Jump to content
Not connected, Your IP:


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by InactiveUser

  1. ConnectBot's text output disappears sometimes but I think that's just a glitch, not a problem. My Android and software versions are identical to yours. I haven't had much time to debug this, but here are my results: Capricornus: fail (sshtunnel not established, local port 1412 stays closed) Agena: success (I don't think I did anything differently) Iskanda attempt #1: fail (sshtunnel not established, local port 1412 stays closed) Iskanda attempt #2: fail (ConnectBot opens local port 1412, but no response from VPN server) Iskanda attempt #3: fail (ssh connection refused (ECONNREFUSED) I didn't have much time, but during my limited experiments using Linux instead of Android, I saw some similar problems. I doubt Android is the culprit here! TL;DR + suggestions: I got it to work exactly once (that's not a lot, but at least it proves that it can and should work)other attempts failed with different errorsplease try some different servers, different regionssomething might be wonky on Air's sideperhaps ask Air support whether they can confirm that SSH connections work reliably at the moment (regardless of operating system)
  2. First, enable the extended keyboard as described in the Addendum: Tips section. Then you can press CTRL + c to stop stunnel.
  3. I'm sorry for my late reply. Do you still need help? If so, please tell me the version numbers of your apps and Android OS. Also, please double-check that you excluded ConnectBot from OpenVPN's routing in the ALLOWED APPS tab.
  4. The *.ssl files contain server-specific entry IP addresses and the *.ovpn files contain server-specific route addresses. Therefore you can't mix *.ovpn and *.ssl files from different servers. It don't think it makes a difference at all. The main purpose of SSL/SSH modes is firewall/censorship circumvention, not security. If your ISP does not block or throttle direct OpenVPN connections, I see little reason to use SSL or SSH.
  5. @333_half_evil: That's correct, please select Linux instead of Android. If you selected Android, the SSL connection mode would be unavailable as it is not one of the officially supported modes for this platform. However, the generated config files for Linux work perfectly fine on Android. Only one adjustment is necessary, which is described in step #6 of part 1.
  6. Yes, there are some reasons: First, I have doubts regarding the app's maintenance status (last updated July 2015) and its obscure developer (website SmallApps.eu = 403 Forbidden). Maybe most importantly though, I avoid recommending software that is exclusively available through proprietary channels (Google Play Store). There is no F-Droid version or access to source code available.
  7. Thanks for your suggestions, mikevvl. I do agree that it's generally a good idea to move those files out of shared storage. I'll add this suggestion to my "Tips" section. Regarding your second suggestion: I wrote this tutorial with the goal of minimizing the number of required steps, which is why I won't be incorporating your second suggestion. While additional tweaks and scripts may improve EoU, they also add a certain level of complexity.
  8. Check your VPN connection settings, is Use default Route enabled for IPv6?
  9. I think I know why: You're calling /bin/bash which likely does not exist on your phone. The shebang line (#!/bin/bash) is not necessary here, just leave it out. I've created a quick tutorial for Termux:Widget, including a small video, please try it out and compare it to your approach: Termux:Widget usage The following steps assume that you have successfully followed the main tutorial. Instead of manually typing the two commands necessary to launch stunnel, we can do the same with a script. A script is nothing more than a text file that contains the commands we need to run. Here is a video on Vimeo that demonstrates steps 3 to 6. 1. Create a text file with the following contents. Please adjust the second line to whatever server you happen to be using! For this tutorial, I'll be using the server BE-Brussels_Capricornus: cd storage/shared/AirVPN stunnel AirVPN_BE-Brussels_Capricornus_SSL-443.ssl 2. Save the file; choose whatever file name you want, but make sure you use the .sh file extension. For this tutorial, I'll name the file: capricornus.sh Put your file into the AirVPN folder on your phone (the same folder you have already been using for the main tutorial). 3. Open Termux and run: cd This makes sure we are in stunnel's home directory. Now run: mkdir .shortcuts This will create a (hidden) folder that is required for Termux:Widget. That's where we need to copy our script to: cp storage/shared/AirVPN/capricornus.sh .shortcuts 4. Leave Termux. Now install Termux:Widget from your preferred app store (FDroid or Google Play) 5. On your phone's home screen, enter your widget/wallpaper settings by long-pressing on a free spot on your home screen. Tap the WIDGETS button and find the Termux:Widget item. Drag one of the Termux:Widget items onto your home screen. For this tutorial, I'll use the "All shortcuts 2x2" option. 6. You should now see your script listed within that new widget on your home screen. Tap on your script to run it. 7. You can add and use as many .sh scripts for different stunnel connections as you like, as long as you also create/generate the corresponding .ovpn and .ssl files.
