SSH-Tunneled VPN on Stock Android

[InactiveUser 188]

Tutorial: SSH-Tunneled VPN on Stock Android

 

0. Notes

 

- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4

- minimum requirement: Android 4.x

 

 

1. Required apps

 

- OpenVPN for Android
- ConnectBot (any advanced SSH client will work, )
- CyanogenMod File Manager (or pick any file manager you like)

I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
https://f-droid.org/

In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.

 

 

2. Generate config files

Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).

Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg


3. Transfer config files

 

We only need 2 out of the 3 generated files:
    - sshtunnel.key
    - the .ovpn profile

 

Screenshot #2: http://i.imgur.com/p2L7T0l.jpg

Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
Example:
 
route 199.19.94.12 255.255.255.255 net_gateway

That's the IP we will need.

 

 

4. Import key file in ConnectBot

Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg

 

 

5. Configure SSH connection in ConnectBot

Go to ConnectBot's main screen.
At the bottom of the screen, enter:

sshtunnel@199.19.94.12

(Notice, that's the IP we took note of in step 3).

Screenshot #5A: http://i.imgur.com/ludTDgv.jpg

If the default port 22 is blocked, you can try an alternative port by appending it at the end:

sshtunnel@199.19.94.12:80
or
sshtunnel@199.19.94.12:53

- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg

- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".

Screenshot #6: https://i.imgur.com/n3OtM2D.jpg

- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg

- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".

 

 

6. Configure SSH port forwarding

 

- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:

 

Type: Local
Source port: 1412
Destination: 127.0.0.1:2018

Screenshot #9: https://i.imgur.com/TBnsKQx.jpg

- Press "Create port forward".
Configuration of the SSH connection is now complete.

- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.

 

 

7. Import OpenVPN config

- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
  Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg

 

- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".

- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing

 

 

8. Start OpenVPN connection

 

- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations

 

 

9. How to connect / disconnect from now on

When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot

 

 

10. Thoughts on reliabilty and firewalling

If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.

I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).

AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.    
(You have to dive into its settings to enable VPN mode).

 

 

Finally: Good luck!

[foxwood 4]

This tutorial worked for me!    (edit: I'm running Android 5.0.1)

 

If possible I recommend pinning this somewhere in the site/forum for easy access to all. It deserves it! 

[foreshadowing 1]

I seem to have run into an error. When I click "Manage Pubkeys"  and "Import", I seem to be getting this: https://i.imgur.com/Sn32TlI.png Yet however I put the key file into my sd card area. It is not detecting these files.

[foreshadowing 1]

Nevermind on that, I found the problem. I put it in /sdcard1. However now OpenVpn for Android is telling me "Address is local, not protecting socket -- -"

[InactiveUser 188]

I followed my tutorial again and also got this message - it's not a critical error message. Whatever the problem is, it must lie elsewhere.
Some seconds later you should see:
 

TCP connection established with
[AF_INET]127.0.0.1:1412

Address is local, not protecting socket fd 4

TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412

[server] Peer Connection Initiated with
[AF_INET]127.0.0.1:1412


Initialization Sequence Completed

If OpenVPN doesn't get to this point, check your SSH tunnel configuration in ConnectBot once again (especially the port forwarding) and make sure it's connecting.

Is "Address is local" really the last log message you see?
OpenVPN usually throws a "connection refused" error if it can't connect.
You might also want to read the extended OpenVPN logs (in the log window, press the menu icon (the 3 vertical dots) and select "Send log file", then open it in a text editor).

[lordlukan 3]

Thanks for the guide.

"You may want to dive into the new profile's settings, go to "ROUTING" and enable "Use default route".

I'm on Android 5.1.1 If I have this checked, the VPN will connect, but there will be no traffic and eventuzlly the VPN will disconnect. Leave the settings 'as is' in the .ovpn settings and everything works. Confirmed with dnsleakstest.

[abdorabih 2]

Thank you for this decent piece of work.   .  I have been looking for such a solution for some time now.  Finally!!!.  

I followed your tutorial, it worked like a charm.   Cheers for that. 

[tcraig37 0]

This should be starred as the THE guide for Android. I have had no luck getting it to work at all on either of my Android devices and have been using my laptop permanently. How is this method not advertised ahead of other solutions that just don't work?

 

Thanks again I am absolutely made up, cheers!

[kahosts 1]

Can I use OpenVPN on 443 port somehow on this with SSH on andriod? Port forwarding doesn't accept port below 1024 though.

