Verizon and OpenVPN
ScreemsNames
Enthusiast - Level 3

Hey, all.

 

For communication and other pleasantries, I have set up a small server farm at my parents' house.  This setup allows my family to communicate privately in a social-networking-like setup as well as a LOT of internal stuff for them to use.  Unfortunately, I have to travel a lot for my job.  My younger brother is learning to be a system admin, but it would be really nice if I could use the Droid to VPN into my farm and do some quick emergency repairs when needed.

 

My friend just got a Droid from T-Mobile, and he let me play with it.  It has OpenVPN available so I could VPN into my server from his phone without issue.  That is a really nice feature, and sometimes my family needs that support.

 

I have heard that Verizon blocks this application, and makes it available only for a steep price.  If this is true, then why?  It's not like it uses any more bandwidth than if I had set up web-controls to be accessible from the outside (not a secure way of doing things), and that's less bandwidth than browsing YouTube.  Is it that Verizon is snooping on their customers or is it that Verizon just wants to charge me more because they think that OpenVPN is something too complicated for a not-so-rich person to understand?

 

It would be really nice to get a straight answer from someone on this matter, because all this silence I'm getting from you guys so far has been deafening.  I'm beginning to think that being the biggest network doesn't give Verizon much bragging rights if and when that network can't be used for necessary communication.

 

Thanks.

 

 

 

0 Likes
Re: Verizon and OpenVPN
ScreemsNames
Enthusiast - Level 3

Okay... I have googled around and found that I can install and use OpenVPN if I have rooted the phone.  It also appears that I can customize the .conf files as well (which would be a must in my case because of my setup).

 

My next question is what does "rooting" mean in this sense?  Does the Android take the Ubuntu approach and disable the root account, and "rooting" simply means enabling the root login?  If that is the case, then what's wrong with sudo?

 

Or does "rooted" simply mean login to the operating system as root?

 

Or does "rooted" mean to literally hack the OS?

 

Furthermore, is "rooting" a Verizon-stamped droid against Verizon policy?  I don't think it would be because it's my phone running my operating system, right?  I should be able to be my own administrator.  But having said that, nothing Verizon does would surprise me anymore.

 

Has anyone done this yet?  If so, what else should I expect?  Does the tap interface need to be manually set up as well, or is that automatic?  What about scripts forcing a pre-created resolv.conf while the tunnel exists?

 

If this is reasonably doable, I may just get a Droid and stick with Verizon for the time being.

 

Thanks

 

 

*edited to fix spelling

0 Likes
Re: Verizon and OpenVPN
bkfist
Specialist - Level 1

You've got the basic idea.  There are no OpenVPN clients available yet that can run on a non-rooted phone.  I think there are some other VPN apps available for lesser VPN solutions, but for OpenVPN, the VPN is created at the interface level and requires rooting the phone.  As to rooting, you also have the basic principle down.  All rooting does is basically allow you to su to root, that's it.  Rooting is done by exploiting a security vulnerability in the Linux kernel that can allow the rooting program to modify the permissions on the operating system to allow su.  You can root a phone without making any other changes to the system at all.  Once you root the phone, you have the *option* to install other versions of Android, modify files you wouldn't have permission to modify before, etc.

 

There are risks involved, the least of which is bricking the phone.  In reality you are a million times more likely to do something "stoop-ed" while accessing the phone as root (typing a command wrong that deletes a critical file, say the kernel itself...) than to actually do any real damage in the process of rooting the phone itself.

 

Verizon certainly in no way condones rooting their devices, and it would also void your warranty should they find out you did root the phone.

 

I think from the carrier's perspective, the biggest concern they probably have against rooting the phone is the ability for a rooted phone to be tethered (used as a broadband modem by a computer or laptop) and use gobs of data that a phone by itself would not/could not possibly use.  There is also the risk that rooted phones could be exploited remotely, like what has happened in the case of jailbroken iPhones on AT&T.  The hackers could *possibly* launch an attack against the carrier's wireless system from "inside" were this to occur, however the particular problem with the iPhone was an ssh client on the affected phones that all had the same root password - As far as I know all ssh clients for rooted Android devices generate a random root password each time they are started up.

 

I cannot give you any specifics, however, as I have not played with the OpenVPN available on Android, so I cannot tell you what would be involved in configuring the client. (For that matter I haven't bothered rooting my Droid, however I did have root on a Sprint Hero to get rid of all the fluff-ware Sprint installed and insisted it start up at every boot.)  I would assume the OpenVPN configuration would be the same as any other, involving your .ovpn file pointing to your imported .key and .crt files.  I don't know if you would have to manually create the tap/tun interfaces each time you restarted the phone or not.  If it's a full implementation of OpenVPN, from the OpenVPN source code I would think that it would auto-create the appropriate tap or tun interface and set routing based on the .ovpn file just like under any other Linux distro.

 

It would be great if Android would simply add support for OpenVPN to the base OS so the phone didn't have to be rooted to do OpenVPN, as OpenVPN is WAY more robust, reliable and suited to an environment where signals may drop or be delayed as can/will happen with a mobile connection.

 

I have a city where I set up OpenVPN for the police cars to access back to the PD via cellular network cards in the laptops in the patrol cars where they then connect to a Terminal Server to do license checks, reports, etc.  They were spending a few thousand per month for mobile services to do this with a radio & communications company, had spotty coverage around town, only had radios in 4 cars, and pretty much were extremely unhappy with the whole situation.

 

Now they are using cellular cards in almost every car, cost is $40/month per car.  I think we have it in about 10 cars at last count. (a Verizon Competitor - Verizon wasn't in the area when we tested the 4 available networks, and went with the fastest.).  It's been in place for 2+ years, and we have never, ever had a single problem.  Once the laptops are set up, we simply don't have to touch them, ever...  Dropped connections are nonexistent (well it may drop, but the officer doesn't realize it because the negotiation on OpenVPN is so fast and seamless compared to other methods)  We've even been able to connect a laptop from one of the local schools where a DARE officer has a permanent office, through the school's firewall.  The school IT dept said there was no way we would be able to get a VPN connection through their system, but then again they had never seen OpenVPN.  I guess what I'm saying is I doubt that any company could provide any VPN service that is more reliable than OpenVPN, and would have one heck of a time trying to block it. (unlike an IPSEC based VPN)  Also, since your reason for accessing the home system via VPN is purely security related, and you are not trying to hide file transfers, or moving a lot of data, nor are you wanting to keep the connection "open" continuously to the home VPN system, I don't think you are going to raise any red flags by doing so.

 

 

0 Likes
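
Added example, not part of the thread or anyone's posted configuration: a small Python audit of a client profile of the kind described in the reply above (an .ovpn file that names a tun/tap device and points to .crt and .key files). The sample profile, host name, file names and the choice of checks are assumptions made for illustration, and the audit assumes credentials are referenced as files rather than inlined.

```python
import os
import stat
import tempfile

# Constructed sample profile; host and file names are placeholders.
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert phone.crt
key phone.key
"""
CHECKS = {  # directive -> required arguments (checks chosen for this example)
    "remote-cert-tls": ["server"],  # reject peers lacking a server-type certificate
    "persist-tun": [],              # keep the tun/tap device open across restarts
}

def parse_profile(text):
    """Map each directive to its argument list, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            opts[parts[0]] = parts[1:]
    return opts

def audit_profile(text, base_dir):
    """Return findings for a profile whose credential files live in base_dir."""
    opts, findings = parse_profile(text), []
    if not (opts.get("dev") or [""])[0].startswith(("tun", "tap")):
        findings.append("dev: no tun/tap device named")
    for name in ("ca", "cert", "key"):
        path = os.path.join(base_dir, (opts.get(name) or [""])[0])
        if not os.path.isfile(path):
            findings.append(f"{name}: file missing")
        elif name == "key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("key: readable by group or other")
    for name, args in CHECKS.items():
        if opts.get(name) != args:
            findings.append(f"{name}: not set")
    return findings

def demo():
    """Audit SAMPLE, then a tightened copy, against throwaway files."""
    with tempfile.TemporaryDirectory() as d:
        for fn in ("ca.crt", "phone.crt", "phone.key"):
            with open(os.path.join(d, fn), "w") as fh:
                fh.write("placeholder\n")
        os.chmod(os.path.join(d, "phone.key"), 0o644)
        before = audit_profile(SAMPLE, d)
        os.chmod(os.path.join(d, "phone.key"), 0o600)
        fixed = SAMPLE + "remote-cert-tls server\npersist-tun\n"
        return before, audit_profile(fixed, d)
```
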
Re: Verizon and OpenVPN
ScreemsNames
Enthusiast - Level 3

Looks like my research into this is just starting, but you've at least given me hope.  We just re-upped our contract with Verizon, and the termination fee for three phones looked like it was going to make my wallet bleed ("Freedom ain't cheap").

 

I should have posted my question on this forum rather than ask Verizon directly.  Community support is always better.  Thank you so much for your insight (and seeing past my frustration).

 

I've more questions about post-root, but I think I've found a more appropriate forum for that.

 

BTW.  I think it's very cool that you got to "Support Your Local Sheriff." in that way.  Hopefully, the seed will grow and neighboring cities/counties will see the benefits and unshackle themselves from greedy service providers who think local government has ridiculous amounts of money to blow.

 

 

0 Likes