Batboard

I recently got an HTC Thunderbolt on Verizon service. I learned how to set up a vpn to my remote sites so I can monitor and control the equipment with poor results. Droid user forums are not very helpful. Maybe someone here has some insight.

Problem - the web pages from all the devices is excruciatingly slow to load. I cannot look at Canopy pages at all.

I divided the problem in half to determine if it is the phone or the service. It seems to be the phone. I turned on the phone wifi hotspot and had my laptop connect to it. The laptop could build a vpn through the Verizon service, and load pages from every device at a reasonable 25-30kbps. Not a barn burner, but satisfactory for system management. I dropped the laptop vpn, connected the phone vpn, and again the laptop could get pages from all the devices. I repeated the experiment at home and at work to verify the hotspot and a laptop could always work no matter what level of data service (basic, 3G, 4G), was reported on the phone. Same results - laptop good, droid bad.

I tried four different droid web browsers - the native Chrome that came with the phone, Firefox, Opera Mobile, and Dolphin. I saw no difference in performance loading these pages. Opera Mobile seemed to work the best in loading all the other places I haunt on the web. All of them failed to load a Canopy page, and they were all slow to load a router page, a NXU, and a SNV-12 page. All of them continue to perform fine loading other web pages through the vpn through the router at the far end.

So, any ideas on what the droid platform limitation is? The Verizon service seems to be working. It's not throttleing the vpn. XP and Vista laptops work fine through the hotspot. It seems to be the phone unable to render the pages returned by all of these devices from Cisco, Raytheon, and Motorola.

Is there a bunch of Javascript crap on the management pages? It may be overwhelming the much smaller processor in the phone, causing things to run slowly...

Ya know, that just occurred to me too as I went back to the routers to see if they were blocking content or if a filter was applied. Java and ActiveX were not checked, but it made me wonder about the droid. A little google-fu shows that droid does not support java in a web browser ... yet. One link said to get DolphnHD. I'm off to try it.

One other thing to keep in mind is there is a difference between throughput and latency. EvDO and LTE have good throughput *if you can get a stream running*, but they have horrible latency. So if you are pulling down one big file, they haul ass. If you are making a large number of small requests, the latency becomes the dominating factor.

If you can, put your phone on a WiFi connection with a known low latency to the sites, and try that (and for the absolute test, activate flight mode (disable the cell subsystem) then re-activate WiFi, to be sure you are using WiFi not 3G/4G). If you see improvement, you know latency is killing you. If you don't, it could be the browser.

I would suggest using remote desktop or VNC (shudder) to log in to another computer with all the VPN tunnels. I use Jump ($20) from the app store (don't know if it is made for the droid or not, but I am sure there is something similar) on both iPhone/iPad and it works extremely well for remote control over the computer. That will let you use the CPU of a desktop that supports all the browser stuff required and be light weight enough to use via VPN.

There is of course log me in and other services which probably have Android clients as well.

Alex

I have a Moto Atrix and I use Wyse PocketCloud pro. It's a bit costly (but less than $20). It supports RDP and VNC and it works great combined with Android's VPN client.

Wowbagger wrote:One other thing to keep in mind is there is a difference between throughput and latency. EvDO and LTE have good throughput *if you can get a stream running*, but they have horrible latency. So if you are pulling down one big file, they haul ass. If you are making a large number of small requests, the latency becomes the dominating factor.

If you can, put your phone on a WiFi connection with a known low latency to the sites, and try that (and for the absolute test, activate flight mode (disable the cell subsystem) then re-activate WiFi, to be sure you are using WiFi not 3G/4G). If you see improvement, you know latency is killing you. If you don't, it could be the browser.

Thanks WB. I got lucky this week. Was at a location with zero cell service but an open wifi. No joy. VPN connection quick and easy. Pages from normal web sites reasonably fast to load, but pages from my devices were as slow as ever. Laptop tethered through the phone worked just fine. I am pretty certain it is the droid platform.

alex wrote:I would suggest using remote desktop or VNC (shudder) to log in to another computer with all the VPN tunnels. I use Jump ($20) from the app store (don't know if it is made for the droid or not, but I am sure there is something similar) on both iPhone/iPad and it works extremely well for remote control over the computer. That will let you use the CPU of a desktop that supports all the browser stuff required and be light weight enough to use via VPN.

There is of course log me in and other services which probably have Android clients as well.

Alex

I have considered that. I am kinda familiar with VNC. Used it in the past for remote desktop access. It is super handy for training dispatchers over the phone. There is a version of VNC for the droid. I haven't played with it yet, but will bump it up in my roundtoit list. We have some old PC's I could dedicate to this project if necessary.

