Install openvpn and then place your edited client vpn config files and certificate files on the storage of FireTV similar to the raspberry pi method in the thread below:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Thanks for anyone that may know more than me that could maybe get this to work...
Hmm would be nice if that worked. Did u get a chance to try it?
Sent from my Nexus 5 using XDA Free mobile app
tdfsu said:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Click to expand...
Click to collapse
I'm working on something like this just now. Here's the thing: in my logs for the simplest openvpn app to install (not straight openvpn, it turns out, as there's a windowing issue there that makes it difficult / impossible to navigate through setup, even with a keyboard and Droidmote) once I have a config, I get errors in logcat informing me
"Your image does not support the VPNService API, sorry "
There is a manually installable openvpn binary that I've looked at a bit but not yet configured. It is going to require adding a binary to /system/xbin directly, as the installer (at least on my phone) does not understand where /system/xbin really lives and issues a remount command to a nonexistent partition.
If you're running dd-wrt or similar configurable firewall, another option is to get an account with a provider who is set up to let you do a firewall to firewall connection, and then route either all of your traffic or the traffic from your firetv through that firewall-to-firewall connection.
I have a Private Internet Access vpn account.
Installed openvpn on FireTV--
http play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
Installed busybox on FireTV--
http play.google.com/store/apps/details?id=stericson.busybox&hl=en
I created a pass.txt file with my PIA username on the first line and password on the second line, nothing else, then saved the file as a text file (pass.txt).
Download the following to PC--
http privateinternetaccess.com/openvpn/openvpn.zip
Extracted the zip file.
Edited the location specific .ovpn file (see below), changing the 'remote', 'ca', 'crl' and 'auth' lines to the following--
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /storage/sdcard0/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /storage/sdcard0/openvpn/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /storage/sdcard0/openvpn/crl.pem
Then, save the USFlorida.ovpn file.
Upload ca.crt, crl.pem, pass.txt, and .ovpn file to FireTV to /storage/sdcard0/openvpn/
Open terminal on FireTV. I use jackpal's terminal app below, but you can also use adb.
http play.google.com/store/apps/details?id=jackpal.androidterm
In terminal, type the following--
su
openvpn cd /storage/sdcard0/openvpn/USFlorida.ovpn
But I get several errors. Anyway, that's where I'm at. Maybe someone else more knowledgeable than me can figure it out. Sorry about the links, my low post-count will not allow me to post url's.
Also, you can sideload the following app to verify your external ip address, and it works great with the FireTV remote--
http play.google.com/store/apps/details?id=igit.WhatIsMyIp
The approach you've taken is where I'd be headed next on the client side.
One thing you might want to try is to do the same setup a less locked-down device and confirm that the config files work as expected there.
There's also a good discussion of the hardware approach (setting up a tunnel from your edge to a VPN provider) in the other VPN thread, http://forum.xda-developers.com/showthread.php?t=2797005
also, private internet access will sell a preconfigured router for this purpose!
Related
I installed adfree recently. At first I had it use 127.0.0.1 in my hosts file. That causes ads to perpetually have a spinner because I'm not running a website on my phone, obviously.
Then I read that I should use the "BCT IP" option. That option makes entries in hosts that point all of the domains to 119.161.80.12, which runs a script so that all 404 errors produce either an empty GIF or an empty HTML file for all requests (depending on the file type of the request.) This sounds really handy so that something gets served and the ad banners stop showing a spinner.
However, if I use the BCT IP option, is doesn't work! I get the ads. I even tried opening the browser and entering http://zango.com/foo.png (zango being one of the domains from the hosts file) and I got served a 404 page from zango.com instead of the blank image from the server at the BCT that IP address.
I double checked my hosts file by doing
Code:
adb pull /system/etc/hosts hosts.txt
and I can see that the zango domain is indeed pointing to that IP.
If I enter the BCT IP in the browser and a random PNG file name I get redirected to the pixel.gif as expected. So all the pieces are there, it's just not using the BCT IP for the domains in the hosts file. However, using 127.0.0.1 works great. (Well, except I get a perpetual spinner on ad banners.)
If it matters, I'm on CM 6.1 Stable testing this on an Edge/3G connection. I should also note that I reboot after each time I change the hosts file.
Any idea what's going on?
Belated reply I know, but just to say, that manually setting it to use IP 119.161.80.12 works.
One benefit of leaving it set to 127.0.0.1 though is that apps which require ads to be "shown" (like Angry Birds, for example) will still run when you're in airplane mode.
With it set to the other IP, it will fail in that case, since obviously there wouldn't be any network connection to contact.
Short Version:
Got an OpenVPN server on my NAS. GN connects & works fine; remote resources are reachable. I now want to know how I can route all traffic through the tunnel. (Is this possible?)
