Setting up VPN on a Lion Server

We have a lot of customers who use their Mac mini as a VPN server. This works great when you need an IP address in the US, a secure internet connection on the road, or for a number of other reasons. When Apple released Lion, they changed the setup a bit. By default, Lion Server VPN hands out IP addresses in the same range the Mac itself uses. This doesn't work well in a facility like Macminicolo, where each Mac mini has a single static WAN IP address and no private LAN behind it.


This tutorial will show how to make the Mac mini an internet gateway that assigns a LAN IP range to connected VPN clients. This tutorial was created on Lion 10.7.1, and proven to continue working when upgraded to 10.7.2. Read over the steps below, and then follow each one closely.


Server:


Before we start the process, be sure you have downloaded and installed the Server Admin Tools for Lion. Those can be found on the Apple Support site here.


Open the network settings on the Mac mini and add a virtual interface:


imageimage

Once the interface is created and named "LAN", set its address as shown below (ie, 10.0.0.1):


image

Open Server Admin and check the following services so they are available. The dots will remain grey because the services are not yet active:


image

Choose the "NAT" service, be sure you are on the "Overview" tab and click "Gateway Setup Assistant":


image

It will warn that you are going to overwrite the DHCP subnets. This is fine:


image

Select Ethernet for the WAN interface:


image

Check "LAN" as the LAN Interface (this is the virtual interface you setup earlier):


image

Next we will enable the VPN server. Your Shared Secret will be shared with any of the clients that you allow to connect:


image

Next will be a window where you can confirm the settings and continue. When it's done, it will be reported as complete:


image
image

The Gateway Setup should now be done and the four services should be enabled with green dots. First, go to the Firewall service and make sure the ports you need are open. That includes the ARD ports, so you can still reach the machine remotely, and all of the VPN L2TP ports, so you can connect to the new VPN server you are setting up (L2TP over IPsec uses UDP 500 for IKE, UDP 4500 for NAT traversal, UDP 1701 for L2TP itself, and the ESP protocol, IP protocol 50). You can also choose to allow all traffic, but on a machine with a public WAN address that leaves every other service on the mini exposed, so open only what you need. Then Save:


image

Go to the DNS service in Server Admin and set the Forwarder IP Addresses to the DNS addresses that your Mac mini uses. (For Macminicolo customers, that is 66.209.64.20 and 66.209.64.21):


image

You can now close Server Admin. Next, open up Server.app and go to the VPN service. The service will already be running, but we need to make two changes. First, change the subnet. It will default to 192.168.1.x, but it must be 192.168.2.x: the Gateway Setup Assistant has already put the LAN interface on 192.168.1.x, so VPN clients need a subnet of their own. Next, decide the range of IPs that you want to assign. For instance, if you anticipate 50 users, use a range of at least fifty addresses (ie, 192.168.2.100 - 192.168.2.150). Below are two screenshots of how it will look at first, and then how it will look after you change it.


image
image

At this point, disable the VPN Server, wait 20 seconds, and enable it again.


Next, open up Terminal so we can run one command. You'll be prompted for your admin password. This is the command:


sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.1"

image

Finally, return to the VPN service, disable it, wait 20 seconds, and enable it again. After that, your VPN server should be active and ready for connections.


A couple notes:


If you go back to your network settings, you'll see that the IP address of the LAN interface has changed from the 10.0.0.1 you originally set, and that it is now 192.168.1.x rather than 192.168.2.x. Both of these are correct: the Gateway Setup Assistant reassigned the LAN interface, and 192.168.2.x is reserved for the VPN clients. Don't alter them.


image

If it doesn't connect right away, run the Terminal command again and disable/enable the VPN service once more. It sometimes takes a couple of tries before the plist is actually rewritten.
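Checking whether the plist really was rewritten is easy to automate. The script below is an added example written for this page, not part of the original tutorial: it parses a "serveradmin settings vpn" dump and reports whether the offered DNS server, the client address pool and the L2TP enable flag are what the tutorial expects. Only the DNS:OfferedServerAddresses key is given in the tutorial; the "enabled" and "IPv4:DestAddressRanges" keys are assumed from serveradmin's vpn output, so confirm them with "sudo serveradmin settings vpn" on your own server. The two sample dumps at the bottom are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the hand-made VPN
# changes actually landed in the L2TP plist before handing out the shared
# secret. Real use on the Mac mini:
#     check_vpn_settings "$(sudo serveradmin settings vpn)"
# Of the keys below, only DNS:OfferedServerAddresses is given in the tutorial;
# the others are assumed from serveradmin's vpn output and should be confirmed
# with `sudo serveradmin settings vpn` on your own server.

L2TP="vpn:Servers:com.apple.ppp.l2tp"

# Print the unquoted value of one serveradmin key from a settings dump.
# Lines look like:   vpn:Servers:...:Key = "value"   (or  ... = yes)
# Prints nothing when the key is absent.
setting_value() {
    printf '%s\n' "$1" | grep -F -- "$2 = " | head -n 1 \
        | sed -e 's/^[^=]*= *//' -e 's/^"//' -e 's/"$//'
}

# Run the checks the tutorial implies. Prints one line per failure and
# returns 0 only when all pass, so it can gate a script or a cron job.
check_vpn_settings() {
    settings="$1"
    failed=0

    enabled=$(setting_value "$settings" "$L2TP:enabled")
    if [ "$enabled" != "yes" ]; then
        echo "FAIL: L2TP service is not enabled (enabled = '$enabled')"
        failed=1
    fi

    # The single Terminal command in the tutorial sets this key. If it still
    # reads 192.168.1.1 the plist was not rewritten and clients will be
    # offered a DNS server that is not on their subnet.
    dns=$(setting_value "$settings" "$L2TP:DNS:OfferedServerAddresses:_array_index:0")
    if [ "$dns" != "192.168.2.1" ]; then
        echo "FAIL: offered DNS server is '$dns', expected 192.168.2.1"
        failed=1
    fi

    # Client pool must sit inside 192.168.2.0/24 and be ordered low..high.
    lo=$(setting_value "$settings" "$L2TP:IPv4:DestAddressRanges:_array_index:0")
    hi=$(setting_value "$settings" "$L2TP:IPv4:DestAddressRanges:_array_index:1")
    for addr in "$lo" "$hi"; do
        case "$addr" in
            192.168.2.*) ;;
            *) echo "FAIL: client address '$addr' is outside 192.168.2.0/24"; failed=1 ;;
        esac
    done
    if [ -n "$lo" ] && [ -n "$hi" ] && [ "${lo##*.}" -gt "${hi##*.}" ]; then
        echo "FAIL: address range $lo - $hi is reversed"
        failed=1
    fi

    return "$failed"
}

# Constructed sample dumps for a stand-alone run (made up, not real output).
# This one looks like a server where every step of the tutorial took effect.
SAMPLE_GOOD='vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.1"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.100"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.150"'

# This one looks like Server.app still has its defaults and the Terminal
# command has not been applied.
SAMPLE_STALE='vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.1.1"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.1.100"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.1.150"'

check_vpn_settings "$SAMPLE_GOOD" && echo "sample config: OK"
check_vpn_settings "$SAMPLE_STALE" || echo "stale config: rejected as expected"
```

Run it once after the disable/enable cycle; if it still reports the 192.168.1.1 DNS address, repeat the Terminal command and the restart rather than handing the shared secret to clients and debugging from their end.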


This tutorial was done on a Mac mini with a clean install of the operating system. As you set it up, be sure it doesn't conflict with other services you may already have running.


If you try to connect from behind an Apple router (AirPort Extreme or AirPort Express) it may report that the server is unreachable. I wish I could give you a fix for this, but it looks to be a bug in the way the AE handles NAT, Back to My Mac, VPNs, and the mix of them. Hoping this will be fixed with an AE firmware update.


Mac OS X Client Configuration:


Setting up the client in OS X is just like any other VPN, but here are a couple of tips. First, it is done in the Network settings. Create a new VPN interface with the "+" button and put in your settings (this will include your server address and VPN account name):


image

In Authentication Settings, provide your account password and the Shared Secret. Hit OK.


image

Under Advanced, you can set all traffic to be sent through the VPN, which is what gives you the secure connection on the road mentioned at the top. There are other settings as well, so you can connect in the way that works best for your situation.


image

Finally, you just hit connect.


This tutorial got a lot of help from Rusty Ross, a great consultant who works with some customers here at Macminicolo. (Let us know if you'd like to be referred.) If you have questions, you can find us on Twitter @macminicolo. And if you're looking for somewhere safe and connected to place a VPN server, check out our prices to host a Mac mini with us.


About Macminicolo.net
Macminicolo.net, a Las Vegas colocation company, has been hosting Mac minis since their introduction in January 2005. They are the leaders in this niche market and are known for their personal service. They currently host hundreds of Mac minis for satisfied customers located in 31 different countries around the world. Get more info on our frequently asked questions page.

A look at Lion and Screen Sharing

Apple has released their next version of OS X, called Lion, and with it came some big changes in Screen Sharing. 


Screen Sharing is a service built into OS X that allows a Mac to be controlled by another device (a PC, iPhone, iPad, etc.). It was officially introduced in Leopard, though the ability to VNC into a machine goes back long before that. It was Leopard that brought the actual Screen Sharing application. 


Until Lion, you would connect to a Mac and see whatever was on the screen of the Mac. So, if someone else was using the machine, you would see what they were doing and you'd each have the ability to control the mouse and type keyboard commands. 


Lion introduced Per-User screen sharing. This allows you to "remotely log in to a Mac with any user account on that computer and control it, without interrupting someone else who might be using the computer under a different login." 


This change is incredibly useful, but there is a slight limitation. As found by AFP548.com in the Lion EULA:



Section 2,H. Remote Desktop Connections.  Subject to the terms and conditions of this License, when remotely connecting from another computer or electronic device (each a “Device”) to an Apple-branded computer that is running the Apple Software (for purposes of this Section, such Apple-branded computer is referred to as the “Home Mac”), whether through the Screen Sharing feature or through any other means:


(i) only one (1) Device may remotely connect at any one time, whether directly or indirectly, to control the graphical desktop session of the Apple Software that is running and being displayed on the Home Mac; and


(ii) a reasonable number of Devices may remotely connect at the same time for the sole purpose of simultaneously observing the same graphical desktop session of the Apple Software that is running and being displayed on the Home Mac, as long as they do not control the Apple Software in any way; but


(iii) only one (1) Apple-branded Device may remotely connect at any one time, whether directly or indirectly, to control a separate graphical desktop session of the Apple Software that is different from the one running and being displayed on the Home Mac, and such connection may only be made through the Screen Sharing feature of the Apple Software.


Except as expressly permitted in this Section 2H, or except as otherwise licensed by Apple, you agree not to use the Apple Software in connection with service bureau, time-sharing, terminal sharing or other similar types of services. You also agree not to use or offer the Apple Software, or any of its functionality, to provide service bureau, time-sharing, terminal sharing or other similar types of services to third parties.



Or in other words, if someone else needs to control the same Mac that you are using then only one device can do it at a time. That's a letdown but I can understand that it is a move to preserve Mac sales. 


Now that the use limitations are clear, what is the actual process of Screen Sharing?


First, be sure to enable Screen Sharing on the server. It is found in System Preferences -> Sharing


Now from the client end,  just use the Finder menubar Go -> Connect to Server (or Command+K)


image


Then type:



vnc://ip_address



or



vnc://domain.com



When Screen Sharing finds the server, you'll enter the user login for the remote Mac and then you'll see the screen as if it's sitting in front of you. The screen you see will depend on what authentication you use to connect. 


The actual Screen Sharing app is also improved. It now offers " a new toolbar that provides access to useful tools and settings such as screen resolution, Clipboard access, and screen capture." (For a tip, the first time you connect with Screen Sharing, right-click the app in your dock and choose to "Keep In Dock." With it there, you can click on it much quicker without the "Go To Server")


image


image


Lion brought great news for iPhone screen sharing clients because you no longer have to enable the "VNC" option in Screen Sharing.  And even better, you'll be able to log right into your user account (instead of first seeing the OS X login screen which happened with VNC.)


Two of my favorite screen sharing apps are Screens and iTeleport. Both of them have been updated to work with Lion. 


When you set up a new machine in either of these apps, you'll be asked for the regular information (machine name, address, etc.). Then, as part of the authentication, you can choose the new option "Mac" and enter your OS X user and password. This will bring you right to your desktop. 


imageimage


So in summary, Screen Sharing in Lion has been vastly improved. It's easier to connect from both iOS devices and Macs…even though you can only connect from one at a time. (At least according to the EULA.)

An Informative Look at Lion Server

image


Recently, Apple gave a preview of their two upcoming operating systems Lion and iOS 5. They both look great. Along with Lion, they also gave more info on Lion Server. I've noticed a good number of questions about Lion Server, and considering my day job, I thought I'd dig in and get familiar with it. Now that I have installed and cloned and downgraded and cloned for a few hours, I'll share my findings here. I'll answer some questions I've been sent about upgrading, pricing, and the operating system in general. (Though, we can't view it as an "operating system" anymore. More on that later.)


Two things to keep in mind before we start:


  1. Whether a Macminicolo customer or not, please don't consider this official and absolute advice. This is still beta software and some of it may change before Lion is officially released. For the MMC customers, we'll be sending out an email as we get closer. 

  2. This isn't a tutorial on how to setup Lion Server. We'll be providing that a little later and will make that available free. (Follow @macminicolo to know when it's ready.)

Alright, with that said, let's run thru some items. 


The Upgrade Process


Lion and Lion Server will be offered via the Mac App Store. Naturally you need version 10.6.6 or higher of the OS you are currently running since the Mac App Store was made available with that update. The price will be $30 for Lion and $50 for the Lion Server app. 


I've seen a lot of confusion on what the upgrade process will be from different operating systems, how it will work, and how much it will cost. So, let's run thru it. According to my tests, here is what it will take to get to Lion Server.


  • Snow Leopard - $80 - First you will upgrade to Lion. Once there, you'll be able to run the Server.app and it will walk you thru the setup process of starting services, creating users, setting your hostname, etc. 

  • Snow Leopard Server - $80 - You can not upgrade to Lion directly. If you try to run the Lion installer on Snow Leopard Server, it will first look for the Server.app in the "Application" folder of the Mac. 

image


When you have that in place, the installer will first install Lion. Then, when it restarts, it will walk you thru some very minimal steps for the Server.app (hostname confirmation, admin email, etc). At that point, the Server.app will take your Snow Leopard Server settings and upgrade them. This will include migrating OD to 10.7, updating LDAP, importing data, etc. This can take some time. 


Once it is done, you'll see the new Server.app and the services will be active. For the most part, my testing has shown a smooth transition though I think it will get better with the official release. If you've done a lot of work manually with the CLI, prepare for things to break. They always do. Also, Server.app gives some informative notifications on errors and how you might be able to fix them. 


  • Lion - $50 - If you buy a Mac that comes with Lion, you will download Lion Server from the Mac App Store and run it in place. The initial download will be small, but as you install, the Mac will download additional components of the install. Once installed, you'll walk thru the process of adding users, which services to setup, etc. It's a very, very simple upgrade. 

  • Lion Server - $0 - Since the Lion Server components are now available from the Mac App Store, some people have assumed that all Macs will come with Lion and leave it to customers to upgrade once installed. But, in a confirmed tip to Macminicolo, when Lion is released there will still be server versions of the Mac Pro and Mac mini, and they will come pre-installed with Lion Server. (So, when you start up, you'll go thru the regular process of creating users, services, etc.)

Other Tidbits


image


 First: Lion and Lion Server can be upgraded remotely. This has always been possible on a LAN, but not remotely. (Just ask our list of customers who tried to upgrade or re-install their Mac minis from afar. We were glad to jump in and help.) But with Lion, you can start the upgrade process, give it about 25 minutes to install offline, then it will come back up ready for the configuration. Also, Lion creates a recovery partition that you can boot into as it will keep the network settings. In a business like ours, this is huge. 


image


Second: OS X really, really doesn't like it when you change the hostname of a machine. It's possible, but certainly not fun with the command line. To do it completely, it usually takes a clean install of the OS. With Lion, it's still not recommended to change after an install, but at least it gives you a GUI to do it now and explains the different options for hostname. 


image


Third: By default, Server Admin is not installed. Right now, it's available as a separate download, and you'll need to install it if you want to access things like DHCP and DNS. Otherwise, you'll use (and Apple recommends) Server.app. Services like iCal and iChat are only available in Server.app.


It's clear that Apple wants to make Lion Server very simple for the many small businesses who will run it. For instance, the firewall settings are found in System Preferences rather than Server.app because that is where it's familiar to OS X users. 


This brings me to my final point.


Where is OS X Server headed?


image


Lion Server is not an operating system. Phil Schiller was clear about this in the keynote:



Server isn't another operating system. It's just a bunch of applications you can purchase to run on top of Lion. 



Here is one way to look at it:


When you want to get serious about photography on a Mac, you ditch iPhoto and upgrade to Aperture.


When movies get important to you, you move from iMovie to Final Cut. 


And when System Preference -> Sharing isn't enough, you make the $50 upgrade to the Lion Server app. 


This is not going to make everyone happy. Enterprise will consider it not "Enterprise ready." Instead, it is very simple for small business. And Apple likes this because it means they sell a Mac, iPhone and iPad to every employee of the business. In fact, I'll put it this way: the software has been lowered in price because its availability will sell more hardware. 


Lion Server is going to be a great upgrade. The Profile Manager, Push Notifications, and iPad document sharing will be very popular. I'll have more thoughts/insights on it later as we near the official release of Lion. (And feel free to send me questions @brianstucki.)

How iCloud works with a shared Apple ID

As I was watching the most recent Apple Keynote, it became clear that your Apple ID was going to become more and more important. Among its many uses, it's used to interact with iCloud, to make purchases at the iTunes music and App Stores, and can even be used to log into a Mac with Screen Sharing if you don't have a local account on the machine. As long as you have a secure password, it's great to have everything so simplified with one login. However, there is one concern I had right away. 


In our house we have 8 iOS devices. I have an iPhone, an iPad and an iPod Touch. My wife has an iPhone and an iPad. My two sons have an iPod Touch each. And the family shares an Apple TV. Our family purchases a lot of apps, music and movies from Apple. To keep things simple and usable for everyone, we use one Apple ID to make purchases so that each of us can enjoy the media. My guess is that there are a lot of homes out there similar to ours. 


This setup has worked great, but with the recent iCloud, I was worried that it wouldn't be so simple anymore. I'll want my own calendars, contacts, photo streams, etc. And so will my wife and sons. We could all set up our own Apple IDs, but it would mean we would each have to buy a copy of an app if we wanted the whole family to use it on their devices. Also, my wife and sons wouldn't have access to past purchases. (Come on, you knew I'd be keeping the original Apple ID.)


I installed Lion on a partition of my iMac, and then iOS 5 on my iPod touch, so I could find the best way for our family to implement it. It turns out, there is a way. 


When you start a new device with iOS 5, you'll see the following screen:


image


If you fill in your Apple ID here, it will set it up everywhere on the phone. That includes iCloud, the App Store, mail, iBookstore, etc. The key is to "Skip this step" and do each part manually. The downside is that you'll start with just the basic install of apps, and all your past apps won't be placed immediately. 


image


If you tap on Settings, you'll see a place for "iCloud". There, you will login with your personal iCloud Apple ID. (You can use one you have already, or create one there.) I have a me.com address that I use for personal syncing, so I used that Apple ID. Once I logged in, I could choose all the settings I want to use with iCloud. 


imageimageimage


Then further down in Settings, you'll have an option of "Store." In there, you'll have a chance to log in and make settings for your iTunes purchases. Here I used our family Apple ID that we use to purchase apps, movies and music. 


imageimageimage


Once it is setup in this way, here are the results:


  • Calendars, contacts, photo streams, reminders, and bookmarks were all my own, personal information. They would sync to my test iPod and my Mac install running Lion. They did not sync to my family iOS Devices. (I took the iPod Touch from my son and installed there for testing also. He is 2 and was not happy, but I distracted him with a box of Nilla Wafers)

  • I purchased an app on my Lion Mac, and it was immediately downloaded to my Mac, my iPod Touch and my son's iPod Touch. This could be a problem because I buy a lot more apps than my family. When we're all up-to-date on software, I think I'll leave mine on Auto-Downloads, but have my family download manually. I'm just glad they can still access past purchases and manually download apps I buy in the future.

To sum it up, it is still possible to use iCloud for your personal stuff, but a shared Apple ID for you and your family. For me, the key was to skip the automated iCloud setup at the iOS welcome walk-through. 

The Pudgy Mac mini

I see a plethora of Mac minis at Macminicolo everyday so I'm really, really familiar with the dimensions and look. I can easily spot when a Mac mini doesn't look right in an image. So, this is the reason the official Mac mini order page just drives me crazy.


Here is the page with the offending Mac mini circled:


image


Now, if you screenshot just the Mac mini, this is what it looks like:


image


However, if you pull the image from the page and open it in Preview.app, it looks normal:


image


They take an image that should be 146px high and stretch it to 180px. In other words, the mac mini is the same size horizontally, but is stretched vertically. 


image


Yes, I know this is nit-picky. Yes, I think Apple would prefer not to make a sleek Mac look pudgy. And no, I'm not trying to read into it as a rumor of a future tall Mac mini. And no, I don't color coordinate my ties and socks. 


I just figured...it bothers me so I'm going to point it out and make it bother other people as well.