Assigning static IP address to VPN clients

I've got Mavericks server with VPN access up and running. The clients can connect to it just fine.


The issue is we want to give the VPN clients static IPs for the VPN connections.


It looks as if setting up a static IP for the clients is simple but it doesn't work.


On the client

1) Open System preferences

2) Click network preferences icon

3) Click on the VPN service

4) Click the advanced settings button

5) Click the TCP/IP tab

6) Set Configure IPv4: to manually

7) Enter the IP address etc you want the client Mac to have when connected to the VPN service


After doing all of the above the client Mac ignores the static IP settings I give it and still gets an address assigned by the Mavericks server when connecting to the VPN.


Am I doing something wrong here or is this feature broken?

Posted on Jul 30, 2014 8:23 AM


Aug 5, 2014 10:04 AM in response to Mattula

The Apple VPN server in Server.app is very simple to set up but is extremely limited in what it can do. Therefore if you are going to use the Apple VPN server the answer is usually no and in this case categorically no.


What you want to do might be possible using an alternative VPN server solution with the consequence of it being more complicated to set up. I believe for example that it might be possible using StrongSwan5. The Apple VPN server requires you to use a block of IP addresses that is not part of your normal DHCP block, this means the addresses are then issued by the VPN server itself and due to its simplicity it gives you no control over this process. With StrongSwan5 however you can choose to have your real DHCP server issue the IP addresses for the VPN clients and then in theory you should be able to get the real DHCP server to do DHCP reservations aka. static DHCP maps for the clients.


I have not done this myself with StrongSwan5 but I believe the configuration lines you would need would be as follows


First in /etc/strongswan.conf you need something like the following


strongswan.conf:

charon {  
        dns1=xxx.xxx.xxx.xxx                    # IP address of the DNS server that you want your client to use  
        load=charon nonce pem openssl random attr kernel-netlink socket-default farp stroke updown xauth-generic xauth-noauth dhcp  
          # The above line loads necessary modules for strongswan, if you want DHCP to work you must load dhcp  
          # and farp modules  
  
        plugins {  
                dhcp {  
                        server = xxx.xxx.xxx.xxx    # IP address of DHCP server to request for IP address.  
                }  
        }  
}


Then in /etc/ipsec.conf you need something like the following (and other bits)



conn vpn  
.............
        rightsubnet=yyy.yyy.yyy.0/24     # This points to the subnet of your linux box.  
        rightsourceip=%dhcp          # This asks the DHCP server to assign the address for you.


Why do you need static addresses?

Aug 5, 2014 5:24 PM in response to John Lockwood

John Lockwood wrote:


The Apple VPN server in Server.app is very simple to set up but is extremely limited in what it can do. Therefore if you are going to use the Apple VPN server the answer is usually no and in this case categorically no.


What you want to do might be possible using an alternative VPN server solution with the consequence of it being more complicated to set up....


Ayup, a firewall-based VPN server is the usual preference for small networks. That for various reasons, too.

Aug 7, 2014 7:23 PM in response to John Lockwood

Thanks for providing an alternative VPN solution.


If you follow the steps in my first post OSX server actually does allow you to set a static IP for the VPN connection. Unfortunately it doesn't work and hasn't worked for years.


Why we need static IP addresses for VPN connections...

We do not have any forward facing servers. The only way we can access our servers is via a VPN connection for security reasons. Bonjour does not work over a VPN connection. We need the ability to screen share undetected with all clients on our network, including the remote clients connected via VPN. Apple Remote Desktop needs Bonjour to find the clients on the network. The workaround is to make the VPN clients connect with a static IP address and enter that IP into ARD.


Our router actually has the ability to create a VPN server but we like OSX server's ability to manage VPN connections, passwords, etc by simply modifying the profile for that network user.


Any suggestions for screen sharing software that works with VPN connected clients, something that doesn't require Bonjour?

Aug 7, 2014 7:39 PM in response to Slowmac

I used Apple Remote Desktop to support VPN users for years although it may be harder now. With older Apple server software the VPN module used to list active connections along with the IP address assigned to them (the current version does not). It was then possible in ARD to define a scanner for that single IP address, find the client, and connect to it. In theory the same approach by searching the VPN log for the connection and its assigned IP address should work. You can always ask the user to go to System Preferences -> Networking to find and read out to you the VPN client address as well.


It may also be possible to define a scanner in ARD that scans the entire range of IP addresses reserved for VPN clients. Remember that with Apple's VPN server you are supposed to use a block that does not overlap any block assigned by your DHCP server. ARD can scan via Bonjour (local only as you are aware), via individual IP address, or by a range of IP addresses.


Finally, once a Mac has previously been found and added to the ARD database then it will auto-update the IP address of that client in the computer list in ARD, however I do believe this is not as successful for VPN clients in this manner, it does work fine for remote site-to-site VPN connected clients.
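The log search suggested in the reply above, as an added example that is not part of the original thread: it pairs each login line with the next assigned address and keeps only addresses inside the VPN block. The log wording, the sample lines, the pool range and the function name are assumptions; adjust the two patterns to what your server actually writes.

```python
import ipaddress
import re

# Constructed sample in the style of a pppd-based VPN server log. The exact
# wording on your server is an assumption here; adapt USER_RE and ADDR_RE.
SAMPLE_LOG = """\
Tue Aug  5 10:04:12 2014 : L2TP incoming call in progress from '203.0.113.7'...
Tue Aug  5 10:04:13 2014 : DSAccessControl plugin: User 'alice' authorized for access
Tue Aug  5 10:04:13 2014 : local  IP address 192.168.2.1
Tue Aug  5 10:04:13 2014 : remote IP address 192.168.2.201
Tue Aug  5 11:30:40 2014 : DSAccessControl plugin: User 'bob' authorized for access
Tue Aug  5 11:30:41 2014 : remote IP address 192.168.2.202
Tue Aug  5 12:15:02 2014 : DSAccessControl plugin: User 'alice' authorized for access
Tue Aug  5 12:15:03 2014 : remote IP address 192.168.2.205
"""

USER_RE = re.compile(r"User '([^']+)' authorized for access")
ADDR_RE = re.compile(r"remote\s+IP address\s+(\S+)")


def latest_vpn_addresses(log_text, pool_first, pool_last):
    """Map each user to the most recent in-pool address logged after their login."""
    # Lines carry no session id, so a login is paired with the next address
    # line; two logins in the same second could be attributed wrongly.
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    current, pending_user = {}, None
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m:
            pending_user = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if not m or pending_user is None:
            continue  # not an address line, or no login to attribute it to
        try:
            addr = ipaddress.ip_address(m.group(1))
            in_pool = first <= addr <= last
        except (ValueError, TypeError):
            in_pool = False  # malformed, or a different IP version than the pool
        if in_pool:
            current[pending_user] = str(addr)  # later sessions overwrite earlier
        pending_user = None
    return current


if __name__ == "__main__":
    for user, addr in latest_vpn_addresses(SAMPLE_LOG, "192.168.2.200", "192.168.2.220").items():
        print(f"{user}\t{addr}")
```

The resulting addresses are the ones to enter into an ARD scanner, and the pool check drops any address that does not belong to the block reserved for VPN clients.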
