Consulting Ian Tighe Putting Technology To Work

Linux:: iPhone:: PPTP:: Quick Configuration Guide
The recent introduction of the iPhone caused us to work out how to get our emails from our mail server onto our iPhones. Having sorted that out, we then needed to secure the data as it moved between our server and our iPhones and vice versa. Wandering around central London with various free wireless hotspots picking up our device, which dutifully went off to fetch our emails, was great, but an eavesdropper could easily see that traffic. We wanted to protect against this, so we investigated how we might encrypt our data. We wanted our mail content to be accessible to us, but the content, account name and password to stay private. Over wireless networks it is relatively easy for an intruder to capture traffic, so we decided to implement a tunnel across the internet to our servers.

We wanted immediate set-up with the least hassle, so we chose PPTP: PPP over a tunnel. This is easy to set up and reasonably safe to operate if you follow one basic rule: use a long password (at least 12 characters, better 18+) and make the characters as varied as possible. You do not have to type the password each time you connect, so as long as your system admin knows it you do not have to remember it or use it very often.

We chose a tunnel approach but needed very fast set-up and ease of use. A tunnel works by establishing an encrypted path down which you push your data to your server and receive data back again. If an eavesdropper captures data going to or from your iPhone, all they see is encrypted data they can make no sense of. When the data leaves the tunnel, in the safety of your PC or iPhone, it is decrypted for your mail client or mail server to use as normal. So the mail client on the iPhone (or any other device, for that matter) sends its data through the tunnel to your server without anyone being able to intercept it in any meaningful way.

PPTP is said not to be the safest or most secure of tunnels. It does stop eavesdroppers who casually come across your wireless traffic, and it is very fast to set up. Experts are divided, though: some say use IPsec (which is more difficult to set up) and others say PPTP is good enough if you use long password secrets. Your choice! For our part we went with PPTP for the simplicity and speed of getting it going.

First we acquired "poptop", an implementation of PPTP for our Linux servers. That installed fine from an RPM at SourceForge.

We then configured our systems. In reality we did not use the addresses below, as we have multiple subnets, whereas you probably have one subnet, which we have assumed to be 192.168.1.0/24. So we have set out the configuration below as most users would need to do it.

Make sure you save a copy of any original file you edit, in case you need to roll back a change that goes wrong.

We configured the server as follows, starting with /etc/pptpd.conf.

In this file we added our local IP address as:

localip 192.168.1.10

We also put in the range of IP addresses that pptpd would assign to connecting tunnel clients:

remoteip 192.168.1.100-200

These addresses should not fall inside any range you have given to DHCP.

Next we go to the file /etc/ppp/chap-secrets. Here we create our long password (secret).
You need to insert a line in this file giving the user name, the server name, the secret and the client IP address permitted for that user (* means any). It could look like this:

iPhoneUser servername long_secret_password_using_unique_chars *

or more realistically

iphone-19 pptpd-server mypasswordthatislongandstrongwith02459873 *

Now we move on to the /etc/ppp/options.pptpd file. A file should already be in place which you can edit.

Insert a line as below if there is not already one to change:

name servername

The name must match the server name you used in the chap-secrets file.

We used MPPE-128 to get the strongest encryption available, so we have a line that says:

require-mppe-128

We set up the ms-dns servers as:

ms-dns 192.168.1.10
ms-dns 192.168.1.11

and we set the wins servers as:

ms-wins 192.168.1.10
ms-wins 192.168.1.11

We also included a line to enable proxy ARP, so that tunnel clients are reachable on the LAN:

proxyarp

Save all files and start (or restart) pptpd.

You should now have a process listening for connections. Make sure any firewall is not preventing traffic from reaching the pptpd process.
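The server-side steps above (pptpd.conf, chap-secrets, options.pptpd, then the restart and firewall check) are easy to get subtly wrong: the server name in options.pptpd must equal the second column of chap-secrets, the secret must be long, and the remoteip pool must not collide with DHCP. The script below is an added example, not part of the original article or of poptop, that stages the three files into a scratch directory and cross-checks them before you copy them into /etc. The staging directory, the DHCP range, the sample user and secret are assumptions; require-mschap-v2 is a real pppd option that the article does not list, added here because MPPE keys are derived from the MS-CHAPv2 exchange, which is why the article's long-secret rule matters.

```shell
#!/bin/sh
# Added example (not from the article): stage poptop configuration files
# and sanity-check them before installing. All paths/values are assumptions.

STAGE="${STAGE:-${TMPDIR:-/tmp}/pptp-stage.$$}"   # scratch dir, copy to /etc later
mkdir -p "$STAGE"

# Enforce the article's floor of 12 characters for the CHAP secret.
check_secret() {
    [ "${#1}" -ge 12 ]
}

# pptpd.conf: server's LAN address plus the pool handed to tunnel clients.
write_pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$1" "$2" > "$STAGE/pptpd.conf"
}

# chap-secrets: "client server secret ip" (ip "*" = any). The file holds the
# secret in clear text, so it is created mode 600.
write_chap_secrets() {
    check_secret "$3" || { echo "secret for $1 is shorter than 12 chars" >&2; return 1; }
    printf '%s %s %s *\n' "$1" "$2" "$3" > "$STAGE/chap-secrets"
    chmod 600 "$STAGE/chap-secrets"
}

# options.pptpd: "name" must equal the server column in chap-secrets.
# Remaining arguments are DNS/WINS servers pushed to the client.
write_options() {
    server=$1; shift
    {
        echo "name $server"
        echo "require-mschap-v2"   # assumption beyond the article: MPPE needs MS-CHAPv2
        echo "require-mppe-128"
        echo "proxyarp"
        for ip in "$@"; do echo "ms-dns $ip"; echo "ms-wins $ip"; done
    } > "$STAGE/options.pptpd"
}

# Cross-check: every chap-secrets row must name the same server as options.pptpd.
names_match() {
    opt=$(awk '$1=="name"{print $2}' "$STAGE/options.pptpd")
    awk -v n="$opt" '/^#/||NF==0{next} $2!=n{bad=1} END{exit bad+0}' "$STAGE/chap-secrets"
}

# True (exit 0) if the last-octet span of "remoteip a.b.c.X-Y" overlaps the
# DHCP span LO-HI on the same subnet, which the article says must not happen.
pool_overlaps_dhcp() {
    pool=$1 dhcp_lo=$2 dhcp_hi=$3
    lo=${pool##*.}; lo=${lo%-*}; hi=${pool##*-}
    [ "$lo" -le "$dhcp_hi" ] && [ "$hi" -ge "$dhcp_lo" ]
}

# Demonstration with the article's sample values (constructed, not real hosts).
write_pptpd_conf 192.168.1.10 192.168.1.100-200
write_chap_secrets iphone-19 pptpd-server mypasswordthatislongandstrongwith02459873
write_options pptpd-server 192.168.1.10 192.168.1.11
if pool_overlaps_dhcp 192.168.1.100-200 50 99; then
    echo "remoteip pool collides with DHCP range" >&2
fi
names_match && echo "staged in $STAGE; copy to /etc/pptpd.conf and /etc/ppp/ when satisfied"
```

Once the staged files are in place and pptpd has been restarted, confirm the listener with `ss -ltn | grep ':1723'` (or `netstat -ltn` on older systems). A firewall in front of the server has to pass both TCP port 1723 (the control connection) and GRE, IP protocol 47, because PPTP carries the PPP frames inside GRE; blocking either one produces the time-outs described later in the article.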

On the iPhone you need to set up a connection that will be used to connect into the Linux server you have just established.

Go to settings->general->network->VPN

Choose settings and touch pptp

Insert the server name, e.g. servername.mydomain.com (you should be able to use an IP address here, but this is untried)
Set RSA SecurID to off
Insert the account name; we used iPhoneUser in one of the examples above, so repeat whatever you used there.
Insert the long password secret you put in the file above, the one in chap-secrets.
Set encryption level to Auto
Set Send All Traffic to ON
Set proxy to Off

Now save that config.

After saving you will have an option to turn on your VPN tunnel. Do this and try to connect.
All should be well. If not, go back and check each step to make sure everything is correct.

We have confirmed this works over our private WiFi networks and over public free ones too. It is not always straightforward, as time-outs sometimes occur. Over GPRS and EDGE it is a little more temperamental, but keep trying when you have better coverage and we think it will be fine, eventually.

Should you need professional help in setting up or managing your systems please do contact us. Use the Contact link to send us a message.

Copyright © Consulting Ian Tighe 2005-2008.