
How to route all your android traffic through a secure tunnel

When you connect to a public Wi-Fi network, your Android phone is susceptible to the same sorts of attacks as a laptop—as demonstrated by the Android data vulnerability exposed a few days ago. The solution to securing your communication is simple: You have to encrypt it. Here’s how to set up an SSH tunnel as a cheap, easy method to encrypt all your Android phone’s data.


What you’ll need:

  • A rooted Android phone : Your phone needs to be rooted in order to be able to make connections through an SSH tunnel. If you haven’t rooted your phone yet, and you’re willing to take the leap, hit up our always up-to-date guide to Android rooting to get started.
  • An SSH server: Ideally this would be rented from a web host online, but it could be any internet-connected computer with an SSH server running, including your home computer.
  • SSH Tunnel (free from the Android Market)

Why use encryption at all? What’s an SSH Tunnel?

Normally, you don’t need to worry about encryption on your phone because you’re already using your carrier’s mobile data connection, which in and of itself is pretty secure already, if only because you’re the only person using it. The problem arises when you connect to public Wi-Fi. On public Wi-Fi, anybody can listen in on everyone else’s web traffic with the right tools, and in doing so, potentially gain access to things like your social networks, your email, or worse.

SSH Tunneling allows your phone to create a secure, encrypted connection to a server located far away from the public Wi-Fi, and run all your data through that connection (like a tunnel). The Wi-Fi connection you’re using may not be secure, but when you’re using an SSH tunnel, your data will be. See our previous guide to encrypt your web browsing session using this method on a computer for the desktop version of this guide.


Step One: Find or Set Up an SSH Server

The first thing you’ll need to do in order to use an SSH tunnel, is to find a server to connect to from your phone.

Paying for an SSH Server

By far, the best option is to buy a monthly web host subscription. There are fast, reliable options to choose from for around $10/mo (or even cheaper). See our list of the five most popular reader-selected web hosts to get an idea of the pricing and options. Any web host will do, so long as it offers SSH access—this is the one thing it must have.


You can find free web hosts, but they tend to be extremely slow and unreliable. There are also “shell accounts,” which are basically nothing but SSH accounts on a server; they’re cheap, but you’re really only saving a couple of dollars compared to the cheaper web hosts, and in my experience they’re often not fast enough for our purposes.

You don’t need to worry about buying a domain name for your server if you don’t want to, since they come with what’s called an “access domain.” It’s basically an ugly URL for your server (an example would be ve.tddlyfzr.vesrv.com), and it’s all you need to connect with SSH.

Setting Up SSH on Your Home PC

If you don’t feel like paying money for your SSH server, you’ve also got the option of setting up your own SSH server on your home PC, but it’s got major pitfalls that make renting a web host—and spending the cost of two lattes—feel well worth it. When you tunnel through your home PC, the connection speed tends to be dismally slow (all the traffic is going through your home computer, so your speed will bottleneck with the speed of your upload bandwidth), not to mention the fact that the computer needs to be on and connected at all times. You’d also need to set up a service like DynDNS to assign a domain name to your PC and keep track of your home IP address, otherwise you wouldn’t know where to connect to while out of the house.


We’ve got some very in-depth instructions for how to rig your home PC as a media server, which also cover router settings and setting up SSH to receive connections. Windows takes a minimal amount of work to install and run SSH, while Linux and Mac should theoretically “just work.”


It really is easier and generally better to use a web host if you can. Web hosts have a direct line to the internet, so compared to your home computer they’re incredibly fast, and there’s nothing to set up before you can connect to them with SSH. If, like many Lifehacker readers, you’ve already got one, then using it won’t cost you anything more than you’re already paying.

Step Two: Set Up the SSH Tunnel App on Your Android

The free SSH Tunnel app does exactly what it sounds like: Creates the encrypted SSH tunnel between your phone and your SSH server, ensuring that all your internet usage is encrypted, even on open, public Wi-Fi networks. Setting it up is easy:

Once you have a server to connect to, simply enter your server’s domain as the Host, then enter your SSH username, and your password. Check the boxes that read “Use socks proxy” and “Global Proxy,” then flip the “Tunnel Switch” and it connects—dead simple. To make things even easier, the app also has options to reconnect automatically if the connection drops. Now, on all your connections (or just whenever you want to turn it on), all of your Android traffic will be secured, encrypted from prying eyes.

Routing your entire Internet traffic through the tunnel is optional; however, it can be advantageous in cases where you expect eavesdropping on the network. This may happen not only in insecure open Wi-Fi networks (airports, hotels, trains, etc.) but also in encrypted Wi-Fi networks where the operator of the network can monitor client activity.

Rerouting the Internet traffic through your Pi-hole will furthermore cause all of your Internet traffic to reach the Internet from the place where your WireGuard server is located. This can be used to obfuscate your real location as well as to be allowed to access geo-blocked content, e.g., when your Pi-hole is located in Germany but you are traveling in the United States. If you want to access a page only accessible from within Germany (like the live-broadcast of Tagesschau, etc.), this will typically not work. However, if you route your entire Internet through your Pi-hole, your network traffic will originate from Germany, allowing you to watch the content.

Create a second profile

Instead of editing your existing configuration, you can easily add a new one with the modified AllowedIPs line as above. This will give you two tunnel variants and you decide – at any time from mobile – which variant you want. The one with only the DNS traffic being safely forwarded to your Pi-hole or the variant where your entire Internet traffic is encrypted and sent through your Pi-hole. You can choose at any time which is the best solution in your current situation (e.g., trusted network, unencrypted airport Wi-Fi, etc.).

Ensure you’re already forwarding traffic

The following assumes you have already prepared your Pi-hole for IP forwarding and enabled NAT . If this is not the case, follow the steps over there before continuing here.

To route all traffic through the tunnel to a specific peer, add the default route (0.0.0.0/0 for IPv4 and ::/0 for IPv6) to AllowedIPs in the [Peer] section of your clients’ WireGuard config files:

The important change is setting the [Peer] -> AllowedIPs entry to 0.0.0.0/0, ::/0

Change this setting only on your clients

Do not set this on the server in the [Interface] section. WireGuard will automatically take care of setting up correct routing so that networking still functions on all your clients.
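The two profile variants described above, rendered and checked in code. This is an added example and is not part of the Pi-hole documentation: the endpoint, key strings and tunnel addresses are constructed placeholders, and the checks encode only the two rules the text states (the default route goes into the client’s [Peer] AllowedIPs; AllowedIPs never belongs in an [Interface] section).

```python
"""Added example, not from the Pi-hole documentation: render the two client
profile variants described above (DNS-only and everything-through-the-tunnel)
and check where AllowedIPs ends up.  All values are constructed placeholders;
the only rules encoded are the ones stated in the text: the default route
(0.0.0.0/0, ::/0) goes into the client's [Peer] section, never into an
[Interface] section."""

import configparser
import ipaddress
from typing import Dict, List

# Constructed sample values, assumed for the example only.
SERVER_ENDPOINT = "pihole.example.net:47111"
SERVER_PUBKEY = "<server-public-key-placeholder>"
CLIENT_PRIVKEY = "<client-private-key-placeholder>"
CLIENT_ADDRESS = "10.100.0.2/24"
PIHOLE_TUNNEL_IP = "10.100.0.1"  # the Pi-hole's address inside the tunnel


def render_profile(name: str, allowed_ips: List[str]) -> str:
    """Render a client profile; only the AllowedIPs line differs per variant."""
    lines = [
        f"# {name}",
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVKEY}",
        f"Address = {CLIENT_ADDRESS}",
        f"DNS = {PIHOLE_TUNNEL_IP}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBKEY}",
        f"Endpoint = {SERVER_ENDPOINT}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


def dns_only_profile() -> str:
    """Variant 1: only packets addressed to the Pi-hole (DNS) use the tunnel."""
    return render_profile("DNS-only via Pi-hole", [f"{PIHOLE_TUNNEL_IP}/32"])


def full_tunnel_profile() -> str:
    """Variant 2: IPv4 and IPv6 default routes, so everything uses the tunnel."""
    return render_profile("Everything via Pi-hole", ["0.0.0.0/0", "::/0"])


def parse_profile(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style profile; '#' comment lines are ignored."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep 'AllowedIPs' as written instead of lowercasing
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def routes_everything(profile: str) -> bool:
    """True when the [Peer] AllowedIPs list contains both default routes."""
    peer = parse_profile(profile).get("Peer", {})
    nets = {ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()}
    return (ipaddress.ip_network("0.0.0.0/0") in nets
            and ipaddress.ip_network("::/0") in nets)


def config_problems(profile: str) -> List[str]:
    """Flag the mistake the text warns about: AllowedIPs under [Interface]."""
    sections = parse_profile(profile)
    problems = []
    if "AllowedIPs" in sections.get("Interface", {}):
        problems.append("AllowedIPs belongs in [Peer], not in [Interface]")
    if "AllowedIPs" not in sections.get("Peer", {}):
        problems.append("[Peer] section has no AllowedIPs line")
    return problems


# Constructed counter-example: the default route placed in the wrong section.
MISCONFIGURED = full_tunnel_profile().replace(
    "[Interface]\n", "[Interface]\nAllowedIPs = 0.0.0.0/0, ::/0\n", 1)


if __name__ == "__main__":
    print(dns_only_profile())
    print(full_tunnel_profile())
    print("full tunnel:", routes_everything(full_tunnel_profile()))
    print("problems in bad config:", config_problems(MISCONFIGURED))
```

Import the two profiles into the WireGuard app as separate tunnels and switch between them as the situation demands; `config_problems` is the check to run over any profile you hand-edit, since a stray AllowedIPs under [Interface] is exactly the edit the warning above is about.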

If you want to have a secure browsing environment or just want to access your home network securely without exposing extra services to the internet and without the mess that comes with setting up and maintaining a VPN server, ssh tunneling is your rescuer. In this post, I’ll tell you how to setup an ssh tunnel to your home network easily. Also look for some bonus tips at the end 😉

This article assumes that you have already installed and setup a ssh server (you can probably use openssh). Also, it assumes that the ssh server is accessible from the internet (i.e. you have appropriately forwarded the port on which ssh server is running). I’d also recommend that if you do not have a static IP for your home network, then sign up for a dynamic DNS service (I use dyndns.org) so that you can access your home network easily by using a domain name (e.g. myserver.dyndns.org) from outside.

Now, here is a step-by-step guide on what to do on your Android phone (I’m doing this on a Nexus One, but it should be the same for you as well):

  1. Install an app called “ConnectBot” from the Android Market. It is a FREE ssh client for Android.

  2. Open it, add the IP (or the dynamic domain name as suggested above) and the port on which the ssh server is running at the bottom, and connect.

  3. Once connected, press the menu button and select the icon which says “Port Forwards”.

     On this screen you can configure the ports to be used for tunneling. As you can see, I already have my Firefly server port configured for music streaming over iTunes’ DAAP protocol. Now press the “menu” button, click “Add ports” and go to step 4.

  4. You will see the dialog box as shown below. Here you can configure mainly two types of ports.

4a) The first is for services already running on your home network that you want to access. E.g., in my case I have a Firefly media server (mt-daapd) running on port “12345” and I want to access it just as if I were on my home Wi-Fi LAN. In such a case, select “type” as “Local”, source port as, say, “56000”, and destination as “ip:port”, where ip is the local-area IP on your home network of the machine the server is running on (my server runs on the router itself, which has IP 192.168.1.1) and port is the actual port on which the server is running (e.g., 12345 as mentioned above). After doing this, just open the respective client app on your phone that wants to connect to this server and enter “127.0.0.1” as the IP and “56000” as the port to connect to, and it will connect to the server as if you were on your home network, even over 3G or your office Wi-Fi.

4b) Secondly, you can use this tunnel to route all traffic to the internet through your home connection. For this, choose the type as “Dynamic” and source port as, say, “56001”. You don’t need to select a destination here, because any traffic that comes over this tunnel will be routed on to the internet using whatever destination IP and port the application asks for, e.g., what is specified in a browser’s address bar.
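To make concrete what the “Dynamic” type does (and what the “Use socks proxy” option of the SSH Tunnel app earlier on this page relies on): the local port becomes a SOCKS5 proxy, and each app states its own destination inside every connection it opens, which is why no destination is configured on the tunnel itself. The following added example, not from this post or from ConnectBot, builds and parses those SOCKS5 messages as defined in RFC 1928 so the bytes can be seen; the host names and ports are constructed sample values.

```python
"""Added example, not from the post above: the SOCKS5 messages (RFC 1928)
that flow into a 'Dynamic' port forward.  A 'Local' forward has its
destination fixed when you add the port; a 'Dynamic' forward receives the
destination from the app in a CONNECT request, and a domain name can be
sent as-is so the far end of the tunnel resolves it.  Sample hosts and
ports below are constructed."""

import socket
import struct
from typing import Tuple

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting() -> bytes:
    """VER | NMETHODS | METHODS.  Only 'no authentication' is offered: the SSH
    session already authenticated the phone, the local SOCKS side needs none."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT command.
    Literal IPv4/IPv6 addresses are sent in binary form; anything else is
    sent as a length-prefixed domain name (max 255 bytes)."""
    try:
        body, atyp = socket.inet_pton(socket.AF_INET, host), ATYP_IPV4
    except OSError:
        try:
            body, atyp = socket.inet_pton(socket.AF_INET6, host), ATYP_IPV6
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("domain name too long for SOCKS5")
            body, atyp = bytes([len(raw)]) + raw, ATYP_DOMAIN
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp])
            + body + struct.pack("!H", port))


def parse_connect_request(msg: bytes) -> Tuple[str, int]:
    """What the proxy side does: recover the destination the app asked for,
    so the matching channel can be opened over the tunnel."""
    if len(msg) < 7 or msg[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if msg[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = msg[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, msg[4:8]), msg[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, msg[4:20]), msg[20:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed DST.PORT field")
    return host, struct.unpack("!H", rest)[0]


if __name__ == "__main__":
    # Constructed example: a browser asking the Dynamic forward on 56001
    # to reach www.example.com:443.
    req = connect_request("www.example.com", 443)
    print(req.hex())
    print(parse_connect_request(req))
```

Contrast with step 4a: for a “Local” forward the (192.168.1.1, 12345) pair is baked in when the port is added, so the app connecting to 127.0.0.1:56000 never sends a destination; with the “Dynamic” forward every connection carries its own destination in the request above, which is what lets a browser set to use 127.0.0.1:56001 as a SOCKS proxy reach any site through the tunnel.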

Bonus: As I promised above, here is the bonus. For media streaming, you can use mt-daapd or the Firefly server on your home network, especially on a router like the Asus WL-500 or any other hackable router with custom firmware. For more info about how to set it up, you can check these posts: Latest Firefly server for your router and Firefly SQLite error solution. For the Android side of things, install the “DAAP Client” app from the Market, click on the “Add server” option and follow step 4a as mentioned above. And there it is, your own music streaming service anywhere in the world, over EDGE/3G or any other network 🙂

Learn how to configure proxies on your Android phone or tablet.


When you use a proxy, all your connections go through it before reaching websites and apps. Proxies can help you hide your IP address, change your device’s location to unblock content, and more. It’s also possible for malware to enable proxies without your knowledge and consent.

This article will show you how to configure the Android proxy settings to set up or disable a proxy server on your device. Note that we use a OnePlus device; your proxy configuration settings might slightly differ.

How to Configure Android Proxy Settings

Step 1. Go to the Settings app and select Wifi & Internet.


Step 2. Find your Wi-Fi network. If you’re currently connected to it, it should be the topmost option.


Step 3. Select the Gear icon at the right side and tap Modify. This will open a preferences popup.


Step 4. In the popup, you’ll see the Proxy dropdown. Expand it.


Step 5. In the dropdown, select Manual.

This means that you’ll enter your proxy server’s settings by yourself.

If you’re using a proxy at school or work, your network administrator might give you a PAC file to configure the settings automatically. Commercial proxy providers rarely do that.


Step 6. Enter your proxy server’s information.


Proxy hostname requires a proxy server’s hostname. You’ll have a hostname if you use backconnect proxies (so, residential or rotating IPs). Otherwise, you can enter a proxy IP address.

  • Example of an IP: 127.168.0.1
  • Example of a hostname: en.proxyprovider.net

Proxy port asks for the number that comes after the IP or hostname; the two are separated by a colon.

  • Example of a port: en.proxyprovider.net:10000

Bypass proxy for lets you select websites that will ignore the proxy server. If you want to enter multiple websites, separate them with a comma and no spaces.

  • Example: google.com,bing.com
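A small checker for the three fields just described, added here as an example and not part of the article: it encodes the rules the text states (a hostname or an IP address, a numeric port after the colon, bypass entries separated by commas with no spaces). Treating a bypass entry as covering the named host and its subdomains is an assumption made for this example, not a description of how Android itself matches the list; all sample values are constructed.

```python
"""Added example, not part of the article above: validate what goes into
Android's manual proxy fields.  The rules encoded are the ones the text
states; the subdomain matching in should_bypass() is an assumption for
illustration, not Android's documented behaviour.  Sample values are
constructed."""

import ipaddress
import re
from typing import List, Tuple

# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def classify_host(value: str) -> str:
    """Return 'ip' for a literal address, 'hostname' for a DNS name; raise otherwise."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if len(value) <= 253 and _HOSTNAME_RE.match(value):
        return "hostname"
    raise ValueError(f"not a valid proxy host: {value!r}")


def parse_port(port_text: str) -> int:
    """The port field must be a plain number in the TCP range."""
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port must be a number from 1 to 65535, got {port_text!r}")
    return int(port_text)


def split_host_port(text: str) -> Tuple[str, int]:
    """Split the 'host:port' notation used in the example above
    (IPv6 literals must be bracketed: [2001:db8::1]:8080)."""
    if text.startswith("["):
        host, sep, port_text = text[1:].partition("]:")
        if not sep:
            raise ValueError("bracketed IPv6 literal must be followed by ':port'")
    else:
        host, sep, port_text = text.rpartition(":")
        if not sep:
            raise ValueError("missing ':port' after the host")
    classify_host(host)
    return host, parse_port(port_text)


def parse_bypass_list(text: str) -> List[str]:
    """Comma-separated hosts, no spaces, each a valid hostname or IP."""
    if text == "":
        return []
    if " " in text:
        raise ValueError("bypass list must not contain spaces")
    entries = text.split(",")
    if any(entry == "" for entry in entries):
        raise ValueError("empty entry in bypass list (stray comma)")
    for entry in entries:
        classify_host(entry)
    return entries


def should_bypass(host: str, bypass: List[str]) -> bool:
    """Assumed rule: an entry matches itself and any subdomain, so
    'google.com' covers 'www.google.com' but not 'notgoogle.com'."""
    host = host.lower().rstrip(".")
    for entry in bypass:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def check_proxy_settings(hostname: str, port_text: str, bypass_text: str = "") -> List[str]:
    """Validate the three fields as typed; return the list of problems found."""
    problems = []
    for check, value in ((classify_host, hostname), (parse_port, port_text),
                         (parse_bypass_list, bypass_text)):
        try:
            check(value)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print(check_proxy_settings("en.proxyprovider.net", "10000", "google.com,bing.com"))
    print(check_proxy_settings("en.proxyprovider.net", "10000", "google.com, bing.com"))
```

The second call in the usage section reproduces the most common data-entry slip the text warns about (a space after the comma) and reports it as a problem instead of silently producing a bypass list Android would not recognise.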

Step 7. Authenticate your proxies.

Unlike iOS, Android doesn’t have fields for authenticating the proxy server in the settings. Instead, you’ll be asked to authenticate when you open your web browser. There, simply enter your credentials: username and password.

If you’ve authenticated by whitelisting your IP address, you don’t need to enter the credentials.

Step 8. Test your proxies.

Go to What Is My IP Address to see if your IP address and location have changed.

If you want to test the proxies in more detail, feel free to read our article on how to test proxies.

That’s it! You’ve successfully set up a proxy server on your Android phone or tablet!

How to Use a Proxy on Android

Once you’ve configured the proxy server on your Android device, it will send all your connection requests through itself. There are a few caveats, though:

  • The proxy server only works on the Wi-Fi network where it’s enabled. If you connect to a different Wi-Fi, you’ll have to configure proxies anew. And this method won’t work on cellular connections at all.
  • The proxy server may not affect apps. It’s up to the individual developers to choose whether to ignore proxies. So, they’re only guaranteed to work with your web browser. If you want to route all traffic through a proxy server, there are apps for that, but you’ll need to root your device first.

How to Disable Proxies on Android

Follow Steps 1-5. Then, in the dropdown simply select None.


Solving the ERR_TUNNEL_CONNECTION_FAILED Error

The ERR_TUNNEL_CONNECTION_FAILED error pops up whenever you’re trying to connect through a proxy or VPN and the connection fails. There can be various reasons why this happens, but in the case of proxies, the two most common ones are:

  1. The proxy server is down. Try turning it off and on again. If nothing happens, wait until the server comes back up.
  2. You haven’t authenticated the proxies. In other words, you’ve entered a wrong username or password, or whitelisted a wrong IP address.

Frequently Asked Questions About Android Proxy Settings

What Is a Proxy?

A proxy server is a middleman that routes your connection requests through itself. So, instead of accessing a website directly, you go through a proxy server first.

Can I Set a Proxy on Android to Affect Apps, Not Only Websites?

Yes, but you need to root your device first. Then, you can use an app like ProxyDroid to enable proxies for all traffic.

Is Using a Proxy Server for Android Phones Legal?

Yes, it’s legal to use proxies on Android. It’s how you use them that matters.


Comments

adamierymenko commented Jun 12, 2015

A ZeroTier network could advertise, as part of its configuration, one or more gateways. A user could — optionally — after joining a network choose to send all traffic (default route) over that gateway. This would support conventional VPN “tunnel everything” use cases. Been requested before, wanted to officially put into backlog.


keesbos commented Jul 2, 2015

Optionally disabling other network interfaces? That would prohibit hopping. Or maybe only permit networks from same controller?

adamierymenko commented Jul 2, 2015

Not sure I understand. this would route ‘default’ (with the exception of ZeroTier traffic itself) via a gateway on a virtual network. It wouldn’t necessarily affect other networks, and I don’t think this would be desired behavior.

Example: let’s say I’m a member of a network with a 10.1.0.0/16 IP scheme and another with 28.0.0.0/7 (Earth). If I enabled the use of a gateway on 10.1.0.0/16, I’d want my default traffic e.g. to www.google.com to go through that gateway. But I’d still want the 28.0.0.0/7 network to behave normally. That’s a more specific route — default is catch-all.

keesbos commented Jul 3, 2015

Indeed. Default gateway won’t have any effect on other interfaces. For normal “reasonably” concerned security officers this could be enough. Probably good for 99 percent of the use cases where the default gateway is applied.

In a paranoid security environment, the scrutiny officer will want to control more than that: make sure that whoever connects to your network will never allow others via that node to penetrate the network. E.g. I’m connected to the management network of an organisation with a high risk profile and also have a connection to “earth”. That’s something that might be unwanted.

janjaapbos commented Jul 3, 2015

That really is depending on your control of the OS. In any case you can disable bridging for the management network. Still, the connected OS can do IP nat for other networks that it is connected to. I’m not sure if you can restrict that at the zerotier device level.

heri16 commented Dec 8, 2015

I think this feature is a bad idea as it would place zerotier right in the crosshairs of government censorship. If the government is serious about clampdown, I don’t think zerotier traffic can evade the sophisticated great firewalls at the state-level. It is very easy to add in a static route on any operating system, rather than make zerotier not function in many countries.

adamierymenko commented Dec 8, 2015

This is going to be optional, but it likely will make an appearance. It’s a highly desired feature among certain classes of enterprise customers that might want to use this to replace conventional hub-and-spoke VPNs.

The reason it hasn’t made an appearance yet is that it’s a pain in the behind to implement. You have to — on each operating system where it is supported — send ZeroTier traffic in such a way that it bypasses the “fake” VPN default route and uses the physical one. But other traffic uses the VPN.

That’s easy on hub and spoke VPNs since you have a single static IP endpoint to add a specific route for. But this is a P2P system which means you have multiple ever-changing routes that sprawl all over the Internet.

The solution on some platforms could be using SOCK_RAW and bypassing the kernel’s routes and other filters completely. This would also make ZeroTier traffic skip iptables though, which some users might not like — though other users might consider that a feature. It would be controversial. It would also be highly platform specific and probably impossible on Windows since anything novel related to networking is impossible on Windows without being paid for in the wicked currency of misery and suffering. A hack that should be kept from the eyes of the innocent is usually required.

whosawhatsis commented Dec 18, 2015

Not to pile more onto your plate, but a nice feature for this to support would be the ability to route/not route certain ports to the gateway. For instance, if I’m on an open wifi network, it would be nice to be able to route all of my port 80 traffic (http) through an encrypted tunnel to my home network, but I’d rather have port 443 traffic (https) go directly for latency and bandwidth reasons.

It’s probably a terrible idea that would add a ton of complexity, but on the off chance that it’s not (or that it is, but is valuable enough to others to implement anyway).

hpk42 commented Feb 22, 2016

I’d be happy already if only linux nodes were supported as an “exit gateway”. However, I didn’t understand yet if the implementation complexity is on the side of the node who wants to route default traffic through a remote “exit” zerotier node or if it’s at the side of the exit node which routes traffic to the wider internets. Could you clarify?

janjaapbos commented Feb 22, 2016

The complexity is at the side that wants to route through the default gateway.

faddat commented Mar 23, 2016

This is another example of something that definitely would help us to make our networks more robust at Klouds. Thanks a lot for all the hard work.


Phylum

Senior Member
  • Aug 18, 2012
  • #1
  • Short Version:
    Got an OpenVPN server on my NAS. GN connects & works fine; remote resources are reachable. I now want to know how I can route all traffic through the tunnel. (Is this possible?)

    Long Version:
    For those times when I’m traveling (domestically and internationally) and/or using a questionable Internet connection, I’d like to secure the connection.
    I’ve got a [stock] rooted GN running Jelly Bean with BusyBox installed. My NAS has two built-in VPN solutions one of which being OpenVPN so I got that setup which created an .ovpn file containing the following configuration:

    Once all of the above was setup, I initiated the connection, successfully authenticated, and was able to reach remote resources without issue.

    What I would like to do at this point is get it setup so that I can have a second profile that routes all traffic through the VPN. I assume its a client-side configuration change but I really don’t know at this juncture.

    KemikalElite

    Senior Member
    • Aug 19, 2012
  • #2
  • Doesn’t CyanogenMod ROM have native OpenVPN support? I think the OpenVPN client on CM has an option to route all traffic through the VPN. I think for what you want to do you should need a custom ROM or kernel that supports iptables.

    iptables is a system file that allows the system to redirect network traffic usually for apps like tethering, firewalls, and proxies.

    Sent from my Galaxy Nexus using Tapatalk 2

    Phylum

    Senior Member
    • Aug 19, 2012
  • #3
  • Thanks for taking the time to reply KemikalElite.

    I’ve got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don’t require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.

    My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I’ve been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.

    Perhaps I should be scouring OpenVPN forums?

    KemikalElite

    Senior Member
    • Aug 19, 2012
  • #4
  • Thanks for taking the time to reply KemikalElite.

    I’ve got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don’t require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.

    My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I’ve been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.

    Perhaps I should be scouring OpenVPN forums?

    You have the tun module as well right?

    Check through some of those issues. Something did say that the DNS servers may need to be manually set.

    OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there’s no config only authentication and it routes all traffic automatically.

    Sent from my Galaxy Nexus using Tapatalk 2

    ZiCoN

    Senior Member
    • Aug 19, 2012
  • #5
    Phylum

    Senior Member
    • Aug 19, 2012
  • #6
  • Thanks for the reply ZiCoN!
    I should have mentioned this sooner – terribly sorry for omitting this.

    Once I got the VPN connected, I did the old ‘what is my ip’ to verify the route. It was still using the provider’s network, but I could reach my NAS and other remote devices in the 192.168.x.x range – so the VPN itself was working. After reading the mini explanation in the config file I enabled ‘redirect-gateway’ and after reconnecting I could no longer access the Internet. I checked the OpenVPN manual and added ‘def1’ after the ‘redirect-gateway’ statement, reconnected, but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.

    Phylum

    Senior Member
    • Aug 19, 2012
  • #7
  • Quote: Originally Posted by KemikalElite (post #4 above)

    I somehow missed this when drafting my last reply. I think you’re right about it being a DNS problem. I made a change to the config file (adding a few lines for ‘dhcp-option DNS x.x.x.x’) and within OpenVPN used the ‘Fix DNS’ button.

    Thanks all for your time, thoughts, opinions and instructions!

    ttabbal

    Senior Member
    • Aug 19, 2012
  • #8
  • Quote: Originally Posted by Phylum (post #6 above)


    Carlos Delgado
    • May 21, 2019

    Learn how to route all your traffic through the TOR network in Kali Linux.

    Whether you want to check how your website looks from other locations in the world or simply hide where you really are, changing your apparent location is a simple task with a VPN. A trickier version of the same task is to browse through the Tor network. Tor is a network of volunteer-run relays that users route through to protect their privacy and keep their online identity hidden. It works with web browsers, remote login applications and instant messaging programs. Tor is an implementation of onion routing: an onion proxy running on the user’s machine negotiates a virtual circuit through the Tor network, encrypting the traffic in layers and bouncing it through relays across the globe. This provides anonymity to applications such as IRC, instant messaging and web browsing. Tor is commonly paired with Privoxy, a proxy server that provides privacy at the application layer.

    In this article, we explain how to install and use Torghost to route your traffic through Tor and go anonymous on the network.

    1. Download and install Torghost

    Proceed to clone the Torghost repository with the following command in some directory of your Kali system:

    Once the download finishes, enter the cloned directory with:

    Then give the install script execute permission:

    And run it directly to install what Torghost needs:

    The installation script essentially runs the following commands (if you don’t want to run the install script, you can install the dependencies with the commands directly):

    After running the install script, torghost is available from your terminal (or use the torghost binary to run the commands of the tutorial later). For more information about this script, visit the official repository on GitHub. This tool offers:

    1. Redirection of all network traffic to the Tor network: any connection from the computer to the Internet passes through Tor.
    2. No ping (ICMP) leaks outside the tunnel, which protects our identity.
    3. Applications are forced through Tor, unlike with proxychains, which some applications ignore in favour of a faster direct connection.
    4. Incoming and outgoing requests that may contain sensitive information or reveal our real IP are rejected.
    5. DNS leak protection: lookups go through an anonymous remote DNS.

    2. Using Torghost to go anonymous

    The tool offers basically 3 functions:

    • torghost start : starts routing all traffic through the TOR network.
    • torghost stop : stop routing traffic.
    • torghost switch : change the current IP.

    You only need to open a new terminal and run the start command to get started with the tool:

    [screenshot: terminal output of torghost start]

    If we open one of those websites that show your current IP address and location after starting Torghost, we get a different location instead of our real one (in this case, Colombia):

    [screenshot: IP lookup site showing the new location]

    According to the website, we are in Germany. You can change the IP whenever you want, either by stopping and starting Torghost again, or with the switch command:

    [screenshot: terminal output of torghost switch]

    This time, another website placed us in Brazil:

    [screenshot: IP lookup site showing Brazil]

    Great, isn’t it? With this simple tool you can change your apparent location within seconds inside the Tor network. Once you’re done, simply stop the tool:

    [screenshot: terminal output of torghost stop]

    Torghost flushes the iptables rules, restarts the network manager and fetches your real IP again, and that’s it.

    Microsoft Tunnel uses Microsoft Defender for Endpoint as the Microsoft Tunnel client app on Android. Microsoft Defender for Endpoint replaces Microsoft Tunnel as the client app beginning on June 14, 2021. Use of the standalone Microsoft Tunnel client app remains in support until January 31, 2022.

    The Microsoft Tunnel client app helps you securely and privately connect to your corporate network over a VPN. If your organization requires you to use the app, they already configured a VPN connection for your work account. To connect to the VPN, simply install the app and sign in with your work account.

    Install Microsoft Tunnel

    Microsoft Defender for Endpoint is available in the Google Play store. Before heading there, check your device to see if it’s already installed.

    If you can’t find the app in the Play store, contact your IT support person for help.

    Connect and disconnect from VPN

    1. Open Microsoft Defender for Endpoint.
    2. Sign in with your work account if prompted.
    3. On the Tunnel screen, turn the Status toggle on or off to connect or disconnect from the VPN.

    Your organization might require you to stay connected to Microsoft Tunnel. This is known as an always-on connection. If this is the case, the Status toggle will appear inactive, and you won’t be able to disconnect from the VPN as long as you’re connected to the internet.

    If the toggle is stuck in the off position, select Help > Send logs and report the problem to your IT support person. For more details, see the Send logs section in this article.

    Connection details

    The following information appears on the Connect screen when Tunnel is connected.

    Uptime: How long the VPN connection has been running.

    Data received: How much data has been received through the VPN connection.

    Data sent: How much data has been sent through the VPN connection.

    Tap Details to see the following information:

    Address: The server address for your VPN connection.

    Device-wide connection: When turned on, all network traffic to and from your device goes through the VPN connection.

    Apps that use Tunnel: If apps are listed, only network traffic to and from these apps go through the VPN connection.

    Always-on: When turned on, Microsoft Defender for Endpoint will continuously try to establish a connection.

    App settings

    From the Connect screen, select the Settings gear icon to:

    • Allow/block Microsoft from collecting usage and performance data.
    • Turn verbose logging on/off.

    Get help in the app

    Select Help from the menu at the bottom of the screen to:

    • Access this article.
    • Send logs to IT support to report a problem.

    Send logs

    Send app logs to IT support to get help with an app or connection problem.

    1. Select Help > Send logs.
    2. Select Send logs again. Your logs are sent to a Microsoft database, which your organization can access.
    3. Select EMAIL IT SUPPORT.
    4. On the Share screen, select your mail app.
    5. In the body of the email, describe the problem you experienced so that the support team has an idea of what to look for.
    6. Send the email.

    About Microsoft Tunnel

    Tap your profile picture, and then select About to view the Microsoft Tunnel privacy policy, terms of use, and third-party notices.

    Next steps

    Need additional help? Contact your IT support person. For contact information, check the Company Portal website.

    Community Support Forum

    route all traffic over vpn using openvpn connect on android?


    Post by pigro » Tue Jan 29, 2013 2:11 pm

    Hi. I would like to use openvpn connect on an unrooted Samsung Galaxy Note in order to connect over 3G to my home Win XP box (which runs openvpn 2.2.2). My end goal is to be able then to run a remote desktop session on the phone over my vpn to a 3rd party Windows server that sits behind a corporate firewall. That firewall has an exception to allow RDP traffic originating from the static IP address of my home broadband.

    I already have this scenario working on an old Nokia N800 smartphone (which gives root without hacking), and I also had it working on my samsung whilst it was rooted using the ‘original’ openvpn client by friedrich shauffelhut.

    In both cases the phones were connecting using TAP and the XP box had an ethernet bridge setup such that the clients got local IP’s on the same subnet as my XP box (192.168.222.0/24). My openvpn server script used push “redirect-gateway def1” to force all IP traffic to go over the vpn, and this had the desired effect that, when I had the vpn established and then started an RDP to the 3rd party server on my phone, the IP address presented to their firewall was that of my home broadband’s static IP, and therefore my RDP session connected OK.

    Unfortunately, I have had to unroot my samsung, and I’m now trying to replicate the above RDP access solution with the new “non-root” openvpn client for android, but I can no longer use the TAP device as it isn’t supported on openvpn connect.

    So, I set up a second openvpn instance to listen on a separate port on the XP box, and configured it as tun. Other than the tap->tun changes the rest of the server and client config files are the same.

    The XP box is at static IP 192.168.222.10, and is connected over powerline ethernet to my netgear modem/router (182.168.222.1). The subnet I’ve used for the vpn is 10.8.0.0/24.

    When I connect with ‘push “redirect gateway loc1″‘ in the server config file, I get connected OK to my XP server, and I can ping 10.8.0.1 (vpn endpoint on server) and 192.168.222.10 (server’s static IP on my LAN) but I can’t ping any external IP’s, use the phone browser to surf, or connect to my 3rd party server over RDP. Note – this isn’t a DNS problem, it’s total lack of routing to external IP’s. I’ve confirmed that by overriding the DNS servers locally on the phone.

    If I comment out ‘push “redirect-gateway def1″‘ from the server config file then I can connect, I can ping 10.8.0.1 but NOT 192.168.222.10, and I can browse the internet but with the traffic NOT transiting my vpn. All of which is as I’d expect, but of course I can’t RDP to the 3rd party server as I’m presenting the wrong IP.

    I know I need to do something with the routing tables on the phone and/or server ends to change the default gateway such that I can force all traffic over the vpn and still have traffic bound for external IP’s get to their destination, but I have stumbled around for days making “suck it and see” changes with no joy and I’m now stumped. Can anyone advise?
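
    The XDA thread earlier on this page and this post stall at the same two places: after ‘redirect-gateway def1’ the client is still using the provider’s DNS (Phylum’s case, fixed with ‘dhcp-option DNS’), or the server accepts the tunnel but never forwards the 10.8.0.0/24 traffic onward (pigro’s symptom: 10.8.0.1 and the LAN answer, nothing beyond). The script below is an added example and is not code from either thread. It assumes a Linux OpenVPN server whose internet-facing interface is eth0 (the post’s server is Windows XP, where the equivalent is Internet Connection Sharing, not shown here), a client tun device named tun0 and the 10.8.0.0/24 tunnel subnet from the post; vpn.example.com, the addresses and the sample routing table are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: the pieces needed to send ALL client traffic over OpenVPN.
# Assumptions (not from the posts): Linux server, internet interface eth0,
# client tun device tun0, tunnel subnet 10.8.0.0/24. vpn.example.com and
# every address below is a placeholder.

# 1. Client config. "redirect-gateway def1" does not replace the default
#    route: it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more
#    specific than 0.0.0.0/0, so they win while the carrier/Wi-Fi default
#    stays in place for the host route OpenVPN adds to the server itself.
#    Routing alone does not move DNS; the resolver has to change too
#    (dhcp-option DNS plus whatever applies it on the client, e.g. the
#    "Fix DNS" step in the thread), or lookups keep leaving in the clear.
client_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
redirect-gateway def1
dhcp-option DNS 10.8.0.1
EOF
}

# 2. Server side (Linux). A server that only "accepts" the tunnel gives
#    exactly the post's symptom: 10.8.0.1 and the LAN answer, nothing beyond.
#    It must forward the tunnel subnet and NAT it out of its own interface.
#    $1 tunnel subnet, $2 internet interface. Printed as commands; see main.
server_egress_rules() {
    tun_net=${1:-10.8.0.0/24}
    out_if=${2:-eth0}
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -A FORWARD -i tun0 -s $tun_net -j ACCEPT" \
        "iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $tun_net -o $out_if -j MASQUERADE"
}

# 3. Client-side check. $1 = text of `ip route show`, $2 = tun device.
#    Returns 0 when both def1 halves point at the tunnel (nothing can fall
#    through to the old default), 1 when traffic can still leak around it.
def1_routes_present() {
    routes=$1
    dev=${2:-tun0}
    printf '%s\n' "$routes" | grep -qE "^0\.0\.0\.0/1 .*dev $dev( |$)" || return 1
    printf '%s\n' "$routes" | grep -qE "^128\.0\.0\.0/1 .*dev $dev( |$)" || return 1
}

# Device carrying the original default route; the host route to the VPN
# server's public address must stay on it or the tunnel eats itself.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) { if ($i == "dev") print $(i + 1) }; exit }'
}

# Constructed sample: `ip route show` on a client after a def1 connect.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.7 via 192.168.1.1 dev wlan0'

main() {
    if [ "$1" = apply ]; then
        server_egress_rules | sh -e          # run on the Linux server as root
        return
    fi
    client_config
    echo "--- server commands (dry run) ---"
    server_egress_rules
    if def1_routes_present "$SAMPLE_ROUTES" tun0; then
        echo "sample client: full tunnel via tun0, upstream dev $(default_route_dev "$SAMPLE_ROUTES")"
    else
        echo "sample client: def1 routes missing, traffic can leak"
    fi
}
main "$@"
```

    Run it without arguments to review the config and the server commands against the sample table; ‘apply’ runs the server commands for real. The def1 check is the one to run on the phone with ‘ip route show’ once the VPN app reports connected: if only one of the two /1 routes is present, half the address space still leaves over Wi-Fi.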

    Protect your web servers from direct attack

    From the moment an application is deployed, developers and IT spend time locking it down — configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels.

    There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare Tunnel.

    Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV.

    Challenges of protecting origin infrastructure

    Your origin IP addresses and open ports are exposed and vulnerable to advanced attackers, even when they’re behind your cloud-based security services. Some common ways to stop these direct DDoS or data breach attempts include monitoring incoming IP addresses through access control lists (ACLs) and enabling IP security via GRE tunnels.

    Compared to other network security solutions — like secure tunneling software — these approaches are often slow and expensive, time-consuming to set up and maintain, and lack fully integrated encryption.

    Securely connect origins directly to Cloudflare

    Cloudflare Tunnel is tunneling software that lets you quickly secure and encrypt application traffic to any type of infrastructure, so you can hide your web server IP addresses, block direct attacks, and get back to delivering great applications.

    Here’s how it works:

    The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports.

    Once you lock down all origin server ports and protocols with your firewall, any direct requests to the origin on HTTP/S ports are dropped, including volumetric DDoS attacks. Data breach attempts, such as snooping on data in transit or brute-force login attacks, are blocked entirely.

    Learn more about how we built Tunnel — and how we’re continuing to improve it.

    Protect web servers from direct attacks


    Tunnel works with Cloudflare DDoS Protection and Web Application Firewall (WAF) to defend your web properties from attacks.

    Once you deploy the Tunnel daemon and lock down your firewall, all inbound web traffic is filtered through Cloudflare’s network.

    Now, your web server’s firewall can block volumetric DDoS attacks and data breach attempts from reaching your application’s origin servers.


    Secure access to internal applications


    Tunnel allows you to quickly deploy infrastructure in a Zero Trust environment, so all requests to your resources first pass through Cloudflare’s robust security filters.

    When Tunnel is combined with Cloudflare Access, our comprehensive Zero Trust access solution, users are authenticated by major identity providers (like Gsuite and Okta) without the help of a VPN.

    Applications once accessible to anyone through the origin IP are now only accessible to authenticated users through Cloudflare’s network.

    And you can restrict access to internal applications (including those in development environments) that you’d like to make externally facing.

    Learn more about how Cloudflare enables Zero Trust security.


    Accelerate origin traffic with Argo Smart Routing

    Any organization can create Cloudflare Tunnels, for free! Try getting started by connecting an origin to Cloudflare with a single command.

    Organizations can also augment their Tunnels by adding Argo Smart Routing, which improves application performance by using Cloudflare’s private network to route visitors through the least congested and most reliable paths. Smart Routing reduces average origin traffic latency by 30% and connection errors by 27%.

    “With Cloudflare, I’ve been able to reduce the administrative overhead of firewalls, reduce the attack surface, and get the added benefit of higher performance through the tunnel.”


    Dr.Tautology

    Member
    • Oct 31, 2013
  • #1
  • For anyone interested in data security the ability to encrypt network traffic is obviously important– especially in light of the myriad of recent well publicized reports of private and government electronic snooping. It is also relevant to mention that to date no one has come close to cracking “TwoFish” encryption which can be used by SSH. With this in mind, consider the following tutorial which describes a method for encrypting all 3g, 4g, and Wi-Fi data, thus beefing up phone and personal data security.

    Setting up a global SSH Tunnel on Android phones
    This tutorial assumes the reader possesses a fully configured SSH server and a rooted phone. In lieu of a server (e.g., the reader only has a Windows-based operating system), research into CYGWIN is recommended. I use CYGWIN to run my SSH server and I have found that it is the most robust option for Windows users; however, setting this up on Windows can be a daunting task.

    Setting up global SSH Tunnel on Android
    1. Download 2 apps from the Google Playstore: ConnectBot and ProxyDroid
    2. Install ConnectBot and ProxyDroid on your phone.
    3. In ConnectBot set up Port forwards for your SSH connection. For “Type” field use “Dynamic (SOCKS).” For “Source Port” use 56001 or any local port not being used. The reasoning behind using port 56001 is this: System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535)
    4. Open ProxyDroid and configure as follows:
    Host: 127.0.0.1
    Port: 56001 (or the port you chose to use in step 3)
    Proxy Type: SOCKS5
    Global Proxy: Check the box

    The above procedure accomplishes several things. First, ConnectBot remotely connects to your SSH server. Next, the ConnectBot connection forwards to the local port 56001. ProxyDroid then redirects all network traffic through the localhost on port 56001. Once you are connected through ConnectBot and ProxyDroid is activated all of your data will be tunneled through the encrypted ConnectBot session. This is an excellent way to set up a global proxy because it does not require manual configuration of any applications to connect through the proxy. You can test the functionality of the connection by opening up your phone browser and performing the Google search: What is my IP. If the proxy is functional you will see the WAN IP of the network of your SSH server. Additional and more thorough testing can be done with packet sniffers such as WireShark.

    An application called “SSH Tunnel” is an alternative to accomplishing the above. However, I find ConnectBot and ProxyDroid are more elegant and give better control – not to mention being more sophisticated/chic. When correctly performed, the ConnectBot and ProxyDroid method encrypts all 3G, 4G and Wi-Fi data on your phone. This is obviously useful for phone access of sensitive materials, especially when using unfamiliar or alien network connections. With the current proliferation of identity theft via electronic snooping on mobile devices, I do not advocate using cellular phones for any banking or electronic transactions without setting up a robust and reliable encrypted connection.

    I’m attempting to change the settings of a Cisco IPSec VPN connection which was set up through OSX’s built in VPN client in system preferences. The VPN functions as expected, allowing me to access protected servers at my company. I would like to access other websites on the internet through this VPN (youtube, wikipedia, whatever). As far as I can tell, my regular web browsing is not being directed through the VPN.

    This apple support page says there is a setting called “Send all traffic over VPN connection” which can be enabled through the Apple menu > System Preferences > Network > Advanced > Options dialogue. However, when I select the VPN from the network interface list and click the “Advanced. ” button, there is no “Options” tab or button. I see a dialogue with two tabs, “DNS” and “Proxies”. There is no options button or “Send all traffic over VPN connection” anywhere to be found.

    So, what gives? Does this have to do with what kind of VPN I am connected to (Cisco IPSec)? Is it related to the VPN’s settings? Regardless, how can I route normal browsing through the VPN?

    2 Answers

    I guess not all VPN connections of the built-in VPN client in Mac have that option.

    The PPTP and L2TP do offer the option: Open your network settings:


    Select your VPN connection and click on the advanced button.

    A new window will pop up with three check-boxes under the heading “Session options”. The last one of these checkboxes is the one you want: “redirect all traffic over VPN”.

    However, like you said. The advanced button does not pop up with Cisco IPSec.

    I found this thread (https://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn) that maybe could be an answer to your problem (if you use it to route the whole ip range):

    Any one know how to hack the routing table (on a mac) to defeat the forcing of VPN routing for every thing over a cisco VPN? pretty much what I want to do is have only 10.121.* and 10.122.* addresses over the VPN and everything else straight to the internet.

    The following works for me. Run these after connecting to the cisco vpn. (I’m using OS X’s built-in cisco client, not the Cisco branded client.)

    Replace “10” in the first command with the network that’s on the other side of the tunnel.

    Replace “192.168.0.1” with your local network’s gateway.

    I put it into a bash script, like this:

    I also found an explanation on how to run this automatically when you connect the VPN, but it’s late on Friday and I don’t feel like trying it 🙂

    I have since left the job where I was using the Cisco VPN, so this is from memory.

    The “10” in the first command is the network that you want to route over the VPN. “10” is short hand for “10.0.0.0/8”. In Tuan Anh Tran’s case, it looks like the network is “192.168.5.0/24”.

    As for which gateway to specify in the second command, it should be your local gateway. When you log into a VPN that prevents split-tunneling, it is enforcing that policy by changing your routing tables so that all packets are routed on the virtual interface. So you want to change your default route back to what it was prior to getting on the VPN.

    The easiest way to figure out the gateway is to run netstat -rn before logging into the VPN, and look at the IP address to the right of the “default” destination. For example, here’s what it looks like on my box right now:

    My gateway is 10.0.1.1 — it is to the right of the “default” destination.

    I got the inspiration here. It looks like AFWall+ is able to create a NAT forwarding policy to keep all traffic going through a SOCKS5 proxy and fool Google apps into thinking they are not connected via a VPN (Google apps implement additional security measures when connecting via VPNService and if you are in China you will not pass the security check – the security check requests don’t go through VPN, so they will EOF because GFW will kill these requests, read more here).

    So my question is, if let’s say I have a socks5 server running at 192.168.1.1:1088 which tunnels all connections via vmess protocol (aka V2Ray ) to remote servers in the US, how do I create my custom script? I have tried:

    This does not work. So:

    1. Did I create a wrong script? How do I create a script that does what I want to do?
    2. Are there other settings that I should enable first? I didn’t tick any app so I assume that means all app go through custom script, right?


    1 Answer

    The link you have provided is not setting up SOCKS but a transparent proxy i.e. it takes TCP/UDP traffic and SOCKSify it before sending through shadowsocks tunnel. But you need to make your traffic SOCKS-aware before directing towards SOCKS proxy. Either configure individual apps (which have built-in support for SOCKS) or enforce proxy system-wide transparently (what you are trying to do).

    LIMITATIONS OF SOCKS PROXY:

    It looks like AFWall+ is able to create a NAT forwarding policy

    AFWall+ uses iptables at back end and it can execute your script on network changes. Enforcing global proxy is (at least partially) possible with proxifier apps like ProxyDroid (which is iptables -based) and SocksDroid (which is VPN/routing based). I have no affiliation with either.

    If manually working from CLI, you can use a transparent TCP/UDP-to-proxy redirector like redsocks in combination with iptables . shadowsocks provides its own similar tool ( ss-redir ), so does Tor.

    I didn’t tick any app so I assume that means all app go through custom script, right?

    No. The problem with the iptables approach is that SOCKS5 is a layer 5 protocol in OSI model. So it cannot carry whole traffic from all apps. Most of the traffic generated by apps is TCP which works fine with SOCKS and is easy to setup. But some games, VoIP apps and above all the traditional DNS generate UDP traffic which is not supported by many SOCKS5 proxies. E.g. openssh and tor both don’t, shadowsocks however does have UDP associate features. But it doesn’t work with simple DNAT or REDIRECT (probably because SO_ORIGINAL_DST is not available for UDP sockets, I don’t know the details). You can possibly redirect traffic only towards a fixed socket (IP:PORT) e.g. a DNS server or game server.

    TPROXY is the alternative here, but the trouble is that it works only with PREROUTING chain i.e. the traffic coming from outside, not that generated on device. So you have to do extra setup to route your on-device traffic without NATing towards a local proxy server (usually default gateway) where you’ll set up TPROXY .

    Complicated? That’s why VPN is preferred. Even if you need to use a proxy to circumvent firewalls, VPN tunneling through proxy spares you from the traffic redirection complexities. VPN operates at lower level in network stack (L2/L3 in OSI), so it flawlessly carries all IP traffic including ICMP echos ( ping ) etc. which can no way be sent through SOCKS. Another plus point is that VPN can be tunneled through transparent proxies – like shapeshifter-dispatcher and stunnel – or SOCKS proxies which are meant to forward only single port – like obfs4proxy .

    If not forwarding single port (tunneling), SOCKS5 must be an application level proxy i.e. it should be able to forward arbitrary ports from different apps like SSH dynamic port forwarding does.

    tun2socks is another SOCKSification method which collects TCP/UDP traffic on a tun interface (same like a VPN, no NAT involved) and forwards it through a SOCKS proxy. It recently added UDP associate support. Previously used UDP Gateway method also worked quite fine but it requires running a separate daemon ( udpgw ) along with proxy server. tun2socks is a non-root solution because apps – like SocksDroid and many other firewalls, sniffers etc. – using this method rely on Android’s VPN facilities.

    . and fool Google apps into thinking they are not connected via a VPN (Google apps implement additional security measures when connecting via VPNService .

    With both above methods (VPN through tunnel and Tun-to-SOCKS) it’s not necessary to use Android’s VPNService API (if that’s causing problems for you). On a rooted device you can get a static openvpn or tun2socks binary and run that through CLI. That’s far less hassle than setting up proxy through iptables . In former case, though, you need a VPN server obviously.

    SOCKSIFY WHOLE DEVICE:

    As you don’t want to go with VPN/routing based solution, here is the simple iptables -based method.

    First get redsocks binary for your device architecture (or try this one for aarch64 or this one for armeabi-v7a ). Create configuration file:

    * See redsocks.conf.example for details and more options.

    You can add custom iptables script to AFWall+. redsocks can be run as init service with non-root UID, dropped capabilities and restricted SELinux context. See How to run an executable on boot?
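
    The ConnectBot + ProxyDroid recipe earlier on this page, the Torghost article and this answer all rely on the same mechanism: an iptables nat rule in the OUTPUT chain that REDIRECTs locally generated TCP to a transparent proxy (redsocks in front of a SOCKS5 listener, or Tor’s TransPort, which is what Torghost sets up). The script below is an added example and is not code from ProxyDroid, Torghost, redsocks or the answer. It assumes an SSH server at the placeholder address 203.0.113.10, the SOCKS port 56001 from the ConnectBot post, redsocks on 127.0.0.1:12345 running as user redsocks, and Tor with TransPort 9040 and DNSPort 5353 running as debian-tor; the rules only print unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: transparent redirection of all local TCP into a proxy with
# iptables, the mechanism behind ProxyDroid, Torghost and the redsocks answer.
# Assumptions (placeholders, not from the page): SSH server 203.0.113.10,
# redsocks on 127.0.0.1:12345 as user "redsocks", Tor TransPort 9040 and
# DNSPort 5353 as user "debian-tor". SOCKS port 56001 is from the post above.

SSH_SERVER=203.0.113.10
SOCKS_PORT=56001
REDSOCKS_PORT=12345
TOR_TRANS_PORT=9040
TOR_DNS_PORT=5353

# The desktop twin of the ConnectBot port forward: -D opens a local SOCKS5
# listener; -N means no remote shell. Output is the command to run.
ssh_socks_tunnel() {
    printf 'ssh -N -D 127.0.0.1:%s user@%s\n' "$SOCKS_PORT" "$SSH_SERVER"
}

# redsocks turns REDIRECTed TCP (it recovers the original destination via
# SO_ORIGINAL_DST) into SOCKS5 CONNECTs towards the ssh listener.
redsocks_conf() {
    cat <<EOF
base {
    log_debug = off;
    log_info = on;
    log = "stderr";
    daemon = off;
    redirector = iptables;
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = $REDSOCKS_PORT;
    ip = 127.0.0.1;
    port = $SOCKS_PORT;
    type = socks5;
}
EOF
}

# Destinations that must NOT be redirected: loopback, RFC 1918, link-local,
# multicast/reserved, and the SSH server itself. Redirecting the ssh
# session into the SOCKS listener it provides is a loop that kills the
# tunnel; it is the first thing to check when "everything stops working".
# Returns 0 = bypass, 1 = redirect.
bypass_destination() {
    case $1 in
        "$SSH_SERVER") return 0 ;;
        127.*|10.*|192.168.*|169.254.*|0.*|22[4-9].*|2[3-5][0-9].*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# nat rules for mode "socks" (redsocks) or "tor" (TransPort). One complete
# iptables command per line. UDP is only handled in tor mode: an SSH SOCKS
# tunnel carries no UDP, so in socks mode DNS still leaves directly, which
# is the limitation the answer describes.
transparent_rules() {
    mode=${1:-socks}
    if [ "$mode" = tor ]; then
        port=$TOR_TRANS_PORT; owner=debian-tor
    else
        port=$REDSOCKS_PORT; owner=redsocks
    fi
    echo "iptables -t nat -N TUNNEL_OUT"
    # the proxy's own outbound traffic must leave directly, or it loops
    echo "iptables -t nat -A TUNNEL_OUT -m owner --uid-owner $owner -j RETURN"
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
               192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 "$SSH_SERVER/32"; do
        echo "iptables -t nat -A TUNNEL_OUT -d $net -j RETURN"
    done
    if [ "$mode" = tor ]; then
        # DNS leak protection: plain UDP/53 goes to Tor's resolver
        echo "iptables -t nat -A TUNNEL_OUT -p udp --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT"
    fi
    echo "iptables -t nat -A TUNNEL_OUT -p tcp -j REDIRECT --to-ports $port"
    echo "iptables -t nat -A OUTPUT -j TUNNEL_OUT"
}

# What "torghost stop" amounts to: unhook and delete the chain.
transparent_teardown() {
    printf '%s\n' "iptables -t nat -D OUTPUT -j TUNNEL_OUT" \
                  "iptables -t nat -F TUNNEL_OUT" \
                  "iptables -t nat -X TUNNEL_OUT"
}

main() {
    mode=${1:-socks}                    # socks | tor | stop
    if [ "$mode" = stop ]; then cmds=$(transparent_teardown); else cmds=$(transparent_rules "$mode"); fi
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e   # needs root
    else
        if [ "$mode" = socks ]; then ssh_socks_tunnel; fi
        printf '%s\n' "$cmds"
    fi
}
main "$@"
```

    Start the ssh listener and redsocks first, then APPLY=1 the socks rules; ‘stop’ removes them in the order iptables requires (unhook from OUTPUT, flush, delete). The owner match is why the answer says redsocks should run under its own UID: without it, redsocks’ connection to the SOCKS port is itself a local TCP connection, but 127.0.0.0/8 is bypassed so the real loop risk is the ssh session to the server, hence the explicit RETURN for its address.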


    This guide takes you through the process of securing internet traffic for your workforce. You can set up secure access to the public internet on the whole or to specific public resources.

    This illustration shows a high-level view of secure internet access. On the left, each user connects with the OpenVPN Connect app on their device through a secure tunnel to the geographically closest OpenVPN Cloud Region. On the middle right, each Connector on your private network that provides access to the internet establishes a secure tunnel between your network and the geographically closest Region. You can then configure User Groups and routes to that private network so that your workforce can securely access either specific public resources or the entire internet through OpenVPN Cloud.

    [figure: Secure Internet Access]

    1. Set up your OpenVPN Cloud account.
      • Access https://cloud.openvpn.com/ and sign up to give it a try with up to three free connections.
      • Create an OpenVPN ID that uniquely identifies your VPN; for example, myopenvpnID.openvpn.com. Your ID lets you administer your VPN network and download the OpenVPN Connect Client and its configuration profile. The Connect client can also directly import configuration profiles using your OpenVPN ID to get your user devices connected to OpenVPN Cloud.
    2. Configure the private network, that you want to use to provide access to the internet via OpenVPN Cloud, in the OpenVPN Cloud administration portal.
      • Access the Networks section and add a new network.
      • You can then choose to either:
        • Enable Egress to route all internet traffic through this network,
        • Or leave Egress disabled and define your public resources by domain name or IP address.
      • For further information, refer to Domain Name as a Route, VPN Egress and Adding VPN Egress.
      • Here is a detailed example of setting up a network for VPN egress: HQ Network being used as VPN egress route.
    3. Next, you must set up a network Connector and make sure it’s online.
      • Deploy a Connector on your private network. You can choose your operating system or compatible router and use the quick launch directly in the portal to deploy the Connector. For more information, refer to Connector Deployment User Guides.
    4. For the user groups, networks and hosts whose internet traffic should all be routed through the network (with Egress enabled), navigate to each of them and change Internet Access to Split Tunnel Off, so that all their traffic is routed to OpenVPN Cloud. For more information, refer to Split-tunnel.
    5. Connect your users
      • You can manually create users in the Users section of the OpenVPN Cloud administration portal. When you add users to your account and include an email address, those users automatically receive an email with instructions for downloading the OpenVPN Connect client and their connection profile.
      • If you don’t include an email address when creating new users, you’ll need to send those users the user portal link, username, and temporary password using some other means.
      • If you set up SAML or LDAP authentication with OpenVPN Cloud, you can let your workforce know that they can use their existing SAML or LDAP credentials to download the Connect app for their devices and import a profile using your unique OpenVPN Cloud ID URL.
      • Note that you can also configure User Groups, which enable you to set:
        • The Regions that users are allowed to connect to.
        • The type of authentication needed to establish a connection.
        • The maximum number of devices that can access the VPN simultaneously.
        • Split-tunneling on or off (routing public internet traffic).
      • Refer to these guides for more information:
        • Adding A User
        • User Groups and Add New User Group
    6. Each user can then connect to OpenVPN Cloud and reach all internet resources through your egress-enabled network or specific subnets and domains through routes defined for the network.
    7. You also have the added option of configuring private services and access groups to enforce access controls.
      • Learn more about configuring access to services here: Cloud Services
      • For information on setting up access groups for those services, refer to: Cloud Access Groups
      • Note: Your access controls won’t be active until your VPN topology is set to Custom.

    Prevent your passwords from being sniffed

    If you’re connecting to a remote desktop using the Virtual Network Computing (VNC) protocol, your connection might not be secure. Some VNC clients, like the popular TightVNC, don’t encrypt your connection beyond the initial sign-in stage. To get around the problem, you can tunnel a VNC connection over a Secure Shell (SSH) tunnel.

    Not only does an SSH tunnel provide an entirely secure connection for VNC, but it also allows you to use VNC connections when the typical VNC port (port 5901) is blocked. Some corporate networks will block common ports like port 5901 for extra security, so tunneling VNC over SSH would allow you to get around this problem.


    Setting Up PuTTY

    Windows 10 does have an SSH client built-in, thanks to the Windows PowerShell, but this is only a recent development. If you want to know how to tunnel VNC through SSH, it’s recommended you use PuTTY to make the connection to your SSH server.

    PuTTY offers a graphical user interface that can easily be configured to allow you to tunnel other software, like your VNC viewer, over the connection. For this to work, you’ll need to have a suitable SSH server installed on the remote desktop PC or server you’re looking to connect to over VNC.

    • To start, download PuTTY and open the client.
    • The main Session menu allows you to type your server IP address or hostname. Type your SSH server address in the Host Name (or IP address) text box. If your SSH port is different from the standard port 22, type this in the Port box.
    • You’ll also want to save this session, so in the Saved Sessions text box, add a suitable name for your SSH connection, then click the Save button.


    • In the left-hand menu, expand the Connection tab, then do the same for the SSH. Click on Tunnels.


    • In the Port forwarding section of the Tunnels menu, you’ll be providing the details to allow PuTTY to tunnel your VNC connection over SSH. In the Source port text box, type 5901. In the Destination text box, type your remote IP address:5901, using the IP address of the remote desktop PC or server. For instance, 192.168.1.100:5901 would be suitable.


    • Return to the Session section, click on your saved session name under Saved Sessions, then click Save to save your settings.


    • With your PuTTY settings ready, make the SSH connection by clicking Open at the bottom. You’ll be required to insert the username and password required to make your SSH connection as PuTTY makes the attempt.


    • Once the login process is complete, you’ll be given access to the SSH terminal window for your remote desktop.


    With the SSH tunnel to your remote desktop server active, you’ll now be able to make a VNC connection. You can use any VNC client you choose, but this guide will run through how to connect using TightVNC, a popular and free VNC client for Windows and Linux.

    You can minimize PuTTY while the connection is active.

    Connecting Using TightVNC

    If your SSH connection is active, connecting using TightVNC is pretty simple. This assumes that your VNC server is running on your remote PC or server.

    • Open TightVNC to begin. In the Connection section, type localhost::5901 or 127.0.0.1::5901 into the Remote Host text box. PuTTY is monitoring this port and will automatically forward this connection, when the attempt is made, to your remote server.
    • You can configure your VNC connection further by clicking Options but, if you’re ready to connect, click Connect.


    • You’ll be asked for your VNC server password, so provide this in the VNC Authentication pop-up window, then click OK.


    If your SSH connection is working correctly, TightVNC should load your remote VNC desktop window, ready for you to use.
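The PuTTY and TightVNC steps above expressed as an OpenSSH command line, with a pre-flight check that the forwarded port is actually listening before the viewer is pointed at it. This is an added example, not code from the original guide; the SSH server name (tunnel.example.com), the VNC host 192.168.1.100 and the user name are placeholders, and the one thing it adds over the GUI steps is binding the local port to 127.0.0.1 only and using ExitOnForwardFailure so a clash on port 5901 fails loudly.

```shell
#!/bin/sh
# Added example (not from the original guide): the OpenSSH equivalent of the
# PuTTY "Tunnels" settings, plus a check that the local listener exists before
# TightVNC is pointed at localhost::5901. Host names below are placeholders.

# Return 0 if $1 is a valid TCP port number (1-65535, digits only).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that recreates the saved PuTTY session:
#   $1 = SSH user, $2 = SSH server, $3 = SSH port (22 in the guide),
#   $4 = VNC host as seen from the SSH server, $5 = local "Source port" (5901).
# The local side is bound to 127.0.0.1 so other machines on the same LAN cannot
# ride the tunnel (PuTTY's "accept connections from other hosts" stays off).
# -N opens no remote shell; ExitOnForwardFailure aborts if 5901 is already taken.
tunnel_cmd() {
  user="$1"; host="$2"; ssh_port="$3"; vnc_host="$4"; local_port="${5:-5901}"
  valid_port "$ssh_port" && valid_port "$local_port" || return 1
  printf 'ssh -p %s -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:5901 %s@%s\n' \
    "$ssh_port" "$local_port" "$vnc_host" "$user" "$host"
}

# Return 0 if something is listening on 127.0.0.1:$1, the sign the tunnel is up.
tunnel_listening() {
  ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 " ||
  netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

main() {
  cmd=$(tunnel_cmd vncuser tunnel.example.com 22 192.168.1.100) || return 1
  echo "Run in one terminal: $cmd"
  if tunnel_listening 5901; then
    echo "Tunnel is up: point TightVNC at localhost::5901"
  else
    echo "Nothing on 127.0.0.1:5901 yet: start the tunnel first"
  fi
}

main
```

Passing 443 as the SSH port and a different local port works the same way, which is what the SSH-on-443 suggestion further down relies on.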

    SSH Clients With Tunneling Support

    While TightVNC is a popular Windows client for VNC connections, it doesn’t support SSH tunneling within the client itself, requiring you to use PuTTY to make the connection.

    Other VNC clients, however, do include SSH tunneling within the client itself. One example is SSVNC which, while basic, will tunnel over SSH before making a VNC connection. SSVNC is supported by Windows and Linux operating systems.

    • Open the SSVNC client and, within the main SSVNC client window, fill in the required fields. Under VNC Host:Display, type SSHusername@remoteIPaddress:1. Replace SSHusername with the username you’d use for your SSH connection, and replace remoteIPaddress with your remote desktop IP address. For example, [email protected]:1.
    • Make sure you select the Use SSH or SSH+SSL option before you connect. When you’re ready, click the Connect button.


    • You’ll be asked for your SSH password in a pop-up terminal window. Provide your password, then press enter on your keyboard.


    Once the SSH tunnel is active, your VNC connection will begin, and your VNC client window should appear, where you can begin using your remote desktop.

    While VNC connections aren’t encrypted by default, Microsoft’s own Remote Desktop Protocol is encrypted. If you’re running Windows and you’re planning on connecting to a remote Windows PC or server, you can connect using the Remote Desktop Connection tool instead.

    Ben Stockton is a freelance technology writer based in the United Kingdom. In a past life, Ben was a college lecturer in the UK, training teens and adults. Since leaving the classroom, Ben has taken his teaching experience and applied it to writing tech how-to guides and tutorials, specialising in Linux, Windows, and Android. He has a degree in History and a postgraduate qualification in Computing.

    The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection.

    The following tasks are configured on the SSL VPN > Client Routes page:

    Configuring Tunnel All Mode

    Select Enabled from the Tunnel All Mode drop-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

    NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route that traffic through the SSL VPN tunnel.

    Adding Client Routes

    The Add Client Routes pulldown menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page. For more information, see “Firewall > Access Rules” .

    It is possible to use IPsec on a firewall running pfSense® software to send Internet traffic from a remote site such that it appears to be coming from another location. This may be needed if a vendor requires that connections originate from a specific address.

    The basis of this tunnel is a working site-to-site IPsec VPN as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys. Refer to that recipe for detailed instructions. Only the differences from that recipe will be mentioned here.

    As a reminder, this example uses two sites:

    Site A is the main site. The Internet traffic will exit this location.

    Site B is a remote office with LAN subnet 10.5.0.0/24. This is the source of local traffic which will traverse the tunnel and reach the Internet through site A.

    Site A, phase 2 Local Network

    Site B, phase 2 Remote Network

    This will cause the firewall to send all traffic from the LAN through the IPsec tunnel to the remote end of the tunnel.

    Allow IPsec traffic through the firewall

    Since this tunnel must pass traffic from the Internet, the firewall rules must be fairly lenient. The rules on site A will need to pass traffic from a source of the site B LAN (10.5.0.0/24) to a destination of any.

    To prevent site B from reaching sensitive local resources at site A or sites connected to additional VPNs, place block rules above the rule passing the Internet traffic.

    The rules at site B do not necessarily have to allow much traffic back through unless there are public resources at site B which will be reached across the tunnel (e.g. 1:1 NAT, port forwards).

    Configure outbound NAT

    For site B to reach the Internet, site A must perform outbound NAT on the traffic from the site B LAN (10.5.0.0/24) as it leaves the WAN.

    To do this, first change the outbound NAT mode on the site A firewall:

    Navigate to Firewall > NAT, Outbound tab

    Set the Outbound NAT Mode to Hybrid Outbound NAT

    If site A is already on this mode or set to Manual, then do not change the mode.

    Click Save

    Using this mode will allow the default automatic NAT rules to continue working without needing a full manual ruleset. Now add a custom rule to the top of the list which will match site B:

    Click Add

    Set the following values:

    NAT for IPsec tunnel Site B

    Click Save

    Click Apply changes.

    The new entry is now in the outbound NAT rule list.

    At this point site B will have a working Internet connection through the IPsec tunnel and the Internet provider at site A. Any Internet traffic from site B will look as if it were coming from site A.


    © 2022 Electric Sheep Fencing LLC and Rubicon Communications LLC. All Rights Reserved.

    This page was last updated on Sep 22 2021.


    Matthew Rogers

    When you connect to a public Wi-Fi network, your Android phone is susceptible to the same sorts of attacks as a laptop — as demonstrated by the Android data vulnerability exposed a few days ago. The solution to securing your communication is simple: you have to encrypt it. Here’s how to set up an SSH tunnel as a cheap, easy method to encrypt all your Android phone’s data.

    What you’ll need

    • A rooted Android phone: Your phone needs to be rooted in order to be able to make connections through an SSH tunnel. If you haven’t rooted your phone yet, and you’re willing to take the leap, hit up our complete guide to Android rooting to get started.
    • An SSH server: Ideally this would be rented from a web host online, but it could be any internet-connected computer with an SSH server running, including your home computer.
    • SSH Tunnel (free from the Android Market)

    Why use encryption at all? What’s an SSH Tunnel?

    Normally, you don’t need to worry about encryption on your phone because you’re already using your carrier’s mobile data connection, which in and of itself is pretty secure already, if only because you’re the only person using it. The problem arises when you connect to public Wi-Fi. On public Wi-Fi, anybody can listen in on everyone else’s web traffic with the right tools, and in doing so, potentially gain access to things like your social networks, your email, or worse.

    SSH Tunnelling allows your phone to create a secure, encrypted connection to a server located far away from the public Wi-Fi, and run all your data through that connection (like a tunnel). The Wi-Fi connection you’re using may not be secure, but when you’re using an SSH tunnel, your data will be.

    Step One: Find or Set Up an SSH Server

    The first thing you’ll need to do in order to use an SSH tunnel, is to find a server to connect to from your phone.

    Paying for an SSH Server

    By far, the best option is to buy a monthly web host subscription. There are fast, reliable options to choose from for around $US10/month (or even cheaper). See our list of the five most popular web hosts to get an idea of the pricing and options. Any web host will do, so long as it offers SSH access — this is the one thing it must have.

    You can find free web hosts, but they tend to be extremely slow and unreliable. There are also “shell accounts”, which are basically nothing but SSH accounts on a server; they’re cheap, but you’re really only saving a couple of dollars compared to the cheaper web hosts, and in my experience they’re often not fast enough for our purposes.

    You don’t need to worry about buying a domain name for your server if you don’t want to, since they come with what’s called an “access domain”. It’s basically an ugly URL for your server (an example would be ve.tddlyfzr.vesrv.com), and it’s all you need to connect with SSH.

    Setting Up SSH on Your Home PC

    If you don’t feel like paying money for your SSH server, you’ve also got the option of setting up your own SSH server on your home PC, but it’s got major pitfalls that make renting a web host — and spending the cost of two lattes — feel well worth it. When you tunnel through your home PC, the connection speed tends to be dismally slow (all the traffic is going through your home computer, so your speed will bottleneck with the speed of your upload bandwidth), not to mention the fact that the computer needs to be on and connected at all times. You’d also need to set up a service like DynDNS to assign a domain name to your PC and keep track of your home IP address, otherwise you wouldn’t know where to connect to while out of the house.

    We’ve got some very in-depth instructions for how to rig your home PC as a media server, which also covers router settings and setting SSH to receive connections. Windows takes a minimal amount of work to install and run SSH, while Linux and Mac should theoretically “just work”.

    It really is easier and generally better to use a web host if you can. Web hosts have a direct line to the internet, so compared to your home computer, they’re incredibly fast, and there’s nothing to bother setting up to connect to them with SSH. If, like many Lifehacker readers, you’ve already got one, then using it won’t cost you anything more than you’re already paying.

    Step Two: Set Up the SSH Tunnel App on Your Android

    The free SSH Tunnel app does exactly what it sounds like: creates the encrypted SSH tunnel between your phone and your SSH server, ensuring that all your internet usage is encrypted, even on open, public Wi-Fi networks. Setting it up is easy:

    Once you have a server to connect to, simply enter your server’s domain as the Host, then enter your SSH username, and your password. Check the boxes that read “Use socks proxy” and “Global Proxy”, then flip the “Tunnel Switch” and it connects — dead simple. To make things even easier, the app also has options to reconnect automatically if the connection drops. Now, on all your connections (or just whenever you want to turn it on), all of your Android traffic will be secured, encrypted from prying eyes.

    Got a preferred secure usage method of your own? Let’s hear about it in the comments.

    I’ve used the following guide to set up my raspberry pi as an access point:

    I’m forwarding wlan0 to eth0 and NATing all my traffic. Works great!

    Now I want to set up the same rules except use interface tun0-00 and forward all my traffic through my vpn tunnel. I do want to send all of it, don’t want anything leaking out into the host network. Thinking it goes something like this:

    Unfortunately I know that these iptables rules aren’t complete. The trouble is that eth0 stays up; the original rule to forward traffic to eth0 still exists.

    I want to send all my traffic through the tunnel if the tunnel is open; if not, I’m good with it using eth0.

    Update:

    Used the -I flag to insert my rules:

    The FORWARD chain:

    Still no joy, the forwarding doesn’t seem to work.

    Client VPN Config

    I’ve scrubbed out things that looked sensitive:

    The pi connects just fine and reflects a different public IP. The clients still show the pi as their gateway but they can’t connect anymore.

    Solution

    First I needed to add redirect-gateway def1 into the .ovpn file on the pi.

    Then I needed to actually type my interface name in correctly. Ugh. I feel like a crazy person, but apparently I saw tun0-00 in the beginning and that was the only time it existed. The interface is actually just tun0.
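The rules the thread was working towards, as an added example that is not from the original post: wlan0 clients are forwarded through tun0, with the existing eth0 NAT left in place as the fallback the poster wanted, plus an optional strict mode that drops anything that would otherwise leave via eth0. It assumes the thread's interface names and that redirect-gateway def1 is in the client .ovpn file; MODE and APPLY are this script's own switches, and nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread: prints (and, only with APPLY=1,
# applies) the iptables rules that forward a Raspberry Pi access point's wlan0
# clients out through an OpenVPN tun0. Assumed setup, as in the thread: the Pi
# already NATs wlan0 -> eth0, and the client .ovpn carries "redirect-gateway def1".
# With that route in place the kernel sends forwarded traffic to tun0 while the
# tunnel is up and back to eth0 when it is down; iptables does not pick the
# interface, it only permits and masquerades what routing chose. MODE=strict adds
# a DROP so a downed tunnel fails closed instead of leaking to eth0.

LAN_IF="${LAN_IF:-wlan0}"   # access-point side
VPN_IF="${VPN_IF:-tun0}"    # tun0, not tun0-00, as the poster discovered
WAN_IF="${WAN_IF:-eth0}"    # original uplink, kept as fallback unless strict
MODE="${MODE:-fallback}"    # fallback | strict

# Print the rules for mode $1 ("fallback" or "strict"), one command per line.
# -I with an explicit position is used, as in the poster's update, so the tun0
# rules sit ahead of the pre-existing eth0 rules; -A would append them behind.
gen_rules() {
  case "$1" in
    fallback|strict) ;;
    *) echo "gen_rules: unknown mode '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
iptables -t nat -I POSTROUTING 1 -o $VPN_IF -j MASQUERADE
iptables -I FORWARD 1 -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -I FORWARD 2 -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
  if [ "$1" = strict ]; then
    # Position 3 keeps the DROP behind the tunnel rules but ahead of the old
    # wlan0 -> eth0 ACCEPT, so clients lose connectivity rather than leak.
    echo "iptables -I FORWARD 3 -i $LAN_IF -o $WAN_IF -j DROP"
  fi
}

# Run the generated commands as root; refuses to run otherwise.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
  gen_rules "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1   # exit leaves only the pipeline subshell, failing apply_rules
  done
}

# Return 0 if the VPN interface currently exists, i.e. the tunnel is up.
vpn_up() {
  ip link show "$VPN_IF" >/dev/null 2>&1
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_rules "$MODE"
else
  gen_rules "$MODE"
fi
```

Run it once without APPLY to review the rules, then with APPLY=1 as root; vpn_up can be checked from the OpenVPN up/down scripts to switch modes.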


    Always On VPN Device Tunnel Operation and Best Practices

    Unlike DirectAccess, Windows 10 Always On VPN settings are deployed to the individual user, not the device. As such, there is no support for logging on without cached credentials using the default configuration. To address this limitation, and to provide feature parity with DirectAccess, Microsoft later introduced the device tunnel option in Windows 10 1709.

    Device Tunnel Use Cases

    The device tunnel is designed to allow the client device to establish an Always On VPN connection before the user logs on. This enables important scenarios such as logging on without cached credentials. This feature is crucial for organizations who expect users to log on to devices the first time remotely. The device tunnel can also be helpful for remote support, allowing administrators to manage remotely connected Always On VPN clients without having a user logged on. In addition, the device tunnel can alleviate some of the pain caused by administrators resetting remote worker’s passwords, or by users initiating a Self-Service Password Reset (SSPR).

    Device Tunnel Requirements

    The device tunnel requires Windows 10 Enterprise edition 1709 or later, and the client device must be joined to the domain. The device tunnel must be provisioned in the context of the local system account. Guidance for configuring and deploying a Windows 10 Always On VPN device tunnel can be found here.

    Device Tunnel Authentication

    The device tunnel is authenticated using a certificate issued to the client device, much the same as DirectAccess does. Authentication takes place on the Routing and Remote Access Service (RRAS) VPN server. It does not require a Network Policy Server (NPS) to perform authentication for the device tunnel.


    CRL Checking

    Eventually an administrator may need to deny access to a device configured with an Always On VPN device tunnel connection. In theory, revoking the client device’s certificate and terminating their IPsec Security Associations (SAs) on the VPN server would accomplish this. However, Windows Server RRAS does not perform certificate revocation checking for Windows 10 Always On VPN device tunnel connections by default. Thankfully an update is available to enable this functionality. See Always On VPN Device Tunnel and Certificate Revocation for more details.

    Configuration Best Practices

    As the device tunnel is designed only to support domain authentication for remote clients, it should be configured with limited access to the on-premises infrastructure. Below is a list of required and optional infrastructure services that should be reachable over the device tunnel connection.

    Required

    • All domain controllers
    • Enterprise DNS servers (if DNS is running on servers other than domain controllers)

    Optional

    • All issuing certification authority (CA) servers
    • All certificate services online HTTP responders
    • All certificate services Online Certificate Status Protocol (OCSP) servers
    • System Center Configuration Manager (SCCM) distribution point servers
    • Windows Server Update Services (WSUS) servers
    • Management workstations

    Limiting Access

    Limiting access over the Always On VPN device tunnel can be accomplished in one of the following two ways.

    Traffic Filters

    The administrator can configure traffic filters on the device tunnel to restrict access only to those IP addresses required. However, be advised that when a traffic filter is enabled on the device tunnel, all inbound access will be blocked. This effectively prevents any remote management of the device from an on-premises system over the device tunnel.

    Host Routes

    An alternative to using traffic filters to limit access over the device tunnel is using host routes. Host routes are configured with a /32 prefix size and define a route to a specific individual host. The following is an example of host route configuration in ProfileXML.


    Note: A PowerShell script that enumerates all enterprise domain controllers and outputs their IP addresses in XML format for use in ProfileXML can be found here.

    Caveats

    Some organizations may have hundreds or even thousands of domain controllers, so creating individual host route entries for all domain controllers in profileXML may not be practical. In this scenario it is recommended to add host routes only for the domain controllers that belong to the Active Directory site where the VPN server resides.
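Since the screenshot that illustrated the host route configuration did not survive, here is an added example (not the article's own, and not the PowerShell script it links to) that emits the ProfileXML Route elements, with a /32 PrefixSize, for a list of domain controller addresses; the addresses are constructed sample values, and valid_ipv4 and emit_host_routes are this script's own helpers.

```shell
#!/bin/sh
# Added example; not the script the article links to. Reads domain controller
# IPv4 addresses (one per line on stdin) and prints the <Route> elements a
# device-tunnel ProfileXML uses for host routes: the VPNv2 CSP Route element
# with <Address> and a <PrefixSize> of 32. Per the Caveats section, feed it only
# the controllers of the Active Directory site where the VPN server resides.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -f            # no globbing while splitting on dots
  set -- $1
  set +f
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print one <Route> per valid address read from stdin. Invalid lines are
# reported on stderr and make the function return 1, so a malformed list never
# quietly yields a profile that is missing a controller.
emit_host_routes() {
  rc=0
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if valid_ipv4 "$ip"; then
      printf '<Route>\n  <Address>%s</Address>\n  <PrefixSize>32</PrefixSize>\n</Route>\n' "$ip"
    else
      echo "emit_host_routes: skipping invalid address '$ip'" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: two domain controllers in the VPN server's AD site.
SAMPLE_DCS="10.0.1.10
10.0.1.11"

printf '%s\n' "$SAMPLE_DCS" | emit_host_routes
```

The printed elements go under the VPNProfile root of the device tunnel's ProfileXML, one Route per controller.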

    Supportability

    Do not use the element in ProfileXML or enable force tunneling for the device tunnel. Neither of these configurations are supported.

    Tunnel Coexistence

    The device tunnel can be safely deployed in conjunction with the user tunnel whenever its functionality is required.

    DNS Registration

    If the device tunnel and user tunnel are both deployed, it is recommended that only one of the tunnels be configured to register in DNS. If the device tunnel is configured to register its IP address in DNS, be advised that only those devices with routes configured in the device tunnel VPN profile will be able to connect remotely to Always On VPN clients.

    I am looking for a software to tunnel RDP or other binary TCP traffic through a HTTPS tunnel. Because many clients only have HTTP/S permitted (only port 80 and 443 open in the firewall).

    But there’s a need to forward RDP (and other protocols) from machines in DMZ to clients.


    Is there any kind of open source or enterprise software for this problem?

    Bad solutions

    Solutions like F5 BIG-IP have the problem that I have to create the connection configuration with this software. If it would be possible to do this by use of an API it would be a good solution. But I would prefer only to get the tunnel component without buying a whole gateway software, because I need to create tunnels (1000s of) out of my own software and it’s a need to restrict tunnel access to permitted users (identified by session cookie).

    Good solutions

    If it would be possible that the tunnel client would not be a dedicated server but a Java applet or Flash running within the client’s browser, it would match my needs 100%.

    3 Answers

    There are a huge number of projects that tunnel TCP over HTTP(S). You will have to do a bit of work to select the one that best suits your needs (and probably modify it slightly).

    SuperTunnel (Java). Looks nice, they seem to have given some thought to how to deal with not-well-behaved proxies.

    JHttpTunnel (Java). A port of gnu httptunnel, I think uses the same network protocol.

    Netty HTTP Tunnel (Java, part of Netty, a very nice networking library; sample code). I think this requires both client and server to use Netty, but aside from that is a drop-in replacement for the regular sockets in Netty.

    ProxyChains (C, Unix, very popular)

    GNU httptunnel (C, no HTTPS support, this is probably the granddaddy of all http tunnels)

    I think SuperTunnel and JHttpTunnel can both be included in an applet or Java app of your own on the client side, they do not need to run as standalone proxies.

    Netty will also do that, but (I think) it requires that your server also use Netty: in other words, it allows you to replace regular TCP connect() to a server using Netty with TCP-over-HTTP connect() , but does not proxy arbitrary connections to other servers (unless you write your own simple proxy).

    How to route all your android traffic through a secure tunnel

    If you are in the Windows world, I would strongly suggest taking a look at the Windows 2008/2008R2/2012 SSTP VPN service. It uses port 443, and can be co-hosted with IIS (on 443). It works like a charm on Windows Vista / 7 / 8. I have heard about Mac OS X solutions but I’m not there yet.

    However there is the good old solution of SSH.

    If on linux, just install an openssh-server. If on windows, get and install an OpenSSH Server (e.g. copSSH from itefix https://www.itefix.no/). Modify the port to be using 443 instead of default 22.

    On the client side you can then use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) or KiTTY (http://kitty.9bis.net/) on Windows, or any kind of SSH client in any OS, to connect to your server through port 443 (where your SSH server is listening).

    Instructions on tunneling via putty for instance can be found on several sites:

    Always remember that you have to point to your local host to do this.

    VPN Split Tunneling Definition

    Virtual private network (VPN) split tunneling lets you route some of your application or device traffic through an encrypted VPN, while other applications or devices have direct access to the internet. This is particularly useful if you want to benefit from services that perform best when your location is known while also enjoying secure access to potentially sensitive communications and data.

    It is important to keep in mind the security risks (more on these later) when considering this option.

    Virtual Private Network (VPN)

    A VPN provides users with a secure tunnel through which all data traveling to and from their device is encrypted. This allows them to enjoy secure remote access and protected file sharing while also being able to mask their location if they choose to do so.

    However, with a VPN, you may experience slower network speed and bandwidth issues because of the encryption that has to be applied to all data traveling through it.

    Choose Which Traffic Goes Through the VPN

    With a VPN split tunnel connection, users can send some of their internet traffic via an encrypted VPN connection and allow the rest to travel through a different tunnel on the open internet. The default setting of a VPN is to route 100% of internet traffic through the VPN, but if you want to access local devices or obtain higher speeds while encrypting specific data, consider using split tunneling.

    Benefits of VPN Split Tunneling

    VPN split tunneling may not be a good fit for all organizations, but you have the option of turning it on when you set up your VPN. Many organizations with VPNs have bandwidth restrictions, particularly because the VPN has to both encrypt data and send it to a server in a different location. This can result in performance issues if split tunneling is not implemented.

    Conserve Bandwidth

    When split tunneling is enabled, traffic that would have been encrypted by the VPN, which is likely to transmit more slowly, is sent through the other tunnel. Routing traffic through a public network can enhance performance because no encryption is necessary.

    Provide a Secure Connection for Remote Workers

    Remote employees can benefit from a secure network connection through the VPN that provides them with encrypted access to sensitive files and email. At the same time, they can access other internet resources through their internet service provider (ISP) at higher speeds.

    Work on a Local-Area-Network (LAN)

    When you connect to a VPN, encryption may block access to your LAN. With split tunneling, you can still access local resources like printers through your LAN while benefiting from the security of the VPN.

    Stream Content Without Using Foreign IP Addresses

    Stream content while traveling abroad and enjoy web services that depend on you having a local Internet Protocol (IP) address. You can use the VPN to connect to content in your home country, and with the split tunneling feature enabled, you can get the most out of websites and search engines that work best when they know your location.


    What Are the VPN Split Tunneling Security Risks?

    There are risks to using VPN split tunneling, and these must be weighed against the benefits. Those in charge of information security in corporate environments use defensive technology to protect endpoints and stop users from carrying out certain tasks, whether intentionally or by accident.

    Traditionally, users can circumvent proxy servers and other devices, which are put in place to regulate and protect network usage. Therefore, if a user is working from a network that is not secure, they can put the organization’s network at risk. If a hacker is able to compromise the network the user is working from by means of split tunneling, the hacker may be able to put the rest of the organization’s network in jeopardy as well. As long as a company computer is compromised, the organization’s network remains at risk too.

    Users may also bypass the Domain Name Systems (DNS), which aids in identifying and repelling intruders, devices that prevent data loss, as well as other devices and systems. Each of these devices or systems plays a significant role in protecting data and communication. So circumventing any of them just to reduce traffic or increase performance may not be advantageous.

    One function of proxy servers is to limit traffic to websites of a questionable nature or reputation. They also allow organizations to keep track of what their employees are doing or accessing. Additionally, proxies offer protection to corporate endpoints by preventing communication with command-and-control (C&C) servers manned by hackers. Another benefit is to monitor traffic and regulate it. An example are proxies that limit or prevent access to sites like Spotify, YouTube, or Netflix, which stream music, movies, and other forms of entertainment.

    If an employee’s system is infected, the data it sends to C&C systems in a split tunneling setup will not be visible to corporate IT. While the device or network is compromised and in communication with the invading system, the user may spend their time accessing disreputable sites on company time. And because split tunneling is enabled, the organization is unaware of the security risk or the loss of employee productivity.

    How Fortinet Can Help

    It is important to properly configure your VPN split tunnels and firewalls as they can be exposed to security risks because of the other tunnel’s lack of encryption. FortiClient improves security for your endpoints, providing secure access for remote employees. It also includes a built-in VPN that you can configure for split tunneling.

    To protect your network from attacks and manage vulnerabilities, you can use the FortiGate next-generation firewall (NGFW) and the Fortinet software-defined wide-area network (SD-WAN). With FortiGate, all traffic undergoes deep inspection, and threats are discarded as they are detected. The Fortinet Secure SD-WAN solution gives you web filtering, sandboxing, secure sockets layer (SSL) inspection, and more security features, all while enabling full visibility over your data center, users, devices, and business applications via a single pane of glass.

    What is VPN split tunneling?

    Virtual private network (VPN) split tunneling lets you route some of your application or device traffic through an encrypted VPN, while other applications or devices have direct access to the internet.

    Can you choose which traffic goes through a VPN split tunnel?

    Yes. With a VPN split tunnel connection, you choose which traffic is sent through the encrypted VPN connection and which travels directly over the open internet; the default setting of a VPN is to route all traffic through the VPN.

    What are the benefits of using a VPN split tunnel?

    Many organizations with VPNs have bandwidth restrictions, particularly because the VPN has to both encrypt data and send it to a server in a different location. This can result in performance issues if split tunneling is not implemented.

    Businesses have been rapidly growing more distributed in recent years. The COVID-19 pandemic was a major driver of this, inspiring many organizations to adopt remote work policies that may persist beyond the end of the pandemic. These remote workers need secure remote access to company systems and resources over untrusted networks. Companies also commonly have satellite offices and cloud-based infrastructure and the need to securely connect these geographically-distributed networks.

    Virtual private networks (VPNs) are a common choice for meeting these needs. A remote-access VPN establishes an encrypted tunnel between a user’s computer and a VPN endpoint, while a site-to-site VPN creates an encrypted tunnel between two VPN endpoints.

    The rise of remote work has driven a boom in VPN usage, making the technology a prime target for cybercriminals. As of Oct. 25, 2021, cybercriminals were known to be using 54 zero-day vulnerabilities in VPNs to deliver ransomware.

    Best practices for choosing and hardening a VPN

    In September 2021, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance on Selecting and Hardening Remote Access VPN Solutions .

    This advisory provides numerous recommendations on selecting the right VPN and hardening and configuring it to minimize the organization’s digital attack surface. Here are some of the highlights from the recommendations:

    1. Select a standards-based VPN

    VPNs that use accepted standards, such as Internet Key Exchange/Internet Protocol Security (IKE/IPSec), are generally less risky and more secure than Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs that use custom code to send traffic over TLS. If a VPN is designed to use a custom SSL/TLS tunnel as a fallback, disable this functionality.

    2. Use a VPN with strong cryptography

    Validate that the encryption algorithms, authentication algorithms and protocols used by a VPN are strong and FIPS-validated. Configure all VPNs to use multi-factor authentication (MFA) and replace password-based authentication with client authentication through digital certificates (stored on smartcards) when possible.

    3. Manage software vulnerabilities

    The exploitation of VPN vulnerabilities is a common attack vector for cybercriminals. Select a VPN vendor with a strong track record of vulnerability patching, and request a software bill of materials (SBOM) to validate that third-party code is up-to-date and secure. Also, look for a product that can perform validation of its code when running to detect potential intrusions.

    After deploying a VPN, regularly check for and promptly apply software updates. Follow vendor guidance for updating, such as forcing a password change for users when patching a vulnerability known to be actively exploited by threat actors.

    4. Limit VPN access

    VPNs are a common target for cybercriminals who use compromised credentials to access an organization’s internal systems. Create firewall rules that allow only UDP ports 500 and 4500 for IKE/IPsec VPNs, or TCP port 443 (or a custom port) for SSL/TLS VPNs.

    It is also wise to restrict access to and from the VPN. If possible, limit access to the VPN endpoint based on an IP address allowlist. Also, block access to management interfaces via the VPN to prevent it from being used with compromised administrator credentials to access management interfaces and perform privileged activities. This should be part of a greater zero trust security and network segmentation policy that limits access to and from the VPN based on the principle of least privilege.
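An added example, not from the advisory or the article above: a first-match rule evaluator plus an audit of a constructed firewall rule list for a VPN gateway against the recommendations in step 4 (only the VPN service ports reachable from the internet, ideally from an IP allowlist, and no management access from the VPN client pool). The gateway, management and client-pool addresses, the rule format and both rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dport: int    # 0 matches any destination port
    src: str      # source prefix
    dst: str      # destination prefix

def decide(rules, proto, dport, src, dst):
    """First-match evaluation with an implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto) and r.dport in (0, dport)
                and s in ip_network(r.src) and d in ip_network(r.dst)):
            return r.action
    return "deny"

# Ports the guidance allows: IKE/IPsec on UDP 500 and 4500, SSL/TLS VPN on TCP 443.
VPN_PORTS = {"ipsec": {("udp", 500), ("udp", 4500)}, "ssl": {("tcp", 443)}}
# Probed from the internet: the VPN ports plus ports that should never be exposed.
PROBE_PORTS = [("udp", 500), ("udp", 4500), ("tcp", 443),
               ("tcp", 22), ("tcp", 8443), ("udp", 161)]

def in_any(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def audit(rules, vpn_type, gateway, mgmt_ip, mgmt_ports, client_pool,
          internet_src="198.51.100.7", allowlist=None):
    """Return a list of findings; an empty list means the rules follow the
    recommendations modelled here. internet_src is a constructed address that
    is deliberately outside the allowlist."""
    findings = []
    for proto, port in PROBE_PORTS:
        verdict = decide(rules, proto, port, internet_src, gateway)
        if (proto, port) in VPN_PORTS[vpn_type]:
            if verdict == "allow" and allowlist and not in_any(internet_src, allowlist):
                findings.append(f"{proto}/{port}: VPN port reachable from outside the allowlist")
        elif verdict == "allow":
            findings.append(f"{proto}/{port}: non-VPN port exposed to the internet")
    pool_client = str(ip_network(client_pool)[1])   # a typical VPN client address
    for proto, port in mgmt_ports:
        if decide(rules, proto, port, pool_client, mgmt_ip) == "allow":
            findings.append(f"{proto}/{port}: management interface reachable from VPN client pool")
    return findings

GATEWAY, MGMT_IP, POOL, ALLOWLIST = "203.0.113.10", "10.0.0.1", "10.8.0.0/24", ["192.0.2.0/24"]
MGMT_PORTS = [("tcp", 22), ("tcp", 443)]
# Constructed weak rule set: everything open to the gateway, clients can reach anything internal.
WEAK = [Rule("allow", "any", 0, "0.0.0.0/0", GATEWAY + "/32"),
        Rule("allow", "any", 0, POOL, "10.0.0.0/8")]
# Constructed hardened rule set: IKE/IPsec only from the allowlist, management blocked for clients.
HARDENED = [Rule("allow", "udp", 500, ALLOWLIST[0], GATEWAY + "/32"),
            Rule("allow", "udp", 4500, ALLOWLIST[0], GATEWAY + "/32"),
            Rule("deny", "any", 0, POOL, MGMT_IP + "/32"),
            Rule("allow", "any", 0, POOL, "10.0.0.0/8")]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules, "ipsec", GATEWAY, MGMT_IP, MGMT_PORTS, POOL, allowlist=ALLOWLIST))
```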

    5. Secure VPN traffic

    A VPN is designed to provide an encrypted channel between two locations. It does not perform any security inspection or filter the traffic passing through this tunnel.

    All VPN traffic should pass through a full security stack en route to and from the enterprise network, including a web application firewall (WAF) and intrusion prevention system (IPS). Additionally, the VPN should be configured with all web application security settings enabled, such as protection against replay attacks that reuse previous users’ session data.

    Deploying a secure remote access VPN

    In the wake of the COVID-19 pandemic, many organizations rolled out infrastructure as quickly as possible to support a suddenly remote workforce. As a result, much remote access infrastructure was vulnerable to exploitation, a state that ransomware gangs and other cybercriminals have taken full advantage of.

    The need for remote access is not going away any time soon, and securing the remote workforce should be a core component of an enterprise cybersecurity strategy. The guidance released by the NSA and CISA provides an opportunity for organizations to review and reevaluate their existing VPN infrastructure and potential plans for expansion. Check out the full advisory for a list of recommendations for acquiring and hardening secure remote access VPNs.

    A traffic selector is an agreement that permits traffic through the tunnel only when it matches both the configured local and remote addresses. The proxy ID in IKEv1 is an example of a traffic selector. Several traffic selectors can be defined for a route-based VPN, which results in one IPsec phase 2 security association (SA) for each configured traffic selector. Only the traffic selected by a given traffic selector is permitted through its SA.
    When using a traffic selector, only a single subnet can be specified for the local and the remote addresses. Remote and local addresses cannot be specified by means of an address book, but you may configure the traffic selectors with IPv4 or IPv6 addresses. Multiple traffic selectors can be associated with a VPN using different tunnel modes, e.g. IPv4-in-IPv4, IPv6-in-IPv6, IPv4-in-IPv6 and IPv6-in-IPv4. All of the generally used traffic selectors are supported only by IKEv1.
    When traffic selectors are configured, traffic routes are added automatically. The process of negotiating traffic selectors is known as reverse route insertion (RRI). These routes may conflict with routes populated by the routing protocols. When configuring a selector there is no need to configure routing protocols on st0 interfaces. Traffic passing through a tunnel may be affected when a traffic selector is deleted, because the deletion removes the corresponding IPsec SAs, tunnel sessions and routes. To use the traffic selector again, the IPsec SAs, tunnel sessions and routes must be re-installed; once that re-installation is complete, the traffic selector can be used again without trouble.
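An added example, not from any of the pages quoted above, that serves both the split-tunneling section (which traffic takes the encrypted tunnel and whether the LAN stays reachable) and the traffic selector description just given: each selector yields one phase 2 SA, reverse route insertion adds a route per remote prefix via the st0 interface, and traffic that matches no selector goes direct. The prefixes, the `st0.0` interface name and the policy ordering are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any

@dataclass(frozen=True)
class TrafficSelector:
    name: str
    local: str    # exactly one local subnet, e.g. "10.1.0.0/24"
    remote: str   # exactly one remote subnet, e.g. "10.2.0.0/16"

@dataclass(frozen=True)
class Phase2SA:
    selector: str
    local: Any    # ip_network of the selector's local side
    remote: Any   # ip_network of the selector's remote side

def build_sas(selectors):
    """One IPsec phase 2 SA per configured traffic selector."""
    return [Phase2SA(ts.name, ip_network(ts.local), ip_network(ts.remote)) for ts in selectors]

def rri_routes(sas, tunnel_if="st0.0"):
    """Reverse route insertion: every remote prefix gets a route via the tunnel interface."""
    return {str(sa.remote): tunnel_if for sa in sas}

def select_sa(sas, src, dst):
    """First SA whose selector matches both addresses; version mismatches never match."""
    s, d = ip_address(src), ip_address(dst)
    for sa in sas:
        if s in sa.local and d in sa.remote:
            return sa
    return None

def forward(sas, src, dst, lan="10.1.0.0/24"):
    """Split-tunnel decision: 'tunnel:<selector>' when a selector matches, 'lan' for the
    local subnet, otherwise 'direct' (the unencrypted path over the ISP)."""
    sa = select_sa(sas, src, dst)
    if sa is not None:
        return f"tunnel:{sa.selector}"
    if ip_address(dst) in ip_network(lan):
        return "lan"
    return "direct"

def delete_selector(selectors, name):
    """Deleting a selector drops its SA and its RRI route; everything is rebuilt
    from the remaining selectors, mirroring the re-installation described above."""
    remaining = [ts for ts in selectors if ts.name != name]
    sas = build_sas(remaining)
    return remaining, sas, rri_routes(sas)

# Constructed selectors: a split-tunnel set (corporate prefix only, plus an IPv6 site)
# and a full-tunnel set that adds a catch-all 0.0.0.0/0 remote selector.
SPLIT = [TrafficSelector("corp", "10.1.0.0/24", "10.2.0.0/16"),
         TrafficSelector("corp6", "2001:db8:1::/64", "2001:db8:2::/64")]
FULL = SPLIT + [TrafficSelector("all", "10.1.0.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, sel in (("split", SPLIT), ("full", FULL)):
        sas = build_sas(sel)
        print(name, rri_routes(sas), forward(sas, "10.1.0.5", "93.184.216.34"),
              forward(sas, "10.1.0.5", "10.1.0.20"))
```

With the catch-all selector in place, even the printer on the LAN is pushed into the tunnel, which is the "encryption may block access to your LAN" effect described above.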

    Written By: SEo


    SSH provides a secure mechanism to transfer files to and from your Android device. SSH also comes in handy in a huge number of cases, from networking to development. It lets you access your Android remotely, and you can also browse your Android’s internal file structure. However, most of the SSH apps available on the Play Store require you to root your device.

    If you just want to SSH into your Android, rooting the device is too far a step. You can access your Android via SSH without root. Here’s how to do it.

    Uses of SSH

    SSH lets you completely control your Android over Wi-Fi. You can issue commands like ls, mkdir, find, etc. To take full advantage of this, though, you’ll have to be familiar with the terminal commands. Moreover, SSH lets you transfer files securely to your Android device. Unlike Pushbullet or AirDroid, there is no file size limit, and you don’t have to authenticate every time you connect to your Android device.

    What will you need

    We will need an SSH client and an SSH server running on the computer and Android respectively.

    • First, you need to install an SSH server on your Android. For this, we’ll use the SSHelper app, as it doesn’t require root.
    • Next, to access your Android from the computer, we’ll use the command line.
    • Also, make sure both the PC and the Android device are on the same Wi-Fi network.

    Get SSH Server on Android

    1. Head over to the Google Play Store and install the SSHelper app. Once done, open the app.

    2. When you open the app, first up you will have a pop-up asking for Storage Permission. The process to provide it storage permission is a bit different. Tap on the “OK” button and next tap on the “Permissions” option.


    3. Next, within the Permissions tab, tap on Storage. Next, tap on the Allow to enable storage permission for the app.

    4. Once done, head back to the SSHelper app. The SSH server will have started on your phone. In order to connect to our Android device, we need four things: the IP address, the SSH port number, the username, and the password. To see the IP address and port number, switch to the Configuration tab and note them down, as we will need them to connect to the SSH server. The default login username and password are both “admin”.

    Now that we have started the SSH server on Android, we can move over to the PC.

    Use CMD on Windows 10 to access Android

    1. The good old Windows command line already supports SSH. All you have to do is run the ssh command from cmd. To do that, open the Start menu, type “cmd”, and hit Enter once the result pops up. Alternatively, hit Win+R, type cmd, and click the “OK” button.

    2. Next, type the following command at the command prompt.

    If you haven’t changed anything on Android, use the same command, replacing the IP address with that of your Android device.

    3. After you hit Enter, the client will ask whether to trust the host key your Android device presents. If you are using a trusted laptop, just type yes; the key is then stored and you won’t be asked again for this device. If you aren’t using a trusted device, just type no. Next, enter the password. The default password is admin. Once authenticated, you’ll be presented with the Android command line, where you can execute commands remotely.

    Use Terminal on macOS to access Android

    2. In the Terminal, enter the following command, replacing the IP address with that of your Android device.

    The next prompt asks for the password. The default password is admin. Once you are successfully authenticated, you will be presented with the Android terminal.

    Third-Party App for Windows and macOS

    Although the native command line supports SSH, if you want a more intuitive interface, a third-party client like PuTTY is a good option. PuTTY lets you manage multiple connections at a time, and the connection settings can be configured in the GUI.

    1. Download PuTTY.exe on your PC from the link below, choosing the 32-bit or 64-bit file according to your Windows version. Download PuTTY for Windows

    2. Enter the IP address of your Android device and change the SSH port from 22 to 2222.

    How to access Android GUI From A Computer

    If you aren’t comfortable with the command line, you can also use a third-party GUI app like WinSCP. WinSCP lets you access your Android’s file system via a GUI over SSH. The app uses SCP, which works over SSH, so you can securely transfer files from your Windows PC to your Android smartphone. Download WinSCP for Windows

    Pratik

    Pratik works as an in-house writer and video host at TechWiser. Former programmer, current writer. Loves tech in any form, quite optimistic about AI, data science and IoT. Talks very little, but you betcha can geek out over anything on Twitter.