Long Version:
For those times when I'm traveling (domestically and internationally) and/or using a questionable Internet connection, I'd like to secure the connection.
I've got a [stock] rooted GN running Jelly Bean with BusyBox installed. My NAS has two built-in VPN solutions one of which being OpenVPN so I got that setup which created an .ovpn file containing the following configuration:
Code:
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
After installing OpenVPN Installer & OpenVPN Settings, I had to manually symlink busybox, ifconfig, and route from /system/bin to /system/xbin in order for OpenVPN to run properly.
Code:
#Note: In an attempt to be thorough, and for any Googlers or forum searchers (+1)...
#First I had to mount /system as read/write via:
mount -o -rw,remount /system
#Then create the symlinks via:
ln -s /system/bin/busybox /system/xbin/busybox
ln -s /system/bin/ifconfig /system/xbin/ifconfig
ln -s /system/bin/route /system/xbin/route
#Then remount /system as read-only via:
mount -o ro,remount /system
Once all of the above was setup, I initiated the connection, successfully authenticated, and was able to reach remote resources without issue.
What I would like to do at this point is get it setup so that I can have a second profile that routes all traffic through the VPN. I assume its a client-side configuration change but I really don't know at this juncture.
Many thanks!
Doesn't CyanogenMod ROM have native OpenVPN support? I think the OpenVPN client on CM has an option to route all traffic through the VPN. I think for what you want to do you should need a custom ROM or kernel that supports iptables.
iptables is a system file that allows the system to redirect network traffic usually for apps like tethering, firewalls, and proxies.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
Phylum said:
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
Click to expand...
Click to collapse
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
You need to enter "redirect-gateway" into your ovpn config file.... Just remove the # in the your config
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
KemikalElite said:
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse
I somehow missed this when drafting my last reply. I think you're right about it being a DNS problem. I made a change to the config file (adding a few lines for 'dhcp-option DNS x.x.x.x') and within OpenVPN used the 'Fix DNS' button.
Thanks all for your time, thoughts, opinions and instructions!
Phylum said:
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
Click to expand...
Click to collapse
You probably need to allow traffic to route back along the vpn film the internet. On your gateway, route vpn addresses to the VPN server and make sure forwarding is enabled on the vpn server.
Questions go in Q&A
Read forum rules and stickies before posting
Thread moved
FNM
Hi
I've got a paid VPN from ProXPN and I'm trying to set it up on my HTC One X using the official OpenVPN Connect app.
Copied my *.ovpn, *.crt and *.key files over from my laptop to the device, but get the following error:
"Error Parsing OpenVPN profile : ProXPN.ovpn : option_error: remote option not specified"
Does anyone know what I'm doing wrong, please?
Thanks
Rob
P.S. Not a huge issue if I can't get it working, as I'll just use the built-in VPN via pptp, but hopefully I'll be able to sort this out.
Rushey_Platt said:
Hi
I've got a paid VPN from ProXPN and I'm trying to set it up on my HTC One X using the official OpenVPN Connect app.
Copied my *.ovpn, *.crt and *.key files over from my laptop to the device, but get the following error:
"Error Parsing OpenVPN profile : ProXPN.ovpn : option_error: remote option not specified"
Does anyone know what I'm doing wrong, please?
Thanks
Rob
P.S. Not a huge issue if I can't get it working, as I'll just use the built-in VPN via pptp, but hopefully I'll be able to sort this out.
Click to expand...
Click to collapse
Judging by the error message I would say that your config file contains a typo or the line that specifies the remote address to connect to is missing or misformed.
http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
Click to expand...
Click to collapse
And http://openvpn.net/index.php/open-source/documentation/howto.html#examples
Obviously you cannot copy paste the examples . Can you not get a ready made ovpn config file from those ProXPN dudes?
If this config file contains no sensitive information you could post it here for a quick syntax check?
pakjebakmeel said:
If this config file contains no sensitive information you could post it here for a quick syntax check?
Click to expand...
Click to collapse
I don't think any of this is sensitive (hopefuly!) so here it is:
Code:
client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ssl/ca.crt
cert ssl/client.crt
key ssl/client.key
cipher BF-CBC
keysize 512
comp-lzo
verb 4
mute 5
tun-mtu 1500
mssfix 1450
auth-user-pass
reneg-sec 0
route-method exe
route-delay 1 10
route-metric 512
route 0.0.0.0 0.0.0.0
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failure
;http-proxy [proxy server] [proxy port #]
So yes, you're missing the 'remote' statement in your config file.. Client doesn't know to which server it has to connect if this line is omitted.
That explains.
Also, this config looks like a config for a Windows client. Can you not just use a prefab config file for linux?
Think this is what you're on about: http://www.proxpn.com/ ?
