Develop Bugs

CM7 DroidSSHd - how to setup with passwords

Hello,
I just tried to set up DroidSSHd with the aim to backup my phone using rsync.
There is an option to set a password which I did but when I connect via a Windows machine/CopSSH/Putty the password will be ignored; so everybody can just connect to my phone, which is kind of a security disaster.
Is there something I have to do to get this working?
My steps so far (without much knowledge of command lines):
- created a set of ssh-keys using Putty
Code:
ssh-keygen
- copied the public key to /sdcard/authorized_keys/
- opened DroidSSHd and created a profile with root-access (didn't connect w/o), entered a password, chose the public key, changed the port to 22
- now user name is "root" and the service is running
- open Putty, and enter
Code:
ssh [email protected][IPADRESS]
>>password: [ENTER]
Ready to rock. BUT anyone can access my phone!
How do I set a password for DroidSSHd?
thx

Seems its not possible or I'm the only one facing that problem.

-Y <passsword> in the dropbear cmdline
this password is hidden from /proc/xxx/cmdline and ps
else there is the public key method, which doesnt require password if your client is "authorized" by SSH
Code:
ssh [email protected] -p 2222
The authenticity of host '[192.168.10.245]:2222 ([192.168.10.245]:2222)' can't be established.
RSA key fingerprint is c8:8f:61:2b:14:67:a5:62:50:02:39:3d:ad:ec:15:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.245]:2222' (RSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

will try. thx a bunch. you are a really busy guy. i'm totally impressed.
Motorola Defy CM7RC1. 5, german Froyo base

[SOLVED] OpenVPN Full Tunnel

Short Version:
Got an OpenVPN server on my NAS. GN connects & works fine; remote resources are reachable. I now want to know how I can route all traffic through the tunnel. (Is this possible?)
Long Version:
For those times when I'm traveling (domestically and internationally) and/or using a questionable Internet connection, I'd like to secure the connection.
I've got a [stock] rooted GN running Jelly Bean with BusyBox installed. My NAS has two built-in VPN solutions one of which being OpenVPN so I got that setup which created an .ovpn file containing the following configuration:
Code:
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
After installing OpenVPN Installer & OpenVPN Settings, I had to manually symlink busybox, ifconfig, and route from /system/bin to /system/xbin in order for OpenVPN to run properly.
Code:
#Note: In an attempt to be thorough, and for any Googlers or forum searchers (+1)...
#First I had to mount /system as read/write via:
mount -o -rw,remount /system
#Then create the symlinks via:
ln -s /system/bin/busybox /system/xbin/busybox
ln -s /system/bin/ifconfig /system/xbin/ifconfig
ln -s /system/bin/route /system/xbin/route
#Then remount /system as read-only via:
mount -o ro,remount /system
Once all of the above was setup, I initiated the connection, successfully authenticated, and was able to reach remote resources without issue.
What I would like to do at this point is get it setup so that I can have a second profile that routes all traffic through the VPN. I assume its a client-side configuration change but I really don't know at this juncture.
Many thanks!

Doesn't CyanogenMod ROM have native OpenVPN support? I think the OpenVPN client on CM has an option to route all traffic through the VPN. I think for what you want to do you should need a custom ROM or kernel that supports iptables.
iptables is a system file that allows the system to redirect network traffic usually for apps like tethering, firewalls, and proxies.
Sent from my Galaxy Nexus using Tapatalk 2

Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?

Phylum said:
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet supports encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong and its less about OpenVPN and more about running a custom script once connected to route everything through the tunnel; and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
Click to expand...
Click to collapse
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2

You need to enter "redirect-gateway" into your ovpn config file.... Just remove the # in the your config

Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.

KemikalElite said:
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections since there's no config only authentication and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse
I somehow missed this when drafting my last reply. I think you're right about it being a DNS problem. I made a change to the config file (adding a few lines for 'dhcp-option DNS x.x.x.x') and within OpenVPN used the 'Fix DNS' button.
Thanks all for your time, thoughts, opinions and instructions!

