InactiveUser

I must be out of the loop. I've been using Stunnel and OpenVPN on my Google Pixel with no issues, and it released with Nougat pre-installed.
 
The only thing you need to do is exclude Terminal Emulator from the VPN tunnel using OpenVPN for Android.
 
The problem is, when you don't do this it tries to route Stunnel through OpenVPN, and OpenVPN is trying to route through Stunnel. By excluding Termninal Emulator you allow Stunnel to remain unrouted by OpenVPN, and OpenVPN can make it's connection with Stunnel properly.

ATTENTION: This tutorial is out of date, incomplete and deprecated. 
A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/
 
 
This thread is only kept online for historical reference.
 
 
 
 
 


Goal and obstacles

We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

a. there is no AirVPN Eddie client for Android.
Solution: We will use OpenVPN and stunnel directly.
b. there is no stunnel app in any Android appstore.
Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
c. Android does not allow us to execute any programs from the sdcard.
Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.





Software RequirementsAndroid 4.0 or newer (device does not have to be rooted) stunnel compiled for Android (FOSS), via project website OpenVPN for Android (FOSS), via F-Droid or Play Store Jack Palevich's Terminal Emulator for Android (FOSS), via F-Droid or Play Store a separate computer to download/edit the necessary config files and binaries (entirely optional, but easier than doing everything on the Android device itself)



Setup instructions

1. Generate config files with AirVPN's config generatorchoose Linux pick one single server of your choice. I will use Nunki for this tutorial! for Connection Mode, choose SSL Tunnel, port 443 (visible after enabling Advanced Mode) enable Resolved hosts in .ovpn file leave all the other settings at their default values download and unzip the generated zip file this should result in an AirVPN folder, containing three files 2. Open the ssl config file (AirVPN_GB-Manchester_Nunki_SSL-443.ssl) in a text editor.

Find the line:
pid = /tmp/stunnel4.pidChange it to:
pid = /data/data/jackpal.androidterm/app_HOME/stunnel4.pidSave and close the file.
 
3. In a text editor, create a new file with the following contents:
#!/system/bin/shcd /data/data/jackpal.androidterm/app_HOME./stunnel AirVPN_GB-Manchester_Nunki_SSL-443.sslSave it to a file named nunki (no file extension).
Put the file into the AirVPN folder, next to our other config files.


4. Download and unzip stunnel for Android from the stunnel website (stunnel-X.XX-android.zip)

Put the stunnel file (only the file, not the folder) into the AirVPN folder.


5. Make sure your AirVPN folder now contains the following files:
AirVPN_GB-Manchester_Nunki_SSL-443.ovpnAirVPN_GB-Manchester_Nunki_SSL-443.sslnunkistunnelstunnel.crt6. Copy the whole AirVPN folder to your Android's SD card.

The path should be:
/sdcard/AirVPN/7. Install OpenVPN for Android via F-Droid or Play Store and import the .ovpn config file located at
/sdcard/AirVPN/AirVPN_GB-Manchester_Nunki_SSL-443.ovpnDon't try to connect just yet.


8. Install Terminal Emulator for Android, via F-Droid or Play Store


9. Open Terminal Emulator and successively run the following commands:
cdThe simple cd command should take you to the app's home directory (/data/data/jackpal.androidterm/app_HOME).
This is where we need to put our config files and the stunnel binary. Let's move them over by running:
mv /sdcard/AirVPN/* .It's important to type every character correctly (commandline is case sensitive); the "*" is a wildcard expanding to all files in the AirVPN folder, and the "." is a placeholder for the current directory /data/data/jackpal.androidterm/app_HOME. Typing commands on Android is a big pain, so I try to keep them as short as possible!

Finally, we need to modify permissions for the binary and the script, allowing us to execute them:
chmod 555 stunnel nunkiWe should be ready to go!





Usage instructions

I. Open Terminal Emulator and run the following two commands:
  cd ./nunkiA log message should appear: Configuration successful
Great! Keep the Terminal app running, but use the Home button to get out.

II. Open OpenVPN for Android and connect to the profile AirVPN_GB_Manchester_Nunki_SSL-443
Unless something went wrong, you should get Initialization Sequence Completed - great!
I recommend performing the usual leak tests and perhaps diving into OpenVPN's profile settings before relying on your configuration to work as you expect it to.


