VPN for iPhone
Organization of a VPN server for use with iOS devices
After reading the article Warm and Tube Internet, I was worried about the problem of raising the VPN server, which can be used from iOS devices.
To use OpenVPN, you need a Jailbreak. I have not considered this option.
iOS supports L2TP, PPTP, Cisco IPSec.
Cisco IPSec works with the appropriate equipment. PPTP is sometimes cut by mobile operators. Based on this, L2TP was selected.
I already had a VQ7 server from Hetzner with Ubuntu 12.04 32 bit installed, so all the experiments were carried out on this server.
IPsec Installation
Installs OpenSwan
sudo aptitude install openswan
During installation, you will be prompted to create an x509 certificate. This is not necessary, as access will be used by keyword.
IPsec setup:
sudo nano /etc/ipsec.conf
The configuration is as follows:
version 2.0
config setup
nat_traversal=yes # Позволяет подключаться клиентам расположенным за NAT
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=YOUR.SERVER.IP.ADDRESS
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
Configure access to the server via IPSec:
sudo nano /etc/ipsec.secrets
The file should contain one line:
YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"
The link to the pre-shared key must be deleted , otherwise IPSec will not be able to initialize.
YOUR.SERVER.IP.ADDRESS in both files is the IP address of your server.
% any in /etc/ipsec.secrets determines which addresses can be accessed. In this case, access is allowed from all addresses.
YourSharedSecret - the key that will be used for access via IPSec.
In order for IPSec to work properly, additional settings are made:
sudo nano /root/ipsec
Content:
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
The first two lines are actually used for L2TP.
We make the script executable:
sudo chmod +x /root/ipsec
Add it to rc.local
Install L2TP:
Xl2tpd is installed:
sudo aptitude install xl2tpd
Configure L2TP:
sudo nano /etc/xl2tpd/xl2tpd.conf
Content:
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes # во время теста можно отключить, тогда все кто пройдет верификация ключом IPSec будут иметь доступ
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Additional settings:
sudo nano /etc/ppp/options.xl2tpd
Content:
require-mschap-v2
ms-dns 8.8.8.8 # Публичный DNS Google
ms-dns 8.8.4.4 # Публичный DNS Google
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd # Имя сервиса, используется в настройках
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Adding Users:
sudo nano /etc/ppp/chap-secrets
File format
# user server password ip
test l2tpd testpassword *
test - username
l2tpd - service name from /etc/ppp/options.xl2tpd
testpassword - password for the user
* - range of allowed addresses for the login of this user (format 10.254.253.128/25)
After that, restart IPSec and L2TPD should activate the whole system:
sudo /etc/init.d/ipsec restart
sudo /etc/init.d/xl2tpd restart
IPhone setup:
Settings> General> VPN> Add VPN Configuration.
Description - Connection name
Server - IP address of your server
The account is the user from the file / etc / ppp / chap-secrets
Password is the password from / etc / ppp / chap-secrets
The public key is YourSharedSecret from /etc/ipsec.secrets
After that in the Settings menu and in the menu Settings> General> VPN, you can enable VPN. If everything goes well, the corresponding icon will appear.
VPN will need to be turned on manually, with each use.
Setting up a connection in Windows 7
In the network and sharing control center, establishing a new network connection, creating a new connection:
Create a new VPN connection:
In the “Internet address” field, enter the IP of your server. Do not connect immediately.
After that, go into the properties of the new connection and in the settings indicate the use of L2TP, enter the YourSharedSecret key from /etc/ipsec.secrets
When connecting, specify the username and password from / etc / ppp / chap-secrets.
When writing the article were used materials link1 , link2