Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

HOWTO: Leak Protection for Android

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IP6 leakblocking, & to firewall-based structures to enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

HOWTO: Leak Protection for Android

Postby acid1c » Tue Nov 12, 2013 4:12 am

{edited some parts, deleted some redundancy, merged postings and created a new thread. acid1c will be at your service but everyone is welcomed and encouraged to contribute here. ~DesuStrike}

We highly recommend downloading F-Droid, a FOSS (Free and Open Source Software) market, because it offers most apps that you'll find here!


1. AFWall+

AFWall+, available on the Play Store and F-Droid, is a great firewall.
Minimal setup is to whitelist just OpenVPN for Android and VPN networking.

To enable VPN Control:
Menu > Preferences > Enable VPN Control

(WARNING: Experimental Feature. It may block all data COMPLETELY on some ROMs until deactivated)
Fix Data Startup Leak:
Menu > Preferences > Enable Fix Startup Data Leak


Enable each program you need under VPN Control to allow it through your VPN.

DNS proxy may be required for apps that use the netd command, like bitcoin. Neither Tor nor I2P uses netd. It can be turned on and off as needed when some whitelisted apps aren't getting through.



2. Xposed Framework and VPNDialog Xposed Module

Xposed Framework (latest installer here) is an Android framework that allows customizing your ROM. Arne developed a VPNDialog Xposed Module (Download) that takes care of the confirmation window where you have to agree and confirm to get the VPN running.



3. Freezing/Defrosting Packages

I am skeptical of any of Google's apps, as many of us here probably are. The Play Store has its uses, but when utilizing a VPN it's generally not good to have our Android and its user/device identifiable information hitting Google's server while on a VPN.

To start you will need Terminal Emulator from the Play Store or F-Droid. A backup utility such as Titanium Backup or ROM Toolbox Pro has a GUI and allows you to freeze/defrost apps as well.

The 4 apps I would recommend freezing before connecting to your VPN:
  • Google Play Store (com.android.vending)
  • Google Search (com.google.android.googlequicksearchbox)
  • Google Play Services (com.google.android.gms)
  • Google Services Framework (com.google.android.gsf)

Start up terminal.
To gain root type su
Confirm root access by watching the $ before the cursor change to #

To freeze/disable these apps we will use Package Manager:
  • pm disable com.android.vending
  • pm disable com.google.android.googlequicksearchbox
  • pm disable com.google.android.gms
  • pm disable com.google.android.gsf

After an app is frozen, you should see it missing from your app tray. To defrost an app replace "disable" with "enable". After re-enabling apps like the Play Store and Google Framework, a reboot is required.
Last edited by acid1c on Fri Nov 15, 2013 5:07 am, edited 5 times in total.
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg
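
The freeze/defrost steps from acid1c's post above as one script, with a check that each package really ended up in the requested state. This is an added example, not part of the original post; the `PM` override and the `set_state` / `is_disabled` helper names are assumptions made for illustration, and it expects a root shell (after `su`).

```shell
#!/system/bin/sh
# Added example: freeze or defrost the four Google packages from the post
# and verify the result with `pm list packages -d` (lists disabled packages).
# Assumption: PM can be overridden so the logic can be tried off-device.
PM="${PM:-pm}"
PKGS="com.android.vending com.google.android.googlequicksearchbox
com.google.android.gms com.google.android.gsf"
NL='
'

# is_disabled PKG: succeeds only if PKG is reported as disabled.
# Uses shell pattern matching so it does not depend on grep being installed.
is_disabled() {
    case "$NL$($PM list packages -d 2>/dev/null)$NL" in
        *"${NL}package:$1$NL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# set_state disable|enable: apply the state to every package, then re-read
# the package list; returns non-zero if any package is in the wrong state.
set_state() {
    case "$1" in
        disable|enable) ;;
        *) echo "usage: set_state disable|enable" >&2; return 2 ;;
    esac
    failed=0
    for p in $PKGS; do
        $PM "$1" "$p" >/dev/null 2>&1
        ok=1
        if [ "$1" = disable ]; then
            is_disabled "$p" || ok=0
        else
            is_disabled "$p" && ok=0
        fi
        if [ "$ok" = 0 ]; then
            echo "still not ${1}d: $p" >&2
            failed=1
        fi
    done
    # The post notes a reboot is required after re-enabling.
    [ "$1" = enable ] && [ "$failed" = 0 ] && echo "reboot to finish" >&2
    return "$failed"
}

# Run as: sh freeze.sh disable   (before connecting the VPN)
if [ "$#" -gt 0 ]; then set_state "$1"; fi
```

A non-zero exit means at least one package is not in the requested state, so the VPN should not be brought up yet.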

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Tue Nov 12, 2013 6:38 am

acid1c -

This is absolutely wonderful work of yours! Thank you very much! I never heard about those apps before. This is the kind of all-embracing knowledge that can only be achieved by dedicated community work. :thumbup: :clap:

Unfortunately I'm just a freshman on the Forum-Team and thus kinda lack the needed moderation rights. Don't know if this was intentional or if PJ just forgot about it. Anyways as much as I'd love to I cannot edit those posts and we have to wait for someone from the company staff.

I will drop PJ a DM and ask him for either editing the post himself or granting me some fancy moderation powers. Hehe... perfect pretence... :mrgreen:
home is where the artillery hits

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Tue Nov 12, 2013 7:07 am

Ironically, I was the Guest post that started this before it got the android. * redirect. lol
Last edited by acid1c on Fri Nov 15, 2013 2:58 am, edited 1 time in total.

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Wed Nov 13, 2013 4:45 am

The guide is now improved based on a selection of acid1c's and my own suggestions. The reason for me dropping some suggestions is to provide a guide that is as close to the original crypstorstorm.conf as possible.

Any optional settings or additional applications that are required only for certain devices or can help improve overall security should be in a separate post in this thread. I will link to those "additional posts" the same way as the main guide is linked in the OP posting.

@ acid1c:
I will merge your posts and use them as a complementary guide.

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Wed Nov 13, 2013 6:20 am

It is an honor to help. :mrgreen:

I also added a section to my post about freezing and defrosting apps, which I feel could come in handy as well if anyone is interested. Better formatting could probably be done, but I'd rather not spend the time doing that on my mobile.

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: openvpn for android cryptostorm

Postby marzametal » Thu Nov 14, 2013 5:34 am

I'll get around to this eventually... I only use the Internet part of my phone to check lottery numbers... lmao

EDIT: Is it possible to download the "x for Android", plus the firewall stuff onto a PC and then transfer via USB to phone?

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Thu Nov 14, 2013 6:38 am

marzametal wrote:I'll get around to this eventually... I only use the Internet part of my phone to check lottery numbers... lmao

EDIT: Is it possible to download the "x for Android", plus the firewall stuff onto a PC and then transfer via USB to phone?


Yes, I personally recommend browsing the F-Droid repos here: https://f-droid.org/repository/browse/

They provide the needed links there to download the latest apks. As well as the apks being validated as FOSS compliant :).

If Google Play Store is more your style, there is a Chrome extension called 'APK Downloader'. It violates the Market's ToS, so you are on your own if you decide to go that route.

When you plug your Android into your PC via USB, it should be plug and play, and one of two things will happen: either your sdcard will automatically mount as USB storage (as a flash drive normally would), or a notification will show in your notification bar that you must click and confirm to activate USB storage. :)

If you have any issues, I'll do my best to help out from here :)

Also you will need an app to be able to browse your filesystem. F-Droid has a few File Managers as well.

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Thu Nov 14, 2013 11:54 am

I wonder if it would be clever to split this thread into half for reasons of clarity and comprehensibility as well as providing you with enough space for extensive discussion.

To be honest I plan to unhinge everything not directly related to "OpenVPN for Android" and put it into a new Thread named: "HOWTO: F-Droid and Leak Protection for Android". (or similar. Input appreciated!) The thread would start with the Post about AFWall+ and I would cross reference to it in the first post of this thread. Kinda like I already did but just in a new thread.

@acid1c: As I see you are kinda our F-Droid/Android expert here and you told me you want to help out on the forums I'd like to assign you (though unofficially) to watch over this new thread and provide support where you can. If you volunteer to do so, of course. If there are any major changes like new apps or new guides you can drop me a PM or even better Bitmessage (I'll send you my address) and I will link to those or integrate them into the first Post so newbies can easily find them.

Let me know what you think so I can do the necessary steps.

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Thu Nov 14, 2013 5:53 pm

It sounds like a plan, I'll do my best :)

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: Leak Protection for Android

Postby marzametal » Thu Mar 27, 2014 7:07 am

Awesome stuff man, managed to get all this stuff working well... just forgot to type "exit" after I froze the google apps :P
Might try and put all this stuff together in a PDF.

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: Leak Protection for Android

Postby acid1c » Tue Apr 01, 2014 7:27 am

I'll gladly help you out if need be :), things could be updated here, but I cannot edit this post anymore.
While I did suggest terminal for freezing apps, any modern backup utility like Titanium Backup can freeze apps with ease as well :)

Jarmer
Posts: 15
Joined: Sat Aug 17, 2013 9:10 pm

Re: HOWTO: Leak Protection for Android

Postby Jarmer » Fri Apr 04, 2014 8:03 pm

Thanks to everyone here for this thread, this is super useful stuff in combination with the openvpn cryptostorm connection! Now I can finally block off those damn games from trying to connect to google+ for saving cloud shit, or whatever they're doing. This is awesome.

I have a question though, I've gone through and configured AFWall+, set all the settings, and enabled the firewall, selected all the apps through VPN, and deselected the ones I don't want to have access, but it's not working. Or ... it seems to be ... kind of working...??

The firewall says it is running, and I've applied the settings for all the apps, and the vpn is connected, but if I try to disallow an app such as Dolphin browser, apply rules, then go into dolphin and go to google.com --- BAM it works totally fine no problem. If I try to go to mozilla.org it also works, but with a very strange half connected interface. But then if I try to go to duckduckgo, it doesn't work! It gives me a bad connection error (how it should be).

You all experiencing this at all? If I've disallowed Dolphin, there is no way it should be getting ANY data connection to get to google or mozilla, right? And they're not just cached pages, I tried clearing all the cache and clicking on several links and the links load as well.
Attachments
Screenshot_2014-04-04-10-48-02.png
mozilla.org kinda half works, but it's getting at least SOME data..
Screenshot_2014-04-04-10-47-53.png
... but google works totally fine :(
Screenshot_2014-04-04-10-46-30.png
disallowed dolphin browser

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: HOWTO: Leak Protection for Android

Postby Tealc » Fri Apr 04, 2014 11:38 pm

Jarmer wrote:The firewall says it is running, and I've applied the settings for all the apps, and the vpn is connected, but if I try to disallow an app such as Dolphin browser, apply rules, then go into dolphin and go to google.com --- BAM it works totally fine no problem. If I try to go to mozilla.org it also works, but with a very strange half connected interface. But then if I try to go to duckduckgo, it doesn't work! It gives me a bad connection error (how it should be).


Huummmm can you please make sure that the app is running and then try two sites that you have never browsed from your device and computer before, like: https://kellersp.ch and http://www.meteosuisse.admin.ch/

Did they work OK?

Jarmer
Posts: 15
Joined: Sat Aug 17, 2013 9:10 pm

Re: HOWTO: Leak Protection for Android

Postby Jarmer » Sat Apr 05, 2014 12:39 am

I disabled firewall, rebooted (just in case you never know), reconnected to vpn, and enabled firewall, so everything should be set and cleanly connected. Tried opening Dolphin (still disallowed in afwall+ settings) and going to those two sites. It did not work, which is awesome. However, google.com still comes through totally fine, and I can click links and keep browsing other google pages, google+ for instance. mozilla.org also still works, but still in that half-screwed-up way. I then tried a page I've not ever been to on Dolphin at all, en.wikipedia.org - (i use the wiki app so I never would use a browser for it) and it also loaded and works perfectly fine.

So it appears there is definitely something wrong with afwall+, it's sometimes blocking the connection through Dolphin, but other times not. Not sure how it's choosing what to block and what not to block. And if it's doing this on one app, then I'm guessing it's doing it on a bunch of them.

Thanks Tealc for all your help, you've been awesome with my issues. We need a "thanks" button on this forum.

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: HOWTO: Leak Protection for Android

Postby Tealc » Sat Apr 05, 2014 8:44 pm

@Jarmer

In the screenshots it looks like you're using the stock browser and not Chrome, is that right?
What kind of connection are you using on your smartphone? Wifi, 3G/4G/CDMA?
Can you do the following:

PLEASE REBOOT AND DO NOT ENABLE DATA CONNECTION

1) Start AFwall+ and "Enable Firewall" followed by "Apply"
2) Set the Mode to: White List (allow selected)
3) Select to authorize "Dolphin" in "VPN", and "OpenVPN for Android" all options
4) Un-select any other app, leave only the two apps from 3), followed by "Apply"
5) Connect to WIFI
6) Start OpenVPN and connect
7) Use Dolphin and go to: http://whatthefuckshouldimakefordinner.com
8) Disconnect from OpenVPN
9) Disconnect from WIFI
10) Connect to 3G/4G/CDMA
11) Start OpenVPN and connect
12) Use Dolphin and go to: http://www.wtfpl.net/
13) Give me stats, if it worked ok, from 7) and 12)
14) Un-select Dolphin from allowed apps and choose Chrome, allow only VPN, followed by "Apply"
15) Do the same from 5) to 13)
16) Now try to access in Dolphin a website that you go to every day
17) Check here if it's your ip address or the VPN ip address: http://whatismyipaddress.com/

Let me know about these steps. :think:
And please can you upload your firewall logs? Be so kind as to change any MAC address or IP address that may show up 8-)

Topic Author
acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: Leak Protection for Android

Postby acid1c » Fri Apr 11, 2014 5:15 pm

If you are on stock KitKat or a not recently updated custom KitKat ROM, there is a VPN issue in which all traffic will leak despite firewall rules. I suggest updating to the latest CyanogenMod, AOKP, or Omni.