130 replies to this topic

[SpaceRat]

Dunno.
If there is some decent SSH client inside the app store it probably would.

I would suggest you try it using a PC as client first.
My preferred ssh client is Emtec's ZOC (https://www.emtec.com/zoc/index.html), but putty will do too.

For a simple forwarding of a CAM port to another box, OpenPLi should have autossh on their feeds.

Once properly set up, after running this command on the client box:

autossh -N -L *:12000:localhost:12000 -l root dyndns-of-your-server-box

... the client box could connect to a CAM running on port 12000 of the server box by using localhost:12000 as address, just as if the CAM was running on the client itself.

Note that the true connection is that on the ssh port (22), not on port 12000, port 12000 of the server just gets tunneled through that ssh connection.

Edited by SpaceRat, 30 November 2016 - 21:07.

[SpaceRat]

My dick is long enough, so I do not own an iPhone.
littlesat probably knows better when he says that the Apple crap can not properly do ssh.

[kermith]

Haha, yeah, I think littlesat knows. Thanks for the explanation though. Christmas is on the way so I'll have some time to dig in to this.

Looking forward to fiddle with it

[WanWizard]

My dick is long enough, so I do not own an iPhone.

 

Brillant!

[littlesat]

iOS can do SHH but it will close the tunneled ports after 5 minutrs when the application that opened the tunnel is not open in the foreground.... In addition ssh performs relativaly slow on an ipad or iphone, so it is not really suitable for streaming...
But OpenVPN performs as a charm....
The latest VPN I saw from fritzbox, without hacking the fritzbox with alternative firmware, was a password only protected VPN, which I think is not that secure in comparision by creating an own "key" set... I used easyrsa to create my own keyset for openVPN.

[WanWizard]

Correct, the Fritz uses passwords, not certificates. Whether or not that is much less secure highly depends on the password you select. For home use, I could live with a sufficiently strong password, you're not protecting a bank...

[SpaceRat]

Nowadays there are two methods to set up Fritz!Box VPNs:
a.) Through the box' UI (Less options but easier)
b.) Through an external (Windows) program called "Fritz!Box Fernzugang einrichten" (German) or "Configure FRITZ!Box VPN Connection" (English)

Both methods have in common that they use "IKEv1 Aggressive Mode", which StrongSWAN considers weak.
Once you enable "IKEv1 Aggressive Mode" in StrongSWAN, it changes its name to "WeakSWAN"

The good news is, that when you create the config using method b you get plain text config files to be imported into the Fritz!Box and these config files can be modified before import, e.g. to use "IKEv1 Main Mode".
In order to connect my Linksys WRT1900ACS using StrongSWAN on LEDE to two remote Fritz!Boxes, I first went the weakSWAN way to verify everything works, then I modified the VPN configuration for the Fritz!Boxes to use main mode and disabled aggressive mode in StrongSWAN again.

And yes, the Fritz!Box uses a PSK (Pre-Shared Key), so do most WLANs too.

The main benefit of the IPSec way of doing the VPN in the Fritz!Box is, that this method is widely supported in other devices too.
You can find instructions on how to connect to the Fritz!Box' VPN for
- Android
- Windows Phone
- Blackberry
- Small-dick-Fon (iPhone)
- Windows
- Linux
- macOS
- Cisco ASA/RV320 <-> AVM FRITZ!Box
- pfSense
- Lancom 1681V/1781V <-> FritzBox
- and many more

In turn that means that any of the devices which can connect to the Fritz!Box VPN should also offer the same connectivity to the other devices in the list.
So if Lancom routers can connect to Fritz!Box VPN and the Fritz!Box VPN can be connected from Android smartphones or iPhone's excuse for a smartphone, the iPhone excuse for a smartphone should also be able to connect to a Lancom VPN.

This means it would be helpful to know which kind of router you currently own on both sides of your desired connection, maybe they already have a common VPN support.

Sadly no E2 image known to me has the neccessary modules to be a VPN client to a IPSec/Fritz!Box VPN on its own.

[SpaceRat]

BTW:

If you happen to own routers without any VPN support inside
a.) you own shit
b.) you should check if there is LEDE or OpenWrt available for it
c.) I would go the OpenVPN way.

[kermith]

@SpaceRat Well I guess I do own shit.
And even the Fritz!Box is less secure. But with Fritz!Box and a strong password it would work great then.

So the OpenVPN with Fritz!Box and a strong password will be the best shot for both Android, iPad and another E2 box in my country house.

Really great elaboration on this guys. I really appreciate it, and haven't seen a rundown as this anywhere.

