PPTP VPN on Ubuntu 10.04 for your iPhone / iPad

August 30, 2010

Below are the steps necessary to set up a PPTP VPN server that your iPhone, iPad or any other computer can connect to.

Why would I want to do this? To reach information and servers that sit behind a firewall, or simply to route your traffic through a different server.

I’ve tested this on a 256mb Rackspace Cloud instance running Ubuntu 10.04 and with an iPhone and an iPad. Thanks to Yaniv for debugging the instructions.

Disclaimer: This is for educational use only and I take no responsibility for what you do with it. The PPTP VPN configured below has no encryption and accepts the weakest password authentication methods pppd offers, so anyone on the path between your device and the server can read the traffic (and, if a client falls back to PAP, the password itself). If you need encryption and stronger authentication, keep the “require-mschap-v2” and “require-mppe-128” lines in step 6 and read more about pptpd configuration; even then, PPTP is an old protocol with known weaknesses, so do not treat it as a substitute for a modern VPN.

Assumptions:

  • The instance you are using is blank, in particular with no existing iptables rules; otherwise you’ll need to merge the rules below into yours.
  • All commands assume you are currently the root user. If you logged in as root, that’s great. If not, run:
    sudo su
  • Instead of working directly with iptables commands, I’m using ufw (Uncomplicated Firewall), which most people will find easier to manage and work with.

Setting up the PPTP Server

In general we are going to create a very basic PPTP VPN: no encryption and plain password authentication (no fancy authentication protocols). A Rackspace Cloud instance has an external interface (eth0) carrying the public IP and an internal interface (eth1) with a private IP used to talk to your other Rackspace Cloud servers (if you have any). We’ll add an alias interface with a separate private range, from which the devices connecting over the VPN get their addresses.

  1. Install the necessary software (pptpd, pptp-linux, ppp and ufw – for firewall):
    apt-get install pptpd pptp-linux ppp ufw
  2. Enable port 22 (ssh) in the firewall, so we don’t get locked out of our instance:
    ufw allow 22
  3. Enable port 1723/tcp (the PPTP control connection) in the firewall so clients can reach the pptpd daemon:
    ufw allow 1723/tcp
    Note that the tunnel data itself travels over GRE (IP protocol 47), not over port 1723. “ufw allow” on this version opens TCP/UDP ports only, so if a client authenticates but never gets an address or passes no traffic, accept protocol 47 in the ufw-before-input chain of /etc/ufw/before.rules (the file edited in step 10). Some mobile carriers and NAT routers drop GRE entirely, which is a common reason a PPTP VPN works on Wi-Fi but not on 3G.
  4. Enable ufw:
    ufw enable
  5. (Optional) Add an aliased network interface (eth0:0). We use the address space 192.168.88.0/24 since it is usually free on most networks; feel free to change it if it is already taken. As readers note in the comments below, pptpd assigns the localip to each ppp interface itself, so the VPN also works without this alias; it does no harm either.
    Edit /etc/network/interfaces:

    nano /etc/network/interfaces

    Enter the following text at the end of the file:

    auto eth0:0
    iface eth0:0 inet static
    address 192.168.88.1
    netmask 255.255.255.0
    gateway (same value as listed for eth0)
    dns-nameservers (same value as listed for eth0)

    Replace the value of “gateway” with the value listed in this file for “eth0”, the real public network interface, and do the same for “dns-nameservers”.

  6. Configure the pptpd daemon:
    Edit /etc/ppp/pptpd-options:

    nano /etc/ppp/pptpd-options

    Comment out (add a “#” char at the start of the line) the following lines:
    “refuse-pap”
    “refuse-chap”
    “refuse-mschap”
    “require-mschap-v2”
    “require-mppe-128”

    (The default file ships with “require-mschap-v2”, not “refuse-mschap-v2”; that is the line to comment out.) With all five disabled, pppd negotiates whatever authentication method the client offers, including PAP, and a PAP client is checked against /etc/ppp/pap-secrets rather than /etc/ppp/chap-secrets, so the account you create in step 7 may not be the one being checked. If you only want to drop encryption but keep a password check that actually fails on a wrong password, leave the three “refuse-” lines and “require-mschap-v2” in place and comment out only “require-mppe-128”.

    Replace “#ms-dns 10.0.0.1” with “ms-dns 8.8.8.8”
    Replace “#ms-dns 10.0.0.2” with “ms-dns 8.8.4.4”

    The last two lines set the DNS servers that devices connecting to your PPTP VPN will use. The addresses above are Google Public DNS; any other resolver works, including the ones Rackspace or your hosting provider use.

    Edit /etc/pptpd.conf :

    nano /etc/pptpd.conf

    Add at the bottom of the file:

    localip 192.168.88.1
    remoteip 192.168.88.2-20

    The value of “remoteip” is the pool of addresses handed to devices that connect to the VPN. The range above holds 19 addresses (.2 through .20), enough for 19 concurrent devices; make it bigger if needed.

  7. Configure the username and password that will be used to authenticate client accessing the VPN:
    Edit /etc/ppp/chap-secrets:

    nano /etc/ppp/chap-secrets
    # client server secret IP addresses
    [UserName] pptpd [Password] *

    Replace [UserName] with the username you wish to use and [Password] with a long random password (use a password generator). The “server” column must match the “name pptpd” line in /etc/ppp/pptpd-options, and the file should stay readable by root only (it is 0600 by default).

  8. Enable IP forwarding in the kernel:
    Edit /etc/sysctl.conf :

    nano /etc/sysctl.conf

    Uncomment the line “net.ipv4.ip_forward=1”.
    Only if you also route IPv6 over the VPN, uncomment “net.ipv6.conf.all.forwarding=1” as well; the setup in this post is IPv4 only.

  9. Enable IP forwarding in ufw:
    Edit /etc/default/ufw:

    nano /etc/default/ufw

    Change the value of “DEFAULT_FORWARD_POLICY” from “DROP” to “ACCEPT”. This makes the server forward packets between any of its interfaces, not only from the VPN range; on a box with a second network (eth1) that is wider than needed, and you can instead keep “DROP” and add ACCEPT rules for 192.168.88.0/24 to the ufw-before-forward chain in /etc/ufw/before.rules.

  10. Add IP masquerading rule in ufw, so that NAT will work and devices connecting to the VPN will be seen as if the traffic goes out of the VPN server:
    Edit /etc/ufw/before.rules:

    nano /etc/ufw/before.rules

    Paste the text below after the header and before the “*filter” rules:

    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Masquerade the VPN client range behind the public address of eth0
    -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

    # don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed
    COMMIT

  11. Reboot the machine (or re-read sysctl.conf, restart ufw and restart pptpd by hand), then test a connection. If a client can authenticate but gets no traffic through, check IP forwarding and the GRE rule from step 3 first.
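The server-side steps above, collected into one script. This is an added example written for this edit, not the post’s own code: it assumes a ROOT prefix variable (empty on the real server, a scratch directory when you want to inspect the generated files without touching /etc), a HARDENED switch (0 reproduces the post’s “no encryption, any authentication” settings, 1 keeps MS-CHAPv2 and 128-bit MPPE), the user name vpnuser, and a file name setup-pptpd.sh. The pptpd-options and pptpd.conf files are rewritten whole rather than edited in place, the GRE rule from step 3 is inserted together with the nat table of step 10, and audit_pptpd_options tells you which of the five authentication/encryption lines are still missing.

```shell
#!/bin/sh
# Added example, not from the original post: steps 6 to 10 as idempotent
# shell functions plus a small audit. ROOT is an assumed prefix for every
# config path (empty on the real server, a scratch directory when testing);
# HARDENED=1 keeps MS-CHAPv2 + 128-bit MPPE instead of the post's settings.
set -eu

ROOT="${ROOT:-}"
HARDENED="${HARDENED:-0}"
VPN_NET="192.168.88.0/24"
LOCAL_IP="192.168.88.1"
REMOTE_RANGE="192.168.88.2-20"
DNS1="8.8.8.8"; DNS2="8.8.4.4"
WAN_IF="eth0"

# 24 random bytes as 48 hex characters: the long random password step 7 asks for.
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Step 6: /etc/ppp/pptpd-options. HARDENED=0 comments out the refuse-*/require-*
# lines as the post does (any auth method, no MPPE); HARDENED=1 leaves them in.
write_pptpd_options() {
    mkdir -p "$ROOT/etc/ppp"
    if [ "$HARDENED" = "1" ]; then p=""; else p="#"; fi
    {
        echo "name pptpd"
        for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
            echo "${p}${opt}"
        done
        echo "ms-dns $DNS1"; echo "ms-dns $DNS2"
        printf 'proxyarp\nlock\nnobsdcomp\nnovj\nnovjccomp\nnologfd\n'
    } > "$ROOT/etc/ppp/pptpd-options"
}

# Step 6 (continued): /etc/pptpd.conf, rewritten rather than appended to.
write_pptpd_conf() {
    mkdir -p "$ROOT/etc"
    printf 'option /etc/ppp/pptpd-options\nlocalip %s\nremoteip %s\n' \
        "$LOCAL_IP" "$REMOTE_RANGE" > "$ROOT/etc/pptpd.conf"
}

# Step 7: one account in chap-secrets, readable by root only. $1=user $2=password
# The server column must equal the "name pptpd" value in pptpd-options.
write_chap_secret() {
    mkdir -p "$ROOT/etc/ppp"
    printf '# client\tserver\tsecret\tIP addresses\n%s\tpptpd\t"%s"\t*\n' "$1" "$2" \
        > "$ROOT/etc/ppp/chap-secrets"
    chmod 600 "$ROOT/etc/ppp/chap-secrets"
}

# Step 10 plus the GRE rule from step 3: insert the nat table before "*filter"
# and accept IP protocol 47 in ufw-before-input. $1=path to before.rules
add_ufw_rules() {
    grep -q '^[*]nat' "$1" && return 0          # already done, keep it idempotent
    awk -v net="$VPN_NET" -v wan="$WAN_IF" '
        /^[*]filter/ && !n { print "*nat"; print ":POSTROUTING ACCEPT [0:0]"
            print "-A POSTROUTING -s " net " -o " wan " -j MASQUERADE"
            print "COMMIT"; print ""; n = 1 }
        /^-A ufw-before-input/ && !g { print "-A ufw-before-input -p 47 -j ACCEPT"; g = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Audit: returns 0 if only MS-CHAPv2 is accepted and MPPE-128 is required,
# 1 (listing what is missing) otherwise. $1=path to pptpd-options
audit_pptpd_options() {
    rc=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -q "^[[:space:]]*$opt" "$1" || { echo "pptpd-options: missing $opt"; rc=1; }
    done
    return $rc
}

# The parts that need the real machine (steps 1-4, 8, 9 and the reload that
# replaces the reboot in step 11). Only run as root with: sh setup-pptpd.sh apply
if [ "${1:-}" = "apply" ] && [ -z "$ROOT" ] && [ "$(id -u)" = "0" ]; then
    apt-get install -y pptpd pptp-linux ppp ufw
    ufw allow 22/tcp; ufw allow 1723/tcp
    sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
    sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    write_pptpd_options; write_pptpd_conf
    pw="$(gen_password)"; write_chap_secret vpnuser "$pw"; echo "vpnuser / $pw"
    add_ufw_rules /etc/ufw/before.rules
    sysctl -p; ufw --force enable; /etc/init.d/pptpd restart
fi
```

Run it once with HARDENED=1 and check the audit before deciding to weaken anything: on a box where the audit reports nothing missing, the iPhone needs “Encryption Level” set to “Auto” instead of “None”. Rerunning the script is safe; the before.rules edit is skipped when the nat table is already there.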

Configuring your iPhone / iPad

  1. In your iPhone / iPad go to “Settings” -> “General” -> “Network” -> “VPN”
    (screenshot: the PPTP VPN configuration screen)
  2. Select “Add VPN Configuration”
  3. Select “PPTP”
  4. In “Description” enter the name of the VPN connection
  5. In “Server” enter the IP address of the server (or a server name, if you mapped the server’s IP address to a domain name)
  6. In “Account” enter the username you have entered into the “/etc/ppp/chap-secrets” file
  7. In “Password” enter the password you entered for the above username in “/etc/ppp/chap-secrets”
  8. Make sure “Send All Traffic” is turned to “ON”
  9. Set “Encryption Level” to “None” (this is how we configured the PPTP server in this post; if you left encryption required in step 6, use “Auto” instead)
  10. Select save

posted in iPad, iPhone, Tips n' Tricks, Ubuntu by Eran Sandler


  • http://na jbraddy

    very useful. one of the most effective/efficient pptp server builds found…through hours of research. managed to build working configuration connecting iphone 3g using native vpn client. also tested winxp native client. use: for internet connection while on work network limited to vpn users only. connect back to home network to browse personal desktop using windows remote desktop. just what I was looking and hoping for after finding that cisco pix 501($50 on ebay) doesn’t support the iphone vpn client as well as the most recent linksys vpn router.

  • http://www.vishalmalli.com Vishal Malli

    Thank you so much!!! Works perfectly with my Droid 2 on Verizon 3G. :)

  • Jack

    Great. Works instantly, saved me a lot of trial & error.
    Thx!

  • (0nflctr

    Extremely well put together, works great with the iPad and on ubuntu 11.04

  • Citizen Dos

    Why would one use an insecure vpn?

  • Anonymous

    Will it be ok to install this along with openvpn? I currently have openvpn installed but it doesn’t support pptp.

  • http://www.foxyvpn.com/ US VPN

    Thank you very much for sharing this tutorial. I’ve wanted to learn how to do this.

  • Anonymous

    It should be OK. I don’t know if it will work ok when both are turned on, but in most cases it should be ok.

  • Anonymous

    You can easily configure this to be secure, but if you want just something to pass traffic through and want to reduce latency to a minimum removing any encryption and/or authentication will make it as fast as possible, not to mention not waste CPU cycles on encryption.

  • User

    Great post, finally got a working configuration via this how to.

  • Arturas

    Everything works perfectly!
    In same server there are also installed SAMBA server, after restart,
    I couldn’t connect to samba shares.

    Added the following lines in samba configuration:

    interfaces = eth0 eth0:0 lo
    bind interfaces only = yes

    # service smbd restart
    # ufw disable

    so after this step, samba is fully accessible through local network and from VPN connection.

  • http://www.comfy.ro Bijuterii argint

    thank you.

  • Garsoltero

    Hi! The weird thing is that I can connect using ANY username. Is this normal? I even tried leaving USER in blank and it connected and worked

  • http://www.foxyvpn.com us vpn

    I’ll definitely try this out on my unit, I’ve always wanted to use my VPN.

  • http://twitter.com/nealpatel711 Neal

    How can you make this secure? I don’t want anyone able to connect to it, since having username and password didn’t work for me as well; I can connect with any password.
    I’d appreciate if someone could help me make this secure.

  • http://twitter.com/maxpaluse aamy variek

    Though PPTP VPN is very popular but it is reported to suffer from serious security problems. Despite the security issues, PPTP remains one of the preferred VPN protocols. Perhaps, in the future, it might be replaced by emerging and more secure protocols like SSTP and IPsec. Countless users across the globe have subscribed to the best PPTP services and are happy with its performance.

  • Jt1315

    Works great, but you don’t need to add the sub-interface on eth0:0, it works fine without doing that.

  • http://eran.sandler.co.il/ Eran Sandler

    You are correct. But it doesn’t hurt either :-)

  • Marph2005

    hey great guide but i have some problems:

    I configured everything like you explained, but I don’t know why I can’t connect to my VPN while I’m on 3G internet. It only connects while I’m on Wi-Fi. Also, I can’t surf the internet when I’m connected.

    what do i have to put in after
    gateway
    dns-nameservers

    Where do I find those values? I have put in the IP I found in the Ubuntu network settings. Is that right?
    Is this also the IP of the server I have to put in the line on the iPhone?

    sorry for so many questions but I’m very new to this… ^^

  • http://eran.sandler.co.il/ Eran Sandler

    First, someone here mentioned that you can skip the steps of creating the aliases network interface.
    If you don’t want to skip it these values are the ones configured for your eth0 interface. You can get them by typing:

    ifconfig eth0

    If all is configured correctly, even over 3G the VPN should work, however ALL traffic will pass through that server, which will make it slower. If it doesn’t work the VPN configuration is not correct on the server or your cellular provider may have limited the use of certain port through 3G.

  • Marph2005

    OK, I will try again. One last question: when I’m configuring my iPhone, do I have to put in the server line my IP from Ubuntu? Even on 3G internet?

  • http://eran.sandler.co.il/ Eran Sandler

    Yes. In the iPhone the IP address should be the public IP address of your ubuntu server.

  • Marph2005

    Thx for the help. It is working now, but only on my home Wi-Fi again. I found out that I maybe have to change my IPs to get everything working on 3G. I will try that out later.

  • Marshal Drake

    The addresses above are for the Google Public DNS server, but can be any other DNS server. 8.8.4.4 is also an alternative for their Public DNS.

    chicago colocation

  • http://technisize.com/ azimuth

    I’m trying to run VPN on my Ubuntu 11.10… I guess it isn’t as easy as I thought it could be…

    Thanks a lot!

    Im going to try this! Surely!

  • Info

    I’m installing pptp on a newly installed Ubuntu server (11.10) and have some questions. What do I put in the dns-nameservers field in the interfaces file? Also, each time I start ufw, port 80 seems to be blocked. The server has no other firewall setup; only ufw has been enabled.

  • http://eran.sandler.co.il/ Eran Sandler

    For DNS, I specified Google’s Public DNS (8.8.8.8 and 4.4.4.4).

    For port 80, I didn’t open it specifically, you’ll have to open it using the command:
    “ufw allow 80”

  • Info

    I’m having a little trouble getting the VPN to browse the net while connected. I’m connected to my VPN, however. Under dns-nameservers in interfaces we put 8.8.8.8 & 4.4.4.4? Also, if I uncomment the two ‘ms-dns’ lines and add 8.8.8.8 & 4.4.4.4, I cannot connect to the VPN.

  • http://eran.sandler.co.il/ Eran Sandler

    Are you running on Rackspace Cloud? Are you using the exact same version of Ubuntu?

    Did you turn on on your iPhone / iPad the “Send all Traffic” flag in the VPN configuration?

  • Anonymous

    I am running Ubuntu 11.10 server. Your provided ms-dnsxxxxx doesn’t seem to work for me. If I use yours, I can’t connect to my VPN. If I use ms-dns 208.67.222.222 and ms-dns 208.67.220.220, I can connect but I don’t have internet access, nor can I check my email from my iPhone. ‘Send all traffic’ is set to on.

    Further testing shows that I can connect to the VPN and the internet if ufw and shorewall are disabled. I am not sure what is causing this.

  • http://profiles.yahoo.com/u/5WUGSFKL5IZIULKL6LSFYU7X7I Duckie !!!

    Ok. After messing with it another day, I got it working 99%. In my case, I had to add some entries to my shorewall files.
    shorewall/interfaces – vpn ppp+
    shorewall/zones – vpn ipv4
    shorewall/policy – vpn all accept

    For that 1% not working. How can I get it to connect locally? I only can get it to work remotely. However, if I use my local ip, I can connect.

    Also, someone mentioned this early, I can connect using any password and username. How can I get it more secure?

  • http://eran.sandler.co.il/ Eran Sandler

    I’m quite sure this has to do with UFW and Shorewall. Something is blocking part of the things.

    Regarding security – I specifically didn’t set much security (although a wrong password in my original setting will fail) since I didn’t want to secure anything to avoid adding latency (in my use-case).

    You can read a bit more about pptpd and how to configure it to be a bit more secure.

  • http://profiles.yahoo.com/u/5WUGSFKL5IZIULKL6LSFYU7X7I Duckie !!!

    I am with you about not having too much security. I am using this mostly for going through my proxy to block ads when browsing via the iphone. However, at the minimum, I would like the password to fail if input wrong. What am I doing wrong?

  • http://twitter.com/wammz Fannuel Wamambo

    I have tried to follow these how-tos, particularly this one: http://home.inestdia.com/localserver/setupapptpvpnserverubuntuathome. But here is what I am failing to understand: I have an Ubuntu box with local IP 192.168.1.2 behind a PIX firewall that has a LAN IP of 192.168.1.1 and a WAN IP which is my public IP. What I fail to understand is, where do I specify the public IP in the settings? Do I input 192.168.1.2 or the public IP in the pptp.conf file? Also, my default Ubuntu 11.10 VPN client asks me for a gateway when setting up the connection; which IP do I use there? Also, has anyone managed and tested the opening of port 1723 on a PIX 6.3 firewall?
    Thanks in advance.

  • http://eran.sandler.co.il/ Eran Sandler

    If you have a PIX router – I think most models have a built-in VPN to use so you don’t really need all of this.

    In the case that you do want to use this you’ll first need to forward the relevant ports in your PIX to that specific computer which is more than just opening them up.

    I don’t know which public IP are you referring to and in which settings?

  • http://twitter.com/wammz Fannuel Wamambo

    Thanks for the quick response. What I mean is, if I set the localip as 192.168.1.2 and then I go outside the LAN, how then do I tell my PPTP client the identity of the PPTP server? I thought I would input the public IP as the localip so that when the request comes through on the PIX (where the public IP is set), it would then “NAT” to the Ubuntu PPTP server machine. Also, my client asks for the gateway when setting up the connection; what do I put there?

    Thanks once again.

  • wilson

    the google dns servers are 8.8.8.8 and 8.8.4.4, not 4.4.4.4. See https://developers.google.com/speed/public-dns/

  • http://eran.sandler.co.il/ Eran Sandler

    Thanks for the update. I’ll update the post. When I wrote it, 4.4.4.4 and 8.8.8.8 were the addresses. It seems to have changed now.

  • LOCOSP

    Hi, how about this thing in your guide:

    “refuse-mschap-v2” to hash it

    And in my file by default it is “require-mschap-v2”?!

    Comment it as well?

  • http://eran.sandler.co.il/ Eran Sandler

    I wanted this VPN to mostly be passthrough, not something to secure the connection of 2 locations, so I disable ANY encryption or authentication mechanism to achieve that.

    If you are trying to do the same, I think you can comment out “require-mschap-v2”.

  • LOCOSP

    Ok, thank You for reply.
    I understand that, but all I wanted to say is that you have a mistake: it is “require-mschap-v2”, you wrote “refuse-mschap-v2”…

    It’s not a big thing but that guide must be perfect ;) !

    Peace…

  • LOCOSP

    Sorry for the second post, but a few days ago I had problems starting the whole system after installing the VPN, so I removed pptpd from /etc/init.d/. Can anyone tell me how to recover it, because reinstalling doesn’t help…

  • tgn

    Step 5 is not necessary; there is no need to make an interface eth0:0.
    samba configuration:
    interfaces = eth0 ppp* lo
    bind interfaces only = yes
    works perfectly for me.
    I prefer not to switch the whole firewall off.
    Two rules for the local and the VPN subnets are necessary:
    ufw allow from 10.1.2.0/24 to any
    ufw allow from 192.168.88.0/24 to any

    thanks and best regards
