G955F Galaxy S8/S8+ Wifi Tether VPN Route for Unlimited Tethering - Samsung Galaxy S8+ Guides, News, & Discussion

So I figured I'd post a guide here for any of you having trouble routing a VPN through the wifi tether interface.
Before I start, you must have root! Which means this will only work on international variants of the Galaxy S8/S8+ with unlocked bootloaders.
There are plenty of guides online on how to root.
First off, native tethering does NOT use wlan0 as the interface! Instead the Galaxy S8/S8+ use an interface named swlan0. This means forget all the apps you may have been using like "Android Wifi Tether" etc. You will have to do this manually.
How to set up your phone:
1. First off, start by downloading a VPN app from the Play Store. My preferred app is "NordVPN" as they offer Netflix and Hulu access. Yes, NordVPN does cost money, so you're welcome to use any VPN of your choice.
2. Now download an app called "Scripter" from the Play Store and open it. https://play.google.com/store/apps/details?id=com.faziklogic.scripter
3. Click "Create Script"
4. In the first box name it anything you want, like "Tether Hack"
5. In the second box labeled "Commands" copy and paste the below code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev swlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev swlan0 scope link table 61
And click "Save"
6. (Optional) Download an app called "Wifi Hotspot Widget" https://play.google.com/store/apps/details?id=com.aiuspaktyn.hotspot so you can add it to your home screen layout for quick access to start Android's wifi tethering feature. While you're at it, make a quick shortcut of the VPN app you chose and the "Scripter" app so you can easily start the tethering with VPN.
7. Now the fun part: start your VPN first. Then start your Android wifi tethering feature. Finally, open the "Scripter" app and select the script you made earlier. It will ask if you want to run the script; click "YES".
8. Done! Now go ahead and test it out by connecting your computer to the wifi access point you made and visit a website to verify your VPN is working.
Keep in mind the biggest advantage to this, aside from security, is that this will NOT use your carrier's tethering data usage. So if you have unlimited data but only 7GB of tethering, with this trick you WILL have UNLIMITED tethering.
If you have any questions or liked this post please feel free to comment below or PM me anytime!

Reserved

thanks

mfoster978 said:
So I figured I'd post a guide here for any of you having trouble routing a VPN through the wifi tether interface.
Before I start, you must have root! Which means this will only work on international variants of the Galaxy S8/S8+ with unlocked bootloaders.
There are plenty of guides online on how to root.
First off, native tethering does NOT use wlan0 as the interface! Instead the Galaxy S8/S8+ use an interface named swlan0. This means forget all the apps you may have been using like "Android Wifi Tether" etc. You will have to do this manually.
How to set up your phone:
1. First off, start by downloading a VPN app from the Play Store. My preferred app is "NordVPN" as they offer Netflix and Hulu access. Yes, NordVPN does cost money, so you're welcome to use any VPN of your choice.
2. Now download an app called "Scripter" from the Play Store and open it. https://play.google.com/store/apps/details?id=com.faziklogic.scripter
3. Click "Create Script"
4. In the first box name it anything you want, like "Tether Hack"
5. In the second box labeled "Commands" copy and paste the below code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev swlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev swlan0 scope link table 61
And click "Save"
6. (Optional) Download an app called "Wifi Hotspot Widget" https://play.google.com/store/apps/details?id=com.aiuspaktyn.hotspot so you can add it to your home screen layout for quick access to start Android's wifi tethering feature. While you're at it, make a quick shortcut of the VPN app you chose and the "Scripter" app so you can easily start the tethering with VPN.
7. Now the fun part: start your VPN first. Then start your Android wifi tethering feature. Finally, open the "Scripter" app and select the script you made earlier. It will ask if you want to run the script; click "YES".
8. Done! Now go ahead and test it out by connecting your computer to the wifi access point you made and visit a website to verify your VPN is working.
Keep in mind the biggest advantage to this, aside from security, is that this will NOT use your carrier's tethering data usage. So if you have unlimited data but only 7GB of tethering, with this trick you WILL have UNLIMITED tethering.
If you have any questions or liked this post please feel free to comment below or PM me anytime!
Well cool. Cheers. You just breathed new life into an old fossil. Now I have a new target; something of interest to code for.

Related

[MISC] Activate and Adjust Wifi HotSpot Settings, No Root Necessary

Interestingly enough, if you install Launcher Pro or similar you can pop right on over to the Froyo AP settings.
It's very straightforward; all you need to do is long press your homescreen and create a shortcut/activity that goes directly to the Wifi AP settings. What you are looking for is:
com.android.settings.wifi.WifiApSettings
It's exactly as you would find on the Nexus One; it's just hidden from the standard menus to keep the noobs out, I suppose. Hopefully they leave this in, since the cat is out of the bag!
Edit:
HamNCheese has figured out that the temp root is necessary to kick things off. It's not really complex; here are his instructions:
HamNCheese said:
Here's a workaround to get things working (for now)
Step 1: get root
Step 2: Add the wifi settings shortcut as posted in this thread and configure your AP
Step 3: Create dnsmasq.conf:
Code:
no-resolv
no-poll
server=208.67.222.222
server=208.67.220.220
dhcp-authoritative
Step 4: adb push dnsmasq.conf to /data/local/tmp
Step 5: create wifi.sh:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
./busybox ifconfig wl0.1 192.168.1.1
dnsmasq --strict-order --bind-interfaces --pid-file=/data/local/tmp/dnsmasq.pid --conf-file=/data/local/tmp/dnsmasq.conf --listen-address 192.168.1.1 --dhcp-range 192.168.1.2,192.168.1.254 --dhcp-lease-max=253
iptables -t nat --append POSTROUTING --out-interface rmnet0 -j MASQUERADE
iptables --append FORWARD --in-interface wl0.1 -j ACCEPT
Step 6: adb push wifi.sh to /data/local/tmp
Step 7: su, change to /data/local/tmp and run wifi.sh
Step 8: (important) Connect to your AP only after dnsmasq is started, otherwise you will get weird DNS failures.
Credit to teferi for his original USB tether script.
Ha! Nice find...
You beat me to it! I was just noticing that switchpro has an option to enable hotspot access. I still couldn't get to it, but the ssid popped up on my laptop.
This feature would make waiting for root soooo much easier. lol
Stupid dhcp...
Holy crap dude there it is! That's awesome. Thanks a lot for finding that out. Hopefully it does stay in.
Were you actually able to connect? My devices keep waiting to obtain an IP address.
Sent from my T-Mobile G2 using XDA App
Rather than install an entirely new launcher, you could probably access this by installing AnyCut and creating a shortcut from there. Good luck to all you folks in G2 land!
Sent from my Nexus One using XDA App
Yeah, it's not working. Good find still though.
I can get to it, but it's not working for me. Gets enabled, shows up on my laptop, but I never get an IP to use.
sherifone said:
Interestingly enough, if you install Launcher Pro or similar you can pop right on over to the Froyo AP settings.
It's very straightforward; all you need to do is long press your homescreen and create a shortcut/activity that goes directly to the Wifi AP settings. What you are looking for is:
com.android.settings.wifi.WifiApSettings
It's exactly as you would find on the Nexus One; it's just hidden from the standard menus to keep the noobs out, I suppose. Hopefully they leave this in, since the cat is out of the bag!
I can't get anything to connect with it though so that's kind of a bust. Nice work on the hunt though!
Sent from my HTC Vision
To all of you trying to make it work, it doesn't. Something is disabled in the IP tables or something to that effect. The hotspot menu was removed from the settings.apk from the g2 shipped rom as another way to try and disable hotspot access. Looks like we're getting close!
I'm unable to get it up and running either. I see the SSID, but no valid connection.
Hopefully there's a simple workaround
InGeNeTiCs said:
Something is disabled in the IP tables or something to that effect.
Actually, everything is present - modules, iptables, etc. People are using the other wifi tether package successfully.
I think I found a solution.
We need to have an application to direct 3G data through post-added firewall and DHCP server, and direct to "hidden" hotspot.
When the application starts, it'll enable hotspot, and it'll get data from the network like other internet-based application, and direct to firewall/DHCP, and finally goes to the hotspot.
It's much like easytether or PDAnet, but the destination is hotspot instead of USB.
In addition, this application should have more options than native mobile hotspot like SSID hiding, site filtering, MAC address filtering.
Which wifi tether package is currently working?
Sent from my T-Mobile G2 using XDA App
YOU CAN TETHER YOUR PHONE TO YOUR PC WITH "EASY TETHER"
Edit: IT WORKS. You can tether your phone using it.
Has Anyone Tried "Easy Tether"?
Here's a workaround to get things working (for now)
Step 1: get root
Step 2: Add the wifi settings shortcut as posted in this thread and configure your AP
Step 3: Create dnsmasq.conf:
Code:
no-resolv
no-poll
server=208.67.222.222
server=208.67.220.220
dhcp-authoritative
Step 4: adb push dnsmasq.conf to /data/local/tmp
Step 5: create wifi.sh:
Code:
# allow the kernel to forward packets between the AP interface and the 3G link
echo 1 > /proc/sys/net/ipv4/ip_forward
# give the hidden hotspot interface (wl0.1 on the G2) its gateway address
./busybox ifconfig wl0.1 192.168.1.1
# DHCP and DNS for the clients, using the dnsmasq.conf pushed in step 4
dnsmasq --strict-order --bind-interfaces --pid-file=/data/local/tmp/dnsmasq.pid --conf-file=/data/local/tmp/dnsmasq.conf --listen-address 192.168.1.1 --dhcp-range 192.168.1.2,192.168.1.254 --dhcp-lease-max=253
# NAT the clients' traffic out of the 3G interface and allow forwarding from the AP
iptables -t nat --append POSTROUTING --out-interface rmnet0 -j MASQUERADE
iptables --append FORWARD --in-interface wl0.1 -j ACCEPT
Step 6: adb push wifi.sh to /data/local/tmp
Step 7: su, change to /data/local/tmp and run wifi.sh
Step 8: (important) Connect to your AP only after dnsmasq is started, otherwise you will get weird DNS failures.
Credit to teferi for his original USB tether script.
Can't wait for this feature to be ready.
Sent from my T-Mobile G2 using XDA App
RaffieKol said:
YOU CAN TETHER YOUR PHONE TO YOUR PC WITH "EASY TETHER"
Edit: IT WORKS. You can tether your phone using it.
Has Anyone Tried "Easy Tether"?
Can easytether do it over wifi?
Gotta wait till next month to get this phone. But.
Why can't you give yourself a static IP in the same subnet as the phone and use the phone as your DNS server? Or is it not routing either?
Anomaly said:
Gotta wait till next month to get this phone. But.
Why can't you give yourself a static IP in the same subnet as the phone and use the phone as your DNS server? Or is it not routing either?
Haven't tried that, but there might be an issue with trying to steal an IP from the T-Mobile dhcp pool.

Ssh tunnel

Hi all.
I have a question that I have searched for, tried some apps, and have yet to get what I am seeking, and it should be kinda easy IMO.
I am seeking a way to forward all traffic over wifi through a remote ssh server of mine. I am hoping to do so without changing browsers as I am seeking more than just a browser proxy. I tried apps that claim to do it without success (like the Tor app, and transparent proxy). I think I could get ConnectBot to do it if it was added to su, but haven't figured that one out yet.
Any suggestions would be loved.
Thanks.
J
Sent from my SPH-D700 using XDA App
Guess this is harder than I assumed. Does anyone have any suggested solution for my needs? Could really use some advice for travel tomorrow.
Sent from my SPH-D700 using XDA App
Sorry for bump
Sent from my SPH-D700 using XDA App
You should be able to forward (nearly) all traffic with OpenVPN. This requires having OpenVPN installed on the proxy machine. Setting this up is a bit tricky, but there should be HOWTO guides available online for it. One of the things you'll need is tunnel device support for your kernel. If it's not compiled in (might be on some of the custom ones), you'll need a tun.ko module. The one in this thread is for the DI18 kernel. If you're running a Froyo kernel (e.g., DK28) and it's not compiled in, then you're probably out of luck for now.
Alternatively, if you can live with just HTTP/HTTPS traffic being forwarded, you can use an SSH tunnel along with an HTTP proxy (e.g., tinyproxy) on the proxy end. If you're using the stock browser, you'll need a proxy that supports transparent proxying (tinyproxy does) and you'll have to add firewall rules to the phone to force HTTP traffic over the tunnel. Some alternate browsers (e.g., Opera Mobile) support HTTP proxies directly, so you don't need to add firewall rules.
Assuming you already have an SSH tunnel setup on (localhost) 8888, this firewall rule (entered from a terminal like ConnectBot local) will force all traffic destined for port 80 (HTTP) over it:
Code:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8888
you can clear the rule with:
Code:
iptables -t nat -F OUTPUT
To forward HTTPS traffic, add a second rule using "dport" 443 instead of 80.
You should be able to use ConnectBot to setup the tunnel. Assuming the proxy port on the proxy-end is 8888, you'd setup a rule for "Source port: 8888", "Destination: localhost:8888".
However, the last time I tried doing port-forwarding with ConnectBot it didn't quite work, pages would load partially then stop. Using another ssh client solved the problem. You could try installing dropbear, then from a terminal (e.g., ConnectBot local) run "ssh -L 8888:localhost:8888 [email protected]".
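As an added example (not code from the reply above or from any of the tools it names), the following POSIX shell script, assumed to be called redirect_http.sh, generates the nat OUTPUT REDIRECT rules the reply describes for a local ssh -L listener, for one or more destination ports, together with the matching removal commands. Two things a practitioner wants beyond the one-liner: destinations on loopback are exempted so the phone's own local services are not pushed into the tunnel, and cleanup deletes exactly the rules that were added (-D) instead of flushing the whole OUTPUT chain, which would also discard any nat rules other apps on the phone have installed. The function names and the script name are assumptions.

```shell
#!/bin/sh
# redirect_http.sh (assumed name): added example, not code from the post.
# Prints the nat OUTPUT REDIRECT rules that push outbound TCP on the given
# ports into a local listener (the ssh -L port), plus the matching removal.
# Differences from the one-liner in the post: destinations on loopback are
# exempted so local services keep working, and cleanup deletes exactly the
# rules added (-D) instead of flushing OUTPUT, which on Android would also
# discard rules that other apps installed.

# is_port N: true for an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules LOCAL_PORT PORT...: one -A rule per destination port
redirect_rules() {
    lp=$1; shift
    is_port "$lp" || return 1
    [ $# -ge 1 ] || return 1
    for p in "$@"; do
        is_port "$p" || return 1
        printf 'iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$p" "$lp"
    done
}

# redirect_undo LOCAL_PORT PORT...: the same rules as -D, to remove them
redirect_undo() {
    redirect_rules "$@" | sed 's/ -A OUTPUT / -D OUTPUT /'
}

# Usage from a root shell on the phone with the tunnel listening on 8888:
#   sh redirect_http.sh add 8888 80 | sh
#   sh redirect_http.sh del 8888 80 | sh
case "${1:-}" in
    add) shift; redirect_rules "$@" ;;
    del) shift; redirect_undo "$@" ;;
esac
```

Pipe the printed commands into a root shell only after the ssh -L listener is up; while the rules are in place, every outbound connection to the listed ports from any process on the phone goes through the listener, so remove them with the del form before closing the tunnel.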
Mk... Thanks for the detailed reply. I will play with your recommendations.
Sent from my SPH-D700 using XDA App

VPN and Honeycomb/A500

Hey guys, anyone know a way to get vpn working on the A500?
It supports ipsec. but we are eliminating that as of next week in favor of SSL.
I was going to use openvpn (and the new kern mod) but I don't think it supports ssl (only ipsec).
So curious if anyone has thought through this; I'd like to stop carrying my 17" hackbook-pro (HP DV9700 running Snow Leopard).
thanks in advance!
Hey,try vpnc widget.
At my university it works with my htc desire z.
Didn't try it on the a500,but you could do it
Bye
Sergioka
Sent from my HTC Vision using Tapatalk
Did you solve this? I had the same problem. Iconia doesn't remember any VPN settings.
Took me a while to figure out how to save on my Transformer. When you are on the VPN setup screen the menu/option box (not sure of the correct name; it is the one with the 4 horizontal lines) will be up in the right hand corner. Select that and a "Save" option will appear in the drop down.
I've yet to get VPN to work on my A500. Trying to connect to VPN on a Windows 2003 server. It connects, but then nothing works. Can't get to anything on the remote network or even my local network or the internet. As soon as I disconnect the VPN, the local network and internet start working again.
Same boat
I'm experiencing the exact same situation where I can connect but get no traffic moving. Also, I cannot get settings, etc. to stick on shutdown/reboot. I'm going to put down exactly how I got here in the hopes that it helps someone else to figure this out...
1. Rooted stock Acer Iconia (A500) tablet
2. Installed tun.ko
Copied tun.ko to /system/lib/modules
chmod 644 /system/lib/modules/tun.ko
insmod /system/lib/modules/tun.ko
3. Installed BusyBox (from Market) 1.18.4 to /system/xbin
4. Installed VPNC Widget (from Market) and set information:
IPSecGateway - Public VPN host
IPSecId - VPN group name
IPSec Group Password - VPN group password
XAuthUsername - User ID
XauthPassword - User password
other Vpnc Options - *blank*
5. From VPNC Widget settings, selected "Check Prerequisites".
Running tests...
Error: root access missing!
Error: no access to TUN device!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone.
Not sure why it's saying root access missing, but it is saying no access to TUN device. It's not saying that TUN device is missing, so I know the insmod worked.
6. Started VPNC Widget - immediately errored out. Checked last vpn session log:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
reloc_library[1315]: 1069 cannot locate '__set_sycal_errno'...
CANNOT LINK EXECUTABLE
reloc_library[1315]: 1070 cannot locat '__set_syscall_errno'...
CANNOT LINK EXECUTABLE
Error: no access to TUN device!
can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not mist/net/tun): No such file or directory
can't initialise tunnel interface: No such file or directory
vpnc version 0.5.3-mjm1-140M
7. Manually created tunnel device
mkdir /dev/net
mknod /dev/net/tun c 10 200
8. From VPNC Widget settings, selected "Check Prerequisites".
Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone.
TUN access is working, but still says no root access...
9. Started VPNC Widget. Connected immediately, but VPN traffic would not flow. External web traffic still worked. Cisco ASA shows successful login.
10. Disconnected from VPN Widget. Checked last vpn session log:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
Error binding to source port. Try '--local-port 0'
Failed to bind to 0.0.0.0:4500: Address already in use
vpnc version 0.5.3-mjm1-140M
IKE SA selected psk+auth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
11. Changed VPNC Widget configuration:
Added '--local-port 0' to other Vpnc Options
12. Start VPNC Widget. Either it connects and immediately reports password error (Cisco ASA shows unsuccessful login - bad password, I think) or it connects but no traffic passes, VPN or web (Cisco ASA show successful login).
13. Check last vpn session log for bad password event:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
Password for VPN [email protected]s:
Password for VPN [email protected]s:
authentication unsuccessful
vpnc version 0.5.3-mjm1-140M
IKE SA selected psk+auth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
I've tried reinstalling everything but I get the same results every time. I'm hoping this information helps someone (and me)...
Same problem here on the Motorola Xoom...
Typing netcfg reveals
Code:
lo UP 127.0.0.1 255.0.0.0 0x00000049
dummy0 DOWN 0.0.0.0 0.0.0.0 0x00000082
usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002
sit0 DOWN 0.0.0.0 0.0.0.0 0x00000080
ip6tnl0 DOWN 0.0.0.0 0.0.0.0 0x00000080
ppp0 UP 10.10.6.7 255.255.255.255 0x000010d1
eth0 DOWN 0.0.0.0 0.0.0.0 0x00001002
tun0 DOWN 0.0.0.0 0.0.0.0 0x00001090
No connection on the TUN0 interface even though the widget claims VPN is connected.
After adding the following to the VPN options:
Code:
--local-port 0
--natt-mode cisco-udp
I can start VPN as many times I want resulting in numerous TUN interfaces in netcfg - all of which are DOWN.
I'm wondering if upgrading to HC3.1 (Xoom instructions http://forum.xda-developers.com/showthread.php?t=1074609) - which provides TUN support - solves the issue for both devices.
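Added example, not code from this thread or from VPNC Widget: the Xoom and A500 posts above both describe a widget that reports "connected" while netcfg lists tun0 as DOWN with no address, which is the state to check before blaming the server. The POSIX shell script below, assumed to be named vpn_state.sh, reads the same kind of listings (netcfg, and ip route show) and answers the two questions that actually matter: is the tunnel interface up with an address, and which device does the default route currently use. The samples are constructed from the netcfg listing in the post; the function names are assumptions.

```shell
#!/bin/sh
# vpn_state.sh (assumed name): added example, not code from the thread.
# Checks whether a VPN tunnel interface is really up and whether the
# default route leaves through it, from netcfg / ip route output.

# Constructed sample modelled on the netcfg listing posted for the Xoom:
# the widget said "connected", yet tun0 is DOWN with 0.0.0.0.
SAMPLE_NETCFG='lo UP 127.0.0.1 255.0.0.0 0x00000049
ppp0 UP 10.10.6.7 255.255.255.255 0x000010d1
tun0 DOWN 0.0.0.0 0.0.0.0 0x00001090'

# Constructed sample of `ip route show` on a device whose default route
# still points at the carrier link (ppp0) rather than the tunnel.
SAMPLE_ROUTES='default via 10.10.6.1 dev ppp0
10.10.6.0/24 dev ppp0 proto kernel scope link src 10.10.6.7
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.1'

# tunnel_is_up NAME: read netcfg lines on stdin. Exit 0 only if NAME is UP
# with an address other than 0.0.0.0; 1 if down or unaddressed; 2 if absent.
tunnel_is_up() {
    awk -v want="$1" '
        $1 == want { found = 1; state = $2; addr = $3 }
        END {
            if (!found)            { print want ": no such interface"; exit 2 }
            if (state != "UP")     { print want ": " state; exit 1 }
            if (addr == "0.0.0.0") { print want ": UP but no address"; exit 1 }
            print want ": UP " addr; exit 0
        }'
}

# default_dev: read `ip route show [table N]` lines on stdin and print the
# interface of the default route (no output and exit 1 if there is none).
default_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
         END { exit !found }'
}

# vpn_ready TUN NETCFG_TEXT ROUTE_TEXT: both checks together. Exit 0 only
# when the tunnel is up and the default route goes through it.
vpn_ready() {
    printf '%s\n' "$2" | tunnel_is_up "$1" >/dev/null || return 1
    [ "$(printf '%s\n' "$3" | default_dev)" = "$1" ]
}

# Usage on the device (root shell):
#   netcfg | sh vpn_state.sh tun0
#   ip route show | sh vpn_state.sh route
case "${1:-}" in
    '')    ;;
    route) default_dev ;;
    *)     tunnel_is_up "$1" ;;
esac
```

On the sample data the tunnel check prints "tun0: DOWN" and the route check prints "ppp0", which is exactly the situation the post describes: a login the ASA accepts, but no tunnel for traffic to use. The same two checks also settle the "connects but nothing works" reports earlier in the thread, since a connected VPN whose default route still leaves through ppp0 will reach neither the remote network nor, if the server pushed routes that were never installed, the internet.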
When you run the prerequisites check, does it also say that root access is missing?
Sadly, I am doubtful that HC3.1 will fix this as I know the TUN file is working properly because others have gotten OpenVPN working. The issue seems to lie with the VPNC Widget.
I can also connect to many different giganews VPN servers, but cannot access ANY network once connected.
WORKING with VPNC (not VPNC Widget)
I uninstalled VPNC Widget and then installed 0.99 VPNC and it is working.
Just need to create /etc/resolv.conf and append --local-port 0.
Sucks that I have to do it from the shell, but at least it works...
latest vpnc widget works with a few mods :
- edit vpnc-script and change MYBOX="$0-box" to ="'
- chmod 500 vpnc-script (something recreates vpnc-script at every start otherwise)
Stopping vpnc does not work though ;/ (just cut off wifi for a few seconds to make it close)
hey n00bzy,where can I find the vpnc-script?
thx
sergioka
sergioka said:
hey n00bzy,where can I find the vpnc-script?
thx
sergioka
If I recall correctly, it's in /data/data/com.gmail.mjm4456.vpncwidget/files but don't quote me on it...
hey thanks for the info,
i found the file, but
the widget tells me this
"Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone."
Wow I forgot about the thread I started! lol I will try some of these suggestions and see if any work..
I know that ipsec is going to be cut off here soon, so I'm going to need a SSL solution sooner or later.
sergioka said:
hey thanks for the info,
i found the file, but
the widget tells me this
"Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone."
I was getting that message but it still connected. Try to connect, check your last connection log, and see what it says.
Oh man, I had only the link on the desktop and not the widget
Now, with the widget, it works!
Couple of questions as I am going through a vpnc widget setup on a rooted Asus Transformer.
I am running prime 1.4 which already has the tun loaded but when I go to /dev/net/tun there is no file in that directory. Should there be a file in that directory?
The error I am getting right now from the widgets log is "can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not /misc/net/tun): Is a directory can't initialize tunnel interface"
Any help will be much appreciated
I will pay good $$ to have a working (simple) Cisco VPN option on my Android. I have tried and wasted way too many hours trying to get this working with all the complicated and unclearly documented ways to get this working.
Anyone working on something besides Cisco (which they will be forcing our organization to pay for such service which is not possible seeing we are one of the largest orgs around and something like that is not feasible)?

[GUIDE] How to WiFi tether with VPN (DroidVPN)

Before anyone says "this has been discussed before" yes it has, but this is the ONLY method that's worked for me, so therefore it may also work for you when others have not.
My carrier is Telcel (Mexico). It's prepaid, and I haven't paid for it since using the VPN, as it allows me to have free internet, and this method allows me to share it with all my devices; I've used 30GB of data in 2 weeks.
Disclaimer: not responsible for your device in any way, even though this should not harm anything
STEP 1: You need a rooted device
STEP 2: Make sure you have a VPN app, like OpenVPN or DroidVPN (I use DroidVPN and it's the best)
STEP 3: Download Terminal Emulator
STEP 4: Activate your hotspot and connect to your VPN
STEP 5: launch Terminal emulator and on the first line type "su" (without the quotes) and press enter
STEP 6: Copy and paste this to the Terminal Emulator, MAKE SURE TO PASTE TO A NEW FOLDER USING ROOT BROWSER FIRST, AND COPY TO T.E. IN THE EXACT FORMAT AS SHOWN
Code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
STEP 7: That's about it
Also be sure to make a folder with Root Browser and paste the code there, as this resets after re-boot.
Please comment if this worked for you, it worked on my LG G3 on android 4.4.2
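The rule set in this guide and in the Galaxy S8 guide at the top of the page is the same policy-routing trick with one interface name changed (wlan0 here, swlan0 on the S8). As an added example, not code from either guide or from any app they mention, the POSIX shell script below (assumed name tether_vpn.sh; the function names are also assumptions) rebuilds those rules with the AP and tunnel interfaces as parameters, validates the inputs, and adds the one thing both guides leave out: a leak guard. With the guides' flush-and-ACCEPT-all FORWARD chain, the moment tun0 disappears the route in table 61 goes with it, the lookup falls through to the main table, and every hotspot client is silently forwarded out of the carrier link in the clear. The guard accepts only AP-to-tunnel and tunnel-to-AP forwarding and drops anything else arriving from the AP, so clients lose connectivity instead of leaking. The script prints the commands rather than running them, and includes a check that reads iptables -S FORWARD to confirm the guard is in place; the sample chain listings are constructed.

```shell
#!/bin/sh
# tether_vpn.sh (assumed name): added example, not code from either thread.
# Prints the hotspot -> VPN policy-routing commands from the guides, with
# input validation and a leak guard: hotspot clients are dropped rather than
# forwarded out of the carrier link when the VPN interface goes away.
# The AP interface name differs per device (swlan0 on the Galaxy S8, wlan0
# on the LG G3), so it is a parameter. Nothing here runs ip or iptables.

# Linux interface names: 1-15 characters, no spaces or slashes.
valid_ifname() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# a.b.c.d/n with octets 0-255 and prefix 0-32. Runs in a subshell so the
# IFS change and the positional parameters stay local to the check.
valid_cidr() (
    addr=${1%/*}; pfx=${1#*/}
    [ "$addr" != "$1" ] || return 1
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    set -f; IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

# tether_rules AP TUN [NET] [TABLE]: print the command sequence.
# Compared with the guides: FORWARD accepts only AP<->TUN and then drops
# anything else arriving from AP (the leak guard), and MASQUERADE is limited
# to the hotspot subnet leaving via the tunnel. The ip rule/route lines are
# the guides' own, parameterised.
tether_rules() {
    ap=$1 tun=$2 net=${3:-192.168.43.0/24} tbl=${4:-61}
    valid_ifname "$ap" && valid_ifname "$tun" && valid_cidr "$net" || return 1
    cat <<EOF
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -i $ap -o $tun -j ACCEPT
iptables -t filter -I FORWARD -i $tun -o $ap -j ACCEPT
iptables -t filter -A FORWARD -i $ap -j DROP
iptables -t nat -I POSTROUTING -s $net -o $tun -j MASQUERADE
ip rule add from $net lookup $tbl
ip route add default dev $tun scope link table $tbl
ip route add $net dev $ap scope link table $tbl
ip route add broadcast 255.255.255.255 dev $ap scope link table $tbl
EOF
}

# forward_chain_has_guard AP TUN: read `iptables -S FORWARD` on stdin and
# succeed only if the AP->TUN ACCEPT exists and the AP catch-all DROP comes
# after it. Run this after applying the rules to confirm the guard is live.
forward_chain_has_guard() {
    awk -v ap="$1" -v tun="$2" '
        BEGIN { acc = "-A FORWARD -i " ap " -o " tun " -j ACCEPT"
                drp = "-A FORWARD -i " ap " -j DROP" }
        $0 == acc { accept = NR }
        $0 == drp { drop = NR }
        END { exit !(accept && drop && accept < drop) }'
}

# Constructed samples of `iptables -S FORWARD`: after tether_rules has been
# applied, and after the guides' original flush-and-ACCEPT-all (which the
# check rejects, since nothing stops AP -> carrier forwarding).
SAMPLE_FORWARD_GUARDED='-P FORWARD ACCEPT
-A FORWARD -i tun0 -o swlan0 -j ACCEPT
-A FORWARD -i swlan0 -o tun0 -j ACCEPT
-A FORWARD -i swlan0 -j DROP'
SAMPLE_FORWARD_ORIGINAL='-P FORWARD ACCEPT
-A FORWARD -j ACCEPT'

# Usage from a root shell on the phone, once the VPN and hotspot are up:
#   sh tether_vpn.sh print swlan0 tun0 | sh
#   iptables -S FORWARD | sh tether_vpn.sh check swlan0 tun0 && echo guarded
case "${1:-}" in
    print) tether_rules "$2" "$3" "${4:-192.168.43.0/24}" "${5:-61}" ;;
    check) forward_chain_has_guard "$2" "$3" ;;
esac
```

The check is worth running after every reboot or VPN reconnect: the routes and rules do not survive either, as both guides note, and a hotspot that keeps working after the VPN app has died is the symptom of a missing guard, not a sign that things are fine.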
FIRST!
So, basically, what does this do?
GabrielCool1 said:
So, basically, what does this do?
Basically for me it allows me to bypass my carrier's tether restrictions. For example: you have T-Mobile, your plan has unlimited data but only 5GB of tethering; this will trick it into thinking all traffic is coming from your phone, giving you unlimited data to all your devices.
SmokeyTech1 said:
Basically for me it allows me to bypass my carrier's tether restrictions. For example: you have T-Mobile, your plan has unlimited data but only 5GB of tethering; this will trick it into thinking all traffic is coming from your phone, giving you unlimited data to all your devices.
Come on, I don't understand the tethering thing, can you explain it to me in Spanish? C:
GabrielCool1 said:
Come on, I don't understand the tethering thing, can you explain it to me in Spanish? C:
Sure! Send me a direct message and I'll tell you.
FWIW this will be different on different carriers, different devices, and different VPNs (Junos Pulse for example). Good info nonetheless :good:
Sent from my SM-G900P using XDA Free mobile app
miked63017 said:
FWIW this will be different on different carriers, different devices, and different VPNs (Junos Pulse for example). Good info nonetheless :good:
Sent from my SM-G900P using XDA Free mobile app
This should darn near be universal, as this was code I found was just a copy and paste of the original, don't need to change anything, it should also work with all VPNs, can't confirm though, I've only used this on my AT&T LG G3, I will try on my HTC One
Also the "IP table" part of the code can be found in a few places, the special part of the code is "ip rule" and "ip route"
SmokeyTech1 said:
This should darn near be universal, as this was code I found was just a copy and paste of the original, don't need to change anything, it should also work with all VPNs, can't confirm though, I've only used this on my AT&T LG G3, I will try on my HTC One
Also the "IP table" part of the code can be found in a few places, the special part of the code is "ip rule" and "ip route"
The iptables should be, but the routing, rules, and lookup tables could vary. Also some carriers you would need extra iptables commands and route commands to work with their tethering data cap security measures.
Like I said its useful knowledge but in some cases may need a little extra massaging to fully work.
any good guides for setting up a vpn server on your own PC?
sowers17 said:
any good guides for setting up a vpn server on your own PC?
Are you on windows or Linux?
Honestly the easiest way would be to get a router that supports it out of the box, but if you don't have one it's still pretty easily doable.
thingss said:
Good guide. Thanks.
Did this work for you? If so please state your device name and android version, I'm going to add to the OP a "confirmed working on"
SmokeyTech1 said:
Before anyone says "this has been discussed before" yes it has, but this is the ONLY method that's worked for me, so therefore it may also work for you when others have not.
My carrier is Telcel (Mexico). It's prepaid, and I haven't paid for it since using the VPN, as it allows me to have free internet, and this method allows me to share it with all my devices; I've used 30GB of data in 2 weeks.
Disclaimer: not responsible for your device in any way, even though this should not harm anything
STEP 1: You need a rooted device
STEP 2: Make sure you have a VPN app, like OpenVPN or DroidVPN (I use DroidVPN and it's the best)
STEP 3: Download Terminal Emulator
STEP 4: Activate your hotspot and connect to your VPN
STEP 5: launch Terminal emulator and on the first line type "su" (without the quotes) and press enter
STEP 6: Copy and paste this to the Terminal Emulator, MAKE SURE TO PASTE TO A NEW FOLDER USING ROOT BROWSER FIRST, AND COPY TO T.E. IN THE EXACT FORMAT AS SHOWN
Code:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
STEP 7: That's about it
Also be sure to make a folder with Root Browser and paste the code there, as this resets after re-boot.
Please comment if this worked for you, it worked on my LG G3 on android 4.4.2
Do you have a premium account or a free one on Droid VPN?
Sent from my GT-S7392 using xda app-developers app
Andro001 said:
Do you have a premium account or a free one on Droid VPN?
Sent from my GT-S7392 using xda app-developers app
Premium, the free account almost never connects, and you only get 100mb daily
SmokeyTech1 said:
Premium, the free account almost never connects, and you only get 100mb daily
I used droid vpn on my SIM's internet connection; after 100mb it disconnected, so I just changed the mobile and with the same account I logged in to droid vpn and it got connected. How was it possible?
Sent from my GT-S7392 using xda app-developers app
Andro001 said:
I used droid vpn on my sim's internet connection after 100mb it disconnected so I just changed the mobile and with the same account I logged jn droid vpn and it got connected. How was it possible?
Sent from my GT-S7392 using xda app-developers app
I really don't know, maybe droidvpn monitors each devices data, like you can use 100mb on one 100mb on another,
Does this work on Android Lollipop version 5.0? I'm not sure if it's safe to write that down in the Android terminal.
shadowx141 said:
Does this work on Android Lollipop version 5.0? I'm not sure if it's safe to write that down in the Android terminal.
Works, and great! On Android 5.02.
Is there any way to incorporate this into an AFWall+ profile, so that someone can just switch profile when leaving home and have this automatically set up?
miked63017 said:
Are you on Windows or Linux?
Honestly, the easiest way would be to get a router that supports it out of the box, but if you don't have one it's still pretty easily doable.
I got a D-Link 510L that says it will run my Pantech 290. It works on the computer with the software, but when I put it in the router it says no internet.

[GUIDE] My Pi-hole and PiVPN powered by our Raspberry Pi 3 Model B+

ATTENTION (update on 2018-04-09): The procedures described in this thread only work if you own an internet account with a public IPv4 address or dual stack, i.e. both a public IPv4 and a public IPv6 address. For accounts with only a public IPv6 address, it won't work. Please also refer to post #16.
Although I'd already read quite a lot about commercial VPN providers, reading the article "VPN Leaks Found on 3 Major VPNs out of … 3 that We Tested" firmly settled my decision to go for my own private VPN.
Thanks to Mike Kuketz, who runs an excellent German blog on information technology security, I was able to study these two articles (https://www.kuketz-blog.de/pi-hole-schwarzes-loch-fuer-werbung-raspberry-pi-teil1/, https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/) about Pi-hole and PiVPN on a Raspberry Pi and immediately decided to purchase a Raspberry Pi 3 Model B+ (including an official case and charger) from an authorised Raspberry Pi dealer. Remark for German-speaking XDA users: Mike also runs a very interesting forum in conjunction with his blog.
I'd be glad if this thread raises your interest in a Raspberry Pi with Pi-hole and PiVPN. We are fascinated by their capabilities and glad to be able to utilise our own private VPN. If you also decide to go for it, I hope that this tutorial facilitates setup and configuration. However, always be aware that different scenarios exist in which the use of a VPN is reasonable, and anonymously browsing the web via a VPN provider is certainly not one of them. The desire for anonymity and privacy on the world wide web is a reasonable wish of many users, but one that can hardly be fulfilled, or only with extremely high effort. You do not achieve anonymity while browsing the web merely because your network traffic is tunnelled via a VPN provider; that is a promotional promise belonging to the category of modern internet fairy tales. However, by use of a (private) VPN you certainly enhance your privacy due to the encryption of your data traffic, in this case between the Android device and the Raspberry Pi / PiVPN.
The intent of this thread is to share my experiences and procedure during the setup of the Raspberry Pi, Pi-hole and PiVPN. As client (or, you might say, the companion of PiVPN) on our Android devices, I use OpenVPN for Android by Arne Schwabe. I downloaded it from F-Droid; however, it's also available via the Google Play Store. Possibly of interest to a few Android users: it does not require root. The whole setup works on our Android Nougat ROM, but I don't have any experience with Android Oreo.
Additionally, I want to clearly emphasise that I personally used Mike's two articles linked above, written in German, i.e. my thread is more or less only a translation of Mike's instructions into English. Therefore, I must clearly state that all credit goes to Mike Kuketz.
Generally, in this thread I don't intend to discuss the reasons that induced my decision to establish my own private VPN or to create my own network-wide ad blocking. Brief searches of the web already provide multiple hits in this context, but it's anyway a very personal decision.
Additionally, I'm only focusing on our router, an AVM Fritz!Box 7390, our Android devices (Samsung Galaxy S3 LTE - i9305, all with RR-N-v5.8.5-final, Magisk v16.0, Xposed, XPrivacyLua and GApps-free thanks to microG), and Windows 10 Pro on a notebook (I've just started to familiarise myself with Linux Mint, i.e. all work in regard to this thread was conducted under Windows). I'm convinced that all interested readers of this thread are capable of translating the basic ideas to other routers, devices, Linux, iOS etc.
Content:
Post #2: Initial Installation of the Raspberry Pi
Post #3: The Pi-hole
Post #4: PiVPN
Post #5: PiVPN in Combination with the Pi-Hole
Post #6: OpenVPN for Android
Post #7: Dynamic DNS
Post #8: Customisation of the NTP-Server
Post #9: Unbound / Recursive DNS server
Remark:
In the attached screenshots, IP-addresses are blacked out for privacy reasons.
Please advise if something is not clear, incorrect or incomplete.
Off-topic comments are allowed as long as they are generally related to the overall topic, are in the general interest of the followers of this thread and add value to the thread. Having fun is always welcome here. The ultimate decision rests with me as the OP!
Initial Installation of the Raspberry Pi
Updated on 2019-03-17!
********************
As already said, I'd ordered a Raspberry Pi 3 Model B+ including the official housing and AC charger. Most likely the whole setup is going to work with other Raspberry Pi models, but please note that Jacob Salmela, the developer of Pi-hole, recommends a system with 512 MB of RAM. Brief remark: you're unable to place the Raspberry Pi in its housing with a microSD card inserted.
Talking about microSD cards, I use a 32 GB class 10 card to host the Raspberry Pi's OS and the Pi-hole/PiVPN. I'm convinced that a 16 GB card is also suitable; even an 8 GB one might be sufficient. I personally didn't require a keyboard or screen for the Raspberry Pi as I connect to it via Secure Shell (SSH).
I decided to use RASPBIAN, the official OS of the Raspberry Pi Foundation; however, other OSes are available, just search the web. I'm using Raspbian Stretch Lite, which fully meets my requirements, and downloaded it here as a zip file. I unzipped the file and inserted the microSD into my notebook. There are multiple ways described to flash the OS image to the SD card, but I decided to use Win32DiskImager. The Win32DiskImager utility is available via its Sourceforge project page as an installer file. I followed exactly the instructions provided on the last linked Raspberry Pi page.
After the image had been flashed to the SD card, I had to create an empty file called "ssh" in the /boot partition in order to be able to access the Raspberry Pi via SSH later on. As a Windows user, I first had to install the Ext2Fsd driver to be able to access the system partition. The microSD was now prepared and ready to use.
The Raspberry Pi was already sleeping in its housing. I inserted the microSD into the Pi, connected the Pi by a regular network cable to LAN3 of my Fritz!Box (LAN1 is used for the connection to my Genexis Hybrid Live! Titanium-54 running in bridge mode as fibre modem; the internet radio is connected to LAN4) and finally connected the Pi to power.
For the following steps, please refer to the attached screenshots (I apologise for not having changed the Windows system language to English). The next step was to access the admin panel of our Fritz!Box. Its DHCP server is enabled; however, I don't allow the DHCP server to use the complete range of IP addresses ("Home network => Home network overview => Network settings => IPv4-addresses"). On "Home network => Home network overview" I selected the details of the raspberrypi. Here, I assigned an IP to raspberrypi that is outside of the DHCP IP range and ticked "always assign the same IP". Just for completeness: even before I installed the Raspberry Pi, the DNS servers in the Fritz!Box were set to 85.214.20.141 (i.e. Digitalcourage) and 213.73.91.35 (i.e. Chaos Computer Club) ("Internet => Access credentials => DNS server"). On this German page you find other uncensored and free DNS servers without tracking.
Knowing the IP address of the Raspberry Pi, I now connected to the Pi via SSH using PuTTY, which I downloaded from here and installed. After starting PuTTY and entering the Pi's IP, a terminal opens.
The default user credentials are:
- User: pi
- Password: raspberry
Now, I accessed the Pi's admin terminal, and first changed the default password by:
Code:
passwd
I slightly changed the Pi's configuration:
Code:
sudo raspi-config
Code:
Advanced Options → Expand Filesystem
Localisation Options → Change Timezone → Europe → Berlin
Finish, Reboot
My last step in the setup of the Raspberry Pi was to update the packages by:
Code:
sudo apt-get update
sudo apt-get upgrade
sudo reboot
Final remark: I keep the Raspberry Pi's WiFi disabled as I don't require it.
The Pi-hole
Updated on 2019-03-18!
********************
Pi-hole has been developed by Jacob Salmela since 2015. It is based on dnsmasq and the Lighttpd web server. The complete source code is available at GitHub. But what makes Pi-hole actually so special? It's a solution to block advertisements and trackers already within the network, i.e. Pi-hole is theoretically able to block ads for all devices connected to the network. I guess this initially sounds adventurous, but it proves to work in our home network.
If interested in the technical background please refer to the linked websites.
For the installation of Pi-hole on the Raspberry Pi, I connected to the Pi via SSH and opened a terminal. For a fully automatic installation of Pi-hole I used the following command line:
Code:
curl -sSL https://install.pi-hole.net | bash
Attention: Please acknowledge the following statement posted on the Pi-hole webpage:
Our code is completely open, but piping to bash can be dangerous. For a safer install, review the code and then run the installer locally.
After completion of the installation of all packages and dependencies, the configurator opened. My personal selection is as follows:
Select Upstream DNS Provider
Custom: 85.214.20.141, 213.73.91.35 [Remark: DNS servers as already mentioned in post #2.]
Select Protocols
IPv4: Check
IPv6: Uncheck (Remark: None of our devices uses IPv6.)
Do you want to use your current network settings as a static address?
IP address: xxx.xxx.xxx.xxx (Remark: The fixed IP address of the Raspberry Pi.)
Gateway: xxx.xxx.xxx.1 (Remark: The IP of my router i.e. the Fritz!Box.)
Do you want to log queries?
On: Check
After the configurator's queries were completed, it provided me with the address of the graphical web interface (http://pi.hole/admin or http://"IP-address of the Pi"/admin; screenshot available in the OP) and the login password for Pi-hole.
Remark: As soon as practicable, I changed the initial password to my own one by the following command line:
Code:
sudo pihole -a -p
In order that ads and trackers are blocked by the Pi-hole, it's necessary to point all devices to the Pi as their DNS server. As usual, different ways and approaches exist to do so. Below I only describe the one I used.
Please refer to the attached screenshot that I already used in post #2, too. I circled the field where I inserted the IP-address of the Pi as the local DNS server.
Remark: With some routers it's possible to simply assign the IP address of the Raspberry Pi as the router's DNS server. Advantage: nothing changes for the clients; they simply send a DNS request to the router, which forwards it to the Pi-hole in turn. However, this feature is not available for all Fritz!Boxes due to their integrated "DNS Rebind Protection".
Just for completeness a few useful Pi-hole commands:
pihole -h: Help that shows a list of all available commands
pihole -up: Initiates an update of the Pi-hole software
pihole -r: Relaunch of the configurator, e.g. to make changes to the DNS settings
pihole -g: Initiates an update of the blocklists
Pi-hole automatically updates the ad sources once a week, on Sunday at a random time in the early morning. If required, this cron job can be changed via
Code:
sudo nano /etc/cron.d/pihole
or
Code:
sudoedit /etc/cron.d/pihole
Since Pi-hole version 3.x, it's no longer required to add/delete/amend blocklists via a terminal but can easily be accomplished via the Admin-web-interface.
Now some initial changes to the Pi-hole settings via the Admin GUI:
Settings → DNS → DNSSEC: Enabled.
Settings → Blocklists: Set to your own desire; I've got all default lists enabled. Personally, I added the Non-crossed list to the blocklists. Just copy and paste all lists into the text field, followed by a click on "Save and Update".
In the dashboard, about 1M blocked domains should be indicated.
Final remark: Personally, I regard the Pi-hole as my first line of defence, and I continue to use add-ons in my browser like uBlock Origin to defeat the rest.
PiVPN
Updated on 2019-03-18
*******************
The PiVPN project has a webpage and additionally a GitHub page, where its source code can be examined. Basically, PiVPN is nothing else than a collection of shell scripts that greatly simplifies the installation and configuration of OpenVPN.
I guess it's obvious that a VPN only makes sense if the Android device is always able to reach the end of the tunnel and to connect to the Raspberry Pi. You are certainly aware that a lot of or most Internet Service Providers (ISPs) assign dynamic IPs to an Internet account - at least mine does, i.e. my ISP regularly or occasionally changes the IP address of my account. In turn, this means we need to ensure that the Android device "finds" the Raspberry Pi independent of its IP address. Two simple steps are required to achieve this and ought to be conducted prior to the installation of PiVPN on the Raspberry Pi:
Assign a static IP to the Raspberry Pi on the router as described in post #2.
Find and use a DynDNS-provider who converts the dynamic, public IP-address assigned by the ISP into a permanent domain name as described in post #7.
Remark: Ideally, use of the subnets 192.168.0.x/24 or 192.168.1.x/24 should be avoided, as they are very commonly in use and routing conflicts might arise when trying to connect from outside. In this context, please acknowledge a note taken from the OpenVPN log:
NOTE: Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
After I managed these prerequisites, I commenced the installation of PiVPN, which is as easily conducted by a single command line as it was for the Pi-hole (the respective attention note I made in post #3 also applies here):
Code:
curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash
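A safer alternative to both `curl ... | bash` lines on this page (the Pi-hole installer in post #3 and the PiVPN installer above), as an added example that is not part of the guide or of either project: download the installer to a file, read it, note its SHA-256, and only execute the file if it still matches the digest you reviewed. The function names and the constructed stand-in script are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from Pi-hole or PiVPN): the "review the code, then run the
# installer locally" alternative to `curl ... | bash` that the Pi-hole note
# recommends. The digest check ties the file you execute to the file you read,
# so a later re-download or an edit in between cannot slip past unnoticed.

# sha256_of FILE -> prints the hex SHA-256 digest (coreutils, or shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_installer URL FILE -> downloads URL to FILE for review; nothing is executed
fetch_installer() {
    curl -sSL -o "$2" "$1" && printf 'Saved %s; review it, then note: sha256_of %s\n' "$2" "$2"
}

# run_reviewed FILE EXPECTED_SHA256 -> runs FILE with bash only if its digest
# equals EXPECTED_SHA256; otherwise refuses and returns 1.
run_reviewed() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "REFUSING to run $1: digest $actual does not match reviewed $2" >&2
        return 1
    fi
    bash "$1"
}

# Offline demonstration with a constructed stand-in for an installer script.
# Returns 0 if the reviewed file runs and a modified copy is refused.
demo_run_reviewed() {
    tmp=$(mktemp) || return 2
    printf 'echo installer-ran\n' > "$tmp"
    digest=$(sha256_of "$tmp")
    run_reviewed "$tmp" "$digest" >/dev/null || { rm -f "$tmp"; return 1; }
    # Simulate the file changing after review (e.g. a different download):
    printf 'echo something-else\n' >> "$tmp"
    if run_reviewed "$tmp" "$digest" 2>/dev/null; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    return 0
}

# Real use on the Pi:
#   fetch_installer https://install.pi-hole.net basic-install.sh
#   less basic-install.sh && sha256_of basic-install.sh     # read it, note the digest
#   run_reviewed basic-install.sh <digest you noted>
```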
At first, the script updates the APT package sources, then upgrades the packages and subsequently installs OpenVPN.
During the installation I was able to customise my configuration. Attached are a few screenshots that I explain in sequence below:
As already stated, the IP address of PiVPN, respectively the Raspberry Pi, ought to be static on the router. The gateway address is usually the internal IP address of the router.
Usually, I'm not one for automated updates or upgrades, as I rather maintain control and prefer to be able to immediately intervene in case of issues. However, I decided to make an exception for PiVPN, as in this case activating the validation and installation of security updates seems very reasonable, especially if the solution is meant to be "fire (i.e. install) and forget", i.e. install once and rarely have to care. Don't interpret rarely as never; the automated security updates merely lighten my workload.
As protocol I chose UDP and left the standard port 1194 unchanged. At this point, I don't intend to start a discussion about the pros and cons of OpenVPN via UDP or TCP; just briefly: UDP is faster and TCP more reliable. Please allow me to quote the OpenVPN main page:
OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks.
Since OpenVPN v2.4, authentication and key exchange are possible via elliptic curves. PiVPN optionally generates either a 256-, 384- or 521-bit ECDSA key pair, containing the public and private keys. 256-bit is the default setting, which is fine as its strength is comparable to a 3072-bit RSA key.
The key generation on a Raspberry Pi 3 only takes a few seconds.
The following quoted lines (struck out in the original post) are only valid for clients that don't support OpenVPN v2.4+:
For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN), but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
Due to the already mentioned "issue" with the dynamic public IP address issued by the ISP, I ticked "Use a public DNS".
In this window I entered my domain name as mentioned in post #7 regarding dynamic DNS.
I selected custom to use the DNS servers of my choice.
Here, I entered "my" DNS servers as already explained in post #2.
This completed the installation and configuration of PiVPN. Now I had to create profiles that in turn need to be "installed" on my clients. Personally, I decided to use a distinct profile for each client. To create a profile for an Android device, the following command lines apply:
Code:
pivpn add
Code:
Enter a Name for the Client: MyClientName
Enter the password for the client: MyPassword
Subsequently, the profile was generated with all necessary information (certificate, encryption details, etc.) and saved at /home/pi/ovpns.
I downloaded and installed FileZilla on my Windows notebook, connected via FileZilla to the Raspberry Pi and copied the file "MyClientName.ovpn" from /home/pi/ovpns onto my notebook. I transferred this file to my Android device and imported it into OpenVPN for Android; please refer to post #6 for more information in this respect.
That was it - now I was nearly able to connect my Android via my own private VPN to PiVPN, respectively our Raspberry Pi; the only missing step was to open the router's/Fritz!Box's UDP port 1194 for the Raspberry Pi / PiVPN to allow data to pass from the outside.
The procedure is pretty simple and straightforward for a Fritz!Box (please refer to the last three screenshots). Open the admin web interface of the Fritz!Box and select "Internet => Permissions => Port permissions => New port permission" (Remark: the English web interface might read differently from my translation, but I'm convinced it's self-explanatory). The IP must be the fixed IP assigned to the Raspberry Pi; I chose to name this permission "OpenVPN", selected UDP as the protocol and port "1194". And I didn't forget to tick "Activate permission".
Last but not least, the following command line allowed me to check if my i9305 successfully connected to my PiVPN:
Code:
pivpn list
PiVPN in Combination with the Pi-Hole
Updated on 2019-06-15.
--------------------------------------------------------------------------------------------------------------------------------------------------
Please allow me to mention another great advantage of having PiVPN together with Pi-hole on one and the same Raspberry Pi:
All of our mobile devices that connect via OpenVPN to our home network benefit from the Pi-hole, i.e. no advertisements or trackers follow us at every turn when connected to the web via mobile data or a WiFi network other than ours.
However, in order to achieve this I was required to slightly modify two configuration files on the Raspberry Pi, as described below (please refer to the screenshots) - and, self-evidently, I had to install Pi-hole and PiVPN on the same Raspberry Pi first, as described in this thread.
At first, I modified the OpenVPN server configuration with nano via the Raspberry Pi's console:
Code:
sudo nano /etc/openvpn/server.conf
The file opened and I looked for the two lines showing the IP addresses of the DNS servers of my choice, as mentioned in the posts above:
Code:
push "dhcp-option DNS 85.214.20.141"
push "dhcp-option DNS 213.73.91.35"
I deleted one line and modified the other one to read:
Code:
push "dhcp-option DNS 10.8.0.1"
As DNS server for all of our clients I've therefore defined the IP address of the VPN interface (tun0) of our Raspberry Pi (originally it was the local IP of the eth0 interface), and hence all DNS requests are forwarded to the local DNS server (dnsmasq) of the Pi-hole.
With its latest release, Pi-hole changed the content of dnsmasq.conf located at /etc (for details refer to DNS Resolver in the Pi-hole documentation). dnsmasq.conf now simply points to a new folder named dnsmasq.d, also located at /etc (refer to attached screenshot 1). This folder contains the actual configuration files and is initially only populated with one file called 01-pihole.conf, which is the configuration file of Pi-hole's dnsmasq. 01-pihole.conf is used and modified by Pi-hole itself, and no custom modification should be made to it (refer to screenshot 2). However, additional configuration files in this folder will be read in sequence by dnsmasq / FTLDNS.
This means I created a new file called 10-general.conf:
Code:
cd /etc/dnsmasq.d
sudo touch 10-general.conf
sudo nano /etc/dnsmasq.d/10-general.conf
and inserted the line:
Code:
interface=tun0
This means we added a line with the VPN interface (tun0), which is listening on IP 10.8.0.1 by default.
Finally, I simply rebooted the Raspberry Pi.
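The two edits of this post (rewriting the pushed DNS servers in server.conf and adding interface=tun0 for dnsmasq) as one idempotent script, added here as an example and not part of the guide or of PiVPN; it also adds the check a practitioner wants afterwards, namely that the only DNS server pushed to VPN clients is the Pi-hole on tun0, so no client query can bypass the blocklists. Function names, the file-path parameters and the constructed sample server.conf are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the guide or PiVPN): applies the two edits from this
# post with awk/grep instead of nano, idempotently, and verifies afterwards
# that every pushed DNS server is the Pi-hole on tun0.
# File paths are parameters so the functions can be exercised on copies.

PIHOLE_VPN_IP=10.8.0.1   # the tun0 address of the Pi, i.e. of the Pi-hole

# point_pushed_dns_at_pihole SERVER_CONF
# Replaces every `push "dhcp-option DNS x.x.x.x"` line by a single line that
# pushes PIHOLE_VPN_IP (extra DNS lines are dropped; a missing line is added).
# All other lines are left untouched.
point_pushed_dns_at_pihole() {
    conf=$1
    tmp="$conf.tmp.$$"
    awk -v ip="$PIHOLE_VPN_IP" '
        /^[ \t]*push[ \t]+"dhcp-option[ \t]+DNS[ \t]/ {
            if (!done) { print "push \"dhcp-option DNS " ip "\""; done = 1 }
            next
        }
        { print }
        END { if (!done) print "push \"dhcp-option DNS " ip "\"" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# ensure_dnsmasq_listens_on_tun DROPIN_FILE
# Creates the drop-in (10-general.conf in the post) with interface=tun0 unless
# that exact line is already present.
ensure_dnsmasq_listens_on_tun() {
    grep -qx 'interface=tun0' "$1" 2>/dev/null || echo 'interface=tun0' >> "$1"
}

# dns_push_is_pihole_only SERVER_CONF -> 0 iff the only DNS pushed is the Pi-hole
dns_push_is_pihole_only() {
    others=$(grep -E '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$1" \
             | grep -vc "DNS $PIHOLE_VPN_IP\"" || true)
    mine=$(grep -c "^push \"dhcp-option DNS $PIHOLE_VPN_IP\"" "$1" || true)
    [ "$others" -eq 0 ] && [ "$mine" -eq 1 ]
}

# Offline demonstration on a constructed copy of the relevant server.conf lines.
# Returns 0 if the rewrite works, is idempotent and leaves unrelated lines alone.
demo_dns_rewrite() {
    d=$(mktemp -d) || return 2
    cat > "$d/server.conf" <<'EOF'
dev tun
push "dhcp-option DNS 85.214.20.141"
push "dhcp-option DNS 213.73.91.35"
push "redirect-gateway def1"
EOF
    # Before the edit the external resolvers are pushed, so the check must fail
    if dns_push_is_pihole_only "$d/server.conf"; then rm -rf "$d"; return 1; fi
    point_pushed_dns_at_pihole "$d/server.conf"
    point_pushed_dns_at_pihole "$d/server.conf"            # second run changes nothing
    ensure_dnsmasq_listens_on_tun "$d/10-general.conf"
    ensure_dnsmasq_listens_on_tun "$d/10-general.conf"
    dns_push_is_pihole_only "$d/server.conf" || { rm -rf "$d"; return 1; }
    [ "$(grep -c . "$d/10-general.conf")" -eq 1 ] || { rm -rf "$d"; return 1; }
    grep -q '^push "redirect-gateway def1"$' "$d/server.conf" || { rm -rf "$d"; return 1; }
    rm -rf "$d"
}

# Live use (as root on the Pi), followed by a reboot as in the post:
#   point_pushed_dns_at_pihole /etc/openvpn/server.conf
#   ensure_dnsmasq_listens_on_tun /etc/dnsmasq.d/10-general.conf
#   dns_push_is_pihole_only /etc/openvpn/server.conf && echo "clients get Pi-hole DNS only"
```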
OpenVPN for Android
As already stated in the OP, which also contains a few screenshots, I only use OpenVPN for Android by Arne Schwabe on our Android devices. I have no experience with other OpenVPN applications and most likely never will, because Arne's app is easy to configure and runs and performs perfectly, as I expect.
During the installation of PiVPN, and as explained in post #4, I created profiles for each of our mobile Android devices. I transferred the respective profile file (named something like "MyClientName.ovpn") to the respective device. I installed "OpenVPN for Android", opened the application, granted the "storage" permission and just imported the aforementioned file. If I remember correctly, the application asks for the password I created during the creation of the profile. This password is always queried when starting an OpenVPN connection. That was all; I didn't modify anything in the settings of the application.
Please acknowledge these Security Considerations provided by Arne on his FAQ page:
"As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore."
Dynamic DNS
EDIT (2018-06-15)
--------------------------------------------------------------------------------------------------------------------------------------------------
You are certainly aware that a lot of or most Internet Service Providers (ISPs) assign dynamic IPs to an Internet account - at least mine does, i.e. my ISP regularly or occasionally changes the IP address of my account. You can easily retrieve the IP address currently assigned to your account via e.g. IP/DNS Detect (which additionally offers a lot of other useful information about your current footprint on the web - or how well it is disguised by your browser add-ons).
However, with Dynamic DNS it's possible to connect to my Fritz!Box, respectively the Raspberry Pi, despite the changing IPs by use of an unchanging domain name. In order to actually achieve this, a DynDNS provider is required. I personally went with Two-DNS, which offers an account with up to five free hosts and a wide collection of domains to choose from. Below I try to explain how I configured our Fritz!Box for the use of Two-DNS.
By default, the Fritz!Box already cooperates with a lot of DynDNS providers but not with Two-DNS; however, via the option "user defined/customised" it's pretty easily achieved.
Create your Two-DNS account.
After you have created the account, a "New Host" is created by Two-DNS.
You can choose any host name you want unless it's already in use. The dropdown box offers you different possibilities for the domain (part).
Just as an example (it's not my actual domain name): "myfritzbox.my-wan.de", where "myfritzbox" is the host name and "my-wan.de" the domain. The Fritz!Box, respectively the Raspberry Pi, can later be reached via this domain name.
This completed the setup of the account/host at Two-DNS. Now we need to access the web-interface of the Fritz!Box.
Via "Internet => Permissions => Dynamic DNS" (I hope the settings translate this way to English, but I'm convinced you'll figure it out) the following settings were assigned:
Dynamic DNS-Provider: User defined/customised
Update-URL: https://update.twodns.de/update?hostname=<domain>&ip=<ipaddr>
Domain name: your domain (e.g. myfritzbox.my-wan.de)
User name: the email address you registered with Two-DNS
Password: your Two-DNS password
Apply - and that's it. On "Internet => Online-Monitor" it should read (refer to screenshot):
DynDNS active, "your domain name", IPv4-status: successfully logged in.
Attention: Due to the limited number of IPv4 addresses, a lot of new internet accounts have been connected to the internet via Dual Stack Lite (DS-Lite). If this is the case for your internet account, the above-mentioned procedure is unusable. Please acknowledge the following AVM post on their website in this respect.
Customisation of the NTP-Server
I've customised the NTP-server to synchronise the time with the German Physikalisch-Technische Bundesanstalt (PTB).
Code:
sudo nano /etc/systemd/timesyncd.conf
and in its [Time] section set:
Code:
NTP=ptbtime1.ptb.de ptbtime2.ptb.de
Unbound / Recursive DNS server
Updated on 2019-03-18
******************
I decided to install Unbound in order to operate the Pi as my own (tiny) recursive DNS server.
Via the Pi-hole admin GUI, I disabled DNSSEC in Settings => DNS, as Unbound is handling that later on.
Since the very last step, the local root zone, requires a newer version of Unbound than the one currently available via the default sources of Raspbian Stretch, we need to use APT pinning to retrieve the package from the testing branch of Debian.
We install dirmngr and fetch the GPG key needed to verify the packages downloaded from the testing branch:
Code:
sudo aptitude install dirmngr
sudo apt-key adv --receive-keys 0x7638D0442B90D010
Now we edit sources.list and add the testing repository:
Code:
sudo nano /etc/apt/sources.list
#Testing
deb http://ftp.de.debian.org/debian/ testing main non-free contrib
Now we give the testing branch a lower priority than stable:
Code:
sudo nano /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 600
Package: *
Pin: release a=testing
Pin-Priority: 400
Update the package database and install Unbound:
Code:
sudo aptitude update
sudo aptitude install unbound/testing
During the installation, Raspbian provides suggestions on how to resolve the dependencies. The first suggestion is to simply not install Unbound, which we decline with "N". In the second suggestion, all current dependencies are to be updated from the testing branch, which we confirm with "Y" twice. And we allow the services to be automatically restarted during the installation. Don't worry about possible red error messages; we'll take care of that later.
During the installation you'll see the following message:
Configuration file '/etc/lighttpd/lighttpd.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
Please answer with "N" in order to keep the Lighttpd configuration that was installed by Pi-hole.
In order to avoid DHCP network issues during a network restart, add the following to this file:
Code:
sudo nano /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
Now we provide Unbound with a file containing the names and addresses of the root servers.
Code:
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/
We adapt the additional config file for Unbound as provided by the Pi-hole documentation:
Code:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
Restart Unbound and test functionality, commencing with a simple DNS request followed by two DNSSEC checks:
Code:
sudo systemctl restart unbound
dig kuketz-blog.de @127.0.0.1 -p 5353
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
The second request should return "status: SERVFAIL", while the last one should return "status: NOERROR".
Now go back into the Pi-hole admin GUI and, under Settings => DNS, delete the entry in "Custom 2" and untick it.
For "Custom 1" modify the entry to:
127.0.0.1#5353
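To read the result of the three dig tests without eyeballing the output, here is an added shell example (my code, not part of this guide or of the original tutorial) that extracts the status field and the "ad" flag from dig's header lines. It goes one step beyond the text: besides NOERROR it also requires the "ad" (authenticated data) flag on the sigok answer, which a validating resolver sets. The two dig outputs embedded in it are constructed samples; on a live system pass the real dig output as shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the two DNSSEC test queries
# offline. dig_status extracts the "status:" word, dig_has_ad checks for the
# "ad" flag, and dnssec_ok combines the sigfail/sigok answers into one verdict.
# The two dig outputs below are CONSTRUCTED samples in dig's header format.

SIGFAIL_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SIGOK_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# dig_status OUTPUT: print the status word (NOERROR, SERVFAIL, ...) of a dig output
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT: exit 0 if the flags line carries the ad (authenticated data) flag
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ ]ad[ ;]'
}

# dnssec_ok SIGFAIL_OUTPUT SIGOK_OUTPUT
# exit 0 only when the resolver rejected the deliberately broken zone (SERVFAIL)
# and answered the correctly signed one with NOERROR plus the ad flag
dnssec_ok() {
    [ "$(dig_status "$1")" = "SERVFAIL" ] || return 1
    [ "$(dig_status "$2")" = "NOERROR" ] || return 1
    dig_has_ad "$2"
}

# Live use on the Pi (queries Unbound directly on port 5353):
# dnssec_ok "$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353)" \
#           "$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353)" && echo "DNSSEC validation works"
```

If sigfail comes back NOERROR, validation is not happening at all (check that the query really reached port 5353 and that the trust anchor is in place); if sigok comes back without the ad flag, Unbound answered but did not validate.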
Pi-hole lighttpd Workaround
The upgrade of the Debian Buster (Testing) package of Unbound (v. 1.9.0-2) also upgrades the lighttpd webserver package from version 1.4.45-1 (now stable) to 1.4.53-3 (testing). Currently, Pi-hole isn't yet compatible with the new lighttpd syntax. After an upgrade to the new version, the lighttpd webserver doesn't start and the Pi-hole web interface can't be reached. To solve this issue, here's the following work-around:
Code:
sudo nano /etc/lighttpd/lighttpd.conf
Comment the following line
Code:
#include_shell "/usr/share/lighttpd/create-mime.assign.pl"
and insert this line:
Code:
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
Start or re-start the lighttpd service:
Code:
service lighttpd start
service lighttpd restart
Some users, including me, complained about starting issues of the lighttpd webserver, therefore I also commented the following line:
Code:
#include_shell "cat external.conf 2>/dev/null"
In order to spare Unbound the first DNS request to the DNS root servers, we provide Unbound with the respective configuration. It must occasionally be updated, as the DNS root servers themselves sometimes change, e.g. their IP addresses. As I don't want to update everything manually, I created two things:
a mechanism that automatically notifies me about updates
and a script that eases the replacement by new configuration files.
We create a dynamic Message of the Day (MOTD). This is supposed to be a notification that always appears whenever we log into the Pi via SSH. We delete the static MOTD so that only our dynamic one is displayed.
Code:
sudo rm /etc/motd
We now edit a file in the folder that is evaluated when the MOTD is created. This will ensure that we're always informed whether the Hyperlocal configuration is current when we log into the Pi via SSH.
Code:
sudo nano /etc/update-motd.d/20-info
The code in this file will be executed and the resulting output transferred to the MOTD. Add the following lines but replace "NAME" with your Pi user name.
Code:
#!/bin/bash
echo
echo -e "\e[1mUptime:\e[m $(uptime)"
echo -e "\e[1mDate:\e[m $(date)"
echo -e "\e[1mHyperlocal conf:\e[m $(cat /home/NAME/.unbound/update.txt)"
echo
In the folder for user scripts we now create the new script that will provide the update notifications:
Code:
sudo nano /usr/local/bin/autoupdatelocalroot
Code:
#!/bin/bash

## VARIABLES ##
DIR=$HOME/.unbound
hints=/var/lib/unbound/root.hints
conf=/etc/unbound/unbound.conf.d/localroot.conf
infile=${DIR}/root.hints
outfile=${DIR}/localroot.conf
update=${DIR}/update.txt

## SCRIPT ##
# check for existence of update.txt file and .unbound directory
if [[ ! -d $HOME/.unbound ]]; then
    mkdir ${DIR}
fi
if [[ ! -e $HOME/.unbound/update.txt ]]; then
    echo "up to date" > ${update}
fi

# get the file with the root servers and save as "root.hints"
wget --timeout=30 -O ${infile} https://www.internic.net/domain/named.root

# extract name and IP addresses (A + AAAA) of root servers and nicely put them into the file for unbound
awk '\
BEGIN\
{
    print "auth-zone:\n\tname: \".\""
}
{
    if($0 ~ /[ ]NS[ ]/) { print "\t# "$NF }
    if($0 ~ /[ ]A[ ]/) { print "\tmaster: "$NF }
    if($0 ~ /[ ]AAAA[ ]/) { print "\tmaster: "$NF }
}
END\
{
    print "\tfallback-enabled: yes\n\tfor-downstream: no\n\tfor-upstream: yes\n\tzonefile: \"root.zone\"\n"
}\
' ${infile} > ${outfile}

#update the motd update notification if neither outfile nor diff file empty
if [[ -e ${outfile} && "$(diff -Niw ${conf} ${outfile})" != "" ]] || [[ -e ${infile} && "$(diff -Niw ${hints} ${infile})" != "" ]]; then
    echo "Update available – please run: sudo updateunboundconf" > ${update}
else
    echo "up to date" > ${update}
fi

#print update status
cat ${update}
echo
The script will be made executable for all users and added to crontab for regular execution. When I was asked which editor to use while editing crontab, I stayed with nano.
Code:
sudo chmod 755 /usr/local/bin/autoupdatelocalroot
crontab -e
To execute the script e.g. on Sundays at 04:20, we add the following line:
Code:
20 4 * * 0 /usr/local/bin/autoupdatelocalroot
Now we create the second script that will ease the update of the configuration files. It won't be executed automatically but only after a manual launch, for a simple reason: I want to control this and be personally present in case of any unforeseen event.
Code:
sudo nano /usr/local/sbin/updateunboundconf
Code:
#!/bin/bash

## VARIABLES ##
DIR=/home/$(logname)/.unbound
hints=/var/lib/unbound/root.hints
conf=/etc/unbound/unbound.conf.d/localroot.conf
infile=${DIR}/root.hints
outfile=${DIR}/localroot.conf
update=${DIR}/update.txt
PLSUPDATE="Please run 'autoupdatelocalroot' first."
NOTHING="Update skipped, nothing done."

## SCRIPT ##
#update root.hints file
if [[ -e ${infile} ]] && [[ "$(diff -Niw ${hints} ${infile})" != "" ]]; then
    input=r
    echo "Install new root.hints file for Unbound (overwrites old file)?"
    echo "Yes / No / Re-Read differences?"
    while [[ "$input" =~ [rR] ]]; do
        diff -Niw ${hints} ${infile} | less
        read -e -p " [Default = no] (y/n/r): " input
    done
    if [[ "$input" =~ [yY] ]]; then
        mv -fv ${infile} ${hints}
        chown unbound:unbound ${hints}
        chmod 644 ${hints}
        yes1=TRUE
    else
        echo
        echo $NOTHING
        echo
    fi
else
    if [[ ! -e ${infile} ]]; then
        echo
        echo $PLSUPDATE
        echo
        exit 1
    else
        yes1=TRUE
    fi
fi

#update localroot.conf file
if [[ -e ${outfile} ]] && [[ "$(diff -Niw ${conf} ${outfile})" != "" ]]; then
    input=r
    echo "Install new localroot.conf file for Unbound (overwrites old file)?"
    echo "Yes / No / Re-Read differences?"
    while [[ "$input" =~ [rR] ]]; do
        diff -Niw ${conf} ${outfile} | less
        read -e -p " [Default = no] (y/n/r): " input
    done
    if [[ "$input" =~ [yY] ]]; then
        mv -fv ${outfile} ${conf}
        yes2=TRUE
    else
        echo
        echo $NOTHING
        echo
    fi
else
    if [[ ! -e ${outfile} ]]; then
        echo
        echo $PLSUPDATE
        echo
        exit 1
    else
        yes2=TRUE
    fi
fi

#update motd update notification
if [[ "$yes1" == TRUE ]] && [[ "$yes2" == TRUE ]]; then
    echo "up to date" > ${update}
    echo
    echo "Unbound's local root config is up to date!"
    echo
else
    echo
    echo "Entire or partial Update still pending."
    echo
fi
This script is also made executable, but only for root (in case you use multiple users).
Code:
sudo chmod 744 /usr/local/sbin/updateunboundconf
Let's perform a test run, which at the same time creates the effective configuration files.
Code:
sudo autoupdatelocalroot
For the second script we're using the tool diff, which shows the differences between the files. The symbol "<" at the beginning of a line shows that this line is removed in the second file (i.e. the new, updated configuration), while ">" means this line will be added. To see all differences, navigate with the arrow keys and quit with the key "q".
For final installation of the new files confirm with "Y".
Code:
sudo updateunboundconf
All credits go to Mike Kuketz and Max Tschaeggaer for their German speaking tutorial.
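As an added, stand-alone example (my code, not the scripts above or Mike Kuketz's originals), the following shell functions perform the same named.root to auth-zone conversion as autoupdatelocalroot on a constructed excerpt of named.root. They differ from the script above in three ways: records are matched by the type column rather than by a substring regex, a generated stanza that contains no master entries is refused (which is what you get when the wget download fails and leaves an empty file; the script above would happily flag that as an "update"), and the diff -Niw check that decides the MOTD text is reproduced as a function. The root-server names and addresses in the sample are constructed (documentation ranges), not a current named.root.

```shell
#!/bin/sh
# Added example (not from the thread): named.root -> Unbound auth-zone stanza,
# plus the sanity checks a practitioner would want before installing the result.
# SAMPLE_ROOT_HINTS is CONSTRUCTED sample data in named.root's column layout
# (name, TTL, type, data); the addresses are documentation ranges, not real roots.
SAMPLE_ROOT_HINTS='; constructed sample, not the real named.root
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::201'

# root_hints_to_authzone: read named.root lines on stdin, write an Unbound
# auth-zone stanza for "." on stdout. Matching on the type column ($3) means
# comment lines and header text can never leak into the generated config.
root_hints_to_authzone() {
    awk '
    BEGIN { print "auth-zone:"; print "\tname: \".\"" }
    /^;/ { next }                              # skip named.root comments
    $3 == "NS"   { print "\t# " $4 }           # server name as a comment
    $3 == "A"    { print "\tmaster: " $4 }     # IPv4 glue -> transfer source
    $3 == "AAAA" { print "\tmaster: " $4 }     # IPv6 glue -> transfer source
    END {
        print "\tfallback-enabled: yes"
        print "\tfor-downstream: no"
        print "\tfor-upstream: yes"
        print "\tzonefile: \"root.zone\""
    }'
}

# count_masters: number of master: lines in a stanza read from stdin (never fails)
count_masters() {
    grep -c '^[[:space:]]*master:' || true
}

# validate_authzone STANZA: exit 0 only if at least one master was generated.
# An empty or truncated download yields a stanza with no masters; installing it
# would leave Unbound with a root auth-zone it can never transfer.
validate_authzone() {
    n=$(printf '%s\n' "$1" | count_masters)
    [ "$n" -ge 1 ]
}

# update_status INSTALLED_FILE NEW_FILE: the MOTD text the thread's scripts write,
# using the same diff -Niw comparison (missing file = empty, ignore case/whitespace)
update_status() {
    if [ -e "$2" ] && [ -n "$(diff -Niw "$1" "$2")" ]; then
        echo "Update available, please run: sudo updateunboundconf"
    else
        echo "up to date"
    fi
}

# generate_sample: run the conversion on the constructed excerpt
generate_sample() {
    printf '%s\n' "$SAMPLE_ROOT_HINTS" | root_hints_to_authzone
}

# Stand-alone run: print the stanza and the validation verdict
generate_sample
if validate_authzone "$(generate_sample)"; then
    echo "# stanza is installable"
fi
```

Two things neither script in the thread does, which are worth remembering when you use this: after a new localroot.conf has been installed, Unbound must be restarted (sudo systemctl restart unbound) or reloaded before the change takes effect, and not every root server permits a zone transfer, so with fallback-enabled: yes Unbound simply falls back to ordinary recursion for the root when the transfer from the listed masters fails.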
Congratulations on putting together this great and well-written guide :good:
I was thinking about something similar to Pi-hole, but never thought about the possibility to combine ad-blocking with my own VPN. Thank you for bringing this to my attention, I surely have some things left to read on the security blog by Mike Kuketz.
Portgas D. Ace said:
Congratulations on putting together this great and well-written guide :good:
I was thinking about something similar to Pi-hole, but never thought about the possibility to combine ad-blocking with my own VPN. Thank you for bringing this to my attention, I surely have some things left to read on the security blog by Mike Kuketz.
Congratulations to your 4,000th post.
I was in contact with Mike and he granted me permission to more or less translate his tutorials and to post them on XDA. Already a long time ago I realised that it's really worth monitoring his blog closely.
Nice work and as always precise in your instructions :good:
Meanwhile, I also have a fixed public IPv4 address. I found a company that cooperates with my ISP, and they provided me with the fixed IPv4 for a small monthly fee. All procedures described above (especially in post #4 and post #7) remain the same with one exception: I did not enable or set up DynDNS in the Fritzbox.
Important also, you need to find a DynDNS provider that allows you to manually insert an IPv4 address into your DynDNS account; not all providers do, e.g. Two-DNS, mentioned in post #7, doesn't. These providers simply take the IPv4 address that they read, and that one is a non-public dynamic IPv4 address. I'm now with ddnss.de. Here, I was allowed to manually override and save the read non-public IPv4 with my new fixed IPv4 address.
The reason why you must not enable DynDNS in the Fritzbox is pretty easy: if it is enabled it will initiate updates of your DynDNS and hence overwrite the fixed public IPv4 address with a dynamic non-public IPv4 through which the Pi can't be accessed.
PiVPN is running fantastically, and I now have OpenVPN on all of our devices that have access to the internet. Now, no matter where, and whether mobile data, an insecure public WiFi network or a secure WiFi network other than ours is used, I'm able to initiate my own private secure VPN tunnel to my router and my Raspberry Pi.
Having this working now, I'm going to stick with my current ISP.
EDIT (2018-06-24): Just for completeness - while on mobile network with the Android, the VPN with my RaspberryPi is established in about 3 seconds on WiFi and 5 seconds on mobile data (even if only on 2G). To establish the VPN between the PC and the Pi it takes 7 seconds (see attached log). Additionally, use of the Pi as DNS-server works seamlessly.
Hi! I followed your guide and everything is working properly. I have just one issue. I would like to route only DNS via VPN. I tried doing what this article in Pi-hole documentation suggested. I couldn't find
HTML:
push "redirect-gateway def1 bypass-dhcp"
so I commented out
HTML:
push "redirect-gateway def1"
But doing this stops the internet connection on the client device though the OpenVPN profile is successfully connected.
Any suggestions on how I can route only DNS via VPN? Any help would be much appreciated. Thanks
Ex-Hunter said:
Hi! I followed your guide and everything is working properly. I have just one issue. I would like to route only DNS via VPN. I tried doing what this article in Pi-hole documentation suggested. I couldn't find
HTML:
push "redirect-gateway def1 bypass-dhcp"
so I commented out
HTML:
push "redirect-gateway def1"
But doing this stops the internet connection on the client device though the OpenVPN profile is successfully connected.
Any suggestions on how I can route only DNS via VPN? Any help would be much appreciated. Thanks
I couldn't find the line mentioned in the linked tutorial either; my server.conf file also only contains
Code:
push "redirect-gateway def1"
, a line that is not commented out.
I apologise I've no clue at all. You certainly have your reasons to go the way you describe, and I'm not questioning it. Before I used OpenVPN with my Pi, I used the DNS changer I mentioned in about the middle of this post. I can confirm this application is working even with mobile data by just establishing a VPN in order to only use DNS servers of your desire.
In order to keep this thread up-to-date, I like to share my latest and new experiences. Till last Friday and as I already mentioned within this thread my internet connection was via fibre-optics. My data plan with the fibre-optics ISP was 100 MBit/s down- and upload, and as this ISP only offers public dynamic IPv6 addresses, I additionally had to book a public static IPv4 address from another commercial provider. Overall, my monthly charges for this setup were about 55 €.
Since last Friday, my new internet connection via VDSL by a different ISP is online. The data plan I ordered is for 50 MBit/s download and 10 MBit/s upload, which I assumed to fulfill my requirements. If I realise this to be insufficient I can upgrade to 100/40 anytime but after only three days I already doubt I have to. This ISP offers public dynamic IPv4 addresses i.e. I don't require the additional contract for a static IPv4 anymore (and it has already been cancelled). For this data plan, my new ISP charges me about 35€ a month i.e. I'm now saving 20€ per month.
With this change of ISP (and type of connection) I had to perform three changes in the settings of my FritzBox: Enter the new credentials for the different internet connection, enter the new credentials for VoIP, and re-enable the dynDNS that I did setup when I initially established the Pi in our home network.
Overall: My own private secure VPN between OpenVPN for Android and the PiVPN continues to work flawlessly and perfectly! DynDNS is always immediately updated when the public IPv4 address changes. I'm still extremely satisfied with the complete setup described in this thread.
Can you write on how to forward only DNS requests to the VPN via OpenVPN? I couldn't get it to work. Also, forwarding port 53 and using the pi as a public DNS is not recommended.
MikeTheGamer said:
Can you write on how to forward only DNS requests to the VPN via OpenVPN? I couldn't get it to work. Also, forwarding port 53 and using the pi as a public DNS is not recommended.
A few months ago, @Ex-Hunter asked a very similar question here. I'm unable to answer your question. I've achieved my primary goal with my setup, to be able to connect to my PiVPN via my own secure VPN if I'm connected to a network other than our home one. Additionally, I wanted to use the Pi-hole in our home network. All is working great! And I absolutely trust Mike Kuketz, whom I mentioned in the OP and whose instructions I followed.