MetaFilter is turning ten! Help us celebrate at one of dozens of meetups.


Tags:




Debian VPN server for iPhone to connect to?
August 19, 2007 12:42 AM   RSS feed for this thread Subscribe

Best open source VPN (server-side) software for an iPhone user?

What's the best way to set up VPN on my Debian server so I can use it from my iPhone? Total VPN newbie here, although I'm experienced with using ssh tunnels. Since iPhone lacks ssh, I guess VPN is my only option for security, right?
posted by evariste to computers & internet (15 comments total) 3 users marked this as a favorite
There are several Google results for "iphone ssh" — look for "dropbear" instructions.
posted by Blazecock Pileon at 12:48 AM on August 19, 2007


Do you really need a VPN, or just remote mail access?
posted by Malor at 5:31 AM on August 19, 2007


The iPhone has built-in VPN support (see Settings/General/Network/VPN). It seems to support L2TP and PPTP.

Googling for Debian & PPTP produces a bunch of hits, including hits for PPTP server howtos.

Installing Dropbear on your iPhone is quite involved, and may not help you very much once you do. I'd definitely try getting the built-in VPN working first.
posted by schwa at 7:49 AM on August 19, 2007


I've used the PoPToP daemon on various linux distributions for years to provide the server end of various PPTP connections. It works fairly well, is stable, and most people consider it to be sufficiently secure (128bit MPPE).

'apt-get install pptpd' will install it for you on Sarge and Etch, then just follow the directions.
posted by toxic at 11:34 AM on August 19, 2007


toxic: I'm trying to follow that, but I don't know what to put in localip and remoteip in the pptpd.conf file. Can I just make something up, or do these have to be real internal network IPs that aren't being used for anything? Because I can't even tell what my internal network IP is. ifconfig only tells me my external IP address.
posted by evariste at 12:53 PM on August 19, 2007


Malor: I want to encrypt all my traffic, same thing I do with SSH tunnels. So, web browsing and email.
posted by evariste at 1:22 PM on August 19, 2007


localip and remoteip are the IP addresses used on each end of the encapsulated PPP connection, so you should use otherwise empty IP addresses from one of the reserved non-routable network blocks. When the PPTP tunnel is up, your server will have a network interface called ppp0, that will have the IP address specified in localip, and your iPhone will be assigned one of the ones in remoteip.

something like:
localip 192.168.8.1
remoteip 192.168.8.2-254

should work for your scenario as described (assuming you're not using 192.168.8.* anywhere else).

At the most basic level, you could bring up such a tunnel, and then connect to your Debian boxes daemons using the 192.168.8.1 address (just set your iPhone's mail server to that address, for instance). But, you're going to need to set up IP masquerading and forwarding on your server if you want the phone to be able to browse the internet (or reach any hosts other than your server) through the PPTP tunnel.
posted by toxic at 1:57 PM on August 19, 2007


Yay! I got a VPN connection up. I can't visit any websites or check email or accomplish anything else useful yet, but the iPhone claims it connected, and the server side shows it working as well.
posted by evariste at 2:12 PM on August 19, 2007


I can't visit any websites or check email or accomplish anything else useful yet

/sbin/iptables -A POSTROUTING -s 192.168.8.0/255.255.255.0 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

(replace eth0 with whatever the name of your internet-connected network interface is)
posted by toxic at 2:26 PM on August 19, 2007


Output from the iptables command:
iptables: No chain/target/match by that name

The other thing did work:
cat /proc/sys/net/ipv4/ip_forward
1
posted by evariste at 2:28 PM on August 19, 2007


My iptables is empty, by the way:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
posted by evariste at 2:30 PM on August 19, 2007


Whoops.

add '-t nat' before the -A in the iptables command.
posted by toxic at 2:30 PM on August 19, 2007


Incredible! It works! I can see any website I care to try. So my traffic is encrypted 'twixt iPhone and server now?

Here's my customary ssh tunnel setup:

ssh -N -p 22 -c 3des user@host -L 8000/localhost/3128 -L 8001/pop.mailhost.com/110 -L 8002/smtp.mailhost.com/25

And then Mail is configured to connect to POP at localhost:8001 and SMTP at localhost:25. How can I achieve something similar with the iPhone? It picked up Mail's setting, which of course doesn't work since no ssh tunnel is running on the phone. Should I just switch to using VPN on my Macbook, too, and quit it with the tunnels?
posted by evariste at 2:40 PM on August 19, 2007


Mail works fine.

Thanks so much, toxic!
posted by evariste at 3:18 PM on August 19, 2007


One reboot later, all the settings toxic gave me vanished, of course. To make them stick, I put them in /etc/rc.local. I'm not sure if there's a better way to do that, but this works so I'm happy.
posted by evariste at 2:07 PM on March 7, 2008


« Older Pounding sound in my left ear:...   |   I would like to get a solar po... Newer »
This thread is closed to new comments.


Related Questions
Hit me up with apps June 22, 2009
Iphone app filter 2009 April 8, 2009
Just bought an iPhone last night. What should I... December 9, 2008
What sites offer useful iPhone App listings &... November 23, 2008
You've got the Touch? So... uhh... now what? October 19, 2007