Direct ALL android traffic through SSH tunnel

android linux ssh iptables cyanogenmod
13,085

Solution 1

Have you tried using sshtunnel? Iptables alone is not enough to do this.

As for an overview of how it's actually done:

  1. Login to your server with ssh and forward the HTTP proxy port to the Android device. Thus any traffic going to localhost:3128 will actually go to the remote machine (your home router).
  2. Because Android doesn't have a global proxy setting, you make redirect all traffic going to port 80 (and 443 for HTTPS) to localhost:3128. That's where iptables comes in:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to localhost:3128

If you want to redirect other protocols too, you use a SOCKS proxy with a similar setup. To redirect DNS, redirect port 53 through the tunnel, etc.

All in all to complete conceal 'all traffic' is not that easy, so just use the app. If you want to patch Cyanogenmod to do this, look at the source and modify the startup scripts.

Solution 2

This doesn't solve your use case because this only directs the traffic of firefox, but you don't need root.

TL;DR

  1. Install Termux app on android, EDIT IMPORTANT: Termux does not receive updates on Play Store anymore. Install the application and add-ons from F-Droid instead.

  2. In termux install openssh pkg i -y openssh

  3. ssh into server using dynamic port forwarding ssh user@server -D12345

  4. Install Firefox Beta on android (at this time, plain Firefox doesn't support configuring with about:config)

  5. Open Firefox Beta, and go to about:config

  6. Search proxy

  7. Look for and set the following properties:

    network.proxy.allow_hijacking_localhost: true
network.proxy.socks: localhost
network.proxy.socks_port: 12345
network.proxy.type: 1

    make sure network.proxy.socks_port matches with the port in the ssh command above

  8. Done!, you are now navigating through the ssh server on Firefox

Full instructions using ssh-keys

Usage

  1. Open Termux and run ssh user@server -D12345 (or just press Up+Enter if you have run this command previously)
  2. Navigate using the proxy-configured Firefox
  3. Done!, your traffic is going through the server

Install

Setup Android

Termux

  1. Install Termux

  2. Configure ssh client by running the following commands:

    # Ask for storage permission
termux-setup-storage &&
# Install openssh
apt install -y openssh &&
# Generate an SSH key
ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa &&
# Set a password for the private key
# Get public key
echo -e '\nCopy the following public key:'
cat ~/.ssh/id_ecdsa.pub

  3. (Optional) If you have access to the server with ssh, then run:

    ssh-copy-id user@server

    If not, you need to manually add the public key to the server. This is explained below in the Setup server section

Firefox

  1. Install Firefox Beta - normal firefox might work if you can access to about:config

  2. Open Firefox and go to the url about:config, search proxy and set the following configurations:

    network.proxy.allow_hijacking_localhost: true
network.proxy.socks: localhost
network.proxy.socks_port: 12345
network.proxy.type: 1

    make sure network.proxy.socks_port matches with the port used in the ssh command in the Usage section

Setup server

If you succesfully run the command ssh-copy-id there's nothing to do here.
But if not, you need to manually add the public key generated:

echo 'public key' >> ~/.ssh/authorized_keys

In the future I will be keeping this up-to-date here: https://github.com/madacol/knowledge/blob/master/Ssh%20poor-man's-vpn%20on%20android.md

Share:
13,085
CatZilla
Author by

CatZilla

Updated on June 11, 2022

Comments

  • CatZilla
    CatZilla almost 2 years

    I am trying to completely conceal all traffic on my phone from the wireless provider.

    I would like to do this by directing the traffic through an SSH tunnel to my home router through iptables (not sure if they help?).

    The phone is rooted and is running CyanogenMod 7.1 (and is therefore iptables-capable).

    I've looked at this question, but I am still sort of shaky on the details. That question sort of describes how to do this for a single port - but how can I do this for every single packet on every single port?

    This question is of both practical and academic interest. Thanks.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to forward http request to a proxy server?
Cant SSH into server, not responding
iptables restrict ssh session by mac address
iptables NAT doesn't preserve remote IP
How do I block every connection except vpn and ssh without endangering the state of my vps?
How to block all ports except 80,443 with iptables?
Linux: Can I monitor all http connections to my site live? like tail -f /file/log.log only for http connections?
iptables to allow only ssh and https
How to allow SSH only from local network via iptables
SSH whitelist 2 addresses