Debian VPN Server for iPhone

This HowTo describes how to set up your Debian machine as a VPN server (L2TP over IPsec, using l2tpns and openswan) for the iPhone.

Install the following packages: freeradius, l2tpns and openswan. Each one is configured in its own section below.

Configuration

freeradius

First we configure freeradius. In /etc/freeradius/clients.conf change the default shared secret (line 101). Choose a long random value rather than the example below; the same value has to be entered as radius_secret in the l2tpns configuration further down.

        secret          = mysecret

Create a default user for freeradius by adding the following lines to /etc/freeradius/users. With Auth-Type := System, VPN logins are checked against the local system accounts of the Debian machine, so every local account with a valid password becomes a VPN login; keep that in mind when you create accounts on this host.

DEFAULT         Auth-Type := System
                Fall-Through = Yes

l2tpns

In /etc/l2tpns/ip_range you define the range of IP addresses that will be assigned to VPN clients. This range must be a subnet of your own internal network.

10.76.1.32/28

/etc/l2tpns/startup-config is the main configuration file for l2tpns. Most of the settings can be left commented out; only the following lines are active in my setup:

set debug 2
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set l2tp_secret ""
set primary_dns 10.76.1.2
set secondary_dns 10.76.1.2
set primary_radius 127.0.0.1
set primary_radius_port 1812
set radius_secret "mysecret"
set accounting_dir "/var/run/l2tpns/acct"
set bind_address 10.76.1.2
set send_garp yes
set peer_address 10.76.1.1
set throttle_speed 64
set cluster_interface lo
set cluster_hb_interval 100
set cluster_hb_timeout 20

Make sure peer_address is set to the IP of your router. primary_radius is set to the local address because freeradius runs on the same machine, and radius_secret must be the secret you configured in /etc/freeradius/clients.conf. In my case primary_dns is set to the IP of the Debian machine because I'm running a local DNS server there.

openswan

In /etc/ipsec.secrets we add our IPsec pre-shared key. With authby=secret (see the connection below) this key is what authenticates every client at the IPsec level, and all iPhone users share it, so use a long random value instead of the example and keep the file readable by root only:

10.76.1.2: PSK "mykey"

The IPsec main configuration file /etc/ipsec.conf looks like this:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12:!10.76.1.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        #
        #interfaces="ipsec0=br0"
        uniqueids=no
        

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=add

conn road_warrior
        rekey=no
        authby=secret
        pfs=no
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        compress=yes
        #
        left=10.76.1.2
        leftprotoport=17/1701
        leftnexthop=10.76.1.1
        #
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        #
        auto=add

Make sure you exclude your entire local IP range from virtual_private with !10.76.1.0/24. The setting left in the connection section must be the IP of your Debian machine, and leftnexthop must be the IP of your router.