Mac OS 10.7 Lion Server Part 12: VPN Server

buddy this is toddle tough from toddle tough calm coming back at you with another screencast and today we're going to continue our series in lyon server and we're going to talk about VPN now VPN is a virtual private network that's what it stands for and what it does is it allows you the ability to log into your server from a remote location and appear as if you're on your server so what it does is it creates a secure connection between your remote machine through the internet tunnels into your server on your computer and that's a secure connection that no one can get in on and no one can you know take the packets and things that are sent back and forth so it creates kind of a security protocol and like I said it also makes it appear as if you're on your local network so instead of having to use maybe AFP or some of these other things to get to files and things on your server your server stuff will actually show in the finder on the sidebar and you can log into your server you can use the folders and files from there it works out really well and you don't have to go with an AFP connect to server setting to get into those things so it really works works out nicely it works not only with your Mac's but it'll also work with your iOS devices as well so let's talk about what it looks like to set that up so you get a feel for it so if you see here we're in the VPN pane I've already got this running so I'll walk you through how I got that set up you'll notice again the green bar and the side over here means that that service is up and running now in the Settings area here again the big on/off button and you can see we have configure VPN for and you notice these two different protocols you can do l2tp by itself or you can do l2tp and PPTP now I know I'm saying a lot of letters there let me just explain what each of those are the l2tp stands for layer 2 tunneling protocol that's what that stands for and that's the more up-to-date modern version of VPN and it's more secure than the older protocol which is the PPTP which stands for point-to-point tunneling protocol and so both of these you can have them function together or you can just use the newer protocol it's up to you I've just have them functioning together for the purposes of trying this out but you really if you want to use l2 T that's probably plenty for a home user you don't need the other protocol at all but now they're available in older versions of Lion server you only have the one to choose from but now you can use both of them so they're there for you it's up to you on how you want to configure it but like I said L to TT TP should be plenty for you now you'll also notice below here we have a shared secret all right now the shared secret basically is an extra layer of protection that tells the server and the device you're connecting to that yes that is the device I want to connect to and they're safe to talk to one another now as you set up this shared secret and you'll notice we have a box here that's that that allows you to show your shared secret and all of that but as you type your shared secret in what you want to make sure is this it comes with a default shared secret when you launch Lion server but that default shared secret causes problems because the VPN connection doesn't like things like punctuation and those kinds of things so if you have quotes or you've got apostrophes and things like that in there it has some problems with that and doesn't work so well so you want to create your own shared secret and type something in there now because these shared secrets are stored in encrypted files you know one file is on your server and one file is on your remote device you're not going to have to keep putting these in over and over again so this isn't one you necessarily are going to have to remember when you log into your VPN so if it's something that's more complex or whatever that's fine you will have to put it in once but after that you won't have to do it again now there are various things where people have had problems with VPN where it tweaks a little bit and they're wondering some people say well you got to have a shared secret that's somewhere between five and eight characters and that works for them or they'll say no more than 11 characters somewhere in that range you want to try to keep it within that range in terms of characters you can try others but VPN can be a little finicky so if you're finding it's not working right away for you you might want to try some of those things just to adjust it for you all right so that's the shared secret piece that you put in now this part is kind of an important part to take a look at and that your client addresses now what happens with VPN is you get two IP numbers when you log in with VPN you get your local network number because again it sees that remote device as if it's on your local network and you also get a VPN IP address because it's got to have that to connect to the Internet and through to your server so what we have to make sure is that the IP addresses don't overlap with one another or otherwise now the server doesn't know which one's VPN and which ones your local server so let me show you what I mean by that I'm gonna click this edit button here and you'll see a drop-down that allows you to assign a certain number of VPN addresses now mine says 31 on here that's probably a little high the reason it says 31 is because I've got you know these two services functioning at the same time together and I can slide this and allocate how many addresses I want for each one you probably don't need something that high you can go with a lower number but this really doesn't matter it's not going to mess you up too much one way or the other