Apple OS X Server: How to configure a VPN service

Jesus Vigo walks you through the steps of configuring VPN services in Apple's OS X Server.


Apple VPN

The VPN service included in OS X Server is a lightweight, easy-to-set-up server component that gives end users remote access to corporate data. Running over public networks such as the Internet, it creates a secure tunnel that encrypts two-way communications between two endpoints.

VPN is a must-have tool for employees working off-site and for users who wish to access data on their home computers securely. It can also be used to browse safely when connected to public Wi-Fi.

Configure a VPN service

Here are the requirements for configuring VPN services in OS X Server:

  • Apple computer with OS X Server installed (1.0+)
  • Static IP address assigned to OS X Server *
  • Broadband Internet access (Wi-Fi or Ethernet)
  • Host name registered with 3rd-party name service **
  • DNS entries registered with 3rd-party service and/or ISP **
  • Firewall configuration to allow TCP/UDP ports ***

Follow these steps to configure a VPN service:

  1. Launch the Server app from the Applications folder, and select the server you wish to manage
  2. Log in with administrative credentials
  3. Click VPN in the Services pane
  4. If running OS X Server 3.0, note the known software bug (Figure A) that prevents clients from connecting to VPN servers; Apple has released a fix for this issue, which should be installed before proceeding with configuration
    Figure A
  5. Click the Restart VPN button for the changes to take effect
  6. Set Configure VPN for: L2TP (PPTP is considered cryptographically less secure and not recommended)
  7. Set VPN Host Name to either the static IP assigned to OS X Server or the hostname if configured through 3rd-party DNS entries or domain name registration (the latter allows access to the VPN server through a URL)
  8. Next, create a Shared Secret (Figure B). This passphrase is used by the client endpoint to authenticate with the VPN. Because it guards VPN access, the Shared Secret accepts alphanumeric characters and symbols. Like a password, it should be complex and not easy to guess.
    Figure B
  9. Client Addresses (Figure C) are configured by clicking the corresponding Edit… button. This menu sets the IP addresses assigned to VPN clients once a connection is successfully established. To avoid conflicts, the external range handed to VPN clients should be different from the internal range used by the server. Use the arrows to set the maximum number of concurrent connections the service will host. Click OK to save the settings.
    Figure C
  10. The DNS Settings menu (Figure D), opened by clicking its Edit… button, allows name servers and search domains to be configured. Specified by IP address or hostname, these settings are pushed to clients dynamically when they connect. Click OK to save the settings.
    Figure D
  11. Routes are an optional configuration step (Figure E). Static routes direct data across multiple subnets, so that only specific segments become reachable through the VPN rather than the entire network. Click OK to save the settings.
    Figure E
  12. Once the settings have been configured, click the ON button to start the service (Figure F). Watch the status lights: a solid green sphere indicates that all settings are correct and the VPN server is ready to accept connections.
    Figure F
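A pre-flight check for steps 8 and 9, added here as an example and not part of the original article: it generates a Shared Secret of the recommended complexity, estimates how hard a given passphrase is to guess, and verifies that the pool handed to VPN clients does not overlap the range already in use internally. The address ranges and the symbol set are constructed assumptions.

```python
import ipaddress
import math
import secrets
import string

# Symbols the Shared Secret may contain (an assumption: quotes and backslash
# are left out so the passphrase pastes cleanly into the Server app).
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_shared_secret(length: int = 32) -> str:
    """Build a random Shared Secret from letters, digits and symbols (step 8)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_entropy_bits(secret: str) -> float:
    """Rough strength estimate: length times log2 of the character classes used."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: c in SYMBOLS)
    sizes = (26, 26, 10, len(SYMBOLS))
    size = sum(n for f, n in zip(classes, sizes) if any(f(c) for c in secret))
    return len(secret) * math.log2(size) if size else 0.0


def is_strong_secret(secret: str, min_bits: float = 128.0) -> bool:
    """True when the estimate meets the bar for a hard-to-guess passphrase."""
    return estimate_entropy_bits(secret) >= min_bits


def address_range(start: str, end: str) -> list:
    """Expand an inclusive IPv4 range such as the Client Addresses pool (step 9)."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if b < a:
        raise ValueError("range end precedes range start")
    return [ipaddress.ip_address(n) for n in range(int(a), int(b) + 1)]


def pool_conflicts(internal: tuple, vpn_pool: tuple) -> list:
    """Return VPN pool addresses that collide with the internal (server-side) range."""
    used = set(address_range(*internal))
    return [str(ip) for ip in address_range(*vpn_pool) if ip in used]


def max_concurrent_clients(vpn_pool: tuple) -> int:
    """Each concurrent connection needs its own address from the pool."""
    return len(address_range(*vpn_pool))


if __name__ == "__main__":
    # Constructed sample: LAN hosts use .100-.199, VPN clients get .200-.220.
    lan, pool = ("192.168.1.100", "192.168.1.199"), ("192.168.1.200", "192.168.1.220")
    print("conflicts:", pool_conflicts(lan, pool), "clients:", max_concurrent_clients(pool))
    print("shared secret:", generate_shared_secret())
```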

The ability to work on sensitive company data from remote locations, just as if one were sitting at the corporate office, is invaluable to mobile professionals. In addition to providing secure file access, VPN services act as a proxy, encrypting web traffic in both directions. These safeguards add a layer of protection for enterprise and end-users alike, while complying with data integrity best practices and network security policies.

* A static IP address is recommended so that changes in dynamic addressing do not render the server unreachable.

** Optional, unless the VPN server must be reachable via a URL. By registering a domain name with a 3rd-party registrar, that host name can be assigned to the VPN server, ensuring that it can be reached from the Internet. Alternatively, a Dynamic DNS service can map a dynamic IP to a host name in lieu of a static IP or domain registration.

*** Apple OS X’s VPN server relies on several ports for communication. If these ports are blocked or filtered by a firewall, VPN access may not work at all. Apple's listing of well-known TCP and UDP ports used by its services can be consulted to open the specific ports required.

Do you have additional tips and tricks for configuring VPN services in OS X Server? Share your knowledge and expertise in the discussion thread below.