Linux PPTP VPN server install for use with Iphone

Submitted by Tim on 28 Sep 2008 - 17:19

I was looking into getting an vpn connection from my iphone to my server because I wouldn't want to send my email passwords and webpasswords clear over any public WIFI. Setting up an open source vpn connection from the Iphone is fairly simple but there is not much choiche of software. To my knowledge OpenVPN and Openswan are not supported so my choiche came down to: Poptop which is probably not the most secure solution because it's uses the Microsoft protocol which has a few flaws but I figured it would be much safer then nothing and if there is an evil WIFI I would guess they will just go for the easy targets.

My install is a CentOS 5.2 installation but it should work under any fairly recent Linux distribution

Setting Poptop VPN for Iphone is done in just four steps:

1 Installing Poptop on your linux server

Some distributions already have pptpd, if not you can install it from source with the following steps.

Download the latest pptpd from Sourceforge.

Unpack pptpd, configure and run make install:

tar -zxvf pptpd-1.3.4.tar.gz
cd pptpd-1.3.4
make install

2 Configuring pptpd (poptop)

Now we need to configure the different files used by pptpd to setup up for the vpn:


option /etc/ppp/options.pptpd


 name pptpd
#require-mppe-128 //comment for iphone 4
#opendns dns services, you can replace this by your dns provider


# Secrets for authentication using CHAP
#set one or more username and passwords to use with the pptp VPN
# username    pptpd   password         IP addresses
username       pptpd   password        *

3 Setup the server for Masquerading/NAT

Because we want to share the internet connection of the server with the Iphone we need to do NAT. The following couple of lines enable this. I am assuming eth0 is the network interface conneted to the internet. Just first try this out by copy and pasting this into bash but to keep it working even after a reboot you can copy the following lines into /etc/rc.local

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

#and start pptpd

4 Configuring the Iphone

On your iphone click settings > network >VPN > Add VPN Configuration

Click PPTP and fill in a description
the hostname of the server
account = the username filled in in /etc/ppp/chap-secrets
password, as filled in in /etc/ppp/chap-secrets
Encryption Level = Auto
Send All Trafic: ON

Now press save and when Turning VPN to ON it should connect to the server.

If you have any problems don't hesistate to ask in the comments.

Update iPhone 4:

According to C&P this setup doesn't work anymore on iPhone 4. Comment the line



searching for web site hosting?


user picture>
- 09 Jan 2009 - 02:32

@RW it probably depends on your provider and plan what kind of traffic is allowed. I tested it on t-mobile in Holland
user picture>
- 07 Jan 2009 - 08:23

IS this on a wifi, it does not work on Fido if you are not on WiFi.
user picture>
- 31 Jan 2009 - 14:43

Good stuff!! Works. Is there a L2TP version too?
user picture>
- 18 Jan 2009 - 12:39

thanks I have been trying to do this for a while.
user picture>
- 10 Jun 2009 - 08:43

Thanks for the Guide. Works outofthebox :-)
user picture>
- 10 Jun 2009 - 09:25

Ben: I've looked into your "CTRL: Reaping child PPP" but I couldn't find anything about it and I never encountered this problem. Did you succeed in solving it already?
user picture>
- 25 Jul 2009 - 04:58

Yes... The server only has an external/remote ip..... Its on a dedicated line... option /etc/ppp/options.pptpd localip remoteip
user picture>

In reply to by Kevin

- 25 Jul 2009 - 16:11

Kevin, copy the options.pptpd right from the example I put here. it probably should work then. It's a virtual network so the ip settings don't have anything to do with the external ip
user picture>
- 15 Jul 2009 - 15:21

hi, great solution. I would like to implement it on my server as well, but I am not a LInux-guru. Could you help me (evt. by paying you a little? Rob
user picture>

In reply to by Robert

- 15 Jul 2009 - 23:08

Well if you do the exact steps you should be able to do it, but anyway I send you an email to see how I can help
user picture>
- 24 Jul 2009 - 00:08

yep eth0 No clue whats going on...
user picture>
- 22 Jul 2009 - 22:30

Hey Kevin, try to ping (this server) if that doesn't work it probably is your vpn setup! If it does work it's the dns server/dhcp setup. you can see if your masquerading rules are setup by typing iptables -L
user picture>
- 22 Jul 2009 - 23:33

iptables v1.3.5: Unknown arg `--state' Try `iptables -h' or 'iptables --help' for more information. /etc/rc.local: line 10: RELATED,ESTABLISHED: command not found hmmm
user picture>
- 22 Jul 2009 - 23:49

eeh.. No errors now.. i moved "RELATED,ESTABLISHED" up to the line like it was supposed to be now no issues... iptables -l still has the same outprint
user picture>
- 22 Jul 2009 - 22:57

