Tag: confidentiality

Why a computer can’t connect to a Wi-Fi hotspot on an Android phone for a long time (SOLVED)

Why my computer cannot connect to the Android mobile Wi-Fi hotspot for a long time

After updating Android, I ran into a problem: the computer sees the mobile hotspot, but at the same time:

1. It does not try to connect to it automatically

2. When I select the Access Point manually, a connection attempt is made, which ends in failure after about a minute


Additional symptoms of the problem:

3. Before the Android update on the phone, connecting to the Hotspot was fast and without problems

4. The computer can sometimes connect to the mobile hotspot

5. New devices quickly connect to Hotspot on Android without problems

One reason for this behavior could be a new setting that allows you to use an arbitrary MAC address for the mobile hotspot.

How to set permanent or random MAC address for Hotspot on Android

Go to Settings → Connections → Mobile Hotspot and Tethering → Mobile Hotspot.

Click the “Configure” button.

Click the “Advanced” button.

Look for “MAC address type”.

There are two options to choose from:

  • Randomized MAC
  • Phone MAC

If you select the first option (“Randomized MAC”), a random MAC address will be generated for the created Mobile Access Point. If you select the second option (“Phone MAC”), the permanent MAC address of the phone will be used for the created mobile hotspot.

Select “Phone MAC”, save the settings and check if this solves the problem with the slow connection to the Hotspot on Android.

What is the “Randomized MAC” setting for? Is it safe to turn it off?

The question may arise, why is the “Randomized MAC” setting enabled by default, which creates serious problems when connecting to a mobile hotspot? Perhaps it is very important and should not be disabled?

The MAC address of each device must be unique. More precisely, each network interface (one device, including a phone, can have several network interfaces) must have a unique MAC address. This MAC address allows you to distinguish one device from another. You can also find out the manufacturer of the device by the MAC address (for example, Samsung, Apple, and so on).

See also:

Enabling the “Randomized MAC address” setting means that, to a hypothetical third-party observer, each Access Point appears to be created by a device he has never seen before.

But you need to remember that each Access Point has the following identifiers:

  1. Device MAC address (BSSID)
  2. Access Point Name (ESSID)

That is, if you are really concerned about privacy issues, then in addition to enabling the “Randomized MAC” setting, you also need to change the network name every time, otherwise the “Randomized MAC” setting loses all meaning.

In fact, most users simply do not need the “Randomized MAC” setting. Enabling it without taking other measures (for example, changing the network name each time the AP is created) does not make much sense. At the same time, client devices that rely on the AP's MAC address when reconnecting start to experience connection problems.

In short: if you do not have a clear understanding of what exactly you need the “Randomized MAC” setting for, and/or you take no other steps to make your phone harder to identify as an AP, and at the same time you have problems connecting to the mobile AP, then you can safely disable this setting.

If your devices connect to the mobile AP without problems with the “Randomized MAC” setting enabled, you can leave it enabled.

Do I need to enable the setting “Support Wi-Fi 6 standard”

If after changing the MAC address type setting, your computer or other devices continue to experience problems connecting to the Mobile Hotspot, then pay attention to the following two settings.

The first setting is “Support Wi-Fi 6 standard”. This item is located in: Settings → Connections → Mobile Hotspot and Tethering → Mobile Hotspot → Configure → Advanced → Support Wi-Fi 6 standard.

“Support Wi-Fi 6 standard” brings many technical improvements and higher data transfer speeds. But that is in theory. If, in practice, your devices cannot connect to the Access Point with the “Support Wi-Fi 6 standard” setting enabled, then disable it.

Choose “2.4 GHz” or “5 GHz”?

In theory, Wi-Fi at 5 GHz is faster. This is due both to the technical characteristics of the 5 GHz channels and to the fact that these channels are currently less crowded. However, in practice, the transmission area of a 5 GHz Wi-Fi signal is less than 2.4 GHz. Some older devices do not support 5 GHz operation. Some devices, even those that support 5 GHz, are slower to find the Access Point at these frequencies.

Although it is recommended to select the 5 GHz band in the Access Point settings, if you are not satisfied with the quality of the mobile Access Point, you can change the Frequency Band of your Access Point. To do this, go to: Settings → Connections → Mobile Hotspot and Tethering → Mobile Hotspot → Configure → Band. There you will be presented with a choice of:

  • 2.4 GHz
  • 5 GHz preferred

Switch to “2.4 GHz” and see if that solves your problem.

How to make VirtualBox virtual machines destroy on computer restart

How to use VirtualBox on Linux so that virtual machines and their settings are not saved

The wish to have virtual machines destroyed completely is unusual and is usually motivated by security and privacy. There are at least two ways to achieve the desired effect: the virtual machines are destroyed as soon as the computer is turned off.

1. Using VirtualBox on a Live System

If you need VirtualBox without saving settings, then you can work in a Live system.

Boot into Live mode, run the command to install VirtualBox:

sudo apt install virtualbox virtualbox-ext-pack

After the command completes, you can start VirtualBox, create virtual machines in it and work in them.

On the next reboot, all changes made will be lost.

To get VirtualBox again, repeat the previous steps exactly.

2. Saving virtual machines in the /tmp directory

The second method involves using a regular Linux installation or Persistence.

If you are working with a Live system, select “Live USB Persistence” or “Live USB Encrypted Persistence” when booting.

Install VirtualBox:

sudo apt install virtualbox virtualbox-ext-pack

Then open VirtualBox and go to menu File → Preferences → General.

Set “Default Machine Folder” to /tmp

As a result, all virtual machines will store their settings in the /tmp directory.

On each reboot, the /tmp directory is automatically cleared.

As a result, after the reboot, the VirtualBox executable files will remain in the system, but all virtual machines will be deleted.

If you are running a Live system, you will also need to select “Live USB Persistence” or “Live USB Encrypted Persistence” on subsequent reboots.
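The “Default Machine Folder” step can also be done from the shell, and it is worth checking that /tmp really is volatile before trusting it. The following is an added example, not code from the original article or from VirtualBox: `VBoxManage setproperty machinefolder` is the command-line equivalent of File → Preferences → General → Default Machine Folder; the tmpfs/ramfs check is this example's own assumption, because whether /tmp is wiped at boot depends on the distribution (a tmpfs mount, or a cleanup job at boot), so the script asks the system rather than trusting the folder name.

```bash
#!/bin/bash
# Added example (not from the original article): point VirtualBox at a
# volatile machine folder from the command line and refuse if the folder is
# not on tmpfs/ramfs.  Assumption: a VM whose files live on tmpfs or ramfs
# cannot survive a reboot; anything else may, depending on the distribution.

# volatile_fstype FSTYPE -> "yes" if this filesystem type never survives a reboot
volatile_fstype() {
    case "$1" in
        tmpfs|ramfs) echo yes ;;
        *)           echo no ;;
    esac
}

# tmp_is_volatile PATH -> "yes"/"no", by asking findmnt which filesystem holds PATH
tmp_is_volatile() {
    fstype=$(findmnt -T "$1" -n -o FSTYPE 2>/dev/null)
    volatile_fstype "$fstype"
}

# vbox_use_volatile_folder [DIR]: make DIR (default /tmp/vbox-<uid>, mode 0700
# so other local users cannot read the VM disks) the default machine folder,
# but only if DIR sits on volatile storage.
vbox_use_volatile_folder() {
    dir=${1:-/tmp/vbox-$(id -u)}
    if [ "$(tmp_is_volatile "${dir%/*}")" != yes ]; then
        echo "refusing: ${dir%/*} is not tmpfs/ramfs, VMs there would survive a reboot" >&2
        return 1
    fi
    mkdir -p -m 0700 "$dir" || return 1
    VBoxManage setproperty machinefolder "$dir"
}

# pure checks, safe to run anywhere
echo "tmpfs volatile: $(volatile_fstype tmpfs)"   # yes
echo "ext4 volatile:  $(volatile_fstype ext4)"    # no
```

One caveat that the folder choice does not cover: tmpfs pages can be swapped out, so with swap enabled, VM disk contents may still end up on the physical disk unless the swap is encrypted or disabled.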

How to connect to Tor with OpenVPN

Connecting to Tor via a VPN is usually used in practice not so much to increase anonymity (although such use takes place), but to bypass the blocking of the Tor network. In some countries, the Tor network is blocked at the state level, so to connect the Tor browser or the Tor service, you must use bridges – intermediate nodes of the Tor network. Instead of bridges, you can connect to the Tor network through a VPN.

In fact, connecting to Tor via a VPN is even easier than using bridges.

Please note that, because of how the blocking is implemented (for example, it is performed only at the level of last-mile providers), even a VPN server located in the country where the Tor network is blocked can be used to bypass the blocking of connections to the Tor network.

Signs that the ISP is blocking access to the Tor network are that the connection to Tor stops at the very first stages.

For example, Tor Browser freezes at the message:

Connecting to a Tor relay
Tor Browser routes your traffic over the Tor Network, run by thousands of volunteers around the world.

Another possible error:

Loading relay information

When trying to use the Tor service by starting it with the command

sudo systemctl start tor

status check

systemctl status tor

will show that the initial bootstrap stopped at 5%, that is, at the stage of connecting to the relay:

Jan 08 11:21:40 HackWare systemd[1]: Started Anonymizing overlay network for TCP.
Jan 08 11:21:41 HackWare Tor[25392]: Bootstrapped 5% (conn): Connecting to a relay

To connect to the Tor network over a VPN, start by connecting to a VPN server, for example using OpenVPN.

Right after that, you can use the Tor service as usual – no additional configuration is required.

The Tor Browser successfully connects to the Tor network and opens websites.

The tor service successfully establishes a connection to the Tor network.
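The symptoms above (bootstrap stuck at 5%, “Connecting to a relay”) can be picked out of the service log mechanically. Here is an added example, not code from the original article or from the Tor project: it reads tor's own log lines (as printed by `systemctl status tor` or `journalctl -u tor`) from stdin, extracts the last “Bootstrapped N% (tag)” entry and classifies it. The first sample is the pair of lines shown above; the second sample is constructed for the example.

```bash
#!/bin/bash
# Added example (not part of the original article): find the most recent
# "Bootstrapped N% (tag)" line in tor's log output and decide whether the
# connection stalled at the "connecting to a relay" stage.

# tor_bootstrap_state reads log lines on stdin and prints "<percent> <tag>"
# for the most recent Bootstrapped line, or "none" if there was none.
tor_bootstrap_state() {
    awk 'match($0, /Bootstrapped [0-9]+% \([a-z_]+\)/) {
             s = substr($0, RSTART, RLENGTH)
             sub(/^Bootstrapped /, "", s)
             split(s, parts, "% \\(")
             pct = parts[1]; tag = parts[2]; sub(/\)$/, "", tag)
             last = pct " " tag
         }
         END { print (last == "" ? "none" : last) }'
}

# tor_diagnose reads the same input and prints a one-line verdict.
tor_diagnose() {
    state=$(tor_bootstrap_state)
    set -- $state
    case "$1" in
        none) echo "no bootstrap progress logged" ;;
        100)  echo "connected" ;;
        *)
            if [ "$2" = conn ]; then
                echo "stalled at ${1}% (conn): no relay reachable, likely ISP blocking; try a VPN or bridges"
            else
                echo "in progress: ${1}% ($2)"
            fi ;;
    esac
}

# The two lines from the article (blocked ISP) ...
SAMPLE_BLOCKED='Jan 08 11:21:40 HackWare systemd[1]: Started Anonymizing overlay network for TCP.
Jan 08 11:21:41 HackWare Tor[25392]: Bootstrapped 5% (conn): Connecting to a relay'

# ... and a constructed successful bootstrap for comparison.
SAMPLE_OK='Jan 08 11:30:02 HackWare Tor[25512]: Bootstrapped 5% (conn): Connecting to a relay
Jan 08 11:30:03 HackWare Tor[25512]: Bootstrapped 10% (conn_done): Connected to a relay
Jan 08 11:30:05 HackWare Tor[25512]: Bootstrapped 100% (done): Done'

printf '%s\n' "$SAMPLE_BLOCKED" | tor_diagnose
printf '%s\n' "$SAMPLE_OK" | tor_diagnose
```

On a live system pipe `journalctl -u tor --since -10min --no-pager` into `tor_diagnose`; a “conn” entry that is only a few seconds old is not yet a stall, so restrict the time window rather than judging the first line you see.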


Script to connect and disconnect from OpenVPN depending on server availability

Task:

Branch subnets are connected via OpenVPN. All clients connect to the server and routes to the Internet are set through the OpenVPN server. Everything works, but there is a problem. If the OpenVPN server for some reason loses Internet connection, then all other branches also lose Internet access, because the traffic does not go through its gateway, but through the OpenVPN server. Is there any way to write a script to:

1. If there is no connection to the OpenVPN server, the routes are restored and work through their own gateway.

2. Once every 2-3 minutes the client would try to connect to the OpenVPN server.

3. When the connection is restored, the routes would be registered again through the OpenVPN server.

Solution:

In theory, it is quite possible to write a script in Bash (for Linux) or PowerShell (for Windows) that pings the OpenVPN server: if the server is online, it connects to it, or does nothing if the connection is already present; if the OpenVPN server is offline, it disconnects from it, or does nothing if there is no connection. On Linux, such a script can be added to startup and then run regularly using systemd timers or cron. On Windows, the same can be done with the Windows Task Scheduler.

But, IMHO, this is a radically wrong approach. The goal should be to keep the OpenVPN server online at all times. After all, users connect to it because they need it for their work, right? And if so, then whenever users are disconnected from OpenVPN, access to local resources will fail.

And nevertheless, here are examples of scripts.

For Windows, the script is written in PowerShell, create the vpn.ps1 file and copy it into it (replace the IP address of the OpenVPN server and the path to the configuration file with yours):

# OpenVPN server IP address
$openvpnIP='185.117.153.79'
# path to the configuration file for connecting the client to the OpenVPN server
$openvpnFILE='C:\Users\MiAl\client1.ovpn'

if (Test-Connection -TargetName $openvpnIP -IPv4 -Count 1 -Quiet -TimeoutSeconds 1)
{
	'OpenVPN server is up'
	if (Get-Process | Where-Object { $_.Name -eq "openvpn" })
	{
		'OpenVPN connection is active. Nothing to do'
	}
	else
	{
		Write-Warning 'No OpenVPN connections, trying to connect...'
		& "C:\Program Files\OpenVPN\bin\openvpn.exe" --config $openvpnFILE &
	}
}
else
{
	Write-Warning 'OpenVPN server is down'
	if (Get-Process | Where-Object { $_.Name -eq "openvpn" })
	{
		'OpenVPN connection is active, let us kill it'
		Get-Process | Where-Object { $_.Name -eq "openvpn" } | Select-Object -First 1 | Stop-Process
	}
	else
	{
		Write-Warning 'No OpenVPN connections. Nothing to do'
	}
}

Check like this:

.\vpn.ps1

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's IP shows that Internet access is really through OpenVPN:

OpenVPN is offline, so the script disconnects from it. On subsequent checks, the script does nothing until the OpenVPN server is available. When OpenVPN is online again, a connection is made to it.

Use the Windows Task Scheduler to run the script like this (pwsh, i.e. PowerShell 7, is required because the script uses the -TargetName and -TimeoutSeconds parameters of Test-Connection, which Windows PowerShell 5.1 does not have; -File must be the last parameter):

pwsh -WindowStyle Hidden -File vpn.ps1

Also configure the task to run under a specific user account whether or not that user is logged on. Otherwise a console window will appear.

Sample script for Linux – create a vpn.sh file and copy into it:

#!/bin/bash

# OpenVPN server IP address
openvpnIP='185.117.153.79'
# path to the configuration file for connecting the client to the OpenVPN server
openvpnFILE='/home/mial/bin/OpenVPNassistent-конфигурации/configs/client1.ovpn'

# PIDs of running openvpn processes (empty when there is no connection);
# -x matches the process name exactly, so e.g. openvpn-gui is not counted
isOpenVPNActive=$(pgrep -x openvpn)

# one ICMP echo with a one-second timeout decides whether the server is up
if ping -c 1 -W 1 "$openvpnIP" > /dev/null 2>&1; then
	echo 'OpenVPN server is up'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections, trying to connect.'
		# --daemon detaches openvpn, so the script can be run from cron or a timer
		sudo openvpn --config "$openvpnFILE" --daemon
	else
		echo 'OpenVPN connection is active. Nothing to do'
	fi
else
	echo 'OpenVPN server is down'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections. Nothing to do.'
	else
		echo 'OpenVPN connection is active, let us kill it.'
		# unquoted on purpose: pgrep may return several PIDs, one per line
		kill $isOpenVPNActive
	fi
fi

Run like this:

sudo bash vpn.sh

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's IP shows that Internet access is really through OpenVPN. OpenVPN is offline, so the script disconnects from it. On subsequent checks, the script does nothing until the OpenVPN server is available. When OpenVPN is online again, a connection is made to it.

To run regularly, use systemd's .timer or cron.
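The watchdog logic is small enough to separate from its side effects, which makes the policy testable without pinging anything, and the “systemd .timer” mentioned above can be written next to it. The block below is an added example, not the article's script: the server address is a TEST-NET placeholder, the config path is a placeholder, reachability is judged by ICMP exactly as in the article (three echoes rather than one, so a single lost packet does not tear the tunnel down), and the systemd units are printed for you to install by hand.

```bash
#!/bin/bash
# Added example (not the article's script): the same OpenVPN watchdog with the
# decision separated from the side effects, plus the systemd timer units.
# Assumptions: the client runs as a process named "openvpn", the server is
# considered up when it answers ICMP, and the two values below are
# placeholders to replace.

OPENVPN_IP='192.0.2.10'                            # placeholder (TEST-NET-1)
OPENVPN_CONF='/etc/openvpn/client/client1.conf'    # placeholder path

# vpn_decide SERVER(up|down) CLIENT(yes|no) -> connect | disconnect | nothing
vpn_decide() {
    case "$1/$2" in
        up/no)    echo connect ;;
        down/yes) echo disconnect ;;
        *)        echo nothing ;;
    esac
}

# three echoes, one-second wait each: "up" if at least one reply arrives
server_state() {
    if ping -c 3 -W 1 "$OPENVPN_IP" >/dev/null 2>&1; then echo up; else echo down; fi
}

client_state() {
    if pgrep -x openvpn >/dev/null; then echo yes; else echo no; fi
}

# vpn_watchdog applies the decision and prints the action taken
vpn_watchdog() {
    action=$(vpn_decide "$(server_state)" "$(client_state)")
    case "$action" in
        connect)    openvpn --config "$OPENVPN_CONF" --daemon ;;
        disconnect) pkill -x openvpn ;;
    esac
    echo "$action"
}

# print_units writes the two systemd units to stdout; copy them to
# /etc/systemd/system/ and run: systemctl enable --now vpn-watchdog.timer
print_units() {
cat <<'EOF'
# /etc/systemd/system/vpn-watchdog.service
[Unit]
Description=Reconnect OpenVPN when the server is reachable
[Service]
Type=oneshot
ExecStart=/usr/local/bin/vpn-watchdog.sh run

# /etc/systemd/system/vpn-watchdog.timer
[Unit]
Description=Run the OpenVPN watchdog every 2 minutes
[Timer]
OnBootSec=1min
OnUnitActiveSec=2min
[Install]
WantedBy=timers.target
EOF
}

# only act when invoked as ".../vpn-watchdog.sh run" (as the unit does)
case "${1:-}" in
    run) vpn_watchdog ;;
esac
```

If the server filters ICMP, replace `server_state` with a check of the actual OpenVPN port; the decision table does not change.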


How to manage VPN Settings in GNOME 3

A popular example of a Linux distribution using GNOME 3 is Ubuntu.

How to add OpenVPN connection settings to GNOME 3

To add an OpenVPN connection, click on the network connection icon and expand the connections section.

Select “Wired Settings”:

You will find yourself in the OS settings. On the “Network” tab, you can add a new VPN connection or manage existing ones. Click the plus sign (+) to add a new one.

You can enter the data manually, or import the OpenVPN connection settings from the .ovpn file.

With manual configuration, you do not need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are on the “Identity” tab; to access the other settings, click the “Advanced” button:

How to connect to OpenVPN on GNOME 3

You can enable OpenVPN connection by clicking on the network connections button, then selecting the desired VPN connection.

You can also go to Network Settings and enable the selected OpenVPN connection there.

How to change OpenVPN connection settings in GNOME 3

To edit VPN connections, click on the network connections button, then expand the VPN list and select “VPN Settings”.

Select the connection you want to change and press the gear.

How to remove OpenVPN connection in GNOME 3

To remove an OpenVPN connection, go to its settings, as shown just above, and click the “Remove VPN” button.

How to manage VPN Settings in Xfce

Popular distributions with Xfce include Kali Linux and Xubuntu.

In Xfce, networks are managed in the “Network Connections” window.

How to add OpenVPN connection settings to Xfce

There are two ways to add a new OpenVPN connection:

1) Right-click on the network connection icon and select “Edit Connections”:

In the Network Connections, click the plus sign (+).

2) Or left-click on the network connection icon and select “VPN Connections” → “Add a VPN Connection”.

Select your preferred VPN connection type.

To import a VPN connection from a file, select “Import a saved VPN configuration”.

Click the “Create” button and specify the settings file.

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings”, and “IPv6 Settings” tabs. Some of the settings are on the “VPN” tab; to access the other settings, click the “Advanced” button.

How to connect to OpenVPN in Xfce

To connect to OpenVPN, left-click on the network connection icon and select “VPN Connections” and then select the desired connection.

If the connection is successful, a check mark will appear next to the VPN connection name.

How to change or remove OpenVPN connection settings in Xfce

To add, change or remove VPN connections, go to Network Connections: right-click on the network connection icon and select “Edit Connections”.

How to manage VPN Settings in Cinnamon

The Cinnamon desktop environment is primarily characteristic of Linux Mint.

Network Connections and Network Settings in Cinnamon

When you click on the network connection icon (its appearance depends on whether you are using a wired or wireless connection), two options will be available to manage networks:

  • Network Settings – provided by Cinnamon (therefore, it is present only in this desktop environment)
  • Network Connections – provided by NetworkManager (hence, it is present in any distribution with NetworkManager)

In general, these settings allow you to do the same things: add, edit and remove network connections.

Network Settings contains a list of Wi-Fi networks available for connection, as well as a list of OpenVPN settings, proxies, wired connections. In Network Settings, you can activate a particular network connection.

Network Connections does not show Wi-Fi networks available for connection, but it stores the settings of the networks to which the computer has ever connected.

Managing OpenVPN Connections in Network Settings

To remove an OpenVPN connection, select it and click the minus sign (-).

The connection will be deleted without confirmation.

Click the plus sign (+) to add an OpenVPN connection.

You will be presented with 2 options:

  • OpenVPN (compatible with the OpenVPN server) – you will need to enter the settings manually and specify the certificate files
  • Import from file – import settings from an .ovpn file

With manual configuration, you do not need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are on the “Identity” tab; to access the other settings, click the “Advanced” button:

To edit an OpenVPN connection, select it and click the gear icon.

Some of the settings are located on the “Identity” tab.

To access other settings, click the “Advanced” button.

Managing OpenVPN Connections in Network Connections

To remove an OpenVPN connection, select it and click the minus sign (-).

Click the plus sign (+) to add an OpenVPN connection.

In the drop-down list, you will have many options available, 2 of them are related to OpenVPN:

  • OpenVPN – you will need to enter the settings manually and specify the certificate files
  • Import a saved VPN configuration

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings”, and “IPv6 Settings” tabs. Some of the settings are on the “VPN” tab; to access the other settings, click the “Advanced” button.

To edit an OpenVPN connection, select it and click the gear icon.

Connecting to OpenVPN server

You can add multiple OpenVPN connections and enable any of them depending on your needs. You can enable them as in the main NetworkManager panel – click on the selected connection:

You can also enable VPN connections in Network Settings, to do this, select the desired VPN connection and click the switch:
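All three desktop dialogs above (GNOME, Xfce, Cinnamon) drive the same NetworkManager, so the add / connect / edit / remove steps can be scripted with nmcli. The block below is an added example, not from the article: `nmcli connection import type openvpn file` is the counterpart of “Import from file”, `+vpn.data` sets the individual fields that live behind the “Advanced” button, and `connection show --active` answers the “is the check mark there” question. It assumes that after an import NetworkManager names the connection after the .ovpn file without its extension (pass a second argument to `nm_import` to rename it).

```bash
#!/bin/bash
# Added example (not from the article): the NetworkManager dialogs' actions
# done with nmcli.  Assumption: an imported connection is named after the
# .ovpn file without its extension (NetworkManager's default).

# ovpn_connection_name FILE -> the connection name an import will produce
ovpn_connection_name() {
    name=${1##*/}
    echo "${name%.ovpn}"
}

# nm_import FILE [NAME]: "Import from file", optionally renamed afterwards
nm_import() {
    nmcli connection import type openvpn file "$1"
    if [ -n "$2" ]; then
        nmcli connection modify "$(ovpn_connection_name "$1")" connection.id "$2"
    fi
}

nm_up()     { nmcli connection up id "$1"; }        # click the connection / switch on
nm_down()   { nmcli connection down id "$1"; }      # switch off
nm_delete() { nmcli connection delete id "$1"; }    # the minus sign / "Remove VPN"

# nm_set NAME KEY VALUE: one field of the "Advanced" dialog, e.g.
#   nm_set client1 remote-cert-tls server
# which makes the client insist that the peer certificate is a server cert.
nm_set() { nmcli connection modify "$1" +vpn.data "$2=$3"; }

# active_vpn_names reads "NAME:TYPE" lines (nmcli -t output) from stdin and
# prints the names of active VPN connections
active_vpn_names() { awk -F: '$2 == "vpn" { print $1 }'; }

# nm_active_vpn -> names of VPN connections that are up right now
nm_active_vpn() { nmcli -t -f NAME,TYPE connection show --active | active_vpn_names; }

echo "$(ovpn_connection_name /home/user/client1.ovpn)"   # client1
```

The `remote-cert-tls server` field is the one “Advanced” option worth setting on every client: without it, any certificate signed by the same CA, including another client's, is accepted as the server.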

Simultaneous use of multiple OpenVPNs on one server

You can run several OpenVPN processes on the same server at the same time; they listen on different ports and provide separate virtual private networks that do not overlap.

Multiple instances of OpenVPN are provided out of the box, but additional configuration is required.

1. OpenVPN services must use different ports

All OpenVPN services must use a free port. Remember that the same UDP and TCP port numbers are different ports, that is, you can use the same port number in two instances of OpenVPN, provided that one of them is a UDP port and the other is a TCP port.

If two OpenVPN services use the same port, then the OpenVPN instance that is started first will work without error, and the second instance will not start due to the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error

2. Range of addresses of the virtual private network

By default, a range of IP addresses for a virtual private network is specified in the server configuration file, for example:

server 10.8.0.0 255.255.255.0

Additional instances of the OpenVPN service must use different ranges. For example, for the second service, you can specify the following range:

server 10.8.1.0 255.255.255.0

For the third service, you can specify the following range of IP addresses, and so on:

server 10.8.2.0 255.255.255.0

3. Traffic routing for all virtual private networks

The section “Enable traffic routing on the OpenVPN server” shows how to enable NAT for VPN traffic so that clients can reach the Internet. The example in that section configures routing for traffic from the 10.8.0.0/24 subnet. Since additional instances of the OpenVPN service use different subnets (for example, 10.8.1.0/24), routing must be configured for each of these networks for their clients to reach the Internet.

An example of the original contents of the /root/bin/vpn_route.sh file:

#!/bin/sh

# specify the name of the interface, otherwise the script will try to select it automatically
#DEV='eth0'
DEV='ens3'
PRIVATE=10.8.0.0/24

if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi
# Enable packet forwarding so that packets arriving on the tunnel interface
# can leave through the external interface
sysctl net.ipv4.ip_forward=1
# Make sure iptables does not block forwarded traffic
# (this accepts all forwarded traffic; restrict it to -s $PRIVATE -o $DEV if needed)
iptables -I FORWARD -j ACCEPT
# Network Address Translation (NAT) for packets coming from the tunnel.
# With forwarding enabled, packets are forwarded by default with their
# source address unchanged, that is, in our case 10.8.0.*.  Such packets are
# either dropped at the ISP gateway or, even if they reach the destination,
# the reply never finds a way back: these private addresses are not routed
# on the Internet.
#
# The solution is Network Address Translation (NAT) of outgoing traffic,
# i.e. replacing the private 10.8.0.* address with the public IP address of
# the VPN server.  Replies then reach the VPN server, and from there they
# are sent back into the tunnel.
iptables -t nat -I POSTROUTING -s $PRIVATE -o $DEV -j MASQUERADE

The file /root/bin/vpn_route.sh with NAT added for the subnets 10.8.1.0/24, 10.8.2.0/24, and 10.8.3.0/24:

#!/bin/sh

DEV='ens3'
PRIVATE=10.8.0.0/24

if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi

sysctl net.ipv4.ip_forward=1

iptables -I FORWARD -j ACCEPT

# one MASQUERADE rule per OpenVPN instance, each with its own subnet
iptables -t nat -I POSTROUTING -s $PRIVATE -o $DEV -j MASQUERADE

iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o $DEV -j MASQUERADE

iptables -t nat -I POSTROUTING -s 10.8.2.0/24 -o $DEV -j MASQUERADE

iptables -t nat -I POSTROUTING -s 10.8.3.0/24 -o $DEV -j MASQUERADE

To check the NAT settings, run the command

iptables -L -t nat
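Steps 1 to 3 are easy to get wrong by hand once there are more than two instances, so here is an added example that is not part of the article: it summarises each server configuration (proto, port, “server” subnet), reports the two collisions described above (same proto and port, or the same subnet; the same port number on UDP and on TCP is correctly not a collision), and prints the per-subnet MASQUERADE rules of step 3 instead of having them copied by hand. The three configuration fragments are constructed for the example; rules are printed, not applied.

```bash
#!/bin/bash
# Added example (not part of the article): check OpenVPN server configs for
# port and subnet collisions and generate the NAT rules for each subnet.
# The config fragments below are constructed; nothing is applied.

# instance_summary NAME < config -> "NAME PROTO PORT SUBNET"
# (OpenVPN defaults: proto udp, port 1194; "-" when no "server" line)
instance_summary() {
    awk -v n="$1" '
        $1 == "proto"  { p = $2; sub(/-(server|client)$/, "", p) }
        $1 == "port"   { port = $2 }
        $1 == "server" { net = $2 "/" $3 }
        END { printf "%s %s %s %s\n", n, (p ? p : "udp"), (port ? port : 1194), (net ? net : "-") }'
}

# check_instances < summaries -> one line per collision, nothing when clean
check_instances() {
    awk '
        { key = $2 ":" $3
          if (key in byport) print "port clash: " $1 " and " byport[key] " both bind " key
          byport[key] = $1
          if (($4 != "-") && ($4 in bynet)) print "subnet clash: " $1 " and " bynet[$4] " both use " $4
          bynet[$4] = $1 }'
}

# nat_rules DEV < summaries -> one MASQUERADE rule per subnet, mask in CIDR form
nat_rules() {
    awk -v dev="$1" '
        $4 != "-" { split($4, a, "/"); split(a[2], o, "."); bits = 0
                    for (i = 1; i <= 4; i++) { v = o[i]; while (v) { bits += v % 2; v = int(v / 2) } }
                    printf "iptables -t nat -I POSTROUTING -s %s/%d -o %s -j MASQUERADE\n", a[1], bits, dev }'
}

# constructed configs: a UDP instance, a TCP instance on the same port number
# (allowed), and a third instance that collides with both of them
CFG_UDP='port 1194
proto udp
server 10.8.0.0 255.255.255.0'
CFG_TCP='port 1194
proto tcp-server
server 10.8.1.0 255.255.255.0'
CFG_DUP='port 1194
proto udp
server 10.8.1.0 255.255.255.0'

summaries() {
    printf '%s\n' "$CFG_UDP" | instance_summary server-udp
    printf '%s\n' "$CFG_TCP" | instance_summary server-tcp
    printf '%s\n' "$CFG_DUP" | instance_summary server-dup
}

# clash_count -> number of collisions among the sample configs
clash_count() { summaries | check_instances | wc -l | tr -d ' '; }

summaries | check_instances
summaries | nat_rules ens3
```

On a real server feed it with `for f in /etc/openvpn/server/*.conf; do instance_summary "$(basename "$f" .conf)" < "$f"; done | check_instances`. Note that `iptables -I FORWARD -j ACCEPT` in the scripts above also allows forwarding between the VPN subnets themselves; if the instances are meant to be isolated from each other, add FORWARD rules per subnet and output interface instead of the blanket accept.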

4. Configuring local static addresses

If you used the section “How to make static IPs for OpenVPN clients” and added entries like “ifconfig-push 10.8.0.10 255.255.255.0” to the file “/etc/openvpn/ccd/client1”, then you need to use different client names for the second and subsequent OpenVPN networks as they use different VPN IP ranges.

5. Starting and adding the second and subsequent OpenVPN services to startup

Note that with systemctl you can use a command like

openvpn-server@<configuration>.service

where <configuration> is a configuration file located in the /etc/openvpn/server/ folder, but without the .conf extension

For example, if the configuration file for the second instance of the OpenVPN service is placed in /etc/openvpn/server/server-tcp.conf, then the command to start the service is:

sudo systemctl start openvpn-server@server-tcp.service

Checking the status of the service with the server-tcp.conf configuration file:

systemctl status openvpn-server@server-tcp.service

View OpenVPN service errors with server-tcp.conf config file:

journalctl -xeu openvpn-server@server-tcp.service

Add service to startup:

sudo systemctl enable openvpn-server@server-tcp.service


Comparison of performance (data transfer rate) of OpenVPN over UDP and TCP

The previous article showed how to use OpenVPN with TCP instead of the default UDP. It is also known that using TCP is not recommended because, due to the “overhead” of the TCP transport protocol, less payload is transmitted: part of the channel is taken up by the control information needed to guarantee the integrity of the transmitted packets. But how exactly does switching from UDP to TCP affect the performance of the OpenVPN server and the speed of receiving and sending data? This article answers that question.

My internet connection speed without using OpenVPN:

My internet connection speed using OpenVPN over UDP:

My internet connection speed using OpenVPN over TCP:

As you can see, the speed loss when migrating from UDP to TCP is quite significant. The difference in speed between the absence of OpenVPN and OpenVPN over UDP is negligible – in fact, in both cases, the speed is practically limited by the maximum bandwidth of my network.


How to use OpenVPN with TCP protocol

By default, OpenVPN uses UDP, and that is the officially recommended choice. However, TCP also works fine with OpenVPN and you can use it if needed. In theory, TCP has more “overhead”: some part of the transmitted data carries no payload and is needed only for TCP itself, which tracks the delivery and integrity of the transmitted packets.

In my case, the need to add TCP support arose due to the fact that with some ISPs OpenVPN on the UDP protocol could not connect due to an error (the error will be discussed later), but it worked fine on the TCP protocol.

To configure OpenVPN to work with TCP, you need to know the following points:

1. The protocol must be specified explicitly

In the settings of the configuration files, instead of the line

;proto tcp

use on the server the line

proto tcp-server

and on the client the line

proto tcp-client

For reference: UDP protocol on both the server and the client is denoted the same way:

proto udp

2. The TCP protocol must be specified in the configuration files of both the server and the client

Protocol settings are not transferred from the server and must be explicitly specified not only on the server itself, but also for each client in the configuration file.

3. Do not use the explicit-exit-notify option

In the server config file, don't use the setting (just remove this line):

explicit-exit-notify 1

Otherwise, you will encounter the error:

Options error: --explicit-exit-notify can only be used with --proto udp

4. The port must be free

This applies equally to how OpenVPN works with UDP and TCP: the selected port must be free, otherwise you will encounter the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error
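The four points above can be checked before the service is started rather than discovered from the error messages. The block below is an added example, not code from the article or from OpenVPN: it reads a server config and a client config, reports a missing or mismatched proto (the tcp-server / tcp-client pairing described in points 1 and 2), flags explicit-exit-notify on a TCP server (point 3), and offers a live port check with `ss` for point 4. The configuration fragments are constructed for the example; vpn.example.com is a placeholder.

```bash
#!/bin/bash
# Added example (not from the article): pre-flight checks for an OpenVPN
# server/client pair switched to TCP.  Configs below are constructed; the
# port check is the only part that touches the live system.

# config_proto < config -> the effective proto ("udp" when absent, OpenVPN's default)
config_proto() {
    awk '$1 == "proto" { p = $2 } END { print (p ? p : "udp") }'
}

# config_has OPTION < config -> exit 0 if the option is present
config_has() {
    awk -v o="$1" '$1 == o { found = 1 } END { exit !found }'
}

# check_pair SERVER_CONFIG_TEXT CLIENT_CONFIG_TEXT -> one problem per line
check_pair() {
    sp=$(printf '%s\n' "$1" | config_proto)
    cp=$(printf '%s\n' "$2" | config_proto)
    case "$sp/$cp" in
        udp/udp) ;;
        tcp-server/tcp-client) ;;
        tcp/*|*/tcp) echo "proto tcp is ambiguous: use tcp-server on the server and tcp-client on the client" ;;
        *) echo "protocol mismatch: server '$sp', client '$cp' (both sides must be set explicitly)" ;;
    esac
    if [ "$sp" != udp ] && printf '%s\n' "$1" | config_has explicit-exit-notify; then
        echo "explicit-exit-notify is only valid with proto udp; remove it from the server config"
    fi
}

# port_in_use udp|tcp PORT -> "yes"/"no" (live check with iproute2's ss)
port_in_use() {
    if [ "$1" = udp ]; then flag=-u; else flag=-t; fi
    if ss -H -l -n "$flag" "sport = :$2" 2>/dev/null | grep -q .; then echo yes; else echo no; fi
}

# constructed configs: a wrong pair and a correct pair
SRV_BAD='port 1194
proto tcp-server
server 10.8.0.0 255.255.255.0
explicit-exit-notify 1'
CLI_BAD='client
proto tcp
remote vpn.example.com 1194'
SRV_OK='port 1194
proto tcp-server
server 10.8.0.0 255.255.255.0'
CLI_OK='client
proto tcp-client
remote vpn.example.com 1194'

# problem_count SERVER CLIENT -> number of problems reported
problem_count() { check_pair "$1" "$2" | wc -l | tr -d ' '; }

check_pair "$SRV_BAD" "$CLI_BAD"
echo "problems in the bad pair: $(problem_count "$SRV_BAD" "$CLI_BAD")"   # 2
echo "problems in the good pair: $(problem_count "$SRV_OK" "$CLI_OK")"    # 0
```

Run `port_in_use tcp 1194` on the server before `systemctl start`; a “yes” is exactly the situation that produces the “Address already in use (errno=98)” line above.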