An app called phone my pc works real well too.

alex wrote:I would suggest using remote desktop or VNC (shudder) to log in to another computer with all the VPN tunnels. I use Jump ($20) from the app store (don't know if it is made for the droid or not, but I am sure there is something similar) on both iPhone/iPad and it works extremely well for remote control over the computer. That will let you use the CPU of a desktop that supports all the browser stuff required and be light weight enough to use via VPN.

There is of course log me in and other services which probably have Android clients as well.

Alex

TeamViewer is another freebie.

That's actually a pretty neat program - completely forgot about it.

Alex

Haven't looked into that. Thanks.

alex wrote:TeamViewer is another freebie.

That's actually a pretty neat program - completely forgot about it.

Alex

We use that here, as they have a good Linux client as well as Windows.

It works well - better if you use the actual client software rather than the browser embedded version.

Bill_G wrote:Ya know, that just occurred to me too as I went back to the routers to see if they were blocking content or if a filter was applied. Java and ActiveX were not checked, but it made me wonder about the droid. A little google-fu shows that droid does not support java in a web browser ... yet. One link said to get DolphnHD. I'm off to try it.

I didn't say Java - I said JavaScript, which it does support. All of the new cute web interfaces use lots of JavaScript/AJAX/etc. to make them feel more like a desktop app. I bet that's your problem.

Do a view source on the page (from a desktop) and it should be very apparent.

tvsjr wrote:

Bill_G wrote:Ya know, that just occurred to me too as I went back to the routers to see if they were blocking content or if a filter was applied. Java and ActiveX were not checked, but it made me wonder about the droid. A little google-fu shows that droid does not support java in a web browser ... yet. One link said to get DolphnHD. I'm off to try it.

I didn't say Java - I said JavaScript, which it does support. All of the new cute web interfaces use lots of JavaScript/AJAX/etc. to make them feel more like a desktop app. I bet that's your problem.

Do a view source on the page (from a desktop) and it should be very apparent.

Shows how much I know. I thought they were one and the same. A little web study proves otherwise. Thanks for the heads up.

But! that wasn't the problem. Got it figured out - (drum roll please) - turn off droid vpn client pptp encryption. Whodathunkit?

Redid my experiment, and determined that laptop thru droid hotspot thru droid vpn to site was as slow as the droid experience. Laptop thru droid hotspot thru laptop vpn good, thru droid vpn bad. Over and over again. Turns to stone through the native droid vpn pptp client. So, that sparked a google of droid vpn clients which found a discussion in the droid forums with all these folks saying how terrible the vpn is, super slow, never connects, and other folks saying no problem, works great, and finally one guy saying "oh yeah, btw, turn off encryption".

Bingo! Edit this tunnel in droid settings, turned off encryption, and now I can load all the Canopy links like I was standing there. Every device - the routers, voter, Canopys, and serial servers - all load perfectly. I can even watch the voter modules in real time as the customer uses the system. Fantastic.

The smartphone is a productivity increaserfier.

So you are now running an unencrypted link between a cellphone and communications equipment? Please tell me I'm missing something?

Yeah. Kinda defeats the purpose of a vpn, don't it? They kinda screwed up the P part in vpn.

And amazingly enough, even though that occurred to me too as I read it in the droid forums, nobody else mentioned it despite their claims of being IT pros. So, either I'm missing something about the nature of the vpn protocol (which is not too far of a stretch), or all the folks in the know are going "shhhh".

Drilling further into the droid forums, this is a well known, and as yet, unaddressed problem with the droid platform. PPTP only works through a droid if you turn off encyption. L2TP has limited success depending on the server. Time to learn me more about the routers we're using.

Ha! Drilling even further into subjects I am not strong in, it appears droid does not support encryption in l2tp either.

If your VPN endpoints are allowing connections without encryption, you need to take your LAN tech out and beat him with a clue-by-four.

If your *infrastructure* (e.g. your routers, your base stations, etc.) are allowing non-encrypted connections (HTTP rather than HTTPS) you need to beat upon your admins with a second clue-by-four.

And $DEITY help you if there's even a mention of telnet...

Well guys, in this case the tech is me. Duly noted. You won't do it. I say let's do a real risk assessment.

Exactly what is PPTP? My reading says it has the MPPE layer that was cracked years ago because Microsoft (the M in MPPE) weakly implemented security. If you would good with using PPTP before you knew its security was broken, why aren't you good with it now? The envelope excryption is gone, but the session passwords are still protected by chap and pap.

Where would the bad guys get in? Would they spoof it over the air? At Verizon? At CenturyLink in the dsl?

If you read the link above, it says that IPsec isn't implemented correctly dropping the excryption during the session while maintaining connectivity. What's left?

Knowing all this, would you still use a droid to do your banking?

Bill_G wrote:Knowing all this, would you still use a droid to do your banking?

I would be no less worried and no more worried than using my PC - again, if a bank isn't using HTTPS for everything, then I won't bank online with them, no matter what the physical layer security is, because it demonstrates the bank has a very poor understanding of security. If they get simple things HTTP vs. HTTPS wrong, are they really going to be fully secure on things like data storage, backup, principle of least access, etc. that are hard?

