Recently a good friend of mine gave me a call and asked if I could stop by his shop and help him set up a VPN using Lion Server. He had been trying to set one up for days to no avail. I realized right then what his issue was over the phone, and I also realized that this would be a great opportunity to share some networking concepts required to get VPN up and running in a small business environment. I want to point out I will not be providing a guide to setting up the service on Lion Server since, really, it is as simple as enabling a couple of services, and Apple provides plenty of great documentation to achieve this task. Instead this will be more of an overview of what to expect and how to plan for it.

First, let's take into account the type of network you're working with and consider when Lion Server is a good choice. I won't claim that Lion Server is appropriate for an enterprise-class network. Where Lion Server shines is in a small organization with fewer than 50 computers, preferably Macs. For a small business or a home office, Lion Server is a very inexpensive alternative to the array of servers, routers, and switches an enterprise might require, and since it's a breeze to configure, it's also a huge time saver.

Let’s consider a general network setup of a home or small business where we would deploy Lion Server. In most cases the network consists of a modem, a combined router/firewall/Wi-Fi device, usually a switch, and the computers themselves. In this configuration the router/firewall/Wi-Fi device is handing out IP addresses to the computers on your network (DHCP). Adding a VPN changes that dynamic significantly: the VPN service on Lion Server assigns addresses to remote clients from a range you define, and those addresses must not collide with what the router is leasing on the LAN. The approach described here avoids that by making Lion Server the single source of IP addresses for the network, both for LAN computers (DHCP) and for VPN clients.

So connect to the network, flip the switch for DHCP and VPN on Lion Server, and we are good to go, right? Not quite, as you have to do a little planning.

First, only one device on your network can be allowed to distribute IP addresses. If the router and Lion Server both hand out leases, clients will get conflicting addresses, gateways, and DNS settings depending on which server answers first, which shows up as intermittent and hard-to-diagnose connectivity problems. To avoid this in the small network example above, you need to do a few things.

  1. Start by assigning Lion Server a static IP address (see Erik Eckel’s post on “How to configure static IPs in Lion“). This is necessary so that you have a fixed IP address to forward your ports to; pick one outside any range that will be handed out by DHCP or to VPN clients, so a lease can never collide with it.
  2. Configure your router to forward the VPN ports to the static IP address you assigned to Lion Server, and disable DHCP on the router. For L2TP over IPsec, the protocol to prefer, that means UDP 500 (IKE), UDP 4500 (IPsec NAT traversal) and UDP 1701 (L2TP); if you also enable PPTP it needs TCP 1723 plus GRE (IP protocol 47), which many routers expose as “PPTP passthrough”. PPTP’s MS-CHAPv2 authentication is weak, so leave it off unless you have clients that cannot do L2TP/IPsec. How you disable DHCP and forward ports varies by router; see the router’s manual or the vendor’s support site. If you’re using Apple’s AirPort or Time Capsule, you can now manage the router from Lion Server’s Server app. To see how, click here.
  3. Now, with Lion Server plugged into your router or a switch, open the new Server app located in the Applications folder and enable the services you’re going to run, including VPN and DHCP. Set the DHCP range Lion Server will hand to LAN computers and the separate address range the VPN service will hand to remote clients so that the two do not overlap. To enable the DHCP server and read more about the DHCP service click here, and for greater detail on setting up VPN click here.
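Before flipping any switches, it helps to write the plan down and check it for the collisions the steps above are meant to prevent. The script below is an added example for this article, not code from the original post or from Apple: it takes a LAN subnet, the router and server addresses, the DHCP pool Lion Server will offer, and the address range the VPN service will hand to remote clients, reports the conflicts (two DHCP servers, a static address inside a pool, overlapping pools, a VPN range off the LAN subnet), and lists the router forwarding rules each VPN type needs. The `Plan` class, the helper names, and the 192.168.1.0/24 office used as sample input are all constructed for illustration.

```python
"""Sanity-check a small-office addressing plan before enabling VPN on Lion Server.

Added example for this article, not code from the original post or from Apple.
The subnet, addresses and pools used below are constructed; substitute your own.
"""
import ipaddress
from dataclasses import dataclass

# What the router must forward to the server for each VPN type Lion Server offers.
# L2TP/IPsec: IKE (UDP 500), IPsec NAT traversal (UDP 4500) and L2TP (UDP 1701).
# PPTP: TCP 1723 plus GRE (IP protocol 47), which many routers expose as
# "PPTP passthrough" rather than as a port number.
PORT_FORWARDS = {
    "l2tp": [("udp", 500), ("udp", 4500), ("udp", 1701)],
    "pptp": [("tcp", 1723), ("gre", 47)],
}


@dataclass
class Plan:                  # hypothetical container for the planning inputs
    lan: str                 # LAN subnet, e.g. "192.168.1.0/24"
    router_ip: str           # the router/firewall/Wi-Fi device
    router_dhcp_enabled: bool
    server_ip: str           # static address assigned to Lion Server
    server_dhcp_pool: tuple  # (first, last) that Lion Server's DHCP hands to LAN hosts
    vpn_pool: tuple          # (first, last) that the VPN service hands to remote clients
    vpn_types: tuple = ("l2tp",)


def _addr_range(pool):
    first, last = (ipaddress.ip_address(a) for a in pool)
    if first > last:
        raise ValueError(f"pool {pool} has its first address after its last")
    return first, last


def _in_range(addr, rng):
    return rng[0] <= addr <= rng[1]


def _overlap(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan = ipaddress.ip_network(plan.lan)
    router = ipaddress.ip_address(plan.router_ip)
    server = ipaddress.ip_address(plan.server_ip)
    dhcp = _addr_range(plan.server_dhcp_pool)
    vpn = _addr_range(plan.vpn_pool)

    # Step 2: only one DHCP server may answer on the LAN.
    if plan.router_dhcp_enabled:
        problems.append("router DHCP is still enabled: two DHCP servers on one LAN")
    # Step 1: the server needs a fixed LAN address that no lease can collide with.
    if server not in lan:
        problems.append(f"server {server} is not in LAN {lan}")
    if _in_range(server, dhcp) or _in_range(router, dhcp):
        problems.append("server or router address lies inside the LAN DHCP pool")
    # Step 3: VPN clients get addresses from the VPN service, not DHCP; keep the pools apart.
    if _overlap(dhcp, vpn):
        problems.append("VPN client pool overlaps the LAN DHCP pool")
    if _in_range(server, vpn) or _in_range(router, vpn):
        problems.append("server or router address lies inside the VPN client pool")
    if not all(a in lan for a in vpn):  # both ends inside the subnet means the whole range is
        problems.append("VPN client pool is outside the LAN subnet: LAN hosts need a route to it")
    unknown = [t for t in plan.vpn_types if t not in PORT_FORWARDS]
    if unknown:
        problems.append(f"unknown VPN type(s): {unknown}")
    if "pptp" in plan.vpn_types:
        problems.append("warning: PPTP relies on MS-CHAPv2 and is weak; prefer L2TP/IPsec")
    return problems


def required_forwards(plan):
    """Router rules to create, as (protocol, port or protocol number, destination)."""
    return [(proto, num, plan.server_ip)
            for t in plan.vpn_types if t in PORT_FORWARDS
            for proto, num in PORT_FORWARDS[t]]


# Constructed example office: router at .1, Lion Server at .2, LAN leases .50-.150,
# VPN clients .200-.220, L2TP/IPsec only.
OFFICE = Plan(lan="192.168.1.0/24", router_ip="192.168.1.1", router_dhcp_enabled=False,
              server_ip="192.168.1.2", server_dhcp_pool=("192.168.1.50", "192.168.1.150"),
              vpn_pool=("192.168.1.200", "192.168.1.220"))

if __name__ == "__main__":
    for line in check_plan(OFFICE) or ["plan is consistent"]:
        print(line)
    for proto, num, dest in required_forwards(OFFICE):
        print(f"forward {proto} {num} -> {dest}")
```

Run it with your own values in `OFFICE`; anything it prints other than “plan is consistent” is something to fix on the router or in the Server app before you expect VPN clients to connect.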

So what’s the best method for deploying a VPN? Again, I don’t want to get into the details of configuration and setup, as that can be an overwhelming topic. What I want you to walk away with is an understanding of which services VPN relies on and which issues may prevent it from working correctly: (1) your Lion Server hasn’t taken on the role of DHCP server, (2) you’re not forwarding the associated VPN ports through your router, or (3) Directory Services are not running on, or bound to, your server, so VPN users cannot be authenticated.
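The first of those three failures is easy to confirm from any Mac on the LAN: `ipconfig getpacket en0` prints the DHCP reply the interface last accepted, and its `server_identifier` field names the server that issued the lease. The script below is an added example, not code from the original post or from Apple: it parses that output and flags a lease that did not come from Lion Server, which means the router (or something else) is still answering DHCP. The sample reply text is constructed to match the layout `ipconfig getpacket` prints, the addresses are invented, and `current_lease` is a hypothetical helper that runs the real command on a Mac.

```python
"""Confirm which DHCP server is actually leasing addresses on the LAN.

Added example for this article, not code from the original post or from Apple.
It parses the output of `ipconfig getpacket en0`, a stock macOS command that
prints the DHCP reply the interface last accepted. The reply below is constructed.
"""
import re
import subprocess

# Constructed sample: a client that is still leasing from the router (192.168.1.1)
# even though Lion Server (192.168.1.2) was meant to become the only DHCP server.
SAMPLE_PACKET = """\
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 0x6b8ef1d8
secs = 0
ciaddr = 0.0.0.0
yiaddr = 192.168.1.57
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = a4:5e:60:aa:bb:cc
sname =
file =
options:
Options count is 7
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 192.168.1.1
lease_time (uint32): 0x15180
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.1.1}
domain_name_server (ip_mult): {192.168.1.1}
end (none):
"""


def parse_lease(text):
    """Pull the fields that matter out of an `ipconfig getpacket` dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    lease = {
        "address": grab(r"^yiaddr = (\S+)"),                          # address we were given
        "server": grab(r"^server_identifier \(ip\): (\S+)"),          # who gave it to us
        "router": grab(r"^router \(ip_mult\): \{([^}]*)\}"),
        "dns": grab(r"^domain_name_server \(ip_mult\): \{([^}]*)\}"),
    }
    secs = grab(r"^lease_time \(uint32\): (0x[0-9a-fA-F]+)")
    lease["lease_seconds"] = int(secs, 16) if secs else None
    return lease


def lease_problems(text, expected_server):
    """Problems with a lease on a LAN where `expected_server` should be the only DHCP server."""
    lease = parse_lease(text)
    problems = []
    if lease["server"] is None:
        problems.append("no DHCP reply recorded: interface is static or has not leased yet")
    elif lease["server"] != expected_server:
        problems.append(f"lease for {lease['address']} came from {lease['server']}, "
                        f"not Lion Server at {expected_server}: another DHCP server is still answering")
    return problems


def current_lease(interface="en0"):
    """Hypothetical helper: fetch the live reply on a Mac (not used by the offline sample)."""
    return subprocess.run(["ipconfig", "getpacket", interface],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for line in lease_problems(SAMPLE_PACKET, "192.168.1.2") or ["lease came from Lion Server"]:
        print(line)
```

If the client still reports the router as `server_identifier` after you disabled DHCP there, renew the lease (or reconnect the interface) before concluding anything; a client keeps its old lease until it expires or is renewed.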

For more information see Apple’s online documentation found here.

Additional Resources