1. AnimalPak200's Avatar
    Would it be possible to also run a PPTP server concurrently with this IKEV2 server? I'd like to have the IKEV2 for BB10 devices directly and then a regular PPTP to be connected to by a router running DDWRT in order to feed things like roku, fire TV, etc.

    Edit: just saw the "other links" regarding pptp in the OP. Time to break things I suppose.

    Posted via CB10
    Last edited by AnimalPak200; 11-22-14 at 09:21 PM.
    11-22-14 06:00 PM
  2. Guyzer's Avatar
    Would it be possible to also run a PPTP server concurrently with this IKEV2 server? I'd like to have the IKEV2 for BB10 devices directly and then a regular PPTP to be connected to by a router running DDWRT in order to feed things like roku, fire TV, etc.

    Edit: just saw the "other links" regarding pptp in the OP. Time to break things I suppose.

    Posted via CB10
    Let us know how you fare; I can see how it could be useful.
    11-22-14 11:05 PM
  3. Guyzer's Avatar
    پیدا کردی به ما هم بگو ...

    Translated by moderator:
    Tell us you found it ...
    If you're referring to the script that lets you use your VPN as another way to install bar files remotely, there are more instructions here:

    Want the same? | Sideload.it
    11-22-14 11:07 PM
  4. AnimalPak200's Avatar
    Let us know how you fare; I can see how it could be useful.
    Well, didn't go so well.

    I tried setting up the pptpd service on a separate ubuntu instance, and then a separate CentOS instance. I was able to connect to the vpn in both cases, but was not able to get internet access despite all my attempts.

    Modified iptables, disabled the iptables firewall, tried using the UFW (more friendly firewall), opened up all ports to all traffic on the EC2 security group, nothing.

    If anyone can give it a try,.. the set up is actually really easy (and widely documented). I just can't seem to get the port forwarding or firewall to let my client traffic through to the internet and back.

    After trying that,.. I have to give an even bigger kudos to the OP and the script authors. Had the IKEV2 vpn up and running in less than an hour.

    Posted via CB10
    Guyzer likes this.
    11-24-14 08:33 AM
  5. Hendrack's Avatar
    I followed every step, but I've got -bash: ipsec: command not found at the last stage.
    Using CentOS 6.4/6.5 (AMI) Linux as the Amazon EC2 instance is a way to solve your problem.


    If you want to use 'CentOS 7 (x86_64) with Updates HVM' as the Amazon EC2 instance,
    the following presentation provides a tutorial to help you:

    So the new procedure for installing Strongswan VPN for BlackBerry 10 is suggested as follows:

    Step 1

    Step 2
    (copy and paste the commands if you feel you could make a typo)
    Install wget package to be able to download the installation script.
    Code:
    yum -y update
    yum -y install wget
    bash <(wget -qO- --no-check-certificate https://www.dropbox.com/s/9fb7muwagi9yrr6/CentOS7vpn.sh)
    The script will offer you 4 steps for configuring your installation: IP address of your server (found in AWS control panel "Elastic IP"), gateway pre-shared key, user name and user password.


    Guyzer likes this.
    11-24-14 01:30 PM
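
An added example, not part of the original post or of the script author's instructions: the one-liner in the post above runs whatever the download returns, as root, with TLS certificate checking switched off. A safer pattern is to save the script, compare it with a SHA-256 digest obtained from a source you trust, and only then execute it. The function names and the digest placeholder are assumptions; the thread publishes no checksum for CentOS7vpn.sh.

```shell
#!/bin/sh
# Added example; sha256_of, verify_script and fetch_verify_run are hypothetical names.

# sha256_of FILE: prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only if FILE is non-empty and its digest matches; 2 if the
# file is missing or empty, 1 on a digest mismatch.
verify_script() {
    file=$1; expected=$2
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads with certificate validation left on, verifies, then runs.
fetch_verify_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 3
    # No --no-check-certificate here: a TLS failure aborts the install.
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 3; }
    verify_script "$tmp" "$expected" || { rc=$?; rm -f "$tmp"; return $rc; }
    # stdin stays attached to the terminal, so the script's prompts still work.
    bash "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (the digest is a placeholder, not a real value):
#   fetch_verify_run "https://www.dropbox.com/s/9fb7muwagi9yrr6/CentOS7vpn.sh" \
#                    "<sha256-from-a-trusted-source>"
```

Saving the file first also gives you the chance to read it before it runs with root privileges.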
  6. Rebelllious's Avatar
    I tried setting up the pptpd service on a separate ubuntu instance, and then a separate CentOS instance. I was able to connect to the vpn in both cases, but was not able to get internet access despite all my attempts.
    I guess you did not enable traffic pass-through for VPN clients.
    Code:
    vim /etc/sysctl.conf
    and put
    Code:
    net.ipv4.ip_forward = 1
    instead of
    Code:
    net.ipv4.ip_forward = 0
    I see this as the only reason that you could not get farther than your server.
    Also, I am curious why you would want a PPTP VPN connection. I don't see the point of it while having IPsec configured. If you need that for an iOS or Android device, I could just share the piece of a configuration file that would enable IPsec VPN access for those devices.
    Just let me know if you need that.
    11-24-14 01:41 PM
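
An added diagnostic sketch, not from the original posts: when a VPN client connects but cannot reach the internet, the first things to check on the gateway are whether the running kernel is actually forwarding (editing /etc/sysctl.conf alone changes nothing until `sysctl -p` or a reboot) and whether a source-NAT rule exists. The function names below are assumptions, and the checks read files so they can be run against saved copies as well as the live system.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# conf_ip_forward FILE: last uncommented net.ipv4.ip_forward value in FILE
conf_ip_forward() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# has_nat_rule FILE: returns 0 if the iptables-save output in FILE rewrites
# source addresses in POSTROUTING (MASQUERADE or SNAT)
has_nat_rule() {
    grep -Eq -e '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' "$1"
}

# diagnose CONF LIVE RULES: prints one finding; returns 0 only for "ok".
#   CONF  = sysctl.conf
#   LIVE  = /proc/sys/net/ipv4/ip_forward (what the kernel is using now)
#   RULES = saved output of `iptables-save -t nat`
diagnose() {
    conf=$(conf_ip_forward "$1")
    live=$(cat "$2")
    if [ "$live" != 1 ] && [ "$conf" = 1 ]; then
        echo "configured-not-applied"   # file edited, kernel unchanged: run sysctl -p
    elif [ "$live" != 1 ]; then
        echo "forwarding-disabled"
    elif ! has_nat_rule "$3"; then
        echo "no-nat-rule"              # client traffic leaves with its private source address
    else
        echo "ok"; return 0
    fi
    return 1
}

# Live use (as root):
#   iptables-save -t nat > /tmp/nat.rules
#   diagnose /etc/sysctl.conf /proc/sys/net/ipv4/ip_forward /tmp/nat.rules
```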
  7. AnimalPak200's Avatar
    I guess you did not enable traffic pass-through for VPN clients.
    Code:
    vim /etc/sysctl.conf
    and put
    Code:
    net.ipv4.ip_forward = 1
    instead of
    Code:
    net.ipv4.ip_forward = 0
    I see this as the only reason that you could not get farther than your server.
    Also, I am curious why you would want a PPTP VPN connection. I don't see the point of it while having IPsec configured. If you need that for an iOS or Android device, I could just share the piece of a configuration file that would enable IPsec VPN access for those devices.
    Just let me know if you need that.
    I did enable it. It was listed in all the instructions and I also double-checked the original set of instructions here.

    The only reason I want pptp is because I'm sending my mom back to El Salvador with a dd-wrt flashed router, and it doesn't let me configure it as an IKEV2 vpn client. It's just so that she can connect a roku/fire TV to the router and watch amazon prime.

    Posted via CB10
    11-24-14 02:24 PM
  8. AnimalPak200's Avatar
    I don't see the point of it while having IPsec configured. If you need that for an iOS or Android device, I could just share the piece of a configuration file that would enable IPsec VPN access for those devices.
    Just let me know if you need that.
    Looks like IPsec would also work on dd-wrt. If you get a chance to share the configuration file that you mentioned, it would be greatly appreciated!



    Posted via CB10
    11-24-14 03:36 PM
  9. BCITMike's Avatar
    I did enable it. It was listed in all the instructions and I also double-checked the original set of instructions here.

    The only reason I want pptp is because I'm sending my mom back to El Salvador with a dd-wrt flashed router, and it doesn't let me configure it as an IKEV2 vpn client. It's just so that she can connect a roku/fire TV to the router and watch amazon prime.

    Posted via CB10
    You shouldn't use a VPN for that, just DNS forwarding. This allows you to use closer CDNs.

    https://github.com/corporate-gadfly/Tunlr-Clone

    Posted via CB10
    11-24-14 03:54 PM
  10. Rebelllious's Avatar
    By the way, is there any need for an Ubuntu-based script for StrongSwan installation? Just finished one yesterday, though it still needs some testing to polish things.
    Hendrack and Guyzer like this.
    11-25-14 01:52 AM
  11. Hendrack's Avatar
    It couldn't be better! I need it.
    11-25-14 03:35 AM
  12. Rebelllious's Avatar
    Anybody willing to test the VPN server installation script for Ubuntu?
    You should have an EC2 instance with Ubuntu or any Ubuntu installation where you can check this for connectivity.
    PM me for details.
    11-25-14 02:18 PM
  13. Rebelllious's Avatar
    By the way, if anyone is intending to use an Android or an iOS device with Strongswan installation one currently has, it is easy.
    Just do
    Code:
    vim /etc/ipsec.conf
    and at the end of the file put
    Code:
    conn ios
       keyexchange=ikev1
       authby=xauthpsk
       xauth=server
       left=%defaultroute
       leftsubnet=0.0.0.0/0
       leftfirewall=yes
       right=%any
       rightsubnet=10.10.71.0/24
       rightsourceip=10.10.71.2
       auto=add
    In the file
    Code:
    vim /etc/ipsec.secrets
    you add your users as
    Code:
    iphone : XAUTH "password"
    android : XAUTH "password"
    Use your username instead of "iphone" or "android" and your password in place of "password".
    Reload the settings by
    Code:
    ipsec restart
    and you are ready to go. You will just need to configure your device and that's it. Choose IPsec XAUTH profile and configure everything properly using your login credentials.
    Tested both on iPhones and Androids - works fine. Though some Androids (like LG G2) seemed to have problems with Internet access through native web browser, yet Chrome connected fine at the same time.
    Good luck to everyone.
    Hendrack, AnimalPak200 and Guyzer like this.
    11-25-14 02:31 PM
  14. usernaym's Avatar
    Hi, thanks for this guide. I've managed to set it up and get it working on my Z10, but I can't use the VPN on my Windows PC. Do you have instructions on how to do that?
    11-26-14 10:02 AM
  15. charity47's Avatar
    I also went wrong somewhere.. How can I reset the server and rerun the script? I always get a "timeout" error..

    SOLUTION: I had added a security group instead of editing the one -.-. Now works

    BUT, I would also be interested in how to make it work on Windows
    Last edited by charity47; 12-05-14 at 09:35 PM.
    12-05-14 09:19 PM
  16. Guyzer's Avatar
    For Windows I would look at what Rebelllious posted about iOS and Android. I'm sure one of those settings would also work with Windows.

    post 162
    12-06-14 01:27 AM
  17. AnimalPak200's Avatar
    I got this to work with both BlackBerry and ios/android devices. Also installed the no-ip.com ddns updater into the instance and now I don't have to manually change my vpn ip whenever I turn on the ec2 instance.

    I also played around with OpenVPN to set up a router-to-router vpn (instead of the pptp alternative I had mentioned above). Flashed two Linksys routers with tomato and went through the instructions posted online (have to generate certificates and keys) to configure a server and client (also tried two windows clients). Definitely much more complicated than the OP's script! But I did get it to work and now my mom has a separate vpn wifi network back home in El Salvador to which her roku stick is connected.

    I have to say that I ran some speed tests and pptp was brutally much slower than either this solution or the OpenVPN solution. The only advantage is how easy it is to set up clients on android and windows.

    I also set up a "free-tier exceeded alarm" on the amazon workspace console. Still can't figure out exactly what the limits are based on (time the instance is running, amount of processing used, bandwidth used, or some combination?). At least the alarm will send you an email when you have started incurring charges (i.e. $0.01)

    Posted via CB10
    Guyzer likes this.
    12-06-14 08:23 AM
  18. AnimalPak200's Avatar
    Hey guys,.. I've noticed that whenever myself (using a Passport) or my mom (using a Z10) are connected to the strongswan VPN, we are unable to use BBM voice/video features (to anyone). Just wondering if this is something to be expected or if we need to modify iptables to allow the BBM video/voice ports through, as described here:

    http://btsc.webapps.blackberry.com/b...ListHelperImpl


    Edit: I should add that while both BlackBerry devices are unable to do bbm voice and video,.. when I connect a Samsung S4 to the vpn (using the XAUTH modification provided in this thread) it is still able to make and receive BBM voice calls.

    So,.. Seems like either the Android OS routes things differently or BBM voice on non-BlackBerry devices is implemented through a different port/protocol.

    Posted via CB10
    Last edited by AnimalPak200; 12-07-14 at 10:00 PM.
    12-07-14 09:43 PM
  19. BCITMike's Avatar
    Has anyone experienced any problems with this hijacking gateways for other PCs?

    Last year, I set up CentOS in a VM at home with StrongSwan. It seemed to work, but I found out one of my Windows machines with static IP was sending packets to the wrong place, basically making it not able to get out to the Internet. I couldn't make sense of it, given the static IP and all. I shut it down and just kept using the VPS.

    Today I got notice from my VPS provider that my VPS was hijacking IPs on the subnet. He showed me a screenshot of my MAC address with my IP, another IP and the gateway showing up in the Windows VPS. It looks like my VPS is doing an ARP poisoning, preventing the other VPS from being able to get traffic back out to the net. The only thing I can think of is the masquerade in iptables?

    I happened to be using the VPN on my lunch break and VPS was disconnected by VPS hoster by the time I got back from lunch. It seems to correlate that when I was connected, this hijacking was happening at the VPS hoster.

    This has happened 3 times now, and both previous times I got angry with VPS provider because I thought this was very unlikely I was the cause and they had nothing for me to investigate, so I didn't do anything other than make sure I wasn't infected or hacked and used in a bot storm or something.

    There was a month or more where I was running a 10.3.1 hack where VPN didn't work with hotspots and so I didn't use the VPN. It seems that these VPS issues did not occur during this time. The VPS provider seems to have a fairly simple network with no separation or protection (sticky arp? VLANs?), so it's possible this is prevented with Amazon or other VPSs and just happened to be noticed for me at home and with the crappy VPS hoster.
    02-18-15 03:09 AM
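
An added detection example, not from the original post: the symptom the provider described, one MAC address showing up for the gateway and for other hosts' IPs, can be checked from any machine on the same segment by grouping its neighbour table by MAC. The function names, MAC addresses and 192.0.2.x addresses below are constructed for illustration.

```shell
#!/bin/sh
# Added example; names and sample data are constructed.

# Constructed `ip neigh show` output as seen from a neighbouring host.
# 192.0.2.1 is the gateway; the MAC ending :66 also answers for two other IPs.
sample_neigh() {
    cat <<'EOF'
192.0.2.1 dev eth0 lladdr 52:54:00:aa:bb:66 REACHABLE
192.0.2.10 dev eth0 lladdr 52:54:00:aa:bb:10 STALE
192.0.2.20 dev eth0 lladdr 52:54:00:AA:BB:66 REACHABLE
192.0.2.30 dev eth0  FAILED
192.0.2.66 dev eth0 lladdr 52:54:00:aa:bb:66 DELAY
EOF
}

# shared_macs: reads `ip neigh show` output on stdin and prints
# "MAC ip1,ip2,..." for every MAC bound to more than one IP.
shared_macs() {
    awk '{
        mac = ""
        for (i = 1; i < NF; i++)
            if ($i == "lladdr") mac = tolower($(i + 1))
        if (mac == "") next        # FAILED/INCOMPLETE entries carry no MAC
        if (mac in ips) ips[mac] = ips[mac] "," $1
        else            ips[mac] = $1
        n[mac]++
    }
    END { for (m in n) if (n[m] > 1) print m, ips[m] }' | sort
}

# gateway_shared GATEWAY_IP: reads the same input; prints the MAC and
# returns 0 when the gateway's MAC is also bound to other addresses.
gateway_shared() {
    shared_macs | awk -v gw="$1" '{
        k = split($2, a, ",")
        for (i = 1; i <= k; i++) if (a[i] == gw) { print $1; found = 1 }
    }
    END { exit !found }'
}

# Live use:
#   ip -4 neigh show | gateway_shared "$(ip -4 route show default | awk '{print $3; exit}')"
# A host that legitimately holds several addresses also appears in
# shared_macs; the gateway IP resolving to a tenant's MAC is the strong signal.
```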
  20. DigiAngel's Avatar
    Anyone get this to fly with using certs instead of PSK?
    02-26-15 01:18 PM
  21. BCITMike's Avatar
    Anyone get this to fly with using certs instead of PSK?
    Not with this script, but I set up a CentOS 7 on latest StrongSwan with certs on both sides and perfect forward secrecy.

    https://raymii.org/s/tutorials/IPSEC..._CentOS_7.html

    There are two typos to fix. First in ipsec.conf about rightauth2, and the second about firewall-cmd at the bottom. I emailed the website but got no response.

    Posted via CB10
    Guyzer likes this.
    02-26-15 02:47 PM
  22. Guyzer's Avatar
    Not with this script, but I set up a CentOS 7 on latest StrongSwan with certs on both sides and perfect forward secrecy.

    https://raymii.org/s/tutorials/IPSEC..._CentOS_7.html

    There are two typos to fix. First in ipsec.conf about rightauth2, and the second about firewall-cmd at the bottom. I emailed the website but got no response.

    Posted via CB10
    Can you post the specific fixes in this thread? I would like to try this out myself soon.
    03-04-15 01:08 AM
  23. cycle_wala's Avatar
    +1 to that. Unable to use BBM calls when connected to VPN. Not just this method. Even when using IKeV2 gateways.
    Hey guys,.. I've noticed that whenever myself (using a Passport) or my mom (using a Z10) are connected to the strongswan VPN, we are unable to use BBM voice/video features (to anyone). Just wondering if this is something to be expected or if we need to modify iptables to allow the BBM video/voice ports through, as described here:

    http://btsc.webapps.blackberry.com/b...ListHelperImpl


    Edit: I should add that while both BlackBerry devices are unable to do bbm voice and video,.. when I connect a Samsung S4 to the vpn (using the XAUTH modification provided in this thread) it is still able to make and receive BBM voice calls.

    So,.. Seems like either the Android OS routes things differently or BBM voice on non-BlackBerry devices is implemented through a different port/protocol.

    Posted via CB10


    Posted via CB10
    03-12-15 06:26 PM
  24. BCITMike's Avatar
    Can you post the specific fixes in this thread? I would like to try this out myself soon.
    Search: rightauthby2=pubkey
    Replace with: rightauth2=pubkey

    Search: firewall-cmd --permanent --set-default-zone=dmz
    Replace with: firewall-cmd --set-default-zone=dmz
    firewall-cmd --permanent

    I am not 100% confident in the firewall-cmd, but I can say that the original gives errors and doesn't apply (didn't like both being set at same time), and my suggested change applies and works across reboot.

    So if you update your auto installer script, this has the benefit of enabling the firewall permanently, where your previous script set iptables but didn't save it persistently. So newbies who didn't notice that would run into problems after reboot.
    03-12-15 09:18 PM
  25. BCITMike's Avatar
    +1 to that. Unable to use BBM calls when connected to VPN. Not just this method. Even when using IKeV2 gateways.



    Posted via CB10
    What is your symptom? I think my BBM voice is broken.., or I'm confirming what you see.

    I went to just call my bro, which I know worked 1+ years ago, and now it just opens a black active frame. When I disconnected the VPN, the BBM call looked like it was going to go through.

    So we need someone with a sniffer to capture the traffic and find out what traffic and port it's using to connect to BlackBerry servers.
    03-12-15 09:25 PM