now this is the most important part right here and that's what is your starting IP address number going to be notice if I hover over that it it it'll tell me which numbers are going to be for l2tp and which ones will be for the PPTP and so that shows how it's going to allocate these numbers so that they don't overlap with one another one will start and one will end at the other point but what this number is is important because you want to make sure this is a number that no other item in your network is going to be given by your DHCP protocol so let me show you what I mean by that what I'm going to do is I'm going to pull up airport utility here for a second and if you remember when we configured airport utility one of the things we did was we said DHCP and net and we had the DHCP range that we set up and if you'll notice here I've got it set up for point two two point two one ninety one right that's where I've got that set up well what you want to do is make sure that whatever you put in here as a number is not overlapping with this range right here so it's got to be higher than 191 if it's going to work it can't be within that so setting it at 224 is a safe range that's like way outside the range there's no way I'm going to confuse that was it 92 was it 91 it gives me a safe range in which to do this and get this set up alright so when you're setting that up you want to go ahead and put a starting point there Lion server a lot of times will help you by filling some of that out for you but just so that you got it there it's a good idea to take a look at it I'm just gonna move this down here for a second so let's go back to the server I'm gonna leave that alone okay I'm just gonna cancel and just leave it alone the way that I have it now you'll notice the next setting is client DNS information okay now let me just click Edit on that to show you that what happens is is these are the name servers and search domains that will be applied to your clients and so the name servers that you want is whatever's giving out your addresses your DHCP and so here I've got my the IP address of my server which is the one that's handling out handling the DNS put in there and like I said it should put that in by default for you based on the configuration we had done before on airport utility where we configured your server address right here and we also did the DNS when we did it on the internet piece right where we said your primary DNS server was this alright so that will allow you to have that set up properly you can also come in here and you can put in any domain search domains that you want to have two connected clients if you want to add any particulars in there or other name servers again the name servers are just what hands out an IP address to the clients on your network so pretty much if you just have this up here you're probably good to go this is a little bit more advanced if you want to control it but for home users you just want to make sure that it's getting the right DNS so that everybody connects okay all right so I'm gonna cancel that and leave that alone and then you'll notice finally on here we've got save configuration profile now what this does is if I click this what this is going to do is it's going to allow me to save a file right and you can see it says VPN mobile config and what that's going to do is that's going to give me a file that connects to whatever my server host is that I can take that file and I can just install it on all of my client machines you know I can email it to somebody they can just click on it to install it and it will automatically configure their VPN on their machines alright that's what that does now what I'm going to do is I'm not going to do this I just wanted to show that you could do this because I'm going to show you how to do it manually just so you understand everything that it's putting into the machine so that when you configure your VPN if you have to troubleshoot you know where to go to get things and where to go to set those things up all right so that's how that works for us on the server and so once you get this set up you toggle the on switch wait for the spinning gear to finish wait for the green light to show up on the side and you know now that you have your VPN service active okay one more thing that we want to make sure that we have set up so that our VPN can work we've got everything running it was set is we want to check to make sure that we have the right ports opened on our router so that the service can operate and work so remember if you have an airport Extreme Base Station its connected to your server and its operating it it will probably come up and tell you hey okay you got the service started I need to open these ports if it doesn't for some reason if you don't have VPN in public services if it doesn't offer to do it just come in here and click the plus button look on the drop-down for VPN which I've already done because it's on there and then just click on it to add it click Add and then what'll happen is is the router will restart and add the service and open up the port's that you need now for those of you that aren't using an airport extreme you're wondering okay well which ports do I use let me just come back here to the airport utility and come on here to your network tab and if we go down if I go down here on the port mapping I just want to show you what those particular areas are here so that you can see these are the port's you need to open so for l2tp you need to open five hundred seventeen hundred and forty five hundred all right open those up with your IP address it gives you an idea the configuration right here and let me cancel that and if you're using P PPTP you need to open port 17 23 all right so that just