InactiveUser 188 Posted ... GoalWe want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection.Requirements Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)the Android device does not have to be rootedGoogle PlayStore or the free & open source F-Droid market (recommended)OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)Termux Terminal Emulator (FOSS)stunnel (FOSS), via Termux repositorya separate computer to download/edit the config files (entirely optional, but recommended) Setup instructionsPart 1: generate AirVPN config files1/7: open AirVPN's config generator. When asked for your operating system, pick Linux: 2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region. 3/7: Protocols: First, enable Advanced Mode: Now select the SSL mode, port 443: 4/7: Accept Terms of Service and generate the config files: 5/7: Download the generated zip archive: 6/7: unzip AirVPN.zip and open the *.ssl file in a text editor.find this line: pid = /tmp/stunnel4.pid replace it with: pid = /data/data/com.termux/files/home/stunnel4.pid 7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies. Part 2: Install and prepare Android software1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet.2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore open Termux and run: termux-setup-storageAllow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).The pkg command is used to install und update software packages. Make sure your base packages are all up to date: pkg upgradenow install stunnel: pkg install stunnel 3/3: Still in Termux, jump to the AirVPN folder you copied to your phone: cd storage/shared/AirVPNThe command lsshould list 3 files:AirVPN*.ovpn (the OpenVPN config file)AirVPN*.ssl (the stunnel config file)stunnel.crt (stunnel certificate)Now start stunnel: stunnel AirVPN*.ssl press the Home button to get out of Termux.Start OpenVPN and import the AirVPN*.ovpn config fileEdit your new OpenVPN connection (tap the "pencil button")in the ALLOWED APPS tab, tick the box next to Termuxreturn to OpenVPN's connection listyour VPN connection is now configured. A tap on its name will establish the connection.verify that a connection has been established by looking for the log entry Initialization Sequence Completedbrowse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnelHere's a short video, demonstrating the steps above: https://vimeo.com/246306477 Part 3: Usage instructions Now that everything is configured, future usage will be much easier: open Termuxnavigate to your AirVPN folder: cd storage/shared/AirVPNnow run stunnel: stunnel AirVPN*.sslPress the Home button and open the OpenVPN appConnect to your VPN profileAddendum: Tips as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.don't forget to periodically run pkg upgradeto keep all of Termux' packages, including stunnel, up-to-date.To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6; as well disabling the LAN bypass: you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.you may want to consider AFWall+ for additional firewalling (root required)it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file: cd ~ mkdir st cd storage/shared/AirVPN cp *.ssl stunnel.crt ~/st rm *.ssl stunnel.crt *.ovpn Moving those files obviously changes the paths of your Termux commands. Instead of running: cd storage/shared/AirVPN stunnel AirVPN*.ssl You'd now need to run: cd ~/st stunnel AirVPN*.ssl Addendum: Caveats Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks. Addendum: Testing and bugsThis tutorial has been tested on:Stock Android 6.0Stock Android 7.0Stock Android 8.0LineageOS 14.1 (~ Android 7.1.x)Fire OS 5.6.0.0 (~ Android 5.x), testing done by user steve74itImportant Notice for Android 8.0+ (Oreo) users:The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage:https://github.com/termux/termux-app/issues/157#issuecomment-246659496The workaround will no longer be necessary once this bug is resolved:https://github.com/termux/termux-packages/issues/1578 EDIT LOGThu Dec 7 20:24 UTC 2017: initial releaseThu Dec 7 20:40 UTC 2017: formatting correctionsThu Dec 7 20:58 UTC 2017: spellingFri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-HarbingerFri Jan 5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it) Any corrections, further testing, as well as general suggestions for improvement would be much appreciated. 11 Mad_Max, valentins, snaggle and 8 others reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
