Jump to content
Not connected, Your IP: 3.21.159.223
InactiveUser

[How-To] AirVPN via SSL/stunnel on Android 6/7/8

Recommended Posts

Goal

We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection.



Requirements

 

  • Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)
  • the Android device does not have to be rooted
  • Google PlayStore or the free & open source F-Droid market (recommended)
  • OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)
  • Termux Terminal Emulator (FOSS)
  • stunnel (FOSS), via Termux repository
  • a separate computer to download/edit the config files (entirely optional, but recommended)

 



 

Setup instructions

Part 1: generate AirVPN config files


1/7: open AirVPN's config generator. When asked for your operating system, pick Linux:

 

 

ntWVGIN.jpg



 

2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region.

 

4sObEsX.jpg




 

 

3/7: Protocols: First, enable Advanced Mode:

 

DUSc0cz.jpg



 

 

Now select the SSL mode, port 443:

 

xJDAaql.jpg



 

4/7: Accept Terms of Service and generate the config files:

 

 

 

MlignLu.jpg



 

5/7: Download the generated zip archive:

 

 

5ARa0lG.jpg

 



 

6/7: unzip AirVPN.zip and open the *.ssl file in a text editor.
find this line:

pid = /tmp/stunnel4.pid

 

replace it with:

pid = /data/data/com.termux/files/home/stunnel4.pid

VtDSREn.jpg



 

7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies.
 





Part 2: Install and prepare Android software

1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet.
2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore

 

  • open Termux and run:
    termux-setup-storage
  • Allow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).
  • The pkg command is used to install und update software packages. Make sure your base packages are all up to date:
    pkg upgrade
  • now install stunnel:
    pkg install stunnel




 

3/3: Still in Termux, jump to the AirVPN folder you copied to your phone:

cd storage/shared/AirVPN

The command

ls

should list 3 files:

  • AirVPN*.ovpn (the OpenVPN config file)
  • AirVPN*.ssl  (the stunnel config file)
  • stunnel.crt (stunnel certificate)

Now start stunnel:

stunnel AirVPN*.ssl

 

  • press the Home button to get out of Termux.
  • Start OpenVPN and import the AirVPN*.ovpn config file
  • Edit your new OpenVPN connection (tap the "pencil button")
  • in the ALLOWED APPS tab, tick the box next to Termux
  • return to OpenVPN's connection list
  • your VPN connection is now configured. A tap on its name will establish the connection.
  • verify that a connection has been established by looking for the log entry Initialization Sequence Completed
  • browse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnel

Here's a short video, demonstrating the steps above: https://vimeo.com/246306477

 

 





 

Part 3: Usage instructions

 

Now that everything is configured, future usage will be much easier:

 

  • open Termux
  • navigate to your AirVPN folder:
  • cd storage/shared/AirVPN
  • now run stunnel:
  • stunnel AirVPN*.ssl
  • Press the Home button and open the OpenVPN app
  • Connect to your VPN profile





Addendum: Tips

 

  • as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.
  • don't forget to periodically run
    pkg upgrade
    to keep all of Termux' packages, including stunnel, up-to-date.
  • To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6; as well disabling the LAN bypass:

O8yBZFg.jpg

 

  • you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.
  • enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.
  • you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.
  • you may want to consider AFWall+ for additional firewalling (root required)
  • it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file:

    cd ~
    mkdir st        
    cd storage/shared/AirVPN        
    cp *.ssl stunnel.crt ~/st
    rm *.ssl stunnel.crt *.ovpn
    
    Moving those files obviously changes the paths of your Termux commands. Instead of running:

    cd storage/shared/AirVPN
    stunnel AirVPN*.ssl
    
    You'd now need to run:

     

    cd ~/st
    stunnel AirVPN*.ssl
    

     

 




 

Addendum: Caveats

 

  • Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks.



