
VPN L2TP

Hi, I'm trying to isolate/troubleshoot problems I'm having with connecting to VPN. I have had all this working in the past but somewhere in an update to OSX Server and a change of ISP it's broken down.


What I'm trying to understand is how best to isolate where the problem is.


I've got an L2TP VPN set up and running in OSX Server 4.1. I've also set up port forwarding on my router (500, 1701, 4500 UDP). I suspect my problem is with my Router as I'm getting mixed results when checking ports but I'm trying to narrow it down to just that.


I can log in to VPN locally from a laptop to the Server with a local network OK. I would assume that means VPN is up and running OK and that if I had my router/ports I should be able to connect. Is that right?


My Server was set up by a colleague who's no longer with us and I have noticed that our 'VPN Host Name' ends in .private but that's not recommended in the Server Help docs.


4. Verify that the VPN host name resolves to the VPN server from the internet.

The VPN host name shouldn’t end in “.local” or “.private.” It should be an Internet-accessible, fully-qualified domain name.

Is it possible that this is where my problem lies? If so, any advice on what to do here? I can't seem to find any info on why this is a problem or how to fix it if it is.

Cheers,

Chris

Mac mini (Late 2012), OS X Yosemite (10.10.3), Server V4.1

Posted on Jun 8, 2015 3:42 AM

Question marked as Best reply

Posted on Jun 8, 2015 3:19 PM

To run a public VPN server behind an NAT gateway, you need to do the following:

1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.

2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)

3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.

If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked

Allow incoming IPSec authentication

if it's not already checked, and save the change.

There may be a similar setting on a third-party router.

4. Configure any firewall in use to pass this traffic.

5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.

6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.

7. To make services accessible through the tunnel, you need a working DNS service. Where applicable, services such as Mail must be configured to listen on the netblock assigned to VPN clients.

8. If the server is directly connected to the Internet, rather than being behind NAT, see this blog post.
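As an added example (not code from this thread or from Apple), a small Python preflight that checks the parts of the list above that can be verified without touching the router: the host-name rule the asker quotes from Server Help, the netblock overlap rule in item 5 (with the /24 vs /16 example carried through), and the random /24 choice from item 5. It assumes the reply's "10.0.0.0/0" means the 10.0.0.0/8 private range; the sample host name and LAN ranges are constructed.

```python
import ipaddress
import secrets
from typing import List

# Suffixes the Server Help text and the reply rule out for a VPN host name.
NON_PUBLIC_SUFFIXES = (".local", ".private")

def hostname_problems(host: str) -> List[str]:
    """Reasons a VPN host name will not resolve for clients on the Internet."""
    h = host.rstrip(".").lower()
    problems = []
    if h.endswith(NON_PUBLIC_SUFFIXES):
        problems.append("suffix is not Internet-resolvable (.local/.private)")
    if "." not in h:
        problems.append("not a fully qualified domain name")
    return problems

def overlaps(vpn_block: str, client_block: str) -> bool:
    """Item 5: a client LAN that overlaps the VPN-assigned block will conflict."""
    vpn = ipaddress.ip_network(vpn_block, strict=False)
    client = ipaddress.ip_network(client_block, strict=False)
    return vpn.overlaps(client)

def conflicting_clients(vpn_block: str, client_blocks: List[str]) -> List[str]:
    """The subset of client LANs that would collide with the VPN block."""
    return [c for c in client_blocks if overlaps(vpn_block, c)]

def pick_vpn_block(avoid: List[str], attempts: int = 64) -> str:
    """Random /24 inside 10.0.0.0/8 overlapping none of the known client LANs.

    Assumption: the reply's "10.0.0.0/0" is taken to mean the 10.0.0.0/8 range.
    """
    known = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for _ in range(attempts):
        cand = ipaddress.ip_network(
            f"10.{secrets.randbelow(256)}.{secrets.randbelow(256)}.0/24")
        if not any(cand.overlaps(n) for n in known):
            return str(cand)
    raise RuntimeError(f"no free /24 in 10.0.0.0/8 after {attempts} tries")

if __name__ == "__main__":
    # Constructed inputs: a ".private" host name like the asker's, plus the
    # reply's own example LAN ranges.
    print(hostname_problems("server.private"))
    print(conflicting_clients("10.0.0.0/24", ["10.0.1.0/24", "10.0.1.0/16"]))
    print(pick_vpn_block(["10.0.0.0/16", "192.168.1.0/24"]))
```

Whether the host name actually resolves from outside, and whether the three UDP ports reach the server, still has to be tested from a machine on the Internet side of the gateway.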


Nov 28, 2015 6:05 PM in response to Linc Davis

Linc,

Thank you for your detailed instructions on setting up VPN for Mac OS X Server. I'd encountered your list in a couple of other posts in these forums but skimmed their contents because they were headed


To run a public VPN server behind an NAT gateway, you need to do the following:


which was not my issue. Not until I took the sage advice of "Read all the instructions first" did I come across your last item


8. If the server is directly connected to the Internet, rather than being behind NAT, see this blog post.


Which was precisely my issue. Maybe people like myself would have noticed it if it were the 0th item!


Thanks much,


Johnnie Wilcox