DarkSpace-Harbinger 11 Posted ... One other thing that should be mentioned, in OpenVPN for Android you have to have "Bypass VPN for local networks" unchecked. This option has exposed my IPv6 address in the past. Your also going to want use default route checked for IPv4 and IPv6 checked as well. 1 InactiveUser reacted to this Quote Share this post Link to post
LZ1 672 Posted ... Hello! Thank you. What an absolutely stellar guide. The formatting alone is fantastic! I hope you won't mind that I add it to my own guide's index. 1 InactiveUser reacted to this Quote Hide LZ1's signature Hide all signatures Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. You may also read the Eddie Android FAQ. Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you. Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily. Share this post Link to post
B3nB3n 4 Posted ... Amazing work! Again, thank you so much! Helped me a lot in China! Only one question (sorry I am a real idiot): you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in $HOME/.shortcuts/ , you can launch them via Home screen widgets. how is that working? how do I have to safe the commands as script? (which format/how to safe them/how to write them) edit: so i found the .shortcuts folder, i added a file (AirVPN.sh) with the following lines: #!/bin/bashcd storage/shared/AirVPNstunnel AirVPN*.ssl but when i run it with the widget, it says "Permission denied". Can anyone help me? Quote Share this post Link to post
InactiveUser 188 Posted ... but when i run it with the widget, it says "Permission denied". Can anyone help me? I think I know why: You're calling /bin/bash which likely does not exist on your phone. The shebang line (#!/bin/bash) is not necessary here, just leave it out. I've created a quick tutorial for Termux:Widget, including a small video, please try it out and compare it to your approach: Termux:Widget usage The following steps assume that you have successfully followed the main tutorial.Instead of manually typing the two commands necessary to launch stunnel, we can do the same with a script. A script is nothing more than a text file that contains the commands we need to run. Here is a video on Vimeo that demonstrates steps 3 to 6. 1. Create a text file with the following contents. Please adjust the second line to whatever server you happen to be using! For this tutorial, I'll be using the server BE-Brussels_Capricornus: cd storage/shared/AirVPN stunnel AirVPN_BE-Brussels_Capricornus_SSL-443.ssl 2. Save the file; choose whatever file name you want, but make sure you use the .sh file extension. For this tutorial, I'll name the file: capricornus.sh Put your file into the AirVPN folder on your phone (the same folder you have already been using for the main tutorial). 3. Open Termux and run: cd This makes sure we are in stunnel's home directory. Now run: mkdir .shortcuts This will create a (hidden) folder that is required for Termux:Widget. That's where we need to copy our script to: cp storage/shared/AirVPN/capricornus.sh .shortcuts 4. Leave Termux. Now install Termux:Widget from your preferred app store (FDroid or Google Play) 5. On your phone's home screen, enter your widget/wallpaper settings by long-pressing on a free spot on your home screen. Tap the WIDGETS button and find the Termux:Widget item.Drag one of the Termux:Widget items onto your home screen. For this tutorial, I'll use the "All shortcuts 2x2" option. 6. You should now see your script listed within that new widget on your home screen. Tap on your script to run it.7. You can add and use as many .sh scripts for different stunnel connections as you like, as long as you also create/generate the corresponding .ovpn and .ssl files. 2 valentins and B3nB3n reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
InactiveUser 188 Posted ... [accidental double post] Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
B3nB3n 4 Posted ... Thank you very much. Works like charme! Thank you so much! Quote Share this post Link to post
