One of the coolest features of the iPhone is the way it uses the best data network that it can find. If you’re at home or at work, or even at a coffee shop, it will use the local wifi network. But if you’re out of range of any suitable wifi networks, it will use AT&T’s “3G” (UMTS) network. And if it can’t find a UMTS network, it’ll fall back to EDGE. Phone companies call this hybrid approach “ABC”, or “always best connection”.<\/p>\n
Now that I have an internet device in my pocket, I find myself using public (or otherwise open) wifi connections quite a bit. And this carries with it some unintended consequences. That is… everything I type and everything I read is transmitted in the clear, unencrypted.<\/p>\n
I try to make a habit of encrypting my data traffic whenever possible. My mail server is set up to only allow SSL connections. So no matter where I check my mail from, I am forced to use an encrypted connection. Similarly, banks and commerce web sites usually force you to switch to HTTPS before you start entering information. But there are a lot of applications on the iPhone that do not use encryption at all.<\/p>\n
You might ask yourself why bother to encrypt your Twitter connection, since what you type is going to be blasted out to the world anyway. But the point is…<\/p>\n
If you encrypt everything<\/em>, then nothing is left to chance.<\/p><\/blockquote>\n
So I decided to explore a VPN option on the iPhone. It supports three flavors of VPN: L2TP<\/strong>, PPTP<\/strong> and IPSec<\/strong>. I was disappointed (but not surprised) that “openvpn<\/strong>” was not an option, since I already use this excellent open source SSL-based VPN package.<\/p>\n
So I decided to give PPTP a try.<\/p>\n
Setting up the PPTP server<\/strong><\/p>\n
On my Ubuntu 8.04 LTS server, I installed a PPTP server called, appropriately enough, “pptpd<\/strong>“. Configuration was very easy. Most of the setup was done for me after I did the standard
apt-get install pptpd<\/code>. I simply needed to pick a private subnet that would be used for my VPN clients, and an IP address in that subnet to use for the server. I chose the172.16.4.0\/16<\/code> subnet and172.16.4.1<\/code> for the server (these addresses are part of a private network address space<\/em>, defined by RFC 1918<\/a>, just like 192.168.x.x and 10.x.x.x addresses).<\/p>\nMy
\/etc\/pptp.conf<\/code> configuration file for the pptp daemon looks like this:<\/p>\n\noption \/etc\/ppp\/pptpd-options\nlogwtmp\nlocalip 172.16.4.1\nremoteip 172.16.4.2-250<\/pre>\nI also needed to tell the daemon to give out some DNS addresses when a client connects, so in the
\/etc\/ppp\/pptpd-options<\/code> file, I added the two “ms-dns” lines below:<\/p>\n\nname pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\nrequire-mppe-128\nms-dns 208.67.222.222 # resolver1.opendns.com\nms-dns 208.67.220.220 # resolver2.opendns.com\nproxyarp\nnodefaultroute\nlock\nnobsdcomp<\/pre>\nFinally, I needed to add an entry into the
\/etc\/ppp\/chap-secrets<\/code> file that would contain my password. Mine looks like this:<\/p>\n\nalan pptpd MyHardToGuessPassword *<\/pre>\nAt this point, the PPTP server was completely configured, so I restarted it with
service pptpd restart<\/code>.<\/p>\nSetting up the iPhone<\/strong><\/p>\n
On the iPhone, I needed to set up a VPN client. This is very easy. On the settings screen, go to general \/ network \/ VPN and “Add VPN Configuration…”. Then just fill in the blanks.<\/p>\n
\n
- choose “PPTP”<\/li>\n
- enter a description<\/li>\n
- your server’s IP address<\/li>\n
- the username (from above)<\/li>\n
- RSA SecurID=OFF<\/li>\n
- the password (from above)<\/li>\n
- encryption level = Auto<\/li>\n
- “Send All Traffic” = ON<\/li>\n
- Proxy = OFF<\/li>\n<\/ul>\n
Click on “Save” and you will see a switch in the network tab and also in the main settings tab to turn the VPN on and off.<\/p>\n
For now, I am leaving it off unless I am on a public network. I am not sure, but I think that keeping the VPN alive might use a lot of battery. So I do not use it unless I need it.<\/p>\n
Networking<\/strong><\/p>\n
For me to get this VPN on the internet, I had to do two more things: punch a hole in my firewall for the PPTP traffic, and forward traffic from my VPN out to the rest of the world.<\/p>\n
For my server, both of these tasks were handed by the same tool: shorewall<\/strong>.<\/p>\n
I added a “masquerade” rule to
\/etc\/shorewall\/masq<\/code> to NAT all of the traffic from 172.16.4.x out through my main network interface.<\/p>\n\neth0 172.16.4.0\/24 # OpenVPN and PPTP<\/pre>\nAnd then I added two rules to
\/etc\/shorewall\/rules<\/code> to allow the PPTP traffic in.<\/p>\n\nACCEPT net fw tcp 1723 # PPTP\nACCEPT net fw gre # PPTP<\/pre>\nWhen shorewall starts, it will generate the iptables<\/strong> rules that are used by the kernel to filter packets. If you’re using hand-written iptables rules, then you will need some rules that look something like this:<\/p>\n
\n# accept \"gre\" protocol traffic (PPTP tunnel traffic)\niptables -A INPUT -p gre -j ACCEPT\niptables -A OUTPUT -p gre -j ACCEPT\n# accept PPTP control traffic to TCP port 1723\n# (my server IP is 11.22.33.44)\niptables -A INPUT -p tcp --sport 1723 -s 11.22.33.44 -j ACCEPT\niptables -A OUTPUT -p tcp --dport 1723 -d 11.22.33.44 -j ACCEPT\n# masquerade\/NAT internet traffic out of interface eth0\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n# turn on packet forwarding\necho \"1\" > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\nConclusion<\/strong><\/p>\n
Now, when I am in a coffee shop, I can turn on the VPN easily by flipping the switch in the iPhone’s main settings screen. It will make a TCP connection to my server, negotiate a few things, and then send all further network traffic through an encrypted tunnel directly to my server, which relays it out to the internet.<\/p>\n