No traffic over VPN?

Hi...
I have a 10.3.x server in a co-lo. Occasionally I need to access it while traveling from insecure wireless networks. I have set up the VPN server on the box to accept connections for both L2TP and PPTP.

I am able to connect to the VPN server using L2TP on my Mac (10.4.x) and the connection stays open and happy... but I am not convinced that traffic is actually flowing over the VPN.

I am also able to connect to the VPN server using PPTP on a Windows XP SP2 machine... but again I am not convinced that any traffic is using the link.

Here is why I am not convinced...

After connecting my Mac to the VPN using L2TP I fired up a packet sniffer (ethereal) and was able to see all of the packets that, in my mind, should have been going over the VPN to the server... There was IMAP, POP, HTTP, and other traffic bound for the IP of my server... the one that I was connected to by VPN.

I have even checked the little box in the Internet Connect options that says "send all traffic over VPN" or whatever.

My hope was this...

At the very least, when the VPN is connected, all traffic between my laptop and the server would be automatically directed through the VPN and nicely tunneled.

Ideally, when the VPN is connected I would like all traffic from the laptop to the server to go through the VPN tunnel.

How do I make it so that this is what happens??

PowerBook G4 Ti 1.0GHz, Mac OS X (10.4.4)

Posted on Mar 16, 2006 8:01 PM


Mar 24, 2006 2:46 AM in response to W. S. Wellington

"Each connected to the same switch, on the same subnet"

That's part of your problem. Don't connect them to the same switch; I'd rather use a loopback plug or a second hub/switch (to get "link up") for the "LAN" interface. (If you have enough free IPs (from your ISP) you could use those for VPN clients and alias IPs on one interface. Might be easier to set up the firewall this way and NAT isn't necessary).

Don't use "same subnet" IPs like yours on two/different interfaces. They should be in separate subnets for routing to work properly, so:

I would use the second interface with your private IP range like: 10.1.0.1/24 (the server IP 10.1.0.1 and VPN clients in a range from "2 and above" - "something"). But you should really set up a bit more seldom-used private IP range for your "LAN". 10.1.0.0/24 might be too commonly used.

As I said before, the IP range given to VPN clients must be in a range used by one of the server's interfaces (alias or "real") - in your case preferably the "LAN" interface. And if you don't set up a routing definition the default gw is through the VPN tunnel when it's "up" (like you want it).

You can use your second (how many do you have?) public IP for an alias on the "WAN" public IP interface if you like. Otherwise the private IP of the server "LAN" interface can be used to get at the server services after the VPN tunnel is "up".

Then if you set it up like (I would) above (and "simple" firewall setting):
Firewall on allowing all traffic from LAN -> WAN/Internet ("allow ip" and "keep-state" rules)
Only allow necessary traffic from Internet/WAN -> server/"LAN":
Like VPN ports/protocols and any public services you use/need, the rest accessible through VPN only.

Mar 24, 2006 7:19 AM in response to Leif Carlsson

Leif,

HUH... Maybe that is my problem then...

I don't really have a private network at the Co-Lo.

I share a cabinet with an associate. We have a Router connected to a Hardware Firewall, connected to a switch, connected to our various servers.

I have 2 IP addresses on one server, with both interface cards connected to the same subnet.

I really only need encrypted traffic to and from this one server... It is not like I am trying to access other machines on the "network" through the VPN... Being able to access the internet via the VPN tunnel is just extra... (and I will probably set up a routing definition so that most of this external traffic is not encrypted...)

I have just gotta get traffic to the server to be encrypted.

Oh yeah... the other issue is that the colo is in California and I am in Washington... so changing the way the server is connected is not really an easy option... and since all of the IPs we have from the ISP are on the same subnet... well, perhaps this just will not work.

But... Since my settings changes last night, I am able to encrypt traffic to everything but my server?? Why is this??

Mar 24, 2006 11:36 AM in response to W. S. Wellington

"I don't really have a private network at the Co-Lo."


Just configure one of the interfaces with any private IP network/subnetmask and use that for your LAN or if you have more public IPs to spare, use just one interface for all connections: main IP, alias IP and VPN IP(s).


"I share a cabinet with an associate. We have a Router connected to a Hardware Firewall, connected to a switch, connected to our various servers."

A router and you have a 255.255.0.0 netmask on your side of the router???
What ports/protocols are open for your IPs in the hardware firewall???


"I have 2 IP addresses on one server, with both interface cards connected to the same subnet."

This is wrong. Use only one interface for this setup (and maybe the other for a private IP LAN).


"I really only need encrypted traffic to and from this one server... "

If you had 3 or more public IPs this would be easier. Otherwise you need to assign a private IP (-network) and NAT and configure the firewall (needed in both scenarios if you want security) in OS X Server.


"It is not like I am trying to access other machines on the "network" through the VPN... Being able to access the internet via the VPN tunnel is just extra... (and I will probably set up a routing definition so that most of this external traffic is not encrypted...)"


A VPN "private" routing definition does one thing: tells your VPN client what IP-packets to put in the VPN tunnel. Traffic is only encrypted between your VPN client computer and the VPN server, then it's unencrypted when leaving the server. It's only encrypted in the tunnel.

A VPN "public" routing definition (default route 0.0.0.0/0.0.0.0) is for allowing simultaneous local Internet access through the VPN client's local Internet connection, a.k.a. a split-tunnel setup.

No VPN routing definition(s) "forces" sending the lot through the tunnel; the default is through the tunnel.


"I have just gotta get traffic to the server to be encrypted.

Oh yeah... the other issue is that the colo is in California and I am in Washington... so changing the way the server is connected is not really an easy option... and since all of the IPs we have from the ISP are on the same subnet... well Perhaps this just will not work."

It will work if setup properly, but I don't understand the router, network subnetmask, firewall configuration.


"But... Since my settings changes last night, I am able to encrypt traffic to everything but my server?? Why is this??"

I don't really understand what you have working right now, but you need another IP to connect to the server's services when the tunnel is up. If you try the "main" IP (en0 interface?) the packets will be sent "straight on" - not through the tunnel.


A minimum configuration without the OS X firewall (to explain things???)
------------------------------------------------------------
all PUBLIC IPs on the same subnet:

main IP on en0 (subnetmask, router field and DNS fields filled in)

alias IP on en0 (only subnetmask filled in besides IP)
(An alias IP is when you configure a second IP on the same interface.
In Network config you can add a second "alias" interface for en0)

free IP for vpn client (for VPN config)

no routing def. (only DNS IPs)

NAT OFF but ipforwarding ON (this is for accessing Internet through the tunnel; alter /etc/hostconfig to say IPFORWARDING=-YES-, which turns it on after a reboot. There are other ways to do this, but if NAT and firewall are ON it's automatic).

en1 - disabled


You connect the tunnel to the main IP
The VPN client gets the "free" IP
The alias IP is what you use to connect to the server services through the VPN tunnel.

For protection you have to configure the firewall (if the hardware firewall isn't configured to do this).

If the hardware firewall was configured to let through the ESP protocol and UDP ports 500, 1701, 4500 to the main IP and block the rest, you could get to everything through the VPN tunnel using the server alias IP and access Internet through the tunnel (provided the hardware firewall lets the VPN client IP through -> Internet).

Any questions?
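The behaviour described in this reply (the main IP is the tunnel endpoint, so packets sent to it go "straight on", while an alias IP or an Internet host is reached through the tunnel) follows from how the client's routing table is built. The following model is an added illustration, not code from the thread or from Apple's VPN client; the addresses are constructed from RFC 5737 documentation ranges, and the interface names en1/ppp0 are assumptions.

```python
"""Model of a VPN client's routing table after "send all traffic over VPN".

Added illustration, not code from the thread. The VPN client must be able to
reach the tunnel endpoint (the server's main IP) outside the tunnel, so it
installs a /32 host route to it via the physical interface. That host route is
more specific than the tunnel's default route, so anything addressed to the
main IP itself leaves in the clear, while an alias IP on the same server, or
any Internet host, is reached through ppp0.
All addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress

MAIN_IP = "203.0.113.10"    # server's main public IP = tunnel endpoint (constructed)
ALIAS_IP = "203.0.113.11"   # alias IP on the same server interface (constructed)
PHYS_IF = "en1"             # laptop's wireless interface (assumed name)
TUN_IF = "ppp0"             # L2TP/PPTP tunnel interface (assumed name)


def base_routes():
    """Routes on the laptop before the tunnel is up (constructed hotel LAN)."""
    return [
        (ipaddress.ip_network("192.168.1.0/24"), PHYS_IF),  # local wireless LAN
        (ipaddress.ip_network("0.0.0.0/0"), PHYS_IF),       # default via LAN gateway
    ]


def routes_with_tunnel(send_all_traffic=True):
    """Routes after the VPN client connects.

    The host route to the endpoint is always added; with "send all traffic
    over VPN" the tunnel replaces the default route.
    """
    routes = base_routes()
    routes.append((ipaddress.ip_network(f"{MAIN_IP}/32"), PHYS_IF))
    if send_all_traffic:
        routes = [(n, i) for n, i in routes if n.prefixlen != 0]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), TUN_IF))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(routes, dst):
    """'encrypted' if dst leaves via the tunnel interface, else 'cleartext'."""
    return "encrypted" if lookup(routes, dst) == TUN_IF else "cleartext"


if __name__ == "__main__":
    up = routes_with_tunnel()
    for label, dst in [("IMAP to server main IP", MAIN_IP),
                       ("IMAP to server alias IP", ALIAS_IP),
                       ("HTTP to an Internet host", "198.51.100.7")]:
        print(f"{label:28s} -> {lookup(up, dst):5s} {classify(up, dst)}")
```

Running it reproduces the packet-sniffer observation from the first post: with the tunnel up, traffic to the main IP still leaves on the wireless interface in the clear, and only traffic to the alias IP (or to the Internet) is carried by ppp0. On a real Mac the equivalent check is to compare the routing table (`netstat -rn`) before and after connecting and confirm which interface the route to the server's service address uses.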

Mar 24, 2006 10:32 PM in response to W. S. Wellington

It used to be easier (not needing the alias IP) but they changed it - probably because of security reasons.


I believe the "hardest" part is to get the firewall configured right (and not cutting yourself off in the process), that is if you need to use the OS X one because of the eventual need for NAT.

I think Apple's "presets" in the firewall setup are not enough. To set up a simple broadband router "work-a-like", set up your own "advanced" rule like:

allow ip from "LAN"/VPN clients through to Internet and answers back in. This rule can be entered in the GUI (Server Admin). If you need/want it I can help by telling you how to enter it. Then you only have to allow for traffic from Internet that you want/need the server to be open for.

Do you have the OS X firewall enabled/configured on the server now?


Then there's the router/hardware firewall "thing". You either have to deal with that yourself or tell us more about it.

I haven't considered the hardware firewall's potential for stopping packets before they reach your server.

Mar 28, 2006 7:20 AM in response to Leif Carlsson

I don't see how any firewall can be an issue in this case...

It is clear to me that I am successful in opening a tunnel to the server.

The issue is that the only traffic going through the tunnel is internet bound traffic, not server bound traffic.

Server bound traffic goes over the internet unencrypted.

How do I get this traffic encrypted...

How is any firewall blocking this if I am able to set up a tunnel to the server?

I am so unclear on this

Mar 28, 2006 9:52 AM in response to W. S. Wellington

"I don't see how any firewall can be an issue in this case..."


I don't know what your hardware firewall is configured to do, but it might be configured to let only some traffic through to some IPs.

And if it or the firewall in OS X Server isn't set up to prevent direct access to your server's services - without going through the VPN - no VPN tunnel will make your setup safer/more secure.


"It is clear to me that I am successful in opening a tunnel to the server."

The issue is that the only traffic going through the tunnel is internet bound traffic, not server bound traffic."


That's how it works. If you don't have a second/third IP (or the NAT configuration - read the explanation again) to connect to through the VPN to the server's own services, you're "out of luck". With your configuration you only get the forwarding to Internet. The traffic to access the server's services is sent "straight on" (and it succeeds if there is no firewall in front of the server).
This should only work through the VPN tunnel when the tunnel is up.


"Server bound traffic goes over the internet unencrypted.

How do I get this traffic encrypted..."


See above, and you must have a firewall in front.


"How is any firewall blocking this if I am able to set up a tunnel to the server?"


It's not. That's part of the problem. Only the VPN traffic should not be blocked; most other traffic should be.


"I am so unclear on this"


You have to accept how it works and configure your stuff accordingly.


I've set up several configurations of this with NAT or without NAT.


With NAT (in server) you only need 1 public IP on the server - maybe that's your best bet. But you also need to configure one of your firewalls - hard or soft (OS X) - to get any better security.


You need to go through a firewall, which protects your server from Internet, through your VPN tunnel, to the unprotected inside where the server's services are available (on a separate IP than the main IP).
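The firewall policy sketched in the two replies above (admit only ESP and UDP 500/1701/4500 to the main IP, reach the services only on the alias IP from inside the tunnel, let VPN clients out to the Internet with "answers back in") can be checked on paper before touching a live box. The model below is an added illustration in the first-match, numbered-rule spirit of the ipfw "allow ip" / "keep-state" rules the thread refers to; it is not the thread's or Apple's configuration, the addresses are constructed from RFC 5737 ranges, and the flow-state handling is a deliberate simplification (keyed on protocol and addresses only).

```python
"""First-match packet filter model for the VPN-in-front-of-services design.

Added illustration, not the thread's configuration. Rules are evaluated in
order, first match wins, with an implicit deny at the end. Rules flagged
keep_state record the admitted flow so that its reverse direction is allowed
(a simplified "keep-state"). Addresses are constructed (RFC 5737 ranges).
"""

MAIN_IP = "203.0.113.10"      # tunnel endpoint; only VPN protocols allowed here (constructed)
ALIAS_IP = "203.0.113.11"     # services live here, reachable only via the tunnel (constructed)
VPN_CLIENTS = "203.0.113.12"  # address handed to the VPN client (constructed)
ANY = "any"

# (action, proto, src, dst, dst_port, keep_state); None or "any" = wildcard.
RULES = [
    ("allow", "esp", ANY, MAIN_IP, None, False),        # IPsec ESP for L2TP/IPsec
    ("allow", "udp", ANY, MAIN_IP, 500, False),         # IKE
    ("allow", "udp", ANY, MAIN_IP, 4500, False),        # IKE/ESP NAT traversal
    ("allow", "udp", ANY, MAIN_IP, 1701, False),        # L2TP
    ("allow", "ip", VPN_CLIENTS, ALIAS_IP, None, True), # decapsulated tunnel traffic to services
    ("allow", "ip", VPN_CLIENTS, ANY, None, True),      # VPN client -> Internet, answers back in
    ("deny", "ip", ANY, ANY, None, False),              # everything else, incl. direct service access
]


def _match(field, value):
    return field is None or field == ANY or field == value


def evaluate(pkt, state):
    """Return (action, matched_rule) for pkt.

    pkt: dict with proto, src, dst and optionally dport.
    state: set of (proto, src, dst) flows admitted by a keep_state rule.
    """
    flow = (pkt["proto"], pkt["src"], pkt["dst"])
    if (flow[0], flow[2], flow[1]) in state:
        return "allow", "state"          # reply to an admitted flow
    for i, (action, proto, src, dst, dport, keep) in enumerate(RULES):
        if proto not in ("ip", pkt["proto"]):
            continue
        if (_match(src, pkt["src"]) and _match(dst, pkt["dst"])
                and _match(dport, pkt.get("dport"))):
            if action == "allow" and keep:
                state.add(flow)
            return action, i
    return "deny", "default"


if __name__ == "__main__":
    hotel = "198.51.100.7"   # laptop's public address on an insecure wireless net (constructed)
    state = set()
    samples = [
        ("IMAP straight to main IP", {"proto": "tcp", "src": hotel, "dst": MAIN_IP, "dport": 143}),
        ("IKE to main IP", {"proto": "udp", "src": hotel, "dst": MAIN_IP, "dport": 500}),
        ("IMAP via tunnel to alias IP", {"proto": "tcp", "src": VPN_CLIENTS, "dst": ALIAS_IP, "dport": 143}),
        ("unsolicited to VPN client", {"proto": "tcp", "src": hotel, "dst": VPN_CLIENTS, "dport": 443}),
        ("VPN client to Internet", {"proto": "tcp", "src": VPN_CLIENTS, "dst": hotel, "dport": 443}),
        ("answer back to VPN client", {"proto": "tcp", "src": hotel, "dst": VPN_CLIENTS, "dport": 50000}),
    ]
    for label, pkt in samples:
        print(f"{label:30s} -> {evaluate(pkt, state)}")
```

The first sample is the case the thread is about: an IMAP connection sent directly to the main IP is what the packet sniffer showed leaving in the clear, and it is the filter, not the tunnel, that has to refuse it. Ordering matters in a first-match filter, so the VPN-protocol rules precede the broad "VPN client to anywhere" rule and the catch-all deny comes last.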

