As seen when I type with wifi tethering enabled
iptables -L -t nat -v
the MASQUERADE line is like "-o pdp0 -i any", this means that packets are matched only when they exit via the mobile network.
However, the line should be more like "-i softap0 ! -o softap0". The MASQUERADE line should match packets that enter via the wifi access point, and leave via any other interface. (But see below, -i doesn't work, must use -s)
I found this while trying to use openvpn. When openvpn is running, the android device has complete access to the vpn according to my tests. The laptop associated with the AP can access the internet, the android device, but not the network behind the VPN connection. I can find no reason for this other than the MASQUERADE line. The routing table, sysctl *.forward etc. are all looking fine.
With this MASQUERADE line, it cannot possibly work, because when the unmasqueraded softap0 packets go down the tun0 interface, no machine knows where to route the reply packets.
This is on Android 2.3, Samsung galaxytab stock firmware. I'll investigate further.
Update:
when I stop tethering, the MASQUERADE rule goes away. This proves it's indeed controlled by tethering.
I tried it on Android 4.0, Sony Xperia pro, Cyanogenmod 9 ---> same thing
I can understand that noone ever thinks about making a MASQUERADE line with "-i interface", but it seems actually the right thing to me. (Must use -s addr/mask instead) I'm doing this on a laptop with lots of virtual machines connected to an internal network. This must be masqueraded for outgoing packets, no matter what interface it goes out (wlan0, eth0, openvpn etc.)
Update:
-i interface doesn't work in POSTROUTING. So the line should be "-s address_range_of_softap ! -o interface".
This complicates matters for a workaround. I'm planning to schedule a script at boot time, but I don't know how to (correctly) find the softap address when it's not running.
Update:
I tried tethering and replaced the iptables rule with "-s address_range_of_softap ! -o softap0" instead of just "-o pdp0". This still works to route/masquerade traffic to the internet, but doesn't work vor tun0 (openvpn). I don't know why. No packets/bytes go through it (counter doesn't increase) when pinging the other side of the vpn.
Related
Hi guys!
I´ve got problems to establish a connection to the university wlan network with my phone.
We´ve got a Cisco Router, so I need Cisco VPN support.
Any helpful suggestions for me?
Greetings, DaXmYsT
I asked SE, they sad they are not sure if they are intended to implement Cisco PPTP VPN support.
It is possible, but not easy at the moment... If you know linux well, look at the tun.ko module i compiled for the x10 mini and look for get-a-robot-vpnc packages and how to's. You'll have to fix the vpnc scripts but it works. Sorry i'm not at home and won't be able to share more than the kernel module i posted in the x10 mini forum...
Sent from my U20i using XDA App
I too am battling with this.
The vpnc-script as is stands does't work very well and is throwing up loads of errors. I had to install busybox on the device and set PATH so it used those commands so it could find things commands like "which" and "grep" etc. However simple lines in the script to set up variables such as
IPROUTE="`which ip | grep '^/' 2> /dev/null`"
Which is simply trying to set variable IPROUTE to the path where the command "ip" is found is failing, so I've set had to set up all the variable paths manually. I do not know why this is failing, but I suspect it's using "grep" is a slightly different manner to the busybox grep I have. grep didn't exist in /system/bin by default on my phone. (Debranded x10 on Voda)
However the big problem I've now discovered is the "route" command. The default in /system/bin fails miserably with the commands in the script and the busybox route command doesn't support all the options either.
So I'm now working out what the script is trying to do with the routing table so I can set all this manually...
...but appreciate any help!
UPDATE: Well I got vpnc working - turned out my version of busybox was waaay out of date. Installed the latest and it works just fine. Of course now I can connect via RDP to my work machine over my VPN I very much doubt I'll ever want or need to!
Which busybox version are you using?
Also which app from the market?
Thanks!
I am using busybox 1.16.1 downloaded from busybox - I then had to copy the binary over to my phone and installed it in /system/sbin
this caused me a few issues as in init.rc it sets up the path /system/sbin before /system/bin so applets from busybox took priority over /system/bin.
