ysappdesign

Q: Setting up a vpn with os x server 3, behind a router and a non static IP

Hello,

First, I would like to start by saying that I am a programmer and not a server manager or anything.

I wanted to set up a solution for my small company so that we could use the new OS X Server for CI, file sharing, calendar sharing, Time Machine and contact sharing.

Most of our work is done outside the office, so I was wondering if it's possible to set up a VPN so we could all use the server.

Our server is running on a new Mac mini.

We have a router, and behind it the server and the other computers connected to the network, everything by Wi-Fi.

We do not have a static IP from the ISP and my knowledge of communications protocols is limited.

Is there any way I can make it work?

Mac mini, OS X Mavericks (10.9)

Posted on Nov 6, 2013 2:30 AM


  • laundry bleach (Level 5, 6,982 points), Nov 6, 2013 6:24 AM, in response to ysappdesign [marked Helpful]

    Yes it is possible, but without a static IP address it is much more difficult. Since the IP address used to access the internal network from the Internet can change, you need a way to find what it is so that those clients can access it.

    This is provided by a 3rd party service such as Dyn. There are others of course. Basically it allows you to name your network for reference by external users and they keep track of the IP address. Note that some ISPs may have a problem with allowing this. Consumer accounts may not be allowed to run certain services. Check first.

    Of course the other possibility is to ask your ISP for a static IP address. Usually this comes with a business class account and is more expensive.

    Best of luck.

  • keg55 (Level 6, 8,368 points), Nov 6, 2013 8:16 AM, in response to ysappdesign

    Agree with laundry bleach.

    I grabbed a Dyndns.com dynamic DNS account before they stopped giving them out free. There's another free one called no-ip that you might look into.

    So, what I use is my Dyndns account and assigned a DNS name (e.g. test.dyndns-server.com). With this domain name, I have all my clients including iPhones using that name instead of an IP address and they can all connect to my Mac Mini server without issue locally as well as outside of my LAN. Since I'm using a dynamic DNS, the host company handles the changing of my ISP's IP address and it's all transparent to me. Once I VPN into my server I'm on that local network and I can use the following commands within Finder (Connect to Server) to get to the shared files and screen share with my server (LAN IP address of 10.0.1.2).

    afp://10.0.1.2

    vnc://10.0.1.2

    smb://10.0.1.2   (Windows PCs)

  • laundry bleach (Level 5, 6,982 points), Nov 6, 2013 8:20 AM, in response to keg55

    keg55 -

    Thank you for a better explanation of how Dyndns functions and how the OP would use it. Nice work. If you don't mind, I will quote you (with attribution of course) when explaining this to other users.

    Have a great day.

  • keg55 (Level 6, 8,368 points), Nov 6, 2013 8:21 AM, in response to laundry bleach

    My pleasure and be my guest.

  • sympatadmin (Level 1, 0 points), Nov 13, 2013 12:31 PM, in response to laundry bleach

    Hi Laundry Bleach -

    I am a novice to the OSX Server world, and am trying to get a VPN set up as well - though we have a Static IP to use.

    Can you walk me through the steps? I feel silly for asking, but this community has helped me in numerous ways that I cannot even begin to describe.

    We have the same setup as ysappdesign above. Our router is a Time Machine. Just purchased the system, so running MBPs with 10.9, Mini (server) running 10.8.5 and server v 2.1.1 (just saw all the bad reviews re server 3.0, don't want to upgrade yet...)

    Do we need to upgrade the Mini to Mavericks? Will this require server 3?

    Thank you in advance for your knowledge!

  • laundry bleach (Level 5, 6,982 points), Nov 13, 2013 1:00 PM, in response to sympatadmin

    Hi sympatadmin,

    To answer just a couple of your easy questions first -

    > Do we need to upgrade the Mini to Mavericks?

    No. Earlier versions of OS X Server will support VPN just fine, and in fact I understand there are some issues with VPN under the current version (3.0.1).

    > Will this require server 3?

    If you DO upgrade to Mavericks, yes, you would have to get Server 3, as the earlier versions do not run under Mavericks. Server 3 is NOT free, but at $20 it's not a huge cost.

    I'll come back with answers to the rest later.

  • sympatadmin (Level 1, 0 points), Nov 13, 2013 1:03 PM, in response to laundry bleach

    Thank you for the easy answers first!

  • laundry bleach (Level 5, 6,982 points), Nov 13, 2013 8:59 PM, in response to sympatadmin

    Okay sympatadmin, here's the complicated part. Note that there are a lot of things that can vary by the configuration of your server, your AirPort, and the clients that are connecting. The following is a view of how I set mine up, and your circumstances may be quite different.

    For general information about VPN you can go here - http://en.wikipedia.org/wiki/Vpn

    I am going to presume, for the purposes of this post, that you are trying to set it up so that remote users (such as employees working at home or on job sites) are wanting to connect to devices on your LAN, such as file shares, printers, calendar servers, etc. This post is NOT about connecting two sites together using VPN, which is possible but I have no experience setting this up.

    I am also going to assume that you are using a reasonably recent Apple AirPort Base Station, that its firmware is up to date, and you are accessing it using the most recent version of the AirPort Utility - I am using version 6.3.2. Using different base stations and different software and firmware versions may have differing results.

    Wherever I put YourIPAddress in these notes, you should substitute the actual IP address given to you by your ISP, or if you have a domain name registered to that IP address, you may use that instead. Either will work. Note that we will also refer to your VPN server's IP address, which will be different, calling it VPNServerAddress. This address will be on your LAN's subnet, typically 10.0.x.x or 192.168.x.x.

    Your server should have a static IP address that you gave it when you set it up. Personally I reserve the higher numbers for the static IPs on my network, say from 200 to 255. This is a personal preference. 10.0.1.200 is the IP address for my VPN server.

    Decide which VPN protocol you are going to use. I am using L2TP. Note that Mavericks server is currently having a problem using L2TP. I'm pretty sure they are working on it but I do not have any experience using PPTP successfully so we will stick with L2TP.

    To access the server that does the actual VPN work, a port on your AirPort base station needs to be forwarded to it. For L2TP we need to forward ports 500, 1701 and 4500. Open AirPort Utility (in /Applications/Utilities) and select your base station. Click the Edit button. Go to the tab labeled Network. Look for Port Settings. Below it, click on the "+" button to add a new one. Description can be anything you like - I call it VPN Service (L2TP). Next to Public TCP Ports put 500,1701,4500, and next to Private TCP Ports put 500,1701,4500. For Private IP Address put your VPNServerAddress. Click the Save button. Then click the Update button. Once the base station restarts it will be ready to go. Note that some versions of OS X server will actually do this for you when you set up VPN.

    [Image: AirPort Utility - port mapping]

    Note that the ports used for various services to be forwarded can be found in this Apple article - http://support.apple.com/kb/TS1629.

    Next we need to set up VPN service on your internal server. Launch the Server application. You will need a User account that allows access to VPN. If the users you want to use VPN already have accounts on this server, you can use those. If not you can create user account(s). By default, standard users have access to VPN. If your users do not you will need to edit services for them, allowing VPN. For the purposes of this post I am calling my user VPN User, account name vpnuser, with a password vpnpassword.

    Having created the user (or using one already in existence) we next go to Services and select VPN. VPN service should be set to OFF at this time. Under settings, Configure VPN for: set to L2TP. The host name should already be set. There should already be a default Shared Secret which you can display by checking the Show shared secret box. You can use the one there or enter your own. To the right of Client Addresses, click the Edit button. Make sure there is a sufficient number of addresses available for your VPN users. Also make sure the Starting at: IP address is on the same subnet you wish to use. Example, my AirPort uses the private subnet of 10.0.1.x, and I reserve the highest 30 IP addresses, starting at 10.0.1.225 for VPN users.

    Start the VPN service by changing the switch from OFF to ON. If I remember correctly, when I first set this up I actually had to restart the server itself to get things going correctly.

    Next step is to set up the devices - computers, iPads, iPhones, iPod touches, PCs, etc, to use VPN. I'll show you how to do it for a Mac running Mac OS X 10.8.5, but the methods are similar for other Apple devices. PCs I am not sure of, consult the manuals or a Windows help site.

    On the Mac, go to System Preferences > Network and look in the column on the left for VPN (L2TP). If you do not see it you can create it by clicking on the "+" button, selecting Interface: VPN, VPN Type: L2TP over IPSec, and Service Name: VPN (L2TP). Once the connection is created you must configure it. Leave it named Default unless you have another VPN configuration you need to leave on the computer, in which case you will create a new configuration. You can name it whatever you want. Server Address: YourIPAddress (this is the one given by your ISP), Account Name: the name of the user account on the VPN server, and check the Show VPN status in menu bar checkbox.

    [Image: VPN Network Settings]

    Now click the Authentication Settings... button. Enter the user account's password under User Authentication:, and the Shared Secret under Machine Authentication.

    [Image: VPN Authentication Settings]

    Click the OK button, and back in the Configuration click the Apply button. The Mac is now ready to connect. You can actually test the settings while you are still in the LAN. Just click the Connect button in the Configuration window, or look for the VPN menu in the main menu bar and select Connect VPN (L2TP) from it. Once connected it will show you how long you have been connected. Be sure to disconnect when you are done using the VPN services.

    Once connected, you can treat your computer as if it is actually on your office LAN. You can connect to file sharing, networked printers, and other servers on the network as if you were right there.

    Obviously it should be noted that this does carry a security risk. If you have proprietary materials on the LAN, someone who can get onto that network can access them. Be aware of this and act accordingly. There are more secure methods than simple password security, for instance. If you need them, hire somebody who knows about this stuff and have them set it up.

    Best of luck.
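A small checker for the address layout and port mappings described in the post above, added here as an example; it is not code from the post or from Apple. It assumes the post's values (LAN 10.0.1.0/24, VPN server at 10.0.1.200, a pool of 30 client addresses starting at 10.0.1.225) and expects UDP mappings, since L2TP over IPsec uses UDP 500 (IKE), 1701 (L2TP) and 4500 (NAT traversal); the optional DHCP range parameter is hypothetical.

```python
import ipaddress

# L2TP over IPsec: IKE, L2TP and NAT-T, all carried over UDP.
L2TP_IPSEC_UDP_PORTS = (500, 1701, 4500)


def vpn_pool(start, count):
    """Client addresses the VPN server hands out: `count` addresses from `start`."""
    first = ipaddress.ip_address(start)
    return [first + i for i in range(count)]


def check_vpn_layout(lan_cidr, server_ip, pool_start, pool_size, forwarded, dhcp_range=None):
    """Return a list of problems with the layout; an empty list means it is consistent.

    forwarded: (protocol, public_port, private_port, private_ip) tuples, one per
    AirPort port-mapping row. dhcp_range: optional (first, last) addresses the base
    station's DHCP server hands out (hypothetical parameter, not from the post).
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    server = ipaddress.ip_address(server_ip)
    pool = vpn_pool(pool_start, pool_size)
    problems = []

    if server not in lan:
        problems.append(f"VPN server {server} is not on {lan}")
    for addr in pool:
        # A pool that runs past the last host lands on the broadcast address.
        if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"pool address {addr} is not a usable host on {lan}")
        if addr == server:
            problems.append(f"pool address {addr} collides with the VPN server")
    if dhcp_range:
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
        clash = [str(a) for a in pool if lo <= a <= hi]
        if clash:
            problems.append(f"pool overlaps DHCP range: {', '.join(clash)}")

    # Each required port must reach the VPN server over UDP with public == private.
    for port in L2TP_IPSEC_UDP_PORTS:
        hits = [m for m in forwarded if m[1] == port]
        good = [m for m in hits
                if m[0].lower() == "udp" and m[2] == port and ipaddress.ip_address(m[3]) == server]
        if not good:
            problems.append(f"no UDP mapping for port {port} to {server}")
        for proto, pub, priv, ip in hits:
            if ipaddress.ip_address(ip) != server:
                problems.append(f"port {pub}/{proto} is forwarded to {ip}, not the VPN server")
    return problems
```

Run it against the rows you entered in AirPort Utility before switching the service on; with the post's values and three UDP rows it returns an empty list, and a 31-address pool from 10.0.1.225 is flagged because it reaches 10.0.1.255.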

  • sympatadmin (Level 1, 0 points), Nov 19, 2013 2:01 PM, in response to laundry bleach

    Hi laundry bleach - Thank you for the detailed instructions. I haven't gotten to getting it all ironed out yet, but I did want to say thank you!

    (And I may have more questions!)