Linux PPTP VPN server install for use with iPhone

Submitted by Tim on 28 Sep 2008 - 17:19

I was looking into getting a VPN connection from my iPhone to my server because I don't want to send my email and web passwords in the clear over any public WiFi. Setting up an open source VPN connection from the iPhone is fairly simple, but there is not much choice of software. To my knowledge OpenVPN and Openswan are not supported, so my choice came down to Poptop. It is probably not the most secure solution, because it uses Microsoft's PPTP protocol, whose MS-CHAPv2 authentication and MPPE encryption have known weaknesses, but I figured it would be much safer than nothing, and if there is an evil WiFi I would guess they will just go for the easy targets.

My install is on CentOS 5.2, but it should work on any fairly recent Linux distribution.

Setting up Poptop (pptpd) for the iPhone is done in four steps:

1 Installing Poptop on your Linux server

Some distributions already package pptpd; if yours does not, install it from source with the following steps (the make install needs to run as root).

Download the latest pptpd from Sourceforge.

Unpack pptpd, configure and run make install:

tar -zxvf pptpd-1.3.4.tar.gz
cd pptpd-1.3.4
./configure
make
make install

2 Configuring pptpd (poptop)

Now we need to configure the files pptpd and pppd use for the VPN:

/etc/pptpd.conf (localip is the server's end of the PPP link, remoteip the pool handed to clients; both are private addresses on the tunnel and have nothing to do with the server's public IP)

option /etc/ppp/options.pptpd
localip 192.168.8.1
remoteip 192.168.8.234-238

/etc/ppp/options.pptpd

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128  # commented out for the iPhone 4, see the update below

# OpenDNS resolvers; replace with your own provider's DNS
ms-dns 208.67.222.222
ms-dns 208.67.220.220
lock
nobsdcomp
nologfd

The refuse/require lines leave MS-CHAPv2 as the only authentication the server accepts. require-mppe-128 makes pppd drop a link that does not negotiate 128-bit MPPE; with it commented out pppd accepts whatever the client negotiates, so check the log after connecting to confirm the tunnel is encrypted.

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# set one or more usernames and passwords to use with the PPTP VPN;
# the server column must match "name pptpd" in options.pptpd
# username    server   password         IP addresses
username       pptpd   password        *

The passwords are stored in the clear, so keep the file root-only (chmod 600 /etc/ppp/chap-secrets). Pick long, random passwords: anyone who captures the MS-CHAPv2 handshake on the WiFi can run an offline dictionary attack against it, and the MPPE session keys are derived from the same password hash.

3 Setup the server for Masquerading/NAT

Because we want to share the server's internet connection with the iPhone we need NAT. The following lines enable it; I am assuming eth0 is the interface connected to the internet. Try it first by pasting the lines into a root shell; to keep it working after a reboot, copy them into /etc/rc.local (or set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and save the rules with service iptables save). Three things to watch: PPTP also needs TCP port 1723 and GRE (IP protocol 47) allowed in; every client gets its own pppN interface, so match ppp+ rather than ppp0; and if your distribution's default firewall already rejects forwarded traffic (the CentOS default ruleset does), rules appended with -A land after that REJECT and never match, so insert them with -I.

echo 1 > /proc/sys/net/ipv4/ip_forward
# let the PPTP control connection and the GRE tunnel reach pptpd
/sbin/iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -I INPUT -p gre -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -I FORWARD -i eth0 -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -I FORWARD -i ppp+ -o eth0 -j ACCEPT

# and start pptpd
/usr/local/sbin/pptpd
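To tie steps 2 and 3 together, here is an added example (not part of the original post, and not pptpd's own tooling) that writes the three configuration files described above and prints the firewall rules so they can be reviewed before being applied. It keeps the post's placeholder values (the 192.168.8.x pool, the OpenDNS resolvers, eth0 as the internet-facing interface, the username/password pair); ROOT, REQUIRE_MPPE and PPTPD_APPLY are knobs of this script only, not pptpd options. The rules differ from a plain copy of step 3 in three deliberate ways: they are inserted with -I so they land ahead of any REJECT a stock distribution firewall already has in the chain, they match ppp+ so every client's pppN interface is forwarded rather than only ppp0, and they open TCP 1723 and GRE, without which pptpd never sees the phone.

```shell
#!/bin/sh
# Added example, not from the original post: generates the pptpd files
# from steps 2 and 3 and prints the firewall rules for review.
# Assumptions: the address pool, OpenDNS resolvers, eth0 and the single
# user/password pair are the post's placeholders; ROOT is a staging
# prefix used by this script only.
#
#   sh pptpd-setup.sh /tmp/stage        # write files under /tmp/stage, print rules
#   PPTPD_APPLY=yes sh pptpd-setup.sh   # as root: write under /, apply rules, start pptpd

ROOT="${1:-}"                    # empty means the real /etc
LOCALIP="192.168.8.1"            # server end of the PPP link
REMOTEIP="192.168.8.234-238"     # pool handed out to clients
EXT_IF="eth0"                    # interface connected to the internet
DNS1="208.67.222.222"
DNS2="208.67.220.220"
VPN_USER="username"              # placeholder, as in the post
VPN_PASS="password"              # placeholder: use a long random one
REQUIRE_MPPE="${REQUIRE_MPPE:-yes}"   # "no" reproduces the iPhone 4 workaround

write_pptpd_conf() {
    cat > "$ROOT/etc/pptpd.conf" <<EOF
option /etc/ppp/options.pptpd
localip $LOCALIP
remoteip $REMOTEIP
EOF
}

write_options_pptpd() {
    {
        printf 'name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\n'
        if [ "$REQUIRE_MPPE" = yes ]; then
            echo 'require-mppe-128'
        else
            # pppd will then not refuse a link that negotiates no MPPE:
            # check the log for "MPPE 128-bit stateless compression enabled"
            echo '#require-mppe-128'
        fi
        printf 'ms-dns %s\nms-dns %s\nlock\nnobsdcomp\nnologfd\n' "$DNS1" "$DNS2"
    } > "$ROOT/etc/ppp/options.pptpd"
}

write_chap_secrets() {
    # columns: client  server  secret  IP; "server" must match "name pptpd"
    printf '%s\tpptpd\t%s\t*\n' "$VPN_USER" "$VPN_PASS" > "$ROOT/etc/ppp/chap-secrets"
    chmod 600 "$ROOT/etc/ppp/chap-secrets"   # cleartext passwords: root only
}

firewall_rules() {
    # -I (insert) rather than -A so the rules land before any REJECT the
    # distribution's default ruleset already has; ppp+ matches every client.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -I FORWARD -i $EXT_IF -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i ppp+ -o $EXT_IF -j ACCEPT
EOF
}

install_all() {
    mkdir -p "$ROOT/etc/ppp"
    write_pptpd_conf
    write_options_pptpd
    write_chap_secrets
}

if [ "${PPTPD_APPLY:-no}" = yes ]; then
    install_all
    firewall_rules | sh
    /usr/local/sbin/pptpd
else
    [ -n "$ROOT" ] && install_all
    echo "# dry run; set PPTPD_APPLY=yes to apply. Rules that would be applied:"
    firewall_rules
fi
```

Run it with a directory argument first and diff the staged files against what you already have; only then run it as root with PPTPD_APPLY=yes. The file name pptpd-setup.sh is just what I call it here.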

4 Configuring the iPhone

On your iPhone go to Settings > Network > VPN > Add VPN Configuration.

Choose PPTP and fill in:
Description: anything you like
Server: the hostname of the server
Account: the username from /etc/ppp/chap-secrets
RSA SecurID: OFF
Password: as filled in in /etc/ppp/chap-secrets
Encryption Level: Auto
Send All Traffic: ON

Now press Save; when you turn VPN on it should connect to the server. On the server, /var/log/messages should then show pppd lines like "CHAP peer authentication succeeded for username" and "MPPE 128-bit stateless compression enabled"; the second one is what confirms the tunnel is actually encrypted.

If you have any problems, don't hesitate to ask in the comments.

Update iPhone 4:

According to C&P (in the comments) this setup no longer works on the iPhone 4. Comment out the line

#require-mppe-128

in /etc/ppp/options.pptpd. Be aware that pppd then no longer refuses a link that fails to negotiate MPPE, so after connecting check /var/log/messages for "MPPE 128-bit stateless compression enabled". A later comment reports that with iOS 4.2.1 the option works again and tcpdump confirms the packets are encrypted.

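Once require-mppe-128 is commented out, the server no longer rejects a client that fails to negotiate encryption, so it pays to check that each session actually brought MPPE up. The following is an added example, not part of the post: a shell function that scans pppd's syslog output for sessions that authenticated but never logged the "MPPE 128-bit stateless compression enabled" line (the message C&P's fix hides and the last commenter quotes). The sample log is constructed for the demonstration, modelled on the messages quoted in the comments; its PIDs, host name, addresses and times are made up.

```shell
#!/bin/sh
# Added example, not from the original post: lists pppd sessions that
# authenticated without MPPE, which is what commenting out
# require-mppe-128 lets through. Run against /var/log/messages.

# Prints one line per pppd session without MPPE; exit status 1 if any.
unencrypted_sessions() {
    awk '
        function pid(s) { match(s, /pppd\[[0-9]+\]/); return substr(s, RSTART + 5, RLENGTH - 6) }
        /pppd\[[0-9]+\]: CHAP peer authentication succeeded for/ { auth[pid($0)] = $NF }
        /pppd\[[0-9]+\]: MPPE 128-bit/ && /enabled/            { mppe[pid($0)] = 1 }
        /pppd\[[0-9]+\]: remote IP address/                    { addr[pid($0)] = $NF }
        END {
            bad = 0
            for (p in auth) if (!(p in mppe)) {
                printf "pppd[%s]: user %s (client %s) authenticated WITHOUT MPPE\n", p, auth[p], addr[p]
                bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed sample log: session 18791 negotiated MPPE, session 18802 did not.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 22 06:30:01 vpn pptpd[18790]: CTRL: Client 10.0.0.5 control connection started
Dec 22 06:30:02 vpn pppd[18791]: CHAP peer authentication succeeded for username
Dec 22 06:30:02 vpn pppd[18791]: MPPE 128-bit stateless compression enabled
Dec 22 06:30:02 vpn pppd[18791]: local  IP address 192.168.8.1
Dec 22 06:30:02 vpn pppd[18791]: remote IP address 192.168.8.234
Dec 22 06:35:10 vpn pppd[18802]: CHAP peer authentication succeeded for username
Dec 22 06:35:10 vpn pppd[18802]: local  IP address 192.168.8.1
Dec 22 06:35:10 vpn pppd[18802]: remote IP address 192.168.8.235
Dec 22 06:36:00 vpn pptpd[18801]: CTRL: Reaping child PPP[18802]
EOF

# Against the real log: unencrypted_sessions /var/log/messages
unencrypted_sessions "$SAMPLE_LOG" || echo "found sessions without encryption"
rm -f "$SAMPLE_LOG"
```

A session that shows up here carried the user's traffic over PPTP with no MPPE at all; if that happens with a current iPhone, put require-mppe-128 back and see whether the phone still connects.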


Comments

- 09 Jan 2009 - 02:32

@RW It probably depends on your provider and plan what kind of traffic is allowed. I tested it on T-Mobile in Holland.
- 07 Jan 2009 - 08:23

Is this on WiFi? It does not work on Fido if you are not on WiFi.
- 31 Jan 2009 - 14:43

Good stuff!! Works. Is there an L2TP version too?
- 18 Jan 2009 - 12:39

Thanks, I have been trying to do this for a while.
- 10 Jun 2009 - 08:43

Thanks for the guide. Works out of the box :-)
- 10 Jun 2009 - 09:25

Ben: I've looked into your "CTRL: Reaping child PPP" but I couldn't find anything about it and I never encountered this problem. Did you succeed in solving it already?
- 25 Jul 2009 - 04:58

Yes... The server only has an external/remote IP... It's on a dedicated line... 71.43.227.78...

option /etc/ppp/options.pptpd
localip 71.43.227.78
remoteip 71.43.227.78
In reply to by Kevin

- 25 Jul 2009 - 16:11

Kevin, copy the options.pptpd right from the example I put here. It probably should work then. It's a virtual network, so the IP settings don't have anything to do with the external IP.
- 15 Jul 2009 - 15:21

Hi, great solution. I would like to implement it on my server as well, but I am not a Linux guru. Could you help me (possibly by paying you a little)? Rob
In reply to by Robert

- 15 Jul 2009 - 23:08

Well, if you do the exact steps you should be able to do it, but anyway I send you an email to see how I can help.
- 24 Jul 2009 - 00:08

Yep, eth0. http://pastebin.com/m3cec495d No clue what's going on...
- 22 Jul 2009 - 22:30

Hey Kevin, try to ping 62.212.66.201 (this server). If that doesn't work it probably is your VPN setup! If it does work, it's the DNS server/DHCP setup. You can see if your masquerading rules are set up by typing iptables -L
- 22 Jul 2009 - 23:33

iptables v1.3.5: Unknown arg `--state'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.local: line 10: RELATED,ESTABLISHED: command not found

hmmm
- 22 Jul 2009 - 23:49

Eeh.. no errors now.. I moved "RELATED,ESTABLISHED" up to the line like it was supposed to be, now no issues... iptables -l still has the same output.
- 22 Jul 2009 - 22:57

Ok, so I tried to ping this server and, not to my surprise, nothing.. I am doing this from a MacBook and in the connection "wizard" it is showing that it is receiving no data at all. So I checked iptables and this is what it shows: http://pastebin.com/m463bcaac So I checked /etc/rc.local and it has: http://pastebin.com/m2ee7e5c8 I'm not sure if any of it is right, but it follows the guide so I assume it would... Any ideas would be appreciated.
- 22 Jul 2009 - 23:04

If you start /etc/rc.local manually as root, do you see any error messages?
- 21 Jul 2009 - 11:46

Hey Kevin, try to connect to your VPN with a laptop. That way you can see if you can ping your server over the VPN. If so, you know that the VPN is right. If not, check the firewall settings of the server. It probably has to do with your different setup and you probably need different masquerading rules.
- 21 Jul 2009 - 08:15

Hey... Great guide... I am able to get my iPhone 3.0 to connect and say it has a VPN connection, but no web traffic or anything... Could this have anything to do with the fact that the server does not have a different internal/external IP? Any help would be appreciated.
- 24 Jul 2009 - 00:11

http://pastebin.com/m7e24f63e is what is in /var/log/messages. Also I'm on CentOS 5.3 with the latest kernel build for the system...
- 23 Jul 2009 - 09:12

Kevin, do you use a custom kernel or one delivered with your distribution? And did you make sure your external interface is eth0? iptables -L (capital L) as root.
- 31 Aug 2009 - 19:17

I can recommend a provider with pptp service. https://www.anonine.com/en
- 10 Feb 2010 - 15:08

I have found that you must connect to WiFi first before anything else (naturally). VPN takes some time to negotiate. This gives your bandwidth-hungry iPhone 1-15 seconds to roam free on the insecure network. I guess just make sure EVERYTHING on the iPhone does not store any passwords, which gives you the few seconds necessary to connect securely and then type your passwords in when prompted (mail, chat, FB etc.). If you do have stored passwords the iPhone will spill its guts before you have time to connect the VPN. Apple should make a feature in the VPN section that forces all traffic over VPN regardless of network status (i.e. as soon as there is network - connect VPN - surf) to make it truly a secure option for jumping on evil Wi-Fi networks.
- 07 Sep 2010 - 21:33

Nice article! Helped me through the DNS issue I had. Looking at the questions about not being able to access the internet via VPN: you might want to enable IP forwarding on the pptpd server. If you define a range of VPN client addresses outside your own subnet, you need to route packets between the ppp0 and eth0 interfaces. To enable: echo 1 > /proc/sys/net/ipv4/ip_forward Thx, Guido
- 30 Apr 2009 - 07:44

Thanks for the guide! Been working on this issue for a while without success. Perhaps you could offer some insight? I have configured the VPN server, but connection attempts are rejected. Only this line is recorded in the debug log: CTRL: Reaping child PPP. I've been unable to find out what might be causing this. Any advice would be terrifically appreciated! Thank you
- 22 Jul 2009 - 19:20

Hey Tim, ty for the fast response. So I connected my laptop to the server through the VPN. Once connected I am able to ping the IP of the server, but not a site outside of the server, like google.com.. Any clue? Could this be the NAT not working? Any ideas on how to check and see if that actually was set up?
- 24 Jul 2009 - 13:03

Kevin:

Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: local IP address 71.43.227.78
Jul 23 18:10:10 rrcs-71-43-227-78 pppd[4437]: remote IP address 71.43.227.78

doesn't look right, same IP for remote & local?! Did you edit /etc/pptpd.conf as described above?
- 20 Apr 2010 - 01:02

Hi, I'm following your guide and now I'm able to connect my iPhone to the PPTP server. I get the right client IP address, and I can access the internet perfectly but only using IP addresses; name resolution is not working. Any tips about the push of the DNS server address? I have the ms-dns line in options.pptpd but it seems to do nothing. Regards
- 20 Apr 2010 - 10:07

Raul, try replacing the lines

ms-dns 208.67.222.222
ms-dns 208.67.220.220

with the DNS servers of your provider, or try 8.8.8.8 (Google DNS).
- 22 Dec 2010 - 06:37

I just tried this setup with iOS 4.2.1; the require-mppe-128 option works fine:

pppd[18791]: MPPE 128-bit stateless compression enabled

and tcpdump shows that packets are encrypted. Maybe something has been changed between the earlier versions of 4.x and 4.2.1.