And likewise: if your P25 controller is allowing HTTP access, if your routers are allowing HTTP access - if you can't even get THAT right! - then you likely have bigger worries than me sniffing the packets over your phone line.

Bill_G wrote:Well guys, in this case the tech is me. Duly noted. You won't do it. I say let's do a real risk assessment.

Exactly what is PPTP? My reading says it has the MPPE layer that was cracked years ago because Microsoft (the M in MPPE) weakly implemented security. If you would good with using PPTP before you knew its security was broken, why aren't you good with it now? The envelope excryption is gone, but the session passwords are still protected by chap and pap.

Where would the bad guys get in? Would they spoof it over the air? At Verizon? At CenturyLink in the dsl?

If you read the link above, it says that IPsec isn't implemented correctly dropping the excryption during the session while maintaining connectivity. What's left?

Knowing all this, would you still use a droid to do your banking?

The Point-to-Point Tunneling Protocol uses an unencrypted link to pass point-to-point packets between the PPTP host and clients. Encryption and even authentication are not part of the standard and are left as an exercise to individual implementations. The most common ones include, as you stated, MPPE. The encryption provided here is implemented in RC4 which is not the most secure and is therefore not advisable for accessing confidential or critical resources.

99% of people don't have to sign into a VPN to do their banking. Android's implementation of HTTPS is quite adequate.

The fact is, impersonating a cell tower is more or less trivial to anybody who can get the necessary hardware. The bad guy could easily trick your phone into affiliating to his "tower" and watch as you signed into an unencrypted communications network, and with almost no effort acquire all credentials used - namely those used to sign into infrastructure and other related equipment. A cursory google search yields a few papers, including one by Bruce Schneier, which show that MS-CHAP can be brute-forced using hardware that's pretty much readily available.

I do agree that Android's VPN implementation is lacking. I have the Moto Atrix 4G, and AT&T released Gingerbread to it with a custom implementation of IPsec. I can now connect to my firewall at AES-128 encryption.

Wowbagger wrote:

Bill_G wrote:Knowing all this, would you still use a droid to do your banking?

I would be no less worried and no more worried than using my PC - again, if a bank isn't using HTTPS for everything, then I won't bank online with them, no matter what the physical layer security is, because it demonstrates the bank has a very poor understanding of security. If they get simple things HTTP vs. HTTPS wrong, are they really going to be fully secure on things like data storage, backup, principle of least access, etc. that are hard?

And likewise: if your P25 controller is allowing HTTP access, if your routers are allowing HTTP access - if you can't even get THAT right! - then you likely have bigger worries than me sniffing the packets over your phone line.

Okay. You feel more comfortable with SSL despite its vulnerabilities. If http access is your concern, then you are at odds with the industry. Most new devices including Canopy and Huawei are port 80 only. There is no serial port. You don't use proprietary RSS to configure it. There is no cli with arcane syntax structure to master. Some devices let you change the port number. Some don't. HTTP is how it gets done. It's not up to me how I interface to a device. Its a fact of life.

Again, the question is the droid. Verizon supports all iterations of vpn through the droid and through their system. It is the droid platform that does not fully support vpn from the droid. There is a distinction. If you were a field tech, would you never use your droid to access any system you were responsible for - that you would always tether your laptop to your phone first to establish a secure session?

bezking wrote:99% of people don't have to sign into a VPN to do their banking. Android's implementation of HTTPS is quite adequate.

The fact is, impersonating a cell tower is more or less trivial to anybody who can get the necessary hardware. The bad guy could easily trick your phone into affiliating to his "tower" and watch as you signed into an unencrypted communications network, and with almost no effort acquire all credentials used.

I do agree that Android's VPN implementation is lacking. I have the Moto Atrix 4G, and AT&T released Gingerbread to it with a custom implementation of IPsec. I can now connect to my firewall at AES-128 encryption.

Okay. How would you implement SSL/port 448, or AES on equipment that doesn't support it? That is the rub. Here are the boxes sold by the multinational rf infrastructure engineering and manufacturing corporation. Go install them. Whenever the equipment need support, drive to site?

That's the whole point of a VPN - that even if your individual resources are insecure, the link into the network is safe enough that someone watching from the outside wouldn't be able to do or see anything harmful. When you disable encryption you remove this critical security layer.

So you would use a vpn. Just not from the droid. How about through the droid?

Absolutely. Your droid should support "L2TP over IPSec with PSK" VPN - the IPSec (IP Security) portion of this provides strong encryption that will be suitable for your application. The PSK means that a password will be used instead of a certificate system. I would take a look at whatever is providing your VPN and see if this method could be used instead of PPTP or straight L2TP...

Oh, I love setting up l2tp ipsec policies. That is always a party.