mikevvl 1 Posted ... Thanks, sheivoko! Big help to start work. I want to suggest You a few additions for more Security and Ease of Use (EoU). Security:(Add:In2:3/3) Move work files *.ssl and stunnel.crt into Termux home (cd ~/; ->/data/data/com.termux/files/home/ - private Termux app data area, When OpenVPN import the *.ovpn - its saved into private OpenVPN app data area too) cd storage/shared/AirVPN mkdir ~/st cp -r *.ssl stunnel.crt ~/st/ EoU:(Add:In2:6/7) Create: into Termux home (~/) file ".bash_profile": alias st1=". ~/st/1" alias st2=". ~/st/2" alias kist='killall stunnel' . ~/st/sthlp st1 into ~/st/ file "sthlp": echo -e "For Stop(Kill) any/all of stunnels: Type kist & Press enter" echo -e "For (Re)Start stunnel: Type (st1 OR st2) & Press enter" echo -e "For Stop Termux: Type exit & Press enter twice" into ~/st/ file "1": killall stunnel cd ~/st . ~/st/sthlp stunnel AirVPN_BE-Brussels_Capricornus_SSL-443.ssl cd may be into ~/st/ file "2": killall stunnel cd ~/st . ~/st/sthlp stunnel AirVPN_SG-Singapore_Reticulum_SSL-443.ssl cd As result - at the next start Termux stunnel will run automatically (in this case - AirVPN_BE-Brussels_Capricornus_SSL-443.ssl). If we commented "foreground = yes" into *.ssl then we will be able to stop(any), to restart and choose which *.ssl used (If foreground = no OR absent then we may be need add options log = overwrite and output = st1.log). (Add:In2:7/7 & 3/3) I think we can combine the additions 1.&2. by creating a folder "AirVPN/st/" with files: stunnel.crt, changed (*.ssl) and created (.bash_profile,1, 2, sthlp, ...). After "transfer the AirVPN folder to your phone's sdcard / main storage directory" & install termux with stunnel we can cp -r storage/shared/AirVPN/st ~/ cp ~/st/.bash_profile ~/ . ~/.bash_profile and use (st1, st2, kist, etc.) as command w/o restart Termux. Quote Share this post Link to post
InactiveUser 188 Posted ... Thanks for your suggestions, mikevvl.I do agree that it's generally a good idea to move those files out of shared storage. I'll add this suggestion to my "Tips" section. Regarding your second suggestion: I wrote this tutorial with the goal of minimizing the number of required steps, which is why I won't be incorporating your second suggestion. While additional tweaks and scripts may improve EoU, they also add a certain level of complexity. Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
mikevvl 1 Posted ... Welcome Always;)! While additional tweaks and scripts may improve EoU, they also add a certain level of complexity. Ok. It's need to work w/o Termux:Widget & Up One stunnel on start Termux. The one to whom it is necessary - uses (and/or expand) it. 1 InactiveUser reacted to this Quote Share this post Link to post
usefulvid 18 Posted ... I published also a video on how to set up SSL (stunnel) + OpenVPN on my homepage and on youtube.I used the tunnel app in android. Is there a reason why you are not using the stunnel app in android? Quote Share this post Link to post
InactiveUser 188 Posted ... Is there a reason why you are not using the stunnel app in android?Yes, there are some reasons: First, I have doubts regarding the app's maintenance status (last updated July 2015) and its obscure developer (website SmallApps.eu = 403 Forbidden). Maybe most importantly though, I avoid recommending software that is exclusively available through proprietary channels (Google Play Store). There is no F-Droid version or access to source code available. Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
333_half_evil 6 Posted ... I am confused and just want to make sure this works on my Android based phone.. So i just click on the Linux OS system and pick SSL/SSH and it will be fine even though it's a different operating system? Sorry i am sure this is a noob question. Quote Share this post Link to post
InactiveUser 188 Posted ... @333_half_evil:That's correct, please select Linux instead of Android.If you selected Android, the SSL connection mode would be unavailable as it is not one of the officially supported modes for this platform. However, the generated config files for Linux work perfectly fine on Android. Only one adjustment is necessary, which is described in step #6 of part 1. 1 333_half_evil reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
333_half_evil 6 Posted ... Thank you so much!@333_half_evil:That's correct, please select Linux instead of Android.If you selected Android, the SSL connection mode would be unavailable as it is not one of the officially supported modes for this platform. However, the generated config files for Linux work perfectly fine on Android. Only one adjustment is necessary, which is described in step #6 of part 1. Quote Share this post Link to post