at least shows you what the ports are so that if you're not using an airport Extreme Base Station you at least know the ports that you can open on your router to make it happen now what I'm gonna do is show you how to connect to the server from a room from a remote client to use VPN so we're gonna take a look at that right now okay now I'm on my remote machine and I'm going to configure my VPN on this remote client like I said if you did the configuration file and you emailed that to somebody they would just double click on that file and it would do the configuration for them but I want to show you the way to do it manually in case you want to do it that way so because that's the more complicated way of doing it so you come into your system preferences here and you click on network and that will bring up your network stuff with all of your Wi-Fi Ethernet and all those kinds of things you'll notice I've got a couple of VPN clients on the side don't let that mess you up I just got a couple of things I'm connecting to here but what happened what would happen is you would come down here you click the plus button to add a connection and you choose your interface and the interface in this case would be VPN and you would click that and then you can see you have different VPN types to choose from you want to stay with this one at the top here that's l2tp because that's the most modern one you want to make sure that that's the one you're connecting to and then you can name your VPN whatever you want to you can just call it VPN you can call it some name whatever you want to name it it's not really too bad but just something that you know what this is when you set it up I'm gonna cancel this since I've already got a file set up just to show you how you configure it now the configuration here is the default which is fine you want to leave that alone you don't need to add a configuration to it you would type in your server address whatever that is you know server server or whatever you've got is your server address there then you'd want to put in your account name now this would be the short name ok for the account that's going to be connecting to your VPN so if this is your son's laptop you know it would be you know his short name that you'd put in there not the full account name if you put the full account name you're gonna probably have some problems you want to use the short name here because that's what the VPN service uses now let me connect let me show you the authentication settings that you would put in you would then come in here and put in your password because you're going to use a password for authentication that's the password that you use to get into the server right you're open directory password that that that user uses ok not your administrative one but the one that your user uses you put in there so if it's your son who's going to be connecting to it at your son's password that he uses to get into his accounts then down here machine authentication there's your shared secret so you want to type your shared secret in there that we had configured over in the server settings right remember when I told you about that that it had you know make it a particular length don't put in an apostrophes and those kinds of things that's what you would put in right there then you would click OK and you're all set and you're done all right and then you're ready to go ok and now once you're ready to go you've got that set up now it's just matter of connecting to the service you could come into the system preferences and click connect if you wanted to but what I do is I check this little box that says show VPN status in the menu bar right here and it puts this little box in here at the top that if I click on that I don't have to pull up system preferences I can just say hey connect to my VPN server and it will go out then and it will connect it will authenticate and then it connects see you've got the numbers here showing how long I've connected I've got the sent and received information here here's my IP address it shows I'm connected that means everything is good and so now I'm getting a secure connection into my server then all I've got to do is I can again I could disconnect down here if I want to but if I don't have System Preferences up I just come up here click disconnect VPN it disconnects it puts everything back to where it was and now I'm ready to go so that's an easy way to be able to connect to it now the reason I'm showing you this manual way of connecting to it is because there are times when you will use profile manager to sort of push these notifications out to your devices when you change them I'm going to show you how that works when we talk about profile manager now sometimes it doesn't push them out right away or it doesn't seem to work you know in the time that you want it to work so I showed you how to do this manually so that you can come in put in your connection settings and check to see that all of this stuff works so that you know you're on the right track otherwise you'll be frustrated wondering well maybe I did something wrong you'll change settings again they won't get pushed out again and it gets to be a little bit complicated and you think you're doing something wrong when in reality the settings just aren't getting out here in the right way so that's why I showed it to you this way so anyways that's all I have for this week on VPN on Lion server hopefully you enjoyed that if you liked this series please be sure to favorite this and like it so that other people can find it on the Internet and thanks again so much for watching so that's all I have for this week I'll come back at you next week with another screencast to help you learn how to do more things with your Mac