So I had to remove the "ps" and the "su" commands IIRC.
However doing it the other way would have also caused issues, as "route" only worked when I used the busybox 1.16.1 and not the one currently in my /system/sbin
Other strange oddities also included the fact that rmmod from busybox didn't work but it did from the original /system/bin.
meh
I then also got the latest get-a-robot-vpnc.
I also needed the tun module, which I placed into /system/lib/modules
get-a-robot-vpnc didn't automatically install this module correctly though so I modified the scrip to ensure that when I used it the tun.ko module was loaded....
Code:
TUNTEST="`lsmod | grep 'tun'`"
if [ -z "$TUNTEST" ]; then
echo "tun not found try to install"
insmod -f /system/lib/modules/tun.ko
else
echo "tun module installed"
fi
Which seemed to do the trick.
I also had to put in my appropriate flags for vpnc.
Essentially I got it working first just using the shell and typing the commands manually and then got it working with the GUI.
I do not understand you mean that the included VPN client in Mini does not work with cisco VPN (pptp)?
Because for me it worked with a cisco vpn 3000.You say that you do pptp but which one (it could be pptp over ipsec?)
However, there is a free client on the market called "vpn connection", which work very vell with cisco equipement, it worked like a charm on my dream, but only on wifi as my phone provider do not let pass ipsec or pptp/ipsec.
Bye
Herc.
Hello,
I'm trying to connect to a Cisco VPN client by using VPN Connections on an Archos 70 IT 250 GB, that is rooted.
I always get a "Connection failed" message, after which the app crashes.
Did anyone succeed in getting VPN Connections working on Archos 70 IT ?
Regards,
Tonny
TonnyVanmunster said:
Hello,
I'm trying to connect to a Cisco VPN client by using VPN Connections on an Archos 70 IT 250 GB, that is rooted.
I always get a "Connection failed" message, after which the app crashes.
Did anyone succeed in getting VPN Connections working on Archos 70 IT ?
Regards,
Tonny
Click to expand...
Click to collapse
Hi,
I used to have the same error on my Galaxy S, when trying to create a VPN tunnel to my companies CISCO gateway.
The problem seems to relate to the missing tun.ko library.
I'm not sure if the Samsung Galaxy files will work for Archos, but you might want to adapt and try the following how-to: http://forum.xda-developers.com/showthread.php?t=793712&highlight=tun.ko
Regards,
Patrick
TonnyVanmunster said:
Did anyone succeed in getting VPN Connections working on Archos 70 IT ?
Click to expand...
Click to collapse
I found a possible clue. After trying several free pptp vpn services and noticing that it seemed to resolve a url one time then just hang, I set up a vpn on my lan and tried the local coffee shop connection to access it. I found that if encryption was completely disabled on the lan vpn and unchecked on the 70 IT, it would connect and I could browse, check email, etc. As soon as I set the policy on the vpn server to enable any level of encryption it was back to the resolve 1 url and hang behavior. Of course an unencrypted vpn is about as worthless as t*ts on a bull but it's the only clue I've found. As a control, I tried an ip*d touch w/encryption on against the same vpn with all levels enabled and that worked.
If anybody else who's running a local vpn can duplicate and confirm this, it's a step in the right direction!
VPN Connections 0.99 (aka get-a-robot-vpnc) working on A101IT with urukdriod-0.6
I've managed to make get-a-robot-vpnc (aka VPN Connections 0.99) work on urukdroid0.6 on Archos 101 IT.
There are two issues with default vpnc.script, and one issue with output of 'ps' command needed by VPN Connections 0.99 GUI, to check is there a connected vpnc process.
