[Guyzer]

New and Improved!
Only takes 11 minutes from time you SSH into your box. Copy and paste 2 commands

The howto is broken down into two main sections.
1. Amazon EC2 Setup
2. Linux Setup (strongswan)

Reasons why you might want a VPN

watch american/british television freely on services like hulu or bbc. or watch those respective regional netflix offerings.
security using an open wifi hotspot (coffee shops, etc.)
to be cool when showing off your z10

Sources

Howard's blog: Create a VPN server for Blackberry Playbook (or Blackberry 10) using StrongSwan
VPN on PlayBook | kingtut666
Strongswan VPN and the Playbook | Richard Wall

The reason I am doing this write up is for those who like me, have very little understanding of linux. Though these other guides are helpful there are some steps they miss. i am going to try and fill in those missing steps.

Amazon EC2
FREE EC2 instance from Amazon (free tier for one year)
-click create free account
-its helpful if you already have an amazon account. it asks for your credentials and asks that you re-enter in your credit card number. this is if you go over free tier usage limits which are very large. 30 gigs of data transfer (i never use this) and even if you go over its like $0.01 a gig so don't worry. If any charges will be on your account they are quite nominal. Interestingly if you were to run this server for your own purposes, mildly, it could run maybe $5 a month. There are services out there that charge about this, but its more fun doing it yourself, and this way you know its secure.
-sign up now as first step may take a couple hours to get approved by amazon

Amazon Elastic Compute Cloud (Amazon EC2), Cloud Computing Servers
where to click to open account

After you have been approved by amazon (you should receive an email) then you goto this website to manage your ec2 instance
https://aws.amazon.com/marketplace/p...=1382353859417

Please take note of the region it is launching in. If you were interested in the free BBC material from its app then you would need to change this to Ireland. Likewise if you live on the west coast you might want to pick Oregon. This would also give you american tv content if you live somewhere else. Interestingly I use the ABC app even though I'm canadian. This is where you instance will be launched.
imgur: the simple image sharer

The next screen will now provide you with the details. You change any details you like, the only thing that is truly important is KEYPAIR. This is required!!! You need it to access your linux box securely to then make modifications to turn it into a VPN server. Download this Keypair and keep it in a safe place. if you ever lose this you will then lose the ability to access your own server. the security group we can modify later to allow specifically for your server.
imgur: the simple image sharer

Putty

Your instance is now being deployed. this takes a while as it is essentially booting up for the first time and installing or configuring whatever options you have previously selected. While this is being done you can be getting setup to access your server. For this you will need an SSH client. I personally use Putty. If you use putty you can get it here. You will need two files. Putty.exe and puttygen.exe. puttygen converts your keypair.pem to keypair.ppk for use specifically with putty.
PuTTY Download Page

run puttygen
click load
change filetypes to "all files" (from ppk)
locate keypair.pem
save private key > "save without passphrase" (I said yes but do what you want)
saved as keypair.ppk in same location
Photo Album - Imgur

now run putty.exe
click ssh (in options side left menu)
click auth > browse > locate keypair.ppk
in side-left menu go back to Session
input hostname in main menu now (ip you were assigned)
Photo Album - Imgur

Hostname
you get this from your amazon ec2 page. highlight the instance that you launched and it will give you a hostname on
also while on this page i would get the name of the security group you have been assigned. this will need to be changed next
imgur: the simple image sharer

Security Groups
You need ports tcp22 open ( which should already be set) and udp (500,4500)
select the group from the top
in the bottom half add new rules
select custom UDP
then add 500
then do it again, add 4500
then make sure to APPLY changes otherwise nothings changed
imgur: the simple image sharer


Now go back to putty
i would recommend saving this infor so you dont have to do it again. but do as you want... click open

now a window asking if you want to use that certifcate pops up. say yes.
now a black window pops up and asks you to login. with this specific distro you login as
"root"

NEW AND IMPROVED WITH SCRIPT FROM REBELLIOUS
New Way [Post63]
Old Way [Post4]
Finished with the script. It is now available at https://www.dropbox.com/s/xk8jaqv67m8h15o/vpn.sh (just in case anybody is interested in its contents, or in order to check there is no Trojan horse in the code). Guys, sorry for absence of comments in the script, I am a little lazy to do this...
So the new procedure for installing Strongswan VPN for BlackBerry 10 is suggested as follows:
Step 1
Repeat all steps Guyzer offers you concerning AWS setup till the moment you log into your server with root.
Step 2 (copy and paste the commands if you feel you could make a typo)
Install wget package to be able to download the installation script.

