2 Replies Latest reply: Apr 6, 2011 2:51 AM by Leif Carlsson
Goncalo Proenca Level 1 (0 points)
Hi there,

Installed OS X 10.6 Server, did the updates, configured pretty much everything, active, firewall, etc...

now I want to configure the VPN for outside access but... can't !

Configured everything (L2TP) and it works beautifully if I log in from INSIDE the network (locally), not from the outside.

My thinking is that something is off with port forwarding on the router; so far I opened:

47
500
1700
1732
4500

to no avail; put the server IP on a DMZ and then again to no avail.

Ideas? Please go easy on them (or should I say through) since I'm new to server stuff.

MacPRO, Mac OS X (10.6.6)
  • 1. Re: VPN works internally, not from the outside
    MrHoffman Level 6 (12,455 points)
    Welcome to the forums.

    What's your gateway-firewall device?

    If it's an Airport-class or Time Capsule-class device, do you have MobileMe enabled? (If so, shut it off.)

    For L2TP, you need UDP ports 500, 1701 and 4500 forwarded, and protocol 50 (not port 50) for ESP.

    Keep your LAN out of the 192.168.0.0/24 and 192.168.1.0/24 IP address blocks, as having the same block on both ends messes up VPN routing, and given that those blocks are used everywhere.

    Make sure you have one level of NAT here, at most. That's arguably one level too many, but one level tends to be necessary.

    These configurations work better if you have a gateway device that has VPN capabilities, as the port pass-through stuff stinks large.

    Here is the official Apple well-known ports list (TS1629): http://support.apple.com/kb/ts1629

    TCP port 1732 is used for PPTP and not L2TP, and that 47 is likely intended to be a protocol and not a port, and that is IP-GRE support for PPTP (and not L2TP).

    It's usually easier to get PPTP to work.
  • 2. Re: VPN works internally, not from the outside
    Leif Carlsson Level 5 (4,950 points)
    If this machine is the Internet gateway/router/firewall and has a public IP on the WAN/Internet interface, you might need the ESP protocol open, but if it is behind a NAT router, you don't.

    If this machine instead is behind the Internet gateway/router/firewall and only has a private IP on the LAN, you need, for L2TP, only the UDP ports Mr. Hoffman mentioned forwarded to the server IP.

    For PPTP you always need GRE and TCP port 1723 (1732 must be a typo) open/"VPN passthrough"/forwarded.

    I think it's becoming increasingly hard to get PPTP (incl. GRE) through many firewalls/routers if you try to connect to your VPN from another LAN.
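As an added example (not from the thread or from Apple), a small Python check that applies the rules from the two replies above to the poster's forwarding list: it tells IP protocol numbers (GRE 47, ESP 50) apart from ports, and requires ESP only when the server itself sits on a public IP, as Leif Carlsson describes. The `Rule` type and the sample list are constructed for illustration.

```python
# Added example: audit a gateway's forwarding list against what the two
# replies say L2TP/IPsec and PPTP need. Rule names and sample data are
# constructed; the required sets follow the replies above.
from dataclasses import dataclass

IP_PROTOCOLS = {47: "GRE (PPTP)", 50: "ESP (IPsec)"}  # protocol numbers, not ports


@dataclass(frozen=True)
class Rule:
    proto: str   # "udp", "tcp", or "ip" for a raw IP protocol (ESP, GRE)
    number: int


def required(vpn: str, server_has_public_ip: bool) -> set:
    """Rules the gateway must pass. NAT-T carries ESP inside UDP 4500, so
    protocol 50 is only needed when the VPN server itself holds the public
    IP. PPTP always needs TCP 1723 plus GRE (protocol 47)."""
    if vpn == "l2tp":
        rules = {Rule("udp", 500), Rule("udp", 1701), Rule("udp", 4500)}
        if server_has_public_ip:
            rules.add(Rule("ip", 50))
        return rules
    if vpn == "pptp":
        return {Rule("tcp", 1723), Rule("ip", 47)}
    raise ValueError(f"unknown VPN type: {vpn}")


def audit(rules, vpn: str, server_has_public_ip: bool = False) -> list:
    """Return human-readable findings: what is missing, what is a protocol
    number mistakenly opened as a port, and what this VPN type never uses."""
    needed = required(vpn, server_has_public_ip)
    key = lambda r: (r.proto, r.number)
    findings = [f"missing: {r.proto} {r.number}" for r in sorted(needed - set(rules), key=key)]
    for r in sorted(set(rules) - needed, key=key):
        if r.proto in ("tcp", "udp") and r.number in IP_PROTOCOLS:
            findings.append(f"{r.proto} port {r.number} opened, but {r.number} is IP protocol "
                            f"{IP_PROTOCOLS[r.number]}; forward the protocol, not a port")
        else:
            findings.append(f"not used by {vpn}: {r.proto} {r.number}")
    return findings


# Constructed: the original poster's list, read as UDP port forwards
POSTED = [Rule("udp", n) for n in (47, 500, 1700, 1732, 4500)]

if __name__ == "__main__":
    for finding in audit(POSTED, "l2tp", server_has_public_ip=False):
        print(finding)
```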