Need advice on setting up my own private VPN server for BlackBerry 10
- Hi all,
In the UK, there's a scam which fraudulently charges directly to your phone bill, simply for visiting a malicious website, or landing on a page with a malicious advert. More information on that here. If you're in the UK and using a UK network operator, I strongly recommend that you read this thread!
The scam works because UK network operators provide your phone number, based off your 3G/4G IP address to websites. If I use a VPN, that would prevent this scam from happening, as websites will only see the VPN IP address, rather than my 3G/4G IP address.
I'm considering setting up my own private VPN server at home, and route all traffic from my Z10 through that. We have an upload speed of 18Mb/s and a download speed of 70Mb/s at home, so speed should not be much of an issue here. I was previously able to do this on my iPhone 4S using a PPTP VPN server. But PPTP was compromised a long time ago, so it's obviously not supported on BlackBerry 10. I'm not looking for my VPN to be the most secure, I just want a VPN that works.
Now before everybody starts spamming, to be clear, I AM NOT LOOKING FOR A PAID OR 3RD PARTY VPN SERVICE!
Please don't suggest any, I'm not interested; I want to do this myself.
Now VPN support on BlackBerry 10 seems to be mostly vendor specific. It gets worse - there's no OpenVPN support. This makes me sad, I don't want to buy a Cisco ASA, because those things are huge, noisy, expensive and extremely difficult to configure.
However, I do see a "Generic IKEv2 VPN Server" entry. Therefore, if I can find IKEv2 VPN server software which is compatible with BlackBerry 10, then this could work.
So, I call on the community. Has anybody tried using their BlackBerry 10 device with their own private VPN server? Did it work? If it did, what server software did you use?
Even if you have not personally tested it, but know of any VPN server software which should be compatible with BlackBerry 10, please feel free to suggest it.
Ideally, it would be free, open-source, and capable of running on a low-power Linux box. However, I will still consider commercial VPN server software, or VPN server software which runs on Windows.
I've already said this once, but I'll say it again...
I am looking for BlackBerry 10 compatible VPN server software.
NOT a VPN service.
Thanks.
Last edited by Someone7272; 08-19-16 at 01:46 PM. Reason: Improve readability
08-19-16 01:43 PM
- I have a Digital Ocean VPS running StrongSwan IPSEC that serves me very well. If you don't want to use a VPS you can set up a machine at home to do the same thing.
LeapSTR100-2/10.3.2.2876
08-19-16 03:47 PM
- However, I have a problem with this guide:
leftid=xxx.xxx.xxx.xxx #(What Is My IP Address? Lookup IP, Hide IP, Change IP, Trace IP and more...)
Unfortunately our ISP doesn't allow this functionality for residential customers, so we're using a Dynamic DNS service. I'm not sure if this will work, but I guess it's worth buying a Raspberry Pi (they're only £30) to test it out with anyway.
Last edited by Someone7272; 08-19-16 at 06:04 PM. Reason: Grammar error
08-19-16 06:02 PM
- Your best bet is to find a How To that matches the system you are using. A Raspberry Pi is a good choice if you want to have your endpoint at home. But dynamic IP addressing is just one issue you will have to deal with. The main one is that most home Internet connections are asymmetric. That is, they have a high downstream bandwidth and a low upstream bandwidth. How this affects your VPN depends on how you are going to use it. If you just want secure access to your home network, then you will have to accept the asymmetric bandwidth. However it sounds like you want to use your VPN to access websites when you are away from home. In this case all packets to and from your phone through your home based VPN server will have to transit the low bandwidth upstream leg at least once. This will limit your maximum throughput to whatever the lower bandwidth of your connection is. A simple diagram may help
Code:
Phone
  |
  |
Internet ---------Highspeed Downstream -----> Home
Internet<----------Lowspeed Upstream<------- VPN Server
  |
  |
Web Site
The best thing about doing it yourself though is you get to decide what is important to you and then provide those features for yourself.
08-19-16 07:41 PM
- I have a Digital Ocean VPS and got the Strong Swan VPN "working", but never could figure how to "dial out". Maybe you can post a write-up on the Digital Ocean community pages. I think Digital Ocean will even credit you (as in not getting charged) for some articles.
I used up a ridiculous amount of Tickerguy's time and just felt bad about bothering him as much as I did. I already have a good self signed cert.
I'm using a freebsd droplet.
Posted via CB10
08-20-16 11:15 PM
- Not sure what you mean by dialing out.
Two things:
First, I'm not using certificates. People always think certificates are better without really thinking it through. There is no real security advantage using a PK certificate over a shared symmetric key of equivalent entropy. In fact the other way around since you need a 4096 bit RSA key pair to get the same brute force strength as a 256 bit key derived from a strong password. The only problem with using password derived shared secrets is that if you share them too much they aren't secrets anymore. Since only my wife and I use my VPN, only I know the shared secret. Not using certificates makes getting IPSEC going a lot simpler, so you should think about the use case for certificates in your situation.
Second, I'm using CentOS 7 and followed a good How To written for CentOS 7 and Digital Ocean. I used BSD many years ago and found it to be a superb OS. I haven't used Free BSD, however it seems to push the envelope like the Debian crowd and Fedora. IPSEC is not the most popular VPN in the free x86 OS community, and it makes the greatest demands on standards compliance. One is often better off with a distribution that hangs back from the bleeding edge and concentrates on stability and standards.
One final bit of advice, if you have ever used OpenVPN don't try to use your knowledge of it on IPSEC, they are completely different animals.
LeapSTR100-2/10.3.2.2876
08-21-16 08:17 AM
- By dialing out, I mean I can't connect to the Internet. The VPN is established, but I can't connect to the outside world. I have Google's DNS on the droplet.
I will go look for the centos guide, but of course the firewall will be different.
I needed the cert for email anyway. Sometimes certs are easy, like prosody. But the VPN and email were very particular.
Posted via CB10
08-21-16 06:56 PM
- That sounds like you don't have IP forwarding turned on. In Linux that is a kernel parameter. Don't know how that is handled in Free BSD. Then you will need to have NAT configured.
Just because you have the certificate doesn't mean it is better to use it. It is generally easier to set up email over TLS with a certificate than without. Not true with strong swan.
If you are committed to Free BSD you need to find a good current description of how to do it for that OS. Either that or you will need to work out all the OS requirements yourself.
LeapSTR100-2/10.3.2.2876
08-22-16 03:49 AM
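The two prerequisites named in the reply above (IP forwarding and NAT), as an added example that is not part of the thread: a POSIX shell check that takes the forwarding value and an `iptables-save -t nat` dump and reports which one is missing. It covers Linux only; the pool 10.10.10.0/24, the interface eth0 and both sample rule sets are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): offline check of the two Linux
# prerequisites for routing VPN client traffic to the Internet.

# Constructed samples of `iptables-save -t nat` output; the pool
# 10.10.10.0/24 and the interface eth0 are hypothetical.
SAMPLE_NAT_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_NAT_EMPTY='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# check_egress FORWARD_VALUE NAT_RULES POOL_CIDR
# Prints one finding per line, or "ok" when both prerequisites hold.
check_egress() {
  fwd=$1; rules=$2; pool=$3; status=ok
  if [ "$fwd" != "1" ]; then
    echo "net.ipv4.ip_forward=$fwd: kernel will not forward client packets"
    status=bad
  fi
  # Escape dots so grep -E matches the CIDR literally.
  pool_re=$(printf '%s' "$pool" | sed 's/\./\\./g')
  # Only a MASQUERADE or SNAT target counts; an ACCEPT rule does not NAT.
  if ! printf '%s\n' "$rules" |
      grep -Eq -e "^-A POSTROUTING .*-s ${pool_re}( .*)? -j (MASQUERADE|SNAT)"; then
    echo "no MASQUERADE/SNAT rule for $pool: client traffic leaves un-NATed"
    status=bad
  fi
  [ "$status" = ok ] && echo ok
  return 0
}

# On a live Linux gateway the inputs would come from:
#   sysctl -n net.ipv4.ip_forward
#   iptables-save -t nat
check_egress 0 "$SAMPLE_NAT_EMPTY" 10.10.10.0/24
```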
- However, a Raspberry Pi is an ideal unit for this, because it's small, lightweight and power efficient. I believe that dynamic IP addressing, use of certificates/PKI infrastructure and my maxed credit card are the only things holding me back from doing this.
08-22-16 08:04 PM
- Check this copy/paste; maybe the example address is not in use, but it's easy to find one that works.
Check for external IP and edit ipsec.conf
Back up your original /etc/ipsec.conf in case something goes wrong
sudo cp /etc/ipsec.conf /etc/ipsec.conf.backup
Make a file
nano updateip.conf.tmpl
and copy the lines from your /etc/ipsec.conf and make one change in it (see green text)
config setup
    strictcrlpolicy=no

conn %default
    keyexchange=ikev2

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=CHANGE_ME  # don't change the word "CHANGE_ME", it will be used in the script
    right=%any
    rightsourceip=192.168.2.1/29
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
Script to renewip:
sudo nano renewip
(checks your external IP, changes CHANGE_ME to $externalIp (the newly found IP) and moves the new configuration file (ipsec.conf) into use)
(put in lines)
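<?php
// Look up this host's current external IPv4 address.
$externalContent = file_get_contents('http://ipecho.net/plain');
// Stop before touching /etc/ipsec.conf if the lookup failed or returned no address.
if ($externalContent === false
    || !preg_match('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', $externalContent, $m)) {
    exit(1);
}
$externalIp = $m[0];
// Fill the CHANGE_ME placeholder in the template, then install the result.
system("cat /home/pi/updateip.conf.tmpl | sed -e s/CHANGE_ME/$externalIp/g > /home/pi/newip.conf");
system("sudo mv /home/pi/newip.conf /etc/ipsec.conf");
?>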
Use cron to run it every day at 06:00
crontab -e
(add line to bottom)
00 06 * * * /usr/bin/php /home/pi/renewip
08-23-16 02:43 AM
- Here is a link where you can find a solution for dynamic IP!
Look at the bottom of "Guide for running VPN server on Raspberry PI:", "solution 2:"!!!!
WARIO's : VPN server for Blackberry 10
08-23-16 02:49 AM
-
Code:
Sep 4 00:50:22 raspberrypi charon: 07[CFG] left nor right host is our side, assuming left=local
Sep 4 00:50:22 raspberrypi charon: 07[CFG] adding virtual IP address pool (address range of Pi)
Sep 4 00:50:22 raspberrypi charon: 07[CFG] added configuration 'rem'
Sep 4 00:51:05 raspberrypi charon: 09[NET] received packet: from (ip address of Z10)[21339] to (ip address of Pi)[500] (400 bytes)
Sep 4 00:51:05 raspberrypi charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 4 00:51:05 raspberrypi charon: 09[IKE] (ip address of Z10) is initiating an IKE_SA
Sep 4 00:51:05 raspberrypi charon: 09[IKE] local host is behind NAT, sending keep alives
Sep 4 00:51:05 raspberrypi charon: 09[IKE] remote host is behind NAT
Sep 4 00:51:05 raspberrypi charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 4 00:51:05 raspberrypi charon: 09[NET] sending packet: from (ip address of Pi)[500] to (ip address of Z10)[21339] (312 bytes)
Sep 4 00:51:06 raspberrypi charon: 10[NET] received packet: from (ip address of Z10)[59013] to (ip address of Pi)[4500] (284 bytes)
Sep 4 00:51:06 raspberrypi charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sep 4 00:51:06 raspberrypi charon: 10[CFG] looking for peer configs matching (ip address of Pi)[%any]...(ip address of Z10)[test]
Sep 4 00:51:06 raspberrypi charon: 10[CFG] selected peer config 'rem'
Sep 4 00:51:06 raspberrypi charon: 10[IKE] EAP-Identity request configured, but not supported
Sep 4 00:51:06 raspberrypi charon: 10[IKE] loading EAP_MSCHAPV2 method failed
Sep 4 00:51:06 raspberrypi charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 4 00:51:06 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Sep 4 00:51:06 raspberrypi charon: 10[NET] sending packet: from (ip address of Pi)[4500] to (ip address of Z10)[59013] (92 bytes)
I've been working on this for 2 days now, and it's really making me wanna toss the damned thing out of the window !
Also, when I installed strongSwan...
Searching around has yielded some "solutions" for the EAP_MSCHAPV2 problem, but none of these so-called "solutions" have worked for me.
Hope you can understand my frustration. Can anybody help me with this?
Thanks.
Last edited by Someone7272; 09-03-16 at 08:17 PM.
09-03-16 08:06 PM
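A triage helper for the charon log quoted in the post above, as an added example that is not part of the thread: it pulls out the EAP failures and names the strongSwan plugin each message points to. The `check-plugin` and `auth-failed` labels and the EAP_<NAME> to eap-<name> mapping are this example's assumptions, based on strongSwan's plugin naming; the sample lines are abridged from the quoted log.

```sh
#!/bin/sh
# Added example (not from the thread): summarise EAP failures in charon logs.

# Constructed sample, abridged from the log lines quoted in the post.
SAMPLE_LOG='Sep 4 00:51:06 raspberrypi charon: 10[IKE] EAP-Identity request configured, but not supported
Sep 4 00:51:06 raspberrypi charon: 10[IKE] loading EAP_MSCHAPV2 method failed
Sep 4 00:51:06 raspberrypi charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 4 00:51:06 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]'

# eap_findings LOG_TEXT
# Prints "check-plugin <name>" once per EAP method the daemon could not
# use, then "auth-failed" if the server answered the client with EAP/FAIL.
# Prints nothing when the log contains none of these messages.
eap_findings() {
  printf '%s\n' "$1" | awk '
    function report(p) {
      if (!(p in seen)) { seen[p] = 1; print "check-plugin " p }
    }
    /EAP-Identity request configured, but not supported/ {
      report("eap-identity")
    }
    match($0, /loading EAP_[A-Z0-9_]+ method failed/) {
      # Skip the 12-char prefix "loading EAP_" and 14-char suffix " method failed".
      name = tolower(substr($0, RSTART + 12, RLENGTH - 26))
      gsub(/_/, "-", name)
      report("eap-" name)
    }
    /generating IKE_AUTH response .*EAP\/FAIL/ { failed = 1 }
    END { if (failed) print "auth-failed" }
  '
}

# On a live host, compare the reported names with `ipsec listplugins`.
eap_findings "$SAMPLE_LOG"
```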