
Server VPN connects, but client "sends" data and receives none

Hello,


I have a VPN server running on my OS X Server. Both it and the client (my MBP) are running the latest OS X and Server.app, and I have my router set up to forward ports 500, 1701, 1723 and 4500 to the server. After struggling with the normal shared secret setup which despite everything I do does not work (connection drops after IPSec authentication), I'm using a signed .mobileconfig to get my computers to connect.


I have Little Snitch monitoring all network connections on both server and client. With the .mobileconfig profile, both machines show that authentication and connection are both working as intended in the logs. However, when I check off the "Send all traffic over VPN" box on the client, nothing connects.


Looking at the LS3 network monitor, I see that pppd and mDNSResponder are sending data to the server. However, the server neither receives nor sends any data back to the client, and as a result the client cannot connect to anything beyond the VPN authentication. System logs on both machines show nothing at all. LS3 is currently configured to open any traffic on the specified ports, so it can't be the filter. Authentication is completed without issue, so it can't be a password or shared secret issue either.


Back to My Mac has been disabled as it is known to interfere with the VPN service (port 4500 conflict).


Any ideas on how to fix this? I'd like to make this work before October so I have a working VPN while overseas.


EDIT: It's definitely a server issue. I've installed the same profile to my iPhone and the VPN server does not respond to it either. I will test it on a Windows machine by tomorrow, as well.

MacBook Pro (15-inch Early 2011), OS X Yosemite (10.10.4), 2011 15" 2.2GHz Quad Core, 16GB RAM

Posted on Jul 2, 2015 6:14 AM

5 replies

Jul 2, 2015 10:03 AM in response to Linc Davis

I need help on making VPN work, not what I should install on my computer.


Your opinion doesn't belong in software that has blocked thousands of brute force attacks from almost 200 IP addresses ranging from Mongolia, Russia, China and about 20 other countries on one of my computers alone. The other two have their own separate lists of these attacks (mind you these are normal Mac clients). Most of them are SSH attempts, but I've seen SMTP, VNC, VPN, NFS and other creative (?) ways to attack servers. Mostly these are brute force, a dozen DoS, and are automatically blocked by LS3.


Maybe for the casual Mac user you don't need LS3, but once you have a domain registered to your name, zombies and hackers will come at you like there's no tomorrow.


Attached is a hilarious list of IP addresses that I have personally checked via reverse DNS, contacted the registrar (if necessary) and blacklisted one by one in the past 2 weeks only. You can check them yourself. The list grows by 20-40 every week now that the main culprits have been blocked.



Jul 2, 2015 10:17 AM in response to Prodo123

I run my own server, and like every other server in the world it's under constant cracking attack. I have no trouble dealing with that problem without using amateurish hacks like "Little Snitch," which I wouldn't trust even if there were any reason to use it, and there isn't. I suggest you try an experiment. Remove "Little Snitch" and see whether the problem goes away. If it does, and you still want to keep it, refer to the developer for support. Otherwise you can easily reinstall it.

Jul 2, 2015 10:51 AM in response to Linc Davis

Good for you, but LS3 is here to stay. You have your preference of dealing with things, and I have mine. I like LS3 in that it's proactive and gives one less thing to worry about.

Nmap scan shows the ports are closed. Forwarding and whatnot is not going through. The router has a built-in PPTP VPN, which is less secure, and when that's enabled, port 1723 does open.


Playing around with the port forward settings, I tried routing other external ports to the necessary internal ports (500, 1701, 4500 for L2TP). While these forwards work for other services (e.g. 1701 forwards to port 80 correctly), none of the L2TP ports show as open. This isolates the issue to OS X Server, since neither the router nor ISP port blocking are at fault here.


Starting services with unorthodox port assignments (e.g. HTTP on port 500, 1701 and 4500) works fine, which means my current LS3 configuration is also not at fault. And since I can access ports 500, 1701, and 4500 from a known external open port, and access known working services from external ports 500, 1701 and 4500, it is reasonable to conclude that it's not the network nor the filter that's causing the issue but rather the service itself.

I have tried everything in my capacity to solve it myself, and I cannot, so I ask the forum.

This includes fiddling with LS3. Disabling and uninstalling LS3 do nothing. If it did then I would not be posting here, would I?
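As an added example (not code from the thread or from Apple), a small Python check that applies the poster's isolation logic to constructed `netstat -an -p udp` and `nmap -sU` output for the three L2TP/IPsec UDP ports: a port with no bound socket on the server points at the service itself, while a bound port that an external probe reports as closed points at the forward or filter, and "open|filtered" is inconclusive because UDP daemons usually ignore an empty probe. The sample output is constructed to show one port in each state.

```python
import re
# Constructed sample (not from the thread): macOS `netstat -an -p udp` on a
# server where L2TP (1701) and NAT-T (4500) are bound but IKE (500) is not.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.4500                 *.*
udp4       0      0  *.1701                 *.*
"""
# Constructed `nmap -sU` result for the same ports, seen from outside the router.
SAMPLE_NMAP = """\
PORT     STATE         SERVICE
500/udp  closed        isakmp
1701/udp open|filtered L2TP
4500/udp closed        nat-t-ike
"""
# UDP ports an L2TP/IPsec server must answer on: IKE, NAT-T and L2TP.
L2TP_PORTS = (500, 4500, 1701)

def listening_udp_ports(netstat_text):
    """Ports with a bound UDP socket, parsed from lines like 'udp4 0 0 *.500 *.*'."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            m = re.search(r"\.(\d+)$", fields[3])   # last dot separates the port
            if m:
                ports.add(int(m.group(1)))
    return ports

def nmap_udp_states(nmap_text):
    """Map port -> nmap state from lines like '500/udp closed isakmp'."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/udp\s+(\S+)", nmap_text, re.M)}

def diagnose(netstat_text, nmap_text):
    """For each L2TP/IPsec port, say which layer the two observations point at."""
    bound = listening_udp_ports(netstat_text)
    states = nmap_udp_states(nmap_text)
    verdict = {}
    for port in L2TP_PORTS:
        state = states.get(port, "unknown")
        if port not in bound:
            verdict[port] = "not bound on server"        # the daemon is the problem
        elif state == "closed":
            # ICMP port-unreachable despite a bound socket: the router or a wrong
            # forward target answered, not the daemon.
            verdict[port] = "bound, but forward/filter answered closed"
        elif state == "open":
            verdict[port] = "reachable"
        else:
            verdict[port] = "bound, no reply (inconclusive)"   # normal for UDP daemons
    return verdict
```

Run `diagnose` on the real `netstat -an -p udp` output from the server and an `nmap -sU -p 500,1701,4500` result taken from outside to get the same per-port verdict.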

Jul 2, 2015 11:42 AM in response to Prodo123

And to clarify, all my tests up to now have been on the local network. Both directing the connection at the domain name (www.foo.com, routed to my external IP address) as well as the subdomain ID (192.168.1.3) have the same effect. Moreover, LS3 accepts all connections from the local subnet, if you still have doubts about this.


Attached are the pppd/vpnd logs from both client and server during an L2TP session. I ended the session after a request for the Google homepage timed out. Other than the authentication, zero data moved between these two computers, but to me the logs look okay. DNS has been configured to use Google's.
