How does the VPN security of the OS X Server compare to a VPN router?



Anyone know?

Mac OS X (10.7.5)

Posted on Apr 27, 2014 11:25 AM

14 replies

Apr 27, 2014 3:15 PM in response to CCSMG

A gateway-firewall-router-NAT box with an embedded VPN server avoids the VPN having to traverse NAT, which can be an advantage in various circumstances. (VPNs and NAT work at cross purposes here; VPNs try to keep track of the end-points of the connection, while NAT tries to obfuscate those and "hide" everything behind one connection. If I'm running multiple VPN connections in parallel, having this all happen "outside" of the NAT is very handy.)


A box with an embedded VPN server means you're not dependent on the OS X Server box running the VPN server to be operational. The box can allow incoming connections to connect directly to any network host or device.


If you're looking at a higher-end VPN server box, those can offload rather more of the VPN overhead, which means more users or higher-grade encryption can be feasible.


A box with a VPN server can have unencrypted connections traversing between the VPN server box and the target host, if you happen to be running telnet or ftp or other unencrypted protocols.


If you're comparing the security of the VPN itself, that depends on the type of VPN (L2TP, PPTP, etc) and the local configuration setup of the particular VPN server(s) in use, among other details.


If you have more specific questions or concerns about this stuff, some more details of these and some general idea of your requirements might help...

Apr 28, 2014 5:17 AM in response to CCSMG

Actually, while I normally bow down and worship at the altar of MrHoffman, in this case his reply does not really address how well Apple's own VPN server compares from a security point of view. The fact that Apple's VPN server might usually be behind a NAT link makes no real difference; in any case it is possible, if one wants, to set up a Mac server with Apple's VPN service using two Ethernet interfaces like a hardware VPN gateway, so it is directly accessible via a public IP address with no NAT involved. (I have done this before myself.)


So, as a more specific answer to whether the Apple one is any different from a security point of view: the answer is yes, the Apple VPN server has a number of limitations that can make it less secure than a dedicated VPN solution.


  1. Apple's VPN service supports only PPTP and L2TP, and only with a pre-shared key; other VPN solutions may support Cisco IPSec or SSL VPN and with these may also support using certificate-based authentication, which is much more secure than a pre-shared key.
  2. Since Apple only support PPTP or L2TP, they cannot be used to set up VPN on Demand.
  3. Apple only support IKE v1 negotiation which these days is considered out of date and 'weak' from a security point of view, other VPN solutions may now support IKE v2 negotiation which is considered much more secure


To summarise Apple's own VPN service is nowhere near secure enough to be considered suitable for Government use and likewise most Enterprise organisations would also reject it. This does not mean you have to use a hardware VPN gateway, there are other software solutions which are more advanced than Apple's e.g. StrongSwan and OpenVPN.


Note: Despite the above issues, Apple's VPN service would be fine for a small business or personal home use where security is less of an issue.
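The contrast drawn in this post, as an added example that is not from the thread or from the strongSwan project: a strongSwan ipsec.conf carrying the kind of connection Apple's service offers (L2TP over an IKEv1 IPsec transport SA with a pre-shared key) next to an IKEv2 connection authenticated with certificates. The server address 203.0.113.10, the name vpn.example.com, the certificate and CA names and the 10.10.0.0/24 client pool are assumptions.

```ini
# /etc/ipsec.conf (strongSwan). Added example, not taken from the thread.
config setup
    uniqueids=never

# What OS X Server's VPN service speaks: L2TP inside an IKEv1 IPsec transport
# SA, both sides proving identity with one shared secret. Anyone holding the
# PSK (every client, every ex-employee) can impersonate the server.
conn l2tp-psk
    keyexchange=ikev1
    authby=secret
    type=transport
    # server's public address (assumed)
    left=203.0.113.10
    # L2TP itself runs over UDP 1701 on top of this SA
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # proposals typical Apple L2TP clients accept (assumed); '!' makes the list strict
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    rekey=no
    auto=add

# The stronger alternative: IKEv2, server authenticated by an X.509 certificate
# whose subjectAltName matches leftid, clients by certificates from one CA.
conn ikev2-cert
    keyexchange=ikev2
    left=203.0.113.10
    # hostname in the server certificate (assumed)
    leftid=@vpn.example.com
    # looked up in /etc/ipsec.d/certs
    leftcert=serverCert.pem
    # offer 0.0.0.0/0 so clients route everything through the tunnel (no split tunnel)
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    # only client certificates issued by this CA are accepted (assumed subject)
    rightca="C=GB, O=Example, CN=Example VPN CA"
    # virtual addresses handed out to connecting clients
    rightsourceip=10.10.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    dpdaction=clear
    auto=add

# Matching /etc/ipsec.secrets entries:
#   : PSK "long random shared secret"
#   : RSA serverKey.pem
```

The `l2tp-psk` connection only provides the IPsec layer; a separate L2TP daemon still has to answer on UDP 1701 and run PPP, which is where the username/password check happens. For `ikev2-cert`, the CA certificate goes in /etc/ipsec.d/cacerts and the server key in /etc/ipsec.d/private; the trailing `!` on the `ike=` and `esp=` lines rejects any weaker proposal a client sends rather than silently accepting it.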

Apr 28, 2014 6:36 AM in response to John Lockwood

I use Apple's Server VPN solution because as of now, it's easy to set up and manage and it works with my iDevices. Until I find affordable hardware VPN routers that iDevices can connect to, I'll be using the software VPN.


I'm hoping when connected to the VPN on my iPhone or iPad, that all data is going over the VPN connection. I did not see an option to enable/disable this. I use public WiFi a lot and want to make sure my data is sent securely.

Apr 28, 2014 6:38 AM in response to CCSMG

CCSMG wrote:

Thanks John,

Do you know if either the Apple OS X Server, Strongswan or OpenVPN provide encryption of the data during transfer? I'm not that knowledgeable on the subject so it may be an obvious answer to those in the know.

All VPN servers no matter what type provide encryption of data during transfer, it is pretty much their sole reason for existing. The differences are how strong the encryption is and perhaps even more importantly how secure the initial connection negotiation is. It is therefore the case that StrongSwan and OpenVPN can be configured in such a way that is more secure than Apple's VPN server.


Note: You will also typically need to use an alternative VPN client to Apple's in order to benefit from the stronger VPN server capabilities of StrongSwan and OpenVPN. There is a free OpenVPN client available for OS X and iOS and if you go for a commercial VPN solution like Cisco you would use their Cisco AnyConnect client. You can use the built-in Cisco IPSec client to connect to StrongSwan but you then only get some of the benefits, you do get to use Certificates but not IKE v2.

Apr 28, 2014 6:43 AM in response to CCSMG

CCSMG wrote:


Do you know if either the Apple OS X Server, Strongswan or OpenVPN provide encryption of the data during transfer?


Yes, all properly-configured VPNs encrypt all network traffic — that's inherent in the Virtual Private Network name, after all.


It's possible for a VPN to leak information (DNS or other traffic can sometimes be configured to bypass the tunnel), and it's also possible for an attacker to find attacks against various aspects of a VPN or a VPN end-point, and the end-points of the tunnel are usually known.


Of what is available with OS X, use of L2TP is preferred, as PPTP is increasingly insecure.


Unlike John Lockwood's experience here, I've chased around various VPN problems involving NAT.


VPNs can range from trivial to configure and connect, to utter monstrosities of options and settings within some clients and some servers.


I'm not that knowledgeable on the subject so it may be an obvious answer to those in the know.


Please consider providing some general information on the problem you're solving, and who you believe would be your likely attacker(s)? Security is like insurance — it's easy to have too much (and wasteful) or too little, and it's easy for a VPN to be easy to use or a pain in the rump. It's also possible that you'll do fine with a low-grade VPN if you're not a particular target, and there are cases where you'll need a higher-grade VPN because you're a target (financial data, credit card data, politics, public persona, healthcare information, or any number of other factors). If you're a potential target for a nation state or similarly funded security entity, you're probably already toast.
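The leak MrHoffman mentions (DNS or other traffic bypassing the tunnel) can be checked from two commands a Mac user can run while connected, `netstat -rn` and `scutil --dns`. The following is an added example, not code from the thread or from Apple: it parses constructed samples of that output and reports whether the default route goes through the tunnel interface and which resolvers would be reached outside it. The interface name ppp0, the addresses and the column layout are assumptions modelled on 10.7-era output.

```python
"""Spot split-tunnel and DNS leaks from captured `netstat -rn` and `scutil --dns`
output on a Mac.  Added example for this thread, not Apple's code.  The samples
are constructed to resemble 10.7-era output with an L2TP tunnel (ppp0) up; only
the Destination, Flags and Netif columns are relied on, as layout varies."""
import ipaddress
import re

IFACE_RE = re.compile(r"^(?:en|ppp|utun|ipsec|lo)\d+$")
NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

# "Send all traffic over VPN": default points at ppp0, the old default survives as
# an interface-scoped (I flag) route, and a host route keeps the VPN server's
# public address (203.0.113.10, assumed) reachable directly on en0.
NETSTAT_FULL = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.10.0.1          UGSc           12        0    ppp0
default            10.0.1.1           UGScI           3        0     en0
10.0.1/24          link#4             UCS             2        0     en0
10.0.1.1           0:11:22:33:44:55   UHLWIir        14      120     en0   1180
10.10.0.1          10.10.0.7          UH              1        0    ppp0
203.0.113.10       10.0.1.1           UGHS            1        0     en0
"""
# Split tunnel: only the office subnet (10.20.0.0/24, assumed) goes via ppp0.
NETSTAT_SPLIT = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc            3        0     en0
10.0.1/24          link#4             UCS             2        0     en0
10.10.0.1          10.10.0.7          UH              1        0    ppp0
10.20.0/24         10.10.0.1          UGSc            0        0    ppp0
"""
# Resolver is still the hotspot's router (10.0.1.1): queries leave en0 in clear.
SCUTIL_LAN_DNS = """\
resolver #1
  nameserver[0] : 10.0.1.1
  order    : 200000

resolver #2
  domain   : local
"""
# Same listing once the VPN server has handed out its own resolver.
SCUTIL_VPN_DNS = SCUTIL_LAN_DNS.replace("10.0.1.1", "10.10.0.1")


def parse_dest(dest):
    """'127' -> 127.0.0.0/8, '10.0.1/24' -> 10.0.1.0/24, '10.0.1.1' -> /32; None if not IPv4."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    plen = plen or (32 if len(octets) == 4 else 8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_routes(netstat_text):
    """Return [(network, flags, netif)] for every IPv4 row; other rows are skipped."""
    routes = []
    for line in netstat_text.splitlines():
        parts = line.split()
        net = parse_dest(parts[0]) if len(parts) >= 4 else None
        netif = next((p for p in parts[3:] if IFACE_RE.match(p)), None)
        if net is not None and netif:
            routes.append((net, parts[2], netif))
    return routes


def route_for(routes, ip):
    """Longest-prefix match; an unscoped route beats an 'I' (IFSCOPE) one of equal length."""
    ip, best = ipaddress.ip_address(ip), None
    for net, flags, netif in routes:
        if ip in net:
            key = (net.prefixlen, "I" not in flags)
            if best is None or key > best[0]:
                best = (key, netif)
    return best[1] if best else None


def tunnel_carries_default(netstat_text, tunnel_if):
    """True if traffic to an arbitrary Internet host would exit via the tunnel."""
    return route_for(parse_routes(netstat_text), "198.51.100.1") == tunnel_if


def primary_resolvers(scutil_text):
    """Nameservers of 'resolver #1', the one used for ordinary lookups."""
    servers, in_first = [], False
    for line in scutil_text.splitlines():
        if line.startswith("resolver #"):
            in_first = line.strip() == "resolver #1"
        elif in_first and NS_RE.match(line):
            servers.append(NS_RE.match(line).group(1))
    return servers


def dns_leaks(netstat_text, scutil_text, tunnel_if):
    """Resolvers whose queries would leave on an interface other than the tunnel."""
    routes = parse_routes(netstat_text)
    return [ns for ns in primary_resolvers(scutil_text) if route_for(routes, ns) != tunnel_if]
```

To run it against a live machine, feed `dns_leaks` and `tunnel_carries_default` the text of `netstat -rn` and `scutil --dns` instead of the samples. The failure it is built to catch is the common one: the tunnel carries the default route, so web traffic is encrypted, but the resolver is still the hotspot's router on the directly connected subnet, so every DNS query still leaves en0 in the clear.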

Apr 28, 2014 7:06 AM in response to MrHoffman

Please consider providing some general information on the problem you're solving, and who you believe would be your likely attacker(s)? Security is like insurance — it's easy to have too much (and wasteful) or too little, and it's easy for a VPN to be easy to use or a pain in the rump. It's also possible that you'll do fine with a low-grade VPN if you're not a particular target, and there are cases where you'll need a higher-grade VPN because you're a target (financial data, credit card data, politics, public persona, healthcare information, or any number of other factors). If you're a potential target for a nation state or similarly funded security entity, you're probably already toast.


Current devices are on the local network only with security software, firewall, etc.


Hardware

iMac

iPhone

iPad

PC - Windows


Software

Devonthink Pro Office (DPO)


DPO is only suitable for installation on Apple products and not PC; however, PC access is possible when using the DPO Web Server function. It uses HTTP so I'm not comfortable with that and am looking at VPN or HTTPS to increase security before using the product.


Access from PC would be intermittent.


The initial question relates to whether the Apple OS X Server provides me with sufficient security or if additional software/hardware is required to maximise protection during intermittent access. Organisations I have worked with have always used VPN but my experience of the product is limited to user-only knowledge.

Apr 29, 2014 2:45 AM in response to CCSMG

The general principle is that you should not make IT systems accessible directly via the Internet but only on your internal network. There are some exceptions to this: a web site you want to make visible to the entire Internet obviously needs to be accessible, and a mail server also needs to be visible in order to exchange emails with other servers; however, as examples, your file server, your accounts system, your payroll system, etc. should not be directly accessible via the Internet. Instead these systems should only be accessible on your internal network, and if someone is working outside the office they would use a VPN connection to connect back to your internal network.


As previously discussed, the VPN connection is encrypted so naughty people on the Internet cannot eavesdrop on your activity.


In your case Devon Think Pro Office does not need to be accessible by the entire world so it should be limited to your internal network and if people at home or on the road need to access it they should use a VPN connection to the office to do this.

Apr 29, 2014 5:22 AM in response to CCSMG

Thank you for raising this issue. I really appreciate both responses from MrHoffman and John Lockwood as I am currently deploying VPN services and know first-hand the "utter monstrosities of options and settings" it brings. I was surprised that my upgraded Mavericks (10.9.2 - client) still has the VPN issues as if it were never patched. So, after reading the thread, I downloaded the OpenVPN client, and am seriously thinking of getting a used Cisco four-port gigabit VPN router for my home office.

Apr 29, 2014 6:04 AM in response to Ralston Champagnie

Ralston Champagnie wrote:


...am seriously thinking of getting a used Cisco four-port gigabit VPN router for my home office.


FWIW, I've had success with the ZyXEL ZyWALL USG series. These are not "introductory" devices — ZyXEL definitely expects the user to understand networking, VPNs and related in some detail — but the UIs are clear and consistent.

Apr 29, 2014 10:40 AM in response to John Lockwood

In your case Devon Think Pro Office does not need to be accessible by the entire world so it should be limited to your internal network and if people at home or on the road need to access it they should use a VPN connection to the office to do this.

I have been looking into "TeamViewer" rather than purchasing a VPN; wouldn't this do the same thing, but with my data run through an external server?

The main difference I understand is "TeamViewer" would provide access / control over the complete remote computer and a VPN (in my scenario) would only provide access to the Devonthink software?

Apr 29, 2014 11:34 AM in response to CCSMG

TeamViewer would let one person remotely control one computer; it is not as scalable as using a VPN system, which can support dozens or even hundreds of users.


In theory encrypting files before sending them via an (encrypted) VPN would be more secure but this is a lot of pain for no real gain. However if you plan to transfer say a password file or a file containing customer credit card data then these should always be stored in encrypted files even when used in the main office.