  10. I cannot reproduce your port forwarding error. Just to clarify: The purely local port fowarding is not affected by your choice of the AirVPN server port (22, 80, 53, 38915). Port forwarding is always the same, forwarding to I also don't understand the error message "ports under 1024 or port already used". No local ports under 1024 are involved. Is maybe another instance of sshtunnel, or some other app, somehow using 1412 or 2018? What's your Android version? Works for me on 7 and 8. Not directly related, but I should also add that some Air entry IPs don't listen on all of the SSH ports (22, 80, 53, 38915). That's why you can't just manually change the SSH port in your config files. Instead, use the Config Generator to generate new configs for your desired port in order to get the correct entry IP.
  11. First off, sorry for not maintaining this thread, although the broad strokes of this guide still work to this day. I may write a new one if time permits. Hi, same question here please. I assume both of you want to want connect to Air's servers on port 443, using SSH? That's currently not possible, but it's got nothing to do with your local port forwarding: Air's servers simply don't accept SSH connections on port 443. The Config Generator only lists ports 22, 80, 53 and 38915 for SSH. I'd suggest opening a ticket to ask staff about the possibilities of SSH on 443.
  12. Attention everybody: A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/
  13. Goal We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection. Requirements Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)the Android device does not have to be rootedGoogle PlayStore or the free & open source F-Droid market (recommended)OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)Termux Terminal Emulator (FOSS)stunnel (FOSS), via Termux repositorya separate computer to download/edit the config files (entirely optional, but recommended) Setup instructions Part 1: generate AirVPN config files 1/7: open AirVPN's config generator. When asked for your operating system, pick Linux: 2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region. 3/7: Protocols: First, enable Advanced Mode: Now select the SSL mode, port 443: 4/7: Accept Terms of Service and generate the config files: 5/7: Download the generated zip archive: 6/7: unzip AirVPN.zip and open the *.ssl file in a text editor. find this line: pid = /tmp/stunnel4.pid replace it with: pid = /data/data/com.termux/files/home/stunnel4.pid 7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies. Part 2: Install and prepare Android software 1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet. 2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore open Termux and run: termux-setup-storageAllow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).The pkg command is used to install und update software packages. Make sure your base packages are all up to date: pkg upgradenow install stunnel: pkg install stunnel 3/3: Still in Termux, jump to the AirVPN folder you copied to your phone: cd storage/shared/AirVPNThe command lsshould list 3 files: AirVPN*.ovpn (the OpenVPN config file)AirVPN*.ssl (the stunnel config file)stunnel.crt (stunnel certificate)Now start stunnel: stunnel AirVPN*.ssl press the Home button to get out of Termux.Start OpenVPN and import the AirVPN*.ovpn config fileEdit your new OpenVPN connection (tap the "pencil button")in the ALLOWED APPS tab, tick the box next to Termuxreturn to OpenVPN's connection listyour VPN connection is now configured. A tap on its name will establish the connection.verify that a connection has been established by looking for the log entry Initialization Sequence Completedbrowse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnelHere's a short video, demonstrating the steps above: https://vimeo.com/246306477 Part 3: Usage instructions Now that everything is configured, future usage will be much easier: open Termuxnavigate to your AirVPN folder: cd storage/shared/AirVPNnow run stunnel: stunnel AirVPN*.sslPress the Home button and open the OpenVPN appConnect to your VPN profile Addendum: Tips as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.don't forget to periodically run pkg upgradeto keep all of Termux' packages, including