Below are the steps necessary to connect your iPhone / iPad or any other computer via a PPTP VPN.
Why would I want to do this? For various reasons such as allow you to access information and servers that are behind a firewall, or maybe you just need to route traffic through different servers.
I’ve tested this on a 256mb Rackspace Cloud instance running Ubuntu 10.04 and with an iPhone and an iPad. Thanks to Yaniv for debugging the instructions.
Disclaimer: This is for educational uses only and I take no responsibility as to what you may do with it. The PPTP VPN setup via the instructions below has no encryption and uses the simplest and lowest form of password authentication. If you require stricter encryption and authentication methods you’ll need to read more about pptpd configuration.
Assumptions:
- The instance you are using is blank, specifically from firewall rules in iptables, otherwise, you’ll need to patch things up.
All commands assume you are current a root user. If you logged in as root, that’s great. If not, run:
[code lang=”bash”]sudo su[/code]
Instead of messing a lot with iptables commands, I’m using ufw (Uncomplicated FireWall). In general, to most people, it will be easier to manage and work with.
Setting up the PPTP Server
In general we are going to create a PPTP VPN that is very basic without encryption and with basic authentication security (not fancy authentication protocols). Since Rackspace Cloud instance has an external interface (eth0) that has the instance public IP and an internal interface (eth1) with an internal IP used to communicate with your other Rackspace Cloud server (if you have them), we’ll create an alias network interface card that will have some other set of internal ips, which will be given to the devices connected via the VPN.
Install the necessary software (pptpd, pptp-linux, ppp and ufw – for firewall):
[code lang=”bash”]apt-get install pptpd pptp-linux ppp ufw[/code]
Enable port 22 (ssh) in the firewall, so we don’t get locked out of our instance:
[code lang=”bash”]ufw allow 22[/code]
Enable port 1723 (pptpd) in the firewall to enable access to the pptpd dameon:
[code lang=”bash”]ufw allow 1723[/code]
Enable ufw:
[code lang=”bash”]ufw enable[/code]
Add an aliased network interface card (eth0:0): (We use the address space of 192.168.88.0/24 since its usually free for most networks for most users. You can feel free to change this address if it is already taken)
Edit /etc/network/interfaces:
[code lang=”bash”]nano /etc/network/interfaces[/code]
Enter the following text at the end of the file:
[code lang=”dos”]
auto eth0:0
iface eth0:0 inet static
address 192.168.88.1
netmask 255.255.255.0
gateway (same value as listed for eth0)
dns-nameservers (same value as listed for eth0)
[/code]
Replace the value of “gateway” with the same value you will see in this file for “eth0”, the real public network interface.
Replace the value of “dns-nameservers” with the same value you will see in this file for “eth0”
Configure the pptpd daemon:
Edit /etc/ppp/pptpd-options:
[code lang=”bash”]nano /etc/ppp/pptpd-options[/code]
Comment out (add a “#” char at the start of the line) the following lines:
“refuse-pap”
“refuse-chap”
“refuse-mschap”
“refuse-mschap-v2”
“require-mppe-128″replace “#ms-dns 10.0.0.1” with “ms-dns 8.8.8.8”
replace “#ms-dns 10.0.0.2” with “ms-dns 8.8.4.4”
The last 2 lines above sets the DNS server the devices connecting to your PPTP VPN will use. The addresses above are for the Google Public DNS server, but can be any other DNS server (including the same DNS servers as Rackspace or your hosting provider use)Edit /etc/pptpd.conf :
[code lang=”bash”]nano /etc/pptpd.conf[/code]
Add at the bottom of the file:
[code]
localip 192.168.88.1
remoteip 192.168.88.2-20
[/code]
The value of “remoteip” will be the set of IP addresses the devices connecting to the VPN will get upon successful connection. Currently, we have here 18 addresses, which is enough for 18 concurrent devices. You can make this range bigger if needed.
Configure the username and password that will be used to authenticate client accessing the VPN:
Edit /etc/ppp/chap-secrets:
[code lang=”bash”]nano /etc/ppp/chap-secrets[/code]
[code]
# client server secret IP addresses
[UserName] pptpd [Password] *
[/code]
Replace [UserName] with the username you wish to use.
Replace [Password] with the password you wish to use (I suggest a long random password. Try this generator)
Enable IP forwarding in the kernel:
Edit /etc/sysctl.conf :
[code lang=”bash”]nano /etc/sysctl.conf[/code]Uncomment the line “net.ipv4.ip_forward=1”
For IPv6, uncomment “net.ipv6.conf.all.forwarding=1”
Enable IP forwarding in ufw:
Edit /etc/default/ufw:
[code lang=”bash”]nano /etc/default/ufw[/code]Change the value of “DEFAULT_FORWARD_POLICY” from “DROP” to “ACCEPT”
Add IP masquerading rule in ufw, so that NAT will work and devices connecting to the VPN will be seen as if the traffic goes out of the VPN server:
Edit /etc/ufw/before.rules:
[code lang=”bash”]nano /etc/ufw/before.rules[/code]Paste the text below after the header and before the “*filter” rules:
[code]
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow forward traffic from eth0:0 to eth0-A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
# don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed
COMMIT
[/code]
- Reboot the machine, cross your fingers and hope for the best :-)
Configuring your iPhone / iPad
In your iPhone / iPad go to “Settings” -> “General” -> “Network” -> “VPN”
Select “Add VPN Configuration”
Select “PPTP”
In “Description” enter the name of the VPN connection
In “Server” enter the IP address of the server (or a server name, if you mapped the server’s IP address to a domain name)
In “Account” enter the username you have entered into the “/etc/ppp/chap-secrets” file
In “Password” enter the password you entered for the above username in “/etc/ppp/chap-secrets”
Make sure “Send All Traffic” is turned to “ON”
Set “Encryption Level” to “None” (this is how we configured the PPTP server in this post, if you setup an encryption try to keep it in “Auto”
Select save