why can only one device connect via VPN to my offsite server computer when coming from the same external IP address?
Currently Being ModeratedRe: why can only one device connect via VPN to my offsite server computer when coming from the same external IP address?Jan 6, 2013 5:17 AM (in response to andruz)
This is as designed / a limitation of VPNs, nothing to do with any restriction / fault on the Apple / Apple server side.
I will make some assumptions here that your situation is the same as described below.
The root cause for this is the fact of NAT (Network Address Translation). With NAT every device in a local LAN (Site A / Site B) below has a private IP address which is not routable on the Internet. One of the reasons for having NAT is that the IP version 4 address range is very limited. To get around this NAT devices were invented.
The NAT device, which typically is also the device facing the Internet and acting as a router, has two interfaces: one in the LAN and one in the WAN (Internet).
(because the forum software only has very narrow width my nice text diagram below gets messed up Copy and paste it to a fixed text notepad text editor to see it properly)
Site A NAT Device Internet NAT Device Site B
192.168.1.11---+----192.168.1.1 + 123.456.789<---->987.654.321 + 192.168.2.1---+----192.168.2.21
VPN tunnels (over the Internet) are tunnels established between Internet legal IP addresses, not private address range IP addresses. Now the fact that VPNs can route traffic between two devices that have private addresses is because the NAT device may support VPN passthrough. So you may be device 192.168.1.10 in Site A above and you are going to address 192.168.2.20 on the right (actually you are going to address 987.654.321 on the right) and all is well and good. The VPN tunnel is working fine until device 192.168.1.11 at your site says it wants to VPN to any device in site B. The VPN says the device behind Internet IP 123.456.789 (that my VPN tunnel is built up with) has changed, what do I do? I boot off the original device.
It's the many IPs behind the one IP (NAT) that is the problem.
Of course there is a solution for this, and that is to have combination NAT + VPN devices where the VPN tunnel (over the Internet) is done point-to-point over the external (WAN) interfaces of the devices and the device takes the VPN packet, decrypts it, and sends it the private IP address on the local LAN because it is also managing NAT for the local LAN.
If you have the need to establish VPN traffic between sites then you should look at these sort of products.
There are many, many, products that can perform this function, from the not-very-good to top-of-the-line ($$$). They will have different types of WAN interfaces (xDSL, Ethernet etc.) perhaps with LAN WiFi. One good (I don't work for the company, I do use their products) dedicated device is the Juniper SSG (Secure Services Gateway) range. They have models from small to very large, their small office/teleworker model is this one:
Again, in summary, the problem you are facing is not something wrong with the VPN setup on the OS X Server, it is because when you connect from a NATed address using VPN passthrough.Mac mini, OS X Server