Code:

yum -y install wget

Run the script directly from the web:

Code:

bash <(wget -qO- --no-check-certificate https://www.dropbox.com/s/xk8jaqv67m8h15o/vpn.sh)

The script will offer you 4 steps for configuring your installation: IP address of your server (found in AWS control panel), gateway pre-shared key, user name and user password. Please, take care when entering this info in order not to make mistakes. Otherwise you will need to abort the script with Ctrl+C combination or get a non-working installation at the end, this leading to a frustration of yours and the need of editing all configuration files on your own.
Pleasant thing: the whole installation process from installing wget till having a working VPN server takes 11 minutes (I did test this on a micro instance 15 minutes ago and this was exactly how long it took me).
Enjoy!

Now setup your BlackBerry

Create a new VPN profile using the following connection details:
Profile Name: anything
Server Address: VPN server's public Internet address
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: IPv4
MSCHAPv2 EAP Identity: anything, this field does not matter
MSCHAPv2 Username: user1 (username specified in ipsec.secrets)
MSCHAPv2 Password: password2 (user password specified in ipsec.secrets)
Gateway Auth Type: PSK
Gateway Auth ID Type: IPv4
Gateway Preshared Key: password1 (the PSK password specified in ipsec.secrets)
Perfect Forward Secrecy: not checked
There is no need to change any "Advanced" configurations.

Other links you may be interested in
PPTP VPN
Tired Of "Snoopfest"? Stop It in [Market-Ticker]
http://aws.amazon.com/console/mobile/
https://forums.crackberry.com/e?link...token=eO5NtEXp

[howarmat]

thanks for the detailed post!

[habibvalil]

Thanks for your concern. I don't have a credit card. Can't I create an Amazon account? Does it mean that I can not proceed with this method?

Posted via CB10

[Guyzer]

EDIT: I just found out you can copy and paste all the commands as one dump. They will sequentially run one after another. So heres the dump of what you can copy and paste into putty

yum -y update
yum -y install wget
yum -y install vim
yum -y install make
yum -y install gcc
yum -y install gmp-devel
yum -y install openldap-devel
yum -y install libcurl-devel
yum -y install openssl-devel
wget http://download.strongswan.org/strongswan-5.1.1.tar.bz2
tar xjvf strongswan-5.1.1.tar.bz2; cd strongswan-5.1.1
./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-pkcs11 --enable-md4 --enable-openssl --enable-ccm --enable-gcm --enable-farp --enable-eap-identity --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-xauth-eap --enable-dhcp --enable-charon
make
make install

Now we are in the linux half. We will be compiling strongswan from source and I have all commands you need to copy paste
Input the following one at a time, follow the prompts select Y for yes when asked.

Code:

yum -y update
yum -y install wget
yum -y install vim
yum -y install make
yum -y install gcc
yum -y install gmp-devel
yum -y install openldap-devel
yum -y install libcurl-devel
yum -y install openssl-devel

now we download strongswan and compile it

Code:

wget http://download.strongswan.org/strongswan-5.1.1.tar.bz2

Code:

tar xjvf strongswan-5.1.1.tar.bz2; cd strongswan-5.1.1

these are all the options we need to configure

./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-pkcs11 --enable-md4 --enable-openssl --enable-ccm --enable-gcm --enable-farp --enable-eap-identity --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-xauth-eap --enable-dhcp --enable-charon

now we compile (takes like 10 minutes)

Code:

make

when thats done

Code:

make install

Now strongswan is setup for vpn use. we just need to configure access config

FIREWALL
Edit: it appears many other users are getting the firewall working with the first options listed below. only try disabling the firewall if you run into issues. other uses mentioned they would be able to connect but no traffic would be routed through.

Unfortunately I don't quite understand how to use the settings the other guides give. I am relying on the firewall config that amazon provides that you just modified. So I will show you both, how they say to modify it, and how I got it to work. Essentially I just disabled the firewall thats the only way I could get it to work, but Im hoping someone reading this might be able to help me configure it properly.

What I had to do to connect. Though I would not get internet access unless I ran commands listed just below this
HowTo Disable The Iptables Firewall in Linux

Code:

/etc/init.d/iptables save
/etc/init.d/iptables stop

Other Guides Says...

