Android SSH Tunnel (Beta), A Simple Alternative to IPSec/L2TP/OpenVPN (with SOCKS Proxy for Mac OS X)
Warning: I do not recommend using "SSH Tunnel" from the Play Store or using the compiled from source application (beta version) until all of the SSH Tunnel Security Concerns are resolved.
NOTE: This article is merely a WIP documentation of my R&D for finding a
sshuttle
equivalent for Android.
After starting to write my own tutorial for a VPN with IPSec/L2TP (coming soon) (based off several sources), I began to realize that this approach is flawed in its complexity (and most likely has more room for error than alternatives). The sources I used all seemed to take different approaches on MASQUERADE
vs SNAT
option in the /etc/rc.local
configuration as well. Also, none of these offered tips for configuring the server itself to be performant as a VPN (e.g. optimize latency and throughput configuration.
While I continued to write this tutorial (linked above), I recalled that I used to enjoy using this sshuttle
project (when I had used Ubuntu/Linux Mint; e.g. here was my old setup). Since I tether quite a bit, I thought it would be nice to simply have something like sshuttle
set up on my Android device (OnePlus One, rooted as well) and then have a SOCKS proxy on my MBA to tunnel through the device proxy itself (albeit this will slow my 3G/4G connection down if I use it constantly, a simple and secure tunnel is nice to have nonetheless). This is also a simple solution for securely connecting to public wi-fi hotspots or while as a guest somewhere.
I found "SSH Tunnel" by simply searching "sshuttle for android" as one would normally on Google. I was brought to this Google Groups thread, which then led me to an Android app called SSH Tunnel and its current version is v1.5.6
(as of today). The source is published at code.google.com/p/sshtunnel as well. However, upon reading the description I noticed the author has a beta going of v2.x.x
, and its last update is from 2012 (so is it stable, outdated, or not maintained?). The beta's source code is on GitHub at github.com/madeye/sshtunnel-beta. There is also an APK available to download for the beta version v2.0.3
at https://code.google.com/p/sshtunnel/downloads/list.
As many know, there are obvious concerns regarding security on publicly released APK's – and when dealing with tunneling – I'd prefer to compile from source myself. This beta source code also apparently solves a few issues such as DNS lookup leaks. I did notice that the version v0.9.8m
of OpenSSL the project uses is outdated and is vulnerable (?!) (also apparently 100,000 - 500,000 users have v1.5.6
on Android…).
Another thing – I started to file issues on the GitHub project (e.g. getting a stable release of the beta in the Play Store and updating OpenSSL), but the author then instantly disabled the Issues tab – which is questionable since the code.google.com
issues are outdated and unmaintained. I wrote to the author @madeye as well, but have not heard back yet. The beta release was once available in the Play Store according to some cached search results at https://play.google.com/store/apps/details?id=org.sshtunnel.beta&feature=more_from_developer and according to this blog post at http://support.vpnsecure.me/articles/getting-started-ssh-tunnel/android-ssh-setup-with-sshtunnel.
I also tried the Shadowsocks app (compiled from source at github.com/shadowsocks/shadowsocks-android) – however it did not have support for SSH tunneling as the SSH Tunnel app has.
It would be great to get the developer community involved with this project, as it has a lot of potential for being the well-tested/developed, simple/quick, go-to solution for a poor man's VPN (like sshuttle
) on Android.
I've compiled this list of security concerns regarding the SSH Tunnel app (in no particular order of significance):
-
Possibly uses vulnerable version of OpenSSL
-
The app contains proprietary analytics software (called "FlurryAgent") through the use of
FlurryAgent.jar
via f-droid.org)so you can be spied on while you make your secure private connections!? — CiaranG
-
Someone suggested to replace
Flurry
withCountly
and also questioned why the need for analytics on an SSH Tunnelling app is needed in the first place at https://bitbucket.org/madeye/sshtunnel/issue/1/suggestion-replace-flurry-by-countly – but upon closer look insrc/org/sshtunnel/SSHTunnelService.java:1044
it seems like in the beta version it's not used?// This is the old onStart method that will be called on the pre-2.0 // platform. On 2.0 or later we override onStartCommand() so this // method will not be called. @Override public void onStart(Intent intent, int startId) { super.onStart(intent, startId); FlurryAgent.onStartSession(this, "MBY4JL18FQK1DPEJ5Y39");
-
I discovered there is also a BitBucket repository at https://bitbucket.org/madeye/sshtunnel (in addition to this GitHub repo for SSH Tunnel... so confusing – I wonder what the
diff
looks like and/or what are the missing commits are between the two?) -
Can we use this as an alternative to
FlurryAgent.jar
? https://github.com/uniqdom/FinfAgent
-
-
The app has a beta that is two years old and was once released to the app store (but now is pulled) – what was the reasoning for that?
-
The app in the Play Store is
v1.5.6
which has DNS leaks (noted above) and seems to be much slower than the betav2.x.x
package.
TODO: Add instructions here (or fork the repo and rewrite the Readme as similar to https://github.com/shadowsocks/shadowsocks-android#build and https://github.com/yshahin/dotfiles/blob/master/zshrc#L31-L36). Then transfer and install to your Android device over USB with adb -d install my-signed-app.apk
.
TODO: Add instructions here for setting up Digital Ocean box and also instructions to tune it for http://shadowsocks.org/en/config/advanced.html (what bits of this config are even necessary if any?)
TODO: Add instructions here for generating key, adding user
ssh-keygen -t rsa -b 4096 -C "android"
TODO: Add instructions here for copying SSH key to desktop and then using adb
to push it
adb push id_rsa /sdcard/sshtunnel/key
TODO: Add instructions (and screenshots?) here showing how to configure the profile in SSH Tunnel beta app
In order for any device connected to your Android hot-spot running SSH Tunnel, you'll need to configure the device's network to use SOCKS proxy.
- Reply to google group sshuttle android question with this tutorial
- Try to get a hold of the author again
- Post to Hacker News
- Share internally among the team
Great article.
Any update? Do you currently run the compiled beta version? Any issue?