Tag Archives: Deutsche Telekom

StrongSwan Client with Ubuntu 16.04 LTS

So, I’m a regular user of public WLAN hotspots, those of Deutsche Telekom among others. Being the paranoid digital self-defense person I am, I’ve been using a VPN service for quite some time now. I recently noticed that my PPTP client setup stopped working at hotspot locations run by Deutsche Telekom that I regularly use, while it still worked from home and from some other hotspots I use. I embarked on a journey to teach my Ubuntu laptop some more VPN protocols. OpenVPN worked like a charm with just installing the obvious packages for network-manager. StrongSwan, however, didn’t cooperate quite as easily, because the packages in the Ubuntu 16.04 repository are known not to work with the version of network-manager shipped in the same release.

OK, use the source, Luke …

But rather than compile from source tarball and clutter my system with stuff, I found the repositories for zesty have the versions I need. So, I decided to backport that:

  1. Edit /etc/apt/sources.list
    1. uncomment all deb-src lines and insert one line: deb-src http://de.archive.ubuntu.com/ubuntu/ zesty main restricted universe multiverse
  2. apt-get update
  3. apt-get install build-essential
  4. mkdir strongswan
  5. cd strongswan
  6. apt-get build-dep strongswan
  7. apt-get source strongswan
  8. export DEB_BUILD_OPTIONS=nocheck
  9. dpkg-buildpackage -us -uc
  10. dpkg -i strongswan-nm_5.5.1-1ubuntu3_amd64.deb libstrongswan_5.5.1-1ubuntu3_amd64.deb strongswan-libcharon_5.5.1-1ubuntu3_amd64.deb
  11. cd ..
  12. mkdir nm-strongswan
  13. apt-get build-dep network-manager-strongswan
  14. apt-get source network-manager-strongswan
  15. dpkg-buildpackage -us -uc
  16. dpkg -i network-manager-strongswan_1.4.1-1_amd64.deb
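The steps above collected into one script, as an added example rather than the author's own code. The function names and the `run` argument are assumptions, as is `apt-get source` unpacking into a single `<package>-<version>/` directory, which is where `dpkg-buildpackage` has to run; the built .deb files land one level up, in the work directory.

```shell
#!/bin/sh
set -eu

ZESTY_SRC='deb-src http://de.archive.ubuntu.com/ubuntu/ zesty main restricted universe multiverse'

# Step 1: uncomment the existing deb-src lines and add the zesty line once.
# $1 is the sources file, so the edit can be tried on a copy first.
enable_deb_src() {
    list="${1:-/etc/apt/sources.list}"
    fixed=$(sed 's/^#[[:space:]]*deb-src /deb-src /' "$list")
    printf '%s\n' "$fixed" > "$list"
    grep -qxF "$ZESTY_SRC" "$list" || printf '%s\n' "$ZESTY_SRC" >> "$list"
}

# Fetch one source package into its own work directory and build unsigned
# binary packages (-us -uc) with the test suite skipped (nocheck).
build_pkg() {
    pkg="$1"; workdir="$2"
    mkdir -p "$workdir"
    (
        cd "$workdir"
        apt-get build-dep "$pkg"
        apt-get source "$pkg"
        cd "$pkg"-*/            # assumed: exactly one unpacked source tree
        DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc
    )
}

backport() {
    enable_deb_src /etc/apt/sources.list
    apt-get update
    apt-get install build-essential
    build_pkg strongswan strongswan
    ( cd strongswan && dpkg -i strongswan-nm_5.5.1-1ubuntu3_amd64.deb \
        libstrongswan_5.5.1-1ubuntu3_amd64.deb \
        strongswan-libcharon_5.5.1-1ubuntu3_amd64.deb )
    build_pkg network-manager-strongswan nm-strongswan
    ( cd nm-strongswan && dpkg -i network-manager-strongswan_1.4.1-1_amd64.deb )
}

# Nothing is changed unless the script is called as: sh backport.sh run (as root)
if [ "${1:-}" = "run" ]; then backport; fi
```

Because the zesty entry is a deb-src line only, apt never pulls zesty binary packages from it; everything that gets installed is built locally.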

Then configure as per wiki page.

Now, I only need to find out how to trust the VPN provider’s certificate when their IKEv2 configuration howtos all seem to rely on turning certificate verification off.


Login to Telekom Hotspot on Linux command line

So, my old laptop has been reactivated with an Ubuntu 16.04 LTS release. When traveling, I frequently use the Telekom Hotspot services, and given how I like using the Tor Browser (with some additional plugins just because I’m fed up with all the tracking) there’s a little issue: I need to log in to a web page to start using the hotspots, but I cannot start browsing with the Tor browser before I have a network connection.

No big deal on a Mac with the wispr stuff to automatically fill out the captive portal pages for you, or at least automatically pop them up in a window separate from your browser. So, what are the options on Linux?

  1. Start firefox, first, log in to the hotspot, shut down firefox again to then start the Tor browser.
  2. Somehow work in a “-new-instance” argument into starting Tor Browser so you can actually do #1 but leave firefox open (which helps with stuff like posting on wordpress.)
  3. Use some entirely other browser unrelated to firefox as your second/first browser to log in to the hotspot
  4. Use a WISPR client like this one (though the page has issues as of writing this), but the whole approach seems like a security issue.
  5. log in to the hotspot on the command line

So, yes … Linux geeks chose option #5:


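use strict;
use warnings;
use Term::ReadKey;
use JSON::PP;   # core module, used to build a correctly escaped JSON body

print "username: ";
my $username = <STDIN>;
chomp $username;

# switch off terminal echo while the password is typed
ReadMode ('noecho');
print "password: ";
my $password = <STDIN>;
chomp $password;
ReadMode ('restore');

print "\n";

# utf8 flag left off: the bytes typed at the terminal pass through unchanged
my $body = JSON::PP->new->encode ({ username => $username, password => $password });

# List-form pipe open: no shell ever parses the credentials, and "-d @-" makes
# curl read the body from stdin, so the password stays out of the process list.
# curl sets Content-Length itself, so the fixed "Content-Length: 57" is gone.
open (my $curl, '|-', 'curl', 'https://hotspot.t-mobile.net/wlan/rest/login',
    '-H', 'Host: hotspot.t-mobile.net',
    '-H', 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0',
    '-H', 'Accept: application/json, text/plain, */*',
    '-H', 'Accept-Language: en-US,en;q=0.5',
    '--compressed',
    '-H', 'Content-Type: application/json;charset=utf-8',
    '-H', 'X-Hash: AjbCkwnbQWKb+eKqFSelsyugcyVtXiU1ZkUjnqDYhsA=',
    '-H', 'Referer: https://hotspot.t-mobile.net/TD/hotspot/Tank_Rast_Petro/en_GB/index.html',
    '-H', 'Cookie: JSESSIONID=1111D92CBA6C27FE69D13F04F5CD4497.P3; POPUPCHECK=1496237026311; DT_H=NzY5OTk0MTgy',
    '-H', 'Connection: keep-alive',
    '-d', '@-') or die "cannot run curl: $!\n";
print {$curl} $body;
close ($curl) or die "curl exited with status $?\n";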

Make sure you have the Term::ReadKey module installed. On Xenial you do:

apt install libterm-readkey-perl


Deutsche Telekom is driving me crazy

For years and years I had not allowed Deutsche Telekom to withdraw payments from my bank account before recently ordering a phone and DSL flat rate which required you to consent to that and also to the use of “Rechnung Online” which is Deutsche Telekom’s on-line bill presentment system. “Well,” I thought, “I can always cancel an incorrect withdrawal, and with invoices and call details sent to me via encrypted PDF, that’s quite like what I had before.”

What I didn’t quite anticipate was that Deutsche Telekom would go and quit the service of sending call details through encrypted PDFs, just because they found it convenient to integrate Rechnung Online with the T-Online Netzausweis (their SSO system). That makes the encryption key my T-Online email address which is quite easy to learn. So they don’t send emails with call details anymore to protect my privacy. I can retrieve the details from the online portal, but there they keep them for a maximum of eighty days. However, I need them for my tax declaration and cannot afford to lose them. Therefore, I need to remember to visit the portal every two months and download my recent call data. That’s especially cute in a time where telecom providers will soon be required to keep connection data for years to fight Terror (and Christmas presents are delivered by Santa Claus).

Anyway, I’ve been pulling my hair trying to get Deutsche Telekom to realize that I regard it as bad customer service to just cancel a service of their own accord without providing an equivalent alternative. If the current encryption password is too weak, let’s use a better mechanism. I’d even buy a certificate for it from the Telekom Trustcenter, but those folks fail to comprehend what it is I want from them.

Observe this translated email conversation:


Friday, Dec 12th 2007, 17:10 +0100 Deutsche Telekom AG wrote:
> We would ask for your understanding that henceforth we will be providing
> your call details on-line, only. Download is easier than the current
> mechanism and you will receive your data over a secure SSL connection.

I have no understanding whatsoever for that!

Esp. because now I have to download the data within 80 days. Previously
it simply arrived in an email and I could decrypt it at the end of the year
for my tax declaration. Now, I need to remember downloading the call
details every two months at the latest or be asking for trouble with
the tax office.

This is a good cause for not using Rechnung Online!

Kind regards,

Karl H. Beckers

Deutsche Telekom:

Dear Mr. Beckers,

thanks a lot for your email.

We are pleased to inform you about the display of call details in Rechnung Online.

Please first register with Rechnung Online:


The desired overview of your current invoice can be found choosing the menu item
„Aktuelle Einzelverbindungen“.

If you wish to see the call details of earlier invoices choose the invoice in
question through the menu item „Rechnungsarchiv“ and then click on
„Einzelverbindungen“ and „Dokumentenansicht“. Printing and download are
possible through the Acrobat Reader's menu bar.

[blah blah blah]

Please note that for data privacy reasons we can only store your call details
for 80 days after invoicing.

[you don't say]

Further questions regarding Rechnung Online or other products of Deutsche
Telekom we will gladly answer through email at any time.

Kind regards,

Your Deutsche Telekom

Me again:

Thanks a lot for your reply, too, which completely missed to address my

I have seen the features of Rechnung Online. The salient point here, though,
is that with a paper invoice the decision how long I keep it is mine. At
the time I consented to using REO, there was a comparable functionality. The
call details were sent via email and again the decision was mine when I
looked at it and how long I kept it.

Now, this functionality was cancelled of your own accord and I am forced
to download the call details myself, every two months. That to me is a
decisive step back in terms of service quality. Other providers still send
invoices as encrypted and digitally signed PDFs, even conforming to our
laws for digital signatures. A return to paper-based invoices will require
a fee again, I am sure.

I am beginning to see some benefit in preventive storage of call data in
the war against terror.


Karl H. Beckers

Deutsche Telekom:

Dear Mr. Beckers,

thanks a lot for your email.

The password for call detail encryption used to equal your Rechnung Online
user name.

Because this user name, after the integration with T-Online Netzausweis,
is your T-Online email address, data privacy protection can no longer
be completely guaranteed.

For that reason we can only provide your call details through the on-line
[or you could try to find a better encryption]

[blah blah blah]

Kind regards,

Your Deutsche Telekom


Wednesday, Jan 2nd 2008, 09:04 +0000 Rechnung-Online@telekom.de wrote:
> Because this user name, after the integration with T-Online Netzausweis,
> is your T-Online email address

I have not asked for that integration.

Besides, inside the T-xxx customer center, there are already N passwords.
A means for maintaining another password for call detail encryption would
have done no harm. I would even buy an X509 certificate with which
the whole stuff could be perfectly well encrypted in a secure way.

So it remains, you have cancelled a functionality without an equivalent


Karl H. Beckers

Deutsche Telekom:

Dear Mr. Beckers,

thanks a lot for your email.

Have you lost your password for Rechnung Online?
We are glad to be of assistance.

Please click on www.telekom.de/reo/passwort

[blah blah blah ... more details about how to reset your password.]

Me (somewhat worked up by now):

Wednesday, Jan 2nd 2008, 13:22 +0000 Rechnung-Online@telekom.de wrote:
> Have you lost your password for Rechnung Online?
> We are glad to be of assistance.

Am I talking Dutch?
I do have my password. I can use REO. But you have gone and cancelled a
functionality important to me, which made REO equivalent to paper

I don't WANT to have to download call details every two months, because
I am sure to forget this now and again and will have to discuss that
with my local tax office. Delivery of call details by email let me accept
REO, now it is no longer an option.

In the past, I also did not have to call you and ask you to send me an
invoice. You did that automatically, with call details. That's what I
want to have again.

Karl H. Beckers

Deutsche Telekom:

Dear Mr. Beckers,

thanks a lot for your email.

[will you quit that, please]

We apologize for your inconveniences.

You have received Rechnung Online in conjunction with a Call &
Surf Package. Rechnung Online is included in this package. Only that
way can we provide this offer at such discounted rates.

Please understand that you can download your invoices on-line and
save them on your PC for further use (e. g. to print them).

Call details are, in conjunction with your Call & Surf package, presented
on-line, only. Call details can be saved on your PC as often as you want
and be processed in whatever way you wish.

Do you know everything Rechnung Online can do for you?
Let us convince you of the comfortable possibilities of electronic bill

For example our free service "Invoice via email". With that you can
have your invoice be sent to your computer in an email.
[are you kidding me?]

This is killing me!

Dear customer: We are sorry for any inconveniences, but you will have to swallow them.

Well, we’ll talk about that again when my current contract expires.
