Oct 12, 2013 1:55 PM (in response to mackiemesser)
In no particular order...
I'm assuming NAT and a private address space is in use here.
Your VPN server can be embedded at the firewall, or can — via port-forwarding at your current firewall — operate on a particular OS X system on your network.
VPNs and NAT work at cross-purposes. VPNs are based on IP networking and strive to identify and maintain connections to the end-points of the connection, where NAT uses IP networking to intentionally obfuscate the end-points of the network connection. Various NAT implementations can disrupt various VPN connections, and particularly L2TP/IPSec connections. In general, PPTP works better around NAT, though it's also less secure than L2TP/IPSec.
Local preference is a firewall-based VPN server, as this avoids having the VPN traverse NAT.
Additionally, local preference selects VPNs that use a stock operating system vendor-provided client and not an add-on or third-party client, and additionally implementing a "standard" VPN, as this hopefully avoids having the third-party VPN client provider decide to no longer support the software. Open source VPN clients are an option here, but few (none) of the open source clients are integrated with the OS; they're not as easy for the end-users.
Both iOS and OS X include integrated support for L2TP/IPSec and PPTP, as well as for a Cisco VPN, and there are third-party VPN clients and VPN servers available.
The target network for the VPN should not be in 192.168.0.0/24 nor 192.168.1.0/24, as these are common choices at many locations, and VPNs are based on IP routing and IP routing doesn't necessarily route the way you might want when the same subnet is in use on both ends of the VPN connection.
There are various discussions of VPN routing around the forums here, and also around the 'net, as well. Given you're going to be supporting this configuration for your customer, I'd encourage doing some research and some reading.
Apple is releasing Mavericks "this fall", which will put that old Snow Leopard 10.6.8 system even further back into history and further back from any fixes or security patches, and as good as 10.6.8 is, it's also very old and falling off of support. This given Apple usually supports the current and previous releases. Building a new infrastructure on Snow Leopard wouldn't be my choice. (Locating the VPN server on a server-grade firewall also avoids dependencies on Snow Leopard, obviously.)
I generally prefer to run the AirPort and Time Capsule devices as access points, not as WiFi routers. This particularly helps when there is or will be more than one WiFi widget (router, AP) on the network. Network services are then provided by the gateway device and/or by OS X Server systems or other systems on the network, and not by the AirPort or Time Capsule devices.
4 GB isn't very much memory these days. According to MacTracker, both the 21.5" and 27" models of the Late 2009 iMac systems can support up to 16 GB DDR3 RAM. (Though getting at the memory slots can be somewhat of a project on some of the recent-vintage smaller iMac systems.)
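The subnet-collision point above is easy to check before the VPN is built rather than after it "silently fails". The following is an added example, not code from the thread or from Apple: it uses Python's standard `ipaddress` module to flag a VPN target network that overlaps the common 192.168.0.0/24 and 192.168.1.0/24 defaults, to list which remote client LANs would shadow the tunnel's routes, and to propose a less collision-prone /24. The office and client networks (`OFFICE_LAN`, `CLIENT_LANS`) are constructed sample values, not networks from the thread.

```python
import ipaddress

# Constructed sample data: the LAN the VPN will terminate in, and a few LANs a
# roaming client might be sitting on when it connects (home, hotel, cafe).
OFFICE_LAN = "192.168.1.0/24"
CLIENT_LANS = ["192.168.1.0/24", "192.168.0.0/24", "10.20.30.0/24", "172.16.5.0/22"]

# Defaults shipped by so many consumer routers that a VPN target inside them
# will eventually collide with some remote client's own LAN.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def overlaps(a, b):
    """True if the two networks share at least one address."""
    a = ipaddress.ip_network(a, strict=False)
    b = ipaddress.ip_network(b, strict=False)
    return a.overlaps(b)


def vpn_target_warnings(target):
    """Return the common default subnets that the proposed VPN target overlaps."""
    net = ipaddress.ip_network(target, strict=False)
    return [str(d) for d in COMMON_DEFAULTS if net.overlaps(d)]


def clients_with_conflict(target, client_lans):
    """Client LANs whose local route is as specific as (or more specific than) the
    VPN target's route; traffic for the office stays on the client's LAN instead
    of entering the tunnel, which is the failure mode described in the thread."""
    return [c for c in client_lans if overlaps(target, c)]


def suggest_alternative(avoid, candidate_block="10.0.0.0/8", prefixlen=24):
    """Pick the first /24 inside candidate_block that overlaps nothing in `avoid`.
    The candidate block is an assumption for the example; any RFC 1918 range works.
    Skips the first two /24s, which are the most commonly used ones in any block."""
    block = ipaddress.ip_network(candidate_block)
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for i, sub in enumerate(block.subnets(new_prefix=prefixlen)):
        if i < 2:
            continue
        if not any(sub.overlaps(a) for a in avoid_nets):
            return str(sub)
    return None


if __name__ == "__main__":
    print("target overlaps common defaults:", vpn_target_warnings(OFFICE_LAN))
    print("client LANs that would break routing:", clients_with_conflict(OFFICE_LAN, CLIENT_LANS))
    print("a less collision-prone target:", suggest_alternative(CLIENT_LANS + [str(d) for d in COMMON_DEFAULTS]))
```

The same check applies to any overlapping pair, not just the two defaults named above: `overlaps()` uses the general prefix comparison, so it also catches a /16 at the office that swallows a /24 at the client.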
Oct 12, 2013 4:09 PM (in response to MrHoffman)
tx for the info. guess i'm over my head here. probably also explains why the pos says providing a remote secure connection is my job, not theirs.
i figured that, at least, because the vpn connection would be between os x and ios, i wouldn't have to worry about incompatibilities or third-party issues.
currently there is a firewall in the isp's modem/router which provides minimal functionality including "vpn passthrough" (i assume means port forwarding), and the airport (does the same). both are nat'ting at this point tho' i'm considering setting the modem/router to bridged mode.
i would prefer a new imac (after mavericks is released) so as to avoid the snow leopard / upgrade to mountain lion issue, but i don't think i can convince the owners to put out the cash, i'm kinda stuck with the current hardware. however, point taken, i could probably get them to cover adding memory.
btw, i tried originally using the airport as an ap for the isp's modem/router. the macs were fine with that, but visiting windows/android devices had problems getting lan dhcp addresses.
i must have been bad in my past life. :-)
Oct 12, 2013 6:12 PM (in response to mackiemesser)
In no particular order....
VPN pass-through is a form of port forwarding, yes.
Double NAT doesn't work, or doesn't work reliably. You'll need to determine whether the ISP box is providing NAT or not; some of those are routers, and some are bridges.
I use Time Capsule and AirPort Extreme devices as APs for various devices and do have Windows 7 boxes successfully using those configurations via WPA2. DHCP on that network is provided by OS X Server. I have seen issues with some Windows XP boxes, though old Windows versions could be very problematic with networking and with WiFi.
If you get to single NAT, and if you enable pass-through, you can probably get an iOS or OS X VPN to connect through to OS X Server with your existing hardware. Beware the subnet mess mentioned earlier; subnet routing will cause VPN connections to silently fail.
One common reason for OS X Server configurations to run sluggishly involves local DNS server configuration problems. OS X Server and most other servers increasingly require local DNS services for authentication, and ISP and upstream DNS providers cannot provide translations for NAT'd networks. To verify that, launch Terminal.app on the server and issue the following diagnostic command:
sudo changeip -checkhostname
sudo requires an administrative password. This command will detect most of the network problems that can arise with an OS X Server network configuration, and will report some configuration data and an indication that no changes are required, or that there are DNS or networking errors requiring attention. If this is the first time sudo has been used, you'll get a one-time warning about the power of the command.
Oct 13, 2013 7:57 AM (in response to MrHoffman)
at&t only provides modem/routers in this area; this one is currently nat/dhcp server for the one device (airport extreme) attached to it. haven't had any problems with the previous airport but as the lan is becoming more complex, i plan to bridge the isp router just so there's no confusion.
when using the new airport as an ap, i had problems getting a vista pc and an asus transformer to connect the second time. that is, they were fine for the first connect to the airport via wifi, but if i disconnected/reconnected them they were not getting an ip address the second time. and since there is no os x server currently, i set the airport to do everything (dhcp, firewall, public/private lan). after that, vista and android were always successful getting reconnected.
tx for the link. info was helpful for me, but probably won't convince the owners because they aren't technically-oriented.
will try changeip diagnostic next visit to the store. does this only exist in os x server?
final answer to my original query i guess is to push owner for new imac. if not successful, upgrade old one to mountain lion and os x server; if the older machine can't handle it, then owner will have to get a new one anyway :-).
Oct 13, 2013 10:05 AM (in response to mackiemesser)
The changeip command is a component of OS X Server and not of OS X client; correct.
I run a DHCP server on the network "behind" the AP (and common across all of the APs in use, when there are multiple APs), and haven't combined the AP with that function.
If you don't have any local servers, then DNS could well still be an issue (as DNS errors and DNS timeouts can and do cause substantial delays), but that'll require using dig commands and poking around to determine if the local DNS resolver configuration is correct, and if the referenced DNS servers are working.
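The `changeip -checkhostname` diagnostic mentioned earlier and the `dig` poking suggested here both come down to one question: does the server's hostname resolve, from the resolver the server actually uses, to the server's own address, and does that address reverse back to the same name? The following is an added example, not code from the thread or from Apple's tools, that performs that forward/reverse consistency check. The live lookups use the standard `socket` module (the equivalent of `dig server.office.example A` and `dig -x 192.168.10.5`); the name `server.office.example`, the address `192.168.10.5`, and the sample zone data are constructed for the example. The lookup functions are injectable so the check can be run against sample data offline and against a real resolver on the server.

```python
import socket

# Constructed sample zone data standing in for what a correctly configured
# local DNS server would answer for the office.
SAMPLE_FORWARD = {"server.office.example": "192.168.10.5"}
SAMPLE_REVERSE = {"192.168.10.5": "server.office.example"}


def sample_forward(name):
    """Lookup against the constructed zone; None mirrors NXDOMAIN."""
    return SAMPLE_FORWARD.get(name)


def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip)


def isp_forward(name):
    """Models an upstream ISP resolver: it knows nothing about private names,
    which is the thread's point about NAT'd networks needing local DNS."""
    return None


def live_forward(name):
    """Real A-record lookup via the system resolver (what `dig NAME A` shows)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip):
    """Real PTR lookup via the system resolver (what `dig -x IP` shows)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_hostname(hostname, local_ip, forward=live_forward, reverse=live_reverse):
    """Return a list of problems; an empty list means forward and reverse DNS
    both agree with the address this host is actually using."""
    problems = []
    fwd = forward(hostname)
    if fwd is None:
        problems.append(f"{hostname} does not resolve from this resolver")
    elif fwd != local_ip:
        problems.append(f"{hostname} resolves to {fwd}, but this host uses {local_ip}")
    rev = reverse(local_ip)
    if rev is None:
        problems.append(f"no PTR record for {local_ip}")
    elif rev.rstrip(".").lower() != hostname.lower():
        problems.append(f"{local_ip} reverses to {rev}, not {hostname}")
    return problems


if __name__ == "__main__":
    # Offline demonstration against the constructed zone, then the ISP-resolver case.
    print("local DNS:", check_hostname("server.office.example", "192.168.10.5",
                                       sample_forward, sample_reverse) or "ok")
    print("ISP DNS:  ", check_hostname("server.office.example", "192.168.10.5",
                                       isp_forward, lambda ip: None))
```

Run on the server itself with the live defaults (`check_hostname(socket.getfqdn(), <the server's LAN address>)`), a non-empty result is the same class of problem the thread attributes to sluggish OS X Server behaviour: authentication and service lookups waiting on DNS answers that the upstream resolver cannot give.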