PPTP VPN on Ubuntu 10.04 for your iPhone / iPad

August 30, 2010

Below are the steps needed to set up a PPTP VPN server on Ubuntu 10.04 and connect your iPhone / iPad, or any other computer, to it.

Why would I want to do this? For various reasons, such as reaching information and servers that sit behind a firewall, or simply routing your traffic through a different server.

I’ve tested this on a 256 MB Rackspace Cloud instance running Ubuntu 10.04 with an iPhone and an iPad. Thanks to Yaniv for debugging the instructions.

Disclaimer: This is for educational use only and I take no responsibility for what you do with it. The PPTP VPN set up by the instructions below has no encryption and accepts the simplest, weakest form of password authentication (PAP, which sends the password in the clear, is among the methods it will negotiate). If you need stronger settings, keep the refuse-* and require-mppe-128 lines in /etc/ppp/pptpd-options and read up on pptpd configuration; bear in mind that PPTP is regarded as a weak protocol even at its strongest settings, so do not route anything sensitive over it.

Assumptions:

  • The instance is freshly built, in particular with no iptables rules of your own; otherwise you’ll need to merge the rules below with yours.
  • All commands assume you are the root user. If you logged in as root, that’s great. If not, run:
    sudo su
  • Instead of messing with a lot of iptables commands, I’m using ufw (Uncomplicated Firewall), which most people will find easier to manage and work with.

Setting up the PPTP Server

We are going to set up a very basic PPTP VPN: no encryption and plain password authentication, none of the fancier authentication protocols. A Rackspace Cloud instance has an external interface (eth0) carrying the instance’s public IP and an internal interface (eth1) with a private IP used to talk to your other Rackspace Cloud servers, if you have any. We’ll add an aliased interface with a separate private range, and addresses from that range will be handed out to the devices that connect over the VPN.

  1. Install the necessary software (pptpd, pptp-linux, ppp and ufw – for firewall):
    apt-get install pptpd pptp-linux ppp ufw
  2. Enable port 22 (ssh) in the firewall, so we don’t get locked out of our instance:
    ufw allow 22
  3. Enable port 1723 (the PPTP control channel) in the firewall so clients can reach the pptpd daemon:
    ufw allow 1723
    PPTP also carries the tunnel itself over GRE (IP protocol 47), which this rule does not open. ufw’s default rules let GRE through only when the kernel’s PPTP connection-tracking helper recognises it as related to the control connection; if clients authenticate but the tunnel never comes up, add “-A ufw-before-input -p 47 -j ACCEPT” to the “*filter” section of /etc/ufw/before.rules (the file edited in step 10).
  4. Enable ufw:
    ufw enable
  5. Add an aliased network interface (eth0:0). This step is optional: pptpd assigns “localip” to each ppp interface itself, and readers in the comments report that it works without the alias. We use the address space 192.168.88.0/24 since it’s usually free on most networks; change it if it is already taken.
    Edit /etc/network/interfaces:

    nano /etc/network/interfaces

    Enter the following text at the end of the file:

    auto eth0:0
    iface eth0:0 inet static
    address 192.168.88.1
    netmask 255.255.255.0
    gateway (same value as listed for eth0)
    dns-nameservers (same value as listed for eth0)

    Replace the “gateway” and “dns-nameservers” values with the ones listed for “eth0”, the real public interface, elsewhere in the same file.

  6. Configure the pptpd daemon:
    Edit /etc/ppp/pptpd-options:

    nano /etc/ppp/pptpd-options

    Comment out (add a “#” char at the start of the line) the following lines; any of them that your file does not contain can be ignored:
    “refuse-pap”
    “refuse-chap”
    “refuse-mschap”
    “refuse-mschap-v2”
    “require-mppe-128”

    This is the step that makes the VPN insecure: with the refuse-* lines gone, pptpd accepts whichever authentication protocol the client offers, down to PAP (password sent in the clear), and without require-mppe-128 the tunnel carries your traffic unencrypted. To keep the stronger settings instead, leave refuse-pap, refuse-chap, refuse-mschap and require-mppe-128 as they are, so that only MS-CHAPv2 with 128-bit MPPE is accepted, and set the iPhone’s encryption level accordingly in the client steps below.

    replace “#ms-dns 10.0.0.1” with “ms-dns 8.8.8.8”
    replace “#ms-dns 10.0.0.2” with “ms-dns 8.8.4.4”

    These two lines set the DNS servers that devices connected to your PPTP VPN will use. The addresses above are Google Public DNS (the original post listed 4.4.4.4 for the second one, which is not a Google resolver); any other resolver works, including the ones Rackspace or your hosting provider uses.

    Edit /etc/pptpd.conf :

    nano /etc/pptpd.conf

    Add at the bottom of the file:

    localip 192.168.88.1
    remoteip 192.168.88.2-20

    The value of “remoteip” is the pool of addresses assigned to devices that connect successfully. The range 2-20 holds 19 addresses (.2 through .20), so 19 devices can be connected at once; enlarge it if you need more.

  7. Configure the username and password that clients will use to authenticate to the VPN:
    Edit /etc/ppp/chap-secrets:

    nano /etc/ppp/chap-secrets
    # client server secret IP addresses
    [UserName] pptpd [Password] *

    Replace [UserName] with the username you wish to use.
    Replace [Password] with the password you wish to use (I suggest a long random one from a password generator). pppd splits these lines on whitespace, so wrap the secret in double quotes if it contains spaces or special characters. The file holds passwords in the clear; make sure it is readable by root only (mode 600).

  8. Enable IP forwarding in the kernel:
    Edit /etc/sysctl.conf :

    nano /etc/sysctl.conf

    Uncomment the line “net.ipv4.ip_forward=1”
    The IPv6 line “net.ipv6.conf.all.forwarding=1” is not needed for this setup, which hands out IPv4 addresses only; leave it commented unless you also route IPv6 through the server.

  9. Enable IP forwarding in ufw:
    Edit /etc/default/ufw:

    nano /etc/default/ufw

    Change the value of “DEFAULT_FORWARD_POLICY” from “DROP” to “ACCEPT”. This lets the server forward any traffic that reaches it, not only the VPN’s; a tighter alternative is to leave it at DROP and add explicit forward rules for 192.168.88.0/24 to the “*filter” section of /etc/ufw/before.rules in the next step.

  10. Add IP masquerading rule in ufw, so that NAT will work and devices connecting to the VPN will be seen as if the traffic goes out of the VPN server:
    Edit /etc/ufw/before.rules:

    nano /etc/ufw/before.rules

    Paste the text below after the header comments and before the line “*filter”:

    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Masquerade VPN client traffic (192.168.88.0/24) as it leaves eth0
    -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

    # don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed
    COMMIT

  11. Reboot the machine so that the interface, sysctl and firewall changes all take effect (or reload sysctl, ufw and pptpd by hand), then try connecting.
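
The server-side steps above collected into one script, as an added example that is not part of the original post. It takes the stricter options the post switches off: PAP, CHAP and MS-CHAPv1 stay refused and 128-bit MPPE stays required, GRE (IP protocol 47) is opened alongside TCP 1723, forwarding is granted to the VPN pool only so DEFAULT_FORWARD_POLICY can stay at DROP, and the chap-secrets line is validated before it is written. The function names, the VPN_* variables, the “# pptp-vpn” marker comments and the verbs apply/render/password are this example’s own; it assumes Ubuntu with ufw, pptpd reading /etc/ppp/pptpd-options, eth0 as the public interface and the 192.168.88.0/24 pool from the post. The optional eth0:0 alias is skipped.

```shell
#!/bin/sh
# Added example (not the post's own script): hardened variant of the pptpd
# setup. Assumptions: Ubuntu with ufw, pptpd reads /etc/ppp/pptpd-options,
# public interface eth0, VPN pool 192.168.88.0/24. Function names, VPN_*
# variables and the "# pptp-vpn" markers are this example's own.
set -eu

VPN_NET="192.168.88.0/24"       # pool chosen in the post; change if taken
VPN_LOCALIP="192.168.88.1"
VPN_REMOTEIP="192.168.88.2-20"  # 19 addresses, .2 through .20
VPN_IFACE="eth0"                # public interface on a Rackspace instance

# /etc/ppp/pptpd-options: keep every refuse-* line the post comments out, so
# only MS-CHAPv2 is negotiated and 128-bit MPPE is mandatory.
render_pptpd_options() {
    cat <<EOF
# pptp-vpn: generated; PAP/CHAP/MS-CHAPv1 refused, MPPE-128 required
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

# Lines appended to /etc/pptpd.conf (the stock file already loads pptpd-options).
render_pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$VPN_LOCALIP" "$VPN_REMOTEIP"
}

# One /etc/ppp/chap-secrets line. pppd splits on whitespace and honours double
# quotes, so reject values that would break or slip past that parser.
render_chap_secret() {
    case "$1$2" in
        *[[:space:]\"]*) echo "username/password: no whitespace or double quotes" >&2; return 1 ;;
    esac
    printf '"%s" pptpd "%s" *\n' "$1" "$2"
}

# 48 hex characters (192 bits) from the kernel RNG for the CHAP secret.
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# nat table block; belongs before "*filter" in /etc/ufw/before.rules.
render_ufw_nat_rules() {
    cat <<EOF
# pptp-vpn: masquerade VPN client traffic leaving $VPN_IFACE
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $VPN_IFACE -j MASQUERADE
COMMIT
EOF
}

# filter rules: GRE carries the tunnel itself, which "ufw allow 1723" does not
# open; forwarding is limited to the VPN pool so the default policy stays DROP.
render_ufw_filter_rules() {
    cat <<EOF
# pptp-vpn: GRE for the PPTP data channel, forwarding for the VPN pool only
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-forward -s $VPN_NET -j ACCEPT
-A ufw-before-forward -d $VPN_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read before.rules on stdin; write it out with the nat block ahead of
# "*filter" and the extra filter rules ahead of the filter table's COMMIT.
patch_before_rules() {
    awk -v nat="$(render_ufw_nat_rules)" -v flt="$(render_ufw_filter_rules)" '
        /^\*filter/ && !nat_done { print nat; print ""; nat_done = 1 }
        /^COMMIT/ && nat_done && !flt_done { print flt; flt_done = 1 }
        { print }'
}

apply_server_config() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    user=$1; pass=$2
    apt-get install -y pptpd ufw
    ufw allow 22/tcp
    ufw allow 1723/tcp
    cp /etc/ppp/pptpd-options /etc/ppp/pptpd-options.orig
    render_pptpd_options > /etc/ppp/pptpd-options
    grep -q '^localip' /etc/pptpd.conf || render_pptpd_conf >> /etc/pptpd.conf
    render_chap_secret "$user" "$pass" >> /etc/ppp/chap-secrets
    chmod 600 /etc/ppp/chap-secrets        # cleartext passwords live here
    sed -i 's/^#*net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    if ! grep -q '^# pptp-vpn' /etc/ufw/before.rules; then   # idempotent
        cp /etc/ufw/before.rules /etc/ufw/before.rules.orig
        patch_before_rules < /etc/ufw/before.rules.orig > /etc/ufw/before.rules
    fi
    ufw --force enable                     # no prompt; reloads rules if already on
    service pptpd restart
}

case "${1:-}" in
    apply)    apply_server_config "${2:?username}" "${3:?password}" ;;
    render)   render_pptpd_options; render_pptpd_conf; render_ufw_nat_rules; render_ufw_filter_rules ;;
    password) gen_password; echo ;;
    *) ;;     # sourced or run without a verb: define the functions only
esac
```

Run it as root with `sh pptp-setup.sh apply USER "$(sh pptp-setup.sh password)"`, or with `render` to preview the generated fragments without touching the system. With these server options the iPhone’s “Encryption Level” must be “Auto” or “Maximum”, not “None”.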

Configuring your iPhone / iPad

  1. In your iPhone / iPad go to “Settings” -> “General” -> “Network” -> “VPN” (the original post shows a screenshot here, captioned “PPTP VPN Configuration”)
  2. Select “Add VPN Configuration”
  3. Select “PPTP”
  4. In “Description” enter the name of the VPN connection
  5. In “Server” enter the IP address of the server (or a server name, if you mapped the server’s IP address to a domain name)
  6. In “Account” enter the username you have entered into the “/etc/ppp/chap-secrets” file
  7. In “Password” enter the password you entered for the above username in “/etc/ppp/chap-secrets”
  8. Make sure “Send All Traffic” is turned to “ON”
  9. Set “Encryption Level” to “None” (this matches how the server was configured in this post; if you kept require-mppe-128 on the server, use “Auto” or “Maximum”)
  10. Tap “Save”


posted in iPad, iPhone, Tips n' Tricks, Ubuntu by Eran Sandler


  • http://na jbraddy

    Very useful. One of the most effective/efficient pptp server builds found…through hours of research. Managed to build working configuration connecting iphone 3g using native vpn client. Also tested winxp native client. Use: for internet connection while on work network limited to vpn users only. Connect back to home network to browse personal desktop using windows remote desktop. Just what I was looking and hoping for after finding that cisco pix 501 ($50 on ebay) doesn’t support the iphone vpn client as well as the most recent linksys vpn router.

  • http://www.vishalmalli.com Vishal Malli

    Thank you so much!!! Works perfectly with my Droid 2 on Verizon 3G. :)

  • Jack

    Great. Works instantly, saved me a lot of trial & error.
    Thx!

  • (0nflctr

    Extremely well put together, works great with the iPad and on ubuntu 11.04

  • Citizen Dos

    Why would one use an insecure vpn?

  • Anonymous

    Will it be OK to install this along with OpenVPN? I currently have OpenVPN installed but it doesn’t support PPTP.

  • http://www.foxyvpn.com/ US VPN

    Thank you very much for sharing this tutorial. I’ve wanted to learn how to do this.

  • Anonymous

    It should be OK. I don’t know if it will work ok when both are turned on, but in most cases it should be ok.

  • Anonymous

    You can easily configure this to be secure, but if you want just something to pass traffic through and want to reduce latency to a minimum removing any encryption and/or authentication will make it as fast as possible, not to mention not waste CPU cycles on encryption.

  • User

    Great post, finally got a working configuration via this how to.

  • Arturas

    Everything works perfectly!
    On the same server there is also a Samba server installed; after the restart,
    I couldn’t connect to the Samba shares.

    Added the following lines in samba configuration:

    interfaces = eth0 eth0:0 lo
    bind interfaces only = yes

    # service smbd restart
    # ufw disable

    so after this step, samba is fully accessible through local network and from VPN connection.

  • http://www.comfy.ro Bijuterii argint

    thank you.

  • Garsoltero

    Hi! The weird thing is that I can connect using ANY username. Is this normal? I even tried leaving USER in blank and it connected and worked

  • http://www.foxyvpn.com us vpn

    I’ll definitely try this out on my unit, I’ve always wanted to use my VPN.

  • http://twitter.com/nealpatel711 Neal

    How can you make this secure? I don’t want anyone able to connect to it, since having username and password didn’t work for me as well; I can connect with any password.
    I’d appreciate if someone could help me make this secure.

  • http://twitter.com/maxpaluse aamy variek

    Though PPTP VPN is very popular, it is reported to suffer from serious security problems. Despite the security issues, PPTP remains one of the preferred VPN protocols. Perhaps, in the future, it might be replaced by emerging and more secure protocols like SSTP and IPsec. Countless users across the globe have subscribed to the best PPTP services and are happy with its performance.

  • Jt1315

    Works great, but you don’t need to add the sub-interface on eth0:0, it works fine without doing that.

  • http://eran.sandler.co.il/ Eran Sandler

    You are correct. But it doesn’t hurt either :-)

  • Marph2005

    hey great guide but i have some problems:

    I configured everything like you explained, but I don’t know why I can’t connect to my VPN while I’m on 3G internet. It only connects while I’m on wi-fi. Also, I can’t surf the internet when I’m connected.

    What do I have to put in after
    gateway
    dns-nameservers

    Where do I find those values? I have put in the IP I found in Ubuntu network settings. Is that right?
    Is this also the IP of the server I have to put in the line on the iPhone?

    sorry for so many questions but I’m very new to this… ^^

  • http://eran.sandler.co.il/ Eran Sandler

    First, someone here mentioned that you can skip the step of creating the aliased network interface.
    If you don’t want to skip it these values are the ones configured for your eth0 interface. You can get them by typing:

    ifconfig eth0

    If all is configured correctly, even over 3G the VPN should work; however, ALL traffic will pass through that server, which will make it slower. If it doesn’t work, the VPN configuration is not correct on the server, or your cellular provider may have limited the use of certain ports over 3G.

  • Marph2005

    OK, I will try again. One last question: when I’m configuring my iPhone, do I have to put my IP from Ubuntu in the server line? Even on 3G internet?

  • http://eran.sandler.co.il/ Eran Sandler

    Yes. In the iPhone the IP address should be the public IP address of your ubuntu server.

  • Marph2005

    Thx for the help. It is working now, but only on my home wifi again. I found out that I maybe have to change my IPs to get everything working on 3G. I will try that out later.

  • Marshal Drake

    The addresses above are for the Google Public DNS server, but can be any other DNS server. 8.8.4.4 is also an alternative for their Public DNS.

    chicago colocation

  • http://technisize.com/ azimuth

    I’m trying to run VPN on my Ubuntu 11.10…. I guess it isn’t as easy as I thought it could be…

    Thanks a lot!

    I’m going to try this! Surely!
