Apple OS X Server: How to configure a VPN service

Jesus Vigo walks you through the steps of configuring VPN services in Apple's OS X Server.

The VPN service included in OS X Server is a lightweight, easy-to-set-up server component that gives end users remote access to corporate data. It carries that traffic across a public network, such as the Internet, inside an encrypted tunnel between the client and the server, so both directions of the conversation are protected while in transit.

VPN is a must-have tool for employees working off-site, or for users who want to reach data on their home computers securely. It can also be used to browse more safely on public Wi-Fi, with one caveat: the tunnel protects traffic only between the client and the VPN server. Beyond the server, traffic travels as it normally would, so the VPN does not replace TLS on the sites themselves.

Configure a VPN service

Here are the requirements for configuring VPN services in OS X Server:

  • Apple computer with OS X Server installed (1.0+)
  • Static IP address assigned to OS X Server *
  • Broadband Internet access (Wi-Fi or Ethernet)
  • Host name registered with 3rd-party name service **
  • DNS entries registered with 3rd-party service and/or ISP **
  • Firewall configuration to allow TCP/UDP ports ***

Follow these steps to configure a VPN service:

  1. Launch Server.app from the Applications folder, and select the server you wish to manage
  2. Log in with administrative credentials
  3. Click VPN from the Services pane
  4. If running OS X Server 3.0, note the known software bug (Figure A) that prevents clients from connecting to the VPN server. Apple has released an update that fixes it; install that update before proceeding with the configuration
    Figure A

  5. Click the Restart VPN button for the changes to take effect
  6. Set Configure VPN for: to L2TP (L2TP over IPsec). Leave PPTP disabled: its MS-CHAPv2 authentication has known practical attacks and it is not recommended
  7. Set VPN Host Name to either the static IP assigned to OS X Server or the host name, if one is configured through 3rd-party DNS entries or domain name registration (the latter lets clients reach the VPN server by name rather than by IP address)
  8. Next, create a Shared Secret (Figure B). This is the IPsec pre-shared key that every L2TP client presents to bring up the tunnel, before the user's own name and password are checked; it accepts letters, digits and symbols. Because the same secret is distributed to every client and device, it is only as secret as the least protected of them: generate a long random value rather than a memorable phrase, keep it out of email and chat, and rotate it if a client is lost or an employee leaves
    Figure B

  9. Client Addresses (Figure C) are reached by clicking the appropriate Edit… button. This menu sets the pool of IP addresses handed to VPN clients once a connection is established. To avoid two hosts claiming the same address, the pool must not overlap addresses already in use on the LAN or handed out by its DHCP server. Use the arrows to set the maximum number of concurrent connections the service will accept. Click OK to save the settings
    Figure C

  10. The DNS Settings menu (Figure D), reached by clicking its Edit… button, configures the name servers (by IP address) and search domains (by name) that are pushed to clients when they connect. Point clients at an internal resolver if they need to resolve internal host names over the tunnel. Click OK to save the settings
    Figure D

  11. Routes are an optional configuration step (Figure E). Each route names a destination network that clients should reach through the tunnel. With no routes defined, clients send all of their traffic through the VPN; listing only the internal subnets remote users actually need produces a split tunnel, so just those segments are reachable over the VPN rather than the entire network, and the client's ordinary Internet traffic stays on its local connection. Click OK to save settings
    Figure E

  12. Once the settings have been configured, click the ON button to start the service (Figure F). Pay close attention to the status lights, as a solid green sphere indicates all settings are correct and the VPN server is ready to accept connections. 
    Figure F

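As an added example (not from the original article and not Apple's code), here are the same configuration steps expressed as a shell script for the server: it generates a random Shared Secret, checks that the client address pool does not collide with the LAN's DHCP pool, and prints the serveradmin commands that correspond to steps 6, 8 and 9. The serveradmin setting keys are written from memory of OS X Server 3.x installs and are an assumption to confirm against the output of `sudo serveradmin settings vpn` on your build; the IP ranges and the secret policy are constructed sample values.

```shell
#!/bin/sh
# Added example: helper functions for the OS X Server VPN setup above.
# Sample addresses are constructed; the serveradmin keys are assumptions
# to verify with: sudo serveradmin settings vpn

# Convert a dotted-quad IPv4 address to an integer for range arithmetic.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ranges_overlap START1 END1 START2 END2: succeeds if the two inclusive
# ranges share any address. Use it to keep the VPN client pool (step 9)
# clear of the LAN's DHCP pool and static assignments.
ranges_overlap() {
  s1=$(ip2int "$1"); e1=$(ip2int "$2")
  s2=$(ip2int "$3"); e2=$(ip2int "$4")
  [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

# Generate the IPsec Shared Secret (step 8): 32 bytes from the kernel
# CSPRNG, base64-encoded, giving 43 characters with 256 bits of entropy.
gen_shared_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Reject a Shared Secret that is short or drawn from fewer than three
# character classes. This is a policy floor for secrets typed by hand,
# not a substitute for generating the secret randomly.
check_shared_secret() {
  s=$1
  [ "${#s}" -ge 20 ] || return 1
  classes=0
  case $s in *[a-z]*) classes=$((classes + 1)) ;; esac
  case $s in *[A-Z]*) classes=$((classes + 1)) ;; esac
  case $s in *[0-9]*) classes=$((classes + 1)) ;; esac
  case $s in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ]
}

# vpn_settings_script SECRET POOL_START POOL_END: print (never run) the
# serveradmin commands matching Server.app steps 6, 8 and 9.
# Key names are an assumption; compare with 'serveradmin settings vpn'.
vpn_settings_script() {
  cat <<EOF
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled = no
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = yes
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "$1"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0:DestAddressStart = "$2"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0:DestAddressEnd = "$3"
sudo serveradmin stop vpn && sudo serveradmin start vpn
EOF
}

# Demonstration with constructed values: the LAN DHCP server hands out
# .100-.199 and the VPN pool is .200-.219 on the same subnet.
DHCP_START=192.168.1.100; DHCP_END=192.168.1.199
POOL_START=192.168.1.200; POOL_END=192.168.1.219
if ranges_overlap "$DHCP_START" "$DHCP_END" "$POOL_START" "$POOL_END"; then
  echo "VPN pool overlaps the DHCP pool; pick another range" >&2
else
  SECRET=$(gen_shared_secret)
  if check_shared_secret "$SECRET"; then
    vpn_settings_script "$SECRET" "$POOL_START" "$POOL_END"
  else
    echo "generated secret failed the policy check; run again" >&2
  fi
fi
```

Review the printed commands before pasting them into a root shell, and treat the terminal scrollback and shell history as places the Shared Secret now lives: clear them, or pass the secret through a file with restrictive permissions instead.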

The ability to work on sensitive company data from remote locations, just as if one were sitting at the corporate office, is invaluable to mobile professionals. Beyond file access, a client configured to send all of its traffic through the tunnel also has its web traffic encrypted between the client and the VPN server, which keeps it off an untrusted local network in the clear; from the server onward it travels as it normally would, so the VPN is not a substitute for TLS on the sites themselves. These safeguards add a layer of protection for enterprise and end users alike and help satisfy network security policies.

* Static IP address is recommended to prevent changes in dynamic addressing from rendering the server unreachable.

** Optional, unless clients need to reach the VPN server by name. By registering a domain name with a 3rd-party registrar, that host name can be assigned to the VPN server, ensuring that it can be reached by name from the Internet. Alternatively, a Dynamic DNS service may be used to map a dynamic IP address to a host name in lieu of a static IP or domain registration.

*** OS X Server's VPN service relies on several ports and IP protocols. L2TP over IPsec needs UDP 500 (IKE), UDP 4500 (NAT traversal) and UDP 1701 (L2TP), plus IP protocol 50 (ESP); PPTP needs TCP 1723 plus IP protocol 47 (GRE). If these are blocked or filtered by a firewall, or not forwarded by a NAT router in front of the server, VPN access may not work at all. Apple publishes a list of the well-known TCP and UDP ports used by its services; open only the ones the chosen VPN type needs.
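As an added example (again not from the article or from Apple) for the firewall note, a shell function that emits a pf rule set admitting exactly what the selected VPN type needs and nothing else; pf is the packet filter built into OS X. The port and protocol numbers are the standard ones for L2TP/IPsec and PPTP; the server address and the anchor file path are constructed for the example.

```shell
#!/bin/sh
# Added example: pf rules for the OS X Server VPN service.
# vpn_pf_rules TYPE SERVER_IP, where TYPE is l2tp or pptp.
# L2TP/IPsec: UDP 500 (IKE), UDP 4500 (IKE NAT traversal and ESP-in-UDP),
# UDP 1701 (L2TP), and IP protocol 50 (ESP) for clients not behind NAT.
# PPTP: TCP 1723 (control channel) and IP protocol 47 (GRE) for the data.
vpn_pf_rules() {
  vtype=$1
  srv=$2
  case $vtype in
    l2tp)
      printf 'pass in quick proto udp from any to %s port { 500, 1701, 4500 }\n' "$srv"
      printf 'pass in quick proto esp from any to %s\n' "$srv"
      ;;
    pptp)
      # Kept for completeness only; the article recommends against PPTP.
      printf 'pass in quick proto tcp from any to %s port 1723\n' "$srv"
      printf 'pass in quick proto gre from any to %s\n' "$srv"
      ;;
    *)
      echo "vpn_pf_rules: unknown VPN type '$vtype' (use l2tp or pptp)" >&2
      return 1
      ;;
  esac
}

# Number of rule lines a type produces, for a quick sanity check.
vpn_pf_rule_count() {
  vpn_pf_rules "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration with a constructed server address. On the server these
# lines would go into an anchor file (e.g. /etc/pf.anchors/vpn), be
# referenced from /etc/pf.conf, and be loaded with: sudo pfctl -f /etc/pf.conf
vpn_pf_rules l2tp 192.168.1.10
```

The same openings must exist on any NAT router in front of the server (port-forwarded to the server's LAN address), and nothing here opens TCP 1723 or GRE unless PPTP is explicitly requested, which keeps the footprint to the protocol actually in use.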

Do you have additional tips and tricks for configuring VPN services in OS X Server? Share your knowledge and expertise in the discussion thread below.

About

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 15 years of experience and multiple certifications from seve...

5 comments
meedfellow

Hi, I have connected the VPN, but how do I view and access the server over VPN? I mean, on Windows I can do this with Remote Desktop Connection.


adriandb

I am running an OS X server machine on my home network and have VPN up and running. My issue is that when I connect to the VPN remotely I can only access the network resources of the server and not any other machines on my network. 


Is this normal? 

MarkSmithM

I have set up VPN on my iPhone and iPad. Though it is a bit difficult to configure at the start, if one follows the complete and right process then it is not as difficult as it appears to be. The configuration settings above are just right to follow. But choosing the right VPN service is key to setting up and getting maximum results from VPN on your iOS device.

Gisabun

Nice to write about it but I wonder how few actually use Mac OS X server.

themacjesus

It's true @Gisabun, the market share favors Windows and Linux servers. One of the great things about OS X Server is that it incurs neither the steep licensing costs nor the learning curve involved with deploying either one of those other servers.


OS X Server is both inexpensive ($20 for the software + unlimited user licenses) and it's easy to implement a myriad of services (from file sharing to security to messaging and collaboration), similar to using OS X.


Plus, with the growing BYOD trend, many orgs find themselves deploying OS X Server if only for Profile Manager service to centrally manage mobile devices vs rolling out costly MDM suites or SaaS offerings.


Thanks for your thoughts!
