longzuyuan / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

Feature request: OpenVPN over ssh tunnel #105

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The Chinese Great Firewall has been blocking OpenVPN connections since Nov/2012.
I confirmed that making an OpenVPN connection through an ssh tunnel works fine on my 
laptop.

It would be very nice if Android could do the same.

Original issue reported on code.google.com by tom.tomo...@gmail.com on 15 Nov 2012 at 3:04

GoogleCodeExporter commented 9 years ago
This is something you can already do, really. You simply need to establish an 
SSH tunnel, forward the needed ports, and then apply a proper OpenVPN 
configuration to use localhost. This isn't an OpenVPN function, per se.

Original comment by mnsli...@gmail.com on 15 Nov 2012 at 3:34

GoogleCodeExporter commented 9 years ago
It is not that easy. The ssh connection would be routed over the VPN and 
OpenVPN would stop working. I think the OpenVPN app should not include an ssh 
client but provide an API that allows this kind of tunneling. Contact me if you 
want to work on this.

Original comment by arne@rfc2549.org on 19 Nov 2012 at 5:59

GoogleCodeExporter commented 9 years ago
I have a script to do that on Linux. Before establishing the tunnel you need to 
get the current routing table and save it. Then you explicitly set the route 
for the ssh server using the old gateway. Then OpenVPN does not stop 
after the new default gateway is set.

Original comment by sebastia...@gmail.com on 20 Feb 2013 at 8:08
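
Added example (not part of the original thread, and not the commenter's script): one way to do the Linux steps described in the comment above, reading the saved routing table and printing the host route that keeps the ssh server on the old gateway. It assumes iproute2's `ip`; the server address 203.0.113.10, the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep the SSH session on the pre-VPN gateway (Linux, iproute2).
# 203.0.113.10 and SAMPLE_TABLE are constructed placeholders, not real hosts.

# Read `ip -4 route show` output on stdin; print "<gateway|-> <device>"
# for the first default route ("-" when the route has no "via" hop).
default_route() {
    awk '$1 == "default" {
        gw = "-"; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (dev != "") { print gw, dev; exit }
    }'
}

# $1 = SSH server IPv4 address, stdin = saved routing table.
# Prints the host-route command; fails if no default route is present.
pin_route_cmd() {
    server=$1
    case $server in
        ""|*[!0-9.]*) echo "need an IPv4 literal, got '$server'" >&2; return 1 ;;
    esac
    route=$(default_route)
    [ -n "$route" ] || { echo "no default route in saved table" >&2; return 1; }
    gw=${route% *}
    dev=${route#* }
    if [ "$gw" = "-" ]; then
        echo "ip route add $server/32 dev $dev"
    else
        echo "ip route add $server/32 via $gw dev $dev"
    fi
}

# Constructed sample of what `ip -4 route show` prints before the VPN is up.
SAMPLE_TABLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

# Dry run on the sample; on a real host, feed it `ip -4 route show`
# and run the printed command as root before starting OpenVPN.
printf '%s\n' "$SAMPLE_TABLE" | pin_route_cmd 203.0.113.10
```

The /32 host route is more specific than any default route OpenVPN installs afterwards, so the ssh session keeps leaving through the original interface.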

GoogleCodeExporter commented 9 years ago
Yeah, things are different in Android land. I know how to implement this in 
theory, but since I don't use OpenVPN over ssh myself and I don't believe many 
people use OpenVPN over ssh, I have not had the motivation to implement the feature 
yet.

Original comment by arne@rfc2549.org on 20 Feb 2013 at 9:18

GoogleCodeExporter commented 9 years ago
Well, if you know how severely the ever-popular OpenVPN is now being blocked in 
internet-censoring countries like China because of its vulnerable fingerprint, you 
should understand why people ask you to do such a favor. Microsoft's SSTP doesn't 
have this drawback, but unfortunately it has no open source implementation. 
Protecting privacy and internet freedom is really worth doing. Please hear 
more users' voices before rejecting the suggestion. Thanks.

Original comment by shifeng....@gmail.com on 20 Feb 2013 at 12:10

GoogleCodeExporter commented 9 years ago
I don't reject the idea. It is just a hobby project and I wanted to explain why 
my motivation to do this *right now* is low.

Original comment by arne@rfc2549.org on 20 Feb 2013 at 12:25

GoogleCodeExporter commented 9 years ago
I would also love to have OpenVPN working over an ssh tunnel on Jelly Bean. I 
have been trying server options with no luck:

local 127.0.0.1
push "redirect-gateway local def1 bypass-dhcp"
push "route SERVER_IP_ADDRESS 255.255.255.255 net_gateway 1"

For some reason the last route push has no effect on Android and the ssh tunnel 
breaks when OpenVPN connects.

Original comment by corley.k...@gmail.com on 3 Apr 2013 at 11:11

GoogleCodeExporter commented 9 years ago
Yeah. See the last FAQ entry for why the route command does not work.

Original comment by arne@rfc2549.org on 3 Apr 2013 at 11:31

GoogleCodeExporter commented 9 years ago
Is there any way to use the VPNService API to set up a dummy service direct to 
the server at the same time or just prior to setting up OpenVPN over SSH?

Original comment by corley.k...@gmail.com on 4 Apr 2013 at 3:12

GoogleCodeExporter commented 9 years ago
With the newest version you should be able to specify the IP of the ssh server as 
an excluded IP as a workaround.

Original comment by arne@rfc2549.org on 26 Sep 2014 at 9:10

GoogleCodeExporter commented 9 years ago
Also, there is a protect call in the AIDL that can be used to protect the ssh 
connection.

Closing that as WONTFIX since I will not build a tight ssh implementation into 
ics-openvpn (lack of time/interest).

Original comment by arne@rfc2549.org on 9 Jan 2015 at 1:39