Setup VPN on Mac Mini Server running OSX through a BT Hub Router

To run a public VPN server behind an NAT gateway, you need to do the following:

1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.

2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)

3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.

If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked

Allow incoming IPSec authentication

if it's not already checked, and save the change.

With a third-party router, there may be a similar setting.

4. Configure any firewall in use to pass this traffic.

5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0./0 with a 24-bit netmask.

6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.

If the server is directly connected to the Internet, see this blog post.

Can you connect to the VPN with a Mac client?

Can you capture packets on the BT Router WAN interface? Also can you run wireshark on the OSX Server to listen on the ports that Linc mentioned?

Can you connect from inside the network?

If nslookup (or dig) of <myname>.ddns.net matches the WAN IP of the BT Hub Router, then one simple test would be telnet <myname>.ddns.net 1723. It should connect.

One simple way to find your WAN IP is using whatismyip.com

You can download Wireshark from www.wireshark.org for free. It is very nice tool and also has command-line utilities. If you have the ability to port-mirror on the LAN side on your BT Hub, it should make this a bit better to debug.

I am using a Windows laptop, does that affect what I am doing?

Yes. The VPN service doesn't officially support connecting with anything other than an OS X or iOS client. There may be a way to make it work with Windows, but I can't tell you what it is.

You are running telnet (TCP) on a port which is a UDP one. I would not expect a response. A better way is to use something like iPerf which can be configured as a UDP or TCP listener on an arbitrary port. When you run telnet do you see packets cross your BT hub and get to the Lan side? A port-mirror would be really useful at this point.

You want to test the connection from the 'outside' as a check. If you are 'inside' your network, it may be confusing.

In Wireshark, you want to filter for the ports that you have opened, in front of the BT Hub (on the WAN side) and behind it (on your LAN side) and see if packets from your telnet arrive. The Telnet test can be done using Windows. Your phone is 'outside' via the 3g/4g radio, unless you connect to your WiFi AP from 'inside'.

You can look for man pages for the command line utilities of wireshark like tcpdump or tshark and set up an appropriate filter.