New and Improved!
Only takes 11 minutes from the time you SSH into your box. Copy and paste 2 commands.
The howto is broken down into two main sections.
1. Amazon EC2 Setup
2. Linux Setup (strongswan)
Reasons why you might want a VPN
- Watch American/British television freely on services like Hulu or BBC, or watch those respective regional Netflix offerings.
- Security when using an open Wi-Fi hotspot (coffee shops, etc.).
- To be cool when showing off your Z10.
Amazon EC2
FREE EC2 instance from Amazon (free tier for one year)
- Click "create free account".
- It's helpful if you already have an Amazon account. It asks for your credentials and asks that you re-enter your credit card number. This is in case you go over the free tier usage limits, which are very large: 30 gigs of data transfer (I never use this), and even if you go over it's like $0.01 a gig, so don't worry. If any charges do show up on your account they are quite nominal. Interestingly, if you were to run this server for your own purposes, mildly, it could run maybe $5 a month. There are services out there that charge about this, but it's more fun doing it yourself, and this way you know it's secure.
- Sign up now, as the first step may take a couple of hours to get approved by Amazon.
After you have been approved by Amazon (you should receive an email), go to this website to manage your EC2 instance:
https://aws.amazon.com/marketplace/p...=1382353859417
Please take note of the region it is launching in. If you are interested in the free BBC material from its app then you would need to change this to Ireland. Likewise, if you live on the west coast you might want to pick Oregon. This would also give you American TV content if you live somewhere else. Interestingly, I use the ABC app even though I'm Canadian. This is where your instance will be launched.
The next screen will now provide you with the details. You can change any details you like; the only thing that is truly important is the KEYPAIR. This is required!!! You need it to access your Linux box securely to then make the modifications that turn it into a VPN server. Download this keypair and keep it in a safe place. If you ever lose it you will lose the ability to access your own server. The security group we can modify later to allow specifically for your server.
PuTTY
Your instance is now being deployed. This takes a while, as it is essentially booting up for the first time and installing or configuring whatever options you previously selected. While this is being done you can get set up to access your server. For this you will need an SSH client. I personally use PuTTY. If you use PuTTY you can get it here. You will need two files: putty.exe and puttygen.exe. puttygen converts your keypair.pem to keypair.ppk for use specifically with PuTTY.
PuTTY Download Page
run puttygen
click load
change filetypes to "all files" (from ppk)
locate keypair.pem
save private key > "save without passphrase" (I said yes but do what you want)
saved as keypair.ppk in same location
now run putty.exe
click ssh (in options side left menu)
click auth > browse > locate keypair.ppk
in side-left menu go back to Session
input hostname in main menu now (ip you were assigned)
You get this from your Amazon EC2 page. Highlight the instance that you launched and it will give you a hostname on
Also, while on this page I would get the name of the security group you have been assigned. This will need to be changed next.
Security Groups
You need port TCP 22 open (which should already be set) and UDP 500 and 4500.
select the group from the top
in the bottom half add new rules
select custom UDP
then add 500
then do it again, add 4500
then make sure to APPLY the changes, otherwise nothing's changed
Now go back to PuTTY.
I would recommend saving this info so you don't have to do it again, but do as you want... click Open.
Now a window asking if you want to trust that certificate pops up. Say yes.
Now a black window pops up and asks you to log in. With this specific distro you log in as
"root"
NEW AND IMPROVED WITH SCRIPT FROM REBELLIOUS
New Way [Post63]
Old Way [Post4]
Finished with the script. It is now available at https://www.dropbox.com/s/xk8jaqv67m8h15o/vpn.sh (just in case anybody is interested in its contents, or in order to check there is no Trojan horse in the code). Guys, sorry for the absence of comments in the script, I am a little lazy to do this...
So the new procedure for installing the strongSwan VPN for BlackBerry 10 is suggested as follows:
Step 1
Repeat all steps Guyzer offers you concerning AWS setup till the moment you log into your server with root.
Step 2 (copy and paste the commands if you feel you could make a typo)
Install the wget package to be able to download the installation script.
Code:
yum -y install wget
Code:
bash <(wget -qO- --no-check-certificate https://www.dropbox.com/s/xk8jaqv67m8h15o/vpn.sh)
Pleasant thing: the whole installation process, from installing wget till having a working VPN server, takes 11 minutes (I did test this on a micro instance 15 minutes ago and this was exactly how long it took me).
Enjoy!
Now setup your BlackBerry
Create a new VPN profile using the following connection details:
Profile Name: anything
Server Address: VPN server's public Internet address
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: IPv4
MSCHAPv2 EAP Identity: anything, this field does not matter
MSCHAPv2 Username: user1 (username specified in ipsec.secrets)
MSCHAPv2 Password: password2 (user password specified in ipsec.secrets)
Gateway Auth Type: PSK
Gateway Auth ID Type: IPv4
Gateway Preshared Key: password1 (the PSK password specified in ipsec.secrets)
Perfect Forward Secrecy: not checked
There is no need to change any "Advanced" configurations.
Other links you may be interested in
PPTP VPN
Tired Of "Snoopfest"? Stop It in [Market-Ticker]
http://aws.amazon.com/console/mobile/
https://forums.crackberry.com/e?link...token=eO5NtEXp
Last edited by Guyzer; 05-08-14 at 12:56 AM.
10-21-13 08:31 AM
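The profile above takes its credentials from the server's ipsec.secrets, and two mistakes come up later in this thread: leaving leftid as the SERVER_PUBLIC_IP_ADDRESS placeholder in ipsec.conf, and keeping the guide's sample passwords. This added pre-flight check is mine, not from the thread, the script or strongSwan; it assumes the /etc/ipsec.conf and /etc/ipsec.secrets paths the how-to uses, and the check_vpn_config name is made up for this example.

```shell
# check_vpn_config CONF SECRETS: added pre-flight check (not from the thread).
# Looks for the mistakes people hit in this thread before the phone is pointed
# at the server. Exit status 0 = clean, 1 = something to fix (details on stderr).
# Usage on the server: check_vpn_config /etc/ipsec.conf /etc/ipsec.secrets
check_vpn_config() {
    conf="$1"
    secrets="$2"
    bad=0
    # 1. leftid must be the instance's real public IP, not the guide's placeholder.
    if grep -q 'leftid=SERVER_PUBLIC_IP_ADDRESS' "$conf"; then
        echo "$conf: leftid is still the placeholder; set it to the EC2 public IP" >&2
        bad=1
    fi
    # 2. A ': PSK "..."' line must exist, because the phone's Gateway Auth Type is PSK.
    if ! grep -Eq '^[[:space:]]*:[[:space:]]*PSK[[:space:]]+"' "$secrets"; then
        echo "$secrets: no ': PSK \"...\"' line for the gateway pre-shared key" >&2
        bad=1
    fi
    # 3. At least one 'user : EAP "..."' line, which is what EAP-MSCHAPv2 logs in with.
    if ! grep -Eq '^[^:#]+:[[:space:]]*EAP[[:space:]]+"' "$secrets"; then
        echo "$secrets: no 'user : EAP \"...\"' entry for the phone to log in with" >&2
        bad=1
    fi
    # 4. The sample secrets from the guide are public; they must have been changed.
    for sample in password1 password2 password3; do
        if grep -q "\"$sample\"" "$secrets"; then
            echo "$secrets: sample secret \"$sample\" is still in use; change it" >&2
            bad=1
        fi
    done
    # 5. ipsec.secrets holds the PSK in clear text, so only root may read it
    #    (GNU stat, as on the CentOS image the how-to uses).
    mode=$(stat -c '%a' "$secrets")
    case "$mode" in
        600|400) ;;
        *) echo "$secrets: mode is $mode, should be 600" >&2; bad=1 ;;
    esac
    return $bad
}

if [ "$#" -eq 2 ]; then
    check_vpn_config "$1" "$2"
fi
```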
- Thanks for your concern. I don't have a credit card. Can't I create an Amazon account? Does it mean that I can not proceed with this method?
Posted via CB10
10-22-13 05:11 AM
- EDIT: I just found out you can copy and paste all the commands as one dump. They will run sequentially, one after another. So here's the dump of what you can copy and paste into PuTTY:
yum -y update
yum -y install wget
yum -y install vim
yum -y install make
yum -y install gcc
yum -y install gmp-devel
yum -y install openldap-devel
yum -y install libcurl-devel
yum -y install openssl-devel
wget http://download.strongswan.org/strongswan-5.1.1.tar.bz2
tar xjvf strongswan-5.1.1.tar.bz2; cd strongswan-5.1.1
./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-pkcs11 --enable-md4 --enable-openssl --enable-ccm --enable-gcm --enable-farp --enable-eap-identity --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-xauth-eap --enable-dhcp --enable-charon
make
make install
Input the following one at a time; follow the prompts and select Y for yes when asked.
Code:
yum -y update
yum -y install wget
yum -y install vim
yum -y install make
yum -y install gcc
yum -y install gmp-devel
yum -y install openldap-devel
yum -y install libcurl-devel
yum -y install openssl-devel
Code:
wget http://download.strongswan.org/strongswan-5.1.1.tar.bz2
Code:
tar xjvf strongswan-5.1.1.tar.bz2; cd strongswan-5.1.1
Code:
./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-pkcs11 --enable-md4 --enable-openssl --enable-ccm --enable-gcm --enable-farp --enable-eap-identity --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-xauth-eap --enable-dhcp --enable-charon
Code:
make
Code:
make install
FIREWALL
Edit: it appears many other users are getting the firewall working with the first options listed below. Only try disabling the firewall if you run into issues. Other users mentioned they would be able to connect but no traffic would be routed through.
Unfortunately I don't quite understand how to use the settings the other guides give. I am relying on the firewall config that Amazon provides, which you just modified. So I will show you both: how they say to modify it, and how I got it to work. Essentially I just disabled the firewall; that's the only way I could get it to work, but I'm hoping someone reading this might be able to help me configure it properly.
What I had to do to connect. Though I would not get internet access unless I ran the commands listed just below this.
HowTo Disable The Iptables Firewall in Linux
Code:
/etc/init.d/iptables save
/etc/init.d/iptables stop
Enable masquerade (replace eth0 with your network interface name):
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Enable clamp-mss-to-pmtu:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Code:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Now we modify the config file sysctl.conf:
Code:
vim /etc/sysctl.conf
VIM commands that are useful:
i = insert text
del = will delete text
To exit, it's kinda weird:
you need to type ":" then q
:q = quit without saving
:wq = write then quit, which means it saves it
Code:
net.ipv4.ip_forward = 1
Code:
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
Comment out these three lines by putting a number sign # in front of each of them:
Code:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Type ":" (which is shift+;) then wq:
Code:
:wq
Code:
sysctl -p
Code:
vim /etc/ipsec.secrets
Code:
: PSK "password1"
user1 : EAP "password2"
user2 : EAP "password3"
To paste this into PuTTY just right-click the mouse.
Now save and exit:
Code:
:wq
Code:
vim /etc/ipsec.conf
Then select the text below and right-click > copy, then go back to PuTTY and right-click to paste.
* A side note: you have to select the text from the bottom of what you want to copy if you want it to paste properly. Don't ask me why...
It still might not paste properly, so add the beginning lines "config se" or whatever happens on your PuTTY screen.
We need to replace the entire contents with this:
Code:
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=24h
    keylife=24h
    keyexchange=ikev2
    dpdaction=clear
    dpdtimeout=3600s
    dpddelay=3600s
    compress=yes

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=SERVER_PUBLIC_IP_ADDRESS
    right=%any
    rightsourceip=192.168.2.100/29
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88
Now save and exit vim:
Code:
:wq
Code:
vim /etc/strongswan.conf
Code:
charon {
    threads = 16
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
}
pluto {
}
libstrongswan {
}
Above, you can also change 8.8.8.8 or 8.8.4.4 to the DNS server of your choice. These ones are Google's. OpenDNS is 208.67.222.222 and 208.67.220.220.
Save and exit:
Code:
:wq
Code:
ipsec start
http://forums.crackberry.com/blackbe...8/#post9368429
Last edited by Guyzer; 05-06-14 at 01:33 AM.
10-22-13 05:25 PM
- Will such VPN servers be multi-user? Can I have a test VPN account for a few hours on the server you created for yourself, to see if it works for my Z10 in my country or not (for any unknown possible reason)? Following the procedure you described is not easy for me because I have to find a method for internet payment. It would be great if I could test such a VPN before I make a lot of effort for that.
Posted via CB10
commandos135 likes this.
10-26-13 04:28 AM
- Guyzer, have you tried this by yourself and does it really work this way? I was trying to follow your guide (a very good one) on my openSUSE installation, but could not connect to my server. Did it work OK for you? Are there any certificates needed? In your how-to there's not a single word about it...
11-06-13 02:30 PM
- Guyzer, have you tried this by yourself and does it really work this way? I was trying to follow your guide (a very good one) on my openSUSE installation, but could not connect to my server. Did it work OK for you? Are there any certificates needed? In your how-to there's not a single word about it...
Tired Of "Snoopfest"? Stop It in [Market-Ticker]
Can you post the BB Z10 (or whatever device you have) VPN logs? They will identify what the problem is with your VPN. If you have no logs, it's most likely a firewall issue. That's why I had to disable the one in Linux with:
Code:
/etc/init.d/iptables save
/etc/init.d/iptables stop
udp (500,1701,4500)
11-06-13 02:46 PM
- Nice guide, thanks for it. It's worth noting that for myself the firewall rules were required to have a functioning VPN server. I could connect without them but no traffic was routed through.
12-20-13 05:40 PM
- I also wanted to thank you very much for putting this guide together
12-26-13 06:33 PM
- EXCELLENT GUIDE! wonderfully put and very easy to follow, took me 30 minutes from start to end. Plus now I have my own VPN server
However, please note that those of us running 10.2+ versions of the OS will not be able to connect to any IPsec service; it keeps giving us timeout issues.
When you mentioned:
replace serveripaddress with the ip address of your server. not sure if you can just put hostname, but it's easy to convert to ip.
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88
Did you mean only to place the server IP address instead of this line
leftid=SERVER_PUBLIC_IP_ADDRESS
?
12-28-13 06:52 AM
- Never mind the timeout issue, I've got it to work now. Got a successful connection through the SS IPsec server. I am trying to open normal websites through the browser but it's not allowing me; it just seems to keep loading the white screen forever.
EDIT: It finally works! The VPN service is faster than any other I have used. Great! I totally recommend following these steps, but PUT ON the firewall, because without it there will be 0 traffic; in my case, websites were not opening up. I don't know how the OP was able to work on it with FW settings turned off.
I hope this thread becomes a sticky; it is very helpful and a guide that was clear and easy to follow. My English is very basic but I found no issues going through the instructions. Kindly make this a sticky so that everyone looking for help with VPNs can get it working on their end.
Question to Original Poster: How much would it cost me to continue using this service on Amazon EWS for the next year? I have my credit card punched in and I am the only user on my server, and I don't want to be shocked by the charges on my 13th month when renewal kicks in! thanks
Last edited by Nasser Alomran; 12-28-13 at 08:30 AM.
Guyzer likes this.
12-28-13 07:13 AM
- leftid=54.202.7.88
EXCELLENT GUIDE! wonderfully put and very easy to follow, took me 30 minutes from start to end. Plus now I have my own VPN server
However, please note that those of us running 10.2+ versions of the OS will not be able to connect to any IPsec service; it keeps giving us timeout issues.
When you mentioned:
replace serveripaddress with the ip address of your server. not sure if you can just put hostname, but it's easy to convert to ip.
hostname = ec2-54-202-7-88.us-west-2.compute.amazonaws.com
ip = 54.202.7.88
Did you mean only to place the server IP address instead of this line
leftid=SERVER_PUBLIC_IP_ADDRESS
?
12-28-13 05:54 PM
- Question to Original Poster: How much would it cost me to continue using this service on Amazon EWS for the next year? I have my credit card punched in and I am the only user on my server, and I don't want to be shocked by the charges on my 13th month when renewal kicks in! thanks
I am currently using my 2nd credit card with a new email/account and I get a new year again. I also had one of my other cards changed so it's a new number, thus allowing me to get another new account as long as I have another email. I have three free years.
If you're stuck with one credit card there are some things you can do to limit the fees even further. You can shut down and restart your VPN services as needed. You will need to install the Amazon app store, which is easy to do with the latest leak (allows you to install APKs without BAR conversion).
you can get it here.
Install Amazon Appstore
if you have the leak that allows you to install apk's you can then install
amazon aws console
This allows you to configure and shut down what you need when you need it. Very easy: at the touch of a button you can have your VPN off/on. This will save on fees (though they are already pretty low), so you only need to turn on the VPN when you need it.
Amazon.com: AWS Console: Appstore for Android
or
AWS Management Console App for iOS and Android
One thing to keep in mind, though, is you will need to add a line in one of your configs to autostart the VPN on startup. Since we started the VPN manually, if you restart you will need to start it manually again, unless you add it to autostart. I was looking into this but never got it set up, since I don't need to shut down my VPNs yet.
Here is where I would start if I wanted to find out how to do it:
Code:
/etc/rcX.d
/etc/init.d/
12-28-13 06:03 PM
- Do we know what it will cost after the free year? I tried to figure it out by myself but couldn't find it.
01-21-14 06:36 AM
- $5 / month depending on usage, but should be less. Mind you... if you know of someone, like maybe your wife, who has another credit card you can sign up over again for another free year. I'm currently on my second year.
01-21-14 09:05 PM
- Sorry for not posting for so long. Just had no time to dive into this again.
Now I followed your guide word-to-word, and made everything using EC2 and Red Hat (the same as CentOS) as well. I finally got devices connecting to the server (with iptables stopped only, otherwise timeouting), but the client devices seem to lose Internet connection in this way, being not able to surf further.
Also, I opened UDP 1701 in AWS console, however it seems to be closed anyway.
Any insight?
01-24-14 05:11 AM
- Here's a test server for anyone who wants to see if the American IP will work for what they need.
Create a new VPN profile using the following connection details:
Profile Name: anything
Server Address: 54.194.240.250
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: IPv4
MSCHAPv2 EAP Identity: anything, this field does not matter
MSCHAPv2 Username: user1
MSCHAPv2 Password: password2
Gateway Auth Type: PSK
Gateway Auth ID Type: IPv4
Gateway Preshared Key: password1
Perfect Forward Secrecy: not checked
There is no need to change any "Advanced" configurations.
Last edited by Guyzer; 01-29-14 at 03:25 AM.
01-28-14 01:59 AM
- Sorry for not posting for so long. Just had no time to dive into this again.
Now I followed your guide word-to-word, and made everything using EC2 and Red Hat (the same as CentOS) as well. I finally got devices connecting to the server (with iptables stopped only, otherwise timeouting), but the client devices seem to lose Internet connection in this way, being not able to surf further.
Also, I opened UDP 1701 in AWS console, however it seems to be closed anyway.
Any insight?
UDP
500
1701
4500
If you truly did follow this word for word, Red Hat is not the same as CentOS. I, as well as others, have been able to get the server up and running with all these steps included.
01-28-14 02:01 AM
- I really tried to do this step-by-step, and I did follow everything in order to get it all running as it should. I did open the ports (UDP 500, 1701 and 4500) in the AWS console when setting up the instance. Also, I tried several times to re-open them afterwards. I spoilt at least 5 instances with no luck for the server to let the clients connect to the internet. The only connection existing is "client-server", not "client-server-internet". Now I am launching another instance once again and giving it another try.
Red Hat was only the first time, all the rest were CentOS.
I am really getting desperate
01-29-14 02:14 AM
- I really tried to do this step-by-step, and I did follow everything in order to get it all running as it should. I did open the ports (UDP 500, 1701 and 4500) in the AWS console when setting up the instance. Also, I tried several times to re-open them afterwards. I spoilt at least 5 instances with no luck for the server to let the clients connect to the internet. The only connection existing is "client-server", not "client-server-internet". Now I am launching another instance once again and giving it another try.
Red Hat was only the first time, all the rest were CentOS.
I am really getting desperate
01-29-14 02:30 AM
- Also, does that test server work for you? This is important because it is possible your ISP is preventing you from connecting to a VPN.
edit: give me a sec, current test server overloaded. Creating a second one. Okay, updated to 54.194.240.250
double edit: also, I think it's possible for me to just give you the image of the current server I am running. lol, this would really simplify this how-to.
triple edit: lol, looks like some peeps were using the VPN for more than just testing. Ran usage up to 20 gigs. Still under the free tier so no biggie. It resets on the 1st again anyways.
super edit: okay, so I found something out with the firewall, those issues that some were having. So, I wasn't able to connect to the server while the firewall was on, so I had to turn it off. Then I could not get internet access even though I was connected. Found that I had to redo the iptables options. I will update the how-to; no clue why this works. I just like to play with stuff yet I know nothing really about Linux. It still would be cool if someone from CrackBerry could help out on what I need to do specifically with the firewall.
Last edited by Guyzer; 01-29-14 at 03:31 AM.
01-29-14 02:32 AM
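Guyzer's open question about what to do with the firewall, answered with an added example that is not from the thread, the script or the strongSwan project: a ruleset that leaves iptables running, admits only IKE (UDP 500), NAT-T (UDP 4500), ESP and SSH, and forwards and masquerades only packets that arrived inside an IPsec tunnel, which is the part that was missing when people could connect but got no Internet. It assumes the how-to's eth0 and the /29 that holds its rightsourceip=192.168.2.100/29 pool (both overridable), still needs the how-to's net.ipv4.ip_forward = 1, and the function names are mine.

```shell
# Added example (not from the thread): keep the firewall ON for the how-to's
# strongSwan IKEv2 server instead of "/etc/init.d/iptables stop".
VPN_IF="${VPN_IF:-eth0}"                 # the how-to's interface name
VPN_POOL="${VPN_POOL:-192.168.2.96/29}"  # the /29 holding the rightsourceip pool

# gen_vpn_rules IFACE POOL: print an iptables-restore file for the VPN server.
gen_vpn_rules() {
    ifname="$1"
    pool="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -s $pool -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d $pool -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $pool -o $ifname -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Comments on the ruleset above:
#  - UDP 500/4500 and ESP are all IKEv2 needs; UDP 1701 is L2TP and is not used here.
#  - The two FORWARD rules accept only packets decrypted from, or about to be
#    encrypted into, an IPsec SA (policy match), so nothing outside the tunnel
#    can use the box as a router even though ip_forward is on.
#  - MASQUERADE and the MSS clamp are the how-to's own two rules, kept as-is but
#    limited to the client pool and moved to the mangle table respectively.

# apply_vpn_rules: load the rules and persist them the way the how-to does on CentOS.
apply_vpn_rules() {
    gen_vpn_rules "$VPN_IF" "$VPN_POOL" | iptables-restore
    /etc/init.d/iptables save
}

case "${1:-show}" in
    apply) apply_vpn_rules ;;
    *)     gen_vpn_rules "$VPN_IF" "$VPN_POOL" ;;   # dry run: just print the rules
esac
```

Run it with no argument first to review the rules, then with "apply" as root on the instance.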
Thread: FREE VPN: Strongswan Ipsec/IKEv2 Z10/Z30/Q10