[zarquon 1]

I followed this guide without any problem, yet when I launch connectbot and I start an sshtunnel the connection using public key  (stored in the file sshtunnel.key) fails and it revert to password authentication, at which point I am stuck, given that I have no password for the ssh session.

 

What can I do?

[snaggle 25]

Can I use OpenVPN on 443 port somehow on this with SSH on andriod? Port forwarding doesn't accept port below 1024 though.

Hi, same question here please.

[InactiveUser 188]

First off, sorry for not maintaining this thread, although the broad strokes of this guide still work to this day. I may write a new one if time permits.
 

 

 

Can I use OpenVPN on 443 port somehow on this with SSH on andriod? Port forwarding doesn't accept port below 1024 though.

Hi, same question here please.

 

I assume both of you want to want connect to Air's servers on port 443, using SSH?
That's currently not possible, but it's got nothing to do with your local port forwarding: Air's servers simply don't accept SSH connections on port 443.
The Config Generator only lists ports 22, 80, 53 and 38915 for SSH. I'd suggest opening a ticket to ask staff about the possibilities of SSH on 443.

[snaggle 25]

Thanks for the response,

I've tried using 22, 80 and 53, I get the same fail when editing the port forward.

[InactiveUser 188]

I've tried using 22, 80 and 53, I get the same fail when editing the port forward.

 

 

I cannot reproduce your port forwarding error. Just to clarify: The purely local port fowarding is not affected by your choice of the AirVPN server port (22, 80, 53, 38915).

Port forwarding is always the same, forwarding 127.0.0.1:1412 to 127.0.0.1:2018.

I also don't understand the error message "ports under 1024 or port already used". No local ports under 1024 are involved. Is maybe another instance of sshtunnel, or some other app, somehow using 1412 or 2018?

 

What's your Android version? Works for me on 7 and 8.

 

Not directly related, but I should also add that some Air entry IPs don't listen on all of the SSH ports (22, 80, 53, 38915). That's why you can't just manually change the SSH port in your config files. Instead, use the Config Generator to generate new configs for your desired port in order to get the correct entry IP.

[zarquon 1]

I carefully followed this guide and configured everything accordingly.

 

Connectbot correctly starts ssh connection and port forwarding,

 

When I start openvpn it starts but the logs keep on saying

 

TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1412

Attempting to establish with [AF_INET]127.0.0.1:1412

TCP connection established with [AF_INET]127.0.0.1:1412

TCP_CLIENT link local: (not bound)

TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

 

and noting works... 

[InactiveUser 188]

I carefully followed this guide and configured everything accordingly.

 

Connectbot correctly starts ssh connection and port forwarding,

 

When I start openvpn it starts but the logs keep on saying

 

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

 

and noting works... 

 

 

I'm sorry for my late reply. Do you still need help?

If so, please tell me the version numbers of your apps and Android OS.

Also, please double-check that you excluded ConnectBot from OpenVPN's routing in the ALLOWED APPS tab.

[vinhtee 0]

 

I carefully followed this guide and configured everything accordingly.

 

Connectbot correctly starts ssh connection and port forwarding,

 

When I start openvpn it starts but the logs keep on saying

 

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

 

and noting works... 

 

 

I'm sorry for my late reply. Do you still need help?

If so, please tell me the version numbers of your apps and Android OS.

Also, please double-check that you excluded ConnectBot from OpenVPN's routing in the ALLOWED APPS tab.

 

Would you be able to assist? I've got the same issue. ConnectBot is on the ALLOWED APPS list. The SSH tunnel dialog shell on the app does this weird thing where the text disappears after it establishes a connection (Which I presume is normal). ConnectBot v1.9.2 and OpenVPN v0.7.5 and Android v 8.1.0.

[InactiveUser 188]

ConnectBot's text output disappears sometimes but I think that's just a glitch, not a problem.
My Android and software versions are identical to yours. I haven't had much time to debug this, but here are my results:

Capricornus: fail (sshtunnel not established, local port 1412 stays closed)
Agena: success (I don't think I did anything differently)
Iskanda attempt #1: fail (sshtunnel not established, local port 1412 stays closed)
Iskanda attempt #2: fail (ConnectBot opens local port 1412, but no response from VPN server)
Iskanda attempt #3: fail (ssh connection refused (ECONNREFUSED)

I didn't have much time, but during my limited experiments using Linux instead of Android, I saw some similar problems. I doubt Android is the culprit here!

 

TL;DR + suggestions:

• I got it to work exactly once (that's not a lot, but at least it proves that it can and should work)
• other attempts failed with different errors
• please try some different servers, different regions
• something might be wonky on Air's side
• perhaps ask Air support whether they can confirm that SSH connections work reliably at the moment (regardless of operating system)

[Jeremyx3 2]

I'm getting the same problem as others.

