iPhone VPN Howto

There are several reasons to set up a VPN to your home LAN. For more professional business situations, you probably want to get some Cisco hardware. But if you just need a simple way to access a home network from your iPhone, it's easy to do it yourself without buying any additional hardware.

A full breakdown and deep exploration of all the various types and configurations of VPNs is beyond the scope of this article, but basically the iPhone's built-in client lets you choose between Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Today we will work with PPTP. One caveat up front: PPTP's MS-CHAPv2 authentication and MPPE encryption have well-known cryptographic weaknesses, so treat it as convenient remote access rather than strong protection for sensitive traffic.

If you run Linux (BSD, Darwin, et al.) you can download the open source PoPToP project. This is a PPTP server daemon (pptpd) that works in conjunction with your system PPP daemon (pppd) to authenticate users, assign an IP address, and tunnel the traffic. There are a bunch of options you can use with pppd and pptpd. I will show you the basics to get it up and running in 10 minutes.

First, install PoPToP via the preferred method for your platform. I had no trouble compiling it from source.

You will need 3 configuration files:

/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets

The first file needs to contain only 3 lines to work:

option /etc/ppp/options.pptpd
localip 192.168.1.10
remoteip 192.168.1.100-150

Where the option line tells pptpd which pppd options file to hand to each session (leave the path as shown), the localip option is the address the server itself uses on the PPP links (the same server the file is on, 192.168.1.10 here), and the remoteip option designates the range of addresses assigned to incoming users, much like a DHCP pool. Pick a range your DHCP server will not also hand out, or you will get address conflicts.

Next, the /etc/ppp/options.pptpd file:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
lock
nobsdcomp
nologfd

This forces MS-CHAP version 2 authentication and pushes DNS settings to the iPhone. The name line is the server name that pppd looks up in chap-secrets (see below). The refuse-* lines reject the weaker methods (PAP sends the password in the clear, and CHAP/MS-CHAPv1 are worse than v2), and require-mppe-128 insists on 128-bit MPPE so a client cannot negotiate an unencrypted link. In the above, I use Google's public DNS servers but you are free to use whatever you want. If hosts on your LAN need to reach the phone at its pool address, add proxyarp as well.

Finally, the /etc/ppp/chap-secrets file, which contains all your users:

yourusername pptpd yourpassword *

Replace yourusername and yourpassword, but leave the pptpd and *. The fields are client, server, secret and allowed addresses: the server field must match the name line in options.pptpd or pppd will never match the entry, and * lets the client take any address from the pool, which you will want on a mobile device. The passwords are stored in plaintext, so make sure the file is readable by root only (chmod 600 /etc/ppp/chap-secrets).

Almost done. We just need to add some sort of startup script and iptables rules.

I manage a good deal of my init scripts by making one for each service and calling them from /etc/rc.d/rc.local

Here’s the one for the pptpd:

#!/bin/sh
# /etc/rc.d/rc.pptpd
if [ "$1" = "stop" ]; then
    echo "Stopping PPTP VPN daemon"
    # Stops the listener; sessions already up (pptpctrl/pppd) keep running
    # until their clients disconnect
    killall pptpd
else # assume $1 = start:
    echo "Starting PPTP VPN daemon"
    /usr/local/sbin/pptpd
fi

I use a very tightly configured set of iptables rules, so I need to explicitly allow the PPTP control port, TCP 1723, and also GRE (IP protocol 47), which carries the tunneled PPP data. Without the GRE rule the control connection succeeds but the PPP session never comes up.

#!/bin/sh
# /etc/rc.d/rc.iptables
(large irrelevant sections omitted)
# PPTP control channel
/usr/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# PPTP data channel (GRE, IP protocol 47)
/usr/sbin/iptables -A INPUT -p gre -j ACCEPT

You may also wish to let your server route all of the iPhone's Internet traffic. Here eth0 is the server's LAN/upstream interface, and ppp+ matches every PPP session rather than only the first one:

# Allow VPN Internet traffic through
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/iptables -A FORWARD -i eth0 -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT

The above is optional. Without it the phone can only reach your home LAN; with it and "Send All Traffic" enabled, the phone's Internet traffic exits through your home connection, which gets you around restrictive hotspot firewalls. On your router you will also need to forward TCP port 1723 to the server and enable PPTP (GRE) passthrough, since the tunnel data does not travel over TCP.
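Before starting the daemon, it is worth checking the three files and the firewall script for the mistakes that cause silent failures. The following POSIX shell script is an added example, not code from the original post or from the PoPToP project: it verifies that pptpd.conf has its three settings, that options.pptpd refuses the weak authenticators and requires MPPE, that chap-secrets is mode 600 and its server field matches the name line, and that the firewall script opens both TCP 1723 and GRE. The default paths are the ones used above; the function name and argument order are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for a PoPToP
# setup. Paths default to the ones used in the howto; pass alternatives as
# arguments to check files elsewhere.
#
# Usage: sh check-pptp.sh [pptpd.conf options.pptpd chap-secrets [rc.iptables]]

check_pptp_config() {
    conf="${1:-/etc/pptpd.conf}"
    opts="${2:-/etc/ppp/options.pptpd}"
    secrets="${3:-/etc/ppp/chap-secrets}"
    fw="${4:-}"                      # optional iptables script to inspect
    rc=0

    # pptpd.conf: the pppd options file plus the server and pool addresses
    for key in option localip remoteip; do
        grep -q "^$key[[:blank:]]" "$conf" || { echo "$conf: missing '$key'"; rc=1; }
    done

    # 'name' in options.pptpd is the server field pppd matches in chap-secrets
    server=$(awk '$1 == "name" { print $2; exit }' "$opts" 2>/dev/null)
    [ -n "$server" ] || { echo "$opts: missing 'name'"; rc=1; }

    # Refuse the weak authenticators and insist on 128-bit MPPE; otherwise a
    # client can negotiate PAP (cleartext password) or an unencrypted link
    for key in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -qx "$key" "$opts" || { echo "$opts: missing '$key'"; rc=1; }
    done

    # chap-secrets holds plaintext passwords and must not be readable by others
    # (GNU stat first, BSD/macOS stat as the fallback)
    mode=$(stat -c %a "$secrets" 2>/dev/null || stat -f %Lp "$secrets" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$secrets: mode '$mode', expected 600"; rc=1 ;;
    esac

    # Each entry is: client server secret allowed-addresses. The server field
    # must equal the 'name' above (or '*'), or pppd never matches the line.
    awk -v srv="$server" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad = 1; next }
        $2 != srv && $2 != "*" { printf "line %d: server %s does not match name %s\n", NR, $2, srv; bad = 1 }
        $3 == "\"\"" { printf "line %d: empty secret\n", NR; bad = 1 }
        END { exit bad + 0 }
    ' "$secrets" || rc=1

    # Firewall: PPTP needs TCP 1723 (control) and GRE, IP protocol 47 (data)
    if [ -n "$fw" ]; then
        grep -q -- '--dport 1723' "$fw" || { echo "$fw: TCP 1723 not opened"; rc=1; }
        grep -Eq -- '-p (gre|47)' "$fw" || { echo "$fw: GRE (IP protocol 47) not opened"; rc=1; }
    fi

    return $rc
}

# Run the check only when paths are given on the command line
if [ "$#" -gt 0 ]; then
    check_pptp_config "$@"
fi
```

Run it as root (so it can stat chap-secrets) with the four paths; a non-zero exit status with one line per problem means do not start pptpd yet. The GRE check is the one most often missed: a firewall that opens only TCP 1723 lets the client connect and then stall.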

That’s it as for the server. Now the iPhone. In iOS 4, go to

Settings > VPN > Add VPN Configuration…

Select PPTP

Description:   My Network
Server:   Your network’s public IP address
Account:   What you put for yourusername in chap-secrets
RSA SecurID:  OFF
Password:  What you put for yourpassword in chap-secrets
Encryption Level:  Auto
Send All Traffic:  This is optional, but if you enable it, you will need the above iptables rules to allow passthrough Internet traffic

The point is that the default options should just work. And there is nothing iPhone-specific about this; you should be able to connect from any PPTP client on any platform.

Next up, L2TP.