stunnel, up-to-date.To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6; as well disabling the LAN bypass: you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.you may want to consider AFWall+ for additional firewalling (root required)it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file: cd ~ mkdir st cd storage/shared/AirVPN cp *.ssl stunnel.crt ~/st rm *.ssl stunnel.crt *.ovpn Moving those files obviously changes the paths of your Termux commands. Instead of running: cd storage/shared/AirVPN stunnel AirVPN*.ssl You'd now need to run: cd ~/st stunnel AirVPN*.ssl Addendum: Caveats Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks. Addendum: Testing and bugs This tutorial has been tested on: Stock Android 6.0Stock Android 7.0Stock Android 8.0LineageOS 14.1 (~ Android 7.1.x)Fire OS (~ Android 5.x), testing done by user steve74it Important Notice for Android 8.0+ (Oreo) users: The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage: https://github.com/termux/termux-app/issues/157#issuecomment-246659496 The workaround will no longer be necessary once this bug is resolved: https://github.com/termux/termux-packages/issues/1578 EDIT LOG Thu Dec 7 20:24 UTC 2017: initial releaseThu Dec 7 20:40 UTC 2017: formatting correctionsThu Dec 7 20:58 UTC 2017: spellingFri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-HarbingerFri Jan 5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it) Any corrections, further testing, as well as general suggestions for improvement would be much appreciated.
  14. Thursday/Friday unless somebody else beats me to it.
  15. DarkSpace-Harbinger's solution works, thanks! This whole tutorial needs a make-over, it contains too many outdated statements. I'll work on a new version soon, unless somebody else wants to take over which would be much appreciated. I'm not an Android power user at all.
  16. Are you on Android 7.0 or newer? It looks like Android 7.0 introduced some changes that make it impossible to use OpenVPN through stunnel. Unfortunately, this tutorial is obsolete unless a solution is found. Related bug reports: https://www.stunnel.org/pipermail/stunnel-users/2017-October/005845.html https://github.com/schwabe/ics-openvpn/issues/740 https://productforums.google.com/forum/#!topic/nexus/8SybHHQoEDg
  17. Don't use scripts, NetworkManager will override your manual changes sooner or later. There is a more reliable way to get rid of your default DNS: Go into GNOME's network settings. Edit your Wi-Fi connection. Disable "automatic" DNS and configure Air's server instead. Screenshot attached.
  18. Thanks zhang888, I agree you make a very valid point: Most of Firejail's flaws that are currently discussed don't concern sandbox escapes. Even in its current state, using firejail can go a long way to prevent certain classes of attacks. That said, I still feel squeamish about putting something on my system that is known to contain lots of avenues for privilege escalation.
  19. by Sebastian Krahmer. Quoted from: http://seclists.org/oss-sec/2017/q1/20 by Martin Carpenter. Quoted from: http://seclists.org/oss-sec/2017/q1/25 As someone who has mentioned and recommended Firejail, I want to share a couple thoughts: On one hand, Firejail is still in relatively early development, which means flaws are to be expected. On the other hand, it is worrying that both of these security researchers have also raised serious concerns regarding Firejail's general design. It makes you wonder whether Firejail can still be a viable solution, even after these particular flaws are fixed. What have I personally learned from this? Actually, there's nothing new here. But there are certain "truths" of IT security that I tend do downplay, despite being aware of them. Probably because they are inconvienent truths: 1. using unaudited software is dangerous 2. audits are rare and if they do happen, they often produce scary results 3. setuid is dangerous 4. more security measures != more security 5. desktop security is in a dreadful state Finally, I want to stress that the purpose of this thread is not to disparage Firejail. It's an awesome project, a lot of effort is being put into it. I hope it can be salvaged. But for the time being, I'm just not sure it's advisable to use it.