III. To disconnect:
Disconnect VPN in OpenVPN open Terminal Emulator, press VOLUME_DOWN + C to kill stunnel press the X button to close the terminal session IV. If stunnel isn't shutdown properly, you may see an error if you try to run stunnel again:
 
[!] Error binding service [openvpn] to 127.0.0.1:1413[!] bind: Address already in use (98)[ ] Closing service [openvpn][ ] Service [openvpn] closedThis means stunnel is still running in the background. You can kill it by running:
 
killall stunnel




Footnotes

I successfully followed my own tutorial using: CyanogenMod 12.1 nightly (≈ Android 5.1)stunnel 5.23OpenVPN for Android 0.6.35 (F-Droid)Terminal Emulator 1.0.70 (F-Droid)Testers welcome, especially if you're using different Android and software versions.

Credits:
Kevin Boone for the clever binary execution workaround.

Today Stefano Rodotà left us.
 
He was a co-writer of the Charter of Fundamental Rights of the European Union, which several years later became a binding, legal document for all EU Member States, and a member of the Council of Europe.
 
Between 1998 and 2005 he was the first Data Protection and Privacy Authority supervisor in Italy, a country which never had such a public body, and between 1998 and 2002 he was the President of the Data Protection Supervisors coordination group in the European Union.
 
In spite of limited funds and power, through his energy and incredibly lucid and competent vision, he sowed the seeds of public awareness on the importance of data protection and privacy and established an operative framework which has been successfully followed by his successors.
 
Just to recall a tiny gem, without Rodotà's work the historical decisions, by courts and by the Data Protection Authority, establishing the illegal behavior of the Peppermint company in the homonym case and sentencing the beginning of the end of the copyright trolls activities in Italy and Europe, would have been much more difficult in 2008.
 
It is impossible to mention here all the countless activities Mr. Rodota's was involved in during his life.
 
For us he was first and foremost a Champion of freedom and fundamental rights.
 
Goodbye Mr. Rodotà, you have been, you are and you will be a source of inspiration and strength for us in the pursuit of our mission.
 
The AirVPN founders

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

Browsing pfSense forum I've found some intriguing quick OpenVPN performance test. I think this may be interesting because many people here asking about OpenVPN hardware for their needs.
 
To test (theoretical) throughput:
 
1. generate secret:
 
openvpn --genkey --secret /tmp/secret 2. Test OpenVPN speed:
 
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc 3. Your VPN performance is:
 
( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps  
For my RT-AC87U router it gives 70s, meaning 45Mbps; for my pfSense Celeron C3150 box it gives 25s, meaning 126Mbps. Both values are actually pretty much identical with real client/server tests I did some time ago. Of course this formula is true to the some degree, where actually NIC performance starts to play role. However for casual, quick and dirty checks this seems very interesting.
 
I'm curios how are other's results.
 
 
Credits:
 
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743

ATTENTION: This tutorial is out of date, incomplete and deprecated. 
A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/
 
 
This thread is only kept online for historical reference.
 
 
 
 
 


Goal and obstacles

We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

a. there is no AirVPN Eddie client for Android.
Solution: We will use OpenVPN and stunnel directly.
b. there is no stunnel app in any Android appstore.
Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
c. Android does not allow us to execute any programs from the sdcard.
Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.





Software RequirementsAndroid 4.0 or newer (device does not have to be rooted) stunnel compiled for Android (FOSS), via project website OpenVPN for Android (FOSS), via F-Droid or Play Store Jack Palevich's Terminal Emulator for Android (FOSS), via F-Droid or Play Store a separate computer to download/edit the necessary config files and binaries (entirely optional, but easier than doing everything on the Android device itself)



Setup instructions

1. Generate config files with AirVPN's config generatorchoose Linux pick one single server of your choice. I will use Nunki for this tutorial! for Connection Mode, choose SSL Tunnel, port 443 (visible after enabling Advanced Mode) enable Resolved hosts in .ovpn file leave all the other settings at their default values download and unzip the generated zip file this should result in an AirVPN folder, containing three files 2. Open the ssl config file (AirVPN_GB-Manchester_Nunki_SSL-443.ssl) in a text editor.

Find the line:
pid = /tmp/stunnel4.pidChange it to:
pid = /data/data/jackpal.androidterm/app_HOME/stunnel4.pidSave and close the file.
 
3. In a text editor, create a new file with the following contents:
#!/system/bin/shcd /data/data/jackpal.androidterm/app_HOME./stunnel AirVPN_GB-Manchester_Nunki_SSL-443.sslSave it to a file named nunki (no file extension).
Put the file into the AirVPN folder, next to our other config files.


