The VPN service included in OS X Server
is a lightweight, easy-to-setup server component that allows end-users remote access to
corporate data. By utilizing public networks, such as the Internet, VPN
creates a secure tunnel that encrypts two-way communications between two
end-points.

VPN is a must-have tool for employees working off-site or users
who wish to access data on their home computers securely. It can also be used as a means to safely browse online when connected to public Wi-Fi.

Configure a VPN service

Here are the requirements for configuring VPN services in OS
X Server:

  • Apple computer with OS X Server installed (1.0+)
  • Static IP address assigned to OS X Server *
  • Broadband Internet access (Wi-Fi or Ethernet)
  • Host name registered with 3rd-party
    name service **
  • DNS entries registered with 3rd-party
    service and/or ISP **
  • Firewall configuration to allow TCP/UDP ports ***

Follow these steps to configure a VPN service:

  1. Launch Server.app from the Applications folder, and select the server you wish to manage
  2. Login with administrative credentials
  3. Click VPN from the Services pane
  4. If running OS X Server 3.0, note the known software bug (Figure A) that prevents
    clients from connecting to VPN servers. Apple has addressed this issue; install the fix before proceeding with configuration.
    Figure A
  5. Click the Restart VPN button for the changes to
    take effect
  6. Set Configure VPN for: L2TP (PPTP is considered
    cryptographically less secure and not recommended)
  7. Set VPN Host Name to either the static IP
    assigned to OS X Server or the hostname if configured through 3rd-party
    DNS entries or domain name registration (the latter allows access to the VPN
    server through a URL)
  8. Next, create a Shared Secret (Figure B). This passphrase
    will be used by the client end-point to authenticate with the VPN. Due to the
    secure nature of VPN access, the Shared Secret accepts alphanumeric characters
    and symbols. Like a password, it should be complex and not easy to guess. 
    Figure B
     
  9. Client Addresses (Figure C) are accessible by clicking the appropriate Edit… button. This menu configures the IP addresses assigned to VPN clients
    upon successfully establishing a connection. To avoid conflicts, the external range
    should be different from the internal range used by the server. Use the arrows
    to set the maximum number of concurrent connections the service will host. Click
    OK to save the settings. 
    Figure C
     
  10. The DNS Settings menu (Figure D), accessible by clicking its Edit… button, allows the configuration of name servers and search domains. Specified by IP address or hostname,
    these settings are passed on to the clients dynamically. Click OK to save the
    settings.
    Figure D
  11. Routes are an optional configuration step (Figure E). Static routes direct VPN traffic to specific
    subnets, so only those segments become reachable through the tunnel rather than the
    entire network. Click OK to save settings.
    Figure E
  12. Once the settings have been configured, click the ON button to start the service (Figure F).
    Pay close attention to the status lights: a solid green sphere indicates all
    settings are correct and the VPN server is ready to accept connections.
    Figure F

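The steps above leave three checks to the administrator: that the client address pool (step 9) does not overlap the server's own LAN, that the shared secret (step 8) is not trivially weak, and that the firewall passes the UDP ports L2TP/IPsec needs (requirement ***). The following pre-flight script, an added example that is not code from the original article or from Apple, performs those checks on constructed values; the 16-character minimum and the sample subnets are assumptions, not figures from the article.

```python
"""Pre-flight checks for an OS X Server L2TP/IPsec VPN configuration.

Added example, not Apple's code. Configuration values are constructed.
"""
import ipaddress
import string

# L2TP/IPsec needs UDP 500 (IKE), UDP 4500 (NAT traversal) and UDP 1701 (L2TP),
# plus IP protocol 50 (ESP), which is not a port and is not checked here.
L2TP_UDP_PORTS = frozenset({500, 1701, 4500})
MIN_SECRET_LEN = 16  # assumption: the article gives no minimum length


def pool_overlaps_lan(pool_start: str, pool_size: int, lan_cidr: str) -> bool:
    """True if any of the pool_size addresses handed to clients lies in the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    first = ipaddress.ip_address(pool_start)
    return any((first + i) in lan for i in range(pool_size))


def secret_weaknesses(secret: str) -> list:
    """Return the reasons a shared secret is weak; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d characters" % MIN_SECRET_LEN)
    if not any(c.isalpha() for c in secret):
        problems.append("no letters")
    if not any(c.isdigit() for c in secret):
        problems.append("no digits")
    if not any(c in string.punctuation for c in secret):
        problems.append("no symbols")
    return problems


def missing_firewall_ports(allowed_udp) -> set:
    """UDP ports L2TP/IPsec needs that the firewall does not currently allow."""
    return set(L2TP_UDP_PORTS - set(allowed_udp))


if __name__ == "__main__":
    # Constructed configuration: server LAN is 192.168.1.0/24.
    print("pool overlaps LAN:", pool_overlaps_lan("192.168.1.200", 10, "192.168.1.0/24"))
    print("pool overlaps LAN:", pool_overlaps_lan("10.8.0.1", 10, "192.168.1.0/24"))
    print("secret problems:", secret_weaknesses("password"))
    print("missing UDP ports:", missing_firewall_ports({500, 4500}))
```
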
The ability to work on sensitive
company data from remote locations, just as if one were sitting at the
corporate office, is invaluable to mobile professionals. In addition to providing
secure file access, the VPN server acts as a proxy for the client, encrypting web traffic
in both directions between client and server. These safeguards add a layer of protection for enterprise and
end-users alike, while complying with data integrity best practices and network
security policies.

* Static IP address is recommended
to prevent changes in dynamic addressing from rendering the server unreachable.

** Optional, unless necessary to
communicate with the VPN server via URL. By registering a domain name with a 3rd-party
registrar, that host name can now be assigned to the VPN server, ensuring that
it can be reached on the web. Conversely, Dynamic DNS services may be used to
map the dynamic IP used to a host name in lieu of static IP or domain
registration.

*** Apple OS X’s VPN server relies on
several ports for communication. If these ports are blocked or filtered by a
firewall, VPN access may not work at all. Apple's listing of well-known TCP and UDP ports used by its services can be consulted to open
the specific ports needed.

Do you have additional tips and tricks for configuring VPN services in OS X Server? Share your knowledge and expertise in the discussion thread below.