[CentOS] CentOS VPN server for iPhone

Thu Mar 26 20:02:25 UTC 2009
Florin Andrei <florin at andrei.myip.org>

Les Mikesell wrote:
> 
> If you have a decent password (on all accounts) I wouldn't worry about 
> it too much.  Move it to an odd port or even require a client 
> certificate if your client software supports it.

The non-standard port is a good trick, but even assuming the iPhone does 
support it (which is far from certain, the interface is very simple and 
terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
overflow, and a script kiddie with patience and a portscanner - even if 
you send packets to DROP, it's still scannable, it just takes much 
longer. Port knocking is probably not doable (or not easily) from the 
iPhone.

Maybe I don't trust the IMAP server enough to expose it. Maybe I should.

> The usual problem with IPSec is trying to make it work through a NAT 
> router.   Does your server have a public address of its own?   SSL and 
> OpenVPN can work through port-forwarding routers.

I'm aware of the NAT issues. I've a decent amount of experience with 
IPSec in the enterprise actually, just not with Linux as a concentrator. 
The usual trick is to enable some sort of UDP tunneling, and then a good 
part of those issues is alleviated. The question is whether the Linux 
IPSec server supports UDP encapsulation (and whether the iPhone client 
does too).

The machine has a public interface exposed directly to the Internet, so 
that simplifies things a bit.

-- 
Florin Andrei

http://florin.myip.org/