Enable masquerade (replace eth0 by your network interface name):
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Enable clamp-mss-to-pmtu:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Now this allows you to get outside net access while connected to the vpn

Code:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

now we modify a config file sysctl.conf

Code:

vim /etc/sysctl.conf

a new screen will now pop up. your essentially in a text editor to change the config file to what we need it for the vpn server. there are other editors use what you like, im providing codes for what i found to work. we will be changing one line from 0 to 1 and adding three more lines. also uncommenting 3 other lines

VIM commands that are useful

i = insert text
del = will delete text
to exit its kinda weird
you need to type ":" then q
:q = quit without saving
:wq = write then quite which means its saves it

change from 0 to 1

Code:

net.ipv4.ip_forward = 1

add

Code:

net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1

Photo Album - Imgur

comment by putting a number sign # infront of every one of these three lines

Code:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

now save your changes and exit

Code:

type ":" which is like shift+;
:wq

now we need to restart sysctl

Code:

sysctl -p

we are now going to create a file that will house our username/password credentials

Code:

vim /etc/ipsec.secrets

copy and paste this in // change what you like to what you want... keep in mind i reference these in the future though

Code:

: PSK "password1"
user1 : EAP "password2"
user2 : EAP "password3"

to copy this text above select it with mouse then "cntrol+c"
to paste this into putty just "right-click" mouse

now save and exit

Code:

:wq

now we are going to edit /etc/ipsec.conf

Code:

vim /etc/ipsec.conf

to select all in vim type "v" then "gg" then "shift+g" then delete by hitting the "del" key then hit "del" a few more times till everything is cleared from screen.
then select the text below and right-click copy, then go back to putty > "right-click" mouse to paste.
* a side note you have to select the text from the bottom of what you want to copy if you want it to paste properly. dont ask me why...
it still might not paste properly so add the beginning lines "config se" or whatever happens on your putty screen.

we need to replace the entire contents with this

Code:

config setup
    strictcrlpolicy=no

conn %default
   ikelifetime=24h
   keylife=24h
   keyexchange=ikev2
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=3600s
   compress=yes

conn rem
   rekey=no
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=SERVER_PUBLIC_IP_ADDRESS
   right=%any
   rightsourceip=192.168.2.100/29
   rightauth=eap-mschapv2
   rightsendcert=never
   eap_identity=%any
   auto=add

replace serveripaddress with the ip address of your server. not sure if you can just put hostname, but its easy to convert to ip.
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88

now save and exit vim

Code:

:wq

we are now going to edit /etc/strongswan.conf

Code:

vim /etc/strongswan.conf

select all delete then paste with the following

Code:

charon {
   threads = 16
   dns1 = 8.8.4.4
   dns2 = 8.8.8.8
}

pluto {
}

libstrongswan {
}

after you paste also notice that "cha" might be missing from the first line "charon" you will need to add it.
above you can also change 8.8.8.8 or 8.8.4.4 to the dns server of your choice. this ones google. opendns is 208.67.222.222 208.67.220.220

save and exit

Code:

:wq

Now start the strongswan server. Just to reassure everyone I followed my own guide, and it produced a working server. Just make sure you copy and pasted exactly and all that and your z10 or q10 will be running off secure vpn.

Code:

ipsec start

Now go back to post one
http://forums.crackberry.com/blackbe...8/#post9368429

[habibvalil]

Will such vpn servers be multi-user? Can I have a test vpn account for a few hours on the server you created for yourself to see if it works for my z10 in my country, or not ( for any unknown possible reason)? Following the procedure you described is not easy for me be coz I have to find a method for internet payment. It would be great if I can test such a vpn before I make a lot of efforts for that.


Posted via CB10

[Rebelllious]

Guyzer, have you tried this by yourself and does it really work this way? I was trying to follow your guide (a very good one) on my openSUSE installation, but could not connect to my server. Did it work OK for you? Are there any certificates needed? In your how-to there's not a single word about it...

[Guyzer]

Guyzer, have you tried this by yourself and does it really work this way? I was trying to follow your guide (a very good one) on my openSUSE installation, but could not connect to my server. Did it work OK for you? Are there any certificates needed? In your how-to there's not a single word about it...

yes I have followed the steps exactly and it works from scratch. you mentioned certificates but the config I used was user/pass no certificates. if you want certifcates you can see this website. getting certificates is my next project as it is more secure.

