This HowTo describes how to set up your Debian machine as a VPN server for the iPhone.

Install the following packages (the sections below cover freeradius, l2tpns and openswan):

Configuration

freeradius

First we configure freeradius. In /etc/freeradius/clients.conf change the default secret (line 101); the same value must later be used for radius_secret in the l2tpns startup-config:

        secret          = mysecret

Create a default user for freeradius by adding the following lines in /etc/freeradius/users:

DEFAULT         Auth-Type := System
                Fall-Through = Yes

l2tpns

In /etc/l2tpns/ip_range you define the range of IP addresses that will be assigned to VPN clients. This range should be a subnet of your own internal network.

10.76.1.32/28

/etc/l2tpns/startup-config is the main configuration file for l2tpns. Most of the settings can be left commented out. Only the following lines are active in my setup:

set debug 2
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set l2tp_secret ""
set primary_dns 10.76.1.2
set secondary_dns 10.76.1.2
set primary_radius 127.0.0.1
set primary_radius_port 1812
set radius_secret "mysecret"
set accounting_dir "/var/run/l2tpns/acct"
set bind_address 10.76.1.2
set send_garp yes
set peer_address 10.76.1.1
set throttle_speed 64
set cluster_interface lo
set cluster_hb_interval 100
set cluster_hb_timeout 20

Make sure peer_address is set to the IP of your router. primary_radius is set to the local loopback address because freeradius runs on the same machine. In my case primary_dns points to the IP of the Debian machine because I run a local DNS server there.

openswan

In /etc/ipsec.secrets we add our IPsec pre-shared key (PSK):

10.76.1.2: PSK "mykey"

The main IPsec configuration file, /etc/ipsec.conf, looks like this:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12:!10.76.1.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        #
        #interfaces="ipsec0=br0"
        uniqueids=no
        

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=add

conn road_warrior
        rekey=no
        authby=secret
        pfs=no
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        compress=yes
        #
        left=10.76.1.2
        leftprotoport=17/1701
        leftnexthop=10.76.1.1
        #
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        #
        auto=add

Make sure your entire local IP range is excluded from virtual_private with !10.76.1.0/24. The left setting in the connection definition should be the IP of your Debian machine, and leftnexthop the IP of your router.

Network configuration

To make the VPN subnet reachable from the local network, ARP proxying can be used. Enable proxy_arp on your main network interface in /etc/network/interfaces:

iface eth0 inet static
        address 10.76.1.2
        netmask 255.255.255.0
        gateway 10.76.1.1
        up sysctl net.ipv4.conf.eth0.proxy_arp=1