Related
I installed adfree recently. At first I had it use 127.0.0.1 in my hosts file. That causes ads to perpetually have a spinner because I'm not running a website on my phone, obviously.
Then I read that I should use the "BCT IP" option. That option makes entries in hosts that point all of the domains to 119.161.80.12, which runs a script so that all 404 errors produce either an empty GIF or an empty HTML file for all requests (depending on the file type of the request.) This sounds really handy so that something gets served and the ad banners stop showing a spinner.
However, if I use the BCT IP option, is doesn't work! I get the ads. I even tried opening the browser and entering http://zango.com/foo.png (zango being one of the domains from the hosts file) and I got served a 404 page from zango.com instead of the blank image from the server at the BCT that IP address.
I double checked my hosts file by doing
Code:
adb pull /system/etc/hosts hosts.txt
and I can see that the zango domain is indeed pointing to that IP.
If I enter the BCT IP in the browser and a random PNG file name I get redirected to the pixel.gif as expected. So all the pieces are there, it's just not using the BCT IP for the domains in the hosts file. However, using 127.0.0.1 works great. (Well, except I get a perpetual spinner on ad banners.)
If it matters, I'm on CM 6.1 Stable testing this on an Edge/3G connection. I should also note that I reboot after each time I change the hosts file.
Any idea what's going on?
Belated reply I know, but just to say, that manually setting it to use IP 119.161.80.12 works.
One benefit of leaving it set to 127.0.0.1 though is that apps which require ads to be "shown" (like Angry Birds, for example) will still run when you're in airplane mode.
With it set to the other IP, it will fail in that case, since obviously there wouldn't be any network connection to contact.
Short Version:
Got an OpenVPN server on my NAS. GN connects & works fine; remote resources are reachable. I now want to know how I can route all traffic through the tunnel. (Is this possible?)
Long Version:
For those times when I'm traveling (domestically and internationally) and/or using a questionable Internet connection, I'd like to secure the connection.
I've got a [stock] rooted GN running Jelly Bean with BusyBox installed. My NAS has two built-in VPN solutions one of which being OpenVPN so I got that setup which created an .ovpn file containing the following configuration:
Code:
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
After installing OpenVPN Installer & OpenVPN Settings, I had to manually symlink busybox, ifconfig, and route from /system/bin to /system/xbin in order for OpenVPN to run properly.
Code:
#Note: In an attempt to be thorough, and for any Googlers or forum searchers (+1)...
#First I had to mount /system as read/write via:
mount -o -rw,remount /system
#Then create the symlinks via:
ln -s /system/bin/busybox /system/xbin/busybox
ln -s /system/bin/ifconfig /system/xbin/ifconfig
ln -s /system/bin/route /system/xbin/route
#Then remount /system as read-only via:
mount -o ro,remount /system
Once all of the above was setup, I initiated the connection, successfully authenticated, and was able to reach remote resources without issue.
What I would like to do at this point is get it setup so that I can have a second profile that routes all traffic through the VPN. I assume its a client-side configuration change but I really don't know at this juncture.
Many thanks!
Doesn't CyanogenMod ROM have native OpenVPN support? I think the OpenVPN client on CM has an option to route all traffic through the VPN. I think for what you want to do you should need a custom ROM or kernel that supports iptables.
iptables is a system file that allows the system to redirect network traffic usually for apps like tethering, firewalls, and proxies.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
Phylum said:
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
Click to expand...
Click to collapse
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
You need to enter "redirect-gateway" into your ovpn config file.... Just remove the # in the your config
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
KemikalElite said:
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse
I somehow missed this when drafting my last reply. I think you're right about it being a DNS problem. I made a change to the config file (adding a few lines for 'dhcp-option DNS x.x.x.x') and within OpenVPN used the 'Fix DNS' button.
Thanks all for your time, thoughts, opinions and instructions!
Phylum said:
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
Click to expand...
Click to collapse
You probably need to allow traffic to route back along the vpn film the internet. On your gateway, route vpn addresses to the VPN server and make sure forwarding is enabled on the vpn server.
Questions go in Q&A
Read forum rules and stickies before posting
Thread moved
FNM
Install openvpn and then place your edited client vpn config files and certificate files on the storage of FireTV similar to the raspberry pi method in the thread below:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Thanks for anyone that may know more than me that could maybe get this to work...
Hmm would be nice if that worked. Did u get a chance to try it?
Sent from my Nexus 5 using XDA Free mobile app
tdfsu said:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Click to expand...
Click to collapse
I'm working on something like this just now. Here's the thing: in my logs for the simplest openvpn app to install (not straight openvpn, it turns out, as there's a windowing issue there that makes it difficult / impossible to navigate through setup, even with a keyboard and Droidmote) once I have a config, I get errors in logcat informing me
"Your image does not support the VPNService API, sorry "
There is a manually installable openvpn binary that I've looked at a bit but not yet configured. It is going to require adding a binary to /system/xbin directly, as the installer (at least on my phone) does not understand where /system/xbin really lives and issues a remount command to a nonexistent partition.