Tired Of "Snoopfest"? Stop It in [Market-Ticker]

can you post the bb z10 (or w/e device you have) vpn logs? they will identify what the problem is with your vpn. if you have no logs, its most likely a firewall issue. thats why I had to disable the one in linux with.

Code:

/etc/init.d/iptables save
/etc/init.d/iptables stop

you also might make sure you have all the ports you need open otherwise.

udp (500,1701,4500)

[Andrew French]

Nice guide, thanks for it. It's worth noting that for myself the firewall rules were required to have a functioning VPN server. I could connect without them but no traffic was routed through.

[macroberry]

uncomment by putting a number sign # infront of every one of these three lines
Code:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Sorry, did you mean 'comment'?

[macroberry]

Nice guide, thanks for it. It's worth noting that for myself the firewall rules were required to have a functioning VPN server. I could connect without them but no traffic was routed through.

The same here

[Guyzer]

Sorry, did you mean 'comment'?

yeah fixed it thanks

so whats the issues with the firewall you guys are having? Did you set both the AMAZON one and the linux one as well?

[macroberry]

so whats the issues with the firewall you guys are having? Did you set both the AMAZON one and the linux one as well?

To get VPN working I needed to have iptables running with rules that you specified in your post.
I also wanted to thank you very much for putting this guide together

[Nasser Alomran]

EXCELLENT GUIDE! wonderfully put and very easy to follow, took me 30 minutes from start to end. Plus now I have my own VPN server

However please note that us running 10.2 + versions of the OS will not be able to connect to any IPsec service, it keeps giving us Timeout issues.

When you mentioned:
replace serveripaddress with the ip address of your server. not sure if you can just put hostname, but its easy to convert to ip.
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88

Did you mean only to place the server IP address instead of this line
leftid=SERVER_PUBLIC_IP_ADDRESS

?

[Nasser Alomran]

Never mind the timeout issue, I've got it to work now. Got a successful connection through the SS Ipsec server. I am trying to open normal websites through the browser but its not allowing me, just seems to keep loading the white screen forever.

EDIT: It finally works! the VPN service is faster than any other I have used. Great! totally recommend following these steps, but PUT ON The firewall because without it there will be 0 traffic, in my case, websites were not opening up. I dont know how the OP was able to work on it with FW settings turned off.

I hope this thread becomes a sticky, it is very helpful and a guide that was clear and easy to follow, my english is very basic but I found no issues going through the instructions. Kindly make this a sticky so that everyone looking for help with VPNs can get it working on their end.

Question to Original Poster: How much would it cost me to continue using this service on Amazon EWS for the next year? I have my credit card punched in and I am the only user on my server, and I dont want to be shocked by the charges on my 13th month when renewal kicks in! thanks

[Guyzer]

leftid=54.202.7.88

EXCELLENT GUIDE! wonderfully put and very easy to follow, took me 30 minutes from start to end. Plus now I have my own VPN server

However please note that us running 10.2 + versions of the OS will not be able to connect to any IPsec service, it keeps giving us Timeout issues.

When you mentioned:
replace serveripaddress with the ip address of your server. not sure if you can just put hostname, but its easy to convert to ip.
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88

Did you mean only to place the server IP address instead of this line
leftid=SERVER_PUBLIC_IP_ADDRESS

?

[Guyzer]

Question to Original Poster: How much would it cost me to continue using this service on Amazon EWS for the next year? I have my credit card punched in and I am the only user on my server, and I dont want to be shocked by the charges on my 13th month when renewal kicks in! thanks

about $5 a month based on usage mind you. per gig its $0.01 so it depends. there are a few way to help ease the payment though.

I am currently using my 2nd credit card with a new email/account and I get a new year again. I also had one of my other cards changed so its a new number, thus allowing me to get another new account as long as I have another email. I have three free years

If your stuck with one credit card there are some things you can do to limit the fees even further. You can shutdown and restart your vpn services as needed. you will need to install amazon app store which is easy to do with the latest leak (allows you to install apk's without bar conversion).

you can get it here.
Install Amazon Appstore

if you have the leak that allows you to install apk's you can then install
amazon aws console
this allows you to configure and shutdown what you need when you need it. very easy, at the touch of a button you can have your vpn off/on. this will save on fees (though they are already pretty low). so you only need to turn on the vpn when you need it.
Amazon.com: AWS Console: Appstore for Android
or
AWS Management Console App for iOS and Android

one thing to keep in mind though is you will need to add a line in one of your configs to autostart the vpn on startup. since we started the vpn manually, if you restart, you will need to restart manually again, unless you add it to autostart. i was looking into this but never got it setup, since I dont need to shut down my vpns yet.

here is where I would start if i wanted to find out how to do it

Code:

/etc/rcX.d
/etc/init.d/

[blackbili]

]""""""بابا جون مادرتون یه ایرانی با غیرت پیدا نمیشه بگه ما چجوری واس یه وی پی ان بگیریم[]"""""

[ATV_Hightower]

Do we know what it will cost after the free year? I tried to figure it out by myself but couldnt find it.