4. Download and unzip stunnel for Android from the stunnel website (stunnel-X.XX-android.zip)

Put the stunnel file (only the file, not the folder) into the AirVPN folder.


5. Make sure your AirVPN folder now contains the following files:
AirVPN_GB-Manchester_Nunki_SSL-443.ovpnAirVPN_GB-Manchester_Nunki_SSL-443.sslnunkistunnelstunnel.crt6. Copy the whole AirVPN folder to your Android's SD card.

The path should be:
/sdcard/AirVPN/7. Install OpenVPN for Android via F-Droid or Play Store and import the .ovpn config file located at
/sdcard/AirVPN/AirVPN_GB-Manchester_Nunki_SSL-443.ovpnDon't try to connect just yet.


8. Install Terminal Emulator for Android, via F-Droid or Play Store


9. Open Terminal Emulator and successively run the following commands:
cdThe simple cd command should take you to the app's home directory (/data/data/jackpal.androidterm/app_HOME).
This is where we need to put our config files and the stunnel binary. Let's move them over by running:
mv /sdcard/AirVPN/* .It's important to type every character correctly (commandline is case sensitive); the "*" is a wildcard expanding to all files in the AirVPN folder, and the "." is a placeholder for the current directory /data/data/jackpal.androidterm/app_HOME. Typing commands on Android is a big pain, so I try to keep them as short as possible!

Finally, we need to modify permissions for the binary and the script, allowing us to execute them:
chmod 555 stunnel nunkiWe should be ready to go!





Usage instructions

I. Open Terminal Emulator and run the following two commands:
  cd ./nunkiA log message should appear: Configuration successful
Great! Keep the Terminal app running, but use the Home button to get out.

II. Open OpenVPN for Android and connect to the profile AirVPN_GB_Manchester_Nunki_SSL-443
Unless something went wrong, you should get Initialization Sequence Completed - great!
I recommend performing the usual leak tests and perhaps diving into OpenVPN's profile settings before relying on your configuration to work as you expect it to.


III. To disconnect:
Disconnect VPN in OpenVPN open Terminal Emulator, press VOLUME_DOWN + C to kill stunnel press the X button to close the terminal session IV. If stunnel isn't shutdown properly, you may see an error if you try to run stunnel again:
 
[!] Error binding service [openvpn] to 127.0.0.1:1413[!] bind: Address already in use (98)[ ] Closing service [openvpn][ ] Service [openvpn] closedThis means stunnel is still running in the background. You can kill it by running:
 
killall stunnel




Footnotes

I successfully followed my own tutorial using: CyanogenMod 12.1 nightly (≈ Android 5.1)stunnel 5.23OpenVPN for Android 0.6.35 (F-Droid)Terminal Emulator 1.0.70 (F-Droid)Testers welcome, especially if you're using different Android and software versions.

Credits:
Kevin Boone for the clever binary execution workaround.

It's indeed a little confusing:
After launching the AirVPN client and entering your Mac user password, the AirVPN client does start - but it's minimized! Not even clicking on the dock icon will bring it up.

However, you will notice a new icon in your menu bar (right upper edge of your screen, next to the clock).
Click on the Air-themed icon (looks like a cloud in a circle). Select "Show Main Window" to bring up the main application window. Also notice that you can get to the separate "Preferences" pane by clicking on the menu bar icon.

1. Using (Air)VPN on a Pi is really no different from doing so on any other Linux machine. I'll assume you use Raspbian. Install the "openvpn" package, its daemon looks for .conf files in /etc/openvpn/ .
Put your generated AirVPN config file into that directory and change the suffix from .ovpn to .conf. You can control the daemon using the service command:
 
service status/stop/start/restart openvpn  
2. It would be a good idea to configure the iptables firewall in order to avoid any leaks. You will find examples in the How-to forum section.
If you don't feel comfortable with iptables, you can try ufw which is an iptables front-end that provides easier syntax.

3. Quick way to check your current IP on the Pi:
wget -qO - ifconfig.me/ip 4. One thing to look out for: The Pi does not keep time well (at all) on reboots or power outages. If time is off by too much, you won't be able to establish VPN or SSL connections so make sure your Pi can always communicate to an NTP timeserver. If your router comes with a timeserver (many routers do), you can add its IP address to the ntp config file.
https://raspberrypi.stackexchange.com/questions/24079/how-to-use-ntp-on-raspberry-pi-by-local-ntp-server

Firejail is going to be obsolete soon - Firefox is adding a native, long awaited sandbox in FF52:
https://wiki.mozilla.org/Security/Sandbox
 
More security focused forks like Tor Browser Hardened already use Selfrando, which is an additional layer against use-after-free whole class of vulnerabilities:
https://blog.torproject.org/blog/selfrando-q-and-georg-koppen
 
I don't think it's not advisable to use Firejail, it depends which class of vulnerabilities worries you most. What it aims to do is preventing any FF based
exploits gain persistence on your system, like the last years PDF.js exploit and the more recent FBI exploits against the Tor Browser.
So if this is your case, Firejail would come useful.
 