If you're running dd-wrt or similar configurable firewall, another option is to get an account with a provider who is set up to let you do a firewall to firewall connection, and then route either all of your traffic or the traffic from your firetv through that firewall-to-firewall connection.
I have a Private Internet Access vpn account.
Installed openvpn on FireTV--
http play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
Installed busybox on FireTV--
http play.google.com/store/apps/details?id=stericson.busybox&hl=en
I created a pass.txt file with my PIA username on the first line and password on the second line, nothing else, then saved the file as a text file (pass.txt).
Download the following to PC--
http privateinternetaccess.com/openvpn/openvpn.zip
Extracted the zip file.
Edited the location specific .ovpn file (see below), changing the 'remote', 'ca', 'crl' and 'auth' lines to the following--
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /storage/sdcard0/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /storage/sdcard0/openvpn/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /storage/sdcard0/openvpn/crl.pem
Then, save the USFlorida.ovpn file.
Upload ca.crt, crl.pem, pass.txt, and .ovpn file to FireTV to /storage/sdcard0/openvpn/
Open terminal on FireTV. I use jackpal's terminal app below, but you can also use adb.
http play.google.com/store/apps/details?id=jackpal.androidterm
In terminal, type the following--
su
openvpn cd /storage/sdcard0/openvpn/USFlorida.ovpn
But I get several errors. Anyway, that's where I'm at. Maybe someone else more knowledgeable than me can figure it out. Sorry about the links, my low post-count will not allow me to post url's.
Also, you can sideload the following app to verify your external ip address, and it works great with the FireTV remote--
http play.google.com/store/apps/details?id=igit.WhatIsMyIp
The approach you've taken is where I'd be headed next on the client side.
One thing you might want to try is to do the same setup a less locked-down device and confirm that the config files work as expected there.
There's also a good discussion of the hardware approach (setting up a tunnel from your edge to a VPN provider) in the other VPN thread, http://forum.xda-developers.com/showthread.php?t=2797005
also, private internet access will sell a preconfigured router for this purpose!
Is there a way to "permanently" set the mac address of wlan0 to something of my choosing? I have been able to do this temporarily through ADB and with busybox, but it does not always work. I want to have a specific mac address on wlan0 for when I use my phone as a hotspot for portable gaming devices. I have google's this, and it seems at least in previous versions of CM, this was stored in a file and could be changed, but I cannot find that file on the build I am running (CM 12.1-20150705-NIGHTLY). Does anyone know how to do this? Currently, I have to enable the hotspot, use ADB cli like:
# busybox ifconfig wlan0 down
# busybox ifconfig hw ether 00:11:22:33:44:55
# busybox ifconfig wlan0 up
# busybox ip link show wlan0
If I check the mac address after this, sometimes it changes, sometimes it does not. And sometimes when "ip link" reports the changed mac, it is not really changed (I check with other devices and they still see the old mac). But it does work... sometimes (rarely.. but I have had it working). I'd really like to make this more permanent.
I have looked in /data/misc/wifi but I don't see any nvram file in there anymore where I think you used to be able to set it.
This thread may help you. http://forum.xda-developers.com/showthread.php?t=2286440 I haven't tried it myself but a friend of mine said it worked for him.
In the latest 5.0.3 build for the 5T, I see dnsmasq is running in /system/bin/dnsmasq
Awesome, I want to use it. The question is, if I put my config file in /system/etc/dnsmasq.conf will dnsmasq see it and run my config? If not there, where does it need to go in order to work?
Interesting.
I'll give it a try later today.
I'd say put your configuration and see if that works. Not sure if cycling the connection would work or if you'll need a full reboot tho.
W.
Awesome, please let us know.
For those who are unfamiliar with dnsmasq, it allows users to block domains (e.g. malware.com) without having to also block all of its subdomains (e.g. www.malware.com, infect.malware.com, hidden01.malware.com, hidden02.malware.com, etc).
The /etc/hosts file commonly used to block connections cannot do this, it requires you to list every subdomain, which turns blocking sites into a game of whack-a-mole as malware sites simply invent new subdomains every day.
That's why dnsmasq is so important, and I'm glad to see that the service is running on Android.
dnsmasq is used only during tethering. Right?
Actually, you cannot find dnsmasq.conf in any directory. I think it is hard-coded in settings app.
But, you can follow these steps to use your own dnsmasq.conf
turn on tethering
kill dnsmasq
Code:
killall dnsmasq
run dnsmasq with your own configuration
Code:
dnsmasq -C /path/to/dnsmasq.conf -x /path/to/dnsmasq.pid
enjoy
This requires your device to be rooted. I use this method to host captive portal on my android device.