OpenConnect DNS Only + Google Only

I’m using 4G by China Mobile, but the DNS it provides really sucks. Changing the DNS for Cellular Data on a non-jailbroken iPhone is impossible as far as I know (I tried mobileconfig but can’t find any working options).

The first idea is pushing DNS from a PPTP server, which I wrote about in Notes: PPTP/L2TP Server on Ubuntu.
I can create two connections on my iOS device, one with the default route set and one without. But all users share the same settings from PPTPd, so using a different DNS in these two connections is almost impossible, and changing the default PPTP port from 1723 to something else is not as easy as it is on Windows.
Don’t forget that PPTP is what GF*W likes.

OpenConnect DNS Only + Google Only by @sskaje: https://sskaje.me/2014/06/openconnect-dns-google/

Google IP Address Ranges

Google publishes TXT/SPF records that list all of Google’s IP ranges: Google IP address ranges

_netblocks.google.com describes ipv4 ranges.

_netblocks2.google.com describes IPv6 ranges.

_netblocks3.google.com is currently empty.

Now we have the list of IPv4 ranges, but we also know that Google provides a public DNS service, 8.8.8.8/8.8.4.4 (for IPv6, 2001:4860:4860::8888/2001:4860:4860::8844), which is not covered by those ranges.
We can treat these two addresses as 8.8.8.8/32 and 8.8.4.4/32, or just use 8.8.0.0/16.

IP/CIDR             IP Begin         IP End           Netmask
216.239.32.0/19     216.239.32.0     216.239.63.255   255.255.224.0
64.233.160.0/19     64.233.160.0     64.233.191.255   255.255.224.0
66.249.80.0/20      66.249.80.0      66.249.95.255    255.255.240.0
72.14.192.0/18      72.14.192.0      72.14.255.255    255.255.192.0
209.85.128.0/17     209.85.128.0     209.85.255.255   255.255.128.0
66.102.0.0/20       66.102.0.0       66.102.15.255    255.255.240.0
74.125.0.0/16       74.125.0.0       74.125.255.255   255.255.0.0
64.18.0.0/20        64.18.0.0        64.18.15.255     255.255.240.0
207.126.144.0/20    207.126.144.0    207.126.159.255  255.255.240.0
173.194.0.0/16      173.194.0.0      173.194.255.255  255.255.0.0
8.8.8.8/32          8.8.8.8          8.8.8.8          255.255.255.255
8.8.4.4/32          8.8.4.4          8.8.4.4          255.255.255.255
8.8.0.0/16          8.8.0.0          8.8.255.255      255.255.0.0
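As an added example (not code from the original post), the SPF-style records that the three _netblocks names publish can be parsed and expanded into the begin/end/netmask table above, and the same data shows why 8.8.8.8 has to be added by hand. The sample records and the IPv6 /128 entries are constructed for offline use, and the last helper quantifies how much the 8.8.0.0/16 shortcut over-covers.

```python
import ipaddress

# Constructed sample TXT records in the SPF format the _netblocks names publish.
# The ip4: entries are the ranges tabulated in the post; the live records change
# over time and should be fetched with a TXT query rather than copied from here.
SAMPLE_TXT = {
    "_netblocks.google.com": (
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
        "ip4:173.194.0.0/16 ~all"
    ),
    # Constructed: only the two public DNS addresses from the post, as /128s.
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4860::8888/128 ip6:2001:4860:4860::8844/128 ~all",
    "_netblocks3.google.com": "v=spf1 ~all",
}

GOOGLE_DNS = ("8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844")


def parse_spf_networks(record):
    """Return (networks, include_names) for the ip4:/ip6:/include: tokens of one SPF record."""
    nets, includes = [], []
    for token in record.split():
        if token.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(token[4:], strict=False))
        elif token.startswith("include:"):
            includes.append(token[len("include:"):])
    return nets, includes


def range_row(net):
    """Expand one network into the (CIDR, begin, end, netmask) row the post tabulates."""
    return str(net), str(net.network_address), str(net.broadcast_address), str(net.netmask)


def dns_coverage(nets):
    """Map each public DNS address to whether a listed network of the same family contains it."""
    cover = {}
    for addr in map(ipaddress.ip_address, GOOGLE_DNS):
        cover[str(addr)] = any(addr in n for n in nets if n.version == addr.version)
    return cover


def excess_addresses(supernet, wanted):
    """Count the addresses a shortcut supernet admits beyond the prefixes actually wanted."""
    big = ipaddress.ip_network(supernet)
    return big.num_addresses - sum(ipaddress.ip_network(w).num_addresses for w in wanted)


if __name__ == "__main__":
    v4, _ = parse_spf_networks(SAMPLE_TXT["_netblocks.google.com"])
    for row in map(range_row, v4):
        print("%-18s %-16s %-16s %s" % row)
    print(dns_coverage(v4))                                      # 8.8.8.8 / 8.8.4.4 -> False
    print(excess_addresses("8.8.0.0/16", ["8.8.8.8/32", "8.8.4.4/32"]))  # 65534
```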
Google IP Address Ranges by @sskaje: https://sskaje.me/2014/06/google-ip-address-ranges/

Cisco AnyConnect Clients 3.1.05170 download

Available for OS X, Windows and Linux, but unfortunately I didn’t figure out how to use it with OpenConnect when using public key authentication.
OpenConnect Public Key Authentication
Open Connect Server Configuration (Working for iOS)
OpenConnect on Ubuntu

OCServ with AnyConnect on OSX

Download: http://dl.sskaje.me/anyconnect/

Cisco AnyConnect Clients 3.1.05170 download by @sskaje: https://sskaje.me/2014/06/cisco-anyconnect-clients-3-1-05170-download/

OpenConnect Public Key Authentication

Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time it’s OCServ 0.80 on Ubuntu 14.04.
It still doesn’t work for OS X.

I was using password-based authentication, but clients on iOS cannot remember my password.
So now I add some configuration based on “Open Connect Server Configuration (Working for iOS)”.

Create Client Certificates

Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

After the PKCS#12 file is created, as in ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu”, the mobileconfig should also be created.
Remember to leave the ‘Account’ and ‘Group’ fields BLANK in the VPN page.

Update config

Copy a new sample.config from the source tree and edit it following Open Connect Server Configuration (Working for iOS).

Now comes the certificate authentication related changes:

auth

I tried to use both certificate and plain, but failed.
Just keep the certificate one.

server-cert & server-key

You can use your own certificate or get one somewhere like startssl.com.
I got my certificates from startssl.com (class 1), which gave me three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt:

If you don’t combine these three in the right order (server certificate first, then the intermediate, then the root), you’ll see the errors below in syslog:

The server-key I got from startssl.com is encrypted; decrypt it:

An encrypted private key would result in:

ca-cert

This ca-cert is the CA that signs the CLIENT certificates, not the server certificate chain!

cert-user-oid & cert-group-oid

Follow the comment:

cisco-client-compat

Enable this! Thanks to @simamy.

OpenConnect Public Key Authentication by @sskaje: https://sskaje.me/2014/06/openconnect-public-key-authentication/

Set up Port Proxy for Google

I found some ways of making most of Google’s services work at my workplace, but not Google Docs, Google Drive, Google Plus…

I have a VPS somewhere running Windows 2003, on which creating a port proxy is quite easy.

Steps:
Make sure port 443 is not already in use.

Install IPv6

To make portproxy work on Windows 2003, IPv6 must be installed, even for a v4-to-v4 proxy.

Create the portproxy

The syntax can be found here: Netsh commands for Interface Portproxy

Check if port is open

After the add operation, check whether port 443 is open using:

Delete the portproxy

Same syntax as above.

Create portproxy on Port 80

Set up Port Proxy for Google by @sskaje: https://sskaje.me/2014/06/set-port-proxy-for-google/