Resolving vpnc.script issues:
1. Symbolic link is missing that links /bin/busybox (or /usr/local/bin/busysbox on urukdroid) to 'which' command (cd /usr/local/bin; ln -s busybox which)
2. Symbolic link is missing that links /bin/busybox (or /usr/local/bin/busysbox on urukdroid) to 'ip' command (cd /usr/local/bin; ln -s busybox ip)
$aur0n told me that this two commands/links will be included in urukdroid-0.7.
Resolving GUI 'ps' issue (a bit harder ):
VPN COnnections GUI do 'ps | grep 'vpnc$' to see is there active vpnc process (established connection), but output of 'ps' command(s) found on urukdroid is not what GUI expects, so it cannot find vpnc proccess even if it is running and VPN is established.
On urukdroid there is 2 versions of 'ps' command:
1st is /bin/ps which is symbolic link to /bin/busybox (very old version of busybox (1.7.2, I believe) and output of ps this command is not suitable for VPN Connections (GUI)
2nd is /usr/local/bin/ps which is native ps command, but its output is also not suitable for VPN Connections (GUI)
There is a (hidden ) 3rd 'ps' command in /usr/local/bin/busybox (that version of busybox is 1.17.2) - but also not suitable output for VPN Connections (GUI).
Experimenting a bit I've found that '/usr/local/bin/ps -A' gives an suitable output, so I:
1. renamed /usr/local/bin/ps to /usr/local/bin/ps.new
2. made a script /usr/local/bin/ps with:
Code:
#!/bin/sh
ps.new -A
exit $?
3. chown root:root /usr/local/bin/ps; chmod 755 /usr/local/bin/ps
After that, everything worked.
Hope this solves issues for some of you
P.S. Forgot to mention - urukdroid 0.7 will have its own vpnc service built-in.
Works in UD 1.5
nenadr said:
I've managed to make get-a-robot-vpnc (aka VPN Connections 0.99) work on urukdroid0.6 on Archos 101 IT.
There are two issues with default vpnc.script, and one issue with output of 'ps' command needed by VPN Connections 0.99 GUI, to check is there a connected vpnc process.
Resolving vpnc.script issues:
1. Symbolic link is missing that links /bin/busybox (or /usr/local/bin/busysbox on urukdroid) to 'which' command (cd /usr/local/bin; ln -s busybox which)
2. Symbolic link is missing that links /bin/busybox (or /usr/local/bin/busysbox on urukdroid) to 'ip' command (cd /usr/local/bin; ln -s busybox ip)
$aur0n told me that this two commands/links will be included in urukdroid-0.7.
Resolving GUI 'ps' issue (a bit harder ):
VPN COnnections GUI do 'ps | grep 'vpnc$' to see is there active vpnc process (established connection), but output of 'ps' command(s) found on urukdroid is not what GUI expects, so it cannot find vpnc proccess even if it is running and VPN is established.
On urukdroid there is 2 versions of 'ps' command:
1st is /bin/ps which is symbolic link to /bin/busybox (very old version of busybox (1.7.2, I believe) and output of ps this command is not suitable for VPN Connections (GUI)
2nd is /usr/local/bin/ps which is native ps command, but its output is also not suitable for VPN Connections (GUI)
There is a (hidden ) 3rd 'ps' command in /usr/local/bin/busybox (that version of busybox is 1.17.2) - but also not suitable output for VPN Connections (GUI).
Experimenting a bit I've found that '/usr/local/bin/ps -A' gives an suitable output, so I:
1. renamed /usr/local/bin/ps to /usr/local/bin/ps.new
2. made a script /usr/local/bin/ps with:
Code:
#!/bin/sh
ps.new -A
exit $?
3. chown root:root /usr/local/bin/ps; chmod 755 /usr/local/bin/ps
After that, everything worked.
Hope this solves issues for some of you
P.S. Forgot to mention - urukdroid 0.7 will have its own vpnc service built-in.
Click to expand...
Click to collapse
Just wanted to say thanks! I'm using Urukdroid 1.5 and had the same issue. Used your trick and now VPNC connects to my companies VPN ^_^
Hi,
Last week I received my Archos 101. In general it is great. Even better is this forum
I installed urukdroid (thanks to the project-team!). I tried to use openvpn but it failed and I am not sure about the reason.
