
[How-To] [OBSOLETE] AirVPN through stunnel on Android


37 replies to this topic

#1 sheivoko


Posted 14 September 2015 - 08:18 PM

 
ATTENTION: This tutorial is out of date, incomplete and deprecated.

 

A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/

 

 

This thread is only kept online for historical reference.

 

 

 

 

 

 

Goal and obstacles

We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

a. there is no AirVPN Eddie client for Android.
Solution: We will use OpenVPN and stunnel directly.
b. there is no stunnel app in any Android appstore.
Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
c. Android does not allow us to execute any programs from the sdcard.
Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.

 

Software Requirements

  • Android 4.0 or newer (device does not have to be rooted)
  • stunnel compiled for Android (FOSS), via project website
  • OpenVPN for Android (FOSS), via F-Droid or Play Store
  • Jack Palevich's Terminal Emulator for Android (FOSS), via F-Droid or Play Store
  • a separate computer to download/edit the necessary config files and binaries (entirely optional, but easier than doing everything on the Android device itself)

 

Setup instructions

1. Generate config files with AirVPN's config generator

  • choose Linux
  • pick one single server of your choice. I will use Nunki for this tutorial!
  • for Connection Mode, choose SSL Tunnel, port 443 (visible after enabling Advanced Mode)
  • enable Resolved hosts in .ovpn file
  • leave all the other settings at their default values
  • download and unzip the generated zip file
  • this should result in an AirVPN folder, containing three files

2. Open the ssl config file (AirVPN_GB-Manchester_Nunki_SSL-443.ssl) in a text editor.

Find the line:

pid = /tmp/stunnel4.pid

Change it to:

pid = /data/data/jackpal.androidterm/app_HOME/stunnel4.pid

Save and close the file.

 

3. In a text editor, create a new file with the following contents:

#!/system/bin/sh
cd /data/data/jackpal.androidterm/app_HOME
./stunnel AirVPN_GB-Manchester_Nunki_SSL-443.ssl

Save it to a file named nunki (no file extension).
Put the file into the AirVPN folder, next to our other config files.


4. Download and unzip stunnel for Android from the stunnel website (stunnel-X.XX-android.zip)

Put the stunnel file (only the file, not the folder) into the AirVPN folder.


5. Make sure your AirVPN folder now contains the following files:

AirVPN_GB-Manchester_Nunki_SSL-443.ovpn
AirVPN_GB-Manchester_Nunki_SSL-443.ssl
nunki
stunnel
stunnel.crt

6. Copy the whole AirVPN folder to your Android's SD card.

The path should be:

/sdcard/AirVPN/

7. Install OpenVPN for Android via F-Droid or Play Store and import the .ovpn config file located at

/sdcard/AirVPN/AirVPN_GB-Manchester_Nunki_SSL-443.ovpn

Don't try to connect just yet.


8. Install Terminal Emulator for Android, via F-Droid or Play Store


9. Open Terminal Emulator and successively run the following commands:

cd

The simple cd command should take you to the app's home directory (/data/data/jackpal.androidterm/app_HOME).
This is where we need to put our config files and the stunnel binary. Let's move them over by running:

mv /sdcard/AirVPN/* .

It's important to type every character correctly (commandline is case sensitive); the "*" is a wildcard expanding to all files in the AirVPN folder, and the "." is a placeholder for the current directory /data/data/jackpal.androidterm/app_HOME. Typing commands on Android is a big pain, so I try to keep them as short as possible!

Finally, we need to modify permissions for the binary and the script, allowing us to execute them:

chmod 555 stunnel nunki

We should be ready to go!

 

Usage instructions

I. Open Terminal Emulator and run the following two commands:
 

cd
./nunki

A log message should appear: Configuration successful
Great! Keep the Terminal app running, but use the Home button to get out.

II. Open OpenVPN for Android and connect to the profile AirVPN_GB_Manchester_Nunki_SSL-443
Unless something went wrong, you should get Initialization Sequence Completed - great!
I recommend performing the usual leak tests and perhaps diving into OpenVPN's profile settings before relying on your configuration to work as you expect it to.


III. To disconnect:

  • Disconnect VPN in OpenVPN
  • open Terminal Emulator, press VOLUME_DOWN + C to kill stunnel
  • press the X button to close the terminal session

IV. If stunnel isn't shut down properly, you may see an error if you try to run stunnel again:
 

[!] Error binding service [openvpn] to 127.0.0.1:1413
[!] bind: Address already in use (98)
[ ] Closing service [openvpn]
[ ] Service [openvpn] closed

This means stunnel is still running in the background. You can kill it by running:
 

killall stunnel

 


Footnotes

I successfully followed my own tutorial using:

  • CyanogenMod 12.1 nightly (≈ Android 5.1)
  • stunnel 5.23
  • OpenVPN for Android 0.6.35 (F-Droid)
  • Terminal Emulator 1.0.70 (F-Droid)

Testers welcome, especially if you're using different Android and software versions.

Credits:


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758
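
A pre-flight check for the files in app_HOME once step 9 is done, covering the pid path from step 2, the execute bits from step 9 and the Windows line-ending problem reported in the replies below. This is an added example, not part of the original post; check_setup, make_fixture, demo.ssl and the address 192.0.2.10 are constructed for illustration, and it assumes a shell that provides grep, sed, tr, head, dirname and mktemp, which not every Android shell does.

```shell
#!/bin/sh
# Added example (not from the thread): checks the stunnel files after step 9.
# Prints one line per problem; returns 1 if any problem was found, else 0.
# Usage: check_setup DIR SSL_FILE WRAPPER
check_setup() {
    dir=$1; ssl=$2; wrapper=$3; bad=0
    cr=$(printf '\r')

    # Step 5: every file must have arrived in the terminal app's home directory.
    for f in "$ssl" "$wrapper" stunnel stunnel.crt; do
        if [ ! -f "$dir/$f" ]; then echo "MISSING $f"; bad=1; fi
    done

    # Step 9: the binary and the wrapper script need the execute bit.
    for f in stunnel "$wrapper"; do
        if [ -f "$dir/$f" ] && [ ! -x "$dir/$f" ]; then echo "NOEXEC $f"; bad=1; fi
    done

    # Windows line endings turn the interpreter path into "/system/bin/sh\r",
    # so starting the wrapper fails with a "not found" style error.
    if [ -f "$dir/$wrapper" ] && grep -q "$cr" "$dir/$wrapper"; then echo "CRLF $wrapper"; bad=1; fi

    # Step 2: the pid file must live in a directory that exists and is writable.
    if [ -f "$dir/$ssl" ]; then
        pid=$(sed -n 's/^[[:space:]]*pid[[:space:]]*=[[:space:]]*//p' "$dir/$ssl" | tr -d '\r' | head -n 1)
        if [ -n "$pid" ]; then
            piddir=$(dirname "$pid")
            if [ ! -d "$piddir" ] || [ ! -w "$piddir" ]; then echo "PIDDIR $piddir"; bad=1; fi
        fi
    fi
    return "$bad"
}

# Constructed fixture standing in for app_HOME: $1=dir, $2=pid path, $3=wrapper line-ending suffix
make_fixture() {
    mkdir -p "$1"
    printf 'pid = %s\n[openvpn]\naccept = 127.0.0.1:1413\nconnect = 192.0.2.10:443\n' "$2" > "$1/demo.ssl"
    printf '#!/system/bin/sh%s\n./stunnel demo.ssl%s\n' "$3" "$3" > "$1/nunki"
    : > "$1/stunnel"; : > "$1/stunnel.crt"
}

# Demo: files as they look right after copying (no chmod yet, pid directory missing).
demo() {
    t=$(mktemp -d)
    make_fixture "$t" "$t/no-such-tmp/stunnel4.pid" ""
    check_setup "$t" demo.ssl nunki && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

demo || true
```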


#2 eyes878


Posted 15 September 2015 - 07:44 PM

Thank you very much for this. I've been wanting to find some way of bypassing OpenVPN blocks on Android for a while.  EDIT: Everything seems to have worked, I'm posting this through the SSL tunnel right now.



#3 Zaroad


Posted 19 September 2015 - 03:29 PM

Hi, after ./nunki I got

 

 

/system/bin/sh: nunki: not found
 

Ideas? nunki has 555 permission

 

And it's ridiculously slow: 0.3 Mbps



#4 sheivoko


Posted 19 September 2015 - 04:55 PM

@Zaroad:

 

Before running "./nunki", did you run "cd" to jump into Terminal's home directory? That's where all the stunnel files should be.

After running "cd", the command "pwd" (print working directory) should output this path: /data/data/jackpal.androidterm/app_HOME

nunki and all the other stunnel-related files should be in there, you can check with the "ls" command.

 

Speed issue: I've noticed slow speeds as well, not as terrible as yours, but a very noticeable decrease. Try a server closest to you, but I think there might be something else going on: stunnel does not tax my phone's CPU much at all. Considering that you can easily get 50Mbit/s stunnel+OpenVPN throughput on an AC68 router, there must be some optimization problem with stunnel's Android build.

I'll try to look into it on Sunday.


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#5 eyes878


Posted 19 September 2015 - 05:00 PM

On my 75mbps line at home, I was able to achieve 1.6-2.0MB/s (12-20mbps~). I can rarely get above this speed when using raw OpenVPN on TCP.

 

I have the Google Nexus 6 on Android 5.1.1.



#6 maxiel


Posted 03 October 2015 - 02:47 PM

Gents, 

 

I've installed all programs and copied over all files as the instruction above.

 

However, I am using the Samsung Galaxy S6 (Edge) which does not have an SD card slot.

Would it be possible to alter the command line in the terminal emulator in some way to make this work?

 

I've made a folder called /sdcard/AirVPN to try a workaround, to no avail.

 


 



#7 sheivoko


Posted 04 October 2015 - 12:18 PM

Hi maxiel, I tried my instructions on a phone that doesn't have an SD card slot, and I didn't have to modify any instructions.

An SD card is not required; Android usually maps the /sdcard/ directory to the main directory of the internal storage if there's no sdcard slot.

I'm not an Android expert, so I don't know if all Android versions and devices work that way.

In any case, when transferring the AirVPN folder to your device, you're free to choose any writable location on your device - it does not have to be /sdcard/.

 

(analogous to step 6)

  • Copy the AirVPN folder to your Android device, to a location of your choice.
  • Figure out the exact path name of that location, perhaps by browsing to it in a file manager. Make note of that path and modify step 9 accordingly:

(analogous to step 9)
 

cd
mv /some/other/Android/path/AirVPN/* .

all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#8 cm0s


Posted 31 December 2015 - 01:04 AM

some other notes on droid from Arceon's thread
https://airvpn.org/topic/19859-android-601-openvpn-for-android-vpn-api-permission-dialog-cancelled/
hope this helps

cheerz

#9 Spyker


Posted 17 March 2016 - 04:34 PM

Hi. I'm stuck on step #9. When I enter "mv /sdcard/AirVPN/* .", I get the following:

 

Spoiler

 

It seems the files are not moved to the app_HOME.

Any suggestions?



#10 nemoAnon


Posted 18 March 2016 - 07:24 PM

Hi. I'm stuck on step #9. When I enter "mv /sdcard/AirVPN/* .", I get the following:

 

Spoiler

 

It seems the files are not moved to the app_HOME.

Any suggestions?

 

I had the same problem, try copy instead "cp /sdcard/AirVPN/* .".

 

Also if you edited your text files on Windows make sure that your text editor can save files with unix EOL, otherwise you'll get "no such file or directory" when you run ./nunki.



#11 sheivoko


Posted 22 March 2016 - 04:37 PM

Good observations by nemoAnon, thank you!

 

Unrelated addition: For those that find it inconvenient to get the stunnel binary from the project's website (and manually keep it up to date!), I can recommend Termux. It's a nice alternative terminal emulator that allows you to install additional packages from their repositories with the apt package manager. Stunnel is among the available packages.

 

To some extent you're trading security for convenience as you won't be getting the stunnel binary directly from the stunnel project, but from the Termux repos.

 

I haven't actually tried using Termux yet, but I don't see any reason why it wouldn't work for our purpose. I might post new instructions if anyone needs help adapting them to Termux. Or maybe another friendly soul helps out :)


all of my content is released under CC-BY-SA 2.0

PGP: A6440E1F195A962035455B22823762E626318758


#12 sleightofthenavigator


Posted 08 April 2016 - 12:11 AM

Nice well-written guide.  Didn't work for me though as written.  I'm on rooted 4.4.2 on a Galaxy Note 10.1.  For the sake of simplicity, I used server nunki so I could follow your example without too much messing around.
 
Upon entering command:

chmod 555 stunnel nunki

I got the response:

Unable to chmod stunnel: Operation not permitted

I can confirm I have the required files in the specified folder.

 

Any ideas why I'm unable to change the permissions?  Any tips greatly appreciated.



#13 zhang888


Posted 08 April 2016 - 12:25 AM

Try replacing

chmod 555 stunnel

with

chmod +x stunnel


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#14 sleightofthenavigator


Posted 08 April 2016 - 01:27 AM

Try replacing

chmod 555 stunnel

with

chmod +x stunnel

 

Thanks for the suggestion, but sadly when I try this I get:

Bad mode


#15 sprositut


Posted 24 April 2016 - 08:12 PM

Instead of stunnel it is much more convenient to use TLS/SSL Tunnel. To import certificate from the phone it is possible to install Simple HTTP Server. And to import certificates to "Custom Cert Store" just copy the link from the browser which points to the stunnel.crt (I just renamed this file for convenience)

 

The order of actions is the following: 

  1. Install TLS/SSL Tunnel
  2. Install Simple HTTP Server
  3. Copy folder with extracted xxx.ovpn and stunnel.crt to the phone
  4. In Simple HTTP Server
    1. Start it. It will show the link to the local content of the phone
    2. Open in the browser on your phone folder where you copied folder with xxx.ovpn and stunnel.crt 
    3. Long tap on stunnel.crt and copy the link to clipboard
  5. In TLS/SSL Tunnel:
    1. Import stunnel.crt (or xxx.crt if you renamed it) Screenshot
      1. In upper right corner choose "Manage Certificates"
      2. Press the button "IMPORT CERTIFICATE"
      3. Paste the link from clipboard and press "LOAD"
      4. Give any name for certificate you like i.e. stunnel
    2. Create connection Screenshot
      1. Choose "New" in the right upper corner
      2. Give any name you like in the field "Name"
      3. In the field "Connect to" type IP address and port from xxx.ssl from the same folder where you took xxx.ovpn and stunnel.crt. It is after string "connect = xxx.xxx.xxx.xxx:443"
      4. In the field local port type 1413
      5. In the field Root-Certificate choose "Custom Cert Store"
      6. Check all 3 boxes (first is already checked)
      7. Press "SAVE" button
    3. Now use it
      1. Click on connection name
      2. Press the button "START TUNNEL" Screenshot
      3. You will have green light if it tries to establish connection Screenshot
      4. You check log in upper right corner "Show connection Info". If it is successful in the end you will see long list of lines with hexadecimal numbers with Signature Algorithm Screenshot
    4. Delete "Simple HTTP Server"
    5. Go to OpenVPN
      1. import the xxx.ovpn config file
      2. Connect
    6. Use established secure internet connection

To close internet connection you need:

  1. In OpenVPN: Disconnect with button "Disconnect" 
  2. In Tunnel: press the button "STOP ALL TUNNELS"


#16 nizammufid


Posted 20 September 2016 - 05:11 AM

It says no root, but it needs the permission. How?



#17 InEvX


Posted 11 December 2016 - 06:15 PM

Instead of stunnel it is much more convenient to use TLS/SSL Tunnel. To import certificate from the phone it is possible to install Simple HTTP Server. And to import certificates to "Custom Cert Store" just copy the link from the browser which points to the stunnel.crt (I just renamed this file for convenience)

 

The order of actions is the following: 

  1. Install TLS/SSL Tunnel
  2. Install Simple HTTP Server
  3. Copy folder with extracted xxx.ovpn and stunnel.crt to the phone
  4. In Simple HTTP Server
    1. Start it. It will show the link to the local content of the phone
    2. Open in the browser on your phone folder where you copied folder with xxx.ovpn and stunnel.crt 
    3. Long tap on stunnel.crt and copy the link to clipboard
  5. In TLS/SSL Tunnel:
    1. Import stunnel.crt (or xxx.crt if you renamed it) Screenshot
      1. In upper right corner choose "Manage Certificates"
      2. Press the button "IMPORT CERTIFICATE"
      3. Paste the link from clipboard and press "LOAD"
      4. Give any name for certificate you like i.e. stunnel
    2. Create connection Screenshot
      1. Choose "New" in the right upper corner
      2. Give any name you like in the field "Name"
      3. In the field "Connect to" type IP address and port from xxx.ssl from the same folder where you took xxx.ovpn and stunnel.crt. It is after string "connect = xxx.xxx.xxx.xxx:443"
      4. In the field local port type 1413
      5. In the field Root-Certificate choose "Custom Cert Store"
      6. Check all 3 boxes (first is already checked)
      7. Press "SAVE" button
    3. Now use it
      1. Click on connection name
      2. Press the button "START TUNNEL" Screenshot
      3. You will have green light if it tries to establish connection Screenshot
      4. You check log in upper right corner "Show connection Info". If it is successful in the end you will see long list of lines with hexadecimal numbers with Signature Algorithm Screenshot
    4. Delete "Simple HTTP Server"
    5. Go to OpenVPN
      1. import the xxx.ovpn config file
      2. Connect
    6. Use established secure internet connection

To close internet connection you need:

  1. In OpenVPN: Disconnect with button "Disconnect" 
  2. In Tunnel: press the button "STOP ALL TUNNELS"

 

Thank you for this! Works beautifully :)

Screenshots don't work unfortunately, but it's not that hard to figure out! 



#18 usefulvid


Posted 07 February 2017 - 11:45 AM

Instead of stunnel it is much more convenient to use TLS/SSL Tunnel. To import certificate from the phone it is possible to install Simple HTTP Server. And to import certificates to "Custom Cert Store" just copy the link from the browser which points to the stunnel.crt (I just renamed this file for convenience)

 

Thanks for this tutorial! I created a (German) YouTube video based on your instructions. I also linked to your posting. I hope that's fine for you.



#19 pyq


Posted 26 March 2017 - 04:19 AM

I followed the first guide and it seems everything worked fine, except, that the profile doesn't show up in OpenVPN for Android after running ./antares (I used the antares server). Did I miss something?



#20 greenclaydog


Posted 26 March 2017 - 04:27 AM

I followed the first guide and it seems everything worked fine, except, that the profile doesn't show up in OpenVPN for Android after running ./antares (I used the antares server). Did I miss something?

 

You have to add the .ovpn in OpenVPN for Android after running ./antares

 

Make sure it's the .ovpn for SSL 443 from the other files you generated in the config generator.