I don't know this service but maybe use something like this: http://downgoat.net/2013/04/20/proxpn-openvpn-on-linux-configuration/
client
dev tun
proto tcp
remote uk.proxpn.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
keysize 512
comp-lzo
verb 3
mute 5
tun-mtu 1500
mssfix 1450
auth-user-pass
reneg-sec 0
redirect-gateway def1
Click to expand...
Click to collapse
Also, it uses this config to connect to VPN but you still need to provide a username and password because of the auth-user-pass statement. I've not seen this option in my Android client but maybe it appears on the connection preferences when it sees this statement? Or maybe it will ask you upon connecting.. Not sure but try this and see if you get an option to configure username and pass or whether it asks you upon connecting..
Make sure the ca.crt, client.crt and client.key files are in the same folder as the ovpn config file. I use /sdcard/openvpn.
If you get stuck enable logging on the connection and post that. (AFTER YOU HAVE REMOVED ANY SENSITIVE INFORMATION).
Great, thanks, that tip enabled me to successfully import the linux-based profile.
After import I was indeed asked for a username and password, and then it connected to ProXPN. However, it then got stuck in some sort of connect / disconnect loop, with the disconnect message disappearing so fast I can't actually read what it says!
Rob
Rushey_Platt said:
Great, thanks, that tip enabled me to successfully import the linux-based profile.
After import I was indeed asked for a username and password, and then it connected to ProXPN. However, it then got stuck in some sort of connect / disconnect loop, with the disconnect message disappearing so fast I can't actually read what it says!
Rob
Click to expand...
Click to collapse
Enable logging, that's what it's for.
Some loops are terminating because of session invalidated; others because of a transport error.
Rushey_Platt said:
Some loops are terminating because of session invalidated; others because of a transport error.
Click to expand...
Click to collapse
Maybe if you post the full log file we can see what's happening. As I don't know what the correct settings should be for this provider it makes it harder to troubleshoot.
I looked through all 4 pages of posts as well as the working apps list and thus far I have not found anyone who has gotten a proxy to work. Has anyone been able to use a VPN on the firetv? What about with xbmc on the firetv?
Thanks :good:
mcsephoenix said:
I looked through all 4 pages of posts as well as the working apps list and thus far I have not found anyone who has gotten a proxy to work. Has anyone been able to use a VPN on the firetv? What about with xbmc on the firetv?
Thanks :good:
Click to expand...
Click to collapse
can you list the VPN apps you have used? so im not repeating any
The only VPN I own is PIA which does not work. The rest I am just reading about. I did see a thread where droidvpn might work with tun.ko but I am trying to find out more about this method.
mcsephoenix said:
The only VPN I own is PIA which does not work. The rest I am just reading about. I did see a thread where droidvpn might work with tun.ko but I am trying to find out more about this method.
Click to expand...
Click to collapse
I'm making pretty good progress with PIA - I'm down to an issue with SSL verification. The core problem with newer guides is that the software assumes a device running Android 4.2 has access to the Google VPN API, which the FireTV does not.
I'm using the tools outlined in this guide
https://strongvpn.com/setup_android_open.shtml
which include an openvpn binary installer which I was surpised to see did work on the FTV (it didn't work on a cm11 device.)
I've added the Tun installer to the mix, so the process for me has been:
- have ADB available and working
- have a wifi keyboard available and working
- have Droidmote client able to access the system - there are times when it's super helpful to be able to yank down a menu
Setup and test openVPN - and get a known working config - on another device.
Root the FTV
Install Busybox (actually did that long ago)
Install "OpenVPN Installer" - this will get you the openvpn binary; you can confirm you have it by running openvpn in adb - if the openvpn binary isn't in your path, it'll error out otherwise it'll give you all the openvpn options.
Install the tun.ko installer from droidvpn
Install the "Open VPN Settings" app - this was very important for me, as with more recent openvpn installers, I was not able to import / export config files.
Import a working openvpn config file into openVPN settings (default path is /sdcard/openvpn/
Attempt to connect, fail, long press on the failing connection in order to
- enable logging
- make config changes on the fly
I currently have the PIA cert inline in my openvpn config and am pointing the config to their CRL file.
Most of the config seems to work; the remaining issue is in the TLS handshakes.
There are two rounds of verification, depth 0 and depth 1 - and one is failing. I forget which one just now.
Editing and testing the ovpn config in a gui and then reexporting us super helpful - looking over the guide at
https://www.privateinternetaccess.c...iguration-on-android-instead-of-pptp-ipsec/p1
gives a good walkthrough on the basics.
The openvpn binary installed for use on the ftv does not support all the options that the config generated there supports, though, which is why looking at the logs and editing the configs on the fly is so helpful.
mcsephoenix said:
The only VPN I own is PIA which does not work. The rest I am just reading about. I did see a thread where droidvpn might work with tun.ko but I am trying to find out more about this method.
