Ports for VPN not open

I've configured VPN service on Mac OS Server 5.0 but the VPN ports (UDP 500, 1701, 4500 and TCP 1723) are not reachable over internet or local network. My firewall is deactivated. The port forwarding is working on my router. Dynamic DNS is working. My server's websites are reachable over internet (port 80 and 443).


Shouldn't ports 500, 1701, 1723, 4500 be visible in an internal portscan or external site check (www.canyouseeme.org)?


Every time I try to connect VPN from my iPhone on 4G-network, the server log shows something like:


2015-10-23 08:05:38 CEST Loading plugin /System/Library/Extensions/L2TP.ppp
2015-10-23 08:05:38 CEST Listening for connections...
2015-10-23 08:06:05 CEST Incoming call... Address given to client = 192.168.1.121
2015-10-23 08:06:06 CEST --> Client with address = 192.168.1.121 has hungup
2015-10-23 08:06:06 CEST Incoming call... Address given to client = 192.168.1.122
2015-10-23 08:06:06 CEST --> Client with address = 192.168.1.122 has hungup


Any idea about where to start?


regards

Emil Rimsby

Mac mini, OS X Server

Posted on Oct 22, 2015 11:37 PM


Oct 24, 2015 12:31 PM in response to cymbal

To run a public VPN server behind a NAT gateway, you need to do the following:

1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.

2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour).

3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server. The Server app can set this up for you if you have an Apple router.

If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked

Allow incoming IPSec authentication

if it's not already checked, and save the change.

There may be a similar setting on a third-party router.

4. Configure any firewall in use to pass this traffic.

If you've taken all the above steps, the Server app should show that the VPN service is accessible from the Internet at your external IP address. Otherwise, something in the network is blocking some of the required traffic. Some residential ISPs block incoming UDP packets statefully. If yours is doing that, you won't be able to set up a VPN.

5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.

6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.

7. Bonjour will not work over an L2TP or PPTP VPN. To make services accessible through the tunnel, you need a working DNS service.

Where applicable, services such as Mail must be configured to listen on the netblock assigned to VPN clients.

8. If the server is directly connected to the Internet, rather than being behind NAT, see this blog post.

Oct 25, 2015 3:39 PM in response to Linc Davis

1. I registered a free dynamic hostname at dtdns.com and my router runs an app that updates dtdns with the correct IP address.

2. The server has a static IP address on my home network and a hostname not in domain "local".

3. All ports are forwarded to corresponding ports on server, and my router is not by Apple.

4. Firewall on server is not active.


When I do a port check on www.canyouseeme.org all VPN ports are invisible. The ports for websites are visible. If I activate SSH on the server, port 22 turns visible. If I change the port forwarding setting so port 1723 goes to port 80 on the server, www.canyouseeme.org says port 1723 is visible. My ISP can't be blocking 1723, right?


5. The address range for VPN connections does not overlap other users on network.

6. Back to My Mac is deactivated.


The VPN ports should be visible from internet, right? Otherwise all connections will be refused?

Oct 28, 2015 12:28 AM in response to Linc Davis

No, I can't connect from inside. The VPN logs look the same:


2015-10-28 08:27:10 CET Incoming call... Address given to client = 192.168.1.127
2015-10-28 08:27:10 CET --> Client with address = 192.168.1.127 has hungup
2015-10-28 08:27:14 CET Incoming call... Address given to client = 192.168.1.128
2015-10-28 08:27:14 CET --> Client with address = 192.168.1.128 has hungup
2015-10-28 08:27:18 CET Incoming call... Address given to client = 192.168.1.129
2015-10-28 08:27:18 CET --> Client with address = 192.168.1.129 has hungup
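Both vpnd.log excerpts in this thread show the same pattern: a client is handed an address and has hung up within a second. The Python script below is an added example, not code from this thread or from Apple. It parses lines in the format the log uses (assuming whitespace after the timezone token), pairs each "Incoming call" with the matching "has hungup" entry for that client address, and reports sessions that ended within a few seconds of starting, which separates an immediate hang-up from a session that actually negotiated. The sample lines are constructed to mirror the excerpts above, with one longer session added for contrast.

```python
"""Session-duration analysis for OS X Server vpnd.log lines.

Added example (not from the thread or from Apple): pairs each "Incoming call"
entry with the "has hungup" entry for the same client address and flags
sessions that end within a few seconds, the pattern shown in the thread.
"""
import re
from datetime import datetime

# Constructed sample modelled on the thread's log excerpts; the last pair is a
# made-up longer session so that the short-session filter has something to skip.
SAMPLE_LOG = """\
2015-10-23 08:05:38 CEST Loading plugin /System/Library/Extensions/L2TP.ppp
2015-10-23 08:05:38 CEST Listening for connections...
2015-10-23 08:06:05 CEST Incoming call... Address given to client = 192.168.1.121
2015-10-23 08:06:06 CEST --> Client with address = 192.168.1.121 has hungup
2015-10-23 08:06:06 CEST Incoming call... Address given to client = 192.168.1.122
2015-10-23 08:06:06 CEST --> Client with address = 192.168.1.122 has hungup
2015-10-23 08:10:00 CEST Incoming call... Address given to client = 192.168.1.123
2015-10-23 08:45:12 CEST --> Client with address = 192.168.1.123 has hungup
"""

# timestamp, timezone token, rest of message (timezone is assumed to be followed by whitespace)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+)\s+(.*)$")
CALL_RE = re.compile(r"Incoming call.*Address given to client = (\S+)")
HANGUP_RE = re.compile(r"Client with address = (\S+) has hungup")


def parse_sessions(text):
    """Return (client_addr, start, end) tuples; end is None if no hangup was logged."""
    open_calls = {}  # client address -> time the call came in
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # plugin/listening lines and anything else we do not model
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        call = CALL_RE.search(msg)
        if call:
            open_calls[call.group(1)] = ts
            continue
        hang = HANGUP_RE.search(msg)
        if hang and hang.group(1) in open_calls:
            sessions.append((hang.group(1), open_calls.pop(hang.group(1)), ts))
    # Calls that never hung up within the excerpt are reported as still open.
    for addr, start in open_calls.items():
        sessions.append((addr, start, None))
    return sessions


def short_sessions(text, max_seconds=5):
    """Client addresses whose session ended within max_seconds of the incoming call."""
    return [addr for addr, start, end in parse_sessions(text)
            if end is not None and (end - start).total_seconds() <= max_seconds]


if __name__ == "__main__":
    for addr, start, end in parse_sessions(SAMPLE_LOG):
        dur = "open" if end is None else f"{(end - start).total_seconds():.0f}s"
        print(f"{addr}: {dur}")
    print("immediate hangups:", short_sessions(SAMPLE_LOG))
```

Timestamps are compared without their timezone token, which is fine within a single log file but would misreport a session spanning a DST change; a production version would parse the zone as well.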

Oct 28, 2015 7:30 AM in response to Linc Davis

vpn:vpnHost = "******.******.dtdns.net"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.1.120"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "195.67.199.30"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.1.131"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.1.130"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.1.120"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "195.67.199.30"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "*************"
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.1.121"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.1.130"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecret = "g"
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "*************"
server:~ ******$
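Step 5 of the answer earlier in the thread (the client's local netblock must not overlap the pool the VPN endpoint hands out) can be checked directly against a settings dump like the one just posted. The Python below is an added example, not Apple's code and not from anyone in this thread: it parses the `key = value` lines in the dump's format, picks out each service's `enabled` flag and its `IPv4:DestAddressRanges` pair, and reports the enabled services whose pool collides with a netblock the client sits on. The sample excerpt is constructed in the same shape as the dump above with secrets left out; treating index 0 and 1 of `DestAddressRanges` as the first and last pool address is my assumption (the PPTP pair above is listed high-to-low, so the script sorts the two). The overlap check is also run on the answer's own 10.0.0.0/24 versus 10.0.1.0/24 and 10.0.1.0/16 example.

```python
"""Check a `serveradmin settings vpn` dump for client-pool overlap (thread step 5).

Added example, not Apple's code or anything posted in the thread. Parses the
"key = value" lines quoted above and tests each enabled service's address pool
against a client-side netblock using the standard ipaddress module.
"""
import ipaddress
import re

# Constructed excerpt in the same shape as the thread's dump; secrets omitted.
SAMPLE_SETTINGS = """\
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.1.131"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.1.130"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.1.121"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.1.130"
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
"""

# Keys are colon-separated paths; values may be quoted strings, numbers, yes/no or _empty_array.
SETTING_RE = re.compile(r'^\s*(?P<key>[\w.:]+) = (?P<value>.*?)\s*$')
ENABLED_RE = re.compile(r"^vpn:Servers:(?P<svc>[\w.]+):enabled$")


def parse_settings(text):
    """Map every key in the dump to its value with surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value").strip('"')
    return settings


def client_pools(settings):
    """Per service: (enabled, lowest pool address, highest pool address).

    Assumption: DestAddressRanges index 0 and 1 are the two ends of the pool;
    they are sorted because the dump may list them high-to-low.
    """
    pools = {}
    for key, value in settings.items():
        m = ENABLED_RE.match(key)
        if not m:
            continue
        svc = m.group("svc")
        base = f"vpn:Servers:{svc}:IPv4:DestAddressRanges:_array_index:"
        first, last = settings.get(base + "0"), settings.get(base + "1")
        if first and last:
            lo, hi = sorted(ipaddress.ip_address(a) for a in (first, last))
            pools[svc] = (value == "yes", lo, hi)
    return pools


def pool_overlaps(lo, hi, client_net):
    """True if any address in the inclusive range lo..hi lies inside client_net."""
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(client_net, strict=False)  # accept host bits set
    return lo <= net.broadcast_address and hi >= net.network_address


def conflicts(text, client_net):
    """Names of enabled services whose client pool collides with client_net."""
    pools = client_pools(parse_settings(text))
    return sorted(svc for svc, (enabled, lo, hi) in pools.items()
                  if enabled and pool_overlaps(lo, hi, client_net))


if __name__ == "__main__":
    for svc, (enabled, lo, hi) in client_pools(parse_settings(SAMPLE_SETTINGS)).items():
        print(f"{svc}: enabled={enabled} pool={lo}-{hi}")
    for net in ("192.168.1.0/24", "10.0.1.0/24"):
        print(f"client on {net}: conflicts with {conflicts(SAMPLE_SETTINGS, net)}")
```

Run against a client that is itself on a 192.168.1.0/24 network, the constructed dump reports the enabled L2TP service as a conflict, exactly the case step 5 warns about; the disabled PPTP pool is ignored.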