[Guyzer]

$5 / month depending on usage but should be less. mind you... if you know of, someone like maybe your wife, who has another credit card you can sign up over again for another free year. im currently on my second year

Do we know what it will cost after the free year? I tried to figure it out by myself but couldnt find it.

[Rebelllious]

Sorry for not posting so long. Just had no time to dive into this again.
Now I followed your guide word-to-word, and made everything using EC2 and Red Hat (the same as CentOS) as well. I finally got devices connecting to the server (with iptables stopped only, otherwise timeouting), but the client devices seem to lose Internet connection in this way, being not able to surf further.
Also, I opened UDP 1701 in AWS console, however it seems to be closed anyway.
Any insight?

[Guyzer]

heres a test sever for anyone who wants to see if the american ip will work for what they need

Create a new VPN profile using the following connection details:
Profile Name: anything
Server Address: 54.194.240.250
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: IPv4
MSCHAPv2 EAP Identity: anything, this field does not matter
MSCHAPv2 Username: user1
MSCHAPv2 Password: password2
Gateway Auth Type: PSK
Gateway Auth ID Type: IPv4
Gateway Preshared Key: password1
Perfect Forward Secrecy: not checked
There is no need to change any "Advanced" configurations.

[Guyzer]

Sorry for not posting so long. Just had no time to dive into this again.
Now I followed your guide word-to-word, and made everything using EC2 and Red Hat (the same as CentOS) as well. I finally got devices connecting to the server (with iptables stopped only, otherwise timeouting), but the client devices seem to lose Internet connection in this way, being not able to surf further.
Also, I opened UDP 1701 in AWS console, however it seems to be closed anyway.
Any insight?

well you forgot to include a couple ports. this most likely is your problem. in the aws console


UDP
500
1701
4500



if you truly did follow this word for word redhat is not the same as centos. i as well as others have been able to get the server up and running with all these steps included

[Rebelllious]

I really tried to do this step-by-step, and I did follow everything in order to get it all running as it should. I did open the ports (UDP 500, 1701 and 4500) in AWS console when setting up the instance. Also, I tried several times to re-open them afterwards. I spoilt at least 5 instances with no luck for the server to let the clients connect to the internet. The only connection existing is "client-server", not "client-server-internet". Now I am launching another instance once again and give it another try.
Red Hat was only the first time, all the rest were CentOS.
I am really getting desperate

[Guyzer]

I really tried to do this step-by-step, and I did follow everything in order to get it all running as it should. I did open the ports (UDP 500, 1701 and 4500) in AWS console when setting up the instance. Also, I tried several times to re-open them afterwards. I spoilt at least 5 instances with no luck for the server to let the clients connect to the internet. The only connection existing is "client-server", not "client-server-internet". Now I am launching another instance once again and give it another try.
Red Hat was only the first time, all the rest were CentOS.
I am really getting desperate

If you pm me your credentials I'll do it for you.

[Guyzer]

Also does that test server work for you? This is important because it is possible your isp is preventing you from connecting to a vpn

edit: give me a sec, current test server overloaded. creating a second oneokay updated to 54.194.240.250

double edit: also i think its possible for me to just give you the image of the current server I am running. lol, this would really simplify this howto

triple edit: lol, looks like some peeps were using the vpn for more than just testing. ran usage up to 20 gigs. still under free teir so no biggy. it resets on the 1st again anyways


super edit: okay so I found something out with the firewall. those issues that some were having. so, I wasn't able to connect to the server while the firewall was on. so I had to turn it off. then I could not get internet access even though I was connected. Found that I had to redo the iptables options. I will update the howto, no clue why this works. I just like to play with stuff yet I know nothing really about linux. still would be cool if someone from crackberry could help out on what I need to do specifically with the firewall