 

 

Addendum: Testing and bugs

This tutorial has been tested on:

  • Stock Android 6.0
  • Stock Android 7.0
  • Stock Android 8.0
  • LineageOS 14.1 (~ Android 7.1.x)
  • Fire OS 5.6.0.0 (~ Android 5.x), testing done by user steve74it



Important Notice for Android 8.0+ (Oreo) users:

The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage:
https://github.com/termux/termux-app/issues/157#issuecomment-246659496

The workaround will no longer be necessary once this bug is resolved:
https://github.com/termux/termux-packages/issues/1578

 



 

EDIT LOG

  • Thu Dec  7 20:24 UTC 2017: initial release
  • Thu Dec  7 20:40 UTC 2017: formatting corrections
  • Thu Dec  7 20:58 UTC 2017: spelling
  • Fri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-Harbinger
  • Fri Jan  5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!
  • Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!
  • Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)
  • Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it)

 

Any corrections, further testing, as well as general suggestions for improvement would be much appreciated.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

One other thing that should be mentioned, in OpenVPN for Android you have to have "Bypass VPN for local networks" unchecked.

 

This option has exposed my IPv6 address in the past.

 

Your also going to want use default route checked for IPv4 and IPv6 checked as well.

Share this post


Link to post

Hello!

 

Thank you. What an absolutely stellar guide. The formatting alone is fantastic!

 

I hope you won't mind that I add it to my own guide's index.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Amazing work! Again, thank you so much! Helped me a lot in China!

 

Only one question (sorry I am a real idiot):

 

you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in $HOME/.shortcuts/ , you can launch them via Home screen widgets.

 

how is that working? how do I have to safe the commands as script? (which format/how to safe them/how to write them)

 

edit: so i found the .shortcuts folder, i added a file (AirVPN.sh) with the following lines:

 

#!/bin/bash

cd storage/shared/AirVPN

stunnel AirVPN*.ssl

 

but when i run it with the widget, it says "Permission denied". Can anyone help me?

Share this post


Link to post

but when i run it with the widget, it says "Permission denied". Can anyone help me?

 

I think I know why: You're calling /bin/bash which likely does not exist on your phone. The shebang line (#!/bin/bash) is not necessary here, just leave it out. I've created a quick tutorial for Termux:Widget, including a small video, please try it out and compare it to your approach:

 

Termux:Widget usage

 

The following steps assume that you have successfully followed the main tutorial.

Instead of manually typing the two commands necessary to launch stunnel, we can do the same with a script. A script is nothing more than a text file that contains the commands we need to run.

 

Here is a video on Vimeo that demonstrates steps 3 to 6.

 

1. Create a text file with the following contents. Please adjust the second line to whatever server you happen to be using! For this tutorial, I'll be using the server BE-Brussels_Capricornus:

cd storage/shared/AirVPN
stunnel AirVPN_BE-Brussels_Capricornus_SSL-443.ssl

2. Save the file; choose whatever file name you want, but make sure you use the .sh file extension. For this tutorial, I'll name the file:

capricornus.sh

Put your file into the AirVPN folder on your phone (the same folder you have already been using for the main tutorial).

 

3. Open Termux and run:

cd

This makes sure we are in stunnel's home directory. Now run:

mkdir .shortcuts

This will create a (hidden) folder that is required for Termux:Widget. That's where we need to copy our script to:

cp storage/shared/AirVPN/capricornus.sh .shortcuts

4. Leave Termux. Now install Termux:Widget from your preferred app store (FDroid or Google Play)

 

5. On your phone's home screen, enter your widget/wallpaper settings by long-pressing on a free spot on your home screen. Tap the WIDGETS button and find the Termux:Widget item.

Drag one of the Termux:Widget items onto your home screen. For this tutorial, I'll use the "All shortcuts 2x2" option.

 

6. You should now see your script listed within that new widget on your home screen. Tap on your script to run it.

7. You can add and use as many .sh scripts for different stunnel connections as you like, as long as you also create/generate the corresponding .ovpn and .ssl files.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Thanks, sheivoko! Big help to start work. I want to suggest You a few additions for more Security and Ease of Use (EoU).

