Set Up a VPN With Mac OS X Server 10.4

Set up a VPN in Tiger Server 10.4

A step by step guide





This tutorial is for an old version of the Mac OS X operating system. If you'd like an updated look at Snow Leopard Server, find it here.



******************



Here we will show how to set up Mac OS X 10.4 Server to function as a VPN server. We will also look at the client configuration needed to connect to that server from a Mac OS X 10.4 client.


Server:

The server must be running Mac OS X Server (10.4.3 as of this writing). The VPN server capabilities are not built into the client version of the OS.


Open Server Admin, located in /Applications/Server. Connect to the server using its IP address and the proper username and password. Once you do, you will see a list of services available on that machine. Click on VPN and the VPN settings will appear on the right.





Select the L2TP tab and use the image above as an example. Note that the IP addresses used in the image are for example only.


When a remote user connects to the internet, they receive an IP address from their service provider. When the VPN tunnel is negotiated with the VPN server, the server assigns the client an IP address from the corporate network. When the client accepts that address as part of the VPN negotiation, it adds it to the network interface in addition to the IP address from the internet service provider (ISP). This means that the VPN client actually has two addresses bound to it: one from the ISP and one from the corporate network.


The VPN server needs to dynamically assign IP addresses to clients from a pool of possible addresses. That is what we are specifying in this screen. You must specify both the starting and ending addresses of the IP pool that the VPN server is allowed to hand out to connecting clients. Note that when a client disconnects from the VPN, its IP address is freed and put back in the pool for future clients. It is also essential that the addresses in this pool are not used by any other computers on the corporate network. If they are, address conflicts will occur and neither machine will be able to access the network.


Set PPP Authentication to MS-CHAPv2 and specify a Shared Secret. This Shared Secret should be the strongest password you can come up with: not a dictionary word, and the longer it is, the better. The three weakest parts of the VPN are the username and password the user connects with and the Shared Secret. If you use weak passwords or secrets, a tunnel could be established by anyone able to guess them.



Next, select the PPTP tab. Just as before, you must specify a pool of addresses that can be used by VPN users who connect using PPTP.


Under Mac OS X Server, Mac clients generally connect to the VPN server using L2TP, while Windows XP users connect using PPTP. L2TP is considered more cryptographically sound, but since Microsoft did not conform to IPSec-based standards when it wrote XP’s VPN client, Windows users are forced to use PPTP.



Finally, select the Client Information tab.


Here we specify the DNS servers the client should use once it has connected to the VPN. Since many corporations use internal DNS servers, the servers specified here will be used for any traffic traveling through the VPN.


Under Network Routing Definition we set the rules for VPN routing. In my example, the corporate network is a Class C, or addresses ranging from 66.62.25.1 – 66.62.25.255. In this example, the Network Address is entered as 66.62.25.22, but it might more appropriately be entered as 66.62.25.0, since the Network Mask of 255.255.255.0 covers the entire Class C.

The final key value here is the Network Type, which is set to Private. This means that any traffic to or from the client destined for the 66.62.25.x network is considered internal and stays on the secure VPN. Any addresses not listed as Private here are not considered secure, and the VPN client will route that traffic over the normal internet connection rather than sending it down the VPN tunnel to the corporate network. This is why the VPN client keeps the ISP-assigned IP address in addition to the address assigned to it by the VPN server.


Lastly, a user account must be created on the server. This is done through Workgroup Manager, an application located in the same directory as Server Admin. When you create the account, be sure to set a strong password. The username and password created here are the credentials the remote user will use when logging into the VPN.



Mac OS X VPN Client Configuration:

The Mac VPN client is much easier to configure than the Windows XP equivalent.



Select New VPN Connection from the File menu, then choose L2TP over IPSec and continue.



A new profile will open. Don’t fill in the information on this screen; if you do, you will miss one vital piece of information, since there is no place here to specify the Shared Secret for the connection, and without it the tunnel will never establish. Instead, select Edit Configurations from the Configuration menu.



Fill in the fields with the appropriate information. The Description can be anything you want. The Server Address is the IP address of the Mac VPN server. The Account Name and Password are the login you created for the user in Workgroup Manager. Be sure to enter the same Shared Secret you used when setting up L2TP on the VPN server.


VPN On Demand is a new feature in 10.4. When you enable it, you must list the domains that will trigger activation of the VPN tunnel when you try to access them.


When you click OK, your client is all set.


It is worth looking at some of the advanced options under the Connect menu, then Options. There is an option to send all traffic over the VPN. This can be a powerful option. Normally you would not want to do this, as it increases traffic on the corporate end of the network. But if you are a user on the road using a hotspot or public wireless network, it might be a good idea to enable it: all of your traffic is then protected from other users who might be sniffing traffic on the wireless network.
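The three policy decisions this guide makes in the GUI (the client IP pool must not collide with existing hosts, Private routing definitions go down the tunnel and everything else goes out the ISP link, and "send all traffic" overrides that split) can be modelled in a few lines. This is an added example, not code from the article or from Mac OS X Server; the routing rows and host addresses are constructed from the article's 66.62.25.x example, and the function names are my own.

```python
import ipaddress

# Constructed routing definition matching the article's screen: the Network
# Address box held 66.62.25.22 with mask 255.255.255.0 and type Private.
ROUTING_DEFINITIONS = [
    ("66.62.25.22", "255.255.255.0", "Private"),
]


def normalize_definition(address, mask, net_type):
    """Turn one (Network Address, Network Mask, Network Type) row into a network.

    strict=False masks off the host bits, so 66.62.25.22/255.255.255.0 becomes
    66.62.25.0/24, the form the article says is the more appropriate entry.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False), net_type


def route_via_tunnel(destination, definitions=ROUTING_DEFINITIONS,
                     send_all_traffic=False):
    """Decide whether a packet to `destination` is sent down the VPN tunnel.

    send_all_traffic mirrors the client's 'send all traffic over VPN' option:
    everything is tunnelled. Otherwise only destinations that fall inside a
    Private definition use the tunnel; the rest leave via the ISP address.
    """
    if send_all_traffic:
        return True
    dst = ipaddress.ip_address(destination)
    for address, mask, net_type in definitions:
        net, kind = normalize_definition(address, mask, net_type)
        if dst in net:
            return kind == "Private"
    return False


def check_pool_against_hosts(pool_start, pool_end, static_hosts):
    """Return the pool addresses that collide with hosts already on the LAN.

    This is the conflict the article warns about when choosing the L2TP/PPTP
    client IP pool: a pool address in use elsewhere breaks both machines.
    """
    start = int(ipaddress.ip_address(pool_start))
    end = int(ipaddress.ip_address(pool_end))
    used = {int(ipaddress.ip_address(h)) for h in static_hosts}
    return [str(ipaddress.ip_address(n)) for n in range(start, end + 1)
            if n in used]
```

Running `check_pool_against_hosts` against an inventory of the corporate network's fixed addresses before entering the pool range in Server Admin catches the overlap the article describes.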


(Note: This page is mostly a reproduction of a great article at MacLive.net titled "Setup Mac OS X VPN Server for Mac & XP Clients." This was done to secure a copy for our customers. For more info, updates and comments, visit the article here.)



