Shared Know How



Linux PPTP VPN server install for use with iPhone

Posted by: Tim on Sep 28th, 2008 | Filed under: iphone, linux

I was looking into getting a VPN connection from my iPhone to my server because I didn't want to send my email and web passwords in the clear over any public WiFi. Setting up an open source VPN connection from the iPhone is fairly simple, but there is not much choice of software. To my knowledge OpenVPN and Openswan are not supported, so my choice came down to Poptop (pptpd). It is probably not the most secure solution, because it uses Microsoft's PPTP protocol: authentication is MS-CHAPv2 and encryption is MPPE (RC4), and both have known weaknesses. I figured it would still be much safer than nothing, and if there is an evil WiFi network around I would guess the attacker goes for the easy targets first.

My install is a CentOS 5.2 installation, but it should work on any fairly recent Linux distribution.

Setting up Poptop VPN for the iPhone is done in just four steps:

1 Installing Poptop on your Linux server

Some distributions already ship pptpd; if yours does not, you can install it from source with the following steps.

Download the latest pptpd from Sourceforge.

Unpack pptpd, configure and run make install:

  tar -zxvf pptpd-1.3.4.tar.gz
  cd pptpd-1.3.4
  ./configure
  make
  # run as root; installs the daemon as /usr/local/sbin/pptpd
  make install

2 Configuring pptpd (poptop)

Now we need to configure the files pptpd uses to set up the VPN:

/etc/pptpd.conf

  option /etc/ppp/options.pptpd
  # address of the server end of every PPP link
  localip 192.168.8.1
  # pool of addresses handed out to clients (five at a time)
  remoteip 192.168.8.234-238

/etc/ppp/options.pptpd

  name pptpd
  refuse-pap
  refuse-chap
  refuse-mschap
  require-mschap-v2
  # require-mppe-128 is commented out for iPhone 4 (see the update below).
  # Without it pppd no longer insists on encryption, so check the log
  # afterwards that MPPE was actually negotiated.
  #require-mppe-128
  # OpenDNS servers; you can replace these with your own DNS provider
  ms-dns 208.67.222.222
  ms-dns 208.67.220.220
  lock
  nobsdcomp
  nologfd

/etc/ppp/chap-secrets

  # Secrets for authentication using CHAP
  # One line per user: client  server  secret  IP addresses
  # "server" must match the "name" line in options.pptpd; * allows any client IP
  username pptpd password *

This file holds the passwords in plain text, so keep it owned by root with mode 0600.

3 Set up the server for masquerading/NAT

Because we want to share the server's internet connection with the iPhone we need to do NAT. The following lines enable this. I am assuming eth0 is the network interface connected to the internet. First try them out by pasting them into a root shell; to keep them working after a reboot, copy the lines into /etc/rc.local. If the server runs a firewall, incoming TCP port 1723 (the PPTP control connection) and GRE (IP protocol 47) must also be allowed on eth0, otherwise clients never get past the connection attempt.

  # allow the kernel to forward packets between ppp* and eth0
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NAT everything that leaves through the internet interface
  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # ppp+ matches ppp0, ppp1, ... so more than one client gets NAT
  /sbin/iptables -A FORWARD -i eth0 -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  /sbin/iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT

  # and start pptpd
  /usr/local/sbin/pptpd

4 Configuring the iPhone

On your iPhone go to Settings > Network > VPN > Add VPN Configuration.

Tap PPTP and fill in:
Description: anything you like
Server: the hostname of the server
Account: the username from /etc/ppp/chap-secrets
RSA SecurID: OFF
Password: the password from /etc/ppp/chap-secrets
Encryption Level: Auto (the phone negotiates this with the server; it is the server-side require-mppe-128 that enforces it)
Send All Traffic: ON

Now press Save. When you turn VPN on it should connect to the server.
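The four steps above, checked from the shell. This is an added example and not part of the original post: it audits a copy of options.pptpd for the refuse-*/require-* lines, checks that chap-secrets is not readable by group or other, and prints a NAT rule set that uses the ppp+ interface wildcard and opens TCP 1723 and GRE on the internet-facing interface. The sample config files are constructed inline, and the interface name eth0 and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pptpd setup.
# Assumes a Linux host with iptables. File paths are passed in so the
# checks can run against copies; the samples below are constructed here.

# Hardening lines options.pptpd should contain. require-mppe-128 is
# included on purpose: without it pppd accepts unencrypted sessions.
REQUIRED_OPTS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# audit_options FILE: print each required option that is missing or
# commented out; return 1 if any is missing, 0 if all are active.
audit_options() {
    f=$1; rc=0
    for opt in $REQUIRED_OPTS; do
        # an active line starts with the option, not with '#'
        if ! grep -Eq "^[[:space:]]*${opt}([[:space:]]|$)" "$f"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# audit_secrets FILE: chap-secrets holds plaintext passwords; fail if the
# group-read or other-read bit is set.
audit_secrets() {
    f=$1
    if [ -n "$(find "$f" -perm -040 2>/dev/null)" ] || \
       [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f is readable by group/other; it should be mode 600"
        return 1
    fi
    return 0
}

# nat_rules WAN_IF: print the forwarding/NAT rule set. Compared with the
# post's rc.local lines it (a) matches every PPP interface with ppp+ so a
# second client on ppp1 is also NATed, and (b) accepts the PPTP control
# port and GRE on the WAN side, which a default-deny INPUT chain drops.
nat_rules() {
    wan=$1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $wan -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $wan -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -o $wan -j ACCEPT
EOF
}

# --- constructed sample input: the post's options.pptpd with the iPhone 4
# workaround applied (require-mppe-128 commented out), and a chap-secrets
# left world-readable ---
TMPD=$(mktemp -d)
SAMPLE_OPTS="$TMPD/options.pptpd"
SAMPLE_SECRETS="$TMPD/chap-secrets"
cat > "$SAMPLE_OPTS" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 208.67.222.222
lock
EOF
printf '# client server secret IP\nusername pptpd password *\n' > "$SAMPLE_SECRETS"
chmod 644 "$SAMPLE_SECRETS"

if audit_options "$SAMPLE_OPTS"; then echo "options.pptpd: OK"; fi
if audit_secrets "$SAMPLE_SECRETS"; then echo "chap-secrets: OK"; fi
nat_rules eth0
```

Run it as is to see the audit of the constructed sample (it reports the missing require-mppe-128 and the 644 secrets file); point audit_options and audit_secrets at the real files under /etc/ppp, and pipe nat_rules eth0 to sh as root to apply the rules.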

If you have any problems, don't hesitate to ask in the comments.

Update iPhone 4:

According to C&P this setup no longer works on iPhone 4. Comment out the line

  #require-mppe-128

Note that this drops the server-side requirement for encryption: pppd will then also accept a session without MPPE. After connecting, check /var/log/messages for a "MPPE 128-bit stateless compression enabled" line from pppd to confirm the session is actually encrypted. (Dave reports in the comments that on iOS 4.2.1 require-mppe-128 works again.)
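One way to verify that sessions are encrypted after dropping require-mppe-128, as an added example that is not part of the original post or of pptpd: scan the pppd lines in syslog and report, per pppd process, whether an MPPE line was logged for the session. The log lines below are constructed for the example in the standard "pppd[PID]: message" syslog form seen elsewhere on this page; the hostname, client addresses and PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original post: report per pppd session whether
# MPPE was actually negotiated, using the "pppd[PID]: ..." syslog lines.

# mppe_status LOGFILE
#   Prints "PID ENCRYPTED" for every session that reached "remote IP address"
#   and also logged an "MPPE 128-bit ... enabled" line, and "PID CLEARTEXT"
#   for sessions that came up without one. Exit status 1 if any session is
#   CLEARTEXT, so it can be wired into a cron job or a monitoring check.
mppe_status() {
    awk '
        match($0, /pppd\[[0-9]+\]/) {
            # strip "pppd[" and "]" to get the process id
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            if ($0 ~ /MPPE 128-bit .* enabled/) mppe[pid] = 1
            if ($0 ~ /remote IP address/)       up[pid] = 1
        }
        END {
            bad = 0
            for (pid in up) {
                if (pid in mppe) print pid, "ENCRYPTED"
                else { print pid, "CLEARTEXT"; bad = 1 }
            }
            exit bad
        }' "$1"
}

# --- constructed sample log (hostname, client IPs and PIDs are made up) ---
# Session 4437 negotiated MPPE before its addresses were assigned;
# session 4512 came up with no MPPE line at all.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 23 18:10:08 vpnhost pptpd[4436]: CTRL: Client 203.0.113.7 control connection started
Jul 23 18:10:09 vpnhost pppd[4437]: MPPE 128-bit stateless compression enabled
Jul 23 18:10:10 vpnhost pppd[4437]: local IP address 192.168.8.1
Jul 23 18:10:10 vpnhost pppd[4437]: remote IP address 192.168.8.234
Jul 23 18:12:00 vpnhost pptpd[4511]: CTRL: Client 198.51.100.23 control connection started
Jul 23 18:12:01 vpnhost pppd[4512]: local IP address 192.168.8.1
Jul 23 18:12:01 vpnhost pppd[4512]: remote IP address 192.168.8.235
EOF

if mppe_status "$SAMPLE_LOG"; then
    echo "all sessions encrypted"
else
    echo "WARNING: at least one session ran in the clear"
fi
```

On a real server replace the sample with /var/log/messages (or wherever pppd logs); a CLEARTEXT line means that client connected with encryption switched off, which is exactly what commenting out require-mppe-128 allows.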

 


33 Responses to “Linux PPTP VPN server install for use with iPhone”

  1. Linux VPN server and iPhone - iPhone Forum - everything about the Apple iPhone and iPhone 3G Said,

    […] got the VPN server Poptop working with the iPhone. In case anyone is interested, I have put a description online of how to install and configure this server and how to get your iPhone to […]

  2. RW Said,

    Is this on WiFi? It does not work on Fido if you are not on WiFi.

  3. Tim Said,

    @RW it probably depends on your provider and plan what kind of traffic is allowed. I tested it on T-Mobile in Holland.

  4. howard Said,

    thanks I have been trying to do this for a while.

  5. stan Said,

    Good stuff!! Works.
    Is there a L2TP version too?

  6. ben Said,

    Thanks for the guide! Been working on this issue for a while without success. Perhaps you could offer some insight? I have configured the vpn server, but connection attempts are rejected. Only this line is recorded in the debug log:

    CTRL: Reaping child PPP

    I’ve been unable to find out what might be causing this. Any advice would be terrifically appreciated!

    Thank you

  7. Jan Said,

    Thanks for the Guide. Works outofthebox :-)

  8. Tim Said,

    Ben:

    I’ve looked into your “CTRL: Reaping child PPP” but I couldn’t find anything about it and I never encountered this problem. Did you succeed in solving it already?

  9. Robert Said,

    Hi, great solution. I would like to implement it on my server as well, but I am not a Linux guru. Could you help me (possibly by paying you a little)?
    Rob

  10. Tim Said,

    Well, if you follow the exact steps you should be able to do it, but anyway I sent you an email to see how I can help.

  11. Kevin Said,

    Hey… Great guide…

    I am able to get my iPhone 3.0 to connect and it says it has a VPN connection, but no web traffic or anything…

    Could this have anything to do with the fact that the server does not have a different internal/external ip?

    Any help would be appreciated.

  12. Tim Said,

    Hey Kevin,

    try to connect to your VPN with a laptop. That way you can see if you can ping your server over the VPN. If so, you know that the VPN is right. If not, check the firewall settings of the server.

    it probably has to do with your different setup and you probably need different masquerading rules.

  13. Kevin Said,

    Hey TIM ty for the fast response.

    So I connected my laptop to the server through the VPN.

    Once connected I am able to ping the IP of the server but not a site outside of the server, like google.com.

    Any clue? Could this be the nat not working? Any ideas on how to check and see if that actually was setup?

  14. Tim Said,

    Hey Kevin,

    try to ping 62.212.66.201 (this server) if that doesn’t work it probably is your vpn setup! If it does work it’s the dns server/dhcp setup.

    you can see if your masquerading rules are setup by typing iptables -L

  15. Kevin Said,

    Ok, so I tried to ping this server and, not to my surprise, nothing. I am doing this from a MacBook and in the connection “wizard” it is showing that it is receiving no data at all. So I checked iptables and this is what it shows: http://pastebin.com/m463bcaac

    So i checked /etc/rc.local and it has:
    http://pastebin.com/m2ee7e5c8

    I'm not sure if any of it is right, but it follows the guide so I assume it would be…

    Any ideas would be appreciated.

  16. Tim Said,

    if you start /etc/rc.local manually as root do you see any error messages?

  17. Kevin Said,

    iptables v1.3.5: Unknown arg `--state'
    Try `iptables -h' or 'iptables --help' for more information.
    /etc/rc.local: line 10: RELATED,ESTABLISHED: command not found

    hmmm

  18. Kevin Said,

    eeh.. No errors now.. I moved “RELATED,ESTABLISHED” up to the line where it was supposed to be, now no issues… iptables -l still has the same output

  19. Tim Said,

    Kevin, do you use a custom kernel or the one delivered with your distribution? And did you make sure your external interface is eth0? Run iptables -L (capital L) as root.

  20. Kevin Said,

    yep eth0

    http://pastebin.com/m3cec495d

    No clue whats going on…

  21. Kevin Said,

    http://pastebin.com/m7e24f63e

    What is in the /var/log/messages

    Also im on centos 5.3 with the latest kernel build for the system…

  22. Tim Said,

    Kevin:

    Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: local IP address 71.43.227.78
    Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: remote IP address 71.43.227.78

    doesn’t look right, same ip for remote & local?! did you edit /etc/pptpd.conf described as above?

  23. Kevin Said,

    Yes… The server only has an external/remote IP… It's on a dedicated line… 71.43.227.78…

    option /etc/ppp/options.pptpd
    localip 71.43.227.78
    remoteip 71.43.227.78

  24. Tim Said,

    Kevin, copy the options.pptpd right from the example I put here; it probably should work then. It's a virtual network, so the IP settings don't have anything to do with the external IP.

  25. adde Said,

    I can recommend a provider with pptp service.
    https://www.anonine.com/en

  26. Erixun Said,

    I have found that you must connect to WiFi first before anything else (naturally). The VPN takes some time to negotiate. This gives your bandwidth-hungry iPhone 1-15 seconds to roam free on the insecure network.
    I guess just make sure EVERYTHING on the iPhone does not store any passwords, which gives you the few seconds necessary to connect securely and then type your passwords in when prompted (mail, chat, FB etc.). If you do have stored passwords the iPhone will spill its guts before you have time to connect the VPN.
    Apple should make a feature in the VPN section that forces all traffic over the VPN regardless of network status (i.e. as soon as there is network: connect VPN, then surf) to make it truly a secure option for jumping on evil WiFi networks.

  27. China Unicom won't connect - VPN | Wangling Said,

    […] is fairly simple; if you have no special security requirements, this is the recommended first choice. For the setup just follow this article. A single pptpd does it all. Note, don't forget to enable […]

  28. Raul Said,

    Hi, I'm following your guide and now I'm able to connect my iPhone to the PPTP server.

    I get the right client IP address, and I can access the internet perfectly but only using IP addresses; name resolution is not working.

    Any tips about the push of the DNS server address?

    I have the ms-dns line in options.pptpd but it seems to do nothing.

    Regards

  29. Tim Said,

    Raul,

    Try changing the lines

    ms-dns 208.67.222.222
    ms-dns 208.67.220.220

    to the DNS servers of your provider, or try 8.8.8.8 (Google DNS)

  30. PPTP on iPhone: Changes iPhone3 to iPhone4 Said,

    […] config I had was very much like “Tim” wrote on Shared Know How on Sept 28, 2008 — in fact, it’s a very basic, standard config, it’s a bit […]

  31. Guido Said,

    Nice article! Helped me through the dns issue I had.

    Looking at the questions about not being able to access the internet via VPN: you might want to enable IP forwarding on the pptpd server. If you define a range of VPN client addresses outside your own subnet, you need to route packets between the ppp0 and eth0 interfaces:

    To enable:
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Thx, Guido

  32. Dave Said,

    I just tried this setup with iOS 4.2.1, the require-mppe-128 option works fine:

    pppd[18791]: MPPE 128-bit stateless compression enabled

    and tcpdump shows that packets are encrypted. Maybe something has been changed between the earlier versions of 4.x and 4.2.1.

  33. Octi Said,

    Nice article, and helpful for me. Now it works like a charm. Thanks