If someone will find an exploit in Firejail, and target you with it individually, knowing you are using it, it's an old question of who you are and what's you worth.
There was a nice talk on 33C3 about "Million Dollar dissidents" - if you are a worth target, then any well-funded adversary will find a way to target you without
difference of your software/hardware choices.

by Sebastian Krahmer. Quoted from: http://seclists.org/oss-sec/2017/q1/20
 
 
 
by Martin Carpenter. Quoted from: http://seclists.org/oss-sec/2017/q1/25
 
 
As someone who has mentioned and recommended Firejail, I want to share a couple thoughts:
On one hand, Firejail is still in relatively early development, which means flaws are to be expected.
 
On the other hand, it is worrying that both of these security researchers have also raised serious concerns regarding Firejail's general design. It makes you wonder whether Firejail can still be a viable solution, even after these particular flaws are fixed.
 
What have I personally learned from this? Actually, there's nothing new here.
But there are certain "truths" of IT security that I tend do downplay, despite being aware of them. Probably because they are inconvienent truths:
 
1. using unaudited software is dangerous
2. audits are rare and if they do happen, they often produce scary results
3. setuid is dangerous
4. more security measures != more security
5. desktop security is in a dreadful state
 
Finally, I want to stress that the purpose of this thread is not to disparage Firejail. It's an awesome project, a lot of effort is being put into it. I hope it can be salvaged. But for the time being, I'm just not sure it's advisable to use it.

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

If network lock is enabled, it will take effect as soon the AirVPN client comes up.
I have posted some autostart instructions for Linux Mint but they are virtually identical for Ubuntu. They include a way to launch the application without having to enter your Linux user password each time.

There's quite a convenient solution for the setup I was looking for and I would like to share it for future visitors of this thread.
 
All you need to do is installing docker, download an image and adjust it to your needs, i.e. set folders, and minor things like that. the image in question runs on an Arch Linux base and contains Deluge, OpenVPN and Privoxy. Iptables are preconfigured. AirVPN is supported.
 
https://hub.docker.com/r/binhex/arch-delugevpn

Using containers definitely creates less resource overhead than using virtual machines.
 
I personally prefer LXC, here's the Arch Wiki entry:
https://wiki.archlinux.org/index.php/Linux_Containers
 
Example of how to use OpenVPN in an LXC container:
https://wiki.archlinux.org/index.php/OpenVPN_in_Linux_containers
 
I cannot vouch for this solution as I have yet to try it myself, but it should give you some ideas on how to proceed.
Maybe I'll come up with a tutorial on this topic but I'm not sure I can find the time, so, no promises.

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

It's important to remember ProtonMail is a commercial business designed to produce profit, whereas Riseup is an anarchist collective offering services to activists in tune with their set of ideals. Charging for a premium version of Riseup would be at odds with the purpose of the project. I'd love to see Riseup secure a more stable income, but I'm not sure ProtonMail or Posteo are the right places to look.

Tutorial: SSH-Tunneled VPN on Stock Android
 
0. Notes
 
- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4
- minimum requirement: Android 4.x
 
 
1. Required apps
 
- OpenVPN for Android
- ConnectBot (any advanced SSH client will work, )
- CyanogenMod File Manager (or pick any file manager you like)
I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
https://f-droid.org/

In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.
 
 
2. Generate config files

Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).
Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg


3. Transfer config files
 
We only need 2 out of the 3 generated files:
    - sshtunnel.key
    - the .ovpn profile
 
Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
Example:
 
route 199.19.94.12 255.255.255.255 net_gateway
That's the IP we will need.
 
 
4. Import key file in ConnectBot

Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg
 
 
5. Configure SSH connection in ConnectBot

Go to ConnectBot's main screen.
At the bottom of the screen, enter:

sshtunnel@199.19.94.12
(Notice, that's the IP we took note of in step 3).
Screenshot #5A: http://i.imgur.com/ludTDgv.jpg

If the default port 22 is blocked, you can try an alternative port by appending it at the end:
sshtunnel@199.19.94.12:80
or
sshtunnel@199.19.94.12:53

- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg

- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".
Screenshot #6: https://i.imgur.com/n3OtM2D.jpg

- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg

- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".
 
