Debian VPN Server for iPhone
This HowTo describes how to set up your Debian machine as a VPN server for the iPhone.
Install the following packages:
- freeradius
- openswan
- l2tpns
Configuration
freeradius
First we configure freeradius. In /etc/freeradius/clients.conf, change the default secret (line 101):
secret = mysecret
Create a default user for freeradius by adding the following lines in /etc/freeradius/users:
DEFAULT Auth-Type := System
        Fall-Through = Yes
l2tpns
In /etc/l2tpns/ip_range you define the range of IP addresses that will be assigned to VPN clients. The range must be a subnet of your own internal network.
10.76.1.32/28
/etc/l2tpns/startup-config is the main configuration file for l2tpns. Most of the settings can be left commented out. Only the following lines are active in my setup:
set debug 2
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set l2tp_secret ""
set primary_dns 10.76.1.2
set secondary_dns 10.76.1.2
set primary_radius 127.0.0.1
set primary_radius_port 1812
set radius_secret "mysecret"
set accounting_dir "/var/run/l2tpns/acct"
set bind_address 10.76.1.2
set send_garp yes
set peer_address 10.76.1.1
set throttle_speed 64
set cluster_interface lo
set cluster_hb_interval 100
set cluster_hb_timeout 20
Make sure you have set peer_address to the IP of your router. primary_radius is set to the local IP since freeradius is running on the same machine. In my case primary_dns is set to the IP of the Debian machine since I'm running a local DNS server.
openswan
In /etc/ipsec.secrets we add our IPsec pre-shared key:
10.76.1.2: PSK "mykey"
The main IPsec configuration file, /etc/ipsec.conf, looks like this:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.76.1.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	protostack=netkey
	#
	#interfaces="ipsec0=br0"
	uniqueids=no

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it,
#		# at startup, uncomment this.
#		#auto=add

conn road_warrior
	rekey=no
	authby=secret
	pfs=no
	keyingtries=3
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	compress=yes
	#
	left=10.76.1.2
	leftprotoport=17/1701
	leftnexthop=10.76.1.1
	#
	right=%any
	rightprotoport=17/%any
	rightsubnet=vhost:%no,%priv
	#
	auto=add
Make sure you have excluded your entire local IP range from virtual_private with !10.76.1.0/24. In the connection section, left must be the IP of your Debian machine and leftnexthop the IP of your router.
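The three daemons only work together when their settings agree: the RADIUS secret in clients.conf and startup-config must match, the PSK in ipsec.secrets must be keyed on the left= address, the local range holding the client pool must be excluded from virtual_private, and the pool must not swallow the server or router address. The following added consistency check (not part of this HowTo; sample file contents are constructed from the values above, and it expects exclusions as %v4:!network entries) reports every mismatch before you start the services:

```python
import re
import ipaddress

# Constructed sample file contents using the values from the HowTo above.
CLIENTS_CONF = "client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = mysecret\n}\n"
STARTUP_CONFIG = ('set primary_radius 127.0.0.1\nset radius_secret "mysecret"\n'
                  'set bind_address 10.76.1.2\nset peer_address 10.76.1.1\n')
IP_RANGE = "10.76.1.32/28\n"
IPSEC_SECRETS = '10.76.1.2: PSK "mykey"\n'
IPSEC_CONF = ("config setup\n\tvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
              "%v4:172.16.0.0/12,%v4:!10.76.1.0/24\nconn road_warrior\n"
              "\tleft=10.76.1.2\n\tleftnexthop=10.76.1.1\n")
PLACEHOLDERS = {"mysecret", "mykey"}   # the HowTo's example secrets

def _grab(pattern, text):
    """First capture group of the first line matching pattern, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_vpn_config(clients_conf, startup_config, ip_range, ipsec_secrets, ipsec_conf):
    """Cross-check freeradius, l2tpns and openswan settings; returns problem strings."""
    problems = []
    # 1. l2tpns must present the same shared secret that freeradius expects.
    radius_secret = _grab(r"^\s*secret\s*=\s*(\S+)", clients_conf)
    l2tpns_secret = _grab(r'^set radius_secret\s+"([^"]*)"', startup_config)
    if radius_secret != l2tpns_secret:
        problems.append("radius_secret in startup-config differs from clients.conf secret")
    # 2. The PSK in ipsec.secrets must be keyed on the address used as left=.
    left = _grab(r"^\s*left\s*=\s*(\S+)", ipsec_conf)
    psk_host = _grab(r"^(\S+):\s*PSK", ipsec_secrets)
    if psk_host != left:
        problems.append("ipsec.secrets host %s does not match left=%s" % (psk_host, left))
    # 3. The LAN holding the client pool must be excluded from virtual_private.
    vp = _grab(r"^\s*virtual_private\s*=\s*(\S+)", ipsec_conf) or ""
    excluded = [ipaddress.ip_network(e[5:], strict=False)
                for e in vp.split(",") if e.startswith("%v4:!")]
    pool = ipaddress.ip_network(ip_range.strip(), strict=False)
    if not any(pool.subnet_of(n) for n in excluded):
        problems.append("client pool %s is not excluded from virtual_private" % pool)
    # 4. The pool handed to clients must not contain the server or the router itself.
    for key in ("bind_address", "peer_address"):
        addr = _grab(r"^set %s\s+(\S+)" % key, startup_config)
        if addr and ipaddress.ip_address(addr) in pool:
            problems.append("%s %s lies inside the client pool %s" % (key, addr, pool))
    # 5. Secrets copied verbatim from the HowTo are not secrets.
    psk = _grab(r'PSK\s+"([^"]*)"', ipsec_secrets)
    for name, value in (("radius secret", radius_secret), ("IPsec PSK", psk)):
        if value in PLACEHOLDERS:
            problems.append("%s is still the HowTo placeholder value" % name)
    return problems
```

Run it against the real files by reading each one into the corresponding argument; on the sample above it reports only the two placeholder secrets.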