Phylum said:
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range - so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway' and after reconnecting I could no longer access the Internet. I checked the OpenVPN Manual I added 'def1' after the 'redirect-gateway' statement, reconnected but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
Click to expand...
Click to collapse
You probably need to allow traffic to route back along the vpn film the internet. On your gateway, route vpn addresses to the VPN server and make sure forwarding is enabled on the vpn server.

Questions go in Q&A
Read forum rules and stickies before posting
Thread moved
FNM

[Q] Help ? Xperia ARC+DarkKernel+LX : Wifi almost working, only sees the gateway

Hi,
This is my first post, on this great forum, so I'm posting as a "noob"...
So my problem :
- I installed the LegacyXperia 20130908 CM10.1 release. It was working almost OK
- But because of the high wifi drain, I gave the lated DarkKernel a try (http://forum.xda-developers.com/showthread.php?t=2451839)
It seems to perform very good BUT I just noticed something really weird : I have access to the internet through my wifi LAN, I can ping my gateway BUT nothing else works on the local LAN :
ping fails :
[email protected]:/ $ ping -c 1 192.168.1.13
PING 192.168.1.13 (192.168.1.13) 56(84) bytes of data.
From 192.168.1.10 icmp_seq=1 Destination Host Unreachable
The arp table seems incomplete :
1|[email protected]:/ $ arp -a
d810.home (192.168.1.13) at <incomplete> on wlan0
livebox.home (192.168.1.1) at 00:1f:95:26:25:4d [ether] on wlan0
The routes seem ok, the ip neighbours are not :
[email protected]:/ $ ip route show
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10
192.168.1.1 dev wlan0 scope link
[email protected]:/ $ ip neighbor show
192.168.1.13 dev wlan0 FAILED
192.168.1.1 dev wlan0 lladdr 00:1f:95:26:25:4d STALE
AH, on more weird thing, the kernel arp table has lots of zeroes for the unreachable devices MAC adresses (yes, I have 192.168.1.13 and 1.15 are up and running) :
[email protected]:/ $ cat /proc/net/arp
IP address HW type Flags HW address Mask Device
192.168.1.1 0x1 0x2 00:1f:95:26:25:4d * wlan0
192.168.1.15 0x1 0x0 00:00:00:00:00:00 * wlan0
And I can't seem to be able to communicate with the local LAN only with the android phone...
I have static IPs in my DSL router, I can't set the arp tables manually.
I *think* this was all working with the default ROM kernel, but before I attempt to revert back to that kernel to check (I backed up the modules, but yet another noob thing, I'm not sure putting back the tar into /lib/modules will be enough...) :
==> this is my noob question : anybody knows how I can report that to the dev, and how I can get help ?
Since it's my first post (only 9 remaining now !), I can't post in dev section...
Thanks && regards

Did you flash the DarkModules?

Hi,
Yes i did flash them in cwm...

fschaer said:
==> this is my noob question : anybody knows how I can report that to the dev, and how I can get help ?
Click to expand...
Click to collapse
ROM developer has said:
http://forum.xda-developers.com/showpost.php?p=45704866&postcount=1488
http://forum.xda-developers.com/showpost.php?p=45757921&postcount=155

Someguyfromhell said:
ROM developer has said:
http://forum.xda-developers.com/showpost.php?p=45704866&postcount=1488
http://forum.xda-developers.com/showpost.php?p=45757921&postcount=155
Click to expand...
Click to collapse
Hi,
Thanks for the reminder.
But actually, by dev, i meant the kernel dev : the issue i see is not a force close or things like that,
and it appeared after i flashed this new kernel which seems better for the battery.
I think this is a kernel/wifi modules issue, not a rom one.
Or a noob error, but then i hope some of you can help me understand my error
As i said, wifi is somehow working since i'm replying just now using it...
It's just that apart from the dhcp/gateway, my device seems unable to learn any mac address with this kernel.
I haven't tried a tcpdump for now, and i wanted to test ipv6 but my 'great' dsl/wifi box does not support v6 - yes, that still exists...
Regards

fschaer said:
But actually, by dev, i meant the kernel dev : the issue i see is not a force close or things like that,
Click to expand...
Click to collapse
He is also developing the kernel together with his team, which is given within the .zip file.