 
6. Configure SSH port forwarding
 
- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
 
Type: Local
Source port: 1412
Destination: 127.0.0.1:2018
Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
- Press "Create port forward".
Configuration of the SSH connection is now complete.
- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.
 
 
7. Import OpenVPN config

- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
  Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
 
- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".
- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing
 
 
8. Start OpenVPN connection
 
- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations
 
 
9. How to connect / disconnect from now on

When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot
 
 
10. Thoughts on reliabilty and firewalling

If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.

I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).
AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.    
(You have to dive into its settings to enable VPN mode).
 
 
Finally: Good luck!

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

When that person didn't buy a separate laptop, a prepaid SIM card, and a VPN to manage his website - and -only- his website,
no encryption in the world could help.
That is a common compartmentalization mistake of people who think they are fine without it.
 
The details and the time-stamps, are already everywhere. I expected some twist but it was quite a simple and boring read.

(from https://news.ycombinator.com/item?id=10039306)
 
Starting with Windows 8, Microsoft even facilitates this process:
 
(from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)
 
 
My thoughts on this:
 
Proprietary software makes free and secure computing impossible.
 
"Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.
 
"Just install a free BIOS (coreboot)" doesn't fix anything either: Recent intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplacable firmware.
(from http://www.coreboot.org/Binary_situation)
 
 
Under the guise of providing new feautures for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.
 
 
What can we do?
Support alternative vendors such as System76, ThinkPenguin and Purism Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing Support organizations such as FSF and EFF Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers 

Hello !
 
Slight thread necro here, but I think it's worth it, due to the good content OP posted, which deserves more attention. I just wanted to add to it:
 
A security researcher found exploitable SMM code in Lenovo Thinkpads.
 
The problem is: this stuff runs like 2 layers below the BIOS. Meaning that virusscans, changing the OS and even firewall/networking rules don't work.
 
So even if Lenovo did fix these things, it still shows the importance of fighting for our hardware & software freedoms.

(from https://news.ycombinator.com/item?id=10039306)
 
Starting with Windows 8, Microsoft even facilitates this process:
 
(from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)
 
 
My thoughts on this:
 
Proprietary software makes free and secure computing impossible.
 
"Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.
 
"Just install a free BIOS (coreboot)" doesn't fix anything either: Recent intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplacable firmware.
(from http://www.coreboot.org/Binary_situation)
 
 
Under the guise of providing new feautures for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.
 
 
What can we do?
Support alternative vendors such as System76, ThinkPenguin and Purism Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing Support organizations such as FSF and EFF Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers 

(from https://news.ycombinator.com/item?id=10039306)
 
Starting with Windows 8, Microsoft even facilitates this process:
 
(from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)
 
 
My thoughts on this:
 
Proprietary software makes free and secure computing impossible.
 
"Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.
 
"Just install a free BIOS (coreboot)" doesn't fix anything either: Recent intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplacable firmware.
(from http://www.coreboot.org/Binary_situation)
 
 
Under the guise of providing new feautures for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.
 
 
What can we do?
Support alternative vendors such as System76, ThinkPenguin and Purism Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing Support organizations such as FSF and EFF Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers 

(from https://news.ycombinator.com/item?id=10039306)
 
Starting with Windows 8, Microsoft even facilitates this process:
 
(from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)
 
 
My thoughts on this:
 
Proprietary software makes free and secure computing impossible.
 
"Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.
 
"Just install a free BIOS (coreboot)" doesn't fix anything either: Recent intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplacable firmware.
(from http://www.coreboot.org/Binary_situation)
 
 
Under the guise of providing new feautures for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.
 
 
What can we do?
Support alternative vendors such as System76, ThinkPenguin and Purism Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing Support organizations such as FSF and EFF Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers 

I agree with you about Purism, there are a lot of question marks and unfulfilled promises. I chose to include it in my (non-exhaustive) list because supporting any alternative vendor helps in the sense that it shows demand for alternatives. None of the projects I listed are truly free: the Novena comes closest, but even they had to reverse-engineer the 3d/video drivers.
Once we show demand in the millions, we can push hardware companies to build stuff that doesn't require reverse engineering. If Purism and all their publicity helps us get to such numbers - even if Purism are mostly hype with little substance - I'm fine with that.