Need help restricting Android tablet to SSH/VPN access only

Discussion in 'privacy problems' started by doveman, Nov 25, 2013.

Thread Status:
Not open for further replies.
  1. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I want to set my Mum's new tablet so that it can only access the Internet via the SSH server running on her Buffalo router (with Tomato firmware).

    I've got the server working and accessible remotely and so far the only app I've found that has a Global Proxy setting to redirect everything via the SSH server is SSHTunnel, although I gather that it's not totally reliable when connections drop/change and I can't expect my Mum to cope with monitoring it and re-enabling it manually.

    When it's disabled, all traffic will just go over local connection unencrypted so that's a concern as well.

    Ideally there'd be some way to set up the SSH settings at a system level, with no way to disable them and force all the traffic to go out like this, but I'm not sure if there is any way to achieve this.

    The other part is setting a firewall (AFWall+ or Android Firewall seem to be the main ones) to only allow traffic via the SSH server. I'm not sure what whitelist rules would be required for this. For example, SSHTunnel connects to the server at x.x.x.x:x, so I presume I'd need a rule to allow connections to this address and this port (I had a quick play with the Avast firewall, which only allows creating custom rules for IP or port, so I'd need two rules with that, and it doesn't allow entering the DynDNS name, only an IP address, so that's no good).

    Then SSHTunnel has a Local Port (1984) and remote address:port (127.0.0.1:3128), so I presume I'd need rules to allow all of those as well (I'm not sure which of these need to be incoming/outgoing or both). Then there's the question of whether I need to allow other ports like DNS (53) and so on, or if that all goes over the SSH tunnel and doesn't require setting allow rules specifically.

    It might be that a VPN server would be more suitable for what I'm trying to achieve than an SSH server, and I think the Tomato firmware on the router has that facility (or if the version currently flashed doesn't, there's probably another version I could flash that does), so if that's the case, I'd appreciate advice on locking it down that way instead. Android has built-in VPN support, so it might be possible to use that, but it depends on whether it will auto-connect and stay connected all the time or if it requires user intervention, and I'll still need to set up firewall rules to prevent data being sent without the VPN in case it does get disabled.
     
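The whitelist asked about above, written as an added example that is not from this thread: a default-deny iptables "kill switch" of the kind a rooted-Android firewall such as AFWall+ can run as a custom script. Endpoint 203.0.113.10:22, tunnel interface tun0 and uplink wlan0 are assumed placeholder values; the local SOCKS port 1984 and 127.0.0.1:3128 from the post are covered by the loopback rule, and DNS is forced through the tunnel rather than whitelisted.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables rule set
# that allows plaintext traffic on the uplink ONLY to the tunnel endpoint and
# lets everything else leave via the tunnel interface. Placeholder values:
# endpoint 203.0.113.10 port 22, tunnel interface tun0, uplink wlan0.

# kill_switch_rules SERVER_IP SERVER_PORT TUN_IF UPLINK_IF
# Prints the iptables commands one per line so they can be reviewed first.
kill_switch_rules() {
    server_ip=$1; server_port=$2; tun_if=$3; uplink_if=$4
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
# Loopback: SSHTunnel's local SOCKS port (1984) and 127.0.0.1:3128 live here
iptables -A OUTPUT -o lo -j ACCEPT
# Replies belonging to flows that were already allowed
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP, so the device can still obtain an address when joining a Wi-Fi network
iptables -A OUTPUT -o $uplink_if -p udp --dport 67 -j ACCEPT
# The only plaintext destination permitted on the uplink: the tunnel endpoint
iptables -A OUTPUT -o $uplink_if -p tcp -d $server_ip --dport $server_port -j ACCEPT
# Everything else, DNS included, must go out through the tunnel interface
iptables -A OUTPUT -o $tun_if -j ACCEPT
# Anything reaching this point is a leak attempt: log it, then drop it
iptables -A OUTPUT -j LOG --log-prefix "VPN-LEAK: "
iptables -A OUTPUT -j DROP
EOF
}

# Apply the rules when running as root; otherwise only print them for review.
apply_kill_switch() {
    if [ "$(id -u)" -eq 0 ]; then
        kill_switch_rules "$@" | sh
    else
        kill_switch_rules "$@"
    fi
}

apply_kill_switch 203.0.113.10 22 tun0 wlan0
```

With these rules in place a captive-portal login page cannot load until the tunnel is up, which is exactly the public Wi-Fi trade-off raised later in the thread; the LOG rule gives you a way to see, in logcat or dmesg, which app tried to send traffic outside the tunnel.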
  2. doveman

    (Sorry, can't seem to edit my last post).

    Another issue is whether these firewall rules will prevent the device even being able to connect to any public Wi-Fi points before redirecting the traffic via the SSH/VPN server.
     
  3. doveman

    I understand that the Buffalo router's probably not a good choice for a VPN server as it will be too slow, so I'm setting up an OpenVPN server on my Raspberry Pi instead now, although so far I can only connect to it from my LAN, not from outside, which isn't much use.

    I'm questioning whether my 24Mb/1Mb connection will be suitable for running a VPN server anyway. See here https://www.wilderssecurity.com/showthread.php?p=2312229#post2312229
     
  4. x942

    x942 Guest

    I haven't tried SSH like this, but you can do it with VPN if the device is running 4.2 (Jelly Bean) or higher.

    All you have to do is add the VPN under settings --> Networks --> VPN

    When done, you hit the menu button and check the box that says 'Always On VPN'. Now if you drop off the VPN it automatically disables WiFi/Data to prevent data leaks.
     
  5. doveman

    Thanks for the tip x942, that certainly helps simplify things.

    However, as the Raspberry Pi is at my house and not my Mum's, it would mean all her traffic would have to go through me, which I don't mind but it would make her connection when at home much slower than it would otherwise be, so I'll keep hoping for a way for it to only switch to using the VPN when she's away from home.
     
  6. doveman

    Actually, I just thought: if it disables WiFi when she drops off the VPN, I'm not sure how it would work with using public WiFi, some of which will require passwords or web logins, as the WiFi will have been disabled as soon as she leaves the house!
     