This tool is for penetration testing only. Never use a DNS resolver connected to the Internet on your IS.
Our VPN infrastructure is hosted on the Amazon EC2 & OVH clouds
open-source software: Java server, Flex client for Adobe AIR and Perl client are available on GitHub
Here is the official documentation for the VPN-over-DNS Android application. It also applies to the Windows & Mac OS X versions (known as the Value Pack). Follow these step-by-step instructions to explore the many features available with VPN-over-DNS.
Table of contents
1- Start the application
installing third party software: free Adobe AIR ™ runtime
2- Create a VPN account
create an account on our server farm
3- Configure your mail account
configure your mail provider and credentials
4- Check your mails
basic configuration troubleshooting
5- Reading and writing mails
access your remote mailbox through DNS requests
6- Set the locale, choose a skin
change language and select your preferred skin
7- Browsing the Internet
learn how to use the native browser
8- Browsing with Chrome
use an external browser for advanced features: tabs, zoom modes and bookmarks
9- Browsing with images
more advanced features: images, Cookies, JavaScript, CSS & SSL support
10- Port redirection
local port forwarding and sharing the tunnel to your iPad or laptop
11- Advanced mail features
attachments, other MIME capabilities, conversation threads filtering & multiple mailboxes handling
Start the application
To launch the application, tap on the icon named "VPN DNS" (see fig.1). If this is the first time you start an application that depends on the free Adobe AIR ™ runtime, the application will also ask you to install this runtime: just tap on "install" (see fig.2). If you do not see this Adobe requirement screen, you can go directly to the next section, named Create a VPN account.
fig.1: the application icon | fig.2: need to install Adobe AIR ™ |
After you have tapped on "install", your device asks you to choose the third party application that will be launched to install the Adobe AIR ™ runtime. You need to choose "Play Store" or "Android Market" (only one of those two names may appear on the selection list, choose any - see fig.3). You are now redirected to the Adobe AIR ™ plugin available for free on the Play Store. Just click on "Install" to start downloading the plugin (see fig.4).
fig.3: choose "Play Store" or "Android Market" | fig.4: click on "Install" |
Finally, click on "Accept & download" to proceed to the installation (see fig.5 and fig.6).
fig.5: click on "Accept & download" | fig.6: wait while downloading AIR |
When the AIR download is complete, come back to the home screen of your device and tap again on the VPN-over-DNS icon (see fig.7). You should now see the first screen of the application (see fig.8).
fig.7: the application icon | fig.8: welcome message |
Create a VPN account
When you first launch the application (see fig.9), you need to create an account on our VPN server farm. To do so, click "Create account", enter your name, choose your private password and enter it twice. Then click on "Create" (see fig.10). Note that you need a full Internet connection during these steps, since the application sends your new credentials to our servers over a secured SSL/TLS connection. This step is not performed on top of DNS requests, which are far less secure than an SSL/TLS channel protected by our X.509 certificate signed by UserTrust/Comodo. If you do not have an Internet connection, you may get an error message like the one in fig.11.
fig.9: application first screen | fig.10: create an account | fig.11: no Internet connection |
Configure your mail account
Once logged in, you first see the welcome pop-up on the status screen (see fig.12). Click on "OK" to close the pop-up (see fig.13). You will then discover the four tabs of the application: Status tab, Mail tab, Browser tab and Settings tab. We will explore each of those tabs later in this step-by-step documentation. For now, click on the Settings tab to configure your mail (see fig.14).
fig.12: first login | fig.13: status screen | fig.14: settings screen |
VPN-over-DNS is currently integrated with these four Mail Providers: GMail from Google, HotMail/Live from Microsoft, Yahoo! Mail from Yahoo! and FastMail from Opera. VPN-over-DNS can push & pull your mails only from these providers. If your mail is hosted at a provider not in this list, for instance a mail service at your Local Internet Provider or at your company, you first need to create a new account on one of those four providers and configure your mail provider to forward every mail you receive to this new account. Such a forwarding configuration is common and should certainly be supported by your specific mail provider.
Roll the spinner to select your mail provider: your selection must be moved to fit in the center of the spinner component. For instance, on fig.16, you can see the position of the spinner when HotMail is selected. You now need to enter your mail credentials (see fig.17). Be careful: these credentials are not the ones you chose previously when you created your VPN account. Your mail credentials are those needed to log on to your Mail Provider. Note that those credentials will be sent to our server farm over a secured SSL/TLS connection. As previously, this step is not performed on top of DNS requests, which are far less secure than an SSL/TLS channel protected by our X.509 certificate signed by UserTrust/Comodo. Your private mail credentials will never be sent over the DNS tunnel. Moreover, they are not saved on your device filesystem. Click "Save" to send your credentials and return to the main configuration screen.
fig.15: choose your mail provider | fig.16: HotMail is selected | fig.17: enter your mail credentials |
Check your mails
Congratulations, you have now completed the initial configuration steps! From now on, you should no longer need to be directly connected to the Internet to use the application, send and read mails, browse the Internet, connect to your SSH server and other stuff.
To check that your configuration was successful, we will now try to download your new mails and see what happens... For this purpose, first go back to the Status screen. Then click on "Start" (see fig.18).
If you see a pop-up asking you to configure your mail provider, like on fig.19, this means that you tried to go too fast and skipped some of the previous steps. You need to go back to the mail configuration screen, select your mail provider again (it may be the first time...) and save your credentials to the server farm. Try again, you shouldn't see the previous pop-up this time.
If you see a pop-up complaining about an authentication failure, like on fig.20, this means either that you have not selected your mail provider correctly, that you did not enter your mail credentials correctly, or simply that you are using a mail provider like Google Mail, which requires you to explicitly authorize external applications like the VPN-over-DNS server farm before letting those servers access your mailbox. You should therefore first check your mail credentials in the Settings screen, save them and try again. If it does not work, you should have received a mail from your provider Google saying that an attempt to access your mailbox was denied. To solve the problem, follow the instructions in the mail. For this purpose, first connect to the following URL
with your Google Mail credentials and immediately try again to get your mails from VPN-over-DNS: Google will then identify the VPN-over-DNS server farm as an authorized external application that is now allowed to access your mailbox.
fig.18: click on "Start" | fig.19: no mail provider selected | fig.20: invalid mail credentials |
Reading and writing mails
Once you have successfully downloaded your last 20 mails, you can browse your new mails using the Mail List screen. Tap on a mail in the scrolling list to open its content (see fig.21). You can delete all mails at once by tapping on "Delete mails" on the Mail List screen (top of fig.21) or delete a mail individually by tapping on "Delete" on the individual mail screen (top of fig.22). Note that deleting all mails at once by clicking on "Delete mails" will delete read and unread mails, but will not delete new mails waiting to be sent (see next paragraph). Also note that your mailbox at your mail provider is never affected by this application: deleting mails means only deleting the local copy, not the original mail maintained by your mail provider.
To send a new mail, you first need to tap on "New mail" (see fig.21), fill the fields on the New Mail screen (see fig.23) and tap on "Save" for the new mail to be saved locally. After this step, the new mail appears in the Mail List screen until it is sent: it will not be deleted even if you tap on "Delete mails" on the Mail List screen. To cancel a newly created mail, simply tap on the mail to explore its content and tap on "Delete" in the individual mail screen. Now, to send your new mails, you need to go to the Status screen and tap on "Start". This will start an upload & download mails session: at first, new mails will be sent, and after that first phase, new mails will be fetched from your mailbox hosted at your mail provider.
fig.21: mail list | fig.22: mail content | fig.23: new mail |
Set the locale, choose a skin
By default, at first start, if your device is configured with the French language, the application is localized in French and saves this setting for further use. With any other language configuration of your device, the application is localized in English. Anytime later, you can force the current language by going to the main Configuration screen and tapping on "Change language / skin" (see fig.24). Then you can select your preferred language. Any change is applied immediately (see fig.25 and fig.26 for French-localized screen samples).
fig.24: localization | fig.25: mail content | fig.26: new mail |
You can also change the application skin. For this purpose, simply go to the main Configuration screen, tap on "Change language / skin" and select your preferred skin, either the "geek" skin or the default "shiny" skin. You need to restart the application for the new skin to apply. For instance, fig.27, fig.28 and fig.29 are identical to fig.24, fig.25 and fig.26 except they are drawn with the "geek" skin.
fig.27: localization | fig.28: mail content | fig.29: new mail |
Browsing the Internet
To browse the Internet, just go to the Browser screen, a basic text-mode browser optimized for downloading web pages on top of DNS requests. When you first select the browser screen, it automatically tries to download the Bing home page. Bing is a search engine made available by Microsoft. It is similar to Google except that it even works with basic browsers that do not support features like Cookies, for instance (and this is the case with VPN-over-DNS). Don't panic: this does not mean you cannot access Google with VPN-over-DNS! It simply means that to do so, you will need to use the port redirection feature instead of simply using the VPN-over-DNS internal browser (see the specific port redirection section for this purpose).
When the internal browser has downloaded the text part of the Bing home page (remember, with the internal browser: no images, no Cookies, no JavaScript, no CSS, no SSL, but ... speed!), you should see something like fig.30. If you do not see this Bing home page, tap on "Action" and select "Home page" (fig.31). This will force a reload of the Bing home page. Once you can see the Bing home page, tap in the text area and enter a query, for instance "nyt" on fig.32. To launch the query, tap on the bottom right key of the virtual keyboard ("Go") and wait about 30 seconds.
fig.30: Bing home page | fig.31: browser actions | fig.32: searching with Bing |
You can see the answer from Bing on fig.33. Tap on a link to directly access the web site you are interested in (see fig.34 for the New-York-Times home page, in this example). If you prefer, you can directly enter the remote URL in the address bar at the top of the browser user interface, like in fig.35, and tap "Go" to start downloading the targeted web page. When the browser is downloading a page, you can see a progress bar for each part downloaded: the page is split into multiple small messages or parts (about 2 kilobytes per message part) and the progress bar shows the download progress of each message. Each time a message is downloaded, its content is displayed in the browser, so you do not need to wait for the whole page to be downloaded to see the first content on the screen. Try scrolling down regularly while a page is being downloaded: over time you will be able to scroll down more and more. Note that if you are not able to type a URL in the address bar, this is because the browser is currently downloading a web page and, for this reason, has disabled the address bar. In such a situation, simply tap on "Stop".
fig.33: Bing search results | fig.34: the NYT in text-mode | fig.35: filling a URL directly |
Browsing with Chrome
You can also browse the Internet with your preferred browser, on top of DNS requests. For this purpose, simply tap on "Action" and select "External browser" (see fig.36). You will have to choose a browser in the list of installed ones, like on fig.37 (do not forget to install Chrome separately from Google Play, in order to see it in this list). Then select your preferred browser. It will open directly on the same page you were viewing on the native browser (see fig.38 for an example with Chrome). You can now browse the Internet with your preferred browser by tapping on links or using the advanced features it provides, like tabs, advanced zoom modes and bookmarks. Note that you must let VPN-over-DNS run in the background while browsing with an external browser: if you stop the VPN-over-DNS application, your external browser will stop working.
fig.36: launching a browser | fig.37: browser alternatives | fig.38: Chrome on top of DNS requests |
Browsing with images
In the previous section, you have learnt how to use an external browser like Chrome, as a replacement for the basic native browser integrated with the VPN-over-DNS application. It enabled you to use features like tabs or bookmarks, but you certainly noticed that you still had no support for images, Cookies, JavaScript, CSS or SSL. If you prefer to lose speed but gain support for images, Cookies, JavaScript, CSS or SSL features, you can simply use one of the two web proxies we provide on top of DNS requests. Here are the features offered by each of these proxies:
As you can see on this table, the proxy on localhost / port 8080 offers an intermediate set of features, allowing browsing on Google, using Web forms and reading or contributing to most of the general purpose public web sites. This is often the best trade-off between download speed and features. By contrast, the proxy on localhost / port 8081 gives you access to the full set of advanced web features (Cascading Style Sheets, Cookies, images, JavaScript and SSL), allowing connections to private web portals like GMail, Facebook or Twitter.
Depending on the Android ROM version of your device, you will find different means of configuring the current proxy. For instance, on Ice Cream Sandwich, you can just apply the following steps. First, go to the Wi-Fi configuration screen (see fig.39). Then press your Wi-Fi network name until a pop-up appears (see fig.40). Select "Modify network config.". Scroll down to "Show advanced options" (see fig.41). Now, enable the "Show advanced options" control (see fig.43). Change the proxy settings from "None" to "Manual" (see fig.43). Enter "localhost" and "8080" or "8081", depending on your choice (see fig.44). Click "Save".
fig.39: set proxy (step 1) | fig.40: set proxy (step 2) | fig.41: set proxy (step 3) |
fig.42: set proxy (step 4) | fig.43: set proxy (step 5) | fig.44: set proxy (step 6) |
Now, you just need to let VPN-over-DNS run in the background and use your preferred application, a browser for instance, or any application based on web requests, like the GMail or the Facebook Android client applications. Of course, it may be more time consuming than using the native web browser integrated in the VPN-over-DNS application: up to 10 or 20 times slower, be prepared to wait a while... For instance, you can see on fig.45 the Google home page being downloaded with Chrome, on fig.46 the two running tasks (VPN-over-DNS in the background, using 15% of CPU to encapsulate Chrome HTTP requests on top of DNS requests), and on fig.47 VPN-over-DNS switched back to the foreground to see at which speed Chrome data are currently downloaded.
fig.45: set proxy (step 1) | fig.46: set proxy (step 2) | fig.47: set proxy (step 3) |
Port redirection
The VPN-over-DNS application can manage TCP port redirections over DNS requests, the same way an SSH client can manage TCP port redirections over an SSH session. A VPN redirection is a way to forward a local port to a remote destination on the Internet. Note that other hosts on the same local network you are connected to can use those forwarded ports. This is similar to the "-g" option of the Unix/Linux SSH client software and, in this way, your Android device can become a bridge to the Internet, offering Internet connectivity to other local devices. For instance, VPN-over-DNS, installed on your Android device, can share the web proxies (see section "Browsing with images") with your iPad or your laptop: just connect your iPad or your laptop to the same local Wi-Fi network (for instance, the one with the captive portal you want to bypass), and configure the proxy of your iPad or laptop to the IP of your Android device, and to port 8080 or 8081 depending on the proxy you prefer. The redirections are multiplexed on the VPN channel and multiple redirections can be used simultaneously. An initial set of redirections is pre-configured, some for internal needs, some others for common uses, and you can also define your own redirections.
By tapping on "Configure ports" on the Settings screen, you make the Redirection screen appear with a list of all the currently forwarded ports (see fig.48). The redirection named "Web Browser" is for internal use by the native Browser only, the one named "Web proxy (fast)" is used to implement the half-featured proxy on port 8080 discussed in section "Browsing with images" and the one named "Web proxy (full)" is used to implement the full-featured proxy on port 8081 discussed in the same section. To add a new redirection, tap on "New" and fill the local port, remote host and remote port fields. Note that the local port must be greater than or equal to 1024, due to security limitations on Android (standard processes are not allowed to listen on ports lower than 1024, like on Unix/Linux systems for instance). On fig.49, you can see how to configure a port redirection for use by ConnectBot (a well-known Android SSH client); once configured, you can view this new redirection on the Redirection screen (see fig.50), but you need to restart VPN-over-DNS before being able to forward this port. You can now start ConnectBot and connect to local port 2222, in this example. You will then be logged on to your SSH server. Of course, you can also forward TCP ports using ConnectBot, allowing local port redirection to your private remote infrastructure. This is tunneling TCP on top of ConnectBot on top of VPN-over-DNS on top of DNS on top of IP. This works well. To delete a redirection you added previously, select it on the Redirection screen and tap on "Delete". The pre-configured redirections cannot be removed.
fig.48: set proxy (step 1) | fig.49: set proxy (step 2) | fig.50: set proxy (step 3) |
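The bind-address choice behind the sharing behaviour described in this section, as an added Python example that is not part of the VPN-over-DNS code: a plain TCP relay (no DNS tunnel involved) that enforces the local port rule of 1024 or above and listens on loopback unless sharing is requested. The names start_forwarder and share_on_lan and the host ssh.example.org are assumptions made for illustration.

```python
import socket
import threading

MIN_LOCAL_PORT = 1024  # the page's rule: unprivileged apps cannot bind below 1024


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then tear down both ends."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)  # wakes the opposite pump thread
            except OSError:
                pass
            s.close()


def start_forwarder(local_port, remote_host, remote_port, share_on_lan=False):
    """Listen on local_port and relay each connection to remote_host:remote_port.

    share_on_lan=False binds to loopback: only this device can use the port.
    share_on_lan=True binds to every interface (the `ssh -g` behaviour): any
    host on the same network can use the port, with no authentication.
    """
    if not MIN_LOCAL_PORT <= local_port <= 65535:
        raise ValueError("local port must be between 1024 and 65535")
    bind_addr = "0.0.0.0" if share_on_lan else "127.0.0.1"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            try:
                upstream = socket.create_connection((remote_host, remote_port), timeout=10)
                upstream.settimeout(None)
            except OSError:
                client.close()
                continue
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


if __name__ == "__main__":
    # Constructed values: local port 2222 as in the page's ConnectBot example,
    # ssh.example.org:22 is a placeholder remote host.
    lst = start_forwarder(2222, "ssh.example.org", 22)
    print("forwarding", lst.getsockname(), "-> ssh.example.org:22")
    threading.Event().wait()  # keep the daemon threads alive
```

The address returned by `getsockname()` on the listener is what a local audit of listening sockets would show: 127.0.0.1 for a device-only redirection, 0.0.0.0 for one that is reachable from the whole Wi-Fi network.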
Advanced mail features
To get features like attachments, other MIME capabilities, conversation threads filtering & multiple mailboxes handling, you may want to use an IMAP/POP3 capable Mail User Agent like the one named Email and shipped with any Android device, instead of the fast but basic native mail agent integrated with the VPN-over-DNS application. For this purpose, you can use the following redirections already configured: with GMail from Google, use "GMail: IMAP SSL" to fetch mails and "GMail: SMTP SSL" for outgoing mails; with HotMail/Live from Microsoft, use "HotMail: POP3 SSL" to fetch mails and "HotMail: SMTP" for outgoing mails; with FastMail from Opera, use "OperaMail: IMAP SSL" to fetch mails and "OperaMail: SMTP SSL" for outgoing mails; with Yahoo! Mail from Yahoo!, use "YahooMail: IMAP SSL" to fetch mails and "YahooMail: SMTP SSL" for outgoing mails. For instance, you can see on fig.51 the configuration for incoming mails from GMail and on fig.52 the one for outgoing mails. Note that "Accept all certificates" must be selected since the host name you entered ("localhost") will not match the host name included in the X.509 certificates your Mail Agent will receive from the remote service (the host names in those certificates are "imap.gmail.com" and "smtp.gmail.com"). With this option selected, the Mail Agent no longer validates the certificate it receives, so the SSL session encrypts the traffic but does not authenticate the remote mail server.
fig.51: incoming mails from GMail | fig.52: outgoing mails to GMail |
Server and clients are now open-source: GPLv3. Explore the source tree on GitHub.