Tutorial: SSH-Tunneled VPN on Stock Android
- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4
- minimum requirement: Android 4.x
1. Required apps
- OpenVPN for Android
- ConnectBot (any advanced SSH client will work, )
- CyanogenMod File Manager (or pick any file manager you like)
I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.
2. Generate config files
Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).
Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg
3. Transfer config files
We only need 2 out of the 3 generated files:
- the .ovpn profile
Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
route 220.127.116.11 255.255.255.255 net_gateway
That's the IP we will need.
4. Import key file in ConnectBot
Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg
5. Configure SSH connection in ConnectBot
Go to ConnectBot's main screen.
At the bottom of the screen, enter:
(Notice, that's the IP we took note of in step 3).
Screenshot #5A: http://i.imgur.com/ludTDgv.jpg
If the default port 22 is blocked, you can try an alternative port by appending it at the end:
- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg
- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".
Screenshot #6: https://i.imgur.com/n3OtM2D.jpg
- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg
- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".
6. Configure SSH port forwarding
- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
Source port: 1412
Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
- Press "Create port forward".
Configuration of the SSH connection is now complete.
- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.
7. Import OpenVPN config
- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".
- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing
8. Start OpenVPN connection
- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations
9. How to connect / disconnect from now on
When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot
10. Thoughts on reliabilty and firewalling
If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.
I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).
AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.
(You have to dive into its settings to enable VPN mode).
Finally: Good luck!