Ahh... txs.
OK, now I don't understand anymore anything...
I did :
- remount rw /system/
- cleanup and then restore the /system/lib/modules backup I had done - using tar
- reflash the ROM kernel (200130908)
And... still no ping on the wLAN, but I can ping google and the GW. ??
The arp table still shows me incomplete records.
Still I'm 100% sure I could connect before : I did use connectbot to ssh onto my computer and setup new ssh keys.
I don't know what else I can try exept reboot the dsl box (which is the wifi router)... or delete the recorded stuff in that dsl box and that reference my arc s.
Or reflash all, but I always manage loosing stuff when I reflash (which I avoïd doing then), even with titanium backup
That's all really weird...
Side question : is there *always* a captcha verification on every post ?
Cheers

fschaer said:
Ahh... txs.
OK, now I don't understand anymore anything...
I did :
- remount rw /system/
- cleanup and then restore the /system/lib/modules backup I had done - using tar
- reflash the ROM kernel (200130908)
And... still no ping on the wLAN, but I can ping google and the GW. ??
The arp table still shows me incomplete records.
Still I'm 100% sure I could connect before : I did use connectbot to ssh onto my computer and setup new ssh keys.
I don't know what else I can try exept reboot the dsl box (which is the wifi router)... or delete the recorded stuff in that dsl box and that reference my arc s.
Or reflash all, but I always manage loosing stuff when I reflash (which I avoïd doing then), even with titanium backup
That's all really weird...
Side question : is there *always* a captcha verification on every post ?
Cheers
Click to expand...
Click to collapse
Which DNS server are you using? Did you change anything else by WiFi?
The captcha is only for limited amount of posts, then it will disappear.

I did not change any dns setting, but i saw local names in the terminal, so i must be using my dhcp/box dns.
You remind me i unchecked the wifi optomizations with the new kernel: i read this was causing arp issues on nexus devices...
Lets try to re-enable that... appart from this, i changed nothing after i flashed this kernel.
Except I tried 1.8ghz (it worked well), but this disappeared sincei restored the official rom krtnel
Thats really all i changed since i tried the new kernel yesterday evening

Can you believe this...
- Restoring the wifi optimisations did not help
- rebooting the DSL box helped. For 5 minutes.
I was able to ping a computer on the network, but not to go to the dsl box webserver. and I lost internet.
- subsequent dsl box reboots did not solve anything : no internet, no webserver, no connexion even on the wired PCs , powerd them on or off, nothing.
- *unplugging* everything + dsl box reboot => did restore internet+wifi on the arc
- replugging the PCs did not break
- and I can now see/ping the LAN with the arc s
Only remains, now, the dlink switch I have downtstairs that is the only stuff that remained plugged all time (theres a device on it, but it's off)..... It must have switched to a "netkill" state somehow. Funny, isn't it ?
let's now start wireshark, reinstall the new kernel, and see if there is any difference... and lastly reboot/replug the dlink switch
the come back for the (arp) ping of death ?
Regards

Last experiments:
- fired wireshark, to capture any network suspicious paquets
- reflashed the new kernel+modules
- retried ping / local LAN
Still working.
I rebooted my last network device (dlink switch), repluggued it : everything is still working.
conclusion : I don't understand :laugh:
Cheers

Will this work for VPN...?

Install openvpn and then place your edited client vpn config files and certificate files on the storage of FireTV similar to the raspberry pi method in the thread below:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Thanks for anyone that may know more than me that could maybe get this to work...

