Implementing L2TP/IPsec?

Tags: l2tp, ipsec

16 replies to this topic

#1 maatre (Newbie, Members, 1 post)

Posted 05 August 2013 - 11:39 AM

Are there any plans to implement it? It's much easier to set up, on Android at least, and secure enough on the move.



#2 Staff (Advanced Member, Staff, 7792 posts)

Posted 05 August 2013 - 12:33 PM

Hello,

sorry, no plans at all at the moment.

Kind regards



#3 Abeyance (Newbie, Members, 2 posts)

Posted 05 September 2013 - 03:03 AM

Isn't it supposed to be better over satellite? If so, it would be a huge improvement for some people like me.



#4 Staff (Advanced Member, Staff, 7792 posts)

Posted 05 September 2013 - 01:49 PM

Hello!

We don't think so, why...? Also, with the new openvpn-connect by OpenVPN Technologies and our configuration generator, at least on Android 4 and higher it's actually simpler to configure OpenVPN than IPsec.

For Android versions older than 4 you're right, OpenVPN installation is more complex because the device needs rooting.

Kind regards



#5 swissglobetrotter (Newbie, Members, 5 posts)

Posted 18 October 2013 - 12:09 PM

Just tried the OpenVPN app, extremely easy setup with your conf files and it worked immediately!

I don't see, however, how I can force Android to work only through OpenVPN by default.

My main reason for using a VPN is security on public WiFi; Android has a lot of automatic connections (updates, downloads, uploads) as soon as it connects to WiFi. If I can only connect manually to the VPN after establishing a connection to public WiFi, my accounts will already have been compromised...

This is easily avoided with L2TP in the native Android settings by forcing VPN only; is there a way to do so with OpenVPN?



#6 Staff (Advanced Member, Staff, 7792 posts)

Posted 18 October 2013 - 12:28 PM

Hello!

It would be the same with L2TP or any other protocol. You can establish a VPN connection only AFTER you are connected to a network, obviously. This is true for any system, not only Android. If your device is correctly set up you don't compromise anything.

Anyway, we're sorry, we have no plans to offer PPTP/L2TP/SSTP or IPsec.

Kind regards



#7 swissglobetrotter (Newbie, Members, 5 posts)

Posted 18 October 2013 - 01:34 PM

You are correct in stating that the VPN connection will start only after the other connection, but it is definitely NOT the same.

Native Android VPN has the option "always-on VPN":

https://support.google.com/nexus/answer/2819573?hl=en

This means that although the VPN will connect after WiFi has been established, the system will not allow any data transfer of any kind on the WiFi which is not through the VPN.

Since OpenVPN is an "add-on" app independent of Android, I first have to turn on WiFi, then manually open OpenVPN and ask it to connect. Opening the app and connecting may only take a few seconds, but by that time the system will already have connected with Google, Facebook, Samsung, cloud, ... sending all my logins unprotected over the WiFi... the reason why I needed a VPN in the first place!

I am new to OpenVPN so I may be missing something here; is there a way to force VPN-only connections with it?



#8 Staff (Advanced Member, Staff, 7792 posts)

Posted 18 October 2013 - 02:21 PM   Best Answer

Hello!

You're not missing anything: if your Android device is configured to send out an unencrypted login and password as soon as it connects to any WiFi network, it will do so. However, we fail to see how it is possible; as far as we know all the services you cite allow secure authentication (over SSL/TLS).

In any case, you already have cited the solution. In openvpn-connect "Settings", make sure that the option:

"Seamless tunnel - Block Internet while VPN is paused or reconnecting" is ticked

and do not turn on WiFi if openvpn-connect is not running (i.e. first you run openvpn-connect, THEN you turn on the WiFi).

You might also like to tick "Reconnect on reboot".

Kind regards



#9 swissglobetrotter (Newbie, Members, 5 posts)

Posted 19 October 2013 - 04:22 AM

Thank you for your answer!

Indeed all my accounts are using SSL, so does this mean that using a VPN will not add any security layer to it?

I know it is possible to decrypt SSL passwords with a man-in-the-middle attack, which is not too difficult to set up, especially if operating the WiFi.

I thought a VPN would be much more secure; I have read in several places that combining a VPN with SSL connections will make it very safe to use public WiFi, and this is why I want a VPN. If it does, then there is not much sense in connecting my services without it and using one once my logins have already gone out... and if it doesn't add any security, then I don't need one!

I have been playing a bit with the OpenVPN Android app. "Seamless tunnel - Block Internet while VPN is paused or reconnecting" is not the same as having a VPN always on. How that option works is, for example, if the user loses connection to either the VPN or WiFi, all traffic will be put on hold and only transferred once connection to both WiFi and VPN is established again. This does NOT apply until the VPN is connected for the first time in the session.

I attempted your suggested fix of opening OpenVPN and trying to connect before I turn on WiFi; this speeds things up but still takes around 5 seconds to confirm the connection, and in the meantime I am already connecting to services.

I understand your position of not offering L2TP/IPsec and I am surely not blaming you for this; Google has been asked for years to add OpenVPN support natively into Android, so they are part of this problem. But if things are as they are, it seems to me that you are not able to offer me a valid Android solution that works 100%, which is a shame because I loved everything else about Air and was ready to buy a yearly membership.



#10 Staff (Advanced Member, Staff, 7792 posts)

Posted 19 October 2013 - 01:29 PM

Hello,

Quote (swissglobetrotter): I attempted your suggested fix of opening OpenVPN and trying to connect before I turn on WiFi; this speeds things up but still takes around 5 seconds to confirm the connection, and in the meantime I am already connecting to services.

Absolutely not, we have tested and re-tested it on a dozen different Android 4.2 and 4.3 tablets. If you experience this, there's something wrong in your device or something we're missing. openvpn-connect will not allow any packet out until the VPN connection is established. You can easily verify that with a packet sniffer.

"Seamless tunnel" is exactly what you want. Five seconds is a perfectly normal time for an OpenVPN connection to be established. The "trick" to make openvpn-connect behave exactly how you wish is to never shut it down (just like you do with any other VPN application installed by default) and tick "Reconnect on reboot".

Adding a trusted & secure VPN (i.e. an encrypted tunnel), even if you connect to web sites over SSL/TLS, actually makes a lot of sense, for a series of important reasons: you avoid encrypted cookie exploits, you make BEAST and similar attacks impotent, you don't let your hot-spot administrators know what you are doing and which addresses you contact over the Internet, you prevent hijacks and other malicious attacks, you avoid DNS poisoning and you bypass protocol and destination IP censorship performed by the hot-spot (if any).

We run only OpenVPN because it's the most secure VPN solution and because it provides some flexibility and options (needed in certain countries) that are not easily implementable with any other tunneling protocol. From a security point of view, the paramount advantages of OpenVPN over IPsec are that the first runs in user space, while the second runs in kernel space, and that IPsec has allegedly been declared an NSA target for easy breaking, maybe through backdoors (according to these allegations, IPsec has been polluted by the NSA for years).

Kind regards



#11 swissglobetrotter (Newbie, Members, 5 posts)

Posted 20 October 2013 - 10:54 AM

Just tried again at least 5 times:

1) Open OpenVPN Connect and press Connect
2) Open the browser and type a URL
3) Turn on WiFi
4) Press refresh and load the page in the browser BEFORE OpenVPN has connected
5) A couple of seconds later OpenVPN changes from "Connecting..." to "Connected" and I get the key symbol in the left corner of the screen.

It may be my device (non-rooted Galaxy S3, Android 4.1.2) but I doubt it. "Seamless Tunnel" states clearly "Block Internet while VPN is paused or reconnecting".

If I turn off the WiFi, OpenVPN goes into Pausing and then YES, even when turning WiFi back on I can't load anything till OpenVPN changes status to Connected.

Connecting for the first time is neither a pause nor a reconnect; "Seamless Tunnel" cannot interfere until the first connection is established, and until then all traffic is direct and NOT through the VPN.

Once again, this is not your fault but a shortcoming of Android in not implementing OpenVPN natively, and of the OpenVPN application. From what I have seen the service and customer care you are providing are great, but it seems I have no way of using your service to tunnel ALL my data on my smartphone.
The only solution I found researching online would be to root my device and switch OS to Cyanogenmod, cmd apparently has native OpenVPN... At this moment I don't have too much time to play around with my device and want to keep it as it is.
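The disagreement in posts #10 and #11 (Staff: "verify that with a packet sniffer"; swissglobetrotter: traffic goes out before the first "Connected") comes down to one measurable question: which packets left the Wi-Fi interface in the clear, and were they sent before or after the tunnel came up. The following is an added example, not code from the thread, from AirVPN or from openvpn-connect: it runs that check over a constructed capture (the Wi-Fi interface is assumed to be wlan0, the tunnel interface tun0, and the VPN server a placeholder TEST-NET-2 address 198.51.100.10 udp/443). In practice you would feed it the output of a real sniffer; the split into "before" and "after" the first tun0 packet is exactly what distinguishes a bootstrap leak from a "Seamless tunnel" failure.

```python
# Added example (not from the thread, not openvpn-connect's code): classify
# packets seen on the Wi-Fi interface as tunnel traffic, local housekeeping,
# or clear-text leaks, split by whether the tunnel was already up.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    iface: str     # interface the packet was seen on
    dst: str       # destination IP address
    dport: int     # destination port
    proto: str     # "udp" or "tcp"


# Assumptions for the example: Wi-Fi is wlan0, the tunnel is tun0, and the
# VPN server is 198.51.100.10 udp/443 (TEST-NET-2, a placeholder address).
WIFI_IFACE = "wlan0"
TUN_IFACE = "tun0"
VPN_ENDPOINTS = {("198.51.100.10", 443, "udp")}


def is_local_housekeeping(p: Packet) -> bool:
    """DHCP, broadcast, multicast and link-local traffic is needed to join
    the Wi-Fi at all and never leaves the LAN, so it is not counted as a leak."""
    addr = ipaddress.ip_address(p.dst)
    if p.proto == "udp" and p.dport in (67, 68):
        return True
    return (addr.is_multicast or addr.is_link_local
            or addr == ipaddress.ip_address("255.255.255.255"))


def tunnel_up_time(packets):
    """The tunnel counts as up from the first packet seen on the tun interface."""
    stamps = [p.ts for p in packets if p.iface == TUN_IFACE]
    return min(stamps) if stamps else None


def find_leaks(packets, vpn_endpoints=VPN_ENDPOINTS):
    """Return (before, after): packets that left the Wi-Fi interface in the
    clear (neither to the VPN server nor local housekeeping), split by
    whether the tunnel was already up when they were sent."""
    up = tunnel_up_time(packets)
    before, after = [], []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.iface != WIFI_IFACE:
            continue   # tun0 traffic is carried inside the tunnel
        if (p.dst, p.dport, p.proto) in vpn_endpoints:
            continue   # the tunnel itself and its handshake
        if is_local_housekeeping(p):
            continue
        if up is None or p.ts < up:
            before.append(p)
        else:
            after.append(p)
    return before, after


# Constructed capture modelling post #11's test: Wi-Fi comes up, the client
# resolves the server name and starts the handshake, an app wakes up in the
# meantime, the tunnel comes up at t=5.0, and one flow bypasses it later.
SAMPLE_CAPTURE = [
    Packet(0.10, "wlan0", "255.255.255.255", 67, "udp"),  # DHCP discover
    Packet(0.50, "wlan0", "192.168.1.1", 53, "udp"),      # DNS: VPN server name
    Packet(0.80, "wlan0", "198.51.100.10", 443, "udp"),   # OpenVPN handshake
    Packet(1.20, "wlan0", "192.168.1.1", 53, "udp"),      # DNS: an app waking up
    Packet(1.30, "wlan0", "203.0.113.5", 443, "tcp"),     # that app's TLS, outside the tunnel
    Packet(5.00, "tun0", "10.4.0.1", 53, "udp"),          # first packet inside the tunnel
    Packet(5.10, "tun0", "203.0.113.5", 443, "tcp"),
    Packet(5.20, "wlan0", "198.51.100.10", 443, "udp"),   # encapsulated tunnel traffic
    Packet(9.00, "wlan0", "203.0.113.9", 80, "tcp"),      # bypasses the tunnel after it is up
]


def report(packets=SAMPLE_CAPTURE):
    before, after = find_leaks(packets)
    return {"before_tunnel": [(p.ts, p.dst, p.dport) for p in before],
            "after_tunnel": [(p.ts, p.dst, p.dport) for p in after]}


if __name__ == "__main__":
    for phase, leaks in report().items():
        print(phase, leaks)
```

On the constructed capture the three "before" entries are the bootstrap leaks the user describes (two DNS queries to the hotspot resolver and one TLS connection), and the single "after" entry is the kind of leak "Seamless tunnel" is meant to prevent. Note that the DNS query for the VPN server's own name is itself a clear-text packet; the "resolved hosts" configuration discussed later in the thread removes it.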



#12 Staff (Advanced Member, Staff, 7792 posts)

Posted 20 October 2013 - 12:38 PM

Hello!

It's not even your device's fault, it's expected behavior. That's why we told you that the "trick" is to never shut down openvpn-connect: after the "bootstrap", i.e. after the first connection/tunnel establishment, you should have no more "leaks" forever, not even after a reboot, as long as you do NOT shut down openvpn-connect.

Kind regards



#13 swissglobetrotter (Newbie, Members, 5 posts)

Posted 20 October 2013 - 05:30 PM

"Forever" if I had a server in an office. The use of a smartphone is to be on the move with it and continuously connect/disconnect to different WiFi, each time having "leaks" before starting the session.



#14 Staff (Advanced Member, Staff, 7792 posts)

Posted 20 October 2013 - 07:48 PM

Quote (swissglobetrotter): "Forever" if I had a server in an office. The use of a smartphone is to be on the move with it and continuously connect/disconnect to different WiFi, each time having "leaks" before starting the session.

Hello!

As we have already told you, this is not what we experience, not even with reboots of the device in different networks (assuming of course that openvpn-connect is never shut down or put in "Disconnect" status). Are you sure that you have leaks when you change network? If so, maybe you have discovered a previously undetected openvpn-connect bug that you might like to report.

In this case, here's an immediate work-around:

1) set your device DNS to the VPN DNS IP addresses (10.4.0.1 etc.) https://airvpn.org/specs

2) use only configuration files which include IP addresses and not names (tick "Advanced Options" in the Configuration Generator, then tick "Resolved hosts in .ovpn files" and "All servers for area or region").

In this way your device will not be able to resolve any name until it's in the private network, while maintaining the ability to connect to any VPN server, therefore preventing leaks to all services that need DNS resolution (all of the services which you cited).
Kind regards
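The second half of the work-around above (an .ovpn that carries only IP literals in its `remote` lines) is something you can verify on the profile itself before trusting it on a hostile network. The following is an added example, not code from the thread or from AirVPN's Configuration Generator: it lists the `remote` entries of a profile that still name a host, and rewrites them from a resolution table captured beforehand, one `remote` line per address, so the client has nothing to look up before the tunnel exists. The sample profile, the hostname `nl.vpn.example.net`, the TEST-NET-2 addresses and the resolution table are all constructed for the example. The first half of the work-around (pointing the device's DNS at 10.4.0.1) is an Android network setting and is not touched here.

```python
# Added example (not from the thread, not AirVPN's generator): find and
# replace hostname `remote` directives in an OpenVPN client profile so the
# client never needs a DNS answer from the hotspot to reach the VPN server.
import ipaddress

# Constructed sample profile; the hostname and addresses are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote nl.vpn.example.net 443
remote 198.51.100.10 443
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
"""

# Constructed resolution table, standing in for what "Resolved hosts in
# .ovpn files" would bake into the profile.
RESOLVED = {"nl.vpn.example.net": ["198.51.100.20", "198.51.100.21"]}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _remote_parts(line: str):
    """Return (host, remaining_tokens) for a `remote HOST [PORT [PROTO]]`
    directive, or None for any other line (including comments)."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    tokens = stripped.split()
    if tokens[0] != "remote" or len(tokens) < 2:
        return None
    return tokens[1], tokens[2:]


def unresolved_remotes(ovpn_text: str):
    """Hostnames in `remote` lines that would force a DNS query before the
    tunnel is up (the leak the work-around is meant to close)."""
    names = []
    for line in ovpn_text.splitlines():
        parts = _remote_parts(line)
        if parts and not _is_ip_literal(parts[0]):
            names.append(parts[0])
    return names


def rewrite_remotes(ovpn_text: str, resolved: dict) -> str:
    """Replace each hostname `remote` with one line per resolved address,
    keeping the port/proto tokens. A hostname with no known addresses is an
    error rather than something silently left behind."""
    out = []
    for line in ovpn_text.splitlines():
        parts = _remote_parts(line)
        if parts is None or _is_ip_literal(parts[0]):
            out.append(line)
            continue
        host, rest = parts
        if host not in resolved:
            raise ValueError(f"no resolved addresses for {host}")
        for ip in resolved[host]:
            out.append(" ".join(["remote", ip] + rest))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unresolved:", unresolved_remotes(SAMPLE_OVPN))
    fixed = rewrite_remotes(SAMPLE_OVPN, RESOLVED)
    assert unresolved_remotes(fixed) == []
    print(fixed)
```

Because `remote-random` is kept, the client still picks among all the listed addresses, which is what "All servers for area or region" buys you: the profile loses nothing in server choice, it only loses the need to ask the hotspot's resolver who the servers are. Re-run `unresolved_remotes` on any regenerated profile before putting it on the device.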



#15 shitbook (Newbie, Members, 1 post)

Posted 18 February 2016 - 07:24 PM

Where I work, they permit IPsec connections through the company's WiFi. But no OpenVPN.

Otherwise AirVPN would have been an instant buy.

Best regards



#16 Khariz (Advanced Member, Members, 417 posts)

Posted 19 February 2016 - 12:54 AM

They can't stop you from establishing an OpenVPN connection if you know how to configure it properly. AirVPN is one of the only companies that ensures you can do this.



#17 airvipien (Newbie, Members, 3 posts)

Posted 25 February 2016 - 08:49 PM

What if the only port open lets you use IPsec?
I have the same problem. I can establish an IPsec connection, but no OpenVPN connections.
It seems the only port open behind the company's firewall is port 500 for IPsec?
So in the office AirVPN is useless for me to connect to the internet :-(