  20. Using containers definitely creates less resource overhead than using virtual machines. I personally prefer LXC, here's the Arch Wiki entry: https://wiki.archlinux.org/index.php/Linux_Containers Example of how to use OpenVPN in an LXC container: https://wiki.archlinux.org/index.php/OpenVPN_in_Linux_containers I cannot vouch for this solution as I have yet to try it myself, but it should give you some ideas on how to proceed. Maybe I'll come up with a tutorial on this topic but I'm not sure I can find the time, so, no promises.
  21. Good observations by nemoAnon, thank you! Unrelated addition: For those that find it inconvenient to get the stunnel binary from the project's website (and manually keep it up to date!), I can recommend Termux. It's a nice alternative terminal emulator that allows you to install additional packages from their repositories with the apt package manager. Stunnel is among the available packages. To some extent you're trading security for convenience as you won't be getting the stunnel binary directly from the stunnel project, but from the Termux repos. I haven't actually tried using Termux yet, but I don't see any reason why it wouldn't work for our purpose. I might post new instructions if anyone needs help adapting them to Termux. Or maybe another friendly soul helps out
  22. I actually wouldn't want MUC backlog to be disabled, but if Air staff agree with you, they would have to set history_size 0 in ejabberd's global config. There is no per-room configuration option AFAIK.
  23. Thanks for pointing that out, because the Cryptostorm people certainly didn't: Pattern_Juggled still holds the title Site Admin. Forums usually allow you to ban accounts or change at least their title, but apparently Cryptostorm don't think it's necessary to visibly distance themselves from their former admin, now convicted zoophilic, snitching drug-smuggler. Is that how you handle this correctly? Really? Now you're the one stretching and reaching. Read my post, I don't claim CS to be a honeypot. I'm expressing how CS excude a terribly seedy atmosphere, underlined not only by Spink's prior involvement, but (more importantly even) also the ridiculous amount of gobbledegook and hot air. All of their material reads like it's written by 15-year olds. For example, first, they don't even think about declaring their software license. Then, they pick a non-free license. Seriously? Who approaches software development like that? Yeah, I think they are inattentive to a lot of things. Like proper, clear documentation. Is their forum section "how it works | guides, whitepapers, tech details [cryptostorm.org/howto]" the right place to look for whitepapers and tech details? Because all I see are connection howtos and a lot of hot air. Please, point me to whitepapers, audit reports, or at least server-side tech details. I'm happy that you're confident in their network but I can't find anything that would convince me. Their pompous forum posts are void of any technical information. This is the "best" description of their token system I could dig up. They're rambling and rambling and spewing gobbledegook. Nothing of substance, no specification, no server-side code, nothing. Whitepapers? Specs? Implementation details about their their "darknet"? Anything remotely like this or this? I'm not wearing any: My disdain for CS is not fueled by paranoia, but lack of credible information that would support anything CS do. All there is to be found is evidence to the contrary: a poorly run project with a dubious past.
  24. Oh, now this is delicious. Cryptostorm on trust and honeypots? Well they would know, that's for sure. Let's do some investigatory journalism googling. 1. Who's behind CryptoStorm? source 2. Any interesting people @ Baneki? Let's ask Bloomberg: source 3. Spink, Spink, I've heard that funny name before... source 4. But wait, there's more: source 5. Fast forward to that 2014 CryptoStorm post: People "associated with CryptoCloud/CryptoStorm" have been up to strange things indeed, wouldn't you say? Postscript My post is, I hope that's obvious, polemical. I don't claim that Spink still pulls the strings over there (which would be difficult anyway because I think he is, once more, back in jail). However, these are my serious points: Considering Baneki's "backstory", any serious person would run for the hills. Yet, CryptoStorm is still a thing. That should make you wonder about those who willingly associate themselves with such a tarnished project. CryptoStorm try to up their "street cred" by talking some "real shit" about "LEOs", "spooks", "paid shills", and who to trust. They want to teach you how to spot dodgy people. For me, that itself is the biggest warning sign of all. That's exactly how I would advertise my own honeypots.
  • Create New...