Debian VPN server for iPhone to connect to?
August 19, 2007 12:42 AM

Best open source VPN (server-side) software for an iPhone user?

What's the best way to set up VPN on my Debian server so I can use it from my iPhone? Total VPN newbie here, although I'm experienced with using ssh tunnels. Since iPhone lacks ssh, I guess VPN is my only option for security, right?
posted by evariste to Computers & Internet (15 answers total)
 
There are several Google results for "iphone ssh" — look for "dropbear" instructions.
posted by Blazecock Pileon at 12:48 AM on August 19, 2007


Do you really need a VPN, or just remote mail access?
posted by Malor at 5:31 AM on August 19, 2007


Best answer: The iPhone has built-in VPN support (see Settings/General/Network/VPN). It seems to support L2TP and PPTP.

Googling for Debian & PPTP produces a bunch of hits, including hits for PPTP server howtos.

Installing Dropbear on your iPhone is quite involved, and may not help you very much once you do. I'd definitely try getting the built-in VPN working first.
posted by schwa at 7:49 AM on August 19, 2007


Best answer: I've used the PoPToP daemon on various linux distributions for years to provide the server end of various PPTP connections. It works fairly well, is stable, and most people consider it to be sufficiently secure (128bit MPPE).

'apt-get install pptpd' will install it for you on Sarge and Etch, then just follow the directions.
posted by toxic at 11:34 AM on August 19, 2007


Response by poster: toxic: I'm trying to follow that, but I don't know what to put in localip and remoteip in the pptpd.conf file. Can I just make something up, or do these have to be real internal network IPs that aren't being used for anything? Because I can't even tell what my internal network IP is. ifconfig only tells me my external IP address.
posted by evariste at 12:53 PM on August 19, 2007


Response by poster: Malor: I want to encrypt all my traffic, same thing I do with SSH tunnels. So, web browsing and email.
posted by evariste at 1:22 PM on August 19, 2007


Best answer: localip and remoteip are the IP addresses used on each end of the encapsulated PPP connection, so you should use otherwise empty IP addresses from one of the reserved non-routable network blocks. When the PPTP tunnel is up, your server will have a network interface called ppp0, that will have the IP address specified in localip, and your iPhone will be assigned one of the ones in remoteip.

something like:
localip 192.168.8.1
remoteip 192.168.8.2-254

should work for your scenario as described (assuming you're not using 192.168.8.* anywhere else).

At the most basic level, you could bring up such a tunnel, and then connect to your Debian box's daemons using the 192.168.8.1 address (just set your iPhone's mail server to that address, for instance). But, you're going to need to set up IP masquerading and forwarding on your server if you want the phone to be able to browse the internet (or reach any hosts other than your server) through the PPTP tunnel.
posted by toxic at 1:57 PM on August 19, 2007


Response by poster: Yay! I got a VPN connection up. I can't visit any websites or check email or accomplish anything else useful yet, but the iPhone claims it connected, and the server side shows it working as well.
posted by evariste at 2:12 PM on August 19, 2007


Best answer: I can't visit any websites or check email or accomplish anything else useful yet

/sbin/iptables -A POSTROUTING -s 192.168.8.0/255.255.255.0 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

(replace eth0 with whatever the name of your internet-connected network interface is)
posted by toxic at 2:26 PM on August 19, 2007


Response by poster: Output from the iptables command:
iptables: No chain/target/match by that name

The other thing did work:
cat /proc/sys/net/ipv4/ip_forward
1
posted by evariste at 2:28 PM on August 19, 2007


Response by poster: My iptables is empty, by the way:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
posted by evariste at 2:30 PM on August 19, 2007


Best answer: Whoops.

add '-t nat' before the -A in the iptables command.
posted by toxic at 2:30 PM on August 19, 2007


Response by poster: Incredible! It works! I can see any website I care to try. So my traffic is encrypted 'twixt iPhone and server now?

Here's my customary ssh tunnel setup:

ssh -N -p 22 -c 3des user@host -L 8000/localhost/3128 -L 8001/pop.mailhost.com/110 -L 8002/smtp.mailhost.com/25

And then Mail is configured to connect to POP at localhost:8001 and SMTP at localhost:25. How can I achieve something similar with the iPhone? It picked up Mail's setting, which of course doesn't work since no ssh tunnel is running on the phone. Should I just switch to using VPN on my Macbook, too, and quit it with the tunnels?
posted by evariste at 2:40 PM on August 19, 2007


Response by poster: Mail works fine.

Thanks so much, toxic!
posted by evariste at 3:18 PM on August 19, 2007


Response by poster: One reboot later, all the settings toxic gave me vanished, of course. To make them stick, I put them in /etc/rc.local. I'm not sure if there's a better way to do that, but this works so I'm happy.
posted by evariste at 2:07 PM on March 7, 2008
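rc.local does work, but it runs at the very end of boot, after the interfaces are up and forwarding may already be on, so there is a short window in which the box forwards without its NAT rule. The added script below (not from the thread) persists the two settings through the files Debian already consults: ip_forward goes into /etc/sysctl.conf, and the iptables ruleset is saved with iptables-save and restored by an ifupdown hook before any interface comes up. The paths /etc/iptables.rules and /etc/network/if-pre-up.d/iptables-restore are assumed conventions, not anything the thread names. Without `--apply` it only prints the files it would write.

```shell
#!/bin/sh
# Added example, not from the thread: make the forwarding flag and the NAT rule
# survive a reboot using the files Debian already consults, instead of rc.local.
# Assumed paths: /etc/iptables.rules for the saved ruleset and an ifupdown hook
# in /etc/network/if-pre-up.d (both conventions, neither is thread content).
SAVED_RULES="/etc/iptables.rules"
HOOK="/etc/network/if-pre-up.d/iptables-restore"

# The line /etc/sysctl.conf needs so ip_forward is set at boot by procps.
sysctl_lines() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# The hook script: restore the saved rules before any interface comes up, so
# there is no window after boot in which the box forwards without the NAT rule.
restore_hook() {
    cat <<EOF
#!/bin/sh
# Restore iptables rules saved with iptables-save (installed by the VPN setup).
[ -r ${SAVED_RULES} ] && iptables-restore < ${SAVED_RULES}
exit 0
EOF
}

# Reads iptables-save output on stdin; succeeds only if the nat table contains
# a POSTROUTING masquerade rule, i.e. the saved file is worth restoring.
saved_rules_have_nat() {
    awk '/^\*nat/ { t = 1 } /^COMMIT/ { t = 0 }
         t && /^-A POSTROUTING .* -j MASQUERADE/ { f = 1 }
         END { exit !f }'
}

# Reads sysctl.conf on stdin; succeeds if ip_forward=1 is set and not commented out.
forwarding_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
        # Refuse to persist a ruleset that does not yet contain the NAT rule.
        iptables-save | saved_rules_have_nat || { echo "no MASQUERADE rule loaded; install it first" >&2; exit 1; }
        iptables-save > "$SAVED_RULES"
        restore_hook > "$HOOK" && chmod 755 "$HOOK"
        forwarding_persisted < /etc/sysctl.conf || sysctl_lines >> /etc/sysctl.conf
        echo "saved $SAVED_RULES, installed $HOOK, updated /etc/sysctl.conf"
        ;;
    *)
        echo "# preview only; run with --apply as root"
        sysctl_lines
        restore_hook
        ;;
esac
```

After a reboot, `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -S POSTROUTING` should show the same values the thread checked by hand, without anything having been typed in.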

