Android Tethering And VPNs

I have finally succumbed to the 24/7 connected world and have purchased a Google Nexus 4 running a vanilla, as in not messed about with, Android JellyBean. The SIM contract I have also allows for unlimited data, which is handy as there is no wireless where I live.

I also wish to tether my phone to my laptop and get Internet access when away from home. Phone tethering is when you turn your mobile phone into a broadband router, connecting it to the laptop via either a wireless hotspot or USB cable. I also want to make use of a VPN when away from home for security reasons. So I did some research and this is what I found…

VPNs

Why use a VPN? A VPN, or Virtual Private Network, is a means of tunnelling all your traffic via a secure, encrypted tunnel over the 3/4G network and the Internet to a specified end point. Whilst 3G uses encryption to secure your data, it is not a terribly good system. Also if you are using WiFi, do you trust the provider with your most private data? Possibly not if that provider is a hotel or Internet café.

The Problem With Email

When you are at home and fetch your email from your ISP’s email server, you are on their network talking directly to their servers. That traffic normally does not go out onto the Internet. Thus it is not terribly important that your email password is sent in the clear when signing into an IMAP or POP3 server. Some SMTP servers do not even require authentication when connecting to them from IP addresses owned by the ISP.

However, when you access your email from your phone, that information is sent across the Internet. Thus you should always use a secure setting in your email application (either SSL or TLS). Not doing so means that your authentication details will be sent in the clear. Remember that whilst your 3/4G connection may be encrypted, the security it provides ends at the servers on the Internet belonging to your mobile phone provider. Beyond them, your data will still transit the Internet in the clear.

If your email provider supports SSL or TLS then enable it on your email client and you are good to go (most webmail providers offer this level of security when accessing their POP3, IMAP and SMTP servers). If not then read on.
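An added example, not from the original post, of how to check that advice against a real server before trusting it with any credentials: it drives openssl s_client (the STARTTLS and implicit-TLS modes of the standard openssl tool) and parses its output, so a server that never negotiates TLS, or negotiates it with a certificate that does not verify, is reported as such. The host names handed to it are placeholders, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a mail server
# offers TLS and presents a certificate that verifies, using openssl s_client.
# Assumptions (not from the post): host names are placeholders, openssl is on
# the PATH, and the usual ports are 143/110/587 (STARTTLS) or 993/995/465
# (implicit TLS).

# Return 0 when captured s_client output shows a verified certificate chain.
tls_verified() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Return 0 when the captured output shows that a TLS session was negotiated
# at all (a server with no TLS or STARTTLS support never gets this far).
tls_negotiated() {
    printf '%s\n' "$1" | grep -Eq 'Protocol *: *TLSv|^New, TLSv'
}

# check_mail_tls HOST PORT MODE
#   MODE is "imap", "pop3" or "smtp" for STARTTLS on a plaintext port, or
#   "implicit" for a port that speaks TLS from the first byte.
# Exit status: 0 = TLS and certificate OK, 1 = TLS but bad certificate,
#              2 = no TLS at all.
check_mail_tls() {
    host=$1; port=$2; mode=$3
    if [ "$mode" = implicit ]; then
        out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    else
        out=$(openssl s_client -starttls "$mode" -connect "$host:$port" </dev/null 2>&1)
    fi
    if ! tls_negotiated "$out"; then
        echo "$host:$port ($mode): no TLS negotiated; do not send credentials here"
        return 2
    fi
    if ! tls_verified "$out"; then
        echo "$host:$port ($mode): TLS negotiated but the certificate did NOT verify"
        return 1
    fi
    echo "$host:$port ($mode): TLS OK, certificate verified"
    return 0
}

# Usage with placeholder hosts (run by hand, not at load time):
#   check_mail_tls mail.example.net 143 imap
#   check_mail_tls mail.example.net 993 implicit
#   check_mail_tls smtp.example.net 587 smtp
```

A "certificate did NOT verify" result is the case to take seriously: the connection is encrypted, but nothing proves it is encrypted to your provider rather than to whoever sits between you and them, which on hotel or café WiFi is exactly the situation the VPN section below is worried about.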

My ISP does not provide encrypted email servers. So I decided to configure my broadband router to provide a VPN that my phone could use for email. Thus email would be accessed as if the client was running on my home computer and not my phone.

This is not ideal as I use ADSL at home and whilst my download speed is around 5Mb/s my upload speed is 0.5Mb/s. Therefore access to email and any associated attachments is at the 0.5Mb/s rate as any traffic has to be uploaded by my router to the phone.

So when I want to read my email, I activate my VPN and start up my email client. When I am done I deactivate the VPN to get back my full data transfer rates.

This means that I had to make sure that the phone’s email client did not fetch new email in the background. If it did then it would negate the whole point of using the VPN. Luckily most email clients allow you to turn off syncing, auto-fetching and polling.

At this point some may think “Oh, life is too short, what the heck” and take the risk. However, I am quite happy using the above approach.

If you go with a VPN provider then choose a reputable one. Remember that they will have access to your unencrypted data.

Tethering With VPNs

Unfortunately the stock Android tethering application does not work with VPNs. This limitation is an oversight in the software and not a system limitation.

However there is an application called ClockworkMod Tether that will allow you to tether and use a VPN at the same time. In fact it makes use of the standard tethering application and then fixes up the routing information to make it work.

This application does not require you to root your phone but you do need to run software on the computer that you wish to connect to your phone. Also this only works for USB tethering at the moment.

There are other alternatives to ClockworkMod Tether, if you wish to try them, including PDANet.

Installing ClockworkMod Tether is detailed on their website. On the phone this is a simple application install. It is not free, but you do have plenty of time to evaluate the software, and even when your time runs out I believe it simply limits the amount of data you can put through it. You must have the stock Android tether application (Tether.apk) installed as well. Their site gives you download links not only for the computer-side client software that you need but also for this tether application, just in case you do not already have it installed on your phone. The client software supports MS-Windows, Linux and Mac OS X.

I installed the Linux software onto my Debian laptop. All now works like a dream but I did have a couple of issues that needed ironing out:

  • The most important issue was I found the setup unreliable when trying to establish an initial connection. After much head scratching and experimenting I found that doing a traceroute 8.8.8.8 after about ten seconds invariably brought the link up and everything started working. It is as though something needed to be prodded in order for it to work. Alternatives to traceroute include telnet and possibly ping.
  • My /etc/resolv.conf file was updated with 8.8.8.8, which would normally be fine, but I use pdnsd for caching DNS queries. I had already configured pdnsd to use 8.8.8.8 and so wanted to stop this unnecessary update that in effect bypassed pdnsd altogether.

Just in case you do not know, 8.8.8.8 is the IP address of one of Google’s main DNS servers, the other being 8.8.4.4.

In the end I modified the node-tuntap/linux/interface-setup.sh shell script within the tether software to get around both issues listed above. My version is here:

#!/bin/sh
# Modified node-tuntap/linux/interface-setup.sh: the tether client calls this
# with the tunnel IP address and the tunnel device name.

# Prod the link until it comes up: run a short traceroute every ten seconds,
# giving up after five attempts. This runs in a background subshell, so the
# exit only ends that subshell, not the main script.
activate_link()
{
    count=0
    while test $count -lt 5
    do
        sleep 10
        traceroute -m 2 8.8.8.8 > /dev/null 2>&1
        if test $? -eq 0
        then
            count=100
        else
            count=`expr $count + 1`
        fi
    done
    exit 0
}

if [ -z "$1" -o -z "$2" ]
then
    echo "usage: $0 ipaddress device"
    echo "ex: $0 10.0.0.1 tun0"
    exit 1
fi

# Bring up the tunnel interface and send all traffic through it.
ifconfig "$2" "$1/24" "$1"
route add default "$2"

# Only touch /etc/resolv.conf if pdnsd is not already using 8.8.8.8; otherwise
# the added nameserver line would bypass the local pdnsd cache altogether.
pdnsd-ctl status | fgrep -q 'ip: 8.8.8.8'
if test $? -ne 0
then
    echo domain localdomain >> /etc/resolv.conf
    echo search localdomain >> /etc/resolv.conf
    echo nameserver 8.8.8.8 >> /etc/resolv.conf
fi

(activate_link) &

The activate_link routine uses traceroute to prod the interface and get the link working. The pdnsd-ctl status test just before the resolv.conf lines makes sure that the DNS entries are only added to /etc/resolv.conf if pdnsd has not already been configured to use 8.8.8.8.

This tethering setup works with or without a VPN being active on the phone.

Tethering And Firewalls

I have a firewall running on my Linux laptop, provided by FireStarter. So I needed to add a few rules to cope with the tethering setup:

    iptables -I INPUT 1 -p udp -s 8.8.8.8 -j ACCEPT
    iptables -I INPUT 1 -p udp --sport 123 -j ACCEPT
    iptables -I INPUT 1 -p tcp --dport 50001 -j ACCEPT

The first rule is primarily for DNS, although sniffing the connection showed some traffic between 8.8.8.8 and Firefox, initiated in both directions on random UDP ports. This seemed to be something to do with field auto-completion and only seems to happen when using one of Google’s DNS servers (incidentally, if anyone reading this could explain precisely what is going on here, that would be great). Restricting the rule to just the DNS port caused very noticeable slowdowns.

The second rule is for NTP. I need to do more experimenting, as I would have thought that this rule would be unnecessary since my laptop is making an outgoing request to the NTP server. But I specifically included it because something was not working.

The third rule is for the tethering software. Again I probably need to tie down the sender’s IP address.

If you want these rules to be actioned automatically as a part of FireStarter then you can put the following into /etc/firestarter/user-post:

    $IPT -I INPUT 1 -p udp -s 8.8.8.8 -j ACCEPT
    $IPT -I INPUT 1 -p udp --sport 123 -j ACCEPT
    $IPT -I INPUT 1 -p tcp --dport 50001 -j ACCEPT
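An added example, not from the original post or from FireStarter, of a tighter version of those three rules built around connection tracking. It also bears on the NTP puzzle above: a stateful accept rule matches the replies to the laptop's own outgoing requests (DNS replies on whatever port they arrive, NTP replies from port 123) without a blanket accept of everything from 8.8.8.8 or of every packet with source port 123, and unsolicited UDP from the DNS servers is logged rather than silently let in, which is how one would find out what that random-port traffic actually is. The interface name tun0, the 10.0.0.0/24 tether subnet, the port 50001 and the availability of the conntrack match are assumptions taken from the script above, not facts about the tether software.

```shell
#!/bin/sh
# Added example, not part of the original post or of FireStarter: a tighter
# set of INPUT rules for the tether setup. The rules are generated as text so
# they can be reviewed first, and only applied with iptables when asked.
# Assumptions (not from the post): the tether link is tun0 carrying
# 10.0.0.0/24 as in interface-setup.sh, the tether client listens on TCP 50001,
# and the kernel has the conntrack match (xt_conntrack) and the limit match.
TETHER_IF="${TETHER_IF:-tun0}"
TETHER_NET="${TETHER_NET:-10.0.0.0/24}"
TETHER_PORT="${TETHER_PORT:-50001}"
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"

# Print one iptables argument list per line; nothing is applied here.
tether_rules() {
    # Replies to anything this laptop started (DNS on any port, NTP, ...) are
    # matched by connection tracking, so neither a blanket accept from the DNS
    # server nor an accept of every packet with source port 123 is needed.
    echo "-I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The tether control port is reachable only from the phone's USB subnet.
    echo "-I INPUT 2 -i $TETHER_IF -s $TETHER_NET -p tcp --dport $TETHER_PORT -j ACCEPT"
    # Log (rate limited) UDP from the DNS servers that is not a reply to one of
    # our own queries; anything the default policy then drops shows up in the
    # kernel log with this prefix, which answers "what was that traffic".
    for dns in $DNS_SERVERS; do
        echo "-I INPUT 3 -p udp -s $dns -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix tether-dns-new:"
    done
}

# Number of rules that would be applied; a cheap sanity check.
tether_rule_count() {
    tether_rules | wc -l | tr -d ' '
}

# Apply the rules with iptables; needs root. Each generated line is
# intentionally word-split into separate iptables arguments.
apply_tether_rules() {
    tether_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule || return 1
    done
}

# Run as root with "apply" to install the rules; with no argument it only
# prints them for review.
if [ "${1:-}" = apply ]; then
    apply_tether_rules
elif [ "${1:-}" = show ]; then
    tether_rules
fi
```

The same lines, with `iptables` replaced by `$IPT`, can go into /etc/firestarter/user-post in place of the three rules above; the one thing to confirm first is that FireStarter's own rule set does not already drop NEW traffic from the tether subnet before position 2, which `iptables -L INPUT -n --line-numbers` will show.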

Tether Detection And Avoidance

Some providers go to considerable lengths to detect tethering so that they can charge the customer more by putting them onto a tethering plan. This can even apply to some so-called ‘unlimited’ data plans.

I think this is pretty underhand. Unlimited should mean exactly that. It is up to the customer how they make use of their data plan. The rationale is that if you tether your laptop then it is far more convenient to do more stuff on the Internet, including streaming videos, than if you were doing it on your phone. Thus you are much more likely to use more bandwidth and put a greater strain on the data network, which could be detrimental to other users. OK, fair enough, but then why not clearly state “unlimited excluding tethering” in the contract rather than hiding it away in the small print, and why not simply practise a fair usage policy instead? Looking at the blogs, people get picked up just for using tethering and not because they are hogging bandwidth.

Tether detection can be done a number of ways:

  • Your tether application, provided by your network provider, simply sends a message through to them every time you activate tethering. This message need not go via the Internet; they have a number of communications channels open to them.
  • Your provider monitors your traffic and checks things like the TTL values on IP packets, or possibly IP ID values, to estimate the number of devices being tethered.
  • Looking at web browser user-agent strings in web traffic, i.e. are you using a desktop Firefox browser or the Google Chrome phone browser?

With the first point, one can simply install and use the stock Android tethering application. It would have no reason to phone home to your provider.

The other two points can be dealt with by using a VPN from the phone, preferably a UDP-based one, as UDP packets carry less state information than TCP packets.

Luckily my provider essentially practices a fair usage policy. So my main concern is security. However do bear in mind that if you are on a no-tether plan then you could fall foul of your provider and end up being charged for tethering. It is unlikely that they will ban you as they cannot make money that way.


5 thoughts on “Android Tethering And VPNs”

  1. Awesome article. I gave up on this some months ago as I couldn’t get data flowing from PC Internet once the VPN connection was established on the phone. Now I’m aware of the prod “feature” I’ll give this another go when my contract is up for renewal and the tethering data caps come into force. Thanks

  2. I already have a VPN going on my phone (StrongSwan), and I’m using the built-in tethering for my laptop. Any idea how I can use the default tether to go through the VPN, or maybe you have some other software suggestions? I tried PdaNet but couldn’t get it to toggle WiFi and would rather not install software on my computer to use Clockwork.

    I have a rooted HTC One from Verizon.

    Thanks.

    • Firstly sorry for my late reply…

      I take it that you wish to tether via Wifi and not USB? If so then PDANet was the one I came across that seemed to be most successful at this (but no way guaranteed as you found out unfortunately). So I’m sorry I don’t have any other suggestions for you I’m afraid. At the time I was looking for solutions that didn’t require rooting as well. Incidentally this is why the ClockWorkMod solution required PC side software so as to get around the unrooted phone problem.

      • No problem, yeah I’m guessing it’s a long shot finding a solution that’ll work with my configuration. I do have a rooted phone though if you by chance are aware of a method for root…?