 

  1. Security:(Add:In2:3/3) Move work files *.ssl and stunnel.crt into Termux home (cd ~/; ->/data/data/com.termux/files/home/ - private Termux app data area, When OpenVPN import the *.ovpn - its saved into private OpenVPN app data area too)
    cd storage/shared/AirVPN
    mkdir ~/st
    cp -r *.ssl stunnel.crt ~/st/
  2. EoU:(Add:In2:6/7) Create:
    into Termux home (~/) file ".bash_profile":
    alias st1=". ~/st/1"
    alias st2=". ~/st/2"
    alias kist='killall stunnel'
    . ~/st/sthlp
    st1
    

    into ~/st/ file "sthlp":

    echo -e "For Stop(Kill) any/all of stunnels: Type kist & Press enter"
    echo -e "For (Re)Start stunnel: Type (st1 OR st2) & Press enter"
    echo -e "For Stop Termux: Type exit & Press enter twice" 

     

    into ~/st/ file "1":

    killall stunnel
    cd ~/st
    . ~/st/sthlp
    stunnel AirVPN_BE-Brussels_Capricornus_SSL-443.ssl
    cd
    

    may be into ~/st/ file "2":

    killall stunnel
    cd ~/st
    . ~/st/sthlp
    stunnel AirVPN_SG-Singapore_Reticulum_SSL-443.ssl
    cd
    
    As result - at the next start Termux stunnel will run automatically (in this case - AirVPN_BE-Brussels_Capricornus_SSL-443.ssl). If we commented "foreground = yes" into *.ssl then we will be able to stop(any), to restart and choose which *.ssl used (If foreground = no OR absent then we may be need add options log = overwrite and output = st1.log).
     
    (Add:In2:7/7 & 3/3) I think we can combine the additions 1.&2. by creating a folder "AirVPN/st/" with files: stunnel.crt, changed (*.ssl) and created (.bash_profile,1, 2, sthlp, ...). After "transfer the AirVPN folder to your phone's sdcard / main storage directory" & install termux with stunnel we can
    cp -r storage/shared/AirVPN/st ~/
    cp ~/st/.bash_profile ~/
    . ~/.bash_profile
    and use (st1, st2, kist, etc.) as command w/o restart Termux.

Share this post


Link to post

Thanks for your suggestions, mikevvl.

I do agree that it's generally a good idea to move those files out of shared storage. I'll add this suggestion to my "Tips" section.

 

Regarding your second suggestion: I wrote this tutorial with the goal of minimizing the number of required steps, which is why I won't be incorporating your second suggestion. While additional tweaks and scripts may improve EoU, they also add a certain level of complexity.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Welcome Always;)! 

 

 

While additional tweaks and scripts may improve EoU, they also add a certain level of complexity.

 

Ok. It's need to work w/o Termux:Widget & Up One stunnel on start Termux. The one to whom it is necessary - uses (and/or expand) it.

Share this post


Link to post

Is there a reason why you are not using the stunnel app in android?

Yes, there are some reasons:

 

First, I have doubts regarding the app's maintenance status (last updated July 2015) and its obscure developer (website SmallApps.eu = 403 Forbidden).

 

Maybe most importantly though, I avoid recommending software that is exclusively available through proprietary channels (Google Play Store). There is no F-Droid version or access to source code available.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

I am confused and just want to make sure this works on my Android based phone.. So  i just click on the Linux OS system and pick SSL/SSH and it will be fine even though it's a different operating system? Sorry i am sure this is a noob question. 

Share this post


Link to post

@333_half_evil:

That's correct, please select Linux instead of Android.

If you selected Android, the SSL connection mode would be unavailable as it is not one of the officially supported modes for this platform. However, the generated config files for Linux work perfectly fine on Android. Only one adjustment is necessary, which is described in step #6 of part 1.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Thank you so much!

@333_half_evil:

That's correct, please select Linux instead of Android.