Mad_Max 15 Posted ... A question please,lets say i created an SSL connection to 3 different servers each in different country, when i open the Termux, Do i have to connect the the server specific .ssl? or is okay if connect in Termux to lets say airvpn_NL.ssl and when connect in OpenVPN i use Bulgaria.ovpn? 1 more noobie question, Which is safer? AirVpn over SSL or SSH? Quote Share this post Link to post
InactiveUser 188 Posted ... Do i have to connect the the server specific .ssl? or is okay if connect in Termux to lets say airvpn_NL.ssl and when connect in OpenVPN i use Bulgaria.ovpn? The *.ssl files contain server-specific entry IP addresses and the *.ovpn files contain server-specific route addresses. Therefore you can't mix *.ovpn and *.ssl files from different servers. Which is safer? AirVpn over SSL or SSH? It don't think it makes a difference at all. The main purpose of SSL/SSH modes is firewall/censorship circumvention, not security. If your ISP does not block or throttle direct OpenVPN connections, I see little reason to use SSL or SSH. 1 Mad_Max reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
peebs 0 Posted ... Thank you for the guide. One question, how do I stop stunnel from running within termux? It won't respond to TERM or QUIT and I find myself doing killall stunnel after I hard restart termux. Quote Share this post Link to post
InactiveUser 188 Posted ... how do I stop stunnel from running within termux? First, enable the extended keyboard as described in the Addendum: Tips section.Then you can press CTRL + c to stop stunnel. Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
LeeHilliard 0 Posted ... For Android 6 ("Marshmallow") on a Galaxy S2 Tab, I found it necessary to have all the stunnel files (.ssl, stunnel.crt) located in a folder on the sd card, and then place a link to that folder in the Termux "HOME" directory. Then I could just "cd" to the link in Termux, and successfully execute "stunnel AirVPN*.ssl". For whatever reason, Marshmallow would not allow Termux to access files I copied to the HOME directory using "Root Explorer". I tried elevating to root, changing the SE context, ownership, and permissions. Nothing worked until I tried that link idea. I did not try coping the files from within Termux -- maybe that would have worked, but the link is very convenient. Hope some find this useful. Note: I subsequently discovered that the problem here was the "SE Context" tag in the copied files. The easiest fix is to just use the "cp" command in Termux to bring the .ssl and stunnel.crt files into the Termux HOME directory. Changing the "SE Context" to that created by the "cp" command will also work, but just using "cp" is easier. Quote Share this post Link to post
antar81 0 Posted ... Any update on when the Android app will include native support for OVPN through SSL tunnels? Quote Share this post Link to post
myblank 0 Posted ... Hello, although everything I did, I could not overcome the issue.sh file gives me this error: can't cd to /data/data/com.termux/files/home/storage/shared/AirVPN and invalid configuration file name "*ssl" What is wrong with this? I want to set up Termux:Widget. Any help would be great. Quote Share this post Link to post
valentins 0 Posted ... (edited) On 4/13/2020 at 5:01 AM, myblank said: Hello, although everything I did, I could not overcome the issue.sh file gives me this error: can't cd to /data/data/com.termux/files/home/storage/shared/AirVPN and invalid configuration file name "*ssl" What is wrong with this? I want to set up Termux:Widget. Any help would be great. I experienced the same problem . For some reason, the widget won't cd to the airvpn directory, while in regular termux it changes directories just fine. On 12/7/2017 at 11:24 PM, InactiveUser said: it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file: cd ~ mkdir st cd storage/shared/AirVPN cp *.ssl stunnel.crt ~/st rm *.ssl stunnel.crt *.ovpn is there a reason not to copy the files to "home" directory without creating additional directories? For example: cd storage/shared/AirVPN cp *.ssl stunnel.crt ~ Then, it is no longer needed to "cd" in Termux. just launch Termux and type "stunnel whatevername.ssl", and then go to OpenVPN. Same would apply to creating script for Termux:Widget. The script will contain only one line: stunnel whatevername.ssl this solved the problem with cd command in Termux:widget. Edited ... by valentins Quote Share this post Link to post