Getting your iPhones to connect into your internal/DMZ network can be quite a challenge.
Say you host a secure web server that should only be accessible to users inside your organization.
Users on the road need to access it, but you can't make it publicly available?
Or say your corporate policy says that email is for internal devices only?
VPN may be your only option.
Here is a quick and easy VPN solution that will work with iPhones and many other devices. (I am only covering iPhones here.)
Firstly you will need:
1x PC with 2 NICs (I used a VMware machine). An old machine would work.
1x Stable internet connection (mainly so your IP address doesn't change)
1x iPhone for testing
1x managed switch (or you could just use 2 dumb switches) with 2 VLANs
PFSense (link to site)
1x Linux web server (I used CentOS minimal with httpd installed.)
Here’s a picture of what we will be creating:
Step 1: Installing PFSense.
Installing PFSense is easier than walking down the road. Really! It does most of it itself! (If your hardware is supported. NOTE: PFSense does not play well with Hyper-V.)
Get your machine with 2 network cards (important). Pop in a PFSense CD and turn it on. Make sure the PC boots from the CD.
That's it, the OS is installed. See, easy!
Once you get the following screen you're basically ready to kick over to the web client:
If you don't have a DHCP server on your network, you can use option 2 to set up the IP addresses for the interfaces. You can also use it if you need to put the LAN IP on the correct range.
I suggest that you now give your WAN interface a static IP:
Hover over "Interfaces" and select "WAN".
IP = "xxx.xxx.xxx.xxx"/24 is the most common and equals 255.255.255.0 (google slash notation if you don't know this).
If you are using an internal IP range you need to uncheck the 2 boxes below, "Block private networks" and "Block bogon networks".
Click save and then apply the settings.
Then we need to set up a default gateway for the server.
Hover over "System" and select "Routing"; on the Gateways tab click the plus box.
Gateway = IP of your router to the internet.
Hit save and apply.
Thereafter you can set up your DNS servers:
Hover over "System" and select "General Setup".
Fill in the options as required.
Save and apply.
Now go back to the WAN interface and make sure that under the IP address a gateway is set.
If not, go to the drop-down box and select the correct one, then save and apply.
Step 2: Configuring IPSec.
Hover over "VPN", select "IPSec" and then select the "Mobile Clients" tab.
Fill in the blocks as required; see the example:
Click save, and you will get a box asking you to create a Phase 1.
Again, see the example:
Save that and let's create Phase 2 now.
Click the + block under the Phase 1 we just created and then click the add button.
Under Phase 2 you only need to take away some check boxes and select 128-bit encryption for AES.
Make a mental note of the mode and local network. I'll explain why shortly.
Now enable IPSec under the Tunnels tab.
Save and apply.
Now that it's created we can make user accounts to use it.
Hover over "System" then "User Manager".
There is a gotcha to this part. You have to first create the user, save it, and then go into it again to assign permissions.
You can create a group, save it and go in again to assign permissions to it in the same way.
So let's create a group:
Click the + button for add and then fill in the details.
Now save and re-open it with edit.
The privilege you need to add is "User – VPN – IPsec xauth Dialin".
Now let's create a user and add them to the VPN group.
So let's review what was done and what really matters.
(All the settings that aren't self-explanatory.)
Under Mobile Clients:
Virtual Address Pool: This is the IP address pool that your clients will use once connected. Think DHCP for your VPN clients. It's important that you have enough addresses for the number of users that are going to connect.
Interface: This is the listening interface for the VPN connections. Make sure this interface is reachable from the internet.
Authentication Method: Mutual PSK + Xauth = pre-shared keys are used instead of certificates, and users are identified by usernames and passwords. (You could use certificates if you want to.)
NAT Traversal = Force: This wraps the packets in a UDP packet so that the IPsec encryption is not broken by NAT. Google this if you want to know more; it's quite complicated.
Mode = Tunnel: Makes the device use split-mode VPN. The internet will be accessed directly and the VPN is only used for networks advertised by it.
Local Network: This is where your VPN users can get to. This would be considered your DMZ for VPN users. You could do some routing magic to make it reach all networks, but that's outside the scope of this article.
If you are going to use NAT (port forwarding) to publish the VPN server you will need to forward ports 500 and 4500.
Step 3: Firewall rules
You need to allow the connections on the firewall of the PFSense server.
This is really easy so I'm just going to whiz past it.
Hover over "Firewall" and select "Rules".
Under WAN add 2 rules:
One to allow TCP/UDP port 500 to the WAN IP.
One to allow TCP/UDP port 4500 to the WAN IP.
Under LAN I just allowed everything.
Select the add button, change protocol to TCP/UDP and destination port range to any. Save and apply.
Under IPSec do the same as on LAN.
If you are going to use this in production I suggest that you play with the rules and make sure they are secure before publishing this.
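As an added check for the "make sure they are secure" advice above (this is not code from the original post or from the PFSense project): a short Python audit of the WAN pass rules in an exported config.xml that flags any rule broader than the two IPsec listener rules. The XML below is a constructed sample modelled on the PFSense config.xml rule layout; the element names are an assumption to verify against your own export. IKE and NAT-T run over UDP, so the audit treats TCP as unnecessary on these two ports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PFSense config.xml <filter> section.
# Assumption: element names follow the PFSense rule layout; check against your own export.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source><destination><network>wanip</network><port>500</port></destination>
  <descr>IKE</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source><destination><network>wanip</network><port>4500</port></destination>
  <descr>NAT-T</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><any/></destination>
  <descr>temporary test rule</descr></rule>
<rule><type>pass</type><interface>lan</interface>
  <source><any/></source><destination><any/></destination><descr>allow LAN</descr></rule>
</filter></pfsense>"""

# The only two destination ports an IPsec road-warrior listener needs on WAN.
IPSEC_PORTS = {"500", "4500"}


def audit_wan_rules(config_xml):
    """Return (description, reason) pairs for WAN pass rules wider than the IPsec listener needs."""
    findings = []
    root = ET.fromstring(config_xml)
    for rule in root.iter("rule"):
        # LAN/IPsec rules are out of scope; only inbound WAN pass rules are exposed to the internet.
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        descr = rule.findtext("descr") or "<no description>"
        dest = rule.find("destination")
        port = dest.findtext("port") if dest is not None else None
        proto = rule.findtext("protocol")
        # Destination should be the WAN address itself, never "any".
        if dest is None or dest.find("any") is not None:
            findings.append((descr, "destination is any; should be the WAN address"))
        # Only IKE (500) and NAT-T (4500) should be reachable.
        if port not in IPSEC_PORTS:
            findings.append((descr, f"port {port or 'any'} is not 500/4500"))
        # Both IKE and NAT-T are UDP; TCP on these ports is unused.
        if proto != "udp":
            findings.append((descr, f"protocol {proto or 'any'}; IKE and NAT-T only need UDP"))
    return findings


if __name__ == "__main__":
    for descr, reason in audit_wan_rules(SAMPLE_CONFIG):
        print(f"WAN rule '{descr}': {reason}")
```

Run it against a config backup taken from Diagnostics > Backup/Restore before you expose the box; the sample above flags only the "temporary test rule".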
Step 4: Configuring the iPhone
Setup on the iPhone is pretty straightforward.
Settings > General > VPN > Add VPN > IPSec
Server = public IP of the server (if port forwarding, your router's internet IP).
Account = username set up under User Manager.
Group Name = the value of Peer Identifier under Phase 1.
Secret = Pre-Shared Key under Phase 1.
Hit save and you should now be able to connect.
Step 5: TEST TEST TEST!
I used a CentOS web server to make sure that I could see "internal" server resources from the iPhone/iPad. If you do decide to do this, remember to make sure iptables is either off or allowing the connection.
You can use this on a Windows/Linux machine with the free Shrew client; see the link below.
You can also watch a pretty good video on how to do this (not in English). (FYI, this isn't me.)
Now that you have the basics down, don't be afraid to break it.
This whole process, once you know how to do it, will take no more than 20 mins to set up.
Or use a VM and make a snapshot once you are happy with your base config and work from there.
Remember also that PFSense has many more applications than just VPN. If you hover over "System" and select "Packages" then "Available Packages" you will see all the add-on packages you can use.
(FYI: BandwidthD and IPSec seem to cause the CPU to stay at 100%.)
(FYI: If you are using VMware you can install the Open-VM-Tools package.)