Android: Protecting your network data from local snooping

There's been a lot of news of late about the likes of NSA and GCHQ passively listening to Internet traffic. The steps in this post won't protect you from such a well-resourced attacker, but will prevent others on open wifi networks and your mobile data provider from looking at the content of your phone's network traffic.

A good example of the data that can easily be collected can be seen in this recent Ars Technica post.

In this post, we'll be configuring an Android phone to conditionally connect to an OpenVPN server, dependent on whether it's associated with a specific WLAN.

Why Conditionally?

You may find that you can simply enable an OpenVPN tunnel and leave it connected. Unfortunately, I've a few networks I connect to where I need to use local resources (and local DNS servers to resolve those resources). As those networks are all networks I trust, I've no issue with not using a VPN whilst connected.

 

Pre-Requisites

There are a few things you'll require to follow through this post

Hopefully when setting up item 1, you'll have created item 2 at the same time

 

Configuring the OpenVPN Client

We're going to import our OpenVPN client config into the OpenVPN Connect app. So make sure you've copied the config (including the relevant certificates, keys etc) onto your phone - dumping it onto a microSD card is probably the easiest way.

DON'T email it to yourself, keep the keys secret!

Launch OpenVPN Connect, and then bring up the menu:

  • Import
  • Import Profile from SD Card
  • Browse to where you saved the Config and select the OpenVPN file
  • Make sure the profile drop-down contains the new profile, and then press and hold on the box
  • Choose Rename Profile
  • Give it a memorable, but easy to type name (makes life easier shortly) and make a note of it

Hit connect to make sure you can actually connect to the VPN server.

 

Configuring Tasker

Now we're going to create a couple of Tasker actions and profiles: one to automatically connect the VPN and the other to disconnect it. So launch Tasker.

Creating the Actions

Connect -> Task -> Add Task -> Set the Name to OpenVPN -> Add Action -> Misc -> Send Intent

One thing to note: there isn't an obvious save button. When you've made a change, you need to hit the back icon (with a cog) in the top left hand corner of the screen.

Use the following settings

  • Action: android.intent.action.VIEW
  • Cat: None
  • Mime Type:
  • Data:
  • Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME: [Insert the Profile name you set]
  • Extra:
  • Package: net.openvpn.openvpn
  • Class: net.openvpn.openvpn.OpenVPNClient
  • Target: Activity

Save until you're back at the Task's screen

 

Create a Disconnect Task

Now let's create our disconnect Task

Add Task -> Set the Name to OpenVPN Disconnect -> Add Action -> Misc -> Send Intent

Use the following settings

  • Action: android.intent.action.VIEW
  • Cat: None
  • Mime Type:
  • Data:
  • Extra:
  • Extra:
  • Package: net.openvpn.openvpn
  • Class: net.openvpn.openvpn.OpenVPNDisconnect
  • Target: Activity

Save until you hit the Tasks screen again

 

Creating the Profiles

We've now created our actions, but need to create some profiles so that Tasker knows when to trigger the actions. Think of a profile as a simple conditional statement (i.e. if ( wifi.connected.to == $ssid) ).

From the Tasker main screen

Profiles -> Add Profile -> State -> Net -> Wifi connected

Use settings

  • SSID: Whatever your home wifi SSID is

Save

You'll be prompted to select a task, choose OpenVPN Disconnect

 

Away Profile

Now let's create a profile to identify when we're not at home

Profiles -> Add Profile -> State -> Net -> Wifi connected

Use settings

  • SSID: Whatever your home wifi SSID is
  • Invert: checked

Save

You'll be prompted to select a task, choose OpenVPN

 

Minor Bugfix

You may occasionally find that you end up connected to the VPN whilst on your home network, usually as the result of a brief network drop (either from walking around the building or because you've switched between physical access points). To work around this, we need to re-check the state context and kill the connection if necessary.

First, we need to give our profiles names

Profiles

Hold down on the first profile (wifi connected), and then click the big A in the menu bar. Call the profile Home. Now repeat for the other and call it NotHome.

Next, we need to edit the connection task. The easiest way is for us to check, a few seconds after connecting to the VPN, whether that connection was actually necessary.

Tasks -> OpenVPN -> Add Action -> Task -> Wait -> 10 Seconds -> Save

Now, we need to add an action to disconnect the OpenVPN session, but only if the relevant profile applies

Tasks -> OpenVPN -> Add Action -> Misc -> Send Intent

We use almost the same settings as the disconnect Action we created earlier, but with a conditional

  • Action: android.intent.action.VIEW
  • Cat: None
  • Mime Type:
  • Data:
  • Extra:
  • Extra:
  • Package: net.openvpn.openvpn
  • Class: net.openvpn.openvpn.OpenVPNDisconnect
  • Target: Activity
  • If: (hit the plus to add one). %PACTIVE Matches (~) Home

Save and exit

10 seconds after connecting to the VPN, Tasker should now check whether the profile 'Home' has been activated and, if it has, send the disconnect intent. We could, potentially, have achieved a similar effect by simply inserting a 10 second delay into the disconnect task. The variable %PACTIVE contains a CSV of all the currently active profiles (of which Home should be one if we're on a matching SSID).
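As an added example (not part of the original post and not Tasker's own code), the sketch below models the If condition on the recheck action so that candidate patterns can be compared against the profile names Home and NotHome. It assumes Tasker's simple matching rules (whole-text match, `*` and `+` wildcards, `/` for alternatives, a leading `!` for negation) and assumes %PACTIVE is wrapped in leading and trailing commas; `simple_match`, `pactive`, `recheck_disconnects` and `evaluate` are hypothetical helper names, so confirm the behaviour on your own Tasker version.

```python
import re


def simple_match(pattern: str, text: str) -> bool:
    """Model of the 'Matches (~)' operator under the assumed simple-matching rules."""
    if pattern == "":
        return True  # assumed rule: a blank pattern matches anything
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    # Assumed rule: case-insensitive unless the pattern contains an upper-case letter.
    flags = re.DOTALL if any(c.isupper() for c in pattern) else re.DOTALL | re.IGNORECASE
    hit = False
    for alt in pattern.split("/"):  # '/' separates alternatives
        # '*' is any run of characters, '+' is one or more; the rest is literal.
        rx = "".join(".*" if c == "*" else ".+" if c == "+" else re.escape(c) for c in alt)
        if re.fullmatch(rx, text, flags):  # the pattern must cover the whole text
            hit = True
            break
    return hit != negate


def pactive(names):
    """Assumed %PACTIVE format: ',Name1,Name2,' or empty when no named profile is active."""
    return "," + ",".join(names) + "," if names else ""


def recheck_disconnects(pattern, active_profiles):
    """True if the conditional Send Intent (the disconnect) would fire."""
    return simple_match(pattern, pactive(active_profiles))


def evaluate(pattern):
    """Constructed cases: profile state when the 10-second recheck runs."""
    return {
        "home": recheck_disconnects(pattern, ["Home"]),     # should disconnect
        "away": recheck_disconnects(pattern, ["NotHome"]),  # must stay connected
    }


if __name__ == "__main__":
    for candidate in ("Home", "*Home*", "*,Home,*"):
        print(f"{candidate!r:12} -> {evaluate(candidate)}")
```

Under these assumptions a bare `Home` matches only when the variable is exactly `Home`, and `*Home*` also matches `NotHome`, which would drop the VPN while away. `*,Home,*` matches the Home profile name alone.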

That's Everything

We're all set up. You'll want to test to be sure it's working, but we've now created a config that will ensure that OpenVPN is enabled and connected whenever we're not connected to our home wireless.

If you want to 'whitelist' additional wifi SSIDs, you simply need to create additional profiles for those wifi points and assign them the OpenVPN Disconnect task.