Hmm would be nice if that worked. Did u get a chance to try it?
Sent from my Nexus 5 using XDA Free mobile app

tdfsu said:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Click to expand...
Click to collapse
I'm working on something like this just now. Here's the thing: in my logs for the simplest openvpn app to install (not straight openvpn, it turns out, as there's a windowing issue there that makes it difficult / impossible to navigate through setup, even with a keyboard and Droidmote) once I have a config, I get errors in logcat informing me
"Your image does not support the VPNService API, sorry "
There is a manually installable openvpn binary that I've looked at a bit but not yet configured. It is going to require adding a binary to /system/xbin directly, as the installer (at least on my phone) does not understand where /system/xbin really lives and issues a remount command to a nonexistent partition.
If you're running dd-wrt or similar configurable firewall, another option is to get an account with a provider who is set up to let you do a firewall to firewall connection, and then route either all of your traffic or the traffic from your firetv through that firewall-to-firewall connection.

I have a Private Internet Access vpn account.
Installed openvpn on FireTV--
http play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
Installed busybox on FireTV--
http play.google.com/store/apps/details?id=stericson.busybox&hl=en
I created a pass.txt file with my PIA username on the first line and password on the second line, nothing else, then saved the file as a text file (pass.txt).
Download the following to PC--
http privateinternetaccess.com/openvpn/openvpn.zip
Extracted the zip file.
Edited the location specific .ovpn file (see below), changing the 'remote', 'ca', 'crl' and 'auth' lines to the following--
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /storage/sdcard0/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /storage/sdcard0/openvpn/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /storage/sdcard0/openvpn/crl.pem
Then, save the USFlorida.ovpn file.
Upload ca.crt, crl.pem, pass.txt, and .ovpn file to FireTV to /storage/sdcard0/openvpn/
Open terminal on FireTV. I use jackpal's terminal app below, but you can also use adb.
http play.google.com/store/apps/details?id=jackpal.androidterm
In terminal, type the following--
su
openvpn cd /storage/sdcard0/openvpn/USFlorida.ovpn
But I get several errors. Anyway, that's where I'm at. Maybe someone else more knowledgeable than me can figure it out. Sorry about the links, my low post-count will not allow me to post url's.
Also, you can sideload the following app to verify your external ip address, and it works great with the FireTV remote--
http play.google.com/store/apps/details?id=igit.WhatIsMyIp

The approach you've taken is where I'd be headed next on the client side.
One thing you might want to try is to do the same setup a less locked-down device and confirm that the config files work as expected there.
There's also a good discussion of the hardware approach (setting up a tunnel from your edge to a VPN provider) in the other VPN thread, http://forum.xda-developers.com/showthread.php?t=2797005
also, private internet access will sell a preconfigured router for this purpose!

The problem about VPN(IKEv2) with Win10 Mobile

L2TP work as well.
IKEv2 not route , and can not get the vaild IP address.
Can anyone solve this problem?

0oVicero0 said:
L2TP work as well.
IKEv2 not route , and can not get the vaild IP address.
Can anyone solve this problem?
Click to expand...
Click to collapse
are you on Redstone build ?
seems VPN broken on Redstone , not only IKEV2

It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.

VPN is broken in Windows 10. Period! Microsoft it's not going to fix it.

w.bogdan said:
VPN is broken in Windows 10. Period! Microsoft it's not going to fix it.
Click to expand...
Click to collapse
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?

DLS123 said:
No period. It's broken, but it can be made to work. Who put you in charge of dropping the period?
Click to expand...
Click to collapse
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.

w.bogdan said:
Search for "Windows 10 DNS resolution" or other VPN related issues in Windows 10. It's not a bug, it's a feature ... for NSA, the government of China and so on.
Click to expand...
Click to collapse
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.

