Linux PPTP VPN server install for use with the iPhone
I was looking into getting a VPN connection from my iPhone to my server, because I don't want to send my email and web passwords in the clear over public WiFi. Setting up an open source VPN connection from the iPhone is fairly simple, but there is not much choice of software. To my knowledge OpenVPN and Openswan are not supported, so my choice came down to Poptop. This is probably not the most secure solution, because it uses Microsoft's PPTP protocol, which has known flaws: authentication is MS-CHAPv2, a password-based handshake that anyone who captures it can attack offline, and the MPPE session keys are derived from that same password. So pick a long, random password, not a memorable one. Even so, it is much safer than nothing, and on an evil WiFi network the attacker will most likely go for the easy targets.
This was done on CentOS 5.2, but it should work on any fairly recent Linux distribution.
Setting up Poptop VPN for the iPhone is done in just four steps:
1 Installing Poptop on your linux server
Some distributions already package pptpd; if yours does not, you can install it from source with the following steps.
Download the latest pptpd from Sourceforge.
Unpack pptpd, configure and run make install:
tar -zxvf pptpd-1.3.4.tar.gz
cd pptpd-1.3.4
./configure
make
make install
2 Configuring pptpd (poptop)
Now we need to configure the three files pptpd uses to set up the VPN. The localip/remoteip addresses are a private range used only inside the tunnel; they have nothing to do with the server's public IP, so leave them as they are unless 192.168.8.0/24 is already in use on your network:
/etc/pptpd.conf
option /etc/ppp/options.pptpd
localip 192.168.8.1
remoteip 192.168.8.234-238
/etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# OpenDNS DNS servers, you can replace these with your own DNS provider
ms-dns 208.67.222.222
ms-dns 208.67.220.220
lock
nobsdcomp
nologfd
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# set one or more usernames and passwords to use with the PPTP VPN
# client      server   secret      IP addresses
username      pptpd    password    *
3 Setup the server for Masquerading/NAT
Because we want to share the server's internet connection with the iPhone, we need to do NAT. The following lines enable this. I am assuming eth0 is the network interface connected to the internet. First try it out by pasting the lines into bash; to keep it working after a reboot, copy the same lines into /etc/rc.local (and put net.ipv4.ip_forward = 1 in /etc/sysctl.conf so forwarding survives a reboot as well). Keep each iptables rule on a single line when you paste: a line break inside a rule leaves "--state" without its argument and that rule is not installed. Note that these FORWARD rules only match ppp0, the interface of the first connected client; if you expect several clients at the same time, use ppp+ instead, which matches every ppp interface.
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
# and start pptpd
/usr/local/sbin/pptpd
4 Configuring the iPhone
On your iPhone go to Settings > Network > VPN > Add VPN Configuration
Tap PPTP and fill in:
Description: anything you like
Server: the hostname or IP address of the server
Account: the username you put in /etc/ppp/chap-secrets
RSA SecurID: OFF
Password: the password you put in /etc/ppp/chap-secrets
Encryption Level: Auto (the server requires 128-bit MPPE, so Maximum works too; None will be refused)
Send All Traffic: ON (this is what routes your web and mail traffic through the tunnel instead of only the 192.168.8.x addresses)
Now press Save, and when you turn VPN to ON it should connect to the server.
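To tie steps 2 and 3 together, here is an added example script (my own, not part of the original post) that stages the three pptpd files and the NAT rules into a scratch directory, so you can review them, or diff them against /etc, before copying them onto the server. The interface name eth0, the 192.168.8.x range, the pppd options and the OpenDNS resolvers are the post's own values; the staging directory, the user name "iphone", the random password helper and the use of ppp+ (which matches ppp0, ppp1, ... rather than only ppp0) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the pptpd
# configuration in $PREFIX for review before copying it to /etc.
# Assumptions: EXT_IF is the internet-facing interface, 192.168.8.0/24 is
# unused on the server, and pptpd from source lives in /usr/local/sbin.
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"      # staging directory (assumption)
EXT_IF="${EXT_IF:-eth0}"
LOCAL_IP="${LOCAL_IP:-192.168.8.1}"
REMOTE_RANGE="${REMOTE_RANGE:-192.168.8.234-238}"
VPN_USER="${VPN_USER:-iphone}"        # example user name (assumption)

# MS-CHAPv2 lets anyone who captures the handshake run an offline guessing
# attack on the password, so it must be long and random, not memorable:
# 16 bytes from the kernel RNG, hex encoded (32 characters).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# chap-secrets is whitespace separated and '#' starts a comment, so a user
# name or password containing either would change the file's meaning.
valid_secret_field() {
    case "$1" in
        ''|*[[:space:]#]*) return 1 ;;
        *) return 0 ;;
    esac
}

write_pptpd_conf() {
    mkdir -p "$PREFIX/etc"
    cat > "$PREFIX/etc/pptpd.conf" <<EOF
option /etc/ppp/options.pptpd
localip $LOCAL_IP
remoteip $REMOTE_RANGE
EOF
}

write_ppp_options() {
    mkdir -p "$PREFIX/etc/ppp"
    cat > "$PREFIX/etc/ppp/options.pptpd" <<'EOF'
name pptpd
# Only MS-CHAPv2 is accepted: PAP sends the password in the clear and
# CHAP / MS-CHAPv1 cannot negotiate MPPE.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Drop any session that does not negotiate 128-bit MPPE.
require-mppe-128
# OpenDNS resolvers as in the post; replace with your own if you prefer.
ms-dns 208.67.222.222
ms-dns 208.67.220.220
lock
nobsdcomp
nologfd
EOF
}

write_chap_secrets() {
    user=$1; pass=$2
    if ! valid_secret_field "$user" || ! valid_secret_field "$pass"; then
        echo "refusing user or password containing whitespace or '#'" >&2
        return 1
    fi
    mkdir -p "$PREFIX/etc/ppp"
    # Format: client  server  secret  IP-addresses
    printf '%s\tpptpd\t%s\t*\n' "$user" "$pass" > "$PREFIX/etc/ppp/chap-secrets"
    chmod 600 "$PREFIX/etc/ppp/chap-secrets"   # the file holds a plaintext secret
}

# Print the forwarding and NAT rules for /etc/rc.local.  'ppp+' matches
# every ppp interface, so a second concurrent client on ppp1 is forwarded too.
nat_rules() {
    ext=$1
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
/sbin/iptables -A FORWARD -i $ext -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -o $ext -j ACCEPT
/usr/local/sbin/pptpd
EOF
}

PASS=$(gen_password)
write_pptpd_conf
write_ppp_options
write_chap_secrets "$VPN_USER" "$PASS"
nat_rules "$EXT_IF" > "$PREFIX/rc.local.pptp"
echo "Staged under $PREFIX for user $VPN_USER with password $PASS"
```

Run it as `EXT_IF=eth0 sh stage-pptpd.sh`, inspect the files under the printed directory, then copy them into /etc and append rc.local.pptp to /etc/rc.local on the server. The password is printed once so you can type it into the iPhone; it is also in the staged chap-secrets, so delete the staging directory when you are done.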
If you have any problems, don't hesitate to ask in the comments.
Posted by: Tim on Sep 28th, 2008
September 29th, 2008 at 2:53 pm
[...] got the poptop VPN server working with the iPhone. In case anyone is interested: I have put a description online of how to install and configure this server and how to [...] your iPhone with it [...]
January 7th, 2009 at 8:23 am
Is this on WiFi? It does not work on Fido if you are not on WiFi.
January 9th, 2009 at 2:32 am
@RW it probably depends on your provider and plan what kind of traffic is allowed. I tested it on T-Mobile in Holland.
January 18th, 2009 at 12:39 pm
Thanks, I have been trying to do this for a while.
January 31st, 2009 at 2:43 pm
Good stuff!! Works.
Is there a L2TP version too?
April 30th, 2009 at 7:44 am
Thanks for the guide! Been working on this issue for a while without success. Perhaps you could offer some insight? I have configured the vpn server, but connection attempts are rejected. Only this line is recorded in the debug log:
CTRL: Reaping child PPP
I’ve been unable to find out what might be causing this. Any advice would be terrifically appreciated!
Thank you
June 10th, 2009 at 8:43 am
Thanks for the guide. Works out of the box.
June 10th, 2009 at 9:25 am
Ben:
I’ve looked into your “CTRL: Reaping child PPP” but I couldn’t find anything about it and I never encountered this problem. Did you succeed in solving it already?
July 15th, 2009 at 3:21 pm
Hi, great solution. I would like to implement it on my server as well, but I am not a Linux guru. Could you help me (possibly by paying you a little)?
Rob
July 15th, 2009 at 11:08 pm
Well, if you follow the exact steps you should be able to do it, but anyway I sent you an email to see how I can help.
July 21st, 2009 at 8:15 am
Hey… Great guide…
I am able to get my iPhone 3.0 to connect and say it has a VPN connection, but no web traffic or anything...
Could this have anything to do with the fact that the server does not have a different internal/external ip?
Any help would be appreciated.
July 21st, 2009 at 11:46 am
Hey Kevin,
try to connect to your vpn with a laptop. That way you can see if you can ping your server over vpn. If so you know that the vpn is right. If not, check the firewall settings of the server.
it probably has to do with your different setup and you probably need different masquerading rules.
July 22nd, 2009 at 7:20 pm
Hey TIM ty for the fast response.
So i connected my laptop to the server through the vpn.
Once connected I am able to ping the IP of the server but not a site outside of the server, like google.com.
Any clue? Could this be the nat not working? Any ideas on how to check and see if that actually was setup?
July 22nd, 2009 at 10:30 pm
Hey Kevin,
try to ping 62.212.66.201 (this server) if that doesn’t work it probably is your vpn setup! If it does work it’s the dns server/dhcp setup.
you can see if your masquerading rules are setup by typing iptables -L
July 22nd, 2009 at 10:57 pm
Ok, so i tried to ping this server and not to my surprise nothing.. I am doing this from a MacBook and in the connection “wizard” it is showing that it is receiving no data at all. So I check iptables and this is what it shows: http://pastebin.com/m463bcaac
So i checked /etc/rc.local and it has:
http://pastebin.com/m2ee7e5c8
Which I'm not sure if any of it is right, but it follows the guide so I assume it would...
Any ideas would be appreciated.
July 22nd, 2009 at 11:04 pm
if you start /etc/rc.local manually as root do you see any error messages?
July 22nd, 2009 at 11:33 pm
iptables v1.3.5: Unknown arg `--state'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.local: line 10: RELATED,ESTABLISHED: command not found
hmmm
July 22nd, 2009 at 11:49 pm
eeh.. No errors now.. I moved "RELATED,ESTABLISHED" up to the line like it was supposed to be, now no issues... iptables -l still has the same output
July 23rd, 2009 at 9:12 am
Kevin, do you use a custom kernel or the one delivered with your distribution? And did you make sure your external interface is eth0? iptables -L (capital L) as root
July 24th, 2009 at 12:08 am
yep eth0
http://pastebin.com/m3cec495d
No clue whats going on…
July 24th, 2009 at 12:11 am
http://pastebin.com/m7e24f63e
What is in the /var/log/messages
Also I'm on CentOS 5.3 with the latest kernel build for the system...
July 24th, 2009 at 1:03 pm
Kevin:
Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: local IP address 71.43.227.78
Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: remote IP address 71.43.227.78
doesn’t look right, same ip for remote & local?! did you edit /etc/pptpd.conf described as above?
July 25th, 2009 at 4:58 am
Yes… The server only has an external/remote ip….. Its on a dedicated line… 71.43.227.78……
option /etc/ppp/options.pptpd
localip 71.43.227.78
remoteip 71.43.227.78
July 25th, 2009 at 4:11 pm
Kevin, copy the options.pptpd right from the example I put here. it probably should work then. It’s a virtual network so the ip settings don’t have anything to do with the external ip
August 31st, 2009 at 7:17 pm
I can recommend a provider with pptp service.
https://www.anonine.com/en
February 10th, 2010 at 3:08 pm
I have found that you must connect to WiFi first before anything else (naturally). VPN takes some time to negotiate. This gives your bandwidth-hungry iPhone 1-15 seconds to roam free on the insecure network.
I guess just make sure EVERYTHING on the iPhone does not store any passwords, which gives you the few seconds necessary to connect securely and then type your passwords in when prompted (mail, chat, FB etc..). If you do have stored passwords the iPhone will spill its guts before you have time to connect the VPN.
Apple should make a feature in the VPN section that forces all traffic over VPN regardless of network status (i.e. as soon as there is network – connect VPN – surf) to make it truly a secure option for jumping on evil Wi-Fi networks.