VPN Client implementation specific to application - Android Q&A, Help & Troubleshooting

I wanted to implement an application-specific VPN client in Android, that is, a VPN connection which, once established, should only be available to our application, while the rest of the apps on the Android device should make use of the normal internet connection.
To elaborate my need more, I have an application already which connects to corporate email, files and other data from the internet normally, but for some security reason we need it to go through a tunnel within our application and access everything via the tunnel. Basically what we are looking for here is security while accessing the company corporate network.
Since we are new to something like this we don't have a hint on how to start, what protocols to use etc. (we are assuming IPsec/L2TP for now); any information, hint or redirects to useful resources will be really helpful.
And by the way, we are just looking to send and receive data over the tunnel; there is nothing more, no need to control computers on the network. All we need is to route data through the corporate firewall, and it should support multiple VPN servers such as Cisco, Microsoft etc. Can anyone say how complex or how feasible it is to implement?

If your goal is just establishing a secure connection and not controlling other computers or resources on the network, how about going with SSL encryption?
You are asking about complexity and I assume you are naive with this technology. As per my knowledge it's quite complex and may amount to as big as your present application. Here are a few pointers you may look into: split tunneling, low-level network protocols. Feasibility of implementation depends on the size of your team and their expertise level in socket programming, and remember you're attempting to accomplish something which is already built into most OSes and more complex. One of our dev team worked on split tunneling for months and finally gave up since the client settled for a non-PPTP application.
__________________
Dave
Current Device: Samsung Galaxy Nexus
Fed up of bricking devices

Related

VPN under WM2003 - MPPE Question

I am trying to set up a vpn connection on the xda. I can get this to work if I set up my firewall to accept un-encrypted data, but obviously this is not the best.
Does WM2003 support MPPE encryption? At what level (ie. 40 bit, 50-whatever bit, 128 bit)?
Thanks,
Cuinn.
VPN connection from XDA
Unless you use a client for your firewall (SecuRemote for Checkpoint / EasyVPN and others for Cisco) you can only initiate L2TP or PPTP connections which will terminate fine onto a 2000 server / ISA server even over a Natted connection.
Bear in mind if you use a client, SecuRemote grinds my connection to a halt over GPRS as the processing overhead on the XDA is horrendous. L2TP/PPTP terminated on an MS ISA server seems the best solution. You can always hide ISA behind your proper firewall for added security, but the licensing will cost you unless you already use it as a proxy etc.
Thanks Pete,
I am running a PPTP VPN currently, which should support MPPE Data Encryption, but which does not seem to work. I have a PIX firewall, so I have also tried Movian VPN client, but I also am unable to get this to work at all. I can use PPTP if I accept un-encrypted data, but would prefer all data to be encrypted. I am terminating the VPN on my PIX which supports either 40 bit or 128 bit MPPE and the question I really want answered is does WM2003 PPTP VPN support MPPE and at what encryption level?
Cuinn.
PPTP Vpn
Following earlier post, I found this in the Checkpoint SecureClient for PPC docs.
3. Is the Client supposed to be able to connect to the Check Point gateway when cradled?
When cradled, the client may use the ActiveSync pass-through connection mechanism.
Since the current version of Win CE SecureClient does not support encryption via pass-through connection, you will be able to authenticate to your gateway, if it allows unencrypted authentication. This means that you will be able to add a new site this way, but not to use VPN (encrypted) communications with it.
Just thought of your situ, maybe this helps. And it's about time Checkpoint write a client that works with WM2003!. Just my two penneth!
The pass-through connection only supports TCP/IP (up to a certain point) and does not support UDP at all.
Hence VPN connections via the cradle will not work (PPTP and L2TP both use UDP, and I assume the other VPN/IPSec implementations do as well)
VPN client connection over GPRS
After some serious testing I can confirm that on Windows 2003 server (not 2000) with ISA server 2000 on it, you can successfully run a GPRS connection with L2TP or PPTP happily via a NATted GPRS IP address. This has saved me LOADS of hassle with a business implementation. It hands over between cells on the mobile network, can get a new IP address (which seems to happen on Vodafone handover a lot) and still maintain the connection (well, really quickly re-make it, almost seamlessly).
Finally, I have raised a call with Checkpoint about Securemote client for WM 2003 and they still will give no fixed date, stating still within 6 months..... I hate them!
Anyway, the full MS implementation is working well, currently around 250 handsets on it, only another 350+ to go!

[Q] How to best protect yourself on public wifi?

I recently have been using McDonald's wifi and also Starbucks near a university I am soon attending (For a master's in IT whee!!). Since knowing about droidsheep and wifikill, I was wondering what the best methods of protecting your devices from public spying are? I found this app, http://forum.xda-developers.com/showthread.php?t=1350941 but isn't there something else? Like setting up some kind of basic something that can guard against such spying?
I am also interested in knowing not only for an android device, but also for a laptop being used in a public place. Thanks for your help!
typhoonikan said:
I recently have been using McDonald's wifi and also Starbucks near a university I am soon attending (For a master's in IT whee!!). Since knowing about droidsheep and wifikill, I was wondering what the best methods of protecting your devices from public spying are? I found this app, http://forum.xda-developers.com/showthread.php?t=1350941 but isn't there something else? Like setting up some kind of basic something that can guard against such spying?
I am also interested in knowing not only for an android device, but also for a laptop being used in a public place. Thanks for your help!
On a public wifi all data you send is unencrypted; the only way to protect it is to do some encrypting yourself.
On the apps that support it you should enable SSL encryption; that way, only your device and the receiving service can parse what's going on.
Not all apps support this, so if you come across an app that doesn't, but you are really afraid of someone taking it, you need to do some more advanced stuff and make use of a VPN.
This applies to both laptops and phones, but SSL support is usually less used on laptops.
typhoonikan said:
I recently have been using McDonald's wifi and also Starbucks near a university I am soon attending (For a master's in IT whee!!). Since knowing about droidsheep and wifikill, I was wondering what the best methods of protecting your devices from public spying are? I found this app, http://forum.xda-developers.com/showthread.php?t=1350941 but isn't there something else? Like setting up some kind of basic something that can guard against such spying?
I am also interested in knowing not only for an android device, but also for a laptop being used in a public place. Thanks for your help!
Use "SSH Tunnel" app from Play Store to encrypt all of Internet traffic. You'll need just an internet server having root access or SSH access for that. There's no need of complex configuration on server at all.
All VPNs except OpenVPN have a limited encryption level, but that's not the case with SSH tunneling. When it comes to OpenVPN, its configuration is complex, and a little mistake can pose a security risk. Plus, most stock ROMs don't have an OpenVPN client. Installing it is also more complex than installing SSH Tunnel.
SachinShekhar said:
Use "SSH Tunnel" app from Play Store to encrypt all of Internet traffic. You'll need just an internet server having root access or SSH access for that. There's no need of complex configuration on server at all.
All VPNs except OpenVPN have limited encryption level, but that's not the case of SSH Tunneling. When it comes to OpenVPN, its configuration is complex. And, little mistake can pose security risk. Plus, most of stock ROMs don't have OpenVPN client. Installing it is also more complex than installing SSH Tunnel.
This is great and what I had in mind- an app that secures the connection.
Though, walking into a starbucks or public wifi location where they have this kind of requisite (the server requirements)... isn't it doubtful they will have that set up?
Personally, I use OpenVPN. I would recommend using TUN, and at least 128 AES encryption. You need to have an always on internet connection somewhere. You set up a server there (dedicated computer, or buy a $40 linksys router and flash with dd-wrt or tomato vpn) and use a dynamic dns service to forward to that server's IP (such as DynDNS).
Most of that information is available on google.
You can find the OpenVPN HOWTO here:
openvpn.net/howto.html
Yes, as mentioned it is fairly complex, however worth the payoff in security in my opinion.
Hope that helps.
Tom
I appreciate the responses, but I think you're missing my point.
I'm talking about joining public wifi. Not a wifi spot where I can manage their server settings.
Yes, we are as well. VPN and SSH tunneling are used primarily to encrypt traffic. You want to do that to protect your data from Man in the Middle attacks. These types of encryption do not require any sort of administrative access to the wireless access point. That's the idea. You encrypt your data on your computer and send it over unsecured wifi to a server that is hard-wired to the internet, where the traffic is decrypted and sent out to the internet as normal. The return traffic will then also be encrypted until it is decrypted by your computer. I would look into these two options for securing your data on unsecured wifi networks...
Tom
tomg09 said:
Yes, we are as well. VPN and SSH tunneling are used primarily to encrypt traffic. You want to do that to protect your data from Man in the Middle attacks. These types of encryption do not require any sort of administrative access to the wireless access point. That's the idea. You encrypt your data on your computer and send it over unsecured wifi to a server that is hard-wired to the internet, where the traffic is decrypted and sent out to the internet as normal. The return traffic will then also be encrypted until it is decrypted by your computer. I would look into these two options for securing your data on unsecured wifi networks...
Tom
Thank you !
Sent from my EVO using xda premium
typhoonikan said:
This is great and what I had in mind- an app that secures the connection.
Though, walking into a starbucks or public wifi location where they have this kind of requisite (the server requirements)... isn't it doubtful they will have that set up?
Server will be your own outside public wifi. It may reside in your home. Or, you may purchase a VPS from Linode, RackSpace etc.
The concept: Your Android device will create an encrypted SSH tunnel to server at home... all over insecure wifi network. If a black hat guy traps your traffic in the middle, he will not get usable data from that because of encrypted tunnel.

Different options to avoid 3 Mobile UK tethering block.

Hi everyone,
I am trying to get my head around what can be done to bypass the tethering filter on 3UK.
Below are different scenarios I have come up with, and I would like any volunteers who could try out any of the following for me. Of course I will be doing these myself as and when time permits, but it's always helpful to have others' views on it too.
Please and I say please, do not turn this thread into Right and Wrongs of tethering or Terms and conditions of 3 mobile contracts. Please keep your views to yourself regarding if its lawful or unlawful or ethical or unethical or whatever you seem to come up with. I would like this to be a productive thread, instead of random comments on tethering.
Option 1: Use SSH Tunnel. Should I use an SSH tunnel on my phone and use my PC to connect to it to use the internet? Is there a reverse option?
Option 2: Use OpenVPN. Install OpenVPN on your PC, and connect your phone to your PC using the default VPN function on your phone (in my case the GT-I9100 comes with a VPN function). You could also try to reverse this method and install OpenVPN on your phone and use your PC to connect to it.
Option 3: Use the above two together in combination. As the heading says, use the SSH tunnel to connect to your OpenVPN.
Option 4: Use a proxy on your PC and connect to your phone, or the reverse: install a proxy app on your phone and point your PC web browser to that proxy address. You could use the SSH tunnel here to connect too.
So, tools at hand are vpn with any encryption available, ssh tunnel, proxy server.
Tools to ignore - TOR (onion), garlic based TOR like, changing User Agent on web browsers or paid VPN.
3 UK has two APN settings: three.co.uk for mobiles (NATed IP address) and 3internet (dongle users), which has an external IP address and I believe it's an open NAT or no NAT.
Please feel free to mix and match any options and also share your views on what is technically possible.
I hope to see something useful and learn a bit more. Even if we fail to achieve the desired results, it will still be enlightening to find the facts on how 3 detects tethering.
I
Code encode decode
Found on giff gaff forum useful info
Well, they have a few ways..

TTL: In my opinion, the most likely telltale signal of tethering. For example, iOS packets originate with a TTL of 64, so if they see anything else they know something is up. This is very easy to check, as the TTL is checked by each router as the packet is handled (the address on the envelope - doesn't require opening the letter, to use an analog analogy).

APN: Another possible sign of tethering is data being routed over the access point set up for the built-in tethering feature. But giffgaff does NOT have a separate APN for tethering. Again, this is easy to check without deep packet inspection.

User-agent: This is where carriers would need to get heavy-duty equipment and a willingness to be invasive to detect tethering. Your browser sends information about itself to remote web servers, and this information could be checked. I do not think giffgaff is doing this (to detect tethering at least), as it is not proof of tethering since anyone can easily use another browser on your phone that reports a different User Agent.

Web Sites Visited: Again, highly invasive, though it doesn't require DPI. If you're using the DNS servers of the carrier, they could look for requests for certain domain names like windowsupdate.com etc. This wouldn't be proof either, though.

I would bet that they are using TTL. So tunneling the TCP/IP packets that way probably resets the TTL to the default of the WAN interface on the phone.
Code encode decode
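The TTL signal the quoted post describes, worked through as an added example (not code from the thread, from giffgaff or from 3): it parses raw IPv4 headers and flags a packet whose TTL sits exactly one below a common OS default, which is how traffic forwarded by the handset from a tethered host looks to the carrier. The OS-default table, the handset TTL of 64 and the sample packets are assumptions constructed for the demo.

```python
"""TTL tethering heuristic (added illustration, not from the thread or any carrier).

A packet the handset originates reaches the carrier with the handset OS's initial
TTL (64 on Android/iOS). A packet from a tethered laptop was forwarded once by the
handset, so it arrives one below that laptop's own default (63 Linux/macOS, 127
Windows). Only the outermost IP header is visible to the carrier."""
import socket
import struct
from typing import List, Tuple

HANDSET_DEFAULT_TTL = 64          # assumption: an Android/iOS handset
# Initial TTLs commonly used by host operating systems (assumed lookup table).
DEFAULT_TTLS = {64: "Linux/Android/iOS/macOS", 128: "Windows", 255: "BSD/Solaris"}
IPV4_HEADER = "!BBHHHBBH4s4s"     # ver/ihl, dscp, len, id, flags, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum. Over a header that already carries a
    correct checksum it yields 0, which is how parse_ipv4 validates one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int = 6, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HEADER, *fields))
    return struct.pack(IPV4_HEADER, *fields) + payload


def parse_ipv4(packet: bytes) -> Tuple[str, int]:
    """Return (source address, TTL) after checking version, IHL and checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return socket.inet_ntoa(packet[12:16]), packet[8]


def classify_ttl(ttl: int, handset_default: int = HANDSET_DEFAULT_TTL) -> str:
    """Heuristic only: a TTL one below a known OS default implies one forwarding hop."""
    if ttl == handset_default:
        return "handset"
    if ttl + 1 in DEFAULT_TTLS:
        return f"tethered ({DEFAULT_TTLS[ttl + 1]} host one hop behind the handset)"
    return "unknown"


def audit(packets: List[bytes]) -> List[Tuple[str, int, str]]:
    """Classify each packet; malformed ones are reported, not silently dropped."""
    results = []
    for pkt in packets:
        try:
            src, ttl = parse_ipv4(pkt)
        except ValueError as exc:
            results.append(("?", -1, f"malformed: {exc}"))
            continue
        results.append((src, ttl, classify_ttl(ttl)))
    return results


if __name__ == "__main__":
    # Constructed samples as the carrier would see them; NAT on the phone means
    # every packet carries the phone's address, so TTL is the only giveaway.
    samples = [
        build_ipv4("10.0.0.2", "203.0.113.10", 64),   # the phone itself
        build_ipv4("10.0.0.2", "203.0.113.10", 127),  # Windows laptop behind the phone
        build_ipv4("10.0.0.2", "203.0.113.10", 63),   # Linux laptop behind the phone
        build_ipv4("10.0.0.2", "203.0.113.10", 58),   # several hops away: inconclusive
    ]
    for src, ttl, verdict in audit(samples):
        print(f"{src:15} ttl={ttl:3} -> {verdict}")
```

As the post notes, the check is a likelihood signal rather than proof, and it sees only the outermost IP header.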
Why do you have to make 2 threads for the same subject?
Well, I wasn't sure at the time of writing the first one if I had to go down the route of testing, which the second one is for. So, the first one is literally to know if it's happening to new contracts only, and the second is for testing different scenarios and finding out how.
Hope this helps and if not then jog on.
Code encode decode
Invincible29 said:
Hope this helps and if not then jog on.
Less of the attitude please and more of the reading of forum rules. Stick to one thread for the same thing.
Thread closed, use the other one (it was created first).

[Q] VPN On phone worth it ?

I was trolling through the settings and saw there's a built-in VPN that can be used. Is it worth it, or is this one that Verizon has control over and would just hand over your info to the mafiaa anyway? Anyone know more about this or have you used it yet?
It's just a remote access client. Stock Android comes with one, which you can still use here, LG has provided a more advanced one that has better compatibility with more advanced forms of IPSec encryption, haven't really played with it to see what else it does.
I highly doubt that Verizon has instructed LG to intentionally compromise the security of their VPN client, the legal ramifications alone would make this a very foolish decision, even for Big Red. The security of the traffic sent over the tunnel depends on what type of encryption was used, and we can't currently be positive that there is a type of encryption out there the NSA can't crack, they don't need Verizon's help to do so.
What type of VPN are you trying to connect to? If this is corporate or educational the security of the traffic isn't your responsibility anyway.
I just use the stock Android one. I have been using it for years so I stuck with it. I played with the LG one but for what I need, the stock is all I need. I use it to stream movies to my phone from my home server and I can access my drives.
Sent from my VZW LG G3 (tapatalk)
I never used it before and all I would need it for would be the occasional stream when Netflix doesn't have something. So I guess the LG one would work just fine. I didn't know much about their VPN being on here in the first place, or Android's. So thanx, I learned a bit tonight.
And ya, I know all about if the NSA wants you they'll get you lol. Which is why I won't even step near anything like Expendables. Lions Gate is like a pack of wild dogs going after people right now.
Given the actions of our broadband and cellular companies over the last few years, I have decided I won't use my computer and phone without a VPN. They have no right snooping.
I use VyprVPN and I have tried many VPN services over the last 2 years. VyprVPN seems to be the best bang for the buck and they have the fastest speeds and a large amount of servers. Two things that separate Vypr from all the other VPN services: they use their own proprietary protocol called Chameleon Protocol, which is built on top of OpenVPN. It adds another 256-bit layer of encryption on top of OpenVPN's 256-bit encryption and keeps our ISPs from knowing if we are using a VPN at all. The other added benefit is they use their own DNS servers and detect and prevent DNS leakage; there are also built-in kill switches, so in case you lose your VPN connection for whatever reason it will disable your internet altogether to keep whatever you were working on from leaking out to prying eyes. They do minimal logging. They would prefer you not to do any torrenting but they don't block you from torrenting. But if you are someone who likes to torrent then use a server outside the US that doesn't have strict piracy laws.
Like I said, I have used many VPN services and VyprVPN is by far the best I've ever used. There are tons of perks that others can't come close to offering. I have the premier plan and it's worth it.
YES, VPN IS WORTH IT. Anonymity is a must for me and should be for everyone else. What I do with my connection is none of anyone else's business. Especially since I pay a buttload of money to have internet. Hope that helps.
jmotyka said:
YES, VPN IS WORTH IT. Anonymity is a must for me and should be for everyone else. What I do with my connection is none of anyone else's business. Especially since I pay a buttload of money to have internet. Hope that helps.
My ISP (Sonic.net) allows VPN if you have a valid account.
The LG VPN works fine. Still getting LTE speeds through their backbone.
I guess I'll keep VPN enabled permanently.
Sounds good. Now to learn how to use it properly lol. But ya, my thoughts exactly: no one needs to see what I have on my connection but me. And with all the snooping going on and intrusive ads grabbing info to see what sites you visit just to send you relevant ads (cough cough) it's a great idea.
Most routers support VPN so it's free to set up and easy to do.
Sent from my VZW LG G3 (tapatalk)
Hi all. Trying to get the LG VPN going but I've only ever set one up for my home comps and they basically did everything for you. One-click setup, so to speak.
I got to name the VPN, then it asks for the IP address, but is that my IP or the one I want it to show (masked)? Gotta admit I don't know much about this lol. Thanx in advance guys.
VPN on Android
VPN on Android has kind of been a sore subject since KitKat. I used to connect to L2TP on Mac OS X Server (Snow Leopard) from my phones as far back as Gingerbread, but with KitKat, L2TP became incompatible with Apple's implementation. That being said, PPTP works fine although being slightly less secure than L2TP. Android connects just fine to my Ubuntu Server PPTP, but no matter what I do I cannot get Openswan (Linux L2TP) to work outside my local LAN. Considering I have the EXACT same problem with OS X L2TP over the Internet but iOS devices can still manage to "phone home" to my L2TP server, I'm sure it has something to do with my ISP considering L2TP an "enterprise" application and blocking my traffic, but iOS devices use some form of non-standard/undocumented L2TP.
I use VPN all the time for the simple fact that it provides a secure tunnel back home so I can grab files off my server, etc. Not only that, but it's a good way to provide at least some security when using public wifi. The thought of using public wifi without VPN gives me chills. It is disappointing that Android has deemed PPTP not secure enough to enable "always-on VPN", which would tunnel 100% of your data through your VPN whenever a data connection (4G or WiFi) is available.

vpn server on android mobile

Hello lads, I am interested in making an Android application that can be used as a VPN server. Any tips where I can start from? Is it possible? I have not seen any good topic about this on the net.
I just wonder why you consider an Android app as a VPN server.
Is it just a portal for a specific LAN? Or do you need a general VPN server for encrypted internet connections?
Even if you can implement basic functions of this VPN server, don't you worry about its concurrent & load capacity as a 'server'? ......
It's definitely possible but you'll likely have to root the phone first.
I turned a rooted Android phone into a VPN server by using the Linux Deploy app and UNIX tools "busy box app" then running CentOS on Linux Deploy. I installed SoftEther VPN Server on CentOS through SSH on the phone.
I wrote about it in a forum. If you google "Turn a flashed to verizon phone into vpn server" it will come up in Aspkin forum and you can see me work through it.
This way is 100% free and SoftEther will tunnel straight through a firewall using port 443, unlike any paid app, so you can leave the phone hidden anywhere connected to WiFi as long as you use the SoftEther client and the DNS host name to connect to the server. It won't work if you use an OpenVPN or L2TP/IPsec client without opening ports on the router of the wifi connection, or the server IP address (which would be a local IP if connected to wifi hidden somewhere).
James_Watson said:
I just wonder why you consider an Android app as a VPN server.
Is it just a portal for a specific LAN? Or do you need a general VPN server for encrypted internet connections?
Even if you can implement basic functions of this VPN server, don't you worry about its concurrent & load capacity as a 'server'? ......
Thank you for your reply. I just want to make a VPN server that uses a mobile network and accepts connections from 1 device (concurrent or load capacity or encryption does not matter). It is a small part of my application and not for commercial use. So, everything is possible, rooting a device or another way to reach my goal.
