Proxy, http analyzer, mitm, transparent proxy
NO NEED FOR ROOTED PHONE
Why would you use it:
- behind corporate firewall/proxy, needing to connect to squid, isa/forefront proxy with authentication
http://code.google.com/p/sandrop/wiki/HowToConnectToOtherProxy
- developer to examine http traffic, with embedded chrome devtools that can be used as ide
- security analyst examining how apps communicate with servers
- ...
Features:
- can act as pass-through proxy, traffic is not stored, ssl tunnel remains the same to server.
- capture,intercept request/response, replay, change before sending further
- can use client certificate to make connection to web server
- creates server certificates on the fly with proper host name
- transparent proxy needs superuser, su, iptables (1.4.10 or higher) to listen on port 80, 443
- request/response are stored as files so can be examined later on
- can bind only local or on all adapters
- client cache headers can be removed so content is always fetched from server (no 304 Not Modified responses)
- custom proxy plugins http://code.google.com/p/sandrop/issues/detail?id=31
- custom search criteria on show request/responses with scripting
- can connect to another proxy (Squid, ISA proxy, ForeFront TMG proxy) (basic, digest, ntlm authentication supported)
- can act as web server to filter/examine captured data
- can connect to insecure sites, switch on/off in preferences
- can use chrome devtools to examine captured data
- chrome devtools 3D panel
- websockets support
!!!!
there are ads on log tab and google analytic events on switching tabs
sorry for that
!!!!
custom proxy plugins:
manual requests:
market.android.com/details?id=org.sandroproxy
http://code.google.com/p/sandrop/
Proxy acts as SSL man-in-the-middle. It generates site certificates on the fly.
Issuer is named UNTRUSTED.
Based on WebScarab so all credits goes there.
www.owasp.org/index.php/Category:OWASP_WebScarab_Project
********************
Requests/Responses are stored in getExternalCacheDir()
/mnt/sdcard/Android/data/org.sandroproxy/cache
http://developer.android.com/reference/android/content/Context.html#getExternalCacheDir()
There is no security enforced with these files. All applications can read and write files placed here.
********************
Use stock browser and change that wi-fi uses proxy on localhost:8008
code.google.com/p/sandrob/issues/detail?id=41#c27
Copy from app thread, because it can also be used as development tool.
For example to store application/server http/https communication.
This is sweet, good job!
wow.. this is what I'm looking for...! thanks, downloading it.
is it tracking request from internet browser only or any request from every app and any protocol maybe? in spite of the title HTTP/HTTPS analyzer
Just for http/https.
It can act as
proxy -> you must specify proxy in browser settings
transparent proxy -> you must somehow change where tcp packets are going (iptables)
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
Now I am working on tab where redirection on phone can be done from gui for all processes that have network permissions.
It creates iptable rules as:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
But still long way to make it work properly...
It can track any app that uses http/https.
Not quite sure about ports. Probably just 80/433 but I could change that can be value in preferences.
New feature: gui for process->transparent proxy redirection
It activated additional iptables rules so the process is redirected to transparent proxy.
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
new feature: browser cache on/off
There is setting that removes browser cache headers.
dumb question: would your app help to make gTalk work on corporate networks protected by Forefront ?
Many thanks
Sorry, not yet.
Probably you need NTLM authentication to proxy?
Chaining Sandroproxy to ntlm proxy is on the list of future features.
I can't find it on the Market/Play crap.
Device: GT-i9100 on 4.0.3 rooted. Country: Greece
Current Operator:Vodafone GR, tried also with GR COSMOTE. Any ideas?
MemoryController said:
I can't find it on the Market/Play crap.
Device: GT-i9100 on 4.0.3 rooted. Country: Greece
Current Operator:Vodafone GR, tried also with GR COSMOTE. Any ideas?
I'm assuming you clicked on the link in the OP? Have you tried searching the Play Store from a browser while logged into Google? It will tell you if your device is compatible or not.
It should work on all devices from 2.3 OS up.
New feature: user custom proxy plugins
You can make your own custom plugin to handle http request/response flow
http://code.google.com/p/sandrop/issues/detail?id=31#c3
New feature: user custom CA certificate, import CA to android store
User can set custom CA for generating site certificates.
Or use generated one.
Password can be set. if not, default ("password") will be used.
There is option to store SandroProxy certificate in android store.
If custom, not generated is used, be careful that it contains BasicConstraints with isCA flag set to true.
Otherwise will not be recognised as CA certificate.
New feature: user custom search criteria on show request/responses
User can specify with scripting (BeanShell) which request/responses are shown on the list
http://code.google.com/p/sandrop/issues/detail?id=23
It does nothing...
Hi
I'm on a rooted xperia SK17i, I set it as transparent proxy, but it does collect nothing, does not display any app...
Should I use an external proxy app to redirect traffic on a specific port (for ex. 8008) on which sandroproxy is listening?
Transparent proxy setup for app
How to redirect app on device to local sandroproxy:
1. first you check on which app would you like to redirect to transparent proxy. APPS tab
2. check in preferences that transparent proxy is enabled. Transparent proxy = ON
3. check version of iptables. It should not be 1.3.x because it has problems with nat table.
----You can fix iptables with this app from market
----https://play.google.com/store/apps/details?id=com.mgranja.iptables
4. start proxy
You can check iptables rules when proxy is active with Info Menu action.
Or from adb shell:
iptables -L
iptables -t nat -L
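The "check iptables rules" step above is easier to do reliably if the listing is parsed rather than eyeballed. The following is an added example, not SandroProxy's own code: it parses `iptables -L -t nat` output into chains and rules, skips the bionic `FIX ME!` noise lines and the `- successful.` markers that the app's log interleaves, copes with the empty-target rows that `iptables -L` prints for `owner` matches, and then verifies that the `sandroproxy` nat chain is referenced from PREROUTING and redirects dpt:www to 8009 and dpt:https to 8010. The sample listing is copied from the log posted later in this thread; the ports checked are the ones the app reports it listens on.

```python
import re

# Constructed sample: the `iptables -L -t nat` listing as SandroProxy's log
# shows it, including the bionic "FIX ME!" noise the parser must skip.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
sandroproxy all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain sandroproxy (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 8009
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8010
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
- successful.
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# Lines that are not rules: column header, app status markers, bionic warnings.
NOISE_PREFIXES = ("target prot opt", "- successful", "- failed", "FIX ME!")
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}


def parse_iptables_listing(text):
    """Turn `iptables -L` output into {chain_name: [rule, ...]}.

    Each rule is a dict with target/prot/source/destination/extra, where
    `extra` is the trailing match text such as "tcp dpt:www redir ports 8009".
    """
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE_PREFIXES):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None:
            continue  # rule text before any chain header: ignore it
        fields = line.split()
        # `iptables -L` prints an empty target column for pure match rules
        # (e.g. "all -- anywhere anywhere owner socket exists").
        if fields[0] in PROTOS and len(fields) > 1 and fields[1] == "--":
            fields.insert(0, "")
        if len(fields) < 5:
            continue
        target, prot, _opt, src, dst = fields[:5]
        chains[current].append({
            "target": target, "prot": prot, "source": src,
            "destination": dst, "extra": " ".join(fields[5:]),
        })
    return chains


def redirect_ports(chains, chain="sandroproxy"):
    """Map destination port name -> local port for REDIRECT rules in `chain`."""
    ports = {}
    for rule in chains.get(chain, []):
        if rule["target"] != "REDIRECT":
            continue
        dpt = re.search(r"dpt:(\S+)", rule["extra"])
        redir = re.search(r"redir ports (\d+)", rule["extra"])
        if dpt and redir:
            ports[dpt.group(1)] = int(redir.group(1))
    return ports


def check_transparent_proxy(chains, expected=None):
    """Return a list of problems; an empty list means redirection is wired up."""
    expected = expected or {"www": 8009, "https": 8010}
    if "sandroproxy" not in chains:
        return ["nat chain 'sandroproxy' does not exist"]
    problems = []
    if not any(r["target"] == "sandroproxy" for r in chains.get("PREROUTING", [])):
        problems.append("PREROUTING does not jump to 'sandroproxy'")
    found = redirect_ports(chains)
    for name, port in expected.items():
        if found.get(name) != port:
            problems.append(
                f"no REDIRECT of dpt:{name} to port {port} (found {found.get(name)})")
    return problems


if __name__ == "__main__":
    parsed = parse_iptables_listing(SAMPLE_NAT_LISTING)
    print("redirects:", redirect_ports(parsed))
    print("problems:", check_transparent_proxy(parsed) or "none")
```

On a device, feed it the output of `adb shell su -c "iptables -L -t nat"` instead of the embedded sample; a non-empty problem list is the first thing to look at when the APPS tab shows nothing captured.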
Publiuss said:
Hi
I'm on a rooted xperia SK17i, I set it as transparent proxy, but it does collect nothing, does not display any app...
Should I use an external proxy app to redirect traffic on a specific port (for ex. 8008) on which sandroproxy is listening?
Tried this on ICS9, iptables -V = 1.4.x, transparent proxy
HTTP traffic is pushing through the App with no problems. But HTTPS traffic capturing seems like not working...
Saw some FIX ME! comments in the log, maybe that's the reason?...
Proxy listening on 127.0.0.1:8010
Proxy listening on 127.0.0.1:8009
Proxy listening on 127.0.0.1:8008
Finished loading session from /mnt/sdcard/Android/data/org.sandroproxy/cache
Done!
Loading cookies
Loading urls
Loading conversations
Loading session from /mnt/sdcard/Android/data/org.sandroproxy/cache
Using CA from file: /mnt/sdcard/Android/data/org.sandroproxy/cache/.keystoreca
CA cert exported to /mnt/sdcard/Android/data/org.sandroproxy/cache/.keystoreca_export.crt
Loading keys from /mnt/sdcard/Android/data/org.sandroproxy/cache/.keystoreca
Using /mnt/sdcard/Android/data/org.sandroproxy/cache for data storage
client cert file name is not valid so it will not be used:/mnt/sdcard/cert.p12
#attach sandroproxy to INPUT chain
iptables -A INPUT -j sandroproxy
- successful.
#attach sandroproxy to nat PREROUTING chain
iptables -t nat -A PREROUTING -j sandroproxy
- successful.
#attach sandrop_proc to nat OUTPUT chain
iptables -t nat -A OUTPUT -j sandrop_proc
- successful.
#redirect outbound port from 443 to 127.0.0.1:8010
iptables -t nat -A sandrop_proc -m owner --uid-owner 10099 -p tcp --dport 443 -j DNAT --to 127.0.0.1:8010
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#logging before redirection is made to /proc/kmsg
iptables -t nat -A sandrop_proc -m owner --uid-owner 10099 -p tcp --dport 443 -j LOG --log-level debug --log-prefix "[NewConnection]" --log-uid
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#redirect outbound port from 80 to 127.0.0.1:8009
iptables -t nat -A sandrop_proc -m owner --uid-owner 10099 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#logging before redirection is made to /proc/kmsg
iptables -t nat -A sandrop_proc -m owner --uid-owner 10099 -p tcp --dport 80 -j LOG --log-level debug --log-prefix "[NewConnection]" --log-uid
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#create sandro_proc chain
iptables -t nat --new sandrop_proc
iptables: Chain already exists.
- failed!
Error executing superuser commands: length=4096; regionStart=0; regionLength=-1
#redirect outbound port from 80 to 127.0.0.1:8009
iptables -t nat -A sandrop_proc -m owner --uid-owner 10052 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#logging before redirection is made to /proc/kmsg
iptables -t nat -A sandrop_proc -m owner --uid-owner 10052 -p tcp --dport 80 -j LOG --log-level debug --log-prefix "[NewConnection]" --log-uid
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#create sandro_proc chain
iptables -t nat --new sandrop_proc
- successful.
#list of iptables
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
sandroproxy all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
Chain costly_shared (0 references)
target prot opt source destination
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere
Chain sandroproxy (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
- successful.
#list of iptables nat
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
sandroproxy all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain sandroproxy (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 8009
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8010
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
- successful.
#redirect 443 to 8010
iptables -A sandroproxy -t nat -p tcp --dport 443 -j REDIRECT --to-port 8010
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#redirect 80 to 8009
iptables -A sandroproxy -t nat -p tcp --dport 80 -j REDIRECT --to-port 8009
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#create sandroproxy chain, , it could fail if already exist
iptables -t nat --new sandroproxy
iptables: Chain already exists.
- failed!
#accept connection on port 443
iptables -A sandroproxy -p tcp --dport 443 -j ACCEPT
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#accept connection on port 80
iptables -A sandroproxy -p tcp --dport 80 -j ACCEPT
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:450
- successful.
#create sandroproxy chain, it could fail if already exist
iptables --new sandroproxy
iptables: Chain already exists.
- failed!
Attaching iptables -L -t nat command
Capturing https is more tricky. It can be done but with some additional stuff.
When app makes ssl request it states hostname.
If ssl server side certificate is not for the same hostname, by default connection is not trusted and dropped.
Sandroproxy has in settings that you can state name for generated certificate.
http://code.google.com/p/sandrop/issues/detail?id=40
Also you should put sandroproxy CA to android store.
http://code.google.com/p/sandrop/issues/detail?id=2
You can test if app will work if you make same request from browser and no popup that something is wrong with ssl appears.
If you redirect browser (native, opera, ...) to sandroproxy, and click continue on ssl popup, it will proceed.
To find out what kind of request app makes on ssl you should check in /proc/kmsg where iptables puts some info.
Or with this app.
https://play.google.com/store/apps/details?id=com.googlecode.networklog
FIX ME is from iptables command and will probably be gone in some new version.
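The hostname check described above is what decides whether an app accepts the certificate SandroProxy generates, so it is worth seeing exactly which names match. The block below is an added example and not SandroProxy code: it implements the reference-identifier matching that TLS clients apply (case-insensitive, wildcard only as the whole leftmost label and covering exactly one label, IP addresses only matched against iPAddress entries), and `generated_cert_accepted()` answers the thread's question for a given app hostname and the name configured for the generated certificate. All hostnames and addresses in it are constructed placeholders.

```python
import ipaddress


def hostname_matches(pattern, hostname):
    """True if certificate DNS name `pattern` covers `hostname` (RFC 6125 rules).

    * comparison is case-insensitive; a trailing dot is ignored
    * a wildcard is honoured only as the entire leftmost label: "*.example.com"
    * the wildcard matches exactly one label, so "*.example.com" covers
      "api.example.com" but neither "example.com" nor "a.b.example.com"
    * a wildcard needs at least two labels after it, so "*.com" is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(dns_names, hostname, ip_addresses=()):
    """Does a certificate with these subjectAltName entries cover `hostname`?

    `dns_names`: dNSName entries (or the CN when the cert has no SAN);
    `ip_addresses`: iPAddress entries. A client connecting to a literal IP
    is matched only against iPAddress entries, never against DNS names.
    """
    try:
        target = ipaddress.ip_address(hostname)
    except ValueError:
        return any(hostname_matches(n, hostname) for n in dns_names)
    return any(ipaddress.ip_address(a) == target for a in ip_addresses)


def generated_cert_accepted(app_hostname, generated_cert_name):
    """The thread's scenario: the app asks for `app_hostname`; the on-the-fly
    certificate carries `generated_cert_name`. Returns True only if a
    name-checking client would proceed (assuming its CA is already trusted)."""
    return cert_covers([generated_cert_name], app_hostname)


if __name__ == "__main__":
    # Constructed names: an app talking to api.example.com while the proxy
    # was configured to issue certificates for the bare domain.
    for configured in ("example.com", "api.example.com", "*.example.com"):
        print(f"cert for {configured!r} vs api.example.com ->",
              generated_cert_accepted("api.example.com", configured))
```

The names an app actually requests show up in the `/proc/kmsg` LOG rules the proxy installs or in NetworkLog, as the post says; use that observed name, not a guess, when filling in the certificate-name setting. A client that pins its server key will still refuse regardless of the name, which this check cannot tell you.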
Losik said:
Tried this on ICS9, iptables -V = 1.4.x, transparent proxy
HTTP traffic is pushing through the App with no problems. But HTTPS traffic capturing seems like not working...
Saw some FIX ME! comments in the log, maybe that's the reason?...
Attaching iptables -L -t nat command
Unfortunately...
I verified hostname by the NetworkLog app that you gave me... set it up in SandroProxy, checked HTTPS next to App, started service, exported and loaded sandroproxy CA... but app doesn't let me through, anyway. In Logs, app seems like trying to change SSL, maybe succeeds, maybe fails, I don't know:
Code:
Reading reqest from browser
Finished negotiating SSL - algorithm is SSL_RSA_WITH_RC4_128_MD5
Intercepting SSL connection!
However, browser works, and says certificate is valid for that hostname.
So... something's wrong with SSL. I guess I'll have to find other ways around (
Anyway, thanks for trying to help me, I appreciate donate it.
Related
Hi all.
I have a question that I have searched for, tried some apps, and have yet to get what I am seeking and should be kinda easy IMO.
I am seeking a way to forward all traffic over wifi through a remote ssh server of mine. I am hoping to do so without changing browsers as I am seeking more than just a browser proxy. I tried apps that claim to do it without success (like the Tor app, and transparent proxy). I think I could get connectbot to do it if it was added to su, but haven't figured that one out yet.
Any suggestions would be loved.
Thanks.
J
Sent from my SPH-D700 using XDA App
Guess this is harder than I assumed. Does anyone have any suggested solution for my needs? Could really use some advice for travel tomorrow.
Sent from my SPH-D700 using XDA App
Sorry for bump
Sent from my SPH-D700 using XDA App
You should be able to foward (nearly) all traffic with OpenVPN. This requires having OpenVPN installed on the proxy machine. Setting this up is a bit tricky, but there should be HOWTO guides available online for it. One of the things you'll need is tunnel device support for your kernel. If it's not compiled in (might be on some of the custom ones), you'll need a tun.ko module. The one in this thread is for the DI18 kernel. If you're running Froyo kernel (e.g., DK28) and it's not compiled in, then you're probably out of luck for now.
Alternatively, if you can live with just HTTP/HTTPS traffic being forwarded, you can use an SSH tunnel along with an HTTP proxy (e.g., tinyproxy) on the proxy end. If you're using the stock browser, you'll need a proxy that supports transparent proxying (tinyproxy does) and you'll have to add firewall rules to the phone to force HTTP traffic over the tunnel. Some alternate browsers (e.g., Opera Mobile) support HTTP proxies directly, so you don't need to add firewall rules.
Assuming you already have an SSH tunnel setup on (localhost) 8888, this firewall rule (entered from a terminal like ConnectBot local) will force all traffic destined for port 80 (HTTP) over it:
Code:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8888
you can clear the rule with:
Code:
iptables -t nat -F OUTPUT
To forward HTTPS traffic, add a second rule using "dport" 443 instead of 80.
You should be able to use ConnectBot to setup the tunnel. Assuming the proxy port on the proxy-end is 8888, you'd setup a rule for "Source port: 8888", "Destination: localhost:8888".
However, the last time I tried doing port-forwarding with ConnectBot it didn't quite work, pages would load partially then stop. Using another ssh client solved the problem. You could try installing dropbear, then from a terminal (e.g., ConnectBot local) run "ssh -L 8888:localhost:8888 [email protected]".
Mk... Thanks for the detailed reply. I will play with your recommendations.
Sent from my SPH-D700 using XDA App
original source
To do this, you will need a server or vps with ssh enabled and a public ip address,
what we are going to do is to use the server as a tunnel to your Raspberry Pi like this:
Code:
Raspberry Pi ----> SERVER <---- A computer outside your home network
To make everything easier, configure your server to use public key authentication, so you
are not going to be asked for a password every time you connect.
First of all, put your ssh key inside ~/.ssh/ BOTH of your raspberry and the computer you
want to use to access the RPI, then we'll configure the server to tunnel connections
to the bind address we specify, so edit your server /etc/ssh/sshd_config and add at the end:
Code:
GatewayPorts clientspecified
Now we are ready, open a screen session on your raspberry and type:
Code:
ssh -R your-server-interface-ip:2222:localhost:22 [email protected]
So, if you want the SSH port to be tunneled only on the server localhost, you shall type:
Code:
ssh -R localhost:2222:localhost:22 [email protected]
Otherwise, if you want it to be tunneled on the public ip address:
Code:
ssh -R your-server-address:2222:localhost:22 [email protected]
Now you are ready, if you used the localhost bind interface, you can reach your RPI connecting
to your server and then, from the inside of the ssh session type:
Code:
ssh -p2222 [email protected]
Else, if you choose the public ip, you will simply connect with:
Code:
ssh -p2222 [email protected]
Enjoy ^_^
Dynamic DNS
Your home connection may not have a static IP address, so most home routers now give the option of filling in dynamic DNS account information that will assign a hostname to your IP address automatically. This means you don't have to keep track of your IP address manually.
Google for "how to set up dynamic dns" -- Wired.com has a nice step-by-step tutorial. (Can't post links yet. :-/) I use DynDNS as my provider, they allow you to set up a hostname using their domains for free.
=RV=
redvelociraptor said:
Your home connection may not have a static IP address, so most home routers now give the option of filling in dynamic DNS account information that will assign a hostname to your IP address automatically. This means you don't have to keep track of your IP address manually.
Google for "how to set up dynamic dns" -- Wired.com has a nice step-by-step tutorial. (Can't post links yet. :-/) I use DynDNS as my provider, they allow you to set up a hostname using their domains for free.
=RV=
Considering in this tutorial i've suggested a dedicated server as tunnel, i don't get why static/dynamic ip address of your home network is important ....
control rpi over nat by http
The hopmsg.com allows you to make a free message channel by creating a random key for free (no registration, login, etc) which can be used to get status / send command to your rpi:
1, Simplest way to Send/Receive message from any kind of OS/browser/platform just by clicking on a link, only need to know the ID of your msg!
Example: set your message by opening a link : hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=message
get your message from any device by opening: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY
or use the Android App to get/set it.
2, Control your device inside Nat/Lan
Example: set your command by opening a link : hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=command
get your command from any device by opening: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY
or use the Android App to get/set it.
3, Basic monitoring system
Bash script checking uptime:
UP=`uptime | sed -e 's/ /_/g'`; curl "hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=`echo ${UP}`"
and use the Android App or a browser to check the status of the device.
4, Get your IP address, the message source, poor man's dyndns
If you set some values, with src=1 parameter your IP and the UTC time also added to your message
Example:
hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=VALUE&src=1
wget -qO- hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY > result.txt
to use with some script.
Hi,
another option is dataplicity , very easy installation , 0 configuration and really good features
Hi, I have this network setup
Dd-wrt where netflix.com and netflix.net are going through us server as I am in country where netflix is not officially supported. I can open netflix on my pc or tablet app and it works
On nexus player I also modified my dns to use my us server
When I sideload tablet netflix apk it can connect but GUI is terrible for tv so I installed official netflix for androidTv but it still shows me error -100, cannot connect
As all other on same network works I assume it is a problem of new app
Any idea what can it be?
Thanks
Are you blocking the following google DNS IPs on your router: 8.8.8.8 and 8.8.4.4
http://help.unotelly.com/support/ar...public-dns-lookups-requires-supported-router-
thanks
I tried this, set it on my dd-wrt router, added -s 192.168.1.5 what is IP of my nexus player (I want to have access to google dns from my other devices) but didn't help...I rebooted nexus player, cleared netflix data but still same error
edit:
so I tried to add lot of other free DNS servers, but still no progress
iptables -I FORWARD -s 192.168.1.5 -d 8.8.8.8 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 8.8.4.4 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 209.244.0.3 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 209.244.0.4 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.67.222.222 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.67.220.220 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 84.200.69.80 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 84.200.70.40 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 8.26.56.26 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 8.20.247.20 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 156.154.70.1 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 156.154.71.1 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 199.85.126.10 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 199.85.127.10 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 81.218.119.11 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 209.88.198.133 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 195.46.39.39 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 195.46.39.40 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 216.87.84.211 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.115.243.35 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 199.5.157.131 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.71.35.137 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.76.50.50 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 208.76.51.51 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 216.146.35.35 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 216.146.36.36 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 37.235.1.174 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 37.235.1.177 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 89.233.43.71 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 91.239.100.100 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 74.82.42.42 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 109.69.8.51 -j DROP
so I did lot of tests...disable this blocking and tried to reroute google DNS to my US DNS server but still didn't help
just thinking if better solution will be to hack netflix app and remove hardcoded google DNS
There are no hard coded DNS IPs in the Netflix app nor the Nexus Player.
so now I am confused...I read somewhere else that it is hardcoded there
but anyway, I also tried this
iptables -A PREROUTING -t nat -p udp -s 192.168.1.5 --dport 53 -j DNAT --to-destination <myUSdnsServer>
iptables -A PREROUTING -t nat -p tcp -s 192.168.1.5 --dport 53 -j DNAT --to-destination <myUSdnsServer>
but didn't help and still have -100 error
any idea what else I can try? thanks
ok got it work finally
I had to remove dnsmasq settings on router, then I just put my US dns server in network settings and did block google public DNS with iptables on router as mentioned in posts before
now it is running fine
Blocking Google is an unnecessary step. But, glad you got it working.
you are right, I did remove that blocking setup in router config and netflix does work...so only blocking point was dnsmasq setup
I'm having troubles with this too still.
I've tried many things:
- Set my US DNS settings directly on the Nexus player (both wireless and wired via USB adapter)
- DNSMasq (which works fine with Netflix on my other devices)
- Drop 8.8.8.8 and 8.8.4.4 requests on my network
- Re-route 8.8.8.8 and 8.8.4.4 requests on my network
- Reinstall Netflix
Nothing is working, in fact if I remove all settings from my router, I still get the -100 error. Something is very weird here
Yesterday when I had to reflash my NP I had same problem again even I set my US DNS on my nexus...but I fixed it this way
I set DHCP and I have my local provider DNS
I put this into DNSmasq
server=/netflix.com/xxx.xxx.xxx.xxx
server=/netflix.net/xxx.xxx.xxx.xxx
server=/nflxvideo.net/xxx.xxx.xxx.xxx
server=/llnwd.net/xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is your US dns IP
And I reinstalled netflix app with my US google account (blank account created just for this) and switch back to my original account and it works
Just for info, I was getting -100 trying to use Netflix in Europe with a European account on a NP. I got the -100 even before being able to login.
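The `server=/domain/ip` lines above work because dnsmasq forwards a query to the upstream of the most specific configured domain that is a suffix of the query name, on label boundaries, and sends everything else to the plain `server=` upstreams. The block below is an added example, not dnsmasq or router code: it parses a config in that shape and answers which upstream a given name would go to, which is the quickest way to see whether a hostname such as `android.nccp.netflix.com` (mentioned later in the thread) is covered by `/netflix.com/`. The upstream addresses are documentation placeholders, not real resolvers; the `#` upstream form (fall back to the standard servers) is handled, `local=` and other directives are ignored.

```python
# Constructed dnsmasq fragment in the shape the post uses (placeholder IPs).
SAMPLE_DNSMASQ_CONF = """\
# streaming domains go to the US resolver
server=/netflix.com/203.0.113.53
server=/netflix.net/203.0.113.53
server=/nflxvideo.net/203.0.113.53
server=/llnwd.net/203.0.113.53
# everything else to the provider's resolver
server=198.51.100.53
"""


def parse_servers(conf_text):
    """Return (domain_rules, default_servers) from dnsmasq `server=` lines.

    domain_rules:    [(domain, upstream), ...] from server=/dom1/dom2/upstream
    default_servers: [upstream, ...] from plain server=upstream lines
    """
    domain_rules, defaults = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")[1:]     # every field but the last is a domain
            upstream = parts.pop()
            for dom in parts:
                domain_rules.append((dom.lower().strip("."), upstream))
        else:
            defaults.append(value)
    return domain_rules, defaults


def upstream_for(qname, domain_rules, defaults):
    """Pick the upstream dnsmasq would forward `qname` to.

    The most specific (longest) matching domain wins; a domain matches only
    the name itself and names ending in ".<domain>", so "fakenetflix.com" is
    not covered by "netflix.com". An upstream of "#" means the default servers.
    """
    q = qname.lower().strip(".")
    best = None
    for dom, upstream in domain_rules:
        if q == dom or q.endswith("." + dom):
            if best is None or len(dom) > len(best[0]):
                best = (dom, upstream)
    if best is None or best[1] == "#":
        return defaults[0] if defaults else None
    return best[1]


def explain(qnames, conf_text=SAMPLE_DNSMASQ_CONF):
    """Convenience: {query name: upstream} for a list of names."""
    rules, defaults = parse_servers(conf_text)
    return {q: upstream_for(q, rules, defaults) for q in qnames}


if __name__ == "__main__":
    for name, up in explain(["android.nccp.netflix.com", "www.google.com",
                             "fakenetflix.com"]).items():
        print(f"{name:28} -> {up}")
```

Run it against your real dnsmasq config to check a hostname seen in a packet capture before adding yet another `server=` line; a name that resolves through the default upstream while its siblings go elsewhere is the usual cause of the partial failures described in this thread.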
Turns out it was because I was using the Google DNS (8.8...). Using my EU provider DNS solved the issue.
So I made it a little bit further. It turns out there was an address that my US DNS provider was not forwarding (specifically: android.nccp.netflix.com ). They don't forward *.netflix.com to maximize customer privacy, which is nice.
Now I'm able to get to the error screen in Netflix where I can choose more details and go down to Connection information. I am getting randomly failed connections to one or more of the 4 netflix servers now. It changes, sometimes it's just one, sometimes it's 3, and the ones failing all change.
I get a nw-2-5 error code on these servers.
I don't believe any other addresses are missing as I've got my router traffic going through wireshark and there are no other DNS requests with addresses the US DNS provider isn't already forwarding.
Anyone have any more ideas? Does it really make a difference using a US Play store account to install the apps? I'm pretty sure it's the same Netflix APK across stores...
this netflix app is really pain in the ass
it was working fine for almost a month...then I reinstalled my NP, installed netflix app again (router settings with dnsmasq for netflix) were not touched and netflix shows me again -100 error before login screen
once, dunno how I was able to get login screen with message my country is not supported, but it happened only once, now still -100 error and I am trying various network settings
update:
so here is the way how to fix this (in my case)
remove dnsmasq settings to fwd netflix via US dns server. Run netflix app, which shows that it is not allowed in my country bla bla, click on sign in and try to sign in, it will sign and show again not supported in my country. Then I re-added my dnsmasq settings on router and apply...click on try again in netflix app (cannot exit the app while changing setup of router), after 2nd try it shows ui-113 error, I tried again and it finally started
Why didn't / don't you just add the US DNS settings into your NP WI-FI settings?
It didn't work (still -100 error) and that US DNS I use is custom and dunno why google services are not working with it
I got the same error, well I should say I've had many errors with the Netflix app and if I uninstall it and re-download it and sign in then it always works.
Unotelly dns settings are on the router. And 8.8.8.8 only is redirected to a fake ip. Netflix is working on Np and chromecasts.
from today I can't run netflix again...nothing changed on my router/network...I thought it is issue that I have older version so I updated the netflix app on my nexus but now it is doing still same...I click on netflix, it shows loading and then exit to home screen
any idea what went wrong?
Update: ok after 2 days it magically starts working again, it looks some issue on netflix side with android apk because during that time also netflix on my nexus 7 didn't work but worked in browser
habskilla said:
There are no hard coded DNS IPs in... the Nexus Player.
So it's different to the Chromecast in that respect?
Hi guys!
I've been using OpenVPN for connecting my phones to my home network.
When I replaced my old phone with Note 4, I noticed that when VPN connectivity is established, DNS is leaking. If you use VPN you can test it here to see if you're also affected by this: https://dnsleaktest.com.
I tried to fix this, but despite all my efforts, DNS traffic just refused to go through the VPN tunnel or DNS not working at all.
Eventually I figured out the series of steps needed and I'd like to share this with you in case someone is having the same problem.
Many thanks to users MaxChinni and Transfusion from this Stack Exchange thread for providing useful information.
Here is how my connection sequence looks like. Needless to say, you need root for this:
1. openvpn --config client.ovpn --daemon
2. iptables -t nat -F OUTPUT
3. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 192.168.1.1
(192.168.1.1 is the internal IP address of my router that has DNS server running and intercepting all packets sent to UDP port 53)
4. pkill netd
5. Set DNS:
ndc resolver flushif tun0
ndc resolver flushdefaultif
ndc resolver setifdns tun0 208.67.222.222 208.67.220.220
ndc resolver setdefaultif tun0
Here is the disconnection sequence:
1. pkill openvpn
2. iptables -t nat -F OUTPUT
3. pkill netd
4. Set DNS:
ndc resolver flushif wlan0
ndc resolver flushdefaultif
ndc resolver setifdns wlan0 208.67.222.222 208.67.220.220
ndc resolver setdefaultif wlan0
Note: wlan0 interface is my Wi-Fi. If I'm on 4G, then I use "rmnet_data0" instead.
Attached are the exported Tasker tasks. I'm using some icons from these icon packs, so unless you want to change these tasks to use your own icons, you might want to install them first:
Ipack / Kyo-Tux Aeon HD
Ipack / Crystal Project HD
IMPORTANT:
* OpenVPN profiles are expected to be in "/storage/extSdCard/OpenVPN". Replace this path with your own if you want to use a different location.
* Before running "VPN Toggle" task you will need to set %VPN_PROFILE variable to the file name of OpenVPN profile you would like to use, e.g. "client.ovpn".
* I have a check for my home Wi-Fi to prevent starting VPN accidentally in this case, so you might want to change the reg-exp in "VPN Toggle" task that checks %SSID variable. It's currently checking for SSIDs to start with "FBIVan".
* You might also want to add a task that runs on boot to set the widget name to the one you want.
After you import these tasks, just create a widget on your desktop to run "VPN Toggle" task.
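The connect and disconnect sequences above, wrapped into one script as an added example (this is not the poster's Tasker export): the router address, the OpenDNS resolvers and the interface names are taken from the post; DRY_RUN=1 prints the commands instead of running them, which is handy for checking the sequence before trusting it with root.

```shell
# Added example, not from the post: connect/disconnect sequences as functions.
# ROUTER_DNS is the router intercepting UDP/53 (192.168.1.1 in the post).
# DRY_RUN=1 prints each command instead of executing it (root needed otherwise).
set -u

ROUTER_DNS="${ROUTER_DNS:-192.168.1.1}"
DNS1="${DNS1:-208.67.222.222}"
DNS2="${DNS2:-208.67.220.220}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# set_dns IFACE: restart netd's resolver state and point it at IFACE (steps 4-5).
set_dns() {
    run pkill netd
    run ndc resolver flushif "$1"
    run ndc resolver flushdefaultif
    run ndc resolver setifdns "$1" "$DNS1" "$DNS2"
    run ndc resolver setdefaultif "$1"
}

# vpn_up PROFILE: start OpenVPN, rewrite every outgoing DNS query to the
# router, then make tun0 the resolver's default interface.
vpn_up() {
    run openvpn --config "$1" --daemon
    run iptables -t nat -F OUTPUT
    run iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "$ROUTER_DNS"
    set_dns tun0
}

# vpn_down IFACE: stop OpenVPN, drop the DNAT rule, resolve via IFACE again.
vpn_down() {
    run pkill openvpn
    run iptables -t nat -F OUTPUT
    set_dns "$1"
}

# pick_iface: wlan0 when Wi-Fi is up, otherwise the 4G interface named in the post.
pick_iface() {
    if [ "$(cat /sys/class/net/wlan0/operstate 2>/dev/null)" = up ]; then
        echo wlan0
    else
        echo rmnet_data0
    fi
}

case "${1:-}" in
    up)   vpn_up "${2:?usage: up PROFILE.ovpn | down}" ;;
    down) vpn_down "$(pick_iface)" ;;
esac
```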
Nice, any chance of posting that tasked profile? I would appreciate it
Amd4life said:
Nice, any chance of posting that tasked profile? I would appreciate it
Updated the first post with exported tasks.
So I figured I post a guide here for any of you having trouble routing a VPN through the wifi tether interface.
Before I start, you must have root! Which means this will only work on international variants of the Galaxy S8/S8+ with unlocked bootloaders.
There are plenty of guides online on how to root.
First off, native tethering does NOT use the wlan0 as the interface! Instead the Galaxy S8/S8+ use an interface named swlan0. This means forget all the apps you may have been using like "Android Wifi Tether" etc. You will have to do this manually.
How to setup your phone:
1. First off, start by downloading a VPN app from the Play Store. My preferred app is "NordVPN" as they offer Netflix and Hulu access. Yes, NordVPN does cost money, so you're welcome to use any VPN of your choice.
2. Now download an app called "Scripter" from the play store and open it. https://play.google.com/store/apps/details?id=com.faziklogic.scripter
3. Click "Create Script"
4. In the first box name it anything you want like "Tether Hack"
5. In the second box labeled "Commands" copy and paste the below code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev swlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev swlan0 scope link table 61
And click "Save"
6. (Optional) Download an app called "Wifi Hotspot Widget" https://play.google.com/store/apps/details?id=com.aiuspaktyn.hotspot so you can add it to your home screen layout for quick access to start Android's wifi tethering feature. While you're at it, make a quick shortcut of the VPN app you chose and the "Scripter" app so you can easily start the tethering with VPN.
7. Now the fun part: start your VPN first. Then start your Android wifi tethering feature. Finally, open the "Scripter" app and select the script you made earlier. It will ask if you want to run the script, click "YES".
8. Done! Now go ahead and test it out by connecting your computer to the wifi access point you made and visit a website to verify your VPN is working.
Keep in mind the biggest advantage to this, aside from security, is that this will NOT use your carrier's tethering data usage. So if you have unlimited data but only 7GB of tethering, with this trick you WILL have UNLIMITED tethering.
If you have any questions or liked this post please feel free to comment below or PM me anytime!
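The Scripter commands from step 5 as an added example (not the poster's script), with the same policy routing kept but the iptables part shown twice: once exactly as posted, and once narrowed so that hotspot traffic is only ever forwarded into tun0 and is rejected if it would fall back to the carrier interface when the VPN is down. swlan0, tun0 and 192.168.43.0/24 are from the post; UPLINK_IF (rmnet_data0) is an assumption, and DRY_RUN=1 prints instead of executing.

```shell
# Added example, not the post's Scripter script. Interface names follow the
# post except UPLINK_IF, which is an assumed carrier interface name.
# DRY_RUN=1 prints the commands instead of running them (root needed otherwise).
set -u

TETHER_IF="${TETHER_IF:-swlan0}"
VPN_IF="${VPN_IF:-tun0}"
UPLINK_IF="${UPLINK_IF:-rmnet_data0}"
TETHER_NET="${TETHER_NET:-192.168.43.0/24}"
TABLE=61

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Policy routing from the post: hotspot clients use table 61, whose default is the VPN.
route_via_vpn() {
    run ip rule add from "$TETHER_NET" lookup "$TABLE"
    run ip route add default dev "$VPN_IF" scope link table "$TABLE"
    run ip route add "$TETHER_NET" dev "$TETHER_IF" scope link table "$TABLE"
    run ip route add broadcast 255.255.255.255 dev "$TETHER_IF" scope link table "$TABLE"
}

# Rules exactly as posted: every forward accepted and masqueraded, whatever the interface.
tether_up_open() {
    run iptables -t filter -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -t filter -I FORWARD -j ACCEPT
    run iptables -t nat -I POSTROUTING -j MASQUERADE
    route_via_vpn
}

# Narrowed variant: forward only between hotspot and VPN, NAT only when leaving
# via the VPN, and reject hotspot traffic that would otherwise exit via the carrier.
tether_up_strict() {
    run iptables -t filter -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -t filter -A FORWARD -i "$TETHER_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -t filter -A FORWARD -i "$VPN_IF" -o "$TETHER_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A FORWARD -i "$TETHER_IF" -o "$UPLINK_IF" -j REJECT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    route_via_vpn
}

# Undo either variant before stopping the hotspot or the VPN.
tether_down() {
    run ip rule del from "$TETHER_NET" lookup "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t filter -F FORWARD
    run iptables -t nat -F POSTROUTING
}
```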
Reserved
thanks
Well cool. Cheers. You just breathed new life into an old fossil. Now I have a new target; something of interest to code for.