
SSH-Tunneled VPN on Stock Android


#1 sheivoko

Posted 08 February 2015 - 09:10 PM

Tutorial: SSH-Tunneled VPN on Stock Android

 

0. Notes

 

- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4

- minimum requirement: Android 4.x

 

 

1. Required apps

 

- OpenVPN for Android
- ConnectBot (any advanced SSH client will work)
- CyanogenMod File Manager (or pick any file manager you like)

I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
https://f-droid.org/

In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.

 

 

2. Generate config files

Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).

Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg


3. Transfer config files

 

We only need 2 out of the 3 generated files:
    - sshtunnel.key
    - the .ovpn profile

 

Screenshot #2: http://i.imgur.com/p2L7T0l.jpg

Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
Example:
 
route 199.19.94.12 255.255.255.255 net_gateway

That's the IP we will need.

 

 

4. Import key file in ConnectBot

Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg

 

 

5. Configure SSH connection in ConnectBot

Go to ConnectBot's main screen.
At the bottom of the screen, enter:

sshtunnel@199.19.94.12

(Notice, that's the IP we took note of in step 3).

Screenshot #5A: http://i.imgur.com/ludTDgv.jpg

If the default port 22 is blocked, you can try an alternative port by appending it at the end:

sshtunnel@199.19.94.12:80
or
sshtunnel@199.19.94.12:53

- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg

- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".

Screenshot #6: https://i.imgur.com/n3OtM2D.jpg

- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg

- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".

 

 

6. Configure SSH port forwarding

 

- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:

 

Type: Local
Source port: 1412
Destination: 127.0.0.1:2018

Screenshot #9: https://i.imgur.com/TBnsKQx.jpg

- Press "Create port forward".
Configuration of the SSH connection is now complete.

- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.

 

 

7. Import OpenVPN config

- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
  Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg

 

- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".

- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing

 

 

8. Start OpenVPN connection

 

- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations :)

 

 

9. How to connect / disconnect from now on

When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot

 

 

10. Thoughts on reliability and firewalling

If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.

I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).

AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.    
(You have to dive into its settings to enable VPN mode).

 

 

Finally: Good luck!


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758
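
Added example, not part of the original post: a small Python check that reads the generated .ovpn profile and derives the values entered in steps 5 and 6. The sample profile is constructed; only its `route` line is quoted from the tutorial, and the `remote 127.0.0.1 1412` and `proto tcp` directives are assumptions consistent with the OpenVPN log shown later in the thread. The function names are hypothetical.

```python
import ipaddress

# Constructed sample: only the "route" line is quoted from the tutorial;
# the other directives are assumed contents of a generated SSH profile.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 127.0.0.1 1412
route 199.19.94.12 255.255.255.255 net_gateway
"""

def parse_profile(text):
    """Pick out the directives that matter for the SSH-tunnel setup."""
    info = {"proto": None, "remote": None, "entry_ips": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":      # blank line or comment
            continue
        if parts[0] == "proto" and len(parts) >= 2:
            info["proto"] = parts[1]
        elif parts[0] == "remote" and len(parts) >= 3:
            info["remote"] = (parts[1], int(parts[2]))
        elif parts[0] == "route" and parts[2:4] == ["255.255.255.255", "net_gateway"]:
            # Host route that keeps the SSH server reachable outside the VPN.
            info["entry_ips"].append(str(ipaddress.ip_address(parts[1])))
    return info

def connectbot_settings(text, ssh_port=22, server_port=2018):
    """Return the values for steps 5 and 6, or raise if the profile looks wrong."""
    info = parse_profile(text)
    problems = []
    if len(info["entry_ips"]) != 1:
        problems.append("expected exactly one host route via net_gateway")
    if info["remote"] is None or info["remote"][0] not in ("127.0.0.1", "localhost"):
        problems.append("remote is not local: not an SSH-tunnel profile")
    if not (info["proto"] or "").startswith("tcp"):
        problems.append("proto must be tcp to pass through an SSH forward")
    if problems:
        raise ValueError("; ".join(problems))
    host = "sshtunnel@" + info["entry_ips"][0]
    if ssh_port != 22:                            # ConnectBot takes user@host:port
        host += f":{ssh_port}"
    return {"host": host, "type": "Local",
            "source_port": info["remote"][1],
            "destination": f"127.0.0.1:{server_port}"}

if __name__ == "__main__":
    print(connectbot_settings(SAMPLE_OVPN))
```

A profile generated for a direct (non-SSH) connection fails the check, which catches the mistake of importing the wrong file before any connection is attempted.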


#2 foxwood

Posted 09 February 2015 - 08:42 AM

This tutorial worked for me!  :up:  (edit: I'm running Android 5.0.1)

 

If possible I recommend pinning this somewhere in the site/forum for easy access to all. It deserves it! 



#3 foreshadowing

Posted 15 February 2015 - 10:04 AM

I seem to have run into an error. When I click "Manage Pubkeys" and "Import", I seem to be getting this: https://i.imgur.com/Sn32TlI.png However, I put the key file into my SD card area. It is not detecting these files.



#4 foreshadowing

Posted 15 February 2015 - 10:25 AM

Never mind on that, I found the problem. I put it in /sdcard1. However, now OpenVPN for Android is telling me "Address is local, not protecting socket -- -"



#5 sheivoko

Posted 15 February 2015 - 02:35 PM

I followed my tutorial again and also got this message - it's not a critical error message. Whatever the problem is, it must lie elsewhere.
Some seconds later you should see:
 

TCP connection established with [AF_INET]127.0.0.1:1412
Address is local, not protecting socket fd 4
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412
[server] Peer Connection Initiated with [AF_INET]127.0.0.1:1412
Initialization Sequence Completed

If OpenVPN doesn't get to this point, check your SSH tunnel configuration in ConnectBot once again (especially the port forwarding) and make sure it's connecting.

Is "Address is local" really the last log message you see?
OpenVPN usually throws a "connection refused" error if it can't connect.
You might also want to read the extended OpenVPN logs (in the log window, press the menu icon (the 3 vertical dots) and select "Send log file", then open it in a text editor).


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#6 lordlukan

Posted 16 May 2015 - 12:45 PM

Thanks for the guide.

"You may want to dive into the new profile's settings, go to "ROUTING" and enable "Use default route"."

I'm on Android 5.1.1. If I have this checked, the VPN will connect, but there will be no traffic and eventually the VPN will disconnect. Leave the settings 'as is' in the .ovpn settings and everything works. Confirmed with dnsleakstest.



#7 abdorabih

Posted 20 May 2015 - 02:13 AM

Thank you for this decent piece of work.  :ok: .  I have been looking for such a solution for some time now.  Finally!!!.  

I followed your tutorial, it worked like a charm.   Cheers for that. 



#8 tcraig37

Posted 29 July 2016 - 03:45 PM

This should be starred as THE guide for Android. I have had no luck getting it to work at all on either of my Android devices and have been using my laptop permanently. How is this method not advertised ahead of other solutions that just don't work?

 

Thanks again I am absolutely made up, cheers!



#9 kahosts

Posted 05 November 2016 - 01:04 AM

Can I use OpenVPN on 443 port somehow on this with SSH on Android? Port forwarding doesn't accept port below 1024 though.

#10 zarquon

Posted 18 September 2017 - 08:27 PM

I followed this guide without any problem, yet when I launch ConnectBot and I start an sshtunnel, the connection using public key (stored in the file sshtunnel.key) fails and it reverts to password authentication, at which point I am stuck, given that I have no password for the ssh session.

 

What can I do?



#11 snaggle

Posted 04 January 2018 - 04:46 PM

Can I use OpenVPN on 443 port somehow on this with SSH on Android? Port forwarding doesn't accept port below 1024 though.

Hi, same question here please.




#12 sheivoko

Posted 06 January 2018 - 02:42 PM

First off, sorry for not maintaining this thread, although the broad strokes of this guide still work to this day. I may write a new one if time permits.
 

 

Can I use OpenVPN on 443 port somehow on this with SSH on Android? Port forwarding doesn't accept port below 1024 though.

Hi, same question here please.

 

I assume both of you want to connect to Air's servers on port 443, using SSH?
That's currently not possible, but it's got nothing to do with your local port forwarding: Air's servers simply don't accept SSH connections on port 443.
The Config Generator only lists ports 22, 80, 53 and 38915 for SSH. I'd suggest opening a ticket to ask staff about the possibilities of SSH on 443.


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#13 snaggle

Posted 14 January 2018 - 05:08 PM

Thanks for the response,

I've tried using 22, 80 and 53, I get the same fail when editing the port forward.



#14 sheivoko

Posted 15 January 2018 - 03:11 PM

I've tried using 22, 80 and 53, I get the same fail when editing the port forward.

 

 

I cannot reproduce your port forwarding error. Just to clarify: The purely local port forwarding is not affected by your choice of the AirVPN server port (22, 80, 53, 38915).

Port forwarding is always the same, forwarding 127.0.0.1:1412 to 127.0.0.1:2018.

I also don't understand the error message "ports under 1024 or port already used". No local ports under 1024 are involved. Is maybe another instance of sshtunnel, or some other app, somehow using 1412 or 2018?

 

What's your Android version? Works for me on 7 and 8.

 

Not directly related, but I should also add that some Air entry IPs don't listen on all of the SSH ports (22, 80, 53, 38915). That's why you can't just manually change the SSH port in your config files. Instead, use the Config Generator to generate new configs for your desired port in order to get the correct entry IP.


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#15 zarquon

Posted 17 March 2018 - 03:32 PM

I carefully followed this guide and configured everything accordingly.

 

Connectbot correctly starts ssh connection and port forwarding,

 

When I start openvpn it starts but the logs keep on saying

 

TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1412

Attempting to establish with [AF_INET]127.0.0.1:1412

TCP connection established with [AF_INET]127.0.0.1:1412

TCP_CLIENT link local: (not bound)

TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

 

and nothing works...  :(



#16 sheivoko

Posted 29 March 2018 - 04:22 PM

I carefully followed this guide and configured everything accordingly.

 

Connectbot correctly starts ssh connection and port forwarding,

 

When I start openvpn it starts but the logs keep on saying

 

Connection reset, restarting [0]

SIGUSR1[soft,connection-reset] received, process restarting

 

and nothing works...  :(

 

 

I'm sorry for my late reply. Do you still need help?

If so, please tell me the version numbers of your apps and Android OS.

Also, please double-check that you excluded ConnectBot from OpenVPN's routing in the ALLOWED APPS tab.


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758
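
Added example, not part of any post in this thread: a Python triage of the OpenVPN log states discussed in posts #5, #15 and #16. The sample sessions are assembled from the log lines quoted above, except the "Connection refused" line, which is constructed; the state names and advice strings are this example's own wording of the checks the thread suggests.

```python
# Sample sessions assembled from log lines quoted in the thread.
GOOD_LOG = """\
TCP connection established with [AF_INET]127.0.0.1:1412
Address is local, not protecting socket fd 4
TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412
[server] Peer Connection Initiated with [AF_INET]127.0.0.1:1412
Initialization Sequence Completed
"""
RESET_LOG = """\
TCP connection established with [AF_INET]127.0.0.1:1412
TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
"""
# Constructed line: the thread only says OpenVPN reports "connection refused".
REFUSED_LOG = "TCP: connect to [AF_INET]127.0.0.1:1412 failed: Connection refused\n"

ADVICE = {
    "up": "tunnel and VPN are working",
    "refused": "nothing listens on the local port: start the SSH connection "
               "first and re-check the port forward",
    "reset-loop": "the forward accepts the connection but it is reset: check that "
                  "the SSH session is alive and ConnectBot is excluded in ALLOWED APPS",
    "tcp-only": "connected to the forward but no handshake yet: read the extended log",
    "no-attempt": "OpenVPN never reached the local forward",
}

def triage(log_text, local_port=1412):
    """Return the state implied by the last significant line of an OpenVPN log."""
    endpoint = f"127.0.0.1:{local_port}"
    state = "no-attempt"
    for line in log_text.splitlines():
        low = line.lower()
        if "address is local, not protecting socket" in low:
            continue                      # informational, not an error
        if "initialization sequence completed" in low:
            state = "up"
        elif "connection refused" in low:
            state = "refused"
        elif "connection reset" in low:
            state = "reset-loop"
        elif "tcp connection established" in low and endpoint in line:
            if state == "no-attempt":
                state = "tcp-only"
    return state

if __name__ == "__main__":
    for log in (GOOD_LOG, RESET_LOG, REFUSED_LOG):
        print(triage(log), "->", ADVICE[triage(log)])
```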





