macbroadcast´s blog


IPsec/L2TP gateway for Android and iPhone clients on OpenWRT
March 27, 2011, 3:42 pm
Filed under: Hacking, ipv6

How to set up an OpenWRT router/gateway as an IPsec/L2TP gateway for Android and iPhone clients Copyright © Dr. Rene Mayrhofer

The only “reasonable” (that is, not counting PPTP due to its known security issues) VPN protocol supported by default on non-rooted / non-jailbroken Android / iPhone phones as clients is the combination of IPsec and L2TP. Most probably, this was chosen due to its out-of-the-box support by newer Windows clients and MacOS/X as well.

The set-up described on this page therefore focussed on setting up a Linux VPN server to act as a gateway for Android and iPhone clients without additional software installations on the mobile phones. For convenience, I chose OpenWRT as the gateway Linux distribution to be able to run the gateway on my old Asus WL-500G Premium (v1) WLAN router (which has sufficient internal flash and RAM to support such use-cases as well as hardware-accelerated crypto support).

Most of the information on this page has been copied from various sources, most notably Jacco de Leeuw's excellent tutorial page, which he has been updating for years already, and taking some hints from here concerning Android and X.509 certificates. We had previous contact in terms of Debian support of L2TP in my openswan and strongswan packages, and he has a lot of experience with corner cases in different clients. Thanks to Jacco for his continuous efforts.

Client authentication is typically performed in two stages:

  1. IPsec authenticates the “outer” transport mode connection, either via
    • pre-shared key (PSK) or
    • X.509 certificates (with corresponding private keys on the gateway and the clients)
  2. L2TP invokes an inner PPP tunnel, which then authenticates based on a user/password combination, most typically via the MSCHAP-v2 challenge-response protocol.

Many clients either don’t support X.509 certificate authentication or make it hard to set up. Therefore, I will start with PSK IPsec authentication.

Server installation

At the time of this writing, the newest OpenWRT release is “backfire” (10.03), and on the Asus WL-500GP I chose the newer kernel 2.6 with the brcm47xx target image. Starting with the default install, the following packages need to be added (e.g. using opkg on the shell or the LuCi package management interface):

  • kmod-ocf-ubsec-ssb for hardware-accelerated crypto support
  • openswan as IPsec IKE daemon
  • ipsec-tools for the “setkey” command
  • xl2tpd as L2TP server (there are multiple L2TP server implementations available; I chose xl2tpd because of known-good integration with openswan and because it is being actively maintained)
  • iptables-mod-ipsec kmod-ipsec4 kmod-ipsec6 kmod-ipt-ipsec for kernel support modules.

If, in addition to the IPsec/L2TP protocol, another option with sometimes better NAT traversal support is desired, then I recommend OpenVPN (which has clients for most operating systems). For OpenVPN support, the following packages are installed on OpenWRT:

  • luci-app-openvpn for a simple administration interface
  • openvpn-easy-rsa for certificate management

Server configuration

The first part to configure is IPsec in the form of the openswan /etc/ipsec.conf file. Simply add a block:


conn L2TP-PSK
        authby=secret
        pfs=no
        compress=no
        rekey=no
        keyingtries=3
        type=transport
        left=%defaultroute
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        auto=add

and exclude the locally used network from virtual_private in the config setup block, if it is a “private” address range, e.g.:

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.17.2.0/24

for a local address range of 172.17.2.0/24.

The specific configuration options are documented in detail in the ipsec.conf manual page, and are thus not repeated here. In essence, this block adds an IPsec policy for PSK-authenticated transport-mode connections that only allows UDP port 1701 (L2TP) on the gateway side, from any client address, on the interface of the gateway's default route.

Then, the PSK is configured in /etc/ipsec.secrets (which may not exist on a default installation and needs to be created):

%any %any : PSK "your super secret password here"

To automatically start the IPsec service on bootup, first create a file /etc/modules.d/99-local-ipsec:


af_key
ipcomp4
esp4
ah4
tunnel4
xfrm_mode_transport
xfrm_tunnel
xfrm_ipcomp

and create a symlink to start openswan pluto with ln -s /etc/init.d/ipsec /etc/rc.d/S99ipsec.

Next, to configure the L2TP server, edit /etc/xl2tpd/xl2tpd.conf to read like this:


[global]
port = 1701
;auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
ipsec saref = yes

[lns default]
exclusive = yes
ip range = 172.17.2.192-172.17.2.254
local ip = 172.17.2.191
;hidden bit = no
length bit = yes
name = VPNServer
ppp debug = yes
require authentication = yes
unix authentication = no
require chap = yes
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd

The PPP options file /etc/ppp/options.xl2tpd should contain these options:


lock
auth

debug
dump
# CCP seems to confuse Android clients, better turn it off
noccp
novj
novjccomp
nopcomp
noaccomp
require-mschap
require-mschap-v2
ms-dns 172.17.2.1
lcp-echo-interval 120
lcp-echo-failure 10
idle 1800
connect-delay 5000
nodefaultroute
noipdefault

proxyarp
mtu 1400
mru 1400


where the local IP addresses and ranges in both files will obviously need to be adapted. Note that all addresses should be within the local network to which the L2TP server provides access. User names and passwords are configured in /etc/ppp/chap-secrets without any special considerations, including the possibility to specify static IP addresses for users.

Also create a symlink to start xl2tpd with ln -s /etc/init.d/xl2tpd /etc/rc.d/S99xl2tpd.

Finally create a firewall rule (e.g. via LuCi) to allow access from the WAN interface to UDP ports 500 and 4500 as well as the ESP protocol. A more specific rule to allow L2TP traffic from the WAN interface only when encrypted with IPsec cannot be set in the interface, and therefore must be entered manually, e.g. in /etc/firewall.user:

iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
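The server-side steps above, from the ipsec.conf block through the firewall rule, leave several things that are easy to get wrong (a typo in the module list, the LAN not excluded from virtual_private, a world-readable ipsec.secrets, an L2TP pool outside the LAN). The checker below is added here as an example and is not part of the tutorial, OpenWRT, openswan or xl2tpd; it assumes the files live under the directory given as its argument (so it can be pointed at / on the router or at a staging copy) and that the LAN is a single /24 exclusion, as in the 172.17.2.0/24 example.

```shell
#!/bin/sh
# Hypothetical sanity checker for the IPsec/L2TP gateway files; not a tool of
# openswan, xl2tpd or OpenWRT. $1 is a root directory holding etc/ipsec.conf,
# etc/ipsec.secrets, etc/xl2tpd/xl2tpd.conf and etc/firewall.user.
# Assumption: the local LAN is a /24 (the tutorial uses 172.17.2.0/24).

# in_net24 ADDR NET: succeed when dotted-quad ADDR lies inside NET (a.b.c.0/24)
in_net24() {
  case "$1" in "${2%.0/24}".*) return 0 ;; esac
  return 1
}

check_l2tp_config() {
  root="$1"; rc=0
  conf="$root/etc/ipsec.conf"; sec="$root/etc/ipsec.secrets"
  xl="$root/etc/xl2tpd/xl2tpd.conf"; fw="$root/etc/firewall.user"
  # 1. L2TP over IPsec is transport mode, and the gateway side is pinned to UDP/1701
  grep -q '^[[:space:]]*type=transport' "$conf" || { echo "ipsec.conf: type=transport missing"; rc=1; }
  grep -q '^[[:space:]]*leftprotoport=17/1701' "$conf" || { echo "ipsec.conf: leftprotoport=17/1701 missing"; rc=1; }
  # 2. the LAN must be excluded from virtual_private (the %v4:! entry), otherwise a
  #    road warrior may claim it as its own address and the gateway loses the LAN
  lan=$(sed -n 's/.*%v4:!\([0-9.]*\/24\).*/\1/p' "$conf" | head -n 1)
  [ -n "$lan" ] || { echo "ipsec.conf: no %v4:!<lan>/24 exclusion in virtual_private"; rc=1; }
  # 3. the PSK file must exist, be private to root, and not still hold the placeholder
  if [ -f "$sec" ]; then
    [ "$(ls -l "$sec" | cut -c5-10)" = "------" ] || { echo "ipsec.secrets: readable by group/other, chmod 600"; rc=1; }
    grep -q 'your super secret password here' "$sec" && { echo "ipsec.secrets: placeholder PSK still in place"; rc=1; }
  else
    echo "ipsec.secrets: missing"; rc=1
  fi
  # 4. xl2tpd's pool and local ip must lie inside the LAN the gateway serves
  for a in $(sed -n 's/^ip range *= *\([0-9.]*\)-\([0-9.]*\).*/\1 \2/p; s/^local ip *= *\([0-9.]*\).*/\1/p' "$xl"); do
    in_net24 "$a" "$lan" || { echo "xl2tpd.conf: $a is outside $lan"; rc=1; }
  done
  # 5. L2TP from WAN must only be accepted when it arrived inside an IPsec SA
  grep -q -- '--pol ipsec' "$fw" 2>/dev/null || { echo "firewall.user: no -m policy --pol ipsec rule"; rc=1; }
  return $rc
}

# When run with a directory argument, check it and report; exit status 0 means clean
[ $# -eq 0 ] || check_l2tp_config "$1"
```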

Using strongSwan on an Alix 2D13 AMD Geode board

As an alternative to an OpenWRT installation running on a common (typically ARM or MIPS based) access point, I also use my own Gibraltar firewall Linux distribution running e.g. on Alix 2D13 embedded network appliance boards with AMD Geode CPUs. The only catch here is that strongSwan needs to be compiled with support for the IPsec transport mode (in combination with NAT traversal). This requires the configure option --enable-nat-transport, which is disabled by default. My Debian packages enable this option starting with version 4.5.0-1, and Gibraltar version 3.1 includes updated packages with this option enabled.

As mobile devices typically only support IKEv1 but not IKEv2 at the time of this writing, plutostart=yes is required in the config setup section of ipsec.conf for strongSwan. All other configuration options (e.g. the conn section or the xl2tpd configuration) are equal to the ones for OpenWRT as described above.

For improved performance specifically with AMD Geode CPUs, load the geode_aes kernel module for hardware AES acceleration (128 bits only, though).

Client configuration

On Android clients, simply use the supplied settings screen to create an IPsec/L2TP connection, specifying the PSK, username, password, and obviously the server hostname or IP address. This allows the Android client to connect and obtain an internal IP address.

Unfortunately, at the time of this writing, testing with an HTC Desire and the stock Android 2.2 ROM leads to automatic disconnects after 10s when connecting to the OpenWRT gateway, seemingly initiated by the Android device (‘rcvd [LCP TermReq id=0x3 “User request”]’ is printed in the server log). I am still searching for this issue. However, the connection works well and is not terminated automatically when connecting from the same mobile phone to a Gibraltar firewall 3.1 with strongswan 4.4.1-6, xl2tpd 1.2.0+dfsg-1, and ppp 2.4.4rel-10.1 Debian packages.

Copyright © Rene Mayrhofer unless stated otherwise | OpenPGP key fingerprint: 7FE4 0DB5 61EC C645 B2F1 C847 ABB4 8F0D C3C2 4BD



Android Emulator on OS X 10.5
March 22, 2011, 12:56 pm
Filed under: Hacking, socialweb, society, streaming

Great source thanks !!

I got a mobile Web Application using jQTouch and this has been tested for iPhone (iPhone simulator and my iPhone). Looking REALLY good, and thanks to jQTouch, the implementation was so easy!

Now I wanted to test with Android, so I followed the instructions provided by Nick Nelson and also referenced the Installing the Android Development Environment article from MOTODEV.

Source



Denial of Service on Camfrog
March 21, 2011, 8:58 am
Filed under: Camfrog, Decentralization, fraud, phishing, socialweb

As some of you might have mentioned, since Camfrog was acquired by Paltalk, everything is going downhill. Camfrog has been under permanent DDoS attack for a week. Read the article over here.

In this video you see how easy it is to compromise the Camfrog registration server.
As you can see, the IP address is hardcoded into camfrog.exe!


I found this post here on camfrog-community, which explains the current situation and why things happen like they did in the past:

You’re right on and YES the IP address or Domain that Camfrog hard-coded into their application is one of the main reasons why every time Camfrog Dev Team try and re-code (patch up) the old application it will just continue to break further, and this leads to vulnerability and knowingly leaving the door open for outsiders to DDoS attack their Server. This can be pretty nasty and ugly, all depending on the layout and network structure that Camfrog has in place. The ones to blame for the mess, sadly but true, would be Camfrog’s Dev Team.

What will happen is this (issues will continue to arise for years to come since the actual code has never been changed or re-done), except Camfrog has just made the application look nicer for the consumer, but unfortunately, I’m afraid to say this, they don’t seem to want to completely remove the old buggy code and replace the old buggy code with newer updated code. Camfrog Dev Team seem to always be working backwards from day 1 and they’re only re-patching the old buggy file app and they’re basically stuck today playing a game of snakes and ladders. The most annoying type of behaviour is when Camfrog goes up and down, up and down. Now some end users do not think there is any problem with Camfrog but think it has to do with their own internet. Hmmm, unfortunately, all of you have had to live with this Camfrog behaviour since the very early days. You all got used to Camfrog going up and down like a monkey. As a Professional, it is NOT worth the money to sell to a customer a buggy App!

I have seen way too many Applications fail in no time in my career because of the lack of true professional development experience. Camfrog Dev Team lack this type of PRO DEV experience in so many ways and to me personally as a Professional Dev, Camfrog should have hired real Professional Developers years ago when the Application was first built up. These are just basic facts that anyone can ask a True Professional Dev who holds a real degree in Computer Science/Technology.

I don’t think any of Camfrog’s Developers qualify as real DEV programmers, which is very sad to see, and this leads to very poor programming skills as we can all see up to date. There is a huge difference in the programming world and I will compare it the same way so that most of you will have a much better picture: it’s like holding a driver’s licence. If you can actually drive and know the updated regulations then there are no excuses, and this is almost the same way in computer programming. Again, non-degree developers get paid less, which takes more time, and you will notice more constant failures down the road, and this is what Camfrog has been going through since its early stages with the Camfrog application. A second benefit of having a professional DEV is that it shows that you’re able to commit to a long-term project and succeed with ultimate results even after so many years. Still, I believe that Camfrog will fail within very little time because the CEO has decided he doesn’t care about the Development of his Application and just wants a free ride from his paying consumers, which to me is unacceptable.

If I had the money to purchase Camfrog, I would first fire all the current so-called DEV Team and their sorry asses. First of all, you never hard code IPs into any code, duh, duh, duh. What do Camfrog’s un-educated Devs think, let’s all work backwards? Seriously, you’re idiots and that stupid, I mean honestly I would fire all of you and hire my own PROF DEV Team to fix your buggy crap.

Camfrogers are going to be waiting a very very long time before Camfrog becomes less buggy. Like I said, it matters in the real world to be a Real Dev Programmer because technology never remains the same, it’s constantly upgrading, and it seems though that Camfrog’s Dev TEAM are working with technology from 2 decades ago and this will greatly increase the odds of surviving in today’s world when you lack the Real Prof Dev degree!

Camfrog is not going to re-write the code, are you kidding me, they’re going to keep the same shitty buggy code, because the cost of it now to repair the damage that’s already done would be way too expensive and time consuming for any Pro DEV to re-code from the ground upwards. The CEO of Camfrog is enjoying all of this downtime and he’s banking on his consumers’ money.

Until the customer reports add up and the Camfrog System no longer works, you and I really don’t know what to expect, as this has been going on for so many years with Camfrog and people have a right to keep talking about this. For the amount of money you all pay Camfrog for their service I would expect a lot more uptime and backing from them. But their feedback system on their blog and their forum is childish and very unprofessional from the Admin, and not to mention he is very one sided. I will always support the protection of CamfrogCommunity.com members and if Camfrog doesn’t do the same the consumers will begin to leave.

Furthermore, you guys should UNBAN a few countries and read something about DATALOVE

Peace



Prayer to the Planet – Lessons in Humility
March 18, 2011, 12:18 pm
Filed under: globalchange, music, socialweb, society


Datalove.me

The principles of datalove as seen by Telecomix agents

Love data

Data is essential

The data must flow

Data must be used

Data is neither good nor bad

There is no illegal data

Data is free

Data can not be owned

No man, machine or system shall interrupt the flow of data

Locking data is a crime against datanity


Love data

There is as well a nice and cosy PDF of this document. Print it out and show it to everyone. Post it on your blog, in forums, make translations of this text. Share the datalove ❤

Here you can see datalove.




Lady Gaga Monster Ball – Madison Square Garden
March 3, 2011, 10:21 pm
Filed under: music, streaming, Urheberrecht

I wasn't a big Lady Gaga fan till I saw this performance from her Monster Ball Tour at the sold-out Madison Square Garden on February 21, 2011 in New York. I've found the pieces on YouTube, but hopefully will get the RTL2 Monster Ball cut somewhere as a bittorrent.

I would say this is one of the best live performances I've ever seen in 10 years, and she is worth any Grammy and award.




RSA Animate – Changing Education Paradigms
March 2, 2011, 1:34 am
Filed under: globalchange, socialweb, society