The server-configuration is
...
ifconfig-pool 10.10.10.120 10.10.10.130
push "route 10.10.10.1"
route 10.10.10.0 255.255.255.0
ifconfig 10.10.10.1 255.255.255.0
push "route-gateway 10.10.10.1"
push "route 10.10.10.0 255.255.255.0"
...
As the Archos is the only device it would get IP 10.10.10.120.
BUT: ifconfig shows:
inet addr.: 10.10.10.255 Bcast: 10.255.255.255 Mask 255.0.0.0
That did (and cannot) work. No ping to home network possible.
When I called route it looked fine (I used redirect-gateway).
When I send the command
ifconfig tap0 10.10.10.120 broadcast 10.10.10.1 netmask 255.255.255.0
from Archos Terminal I had at least access to my home network. But all route entries are gone.
Who has an idea what I am doing wrong? I checked it in the last day again and again... If there is no solution: is it possible to 'save' the entries from route and restore it after my manual change of ifconfig? I would like to do it via script, as my home network I only reachable via dyndns.
Thanks and best regards!
I used the OpenVPN Howto Quickstart and had no problems.
macemoneta said:
I used the OpenVPN Howto Quickstart and had no problems.
Click to expand...
Click to collapse
Yes, I know the guide. I did the same with my ubuntu-netbook and it works directly.
And I think, it would work also on the Archos, if the openvpn/ifconfig on Archos accept the 10.10.10.120. But the IP is changed to 10.10.10.255 and that did not fit.
Where the h*** did the 255 instead of 120 come from?
I noticed the same problem...
No idea where it comes from, but as a workaround, you can put a script somewhere containing a suitable "ip addr add x.x.x.x/y dev z" statement, and reference that in the .conf file as "up scriptname".
Note that you need to add "--script-security 2" to the openvpn commandline to make that work. I added that to the OPENVPN_CFG variable in /etc/uruk.conf/openvpn.
regards
Patrick
This is the openvpn configuration I use for my Archos 101 (on the server). I'm not having any problems, using openvpn 2.1.1:
Code:
port 1194
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/[COLOR="Blue"]<my host>[/COLOR].crt
key /etc/openvpn/keys/[COLOR="blue"]<my host>[/COLOR].key
dh /etc/openvpn/keys/dh1024.pem
mode server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.4 10.8.0.255
push "route 10.8.0.1 255.255.255.255"
client-config-dir ccd
push "redirect-gateway def1"
push "dhcp-option DOMAIN [COLOR="Blue"]<my domain>[/COLOR]"
push "dhcp-option DNS [COLOR="blue"]<my dns server>[/COLOR]"
keepalive 10 60
inactive 3600
route 10.8.0.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
verb 4
I examined the situation a bit further.
The problem comes from the ifconfig command that openvpn calls itself:
Code:
/system/bin/ifconfig myvpn \
192.168.x.41 \
netmask 255.255.255.0 \
mtu 1500 \
broadcast 192.168.x.255
This is only used when tap interfaces are involved, which is the case in my setup, but not in the setup macemoneta is showing. caesar68: do you also use tap interfaces?
I can reproduce the problem by just using that ifconfig command again.
When I list the IP-address-to-set as the last argument, instead, it works, i.e.
Code:
/system/bin/ifconfig myvpn \
netmask 255.255.255.0 \
mtu 1500 \
broadcast 192.168.x.255 \
192.168.x.41
A quick scanning of the openvpn manpage, does not suggest a way to override the ifconfig command that is used, but it does give an option --ifconfig-noexec which suppresses its calling.
Unfortuntely, when I just pack the is-working-after-the-interface-is-up ifconfig command into an up script with this option, it just gives me an error SIOCSIFNETMASK (Cannot assign requested address) - even if the same commandline works when I run it over an already upped interface... Probably because the interface then already had an IP address...