DLS123 said:
I know about it and took measures against it. They call it Smart multi-homed name resolution. It can be disabled on Desktop and also the order of DNS servers used can be set for each VPN connection. This isn't really caused by the broken built-in VPN client, but the way Windows 10 itself works out of the box.
Click to expand...
Click to collapse
It's not just desktop. On W10M, DNS leaks, VPN connected icon is barely visible and you don't get notified if the VPN connection drops. Is hard to believe Satya Nadella is so dumb not to notice.

w.bogdan said:
It's not just desktop. On W10M, DNS leaks, VPN connected icon is barely visible and you don't get notified if the VPN connection drops. Is hard to believe Satya Nadella is so dumb not to notice.
Click to expand...
Click to collapse
I know there are DNS leaks on W10Mobile and multi-homing can't be disabled, but I don't have a problem with that. The purpose of VPN for me is to gain access to other private networks and encrypt the communication with them. DNS leaks aren't that critical. It's not like I don't want my employer to know what websites I access while connecting to VPNs from their network. I couldn't care less to be honest that they're logging my DNS querries. And I also don't live in China.
Even if they have my DNS records they still won't ever be able to break the encrypted IPsec tunnels and get any glimpse of what's passing through them.

Wasn't able to download rasphone.pbk from the phone but could upload one.
I used my Windows 10 PC and created the connections there. Then I disabled IpPrioritizeRemote and used the powershell cmdlet Add-VpnConnectionRoute to add a route to the pbk file pointing to my local subnet.
I am now able to connect to the internet and access corporate resources at the same time.
I however couldn't connect from one particular app which worked in 8.1. There may be issues with non universal apps.

DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Click to expand...
Click to collapse
Thanks!!! It's working fine!
I think Microsoft do not want to fix it.

0oVicero0 said:
I think Microsoft do not want to fix it.
Click to expand...
Click to collapse
Yeah, looks like that's the case. There is very little feedback in insider hub about VPN problems. Very few care about these issues so probably MS has no incentive to fix and prefer to rely on MDM for VPN configuration on these devices. Now if only that were an option for mere mortals...

How to import self-signed key or export builtin cert for a strongswan server?
DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Click to expand...
Click to collapse
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?

rlively said:
How did you get the VPN connection set up properly (aside from the IpPrioritizeRemote setting)?
I've set up a strongswan server and generated my own self-signed keys using ipsec pki, but when I import the key to my Lumia 1520 (by tapping it using the Files app and tapping import at the prompt), the VPN connection will not send that cert. Instead it sends a certificate issued by CN=Microsoft Genuine Windows Phone CA15" with an OU that looks like a GUID.
So I tried punting and just exporting that certificate to place on my strongswan server ... but I can't figure out how to get the certificate off the phone either. So how do I do either one?
Click to expand...
Click to collapse
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
Just follow this tutorial., with the only mention that you should add "--flag clientAuth" to the command line for generating the client certificate.

DLS123 said:
I don't know what self generated certificate your phone sends, but you shouldn't use that.
You should generate a client certificate on the strongswan server then you should include both the root CA and the client certificate and pack them together in a PKCS 12 file (.p12) which you open on the phone and import. The phone will choose the proper certificate stores to import to. Did you do that?
Just follow this tutorial., with the only mention that you should add "--flag clientAuth" to the command line for generating the client certificate.
Click to expand...
Click to collapse
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
in any case it continues on and sends the Microsoft cert afterwards and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?

rlively said:
Thanks, that is a good tutorial - I definitely did not use the clientAuth flag (the ipsec tutorial for openWRT didn't include it: openwrt doc/howto/vpn.ipsec.roadwarrior), so I tried generating new certs with clientAuth. Unfortunately I got the same results. My Win10 phone sent the same "Microsoft Genuine Windows Phone CA15" cert.
Did you import the PKCS 12 file just by tapping it in the Microsoft "Files" app on the phone or did you use another method? I'm verifying the certs with the Microsoft "Certificates" app, which does show that the original cert I generated has no "Enhanced usages" but the second has "Client Authentication." Still the builtin VPN client won't pick it to send to my strongSwan server.
I did away completely with my configuration and started over with the win7 configuration here: strongswan wiki: Win7CertReq but none of it will help if I can't get my phone to actually send the correct certificate ... this configuration did something a little different though:
My phone sent the correct certificate in the "received TLS peer certificate" line followed by these error messages:
no trusted certificate found for 'my-CN-here' to verify TLS peer
sending fatal TLS alert 'certificate unknown'
Despite the fact that I have the certificate pem in /etc/ipsec.d/certs ...
in any case it continues on and sends the Microsoft cert afterwards and then the server throws "no peer config found" (since I don't have the public cert loaded for that MS cert).
Followed up on the error here: strongswan wiki /issues/785
I also tried it with "eap_identity=%identity" instead of "eap_identity=%any".
Frustrating that it works great for Win7 but I just can't get a Win10 phone working. Any guides out there specifically for Windows phone + Strongswan?
Click to expand...
Click to collapse
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs

