We have a lot of customers who use their Mac mini as a VPN server. This works great when you need an IP address in the US, or a secure internet connection on the road, or a number of other reasons. When Apple released Lion, they changed the setup a bit. By default, Lion Server VPN will distribute IP addresses in the same range the Mac itself uses. This doesn't work well in a facility like Macminicolo where each Mac mini has a static WAN IP address.
This tutorial will show how to make the Mac mini an internet gateway that assigns a LAN IP range to connected VPN clients. This tutorial was created on Lion 10.7.1, and proven to continue working when upgraded to 10.7.2. Read over the steps below, and then follow each one closely. (Update: Since posting this tutorial, Apple has also put together a similar approach here. We also created a tutorial for setting up VPN on Mountain Lion Server as well. And here is one for VPN on a Mavericks Server.)
Before we start the process, be sure you have downloaded and installed the Server Admin Tools for Lion. Those can be found on the Apple Support site here.
Open the network settings on the Mac mini and add a virtual interface:
Once the interface is created as "LAN" then set the settings as below (ie, 10.0.0.1):
Open Server Admin and check the following services so they are available. The dots will remain grey as they are not yet active:
Choose the "NAT" service, be sure you are on the "Overview" tab and click "Gateway Setup Assistant":
It will warn that you are going to overwrite the DHCP subnets. This is fine:
Select Ethernet for the WAN interface:
Check "LAN" as the LAN Interface (this is the virtual interface you setup earlier):
Next we will enable the VPN server. Your Shared Secret will be shared with any of the clients that you allow to connect:
Next will be a window where you can confirm the settings and continue. When it's done, it will be reported as complete:
The Gateway Setup should now be done and the four services should be enabled with green dots. First, go to the Firewall setting and be sure your proper ports are open. This would include the ARD ports so you can access the machine remotely and check all the VPN L2TP ports so you can connect to the new VPN server you are setting up. Or, you can choose to allow all traffic. Then Save:
Go to the DNS service in Server Admin and set the Forwarder IP Addresses to the DNS addresses that your Mac mini uses. (For Macminicolo customers, that is 18.104.22.168 and 22.214.171.124):
You can now close Server Admin. Next, open up Server.app and go to the VPN service. The service will be running already but we need to make two changes. First, we will need to change the subnet. It will default to 192.168.1.x, but it must be 192.168.2.x. Next, you can decide the range of IPs that you want to assign. For instance, if you anticipate 50 users, you would use a range of fifty (e.g., 192.168.2.100 - 192.168.2.150). Below are two screenshots of how it will look at first, and then how it will look after you change it.
At this point, disable the VPN Server, wait 20 seconds, and enable it again.
Next, open up Terminal so we can run one command. You'll be prompted for your admin password. This is the command:
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.1"
Finally, return to the VPN service, disable it, wait 20 seconds, and enable it again. After that, your VPN server should be active and ready for connections.
If you go back to your network settings, you'll see that the IP address has changed from what you originally set. Also, you'll see that it's 192.168.1.x and not 192.168.2.x. Both of these are correct changes. Don't alter them.
If it doesn't connect right away, you may try the Terminal command again, and disabling/enabling the VPN service. Sometimes it takes a couple tries to rewrite the plist.
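As an added helper that is not part of the original tutorial, the shell script below checks a proposed client range against the 192.168.2.x requirement described above, emits the matching serveradmin settings (the same OfferedServerAddresses key as the Terminal command, plus the range keys), and, when run as "apply", writes them, bounces the VPN service and reads the DNS key back. The DestAddressStart/DestAddressEnd key names are assumed from serveradmin's "settings vpn" output; confirm them on your own server before relying on them.

```shell
#!/bin/sh
# Hypothetical helper, not from the tutorial. Validates a Lion Server L2TP client
# range and emits/applies the serveradmin settings the tutorial changes by hand.
VPN_LAN_PREFIX="192.168.2"
VPN_DNS="192.168.2.1"
L2TP="vpn:Servers:com.apple.ppp.l2tp"

# last_octet 192.168.2.100 -> 100; fails if the address is outside 192.168.2.x
last_octet() {
    case "$1" in
        "$VPN_LAN_PREFIX".*) ;;
        *) return 1 ;;
    esac
    echo "${1##*.}"
}

# check_range START END: both in 192.168.2.x, last octets 2..254 (so the gateway
# address 192.168.2.1 is never handed to a client), and START <= END.
check_range() {
    s=$(last_octet "$1") || return 1
    e=$(last_octet "$2") || return 1
    [ -n "$s" ] && [ -n "$e" ] || return 1
    case "$s$e" in *[!0-9]*) return 1 ;; esac
    [ "$s" -ge 2 ] && [ "$e" -le 254 ] && [ "$s" -le "$e" ]
}

# vpn_settings START END: print "key = value" lines in the form that
# "serveradmin settings" accepts on stdin. Range key names are an assumption.
vpn_settings() {
    check_range "$1" "$2" || return 1
    cat <<EOF
$L2TP:IPv4:DestAddressRanges:_array_index:0:DestAddressStart = "$1"
$L2TP:IPv4:DestAddressRanges:_array_index:0:DestAddressEnd = "$2"
$L2TP:DNS:OfferedServerAddresses:_array_index:0 = "$VPN_DNS"
EOF
}

# apply_vpn_settings START END: write the settings, disable/enable the service
# with the tutorial's 20 second pause, then verify the DNS key was rewritten.
apply_vpn_settings() {
    vpn_settings "$1" "$2" | sudo serveradmin settings || return 1
    sudo serveradmin stop vpn >/dev/null
    sleep 20
    sudo serveradmin start vpn >/dev/null
    sudo serveradmin settings "$L2TP:DNS:OfferedServerAddresses:_array_index:0" \
        | grep -q "\"$VPN_DNS\""
}

if [ "${1:-}" = "apply" ]; then apply_vpn_settings "$2" "$3"; fi
```

Run it as `sh vpnrange.sh apply 192.168.2.100 192.168.2.150` on the server; if the final read-back fails, repeat the disable/enable as the tutorial suggests.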
This tutorial was done on a Mac mini with a clean install of the operating system. As you set it up, be sure it doesn't conflict with other services you may already have running.
If you try to connect from behind an Apple router (AirPort Extreme or AirPort Express) it may report that the server is unreachable. I wish I could give you a fix for this, but it looks to be a bug with the way the AE handles NAT, Back to My Mac, VPNs, and the mix of them. Hoping this will be fixed with an AE firmware update.
Setting up the client in OS X is just like any other VPN, but here are a couple of tips. First, it will be done in the Network Settings. Create a new VPN interface with the "+" button and put in your settings (this will include your server address and VPN account name):
In Authentication Settings, provide your account password, and the Shared Secret. Hit OK.
Under Advanced, you'll be able to set all traffic to be sent through the VPN. There are other settings as well so you can connect in a way that works best in your situation.
Finally, you just hit connect.
This tutorial got a lot of help from Rusty Ross, a great consultant who works with some customers here at Macminicolo. (Let us know if you'd like to be referred.) If you have questions, you can find us on Twitter @macminicolo. And if you're looking for somewhere safe and connected to place a VPN server, check out our prices to host a Mac mini with us.