VPN into my home network.... How?

Hello All-


I want to be able to VPN into my home network while I am away. I have tried using Back to My Mac but it is very fussy and not all the computers I want to access are always set to the same iCloud account. Also, it seems some computers that are on the right iCloud account don't seem to appear in the left side of the window b/c maybe they are sleeping?? I don't know. Bottom line is Back to My Mac seems too intermittent for my needs.


That being said.... I have the latest MacMini BTO with all upgrades that only runs PLEX. I have installed OS X Server 4.1.5 on it in the hopes of running a VPN Server off of it. I also purchased Remote Access 3.8.1. I have used Remote Access before, although several years ago, and generally like it and think it is far more powerful than Back to My Mac.


Now my questions are:


1). What is the best way to setup the VPN Server?

2). Does the MacMini need a static IP address?

3). Is there a way to just tunnel into my AirPort Extreme base station (latest version)? And would that be better to allow me access to all the computers on my network?

4). I see in OS X Server on the left side that it makes settings changes in the Airport automatically, is there anything else I need to do?


Basically I just want to be able to login to my "tunnel" and have whatever device I use the VPN login info on act as if it were on my home network...


all help is GREATLY appreciated...

iMac, OS X Yosemite (10.10.3)

Posted on Sep 13, 2015 11:13 AM


Sep 13, 2015 12:29 PM in response to sc_elle

To run a public VPN server behind a NAT gateway, you need to do the following:

1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.

2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)

3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.

If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked

Allow incoming IPSec authentication

if it's not already checked, and save the change.

There may be a similar setting on a third-party router.

4. Configure any firewall in use to pass this traffic.

5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.

6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.

7. Bonjour will not work over an L2TP or PPTP VPN. To make services accessible through the tunnel, you need a working DNS service.

Where applicable, services such as Mail must be configured to listen on the netblock assigned to VPN clients.

8. If the server is directly connected to the Internet, rather than being behind NAT, see this blog post.
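
Step 5 above is the one that most often bites people after the tunnel is otherwise working, so here is an added example (my own code, not from this thread and not part of OS X Server) that shows what an overlapping netblock looks like to Python's `ipaddress` module and how to pick a random /24 that clears the networks you already know about. The pool and the client networks are constructed sample values; the `/16` case is written the way the answer words it and normalised with `strict=False`.

```python
import ipaddress
import secrets

# Constructed sample values (not from the thread): the VPN endpoint's client
# pool and a few local networks a roaming client might be sitting on.
# "10.0.1.0/16" is written the way the answer words it; strict=False lets the
# ipaddress module normalise it to its real network address, 10.0.0.0/16.
VPN_POOL = ipaddress.ip_network("10.0.0.0/24")
CLIENT_LANS = {
    "coffee shop": ipaddress.ip_network("10.0.1.0/24"),                # fine
    "office":      ipaddress.ip_network("10.0.1.0/16", strict=False),  # conflict
    "home LAN":    ipaddress.ip_network("192.168.1.0/24"),             # fine
}


def overlaps(pool, lan):
    """True when at least one address lies in both the VPN pool and the client's LAN.

    An overlap means the client's routing table cannot tell whether a packet for
    such an address belongs on the tunnel or on the local segment.
    """
    return pool.overlaps(lan)


def conflicting_lans(pool, lans):
    """Names of the client networks that would clash with the given VPN pool."""
    return sorted(name for name, lan in lans.items() if overlaps(pool, lan))


def pick_random_pool(avoid, randbelow=secrets.randbelow, attempts=1000):
    """Pick a random /24 inside 10.0.0.0/8 that overlaps none of the networks in `avoid`.

    This is the 'random sub-block with a 24-bit netmask' the answer recommends;
    randomness only lowers the odds of a clash with an unknown network, so the
    loop still checks every candidate against the networks you do know about.
    """
    avoid = list(avoid)
    for _ in range(attempts):
        candidate = ipaddress.ip_network(f"10.{randbelow(256)}.{randbelow(256)}.0/24")
        if not any(candidate.overlaps(lan) for lan in avoid):
            return candidate
    raise RuntimeError("no free /24 found in 10.0.0.0/8")


if __name__ == "__main__":
    clashes = conflicting_lans(VPN_POOL, CLIENT_LANS)
    print(f"pool {VPN_POOL} conflicts with: {clashes or 'nothing'}")
    new_pool = pick_random_pool(CLIENT_LANS.values())
    print(f"suggested pool: {new_pool}")
    print(f"after moving: {conflicting_lans(new_pool, CLIENT_LANS) or 'no conflicts'}")
```

Run it as-is to see the `/16` office network flagged while the `/24` next door is fine; swap in the networks you actually connect from (and the 192.168.1.0/24 home LAN from this thread) before choosing the pool you put into the VPN service.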

Sep 13, 2015 1:42 PM in response to Linc Davis

Thanks for the response. That's all a bit high level for me. I am smarter than your average bear, but have several questions regarding your answer. I read your answer on several other posts and that is what has led me down the route of abandoning Back to my Mac altogether. I understand the conflict of the UDP ports 500, 1701, and 4500, another reason to abandon Back to my Mac and try and go the OS X Server route with Remote Desktop.


All products in my setup are Apple except a Cisco 2960 switch. The Airport Extreme has a static PUBLIC IP address and that is why I asked if I would be able to somehow tunnel in to it and then leap over to the internal home network somehow that way. The Airport Extreme is using NAT to provide outside access to the internal network. The IPs the Airport is assigning to the internal devices are in the range of 192.168.1.2 to 192.168.1.200...


The MacMini has a static IP and a reservation in the Airport Extreme. The IP on the Mini (what I hope to make the VPN Server) is 192.168.1.xxx


I have questions on two points in your response:


2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)


The server does have a static IP address (not public) of 192.168.1.xxx. What do you mean by give it a hostname that is not a top level domain? Where do I do that? What should I name it, etc...


5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.

I don't know what the **** the above means. Please direct me somewhere where I can learn what you are saying or be a little less tech with your answer....

Again, I am using OS X Server 4.1.5 and that is how I hope to turn the MacMini into a VPN Server. The router is an Airport Extreme. It appears that OS X Server 4.1.5 will talk to the Airport and make the necessary adjustments so that everything plays nice and well with each other.

I really appreciate all your help...

Sep 13, 2015 2:39 PM in response to sc_elle

You're essentially asking for a short course on networking and OS X Server, which I don't have time to provide. The hostname is set automatically when you set up Server and the DNS service. You want to assign a netblock that is not likely to be the same as the one you're connecting from. The VPN service defaults should otherwise be fine, including the netmask. See the built-in documentation for more details.
