1. Someone7272's Avatar
    Hi all,

    In the UK, there's a scam which fraudulently charges directly to your phone bill, simply for visiting a malicious website, or landing on a page with a malicious advert. More information on that here. If you're in the UK and using a UK network operator, I strongly recommend that you read this thread!

    The scam works because UK network operators provide your phone number, based off your 3G/4G IP address to websites. If I use a VPN, that would prevent this scam from happening, as websites will only see the VPN IP address, rather than my 3G/4G IP address.

    I'm considering setting up my own private VPN server at home, and route all traffic from my Z10 through that. We have an upload speed of 18Mb/s and a download speed of 70Mb/s at home, so speed should not be much of an issue here. I was previously able to do this on my iPhone 4S using a PPTP VPN server. But PPTP was compromised a long time ago, so it's obviously not supported on BlackBerry 10. I'm not looking for my VPN to be the most secure, I just want a VPN that works.

    Now before everybody starts spamming, to be clear, I AM NOT LOOKING FOR A PAID OR 3RD PARTY VPN SERVICE!
    Please don't suggest any, I'm not interested; I want to do this myself.

    Now VPN support on BlackBerry 10 seems to be mostly vendor specific. It gets worse - there's no OpenVPN support. This makes me sad, I don't want to buy a Cisco ASA, because those things are huge, noisy, expensive and extremely difficult to configure.

    However, I do see a "Generic IKEv2 VPN Server" entry. Therefore, if I can find IKEv2 VPN server software which is compatible with BlackBerry 10, then this could work.

    So, I call on the community. Has anybody tried using their BlackBerry 10 device with their own private VPN server? Did it work? If it did, what server software did you use?

    Even if you have not personally tested it, but know of any VPN server software which should be compatible with BlackBerry 10, please feel free to suggest it.
    Ideally, it would be free, open-source, and capable of running on a low-power Linux box. However, I will still consider commercial VPN server software, or VPN server software which runs on Windows.

    I've already said this once, but I'll say it again...
    I am looking for BlackBerry 10 compatible VPN server software.
    NOT a VPN service.


    Thanks.
    Last edited by Someone7272; 08-19-16 at 01:46 PM. Reason: Improve readability
    08-19-16 01:43 PM
  2. Richard Buckley's Avatar
    I have a Digital Ocean VPS running StrongSwan IPSEC that serves me very well. If you don't want to use a VPS you can set up a machine at home to do the same thing.

    LeapSTR100-2/10.3.2.2876
    08-19-16 03:47 PM
  3. Jose Casiano's Avatar
    I have a Digital Ocean VPS running StrongSwan IPSEC that serves me very well. If you don't want to use a VPS you can set up a machine at home to do the same thing.

    LeapSTR100-2/10.3.2.2876
    I'm also interested in how do you set that up though any good literature?

    Posted via CB10
    08-19-16 04:15 PM
  4. Someone7272's Avatar
    I'm also interested in how do you set that up though any good literature?
    I did some more digging, and found this Raspberry Pi VPN guide on CrackBerry.

    However, I have a problem with this guide:

    This part of the guide assumes that you've got a static public IP address configured.
    Unfortunately our ISP doesn't allow this functionality for residential customers, so we're using a Dynamic DNS service. I'm not sure if this will work, but I guess it's worth buying a Raspberry Pi (they're only £30) to test it out with anyway.
    Last edited by Someone7272; 08-19-16 at 06:04 PM. Reason: Grammar error
    Jose Casiano likes this.
    08-19-16 06:02 PM
  5. Richard Buckley's Avatar
    Your best bet is to find a How To that matches the system you are using. A Raspberry Pi is a good choice if you want to have your endpoint at home. But dynamic IP addressing is just one issue you will have to deal with. The main one is that most home Internet connections are asymmetric. That is, they have a high downstream bandwidth and a low upstream bandwidth. How this affects your VPN depends on how you are going to use it. If you just want secure access to your home network, then you will have to accept the asymmetric bandwidth. However, it sounds like you want to use your VPN to access websites when you are away from home. In this case all packets to and from your phone through your home based VPN server will have to transit the low bandwidth upstream leg at least once. This will limit your maximum throughput to whatever the lower bandwidth of your connection is. A simple diagram may help
    Code:
     Phone
       |
       |
    Internet ---------Highspeed Downstream -----> Home
    Internet<----------Lowspeed Upstream<------- VPN Server
       |
       |
    Web Site
    On the other hand a VPS will be hosted in a data centre with a multi-gigabit fibre connection to the backbone. For about $US5/month you get all the machine you need to run a VPN (or two, I run both IPSec and OpenVPN on mine), web server, mail server. Backup power, lots of bandwidth and probably more data than you can use.

    The best thing about doing it yourself though is you get to decide what is important to you and then provide those features for yourself.
    08-19-16 07:41 PM
  6. gariac's Avatar
    I have a Digital Ocean VPS running StrongSwan IPSEC that serves me very well. If you don't want to use a VPS you can set up a machine at home to do the same thing.

    LeapSTR100-2/10.3.2.2876
    I have a Digital Ocean VPS and got the Strong Swan VPN "working", but never could figure how to "dial out". Maybe you can post a write-up on the Digital Ocean community pages. I think Digital Ocean will even credit you (as in not getting charged) for some articles.

    I used up a ridiculous amount of Tickerguy's time and just felt bad about bothering him as much as I did. I already have a good self signed cert.

    I'm using a freebsd droplet.

    Posted via CB10
    08-20-16 11:15 PM
  7. Richard Buckley's Avatar
    I have a Digital Ocean VPS and got the Strong Swan VPN "working", but never could figure how to "dial out". Maybe you can post a write-up on the Digital Ocean community pages. I think Digital Ocean will even credit you (as in not getting charged) for some articles.

    I used up a ridiculous amount of Tickerguy's time and just felt bad about bothering him as much as I did. I already have a good self signed cert.

    I'm using a freebsd droplet.

    Posted via CB10
    Not sure what you mean by dialing out.

    Two things:

    First, I'm not using certificates. People always think certificates are better without really thinking it through. There is no real security advantage using a PK certificate over a shared symmetric key of equivalent entropy. In fact the other way around since you need a 4096 bit RSA key pair to get the same brute force strength as a 256 bit key derived from a strong password. The only problem with using password derived shared secrets is that if you share them too much they aren't secrets anymore. Since only my wife and I use my VPN, only I know the shared secret. Not using certificates makes getting IPSEC going a lot simpler, so you should think about the use case for certificates in your situation.

    Second, I'm using CentOS 7 and followed a good How To written for CentOS 7 and Digital Ocean. I used BSD many years ago and found it to be a superb OS. I haven't used Free BSD, however it seems to push the envelope like the Debian crowd and Fedora. IPSEC is not the most popular VPN in the free x86 OS community, and it makes the greatest demands on standards compliance. One is often better off with a distribution that hangs back from the bleeding edge and concentrates on stability and standards.

    One final bit of advice, if you have ever used OpenVPN don't try to use your knowledge of it on IPSEC, they are completely different animals.

    LeapSTR100-2/10.3.2.2876
    08-21-16 08:17 AM
  8. gariac's Avatar
    Not sure what you mean by dialing out.

    Two things:

    First, I'm not using certificates. People always think certificates are better without really thinking it through. There is no real security advantage using a PK certificate over a shared symmetric key of equivalent entropy. In fact the other way around since you need a 4096 bit RSA key pair to get the same brute force strength as a 256 bit key derived from a strong password. The only problem with using password derived shared secrets is that if you share them too much they aren't secrets anymore. Since only my wife and I use my VPN, only I know the shared secret. Not using certificates makes getting IPSEC going a lot simpler, so you should think about the use case for certificates in your situation.

    Second, I'm using CentOS 7 and followed a good How To written for CentOS 7 and Digital Ocean. I used BSD many years ago and found it to be a superb OS. I haven't used Free BSD, however it seems to push the envelope like the Debian crowd and Fedora. IPSEC is not the most popular VPN in the free x86 OS community, and it makes the greatest demands on standards compliance. One is often better off with a distribution that hangs back from the bleeding edge and concentrates on stability and standards.

    One final bit of advice, if you have ever used OpenVPN don't try to use your knowledge of it on IPSEC, they are completely different animals.

    LeapSTR100-2/10.3.2.2876
    By dialing out, I mean I can't connect to the Internet. The VPN is established, but I can't connect to the outside world. I have Google's DNS on the droplet.

    I will go look for the centos guide, but of course the firewall will be different.

    I needed the cert for email anyway. Sometimes certs are easy, like prosody. But the VPN and email were very particular.

    Posted via CB10
    08-21-16 06:56 PM
  9. Richard Buckley's Avatar
    By dialing out, I mean I can't connect to the Internet. The VPN is established, but I can't connect to the outside world. I have Google's DNS on the droplet.

    I will go look for the centos guide, but of course the firewall will be different.

    I needed the cert for email anyway. Sometimes certs are easy, like prosody. But the VPN and email were very particular.

    Posted via CB10
    That sounds like you don't have IP forwarding turned on. In Linux that is a kernel parameter. Don't know how that is handled in Free BSD. Then you will need to have NAT configured.

    Just because you have the certificate doesn't mean it is better to use it. It is generally easier to setup email over TLS with a certificate than without. Not true with strong swan.

    If you are committed to Free BSD you need to find a good current description of how to do it for that OS. Either that or you will need to work out all the OS requirements yourself.

    LeapSTR100-2/10.3.2.2876
    08-22-16 03:49 AM
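The two prerequisites named in the reply above (IP forwarding and NAT), checked in one script. This is an added example, not part of the thread: it assumes a Linux gateway using iptables, and the pool `10.10.10.0/24` and the sample command outputs are constructed.

```shell
#!/bin/sh
# Added example: why an established tunnel may still have no Internet access.
# Assumes a Linux gateway with iptables; all sample values are constructed.

# stdin: output of `sysctl net.ipv4.ip_forward`; succeeds if forwarding is on.
forwarding_enabled() {
    awk -F'[ =]+' '$1 == "net.ipv4.ip_forward" { v = $2 }
                   END { exit (v == 1 ? 0 : 1) }'
}

# stdin: output of `iptables-save -t nat`; $1: VPN client pool in CIDR form.
# Succeeds if a POSTROUTING MASQUERADE/SNAT rule has no -s match or names the
# pool exactly (no subnet arithmetic is attempted).
nat_covers_pool() {
    awk -v pool="$1" '
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            src = ""
            for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "" || src == pool) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# $1: sysctl output, $2: iptables-save output, $3: client pool.
diagnose() {
    if ! printf '%s\n' "$1" | forwarding_enabled; then
        echo "no-forwarding"
    elif ! printf '%s\n' "$2" | nat_covers_pool "$3"; then
        echo "no-nat"
    else
        echo "ok"
    fi
}

POOL=10.10.10.0/24
SYSCTL_OFF='net.ipv4.ip_forward = 0'
SYSCTL_ON='net.ipv4.ip_forward = 1'
NAT_NONE='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT'

echo "forwarding off:     $(diagnose "$SYSCTL_OFF" "$NAT_GOOD" "$POOL")"
echo "forwarding on only: $(diagnose "$SYSCTL_ON" "$NAT_NONE" "$POOL")"
echo "both in place:      $(diagnose "$SYSCTL_ON" "$NAT_GOOD" "$POOL")"

# On a live gateway (as root):
#   diagnose "$(sysctl net.ipv4.ip_forward)" "$(iptables-save -t nat)" "$POOL"
```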
  10. gariac's Avatar
    That sounds like you don't have IP forwarding turned on. In Linux that is a kernel parameter. Don't know how that is handled in Free BSD. Then you will need to have NAT configured.

    Just because you have the certificate doesn't mean it is better to use it. It is generally easier to setup email over TLS with a certificate than without. Not true with strong swan.

    If you are committed to Free BSD you need to find a good current description of how to do it for that OS. Either that or you will need to work out all the OS requirements yourself.

    LeapSTR100-2/10.3.2.2876
    Well IP forwarding gives me something to work on. It gets plenty of hits. I settled into ipfw, which doesn't seem to be the most popular firewall on freebsd. I don't want to set up another droplet, so I will stick with freebsd. I've used suse Linux since the mid 90s, so freebsd gives me something new to learn. Of course job # 1 was to install bash on freebsd to maintain my sanity.

    Posted via CB10
    08-22-16 04:10 AM
  11. Someone7272's Avatar
    Your best bet is to find a How To that matches the system you are using. A Raspberry Pi is a good choice if you want to have your endpoint at home. But dynamic IP addressing is just one issue you will have to deal with. The main one is that most home Internet connections are asymmetric. That is, they have a high downstream bandwidth and a low upstream bandwidth.
    This isn't really an issue. We have a 18Mb/s upstream, which is faster than any 3G/4G speed I have achieved on my BlackBerry Z10. Theoretically, it should be capable of more, but that's more than fast enough for web browsing, and even video streaming.

    However, a Raspberry Pi is an ideal unit for this, because it's small, lightweight and power efficient. I believe that dynamic IP addressing, use of certificates/PKI infrastructure and my maxxed credit card are the only things holding me back from doing this.
    08-22-16 08:04 PM
  12. Warios's Avatar
    Check this copy/paste, maybe the example address is not in use but it's easy to find one that works.




    check for external iP and edit ipsec.conf

    backup your original /etc/ipsec.conf if something goes wrong
    sudo cp /etc/ipsec.conf /etc/ipsec.conf.backup

    make file
    nano updateip.conf.tmpl
    and copy lines from your /etc/ipsec.conf and make one change in it (see green text)


    config setup
        strictcrlpolicy=no

    conn %default
        keyexchange=ikev2

    conn rem
        rekey=no
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftid=CHANGE_ME  # don't change the word "CHANGE_ME", it will be used in the script
        right=%any
        rightsourceip=192.168.2.1/29
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add


    script to renewip:

    sudo nano renewip
    (checking your external IP and change it to new ip CHANGE_ME to $externalIp(new found ip) and moving new configuration file (ipsec.conf) in use)

    (put in lines)

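    <?php
    // Fetch the current external address; abort rather than install a broken config.
    $externalContent = @file_get_contents('http://ipecho.net/plain');
    if ($externalContent === false ||
        !preg_match('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', $externalContent, $m) ||
        filter_var($m[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        fwrite(STDERR, "renewip: no valid external IPv4 address, ipsec.conf left unchanged\n");
        exit(1);
    }
    $externalIp = $m[0];

    // Fill in the template and move the result into place as the live configuration.
    system("cat /home/pi/updateip.conf.tmpl | sed -e s/CHANGE_ME/$externalIp/g > /home/pi/newip.conf");
    system("sudo mv /home/pi/newip.conf /etc/ipsec.conf");
    ?>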


    use cron to run every day 06:00
    crontab -e
    (add line to bottom)
    00 06 * * * /usr/bin/php /home/pi/renewip
    08-23-16 02:43 AM
  13. Warios's Avatar
    Here is a link where you can find a solution for Dynamic IP!
    look at bottom of "Guide for running VPN server on Raspberry PI :" "solution 2: " !!!!

    WARIO's : VPN server for Blackberry 10
    08-23-16 02:49 AM
  14. Someone7272's Avatar
    Here is a link where you can find a solution for Dynamic IP!
    look at bottom of "Guide for running VPN server on Raspberry PI :" "solution 2: " !!!!

    WARIO's : VPN server for Blackberry 10
    Thanks so much for responding, but this isn't working for me.
    Code:
    Sep  4 00:50:22 raspberrypi charon: 07[CFG] left nor right host is our side, assuming left=local
    Sep  4 00:50:22 raspberrypi charon: 07[CFG] adding virtual IP address pool (address range of Pi)
    Sep  4 00:50:22 raspberrypi charon: 07[CFG] added configuration 'rem'
    Sep  4 00:51:05 raspberrypi charon: 09[NET] received packet: from (ip address of Z10)[21339] to (ip address of Pi)[500] (400 bytes)
    Sep  4 00:51:05 raspberrypi charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Sep  4 00:51:05 raspberrypi charon: 09[IKE] (ip address of Z10) is initiating an IKE_SA
    Sep  4 00:51:05 raspberrypi charon: 09[IKE] local host is behind NAT, sending keep alives
    Sep  4 00:51:05 raspberrypi charon: 09[IKE] remote host is behind NAT
    Sep  4 00:51:05 raspberrypi charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Sep  4 00:51:05 raspberrypi charon: 09[NET] sending packet: from (ip address of Pi)[500] to (ip address of Z10)[21339] (312 bytes)
    Sep  4 00:51:06 raspberrypi charon: 10[NET] received packet: from (ip address of Z10)[59013] to (ip address of Pi)[4500] (284 bytes)
    Sep  4 00:51:06 raspberrypi charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Sep  4 00:51:06 raspberrypi charon: 10[CFG] looking for peer configs matching (ip address of Pi)[%any]...(ip address of Z10)[test]
    Sep  4 00:51:06 raspberrypi charon: 10[CFG] selected peer config 'rem'
    Sep  4 00:51:06 raspberrypi charon: 10[IKE] EAP-Identity request configured, but not supported
    Sep  4 00:51:06 raspberrypi charon: 10[IKE] loading EAP_MSCHAPV2 method failed
    Sep  4 00:51:06 raspberrypi charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep  4 00:51:06 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
    Sep  4 00:51:06 raspberrypi charon: 10[NET] sending packet: from (ip address of Pi)[4500] to (ip address of Z10)[59013] (92 bytes)
    I've even tried this tutorial on the BlackBerry subreddit, and it still didn't work with the same message, "loading EAP_MSCHAPV2 method failed"!!!
    I've been working on this for 2 days now, and it's really making me wanna toss the damned thing out of the window !

    Also, when I installed strongSwan...

    1.INSTALL STRONGSWAN 5.0.4:

    Code:
    sudo nano /etc/apt/sources.list
    (add line )
    Code:
    deb http://p.quinput.eu/debfarm/ unstable all
    Code:
    sudo apt-get update
    sudo apt-get install strongswan
    This downloaded version 5.2.1, rather than version 5.0.4. But I can't really see that as being the cause of this problem.

    Searching around has yielded some "solutions" for the EAP_MSCHAPV2 problem, but none of these so-called "solutions" have worked for me.
    Hope you can understand my frustration. Can anybody help me with this?

    Thanks.
    Last edited by Someone7272; 09-03-16 at 08:17 PM.
    09-03-16 08:06 PM
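The two `[IKE]` lines in the log above say that charon could not use EAP-Identity or load the EAP-MSCHAPv2 method; in strongSwan both are provided by plugins (`eap-identity`, `eap-mschapv2`). The script below is an added example, not part of the thread: it derives the plugin names from the log and compares them with the `loaded plugins:` line of `ipsec statusall`. The plugin list in the sample status line is constructed, and the name mapping (lower-case, `_` to `-`) is an assumption that holds for the method shown here.

```shell
#!/bin/sh
# Added example: map charon's EAP failures to the plugins that are not loaded.

# stdin: charon log; prints the EAP plugins the log shows charon needed.
required_eap_plugins() {
    awk '
        /\[IKE\] loading EAP_[A-Z0-9_]+ method failed/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^EAP_/) {
                p = tolower($i); gsub(/_/, "-", p); need[p] = 1
            }
        }
        /\[IKE\] EAP-Identity request configured, but not supported/ {
            need["eap-identity"] = 1
        }
        END { for (p in need) print p }' | sort
}

# stdin: output of `ipsec statusall`; prints one loaded plugin per line.
loaded_plugins() {
    awk '/loaded plugins:/ {
            sub(/^.*loaded plugins: */, "")
            for (i = 1; i <= NF; i++) print $i
         }' | sort -u
}

# $1: charon log text, $2: `ipsec statusall` text.
# Prints the required EAP plugins that are missing from the loaded list.
unloaded_eap_plugins() {
    need=$(printf '%s\n' "$1" | required_eap_plugins)
    have=$(printf '%s\n' "$2" | loaded_plugins)
    for p in $need; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Log lines copied from the post above.
SAMPLE_LOG='Sep  4 00:51:06 raspberrypi charon: 10[IKE] EAP-Identity request configured, but not supported
Sep  4 00:51:06 raspberrypi charon: 10[IKE] loading EAP_MSCHAPV2 method failed
Sep  4 00:51:06 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]'

# Constructed status line: a daemon running without any EAP plugins.
SAMPLE_STATUS='  loaded plugins: charon aes sha1 sha2 hmac random nonce x509 pem openssl kernel-netlink socket-default stroke updown'

echo "EAP plugins required but not loaded:"
unloaded_eap_plugins "$SAMPLE_LOG" "$SAMPLE_STATUS"

# On the server itself (as root; the log path is an assumption):
#   unloaded_eap_plugins "$(grep charon /var/log/syslog)" "$(ipsec statusall)"
```

An empty result means both plugins are loaded; otherwise the listed plugins have to be installed and loaded before `rightauth=eap-mschapv2` can succeed.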
  15. Warios's Avatar
    I didn't update Strongswan on my server and that can be an issue if you did! Maybe they changed something in the source; I don't repair it if it is not broken?!?! Something like that was an issue when I was making the guide, with 5.0.0!!!
    Try downgrading to 5.0.4 and check if it helps?
    09-17-16 02:41 PM
