
VPN on OS X Server with two networks

I have a few static IP addresses from my service provider.


My Mac Mini running OS X Server is set to one of these static addresses. An AirPort Extreme is set to another. A few computers are connected to the AirPort Extreme on a local DHCP network 10.0.1.1/24, serving addresses .20 to .200.


I have also connected the Mac Mini to the AirPort Extreme with a USB Ethernet dongle, and given it a fixed address on the local network of 10.0.1.10. It can see the computers on the network, and the computers on the network can see it.


I have set up VPN on the Mac Mini to assign addresses 10.0.1.200 to 10.0.1.231. I can only consummate a connection if the static address network protocol is above the local network protocol. I have used IceFloor to share the internet connection. Computers connecting via the VPN get an encrypted connection, and can use the internet.


But they cannot see the local network computers .20 to .200. I would like them to be able to. I think the issue is that the router address assigned by the VPN is the static router, not the AirPort Extreme router. I tried various port forwardings in IceFloor but with no success.


Has anyone accomplished what I am trying to do?


To preempt the obvious question, I cannot attach the Mini to the AirPort and keep the static IP address for the Mini.

OS X Server

Posted on Apr 14, 2014 10:03 AM


Apr 14, 2014 10:34 AM in response to JBB_NY

Please define 'they cannot see the local network computers .20 to .200'.


Do you mean/expect/hope for the remote machines to be able to browse the VPN-based network hosts in the Finder, or via other auto-discovery tools? If so, that's not going to happen (at least not without a lot of work).


A VPN client *should* be able to connect to any host in the 10.0.1.x network (e.g. via ping, or a direct connection), but you won't automatically see the server in the Finder, nor see printers when you try to add them (you need to manually specify their address).

Apr 15, 2014 11:01 PM in response to JBB_NY

Can the Mac Mini do it itself? In other words, is this a basic network configuration issue or a VPN issue?


It may be worth taking a deeper look at how your network is set up. You say you have a few static IP addresses from your ISP. I'm inferring that your Mac Mini has one of these, and the base station has another, so both devices have public addresses, and the AirPort Extreme is performing NAT?


In that case, the Mac Mini should be able to plug into one of the LAN ports on the AirPort Extreme, and it should be able to ping any device on the LAN (10.0.1.x).
Note that the Mac Mini should NOT have any router address set on its 10.0.1.x network.


If the Mac Mini can ping other devices then you have a VPN configuration issue. If it can't, there's a network issue. Let's start off with that.

Apr 22, 2014 9:32 AM in response to JBB_NY

The VPN users should be given addresses in a totally different block to the LAN users, e.g. 10.1.1.x; this is as per Apple's documentation and what worked for me. However, it is more complicated than that. The LAN users will (correctly) be configured to route all traffic via the default gateway, which will, from what you describe, be the AirPort Extreme. However, the AirPort Extreme will not initially know about the different block for the VPN clients, and hence it will not know to route traffic for them via the Mac VPN server. To solve this you need to define a static route in the AirPort Extreme saying all traffic for 10.1.1.x should be forwarded via the Mac VPN server's address.


I found a guide and script which helps set all this up for you - at least on the Mac VPN server; you still need to define the static route.


See http://www.macminivault.com/1-min-vpn/


Note: Ideally you use the built-in Ethernet for the LAN side, and the USB Ethernet for the WAN side, as the LAN will then benefit from the faster built-in Ethernet. For VPN only this will not make much difference, but if you're using this server for something else, e.g. a website, it helps.
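
The address-planning advice in the last reply, as an added example that is not part of any post in this thread: a Python check that compares a VPN pool against the LAN's DHCP range and reports either the conflicts or the return route the LAN gateway would need. The function names, the /24 route prefix and the 10.1.1.200 to 10.1.1.231 pool are assumptions made for illustration.

```python
import ipaddress as ip

def pool(first, last):
    """Inclusive address range as a (first, last) pair of IPv4Address objects."""
    a, b = ip.ip_address(first), ip.ip_address(last)
    if a > b:
        raise ValueError("range start is above range end")
    return a, b

def overlap(r1, r2):
    """Return the span shared by two ranges, or None if they are disjoint."""
    lo, hi = max(r1[0], r2[0]), min(r1[1], r2[1])
    return (lo, hi) if lo <= hi else None

def review_plan(lan_cidr, dhcp, vpn, server_lan_ip, vpn_prefix=24):
    """Check a VPN pool against the LAN plan; return (kind, message) findings."""
    lan = ip.ip_network(lan_cidr, strict=False)   # accepts host form 10.0.1.1/24
    server = ip.ip_address(server_lan_ip)
    findings = []
    shared = overlap(dhcp, vpn)
    if shared:
        findings.append(("conflict",
                         f"DHCP and VPN both hand out {shared[0]}-{shared[1]}"))
    if vpn[0] <= server <= vpn[1]:
        findings.append(("conflict", f"server address {server} is in the VPN pool"))
    if vpn[0] in lan or vpn[1] in lan:
        # LAN hosts treat these addresses as on-link, so a gateway route
        # for the VPN clients is never consulted.
        findings.append(("same-subnet", f"VPN pool sits inside {lan}"))
    else:
        # Assumption: the whole block of width vpn_prefix is given to VPN clients.
        net = ip.ip_network(f"{vpn[0]}/{vpn_prefix}", strict=False)
        if vpn[1] not in net:
            raise ValueError("VPN pool does not fit in one routed block")
        findings.append(("route", f"LAN gateway needs: {net} via {server}"))
    return findings

if __name__ == "__main__":
    dhcp = pool("10.0.1.20", "10.0.1.200")        # range from the question
    plans = {
        "as posted": pool("10.0.1.200", "10.0.1.231"),
        "separate block (constructed)": pool("10.1.1.200", "10.1.1.231"),
    }
    for name, vpn in plans.items():
        print(name)
        for kind, msg in review_plan("10.0.1.1/24", dhcp, vpn, "10.0.1.10"):
            print(f"  [{kind}] {msg}")
```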
