Page 1 of 2 (Results 1 to 20 of 22)
  1.    #1  
    Hi,

    I hope someone can help me with this. Here's the situation:

    My wife has a TP. She wants to use it in the wild with unsecured wireless hotspots. I'm not comfortable with that as her gmail and facebook passwords will be broadcast out in the open.

    What I've done is to set up an OpenVPN server (a Windows 7 x64 box) at home and installed the OpenVPN app on her TP. I have also installed the ProxySwitch app. I can now forward, via proxy, her web usage back to my home VPN server and onto the Internet from there. I can also do the same, via tunnels, with her non-gmail based e-mail (POP) accounts. That all works nicely. However...

    Here's the problem. I cannot forward her gmail (IMAP) communications via tunnels over the VPN. The response from the e-mail app is that the host certificates do not match. I assume that to be true since the e-mail app is looking for gmail and it is finding my home VPN server first. Interestingly, I do this with my Windows laptop and Outlook seems to have no problem with it. Works like a champ. I need to keep this IMAP as that is where her contacts and calendars are.

    So, is there a way to do this? Maybe there is a way to turn off certificate checking by the e-mail app? Or is there some other way to forward the gmail (IMAP) e-mail traffic via the VPN?

    BTW, I did try to use OpenSSH and ssh tunnelling, however, either OpenSSH or one of its dependent apps prevents the HP App Catalog from working. Haven't figured out why. I just know when I install it, the App Catalog stops working and when I uninstall it, the App Catalog starts working again.

    Anyway, I would sure appreciate any help/guidance from the collective genius out there!

    Thanks!
  2. #2  
    I've just tried my VPN. I'm using the downloadable PPTP VPN from HP.
    A traceroute did show me that all traffic is going through the tunnel.
    I can send/receive email via gmail imap and the app cat is working as well.
    I double checked on the remote VPN router and I'm quite sure everything is going through that tunnel.
    Wasn't there a setting in openVPN to route all traffic through the tunnel?
    Sorry no expert here.
  3.    #3  
    Hi,

    Thanks for the quick response!

    When you say that you are using the downloadable PPTP VPN from HP, are you doing that on the client side (TP) or on the server side? I wasn't aware of a VPN server from HP.

    I have tried the client PPTP VPN to my server. It establishes the connection fine, however, traffic bound for the Internet never seems to make it there. I can communicate fine with the server, but can't seem to get the server to forward on the traffic from the client to the Internet.

    As for OpenVPN, there is a directive (push "redirect-gateway def1") that is supposed to route all traffic from the client to the OpenVPN server. Once again, however, the traffic never seems to leave the server to the Internet. I have tried enabling IP Forwarding on the server by setting the value of Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\IPEnableRouter to 1. I have also turned off my firewall just to make sure it wasn't blocking the traffic. Still no joy.

    I have tried to attack this from the TP side as well as the server side. Coming close, but no cigar.
  4. #4  
    Sorry for not being clear. The PPTP VPN is on the client side, but wasn't included in the webOS version and therefore needed to be downloaded from the app cat to the TP.
    I connect to a VPN Router (draytek vigor). I'm not 100% sure that email is not using the local connection, but for me it looks like it's going through the tunnel.
    What happens when you run "traceroute www.google.com"?
    Is it using the tunnel?
  5. #5  
    Update:
    Here's the traceroute output WITHOUT VPN:
    Code:
    traceroute to www.google.com (74.125.39.106), 30 hops max, 38 byte packets
     1  192.168.169.1 (192.168.169.1)  3.761 ms  5.525 ms  2.835 ms
     2  rdsl-brln-de01.nw.mediaways.net (213.20.59.131)  26.160 ms  26.190 ms  25.314 ms
    192.168.169.1 is my local router
    rdsl-brln-de01.nw.mediaways.net my ISP

    Now WITH VPN
    Code:
    root@TouchPad:/# traceroute www.google.com
    traceroute to www.google.com (74.125.43.106), 30 hops max, 38 byte packets
     1  192.168.69.1 (192.168.69.1)  118.624 ms  119.376 ms  109.878 ms
     2  *  *  *
     3  83-169-179-62-isp.superkabel.de (83.169.179.62)  95.635 ms  95.657 ms  139.896 ms
    192.168.69.1 The VPN router
    83-169-179-62-isp.superkabel.de The ISP of the remote site
  6.    #6  
    Quote Originally Posted by somline:
    Sorry for not being clear. The PPTP VPN is on the client side, but wasn't included in the webOS version and therefore needed to be downloaded from the app cat to the TP.
    I connect to a VPN Router (draytek vigor). I'm not 100% sure that email is not using the local connection, but for me it looks like it's going through the tunnel.
    What happens when you run "traceroute www.google.com"?
    Is it using the tunnel?
    Thanks for clearing up which VPN you were talking about. As for traceroute Google ... when using OpenVPN I get,

    1 * * *
    2 * * *
    3 * * *
    4 * * *
    5 * * *

    When using the HP VPN PPTP connection, I get,

    traceroute: bad address 'www.google.com'

    Interesting, eh?
  7. #7  
    Seems to be a problem on the server?
    You probably know that VPN is not working while you are in the same network as the VPN?
    My TP is in a 192.168.169.0 Network while the VPN is 192.168.69.0.
    Since there isn't much to configure in PPTP on TP it must be a server problem.
  8.    #8  
    Quote Originally Posted by somline:
    Seems to be a problem on the server?
    Maybe so, but for the life of me, I can't figure it out.
  9. vreihen    #9  
    With a disclaimer that I haven't tried this since webOS 1.45 on my Pre+, I determined that Palm's IMAP service at the time would not route IMAP traffic over an OpenVPN link even though traceroute and web traffic passed over the VPN link properly. I suspected at the time that it was being caused by Palm doing some type of kludge with an intermediate IMAP server to make IMAP IDLE work without killing the battery keeping the 3G radio up listening for push updates.

    Why do you need to route Gmail's IMAP connection over a VPN link? At least on my TP, Gmail uses SSL encryption by default on both IMAP (read) and SMTP (send). No passwords should ever go over the air unencrypted to Gmail from a TP.....
    Sent from my Etch-a-Sketch.

    #staycoolmybabies
  10.    #10  
    Thanks for your response.

    Quote Originally Posted by vreihen:
    With a disclaimer that I haven't tried this since webOS 1.45 on my Pre+, I determined that Palm's IMAP service at the time would not route IMAP traffic over an OpenVPN link even though traceroute and web traffic passed over the VPN link properly.
    I am forcing it over the OpenVPN link by specifying the IMAP and SMTP server as the OpenVPN server IP address (on that server, I use an app to forward the requests on those ports to imap.gmail.com and smtp.gmail.com). Unfortunately, the certificate checking gets in the way.

    Quote Originally Posted by vreihen:
    Why do you need to route Gmail's IMAP connection over a VPN link? At least on my TP, Gmail uses SSL encryption by default on both IMAP (read) and SMTP (send). No passwords should ever go over the air unencrypted to Gmail from a TP.....
    My understanding is that during the initial handshake, the passwords are exposed in the clear. Once the connection has been established, the subsequent traffic is encrypted via SSL. I could be wrong, but that is what I've been led to believe from my readings elsewhere in the past. It was the reason I set it up for my laptop, which works perfectly. Now, if I could just get the darn TP working.

    Thanks.
  11.    #11  
    Quote Originally Posted by somline:
    Seems to be a problem on the server?
    I've been playing around with it some more. Using OpenVPN and the MS VPN methodology. As well, I have an old Win XP Pro box (plz don't laugh :^/ ) that I tried as a server as well.

    To this point, it appears the DNS requests are not making it past the servers. Again, I've turned off the firewall to see if it is blocking the requests, but that didn't help.

    I think you are right...there's something not right on the server, however, it is strange that it would be the same thing that is wrong with both Win 7 and Win XP.

    Appreciate any interesting ideas to pursue this. Thanks!
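    The routing symptoms in #3 and #11 (client traffic never leaving the server, DNS requests not getting past it, traceroute reporting "bad address") usually come down to what the server pushes to the client plus forwarding and NAT on the server host. The script below is an added example, not code from this thread or from the OpenVPN project: it parses a constructed server.conf, reports which full-tunnel directives are missing, and lists the host-side checks a config file cannot express (the IPEnableRouter key from #3, and NAT/ICS for the tun subnet). The DNS address 10.8.0.1 in the fixed config is an assumption that the server answers DNS on its tun address; substitute a resolver reachable through the tunnel.

```python
"""Audit an OpenVPN server.conf for full-tunnel ("route everything home")
directives.  Added example, not code from the thread; the sample config
is constructed and the DNS address is an assumption."""

# Constructed sample: routes only the VPN subnet itself, so clients connect
# but Internet and DNS traffic keep using the hotspot.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
"""

# The same file with the two pushes a full tunnel needs (10.8.0.1 assumed).
FIXED_CONF = SAMPLE_CONF + (
    'push "redirect-gateway def1"\n'
    'push "dhcp-option DNS 10.8.0.1"\n'
)

# Things the config file cannot verify; the thread's own fixes live here.
HOST_CHECKS = [
    "IP forwarding enabled on the server host "
    "(Windows: HKLM\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\IPEnableRouter = 1)",
    "NAT / Internet Connection Sharing for the tun subnet on the Internet-facing interface",
    "firewall permits forwarded traffic from the tun subnet",
]


def parse_conf(text):
    """Return (directive, argument-string) pairs, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        entries.append((name, rest.strip()))
    return entries


def pushed_options(entries):
    """The quoted options the server pushes to connecting clients."""
    return [rest.strip('"').strip("'") for name, rest in entries if name == "push"]


def audit_full_tunnel(text):
    """Report missing full-tunnel pushes plus the host-side checks to perform."""
    pushes = pushed_options(parse_conf(text))
    missing = []
    if not any(p.startswith("redirect-gateway") for p in pushes):
        missing.append('push "redirect-gateway def1" (client keeps its local default route)')
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        missing.append('push "dhcp-option DNS <resolver>" (names resolve via the hotspot, '
                       'or fail with "bad address" once the default route moves into the tunnel)')
    return {"pushes": pushes, "missing": missing, "host_checks": HOST_CHECKS}


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        report = audit_full_tunnel(conf)
        print(f"{label}: missing={report['missing']}")
    print("then verify on the host:", *HOST_CHECKS, sep="\n  - ")
```

    The audit deliberately treats a commented-out push as absent, which is how the sample reproduces the "connects fine, nothing reaches the Internet" state; the DNS push matters because once the default route moves into the tunnel, a resolver that was only reachable on the hotspot's LAN stops answering.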
  12. vreihen    #12  
    Quote Originally Posted by y3ll0wpad:
    My understanding is that during the initial handshake, the passwords are exposed in the clear. Once the connection has been established, the subsequent traffic is encrypted via SSL. I could be wrong, but that is what I've been led to believe from my readings elsewhere in the past.
    The entire login handshake process is encrypted by SSL if you connect to an encrypted IMAPS port (993). Google doesn't even support unencrypted IMAP. You can prove it to yourself by telnetting to an open IMAP server on port 143 (unencrypted), which will show a text handshake. Then, telnet to port 993 (SSL), and you won't see a thing that you can read.....
    Sent from my Etch-a-Sketch.

    #staycoolmybabies
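    Two points from #10 and #12 fit in one script: the login exchange on port 993 happens inside TLS (the telnet test vreihen describes), and the "host certificates do not match" error from #10 is hostname verification doing its job, because the client connects to the home server's IP but Gmail's certificate names imap.gmail.com. The right move is to keep verification and pin it to the name you expect, not to switch it off. This is an added example, not code from the thread; it uses Python's standard ssl module, the certificate dictionaries are constructed (not Gmail's real certificate), and `homevpn.example` is a placeholder for the OP's forwarder.

```python
"""Verify Gmail IMAPS without disabling certificate checks.  Added example,
not from the thread; the certificate dicts below are constructed."""
import socket
import ssl


def imaps_greeting(connect_host, expected_name="imap.gmail.com", port=993, timeout=10):
    """Open a verified TLS session to connect_host:port and return the IMAP
    greeting.  connect_host may be a forwarder (e.g. the home OpenVPN box);
    the certificate is still checked against expected_name via SNI, so a
    forwarder that terminates TLS itself fails cleanly instead of silently."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            greeting = tls.recv(1024).decode("ascii", "replace").strip()
            tls.sendall(b"a1 LOGOUT\r\n")  # LOGIN would already be inside TLS here
            return greeting


def cert_dns_names(peercert):
    """DNS names from a getpeercert() dict: subjectAltName first, else the CN."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(hostname, pattern):
    """Exact match, or a single leading '*' label (no '*.com' style matches)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(host) > 2 and host[1:] == pat[1:]
    return host == pat


def certificate_covers(peercert, hostname):
    """True when any name in the certificate matches the name we expected."""
    return any(name_matches(hostname, p) for p in cert_dns_names(peercert))


# Constructed certificate dicts in getpeercert() layout (not real certs).
SAMPLE_GMAIL_CERT = {
    "subject": ((("commonName", "imap.gmail.com"),),),
    "subjectAltName": (("DNS", "imap.gmail.com"), ("DNS", "*.gmail.com")),
}
SAMPLE_FORWARDER_CERT = {  # what the OP's mail app saw: the home server's own cert
    "subject": ((("commonName", "homevpn.example"),),),
    "subjectAltName": (("DNS", "homevpn.example"),),
}

if __name__ == "__main__":
    print("gmail cert covers imap.gmail.com:",
          certificate_covers(SAMPLE_GMAIL_CERT, "imap.gmail.com"))
    print("forwarder cert covers imap.gmail.com:",
          certificate_covers(SAMPLE_FORWARDER_CERT, "imap.gmail.com"))
    try:  # needs network; greeting arrives only after the TLS handshake completes
        print(imaps_greeting("imap.gmail.com"))
    except OSError as exc:
        print("no network / handshake failed:", exc)
```

    A plain TCP port forward on the VPN server passes Gmail's certificate through untouched, so `imaps_greeting("<home server tun address>")` verifies against imap.gmail.com exactly as a direct connection does; the thread's mismatch error means the app was verifying against the address it dialled rather than the Gmail name, which is a client-side limitation the script sidesteps with `server_hostname`.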
  13.    #13  
    Quote Originally Posted by vreihen:
    The entire login handshake process is encrypted by SSL if you connect to an encrypted IMAPS port (993). Google doesn't even support unencrypted IMAP. You can prove it to yourself by telnetting to an open IMAP server on port 143 (unencrypted), which will show a text handshake. Then, telnet to port 993 (SSL), and you won't see a thing that you can read.....
    I appreciate the info. I wanted to prove that one way or the other. I set up an open, unsecured hotspot. I then used Wireshark to capture all the traffic. There's good news and bad news.

    First, the good news. You are correct in that the gmail traffic is entirely encrypted and I can see where the handshaking takes place, but I can't see any signs of account name or password. So, that's good.

    Unfortunately, I noticed that the calendar sync is displaying the account name and authorization string in clear text. I assume anyone with a mind to could take that information and hack into the account.

    So, while the gmail question seems to be safe for now, we need to figure out how to get the syncing operations (I assume this will be true with contacts as well) encrypted or passed through the VPN.

    Making progress...more to do. I appreciate the help!
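    The check y3ll0wpad did by eye in Wireshark (IMAPS unreadable, calendar sync showing the account name and authorization string in the clear) can be automated over exported flows. The script below is an added example, not code from the thread or a real webOS capture: the flows are constructed with placeholder hostnames and credentials, TLS is recognised from the record bytes rather than the port, and the report names the mechanism and the account exposed but never returns the password itself.

```python
"""Flag credentials carried outside TLS in captured client traffic.
Added example, not from the thread; the flows are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on this connection


# Constructed sample flows (fake hosts/credentials, not a real capture).
SAMPLE_FLOWS = [
    # IMAPS: a TLS ClientHello, nothing readable
    Flow(993, bytes.fromhex("16030100a5010000a10303") + b"\x00" * 16),
    # A calendar-style sync request sending HTTP Basic auth over plain HTTP
    Flow(80, b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
             b"Host: calendar.example.invalid\r\n"
             b"Authorization: Basic "
             + base64.b64encode(b"alice@example.invalid:hunter2") + b"\r\n\r\n"),
    # Plain IMAP LOGIN on 143
    Flow(143, b'a1 LOGIN alice@example.invalid "hunter2"\r\n'),
    # Ordinary page fetch, no credentials
    Flow(80, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
IMAP_LOGIN_RE = re.compile(rb"^\S+\s+LOGIN\s+(\S+)\s+", re.I | re.M)


def looks_like_tls(payload):
    """TLS record header: content type 0x16 (handshake), version major 0x03."""
    return payload[:1] == b"\x16" and payload[1:2] == b"\x03"


def basic_username(token):
    """Username half of a Basic token; the password is discarded on purpose."""
    try:
        return base64.b64decode(token).split(b":", 1)[0].decode("utf-8", "replace")
    except ValueError:
        return "<undecodable>"


def find_cleartext_credentials(flows):
    """Return (dst_port, mechanism, username) for each flow that carries a
    credential outside TLS.  Port numbers are not trusted; the bytes are."""
    hits = []
    for f in flows:
        if looks_like_tls(f.payload):
            continue
        m = BASIC_RE.search(f.payload)
        if m:
            hits.append((f.dst_port, "HTTP Basic", basic_username(m.group(1))))
            continue
        m = IMAP_LOGIN_RE.search(f.payload)
        if m:
            hits.append((f.dst_port, "IMAP LOGIN", m.group(1).decode("utf-8", "replace")))
    return hits


if __name__ == "__main__":
    for port, mech, user in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"cleartext credential: port {port}, {mech}, account {user}")
```

    Feeding real data means exporting each TCP stream's first client bytes (Wireshark's "Follow TCP Stream" or tshark) into Flow objects; the IMAPS flow drops out at the TLS check, which is the "nothing readable on 993" observation, while the sync request on port 80 is exactly the kind of finding that went to the webOS security address later in this thread.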
  14. vreihen    #14  
    Quote Originally Posted by y3ll0wpad:
    Unfortunately, I noticed that the calendar sync is displaying the account name and authorization string in clear text. I assume anyone with a mind to could take that information and hack into the account.
    Have you reported your findings to webOS' security folks yet? To say that this behavior is asinine would be an understatement, and it should be addressed as a major security flaw in the product!!!!!
    Sent from my Etch-a-Sketch.

    #staycoolmybabies
  15.    #15  
    Quote Originally Posted by vreihen:
    Have you reported your findings to webOS' security folks yet? To say that this behavior is asinine would be an understatement, and it should be addressed as a major security flaw in the product!!!!!
    I wholeheartedly agree with you, however, I have no clue as to how to report it. I also wonder if there is anyone left to report it to. Is there? How do you report it?

    Still...how can I get this to go through my VPN/proxy? I don't think I want to wait around for HP.

    Thanks...
  16. vreihen    #16  
    Quote Originally Posted by y3ll0wpad:
    I wholeheartedly agree with you, however, I have no clue as to how to report it. I also wonder if there is anyone left to report it to. Is there? How do you report it?
    Send an e-mail to: webos-security<at>palm.com

    Palm.com : Security Notice

    They are still releasing updates as of a few days ago, and I'm sure that there's someone around to address security concerns. If the Google calendar sync API they are using sends logon and password info over the air as plain text in the 21st century, that is certainly worthy of a report IMO.

    Unfortunately, I cannot be of much help trying to get a VPN to tunnel the equivalent of default route.....
    Sent from my Etch-a-Sketch.

    #staycoolmybabies
  17.    #17  
    Quote Originally Posted by vreihen:
    Send an e-mail to: webos-security<at>palm.com

    Palm.com : Security Notice

    They are still releasing updates as of a few days ago, and I'm sure that there's someone around to address security concerns. If the Google calendar sync API they are using sends logon and password info over the air as plain text in the 21st century, that is certainly worthy of a report IMO.

    Unfortunately, I cannot be of much help trying to get a VPN to tunnel the equivalent of default route.....
    Done...thanks for the pointer. We'll see what they say.
  18. #18  
    Well, this has been answered already I guess, so no more good advice is needed. Speaking of VPN and security, please let me share a new one with you here. It's this, the Best VPN for China, that I'm sure you guys would want to consider having.
  19.    #19  
    Quote Originally Posted by y3ll0wpad:
    Done...thanks for the pointer. We'll see what they say.
    I still want to route all traffic via the VPN. Should I open a separate thread, as this one was addressed to Gmail specifically?


    BTW, here's the response from HP.

    Hello,

    Thanks for bringing this to our attention. We are investigating this issue, and will keep you posted on the next steps.

    Regards,

    HP webOS Security team
    webos-security@palm.com
    www.hpwebos.com/security
  20. #20  
    Quote Originally Posted by y3ll0wpad:
    I appreciate the info. I wanted to prove that one way or the other. I set up an open, unsecured hotspot. I then used Wireshark to capture all the traffic. There's good news and bad news.

    First, the good news. You are correct in that the gmail traffic is entirely encrypted and I can see where the handshaking takes place, but I can't see any signs of account name or password. So, that's good.

    Unfortunately, I noticed that the calendar sync is displaying the account name and authorization string in clear text. I assume anyone with a mind to could take that information and hack into the account.

    So, while the gmail question seems to be safe for now, we need to figure out how to get the syncing operations (I assume this will be true with contacts as well) encrypted or passed through the VPN.

    Making progress...more to do. I appreciate the help!
    Which Calendar? Google? via Synergy?