HT200069: OS X Server (Mavericks): Clients cannot connect to VPN service using L2TP

J. Scott Anderson

Q: VPN Connection now works - but no network visibility

The Mavericks (Server 3) update (10.9.1 & VPN update) now works enough that I can actually connect – per the Menu item's status. However, I cannot see any of the file structure on the server. I'm logging in as the system's administrator account, so I should be able to see everything connected to the system. What am I doing wrong? If nothing, then is there a known fix coming from Apple? If not, is there a workaround?

OS X Mavericks (10.9.1)

Posted on Dec 23, 2013 2:03 PM


  • Strontium90 (Level 5, 4,077 points, Servers Enterprise), Dec 23, 2013 2:14 PM, in response to J. Scott Anderson

    My gut reaction is to ask what subnets are on both ends of the connection?  Remember, if your corporate network is on 192.168.0.0/24 and your home is 192.168.0.0/24 then you will not be able to reach remote devices as there is no way to tell which network stack to go to.

    If your corporate and home are different, can you ping the far side?

  • J. Scott Anderson (Level 1, 0 points), Dec 23, 2013 8:53 PM, in response to Strontium90

    Thank you for the quick response. Yes, I can ping the OS X server on the far side. I can ping the router at the server site.

  • Strontium90 (Level 5, 4,077 points, Servers Enterprise), Dec 24, 2013 4:17 AM, in response to J. Scott Anderson [Helpful]

    So the issue arises when you connect to file services?  Or when you use a remote desktop connection?  From the technical perspective, once you port forward your VPN ports through a firewall/router and you are able to connect from a remote system, you are sending all ports and traffic to the remote network over that tunnel.  Unless you configured the server's local firewall to allow/deny specific ports, or you've added incorrect routes to the VPN configuration, you should have access to the entire remote LAN.

    Does your router have a web interface?  Are you able to hit that?  Based on your reply, it sounds like the tunnel is formed properly and you are seeing the remote network.

  • J. Scott Anderson (Level 1, 0 points), Dec 24, 2013 2:05 PM, in response to Strontium90

    Yes, I can access the remote router's web interface successfully. So…I am able to access some services, but still unable to see the actual available file structure. Is it possible that there is some port that I need to forward that I'm missing from my list?

    I've got the following forwarded to my server:

    - 5900
    - 311
    - 625
    - 389
    - 686
    - 22
    - 500
    - 1701
    - 4500

  • Strontium90 (Level 5, 4,077 points, Servers Enterprise), Dec 24, 2013 7:36 PM, in response to J. Scott Anderson [Solved answer]

    Ah!  Gasp!  Not good.  You probably should shut down 5900, 311, 625, 389, and 686.  There are very few reasons I can imagine in which these ports need to be open to the world.  Plus, 5900 and 389 are unencrypted so you are sending everything in the plain.  Oh, it pains me.  If you are opening ssh (port 22), you better be using a hosts.allow file or some other mechanism to secure the port from bot attacks.  And 686?!  Holy smoke, the last time I recall that port was back in the pre-10.4 days for NetInfo?  What is this used for today?  You have me stumped on that one.

    Best practice is to only open the ports that you need to get inside or the ports required for customer access to services.  By this list, it looks like you are using L2TP as your VPN.  Those should be the only ones you want to have open.  This will require all connections to first establish a VPN connection and then send traffic securely over the VPN tunnel.

    Now, why you are not seeing the entire file structure of your share, I am not sure.  I assume you mean that when you connect to a share point, you cannot see all the data inside the share.  If this is the case, this could be a restriction of how you implemented your permissions.
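The solved answer above boils down to one rule: forward only what L2TP/IPsec itself needs (500, 4500 and 1701) and reach every other service through the tunnel. The script below is an added example, not code from the thread or from Apple; it parses a pasted port-forward list in the shape J. Scott Anderson posted and classifies each entry against that rule. The service labels are the conventional assignments for those ports, and because the thread listed bare port numbers, the TCP/UDP protocol is assumed (UDP for the VPN ports, TCP otherwise) when a line does not state it.

```python
"""Audit a router's inbound port-forward list against the advice in the
solved answer: expose only the L2TP/IPsec ports, reach the rest via VPN.
Added example; service labels are conventional port assignments and the
protocols are assumptions where the input does not give them."""
import re
from dataclasses import dataclass

# Ports an L2TP/IPsec VPN server needs reachable from the internet.
VPN_PORTS = {
    (500, "udp"): "IKE key exchange",
    (4500, "udp"): "IPsec NAT traversal",
    (1701, "udp"): "L2TP",
}

# Management and directory services the thread says should not face the
# internet: (label, whether the thread calls the protocol unencrypted).
LAN_ONLY_PORTS = {
    (5900, "tcp"): ("Screen Sharing / VNC", True),
    (311, "tcp"): ("Server Admin", False),
    (625, "tcp"): ("Open Directory proxy", False),
    (389, "tcp"): ("LDAP", True),
    (686, "tcp"): ("not identified in the thread", False),
}

# Remote shell: the thread accepts it only with an extra access control.
SSH_PORT = (22, "tcp")

_LINE = re.compile(r"^\s*-?\s*(?:(tcp|udp)\s+)?(\d{1,5})(?:/(tcp|udp))?\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    verdict: str  # "keep", "close", "harden" or "review"
    reason: str


def parse_forward_list(text):
    """Parse one forward per line: '- 5900', '389', '1701/udp' or 'udp 500'.
    Without an explicit protocol, UDP is assumed for the L2TP/IPsec ports
    and TCP for everything else (assumption, since the thread gave none)."""
    forwards = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or non-matching lines are skipped
        port = int(m.group(2))
        proto = (m.group(1) or m.group(3) or "").lower()
        if not proto:
            proto = "udp" if any(p == port for p, _ in VPN_PORTS) else "tcp"
        forwards.append((port, proto))
    return forwards


def audit_forwards(forwards):
    """Classify each (port, proto) forward and say what to do with it."""
    findings = []
    for port, proto in forwards:
        key = (port, proto.lower())
        if key in VPN_PORTS:
            findings.append(Finding(port, proto, "keep",
                                    f"required by L2TP/IPsec: {VPN_PORTS[key]}"))
        elif key in LAN_ONLY_PORTS:
            label, plaintext = LAN_ONLY_PORTS[key]
            reason = f"{label}; reach it over the VPN instead"
            if plaintext:
                reason += " (traffic is unencrypted)"
            findings.append(Finding(port, proto, "close", reason))
        elif key == SSH_PORT:
            findings.append(Finding(port, proto, "harden",
                                    "SSH: restrict source addresses or move it behind the VPN"))
        else:
            findings.append(Finding(port, proto, "review",
                                    "not covered by the thread; justify or close"))
    return findings


def ports_to_close(findings):
    """Ports whose verdict is 'close'."""
    return {f.port for f in findings if f.verdict == "close"}


# Constructed input: the forward list exactly as posted in the thread.
THREAD_LIST = """
- 5900
- 311
- 625
- 389
- 686
- 22
- 500
- 1701
- 4500
"""

if __name__ == "__main__":
    for f in audit_forwards(parse_forward_list(THREAD_LIST)):
        print(f"{f.proto}/{f.port:<5} {f.verdict:<7} {f.reason}")
```

Run against the posted list it keeps 500, 1701 and 4500, flags 22 for hardening, and reports the other five for closing; a port the thread never mentions, or a VPN port forwarded on the wrong protocol, comes back as "review" rather than being silently accepted.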

  • J. Scott Anderson (Level 1, 0 points), Dec 26, 2013 10:49 PM, in response to J. Scott Anderson

    I must be doing something very wrong. My expectation is that when I set up the VPN, I should have been able to connect to it with the administrator account, from a Mac on the outside of the server's network, and then see all of the same drives attached to the server, in the Finder, just as I would had I been sitting there. Am I wrong?

  • Antonio Rocco (Level 6, 10,606 points, Desktops), Dec 26, 2013 11:03 PM, in response to J. Scott Anderson

    Hi

    " . . . and then see all of the same drives attached to the server in the Finder . . ."

    I've underlined 'see' and 'Finder' because I'm wondering if that's the root of your problem which might actually be a non-problem? You can't expect the Finder sidebar to show you anything over a VPN tunnel as it's populated using mDNS (Bonjour) which does not work over a VPN. Not easily in any case and then maybe.

    FWIW I would heed Strontium90's summation of your network but it's your server/network and you can do what you like with it.

    My 2p

    Tony

  • Strontium90 (Level 5, 4,077 points, Servers Enterprise), Dec 27, 2013 4:25 AM, in response to Antonio Rocco

    Antonio has hit it on the head.  Bonjour does not broadcast over VPN.  You would need to create a Bonjour bridge.  If you connect via VPN and then do a Connect to Server... you will be able to "see" your server.  But you must route by IP or hostname, not Bonjour broadcast name.

    OpenVPN can be used to manually build a Bonjour bridge or you can look at products from Aerohive, Meraki, and others.  It is possible, but you must augment your environment to support it.