Click to expand...
Click to collapse
Use Hola, it requires a mouse
http://forum.xda-developers.com/fire-tv/help/mlb-blackout-restriction-dns-unblock-t2825086
Post #9
L2TP work as well.
IKEv2 not route , and can not get the vaild IP address.
Can anyone solve this problem?
0oVicero0 said:
L2TP work as well.
IKEv2 not route , and can not get the vaild IP address.
Can anyone solve this problem?
Click to expand...
Click to collapse
are you on Redstone build ?
seems VPN broken on Redstone , not only IKEV2
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
VPN is broken in Windows 10. Period! Microsoft it's not going to fix it.
w.bogdan said:
VPN is broken in Windows 10. Period! Microsoft it's not going to fix it.
Click to expand...
Click to collapse
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?
DLS123 said:
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?
Click to expand...
Click to collapse
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.
w.bogdan said:
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.
Click to expand...
Click to collapse
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.
DLS123 said:
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.
Click to expand...
Click to collapse
It's not just desktop. On W10M, DNS leaks, VPN connected icon is barely visible and you don't get notified if the VPN connection drops. Is hard to believe Satya Nadella is so dumb not to notice.
w.bogdan said:
It's not just desktop. On W10M, DNS leaks, VPN connected icon is barely visible and you don't get notified if the VPN connection drops. Is hard to believe Satya Nadella is so dumb not to notice.
Click to expand...
Click to collapse
I know there are DNS leaks on W10Mobile and multi-homing can't be disabled, but I don't have a problem with that. The purpose of VPN for me is to gain access to other private networks and encrypt the communication with them. DNS leaks aren't that critical. It's not like I don't want my employer to know what websites I access while connecting to VPNs from their network. I couldn't care less to be honest that they're logging my DNS querries. And I also don't live in China.
Even if they have my DNS records they still won't ever be able to break the encrypted IPsec tunnels and get any glimpse of what's passing through them.
Wasn't able to download rasphone.pbk from the phone but could upload one.
I used my Windows 10 PC and created the connections there. Then I disabled IpPrioritizeRemote and used the powershell cmdlet Add-VpnConnectionRoute to add a route to the pbk file pointing to my local subnet.
I am now able to connect to the internet and access corporate resources at the same time.
I however couldn't connect from one particular app which worked in 8.1. There may be issues with non universal apps.
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Click to expand...
Click to collapse
Thanks!!! It's working fine!
I think Microsoft do not want to fix it.
0oVicero0 said:
I think Microsoft do not want to fix it.
Click to expand...
Click to collapse
Yeah, looks like that's the case. There is very little feedback in insider hub about VPN problems. Very few care about these issues so probably MS has no incentive to fix and prefer to rely on MDM for VPN configuration on these devices. Now if only that were an option for mere mortals...
How to import self-signed key or export builtin cert for a strongswan server?
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Click to expand...
Click to collapse
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?
rlively said:
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?
Click to expand...
Click to collapse
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
Just follow this tutorial., with the only mention that you should add "--flag clientAuth" to the command line for generating the client certificate.
DLS123 said:
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
Just follow this tutorial., with the only mention that you should add "--flag clientAuth" to the command line for generating the client certificate.
Click to expand...
Click to collapse
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
in any case it continues on and sends the Microsoft cert afterwards and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?
rlively said:
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
in any case it continues on and sends the Microsoft cert afterwards and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?
Click to expand...
Click to collapse
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs
DLS123 said:
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs
Click to expand...
Click to collapse
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
---------- Post added at 10:01 PM ---------- Previous post was at 09:35 PM ----------
rlively said:
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
Click to expand...
Click to collapse
My server certificate does have a CN and san that match. I thought I read somewhere that having that same value in the client san would help the client match up the cert to send to the server, at least for Windows Phone. Of course I can't find that guide now, so maybe I misread. I do see that in the example on https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ that the server CN and san match and the client CN and san match each other.
In the client certificate you should have [email protected]_FQDN --san server_FQDN --flag clientAuth
the eap_identity used by strongswan is the part before @ from CN.
It won't match anything when using eap_idenity=%identity if you don't do it like this.
Are there any relevant registry files we can access with interop tools?
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Click to expand...
Click to collapse
Hi I tried your manual, unfortunately without any success
If I Read it correctly you do the following steps:
1) Format sd card on NTFS
2) On the sd card create symbolic link to: C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections
3) Insert sd in phone
4) Create a vpn connection on the phone
5) Delete al the vpn connections on the phone
6) Use the phone to put a new (modified) rasphone.pbk file on the sd card (though onedrive??). I cant access my sd om my pc when usb is connected
7) Reboot the phone
8) Make a new vpn connection (can it have a different name?)
Can someone verify if i miss something?
I'll be very happy if this works