 

2018-10-24 13:58:40 official build 0.7.6 running on google Pixel XL (marlin), Android 9 (PPR2.181005.003) API 28, ABI arm64-v8a, (google/marlin/marlin:9/PPR2.181005.003/4984323:user/release-keys)

2018-10-24 13:58:40 App restriction version (not set) does not match expected version 1

2018-10-24 13:46:57 MANAGEMENT: >STATE:1540403217,EXITING,init_instance,,,,,

2018-10-24 13:46:57 SIGINT[hard,init_instance] received, process exiting

2018-10-24 13:46:57 MANAGEMENT: CMD 'signal SIGINT'

2018-10-24 13:46:54 Waiting 2s seconds between connection attempt

2018-10-24 13:46:54 MANAGEMENT: >STATE:1540403214,RECONNECTING,connection-reset,,,,,

2018-10-24 13:46:54 SIGUSR1[soft,connection-reset] received, process restarting

2018-10-24 13:46:54 TCP/UDP: Closing socket

2018-10-24 13:46:54 Connection reset, restarting [0]

2018-10-24 13:46:54 MANAGEMENT: >STATE:1540403214,WAIT,,,,,,

2018-10-24 13:46:54 TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412

2018-10-24 13:46:54 TCP_CLIENT link local: (not bound)

2018-10-24 13:46:54 TCP connection established with [AF_INET]127.0.0.1:1412

2018-10-24 13:46:54 MANAGEMENT: >STATE:1540403214,TCP_CONNECT,,,,,,

2018-10-24 13:46:54 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1412 [nonblock]

2018-10-24 13:46:54 Socket Buffers: R=[2097152->2097152] S=[524288->524288]

2018-10-24 13:46:54 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1412

2018-10-24 13:46:54 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'

2018-10-24 13:46:54 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'

2018-10-24 13:46:54 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]

2018-10-24 13:46:54 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]

2018-10-24 13:46:54 LZO compression initializing

2018-10-24 13:46:54 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2018-10-24 13:46:54 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2018-10-24 13:46:54 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2018-10-24 13:46:54 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2018-10-24 13:46:53 MANAGEMENT: CMD 'state on'

2018-10-24 13:46:53 MANAGEMENT: CMD 'bytecount 2'

2018-10-24 13:46:53 MANAGEMENT: CMD 'proxy NONE'

2018-10-24 13:46:53 MANAGEMENT: CMD 'hold release'

2018-10-24 13:46:48 MANAGEMENT: >STATE:1540403208,RECONNECTING,connection-reset,,,,,

2018-10-24 13:46:48 SIGUSR1[soft,connection-reset] received, process restarting

2018-10-24 13:46:48 TCP/UDP: Closing socket

2018-10-24 13:46:48 Waiting 2s seconds between connection attempt

[icecat 0]

Hello, please tell me if this manual is relevant, I can’t connect at this IP address 199.19.94.12 and is it possible to update this leadership

[damir.petrov 0]

Manual works fine!
Try to use in Config Generator:
OpenVPN | SSH | 22 | Entry IP=1 |

 

[kanawa 0]

As of now I can confirm it is working. But only when selecting entry IP 1 though. I tried with entry IP 3 and it's not working (OpenVPN failed to connect)

Edited ... by kanawa
Wrong application

[Bill_Cipher 1]

I think I've followed the guide (did everything from scratch 3 times) apart from the "go to OpenVPN profile settings, routing and allowed apps" - these settings do not exist in OpenVPN Connect android app as of August 2024, I tried googling but to no avail. Whenever I try turning the switch on in OpenVPN app, my SSH connection is terminated with the message "Software caused connection abort", and subsequently OpenVPN app itself says that the connection could not be completed

[Staff 9971]

11 hours ago, Bill_Cipher said:

"go to OpenVPN profile settings, routing and allowed apps" - these settings do not exist in OpenVPN Connect android app as of August 2024,

Hello!

That's why the instructions tell you to use OpenVPN for Android and not OpenVPN Connect. Eddie Android edition should be fine as well.

Kind regards
 

[Bill_Cipher 1]

9 hours ago, Staff said:

Hello!

That's why the instructions tell you to use OpenVPN for Android and not OpenVPN Connect. Eddie Android edition should be fine as well.

Kind regards
 

Ooops, so sorry for the confusion then. I didn't even know there were 2 different apps. I will try again later and will try not to forget to post updates here.