VPN for iPhone
Setting up a VPN server for use with iOS devices
After reading the article Warm and Tube Internet, I looked into the problem of setting up a VPN server that can be used from iOS devices.
To use OpenVPN, you need a Jailbreak. I have not considered this option.
iOS natively supports L2TP, PPTP and Cisco IPSec.
Cisco IPSec works with the appropriate equipment. PPTP is sometimes blocked by mobile operators. Based on this, L2TP (over IPSec) was chosen.
I already had a VQ7 server from Hetzner with Ubuntu 12.04 32-bit installed, so all the experiments were carried out on this server.
sudo aptitude install openswan
During installation, you will be prompted to create an x509 certificate. This is not necessary, because access will be authenticated with a pre-shared key (PSK) rather than certificates.
sudo nano /etc/ipsec.conf
The configuration is as follows:
version 2.0

config setup
    nat_traversal=yes          # allows clients located behind NAT to connect
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Configure access to the server via IPSec:
sudo nano /etc/ipsec.secrets
The file should contain one line:
YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"
The existing reference to the generated key file in this file must be deleted, otherwise IPSec will not be able to initialize.
YOUR.SERVER.IP.ADDRESS in both files is the IP address of your server.
%any in /etc/ipsec.secrets determines which addresses are allowed to connect. In this case, connections are allowed from all addresses.
YourSharedSecret is the pre-shared key that will be used for access via IPSec.
In order for IPSec to work properly, additional settings are made:
sudo nano /root/ipsec
#!/bin/sh
# Masquerade traffic from VPN clients so that they can reach the Internet through the server
iptables --table nat --append POSTROUTING --jump MASQUERADE
# Enable IPv4 forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Disable ICMP redirects on all interfaces; required for IPSec to work properly
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
The first two commands (masquerading and IP forwarding) are actually what the L2TP clients need in order to reach the Internet through the server.
We make the script executable:
sudo chmod +x /root/ipsec
Add it to rc.local so that it runs at boot.
Then xl2tpd is installed:
sudo aptitude install xl2tpd
sudo nano /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes    # can be disabled during testing; then everyone who passes IPSec key verification will have access
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
sudo nano /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 18.104.22.168     # Google public DNS
ms-dns 22.214.171.124    # Google public DNS
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd               # service name, used in the settings
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
sudo nano /etc/ppp/chap-secrets
# user    server   password       ip
test      l2tpd    testpassword   *
test - username
l2tpd - service name from /etc/ppp/options.xl2tpd
testpassword - password for the user
* - addresses from which this user is allowed to log in; * means any address (a range is written as, for example, 10.254.253.128/25)
After that, restarting IPSec and xl2tpd should bring the whole system up:
sudo /etc/init.d/ipsec restart
sudo /etc/init.d/xl2tpd restart
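A small audit script for the server configuration built above, added here as an example and not part of the original article: it parses the four files the article edits (xl2tpd.conf, options.xl2tpd, chap-secrets, ipsec.secrets) and flags the settings a reviewer would check first, namely PAP/CHAP not refused, MS-CHAPv2 not required, a chap-secrets user allowed from any address, and short passwords or pre-shared keys. The sample file contents are constructed inline from the values used on this page; the 20-character minimum length is an assumption.

```python
import re

# Constructed sample inputs mirroring the files edited above (not real server files).
XL2TPD_CONF = """[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
"""
PPP_OPTIONS = "require-mschap-v2\nauth\nhide-password\nname l2tpd\n"
CHAP_SECRETS = "# user server password ip\ntest l2tpd testpassword *\n"
IPSEC_SECRETS = 'YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"\n'

def parse_kv(text):
    """Parse 'key = value' lines of xl2tpd.conf, dropping comments and [sections]."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().lower()
    return conf

def audit(xl2tpd_conf, ppp_options, chap_secrets, ipsec_secrets, min_len=20):
    """Return a list of weak-setting findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_kv(xl2tpd_conf)
    for key in ("refuse pap", "refuse chap", "require authentication"):
        if conf.get(key) != "yes":
            findings.append(f"xl2tpd.conf: '{key}' is not 'yes'")
    # First word of each non-comment line in options.xl2tpd is the pppd option name
    words = {l.split("#", 1)[0].split()[0]
             for l in ppp_options.splitlines() if l.split("#", 1)[0].split()}
    if "require-mschap-v2" not in words:
        findings.append("options.xl2tpd: require-mschap-v2 is not set")
    for line in chap_secrets.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # comment, blank or malformed line
        user, password, addr = fields[0], fields[2].strip('"'), fields[3]
        if addr == "*":
            findings.append(f"chap-secrets: user '{user}' may log in from any address")
        if len(password) < min_len:
            findings.append(f"chap-secrets: user '{user}' has a password shorter than {min_len} chars")
    m = re.search(r'PSK\s+"([^"]*)"', ipsec_secrets)
    if m is None or len(m.group(1)) < min_len:
        findings.append(f"ipsec.secrets: pre-shared key missing or shorter than {min_len} chars")
    return findings

if __name__ == "__main__":
    for finding in audit(XL2TPD_CONF, PPP_OPTIONS, CHAP_SECRETS, IPSEC_SECRETS):
        print(finding)
```

Run against the values from this article it reports the wildcard address, the short user password and the short pre-shared key; a config with long secrets and a fixed client address produces no findings.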
On the iOS device, open Settings > General > VPN > Add VPN Configuration and choose L2TP.
Description - connection name
Server - IP address of your server
Account - the user from the file /etc/ppp/chap-secrets
Password - the password from /etc/ppp/chap-secrets
Secret (shared secret) - YourSharedSecret from /etc/ipsec.secrets
After that, the VPN can be enabled from the main Settings screen or from Settings > General > VPN. If everything goes well, the corresponding icon will appear in the status bar.
The VPN has to be turned on manually before each use.
Setting up a connection in Windows 7
In the Network and Sharing Center, choose "Set up a new connection or network" and create a new connection:
Create a new VPN connection:
In the "Internet address" field, enter the IP of your server. Do not connect right away.
After that, open the properties of the new connection, set the VPN type to L2TP/IPsec, and enter the YourSharedSecret key from /etc/ipsec.secrets as the pre-shared key.
When connecting, specify the username and password from /etc/ppp/chap-secrets.
The following materials were used when writing this article: link1, link2