DLS123 said:
I import the certificates from file explorer on phone or from the OneDrive app, doesn't matter.
Have you actually set the EAP identity correctly in the client certificate? CN has to be exactly the same as --san
That's the eap_identity which has to be known if you use EAP-TLS.
I don't know what else to say, maybe post your ipsec.conf with censored IPs
Click to expand...
Click to collapse
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
---------- Post added at 10:01 PM ---------- Previous post was at 09:35 PM ----------
rlively said:
For the moment I just have mschap authentication with no certificate and it works. The certificate is just giving me fits.
On my client certificate my CN is not the same as the san. My san is set to the FQDN of my VPN server ... the CN of my client certificate is an identifier for my client.
What does the VPN server use for eap_identity - the CN from the client certificate when set to eap_identity=%identity ?
Click to expand...
Click to collapse
My server certificate does have a CN and san that match. I thought I read somewhere that having that same value in the client san would help the client match up the cert to send to the server, at least for Windows Phone. Of course I can't find that guide now, so maybe I misread. I do see that in the example on https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ that the server CN and san match and the client CN and san match each other.

In the client certificate you should have [email protected]_FQDN --san server_FQDN --flag clientAuth
the eap_identity used by strongswan is the part before @ from CN.
It won't match anything when using eap_idenity=%identity if you don't do it like this.

Are there any relevant registry files we can access with interop tools?

DLS123 said:
It's working fine for me. IKEv2 IPsec, Strongswan server.
Requires editing the connections file on the phone, though. Windows 10 mobile (same for PC) will not use the default route provided by the VPN server and there is no toggle to send all the traffic through the VPN like there was on Windows Phone 8/8.1 in the VPN connection settings GUI.
So, 'IpPrioritizeRemote=1' has to be set manually for the connection in rasphone.pbk on the phone. This can be achieved and requires an NTFS formatted SD card with the modified rasphone.pbk and a symbolic link to 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections' (you can make this symbolic link on the PC).
First you have to create a VPN connection on the phone, then delete it. This will make 'C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections\Pbk\' user writable and you can put a modified rasphone.pbk file in that location by accessing it through the symbolic link on the SD card.
If you don't know how to make the rasphone.pbk file, first configure the connection as it should be on the phone, then copy rasphone.pbk from the phone, edit it on PC and add 'IpPrioritizeRemote=1'. Delete the VPN connection from the phone, and put the modified rasphone file in its place.
Reboot might be required after copying the file manually.
^ This is for phones that can't be interop unlocked like my Lumia 950XL. It's much easier for other phones which can be unlocked and full FS access is achievable.
Pretty stupid omission on Microsoft's part. I've been shouting about it on windows feedback since Windows 10 Mobile was released to insiders, but no one listens.
Click to expand...
Click to collapse
Hi I tried your manual, unfortunately without any success
If I Read it correctly you do the following steps:
1) Format sd card on NTFS
2) On the sd card create symbolic link to: C:\Data\USERS\DefApps\APPDATA\ROAMING\MICROSOFT\Network\Connections
3) Insert sd in phone
4) Create a vpn connection on the phone
5) Delete al the vpn connections on the phone
6) Use the phone to put a new (modified) rasphone.pbk file on the sd card (though onedrive??). I cant access my sd om my pc when usb is connected
7) Reboot the phone
8) Make a new vpn connection (can it have a different name?)
Can someone verify if i miss something?
I'll be very happy if this works