No problem, though, ifconfig is obsolete anyway, let us just use ip link and ip addr, which are fortunately available under Uruk.
So, caesar68, the clean solution would be to have
--script-security 2 on the openvpn commandline, e.g. via OPENVPN_CFG in /etc/uruk.conf/openvpn
in your myvpn.conf file:
Code:
ifconfig-noexec
up-delay
up-restart
up /etc/openvpn/myvpn-on-up
a corresponding script /etc/openvpn/myvpn-on-up, executable, with content
Code:
#! /system/bin/sh
ip link set $dev mtu $tun_mtu up
ip addr add $ifconfig_local/$ifconfig_netmask \
broadcast $ifconfig_broadcast \
dev $dev
Works For Me
Thanks for the explanation and the workaround, brian_o'fish. Why are you using tap though? Tap provides an Ethernet bridge, so you'll be transporting packets that really don't need to be sent to your Archos (reducing available bandwidth). Tun is layer 3 routed, so only traffic destined for either endpoint goes over the VPN connection.
macemoneta said:
Why are you using tap though?
Click to expand...
Click to collapse
That's what the server I'm using, is configured to do, as it provides transparant bridged LAN access via VPN, and that is what I want, as I am the admin of said LAN and VPN.
If the low level of broadcasts we have, ever increases or appears to be a problem to me, I'll set up an additional tun server, but for now it is simply not an issue.
Anyway, good hint in general!
Hi all!
Thanks a lot for your comments. Yes I am using tap. I would like to have access to my home network (storage etc.). Therefore I want to use the brigde functionality. And that works only when I changed the ifconfig manually afterwards. But the route is distroyed then and packages to the internet are not routed secure thru my home-network.
@ brian_o'fish: Thanks for the advise. I will try that the next days. In the moment I am happy to read, that I am not the only one with the problem (and maybe to stupid to use openvpn - but on the netbook it works).
I have never worked with tun. Maybe I could check, if that is also a workaround.
I will keep you informed, but I am on a trip the next days.
Thanks again!
*** Update ***:
I didn't work neither with tap nor with tun. Meanwhile I tried to run VPNC. I had some trouble, but it works now.
caesar68 said:
I didn't work neither with tap nor with tun.
Click to expand...
Click to collapse
Did you try the approach I described with tap, and can tell where / how it failed?
USB reverse tethering = Cellphone gets network connection from PC via USB.
I know how to do USB reverse tethering except for one problem: Many Android apps will check network connection using the code below before doing any useful work:
Code:
ConnectivityManager connectivityManager = (ConnectivityManager)context.getSystemService(Context.CONNECTIVITY_SERVICE);
NetworkInfo info = connectivityManager.getActiveNetworkInfo();
The problem is that, when using USB reverse tethering, the above code will report no network connection. However, there IS a network connection (which is the USB reverse tethering itself), and ping, wget and all programs not doing this stupid check work well.
So the question is: How can I hack the system to let this network connection check return success (so that I can fool these apps)?
BTW. I use Cyanogenmod 7. And any solution specific to this MOD is also welcome.
Hello,
Could you please tell me how did you do the USB reverse tethering? Since on USB connection there is no option to do that under CM 7.1?
...
Thank you. Unfortunately the binary /system/bin/netsharing is not part of CM7.1, apparently it exists with Sense ROM. How do you manage to run it under CM7.1?
Sense ROM has the reverse USB tether built-in ("Internet passthrough"), maybe if the 2 commands could be executed, thanks to existing HTC NDIS driver doing NAT inside the PC it will work?
I've tested in CM7 that netsharing is not needed. Just execute the rest of the commands will be OK. Of course you need to do NAT on the PC because what you've setup is just a small LAN with private IP addresses.
Thank you for your input.
What I understand:
1- connect the phone via USB cable, choose charge only
2- Assuming my router has IP 192.168.1.1:
So I have to type these commands, could you confirm?