If you selected Android, the SSL connection mode would be unavailable as it is not one of the officially supported modes for this platform. However, the generated config files for Linux work perfectly fine on Android. Only one adjustment is necessary, which is described in step #6 of part 1.

Share this post


Link to post

A question please,
lets say i created an SSL connection to 3 different servers each in different country, when i open the Termux, Do i have to connect the the server specific .ssl? 

or is okay if connect in Termux to lets say airvpn_NL.ssl and when connect in OpenVPN i use Bulgaria.ovpn?

 

1 more noobie question, Which is safer? AirVpn over SSL or SSH?

Share this post


Link to post

Do i have to connect the the server specific .ssl? 

or is okay if connect in Termux to lets say airvpn_NL.ssl and when connect in OpenVPN i use Bulgaria.ovpn?

 

The *.ssl files contain server-specific entry IP addresses and the *.ovpn files contain server-specific route addresses. Therefore you can't mix *.ovpn and *.ssl files from different servers.

 

 

Which is safer? AirVpn over SSL or SSH?

 

It don't think it makes a difference at all. The main purpose of SSL/SSH modes is firewall/censorship circumvention, not security. If your ISP does not block or throttle direct OpenVPN connections, I see little reason to use SSL or SSH.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Thank you for the guide.

 

One question, how do I stop stunnel from running within termux? It won't respond to TERM or QUIT and I find myself doing killall stunnel after I hard restart termux.

Share this post


Link to post

For Android 6 ("Marshmallow") on a Galaxy S2 Tab, I found it necessary to have all the stunnel files (.ssl, stunnel.crt) located in a folder on the sd card, and then place a link to that folder in the Termux "HOME" directory. Then I could just "cd" to the link in Termux, and successfully execute "stunnel AirVPN*.ssl".

 

For whatever reason, Marshmallow would not allow Termux to access files I copied to the HOME directory using "Root Explorer". I tried elevating to root, changing the SE context, ownership, and permissions. Nothing worked until I tried that link idea. I did not try coping the files from within Termux -- maybe that would have worked, but the link is very convenient.

 

Hope some find this useful.

 

Note: I subsequently discovered that the problem here was the "SE Context" tag in the copied files. The easiest fix is to just use the "cp" command in Termux to bring the .ssl and stunnel.crt files into the Termux HOME directory. Changing the "SE Context" to that created by the "cp" command will also work, but just using "cp" is easier.

Share this post


Link to post

Hello,

although everything I did, I could not overcome the issue.sh file gives me this error: can't cd to /data/data/com.termux/files/home/storage/shared/AirVPN and invalid configuration file name "*ssl"

What is wrong with this? I want to set up Termux:Widget. Any help would be great.

Share this post


Link to post
Posted ... (edited)
On 4/13/2020 at 5:01 AM, myblank said:

Hello,

although everything I did, I could not overcome the issue.sh file gives me this error: can't cd to /data/data/com.termux/files/home/storage/shared/AirVPN and invalid configuration file name "*ssl"

What is wrong with this? I want to set up Termux:Widget. Any help would be great.


I experienced the same problem . For some reason, the widget won't cd to the airvpn directory, while in regular termux it changes directories just fine.
 
On 12/7/2017 at 11:24 PM, InactiveUser said:

it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file:
 


cd ~
mkdir st        
cd storage/shared/AirVPN        
cp *.ssl stunnel.crt ~/st
rm *.ssl stunnel.crt *.ovpn

 

is there a reason not to copy the files to "home" directory without creating additional directories?
For example:
cd storage/shared/AirVPN
cp *.ssl stunnel.crt ~

Then, it is no longer needed to "cd" in Termux. just launch Termux and type "stunnel whatevername.ssl", and then go to OpenVPN. Same would apply to creating script for Termux:Widget. The script will contain only one line:
stunnel whatevername.ssl

this solved the problem with cd command in Termux:widget. Edited ... by valentins

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...