is based, but I still haven't tried it (and next week I will be on holiday so I won't try it soon ^^')
solved by installing TransProxy 3.0.8 beta on android
http://forum.xda-developers.com/showthread.php?t=766569
ProxyDroid
I used ProxyDroid (needs root). It also supports NTLM authentication.
Hey did you find a solution? I'm facing the same issue for a long time !!!