Code:
echo 4 > /sys/devices/platform/msm_hsusb/usb_function_switch
route add default gw 192.168.1.1
ifconfig usb0 192.168.1.1 mtu 500 up
But then how to do the NAT thing is out of my knowledge!
In fact what I want is when there is no router (since mine is wireless) with available Internet connetion
(ADSL line down). So I have to use USB 56kbps modem with telephone line to access Internet from the PC (running XP).
And I would like to plug the Android phone with USB cable and allow the phone to access Internet (Internet sharing
with the PC). I am not sure of the operations to do then.
Sorry but I don't know how to set up NAT on Windows XP... I use Linux and a simple iptables command suffices:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've been looking for this for a while finally I got it, this is what I did:
- Connect your android device to your linux PC
- Enable USB tethering
- On your linux box as root (I'm using Fedora 16)
Code:
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig usb0 12.12.10.1
With this you will enabled internet sharing between network interfaces and assign an IP to the usb interface.
- Enable mobile data access (3G) on your android
- On your Android using adb or terminal emulator
Code:
ifconfig rmnet0 0.0.0.0
ifconfig usb0 12.12.10.2
route add default gw 12.12.10.1 dev usb0
setprop net.dns1 8.8.8.8
The first line will disable the data traffic through your 3G connection so all the traffic wiil go through the USB
- Enjoy
All apps works because they see a vaild 3G connection!!!
WARNING: If during you are USB connected, the 3g connection is reset, the system will restore its IP and DNS so
the traffic will go through this interface you must reset again the IP to 0.0.0.0 and the dns to 8.8.8.8. Maybe
one of the devs here could help us to prevent this happened. You can always check the IP values of all interfaces by typing "netcfg"
Press Thanks if I help you
everytime,
bash: /proc/sys/net/ipv4/ip_forward: Permission denied
yes i tried with sudo, same output.
using ubuntu12.04 64 bit. all other commands are fine,
gandhar said:
everytime,
bash: /proc/sys/net/ipv4/ip_forward: Permission denied
yes i tried with sudo, same output.
using ubuntu12.04 64 bit. all other commands are fine,
Click to expand...
Click to collapse
In Ubuntu you can re-direct to files you own as the user calling sudo, such as files in your home directory, but not system files
so try this:
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
or you can edit /etc/sysctl.conf and then run sysctl -p
secondary problem
Thank you very much for your post, this is what I was looking for.
I have configured correctly, ubuntu 12.10 and android 2.3.7 (Huawei U8650) but there is a problem.
Only works a few seconds, the first moments. In the browser takes more time, but when I open "play store" internet is disconnected. It seems they check applications and stop working, it's strange. Configuration is successful because it works, but only a few seconds ...
Seems to prove that internet applications not from the 3g and crashes ...
I have broken the wireless on my huawei U8650 and this is the only way I can access the internet
Thanks in advance
PS: I'm Spanish, sorry for my bad English.
wideru said:
Thank you very much for your post, this is what I was looking for.
I have configured correctly, ubuntu 12.10 and android 2.3.7 (Huawei U8650) but there is a problem.
Only works a few seconds, the first moments. In the browser takes more time, but when I open "play store" internet is disconnected. It seems they check applications and stop working, it's strange. Configuration is successful because it works, but only a few seconds ...
Seems to prove that internet applications not from the 3g and crashes ...
I have broken the wireless on my huawei U8650 and this is the only way I can access the internet
Thanks in advance
PS: I'm Spanish, sorry for my bad English.
Click to expand...
Click to collapse
Yes sometimes it happen to me too but normally takes several minutes even hours not seconds, READ the WARNING.
Hope it help.
rply plx
what about windows 7 ?
how can i let my all apps including vpn to be worked with reverse tethering
Qutub Uddin said:
what about windows 7 ?
how can i let my all apps including vpn to be worked with reverse tethering
Click to expand...
Click to collapse
check this http://forum.xda-developers.com/showthread.php?t=1371345