Comments on: Debian VPN server for iPhone to connect to?

Question: Debian VPN server for iPhone to connect to?

evariste — Sun, 19 Aug 2007 00:42:00 -0800

Best open source VPN (server-side) software for an iPhone user?

What's the best way to set up VPN on my Debian server so I can use it from my iPhone? Total VPN newbie here, although I'm experienced with using ssh tunnels. Since iPhone lacks ssh, I guess VPN is my only option for security, right?

By: Blazecock Pileon

Blazecock Pileon — Sun, 19 Aug 2007 00:48:57 -0800

There are several Google results for "iphone ssh" — look for "dropbear" instructions.

By: Malor

Malor — Sun, 19 Aug 2007 05:31:42 -0800

Do you really need a VPN, or just remote mail access?

By: schwa

schwa — Sun, 19 Aug 2007 07:49:20 -0800

The iPhone has built-in VPN support (see Settings/General/Network/VPN). It seems to support L2TP and PPTP.

Googling for Debian & PPTP produces a bunch of hits, including hits for PPTP server howtos.

Installing Dropbear on your iPhone is quite involved, and may not help you very much once you do. I'd definitely try getting the built-in VPN working first.

By: toxic

toxic — Sun, 19 Aug 2007 11:34:31 -0800

I've used the PoPToP daemon on various linux distributions for years to provide the server end of various PPTP connections. It works fairly well, is stable, and most people consider it to be sufficiently secure (128bit MPPE).

'apt-get install pptpd' will install it for you on Sarge and Etch, then just follow the directions.

By: evariste

evariste — Sun, 19 Aug 2007 12:53:41 -0800

toxic: I'm trying to follow that, but I don't know what to put in localip and remoteip in the pptpd.conf file. Can I just make something up, or do these have to be real internal network IPs that aren't being used for anything? Because I can't even tell what my internal network IP is. ifconfig only tells me my external IP address.

By: evariste

evariste — Sun, 19 Aug 2007 13:22:29 -0800

Malor: I want to encrypt all my traffic, same thing I do with SSH tunnels. So, web browsing and email.

By: toxic

toxic — Sun, 19 Aug 2007 13:57:18 -0800

localip and remoteip are the IP addresses used on each end of the encapsulated PPP connection, so you should use otherwise empty IP addresses from one of the reserved non-routable network blocks. When the PPTP tunnel is up, your server will have a network interface called ppp0, that will have the IP address specified in localip, and your iPhone will be assigned one of the ones in remoteip.

something like:
localip 192.168.8.1
remoteip 192.168.8.2-254

should work for your scenario as described (assuming you're not using 192.168.8.* anywhere else).

At the most basic level, you could bring up such a tunnel, and then connect to your Debian boxes daemons using the 192.168.8.1 address (just set your iPhone's mail server to that address, for instance). But, you're going to need to set up IP masquerading and forwarding on your server if you want the phone to be able to browse the internet (or reach any hosts other than your server) through the PPTP tunnel.

By: evariste

evariste — Sun, 19 Aug 2007 14:12:33 -0800

Yay! I got a VPN connection up. I can't visit any websites or check email or accomplish anything else useful yet, but the iPhone claims it connected, and the server side shows it working as well.

By: toxic

toxic — Sun, 19 Aug 2007 14:26:05 -0800

I can't visit any websites or check email or accomplish anything else useful yet

/sbin/iptables -A POSTROUTING -s 192.168.8.0/255.255.255.0 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

(replace eth0 with whatever the name of your internet-connected network interface is)

By: evariste

evariste — Sun, 19 Aug 2007 14:28:32 -0800

Output from the iptables command:
iptables: No chain/target/match by that name

The other thing did work:
cat /proc/sys/net/ipv4/ip_forward
1

By: evariste

evariste — Sun, 19 Aug 2007 14:30:10 -0800

My iptables is empty, by the way:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

By: toxic

toxic — Sun, 19 Aug 2007 14:30:51 -0800

Whoops.

add '-t nat' before the -A in the iptables command.

By: evariste

evariste — Sun, 19 Aug 2007 14:40:07 -0800

Incredible! It works! I can see any website I care to try. So my traffic is encrypted 'twixt iPhone and server now?

Here's my customary ssh tunnel setup:

ssh -N -p 22 -c 3des user@host -L 8000/localhost/3128 -L 8001/pop.mailhost.com/110 -L 8002/smtp.mailhost.com/25

And then Mail is configured to connect to POP at localhost:8001 and SMTP at localhost:25. How can I achieve something similar with the iPhone? It picked up Mail's setting, which of course doesn't work since no ssh tunnel is running on the phone. Should I just switch to using VPN on my Macbook, too, and quit it with the tunnels?

By: evariste

evariste — Sun, 19 Aug 2007 15:18:50 -0800

Mail works fine.

Thanks so much, toxic!

By: evariste

evariste — Fri, 07 Mar 2008 14:07:37 -0800

One reboot later, all the settings toxic gave me vanished, of course. To make them stick, I put them in /etc/rc.local. I'm not sure if there's a better way to do that, but this works so I'm happy.