Ok, so i tried to ping this server and not to my surprise nothing.. I am doing this from a MacBook and in the connection "wizard" it is showing that it is receiving no data at all. So I check iptables and this is what it shows: So i checked /etc/rc.local and it has: Which i'm not sure if any of it is right but it follows the guide so I awesome it would... Any ideas would be appreciated.
user picture>
- 22 Jul 2009 - 23:04

if you start /etc/rc.local manually as root do you see any error messages?
user picture>
- 21 Jul 2009 - 11:46

Hey Kevin, try to connect to your vpn with a laptop. That way you can see if you can ping your server over vpn. If so you know that the vpn is right. If not, check the firewall settings of the server. it probably has to do with your different setup and you probably need different masquerading rules.
user picture>
- 21 Jul 2009 - 08:15

Hey... Great guide... I am able to get my iPhone 3.0 to connect and say it has a vpn connection but not web traffic or anything... Could this have anything to do with the fact that the server does not have a different internal/external ip? Any help would be appreciated.
user picture>
- 24 Jul 2009 - 00:11 What is in the /var/log/messages Also im on centos 5.3 with the latest kernel build for the system...
user picture>
- 23 Jul 2009 - 09:12

Kevin, do you use a custom kernel or one deliverd with your distributions? and did you make sure your external interface is eth0 ? iptables -L (capital L) as root
user picture>
- 31 Aug 2009 - 19:17

I can recommend a provider with pptp service.
user picture>
- 10 Feb 2010 - 15:08

I have found that u must connect to Wifi first before anything else (naturally). VPN takes some time to negotiate. This gives your bandwidth hungry iPhone 1-15 seconds to roam free on the insecure network. I guess just makes sure EVERYTHING on the iphone does not store any passwords which gives you the few seconds necessary to connect securely and then type your passwords in when prompted (mail, chat, FB etc..). If you do have stored passwords the iPhone will spill its guts before you have time to connect the VPN. Apple should make a feature in the VPN section that forces all traffic over VPN regardless of network status (i.e. as soon as there is network - connect VPN - surf) to make it truly a secure option for jumping on evil Wi-Fi networks.
user picture>
- 07 Sep 2010 - 21:33

Nice article! Helped me through the dns issue I had. Looking at the questions about not being able to access internet via VPN: Yo might want to enable ip forwarding on the pptpd server. If you define a range of vpn client addresses outside our own subnet, you need to route packets between the ppp0 and eth0 iface: To enable: echo 1 > /proc/sys/net/ipv4/ip_forward Thx, Guido
user picture>
- 30 Apr 2009 - 07:44

Thanks for the guide! Been working on this issue for a while without success. Perhaps you could offer some insight? I have configured the vpn server, but connection attempts are rejected. Only this line is recorded in the debug log: CTRL: Reaping child PPP I've been unable to find out what might be causing this. Any advice would be terrifically appreciated! Thank you
user picture>
- 22 Jul 2009 - 19:20

Hey TIM ty for the fast response. So i connected my laptop to the server through the vpn. One connected I am able to ping the ip for the server but not a site outside of the server. Like Any clue? Could this be the nat not working? Any ideas on how to check and see if that actually was setup?
user picture>
- 24 Jul 2009 - 13:03

Kevin: Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: local IP address Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: remote IP address doesn't look right, same ip for remote & local?! did you edit /etc/pptpd.conf described as above?
user picture>
- 20 Apr 2010 - 01:02

Hi, I'm following your guide and now i'm able to connect my iphone to the pptp sever. I get the right client IP address, and i can access the internet perfeclty but only using IP address, the name resolution is not working. Any tips about the push of the DNS server addres? I have the ms-dns line on options.pptpd but seems to do nothing. Regards
user picture>
- 20 Apr 2010 - 10:07

Raul, Try changing the lines -- ms-dns ms-dns -- with the dns services of your provider or try (google dns)
user picture>
- 22 Dec 2010 - 06:37

I just tried this setup with iOS 4.2.1, the require-mppe-128 option works fine: pppd[18791]: MPPE 128-bit stateless compression enabled and tcpdump shows that packets are encrypted. Maybe something has been changed between the earlier versions of 4.x and 4.2.1.

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.