26 thoughts on “Mac OS 10.7 Lion Server Part 12: VPN Server

  1. I have a weird problem. If i choose to save a configuration profile on the vpn server and then load that on a client machine it works to connect with the client with the vpn setup it adds. But if i try to setup a vpn connection manually and even enter everything exactly as the saved profile configured it it wont work. If i check the server logs it doesnt even show that something is trying to connect to it. I thought it might be something with my network so i tried to setup a vpn connection on the server using localhost as adress and that wont even work. Why is it that i have to use the "save configuration profile" for it to work?

  2. Thank-You Todd Olthoff. I will be implementing a VPN server into my business this upcoming week. I appreciate your series on Mac OS Server. It is not only helpful but useful to have a walkthrough if I get lost.


  3. Okay so when I create the VPN network it defaulted my VPN Host name to "my machine name".local.  It's green and says its working, but I can't connect any clients.  Do i literally have to go buy a host name? Is there no way to just use a free one?

  4. Hello and thank you for all your videos!
    I'm confused I don't have the "configure VPN for:" option. Any idea? 

  5. Nick, Thanks for the comment. I'm so glad the tutorials are helpful:). As far as your VPN, were you able to open ports on your router I refer to in the video to allow the VPN through to your network? It sounds like that is your issue. I'm not familiar with the media super hub 2. Is it a modem and router combo?

  6. Hi, thank you for all of your lion server videos they have been very helpful, however when setting up VPN server, my device just says L2TP server not responding. Please can you help. I am using a virgin media super hub 2 if that makes any difference.

  7. Thanks for the comment. You can use a purchased certificate for securing your server. You would set that up in the Certificate section of server and then apply it to any of the services you want to use. Since Radius uses your Open Directory to log users in, just apply it to Open Directory and you should be good. Hope that helps.

  8. Sorry for the one line below. I just want to ask, if I get a certificate from a trusted source like verisign or thawte. Cna this certificate be also use for SSL VPN and for Radius authentication (EAP-TLS)?

  9. Thanks for the comment:). As far as firewall goes, if you are behind a router the router itself is a hardware firewall. That is why you still have to open ports in the router to get services outside your network. So, no you don't need a firewall if you have a router. If are not behind a router and you have your server on the internet (usually through a hosting company or directly connected to a modem) then you will need a software firewall. For that I would recommend using Icefloor.

  10. Todd,looks pretty easy to set up and I'm going to set up my Mac Mini server running Mountain Lion. My main concern is, do I need to set up a firewall? is there one built in to the server? or how are firewalls usually handled with the mac server?

  11. Unfortunately, I'm past Lion now and onto Mountain Lion. If you watch my VPN tutorial for Mountain Lion I believe it will be similar to what you are seeing in 10.7.5 from what I remember.

  12. Josh, Hard to diagnose from a distance but try these: 1. Are you using .private? If so use your public IP address in the server/hostname field on your clients instead of the .private name. 2. Did you enable the service for the user you are trying to login on VPN? 3. Are your ports open on your router for VPN? 4. (obvious but sometimes we forget) did you turn the service on? Hope that helps get it up and running:).

  13. Are you using the most up to date Lion Server update? I know Apple added some features to the interface with each update so that might be the issue for both. You could find more detailed set up options in the server admin app (do a search for it for 10.7) that might help as well. I'm pretty sure there is an update you are missing that is causing you to miss these fields.

  14. See, there must be some difference between my app and yours. Only options I ahve are the shared secret and the ip range. You have more options for web and vpn…

  15. Hi todd, thanks for the time to answer all my question:) any way, i tried to set it up but still can't get in, im stiil trying to resolve it. Is mac server is concentrated only for apple device? if my clients using windows OS, they always need to set up the regedit or do some settings?
    thanks todd.

  16. Perry, I can't post links here but do a web search with the following to get to an Apple article that talks about connecting to VPN with Windows clients. Hope that helps:) : OS X Server: How to connect to VPN service from Windows

  17. Hi Todd, why my windows client can't connect to my mac server. All OS device successfully connected, but on windows can't. Do i need to set up on my router?

  18. I mean making sure you are not logged in on the VPN with the machine that is working and then try to use the same user name and password to try VPN on the second machine. As far as binding the machines, go to users & groups on the client machine, click login options, you will see your server name with a green light and a join button. Click that and click bind on the next screen and that computer will be a part of your server directory. Not sure that will work but worth a try.

Leave a Reply

Your email address will not be published. Required fields are marked *