 

@Dimmie, I also have your aspect of legality in to consideration, but as I see more and more people use their tabs and smartphones for watching TV and recorded material from their boxes at home and eventually we will have a flat rate on cellular data this will become a reality. The box that I've got from my TV provider at my house really stinks and for example Netflix on it is slow as s**t. Also I can't install Plex on it. That is why I chose a E2 box which will make me to do whatever I want to it, I'm also getting a brand new spanking Vu+ Uno 4K next week. I only pray that OpenPli will have an image for it. And a small hope that my CI+ card would work, because what I really miss with my E2 boxes is that I could watch HD channels from my CI+ card. I've heard that this is possible on some boxes with some images, but I love the OpenPli and will not want to change away from it.  

Edited by kermith, 1 December 2016 - 13:59.

[SpaceRat]

Well, you avoid to tell us, which router model(s) you got ...
For many routers, you can grab and install LEDE/OpenWrt and have OpenVPN with that.

E.g. TP-Link makes junk routers, they are crap like hell. But you can install LEDE/OpenWrt on most of them to make them decent routers.

[kermith]

There's no secret. At my home I've got Netgear Genie R6300v2 which I bought myself and exchanged for the shitty one I got at the start on my subscription from my ISP, which didn't have the possibility to remotely control it.

 

At my country house I've got a brand new Techicolor 799 Xtream, which is very good and have a great WiFi.

[SpaceRat]

Netgear stinks (The Technicrap isn't even worth mentioning).

However, at least DD-WRT is available for your Netgear R6300v2, which isn't as good as LEDE or at least OpenWrt, but it should to the job:
http://www.dd-wrt.co...Netgear_R6300v2

DD-WRT has support for OpenVPN: http://www.dd-wrt.co...dex.php/OpenVPN

So I would upgrade the Netgear using DD-WRT and add OpenVPN to it.
After that, you can set up the Netgear as OpenVPN server and the outside E2 box as an OpenVPN client to that server.

Your outside E2 box can then access the E2 box at home (and anything else at home) through the VPN (almost) as if it was at home too.
No port forwarding required on the outside side and only one on the server side for OpenVPN to get secure access to everything.

[littlesat]

Whether or not that is much less secure highly depends on the password you select. For home use, I could live with a sufficiently strong password, you're not protecting a bank... 

->

And what master key do you think they use???

[WanWizard]

Afaik neither of them to VPN's out of the box.

[kermith]

Netgear stinks (The Technicrap isn't even worth mentioning).

However, at least DD-WRT is available for your Netgear R6300v2, which isn't as good as LEDE or at least OpenWrt, but it should to the job:
http://www.dd-wrt.co...Netgear_R6300v2

DD-WRT has support for OpenVPN: http://www.dd-wrt.co...dex.php/OpenVPN

So I would upgrade the Netgear using DD-WRT and add OpenVPN to it.
After that, you can set up the Netgear as OpenVPN server and the outside E2 box as an OpenVPN client to that server.

Your outside E2 box can then access the E2 box at home (and anything else at home) through the VPN (almost) as if it was at home too.
No port forwarding required on the outside side and only one on the server side for OpenVPN to get secure access to everything.

 

Wow, thanks, sounds really nice. Thanks for providing the info!!

Really interesting.... think I'm close to a solution here.

 

 

 

Whether or not that is much less secure highly depends on the password you select. For home use, I could live with a sufficiently strong password, you're not protecting a bank... 

->

And what master key do you think they use???

 

I could use a highly secure password, like 24 digits It's not like I have to fill this in every time I connect to the box, right. If I set this up it would remember my password?

 

 

Afaik neither of them to VPN's out of the box.

 

Can't understand what you're saying....

 

[SpaceRat]

BTW:

I wrote some SSH How-To with plenty of pictures (but in German) more than two years ago in the HDMU Forum
How-To: Box sicher ins Internet freigeben

It covers SSH incl. Port Tunneling using PuTTY and ConnectBot, however it is based on the HDMU-Image for sh4 boxes which differs a bit from what we have now:
- dropbear was started by inetd
- dropbearkey created more compatible key files back then

At the moment I'm rewriting that how to inside the OpenATV forum:
Sicherer Fernzugriff auf den Receiver (SSH, VPN, OpenWebif mit HTTPS)
... and this time it is going to cover
- SSH incl. Port Tunneling and file access using FileZilla, PuTTY, ZOC and ConnectBot
- VPNs
- OpenWebif hardening with HTTPS

It will be in German too, though

But if anyone wants to spend his time translating it or just wants to steal the images, feel free to.

[kermith]

Thanks, I do understand some German. Swedish and German are quite similar and reading in German I understand the context.
Will be easy to translate

[littlesat]

For ssh tunelling and enigma images milo has for years a how to.....

[SpaceRat]

I know.
Mine is losely based on his.

English is fine for me and you but there really are enough German users that can't read English for toffee, that's why I wrote a German one.
And I got more into the details and also cover other clients, e.g. FileZilla, ConnectBot, ...

Edited by SpaceRat, 1 December 2016 - 20:02.

[MiLo]

For a simple forwarding of a CAM port to another box, OpenPLi should have autossh on their feeds.

It's in the feed, a simple "opkg install autossh" should add it to your box.