Q: OS X Server 5.0+ > VPN Host Name

DNS should stand for Do Not Skip.  DNS is the foundation of your server and I've been screaming for years against the use of private top level domains when setting up a server.  Bite the bullet and use split horizon DNS.  Today you may say that the server will run Wiki and VPN.  But tomorrow it may run Profile Manager, Open Directory, or Calendar.  You don't know what the future holds so why design with a limitation that you may need to over come?

Ok, that being said, if this system was always going to be a VPN server that provided access to Wiki content and users only accessed it from remote locations, then you still would have a challenge.  Let's walk through it.

You have a server on a LAN at address 192.168.0.2.  It is given a name of server.berndt.local and a Bonjour name of server.local.  Neither of these are routable and are only in context on your LAN.  The double use of .local confuses Bonjour and only makes setup of other services more difficult.  But ok, this is what you have.  Now, you have a fixed public address of 17.18.19.20 and you are port forwarding your VPN ports to allow users to access the server from anywhere in the world.  They configure the VPN client using vpn.berndt.com and now if your ISP alters your IPs you make a public DNS change and no clients need to be altered.  VPN is a port.  It does not care if your host name matches.  So with a public identify of vpn.berndt.com and a private identity of server.berndt.local, the client still connects.  But, aha... What stack do you deliver when the VPN connection is made?

Connecting via VPN provided the client device with a DHCP lease.  These lease will include an IP address, a subnet mask, a router address, and ideally DNS and search domain information.  This data is delivered to give the client the experience of "being on the LAN."  Ok, so what URL do you envision the user's using to connect to your Wiki?  They can not use vpn.berndt.com because that is a public record that terminates at your firewall.  And since you should not be port forwarding http/https they will need to rely on your LAN DNS to route to the resource. 

If this is the logic, then just build proper LAN DNS.  Use a routable domain and TLD.  You don't need to use it, but should you in the future, you will not need to forklift the existing deployment to change course.  Here is an example.  Similar to before.

You have a server on a LAN at address 192.168.0.2.  It is given a name of wiki.berndt.com on your local DNS.  Publicly, you assign vpn.berndt.com to your firewall's public address 17.18.19.20.  Clients on the outside can use vpn.berndt.com to connect to the environment and when they do they are server a LAN stack that includes the DNS server address of your LAN DNS.  Now when the client asked for wiki.berdnt.com they are delivered to the internal server and can input wiki content safely and securely over the VPN connection.

And ah, 6 months down the road your users are requested calendar service and they want it on all devices and don't want to VPN in first.  Now that the LAN DNS is routable, you can define cal.berndt.com on your LAN DNS pointing to a private address and cal.berndt.com on the public DNS pointing to your public address.  Now devices moving between LAN and WAN just work and don't need to be reconfigured due to inconsistent naming.

Probably too much info.  Sorry.  I get on rants with DNS.  Start smart.  Stay away from private domains.  Stay away from .local.  That is for Bonjour.

Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books

net-plus-ultra wrote:

My server is configured as an Intranet which will provide (native) Wiki services to (future) registered users who will connect through VPN from outside my LAN boundaries.

If you want users to be able to connect from outside your LAN, then you have to specify how those users are going to connect to your Server, that's what the "VPN Host Name" is for. You can keep your host name as "keyword.host-name.private", but you need some way to point your users that are connecting over the Internet back to your server.

One way you could do this would be to set your VPN Host Name to the static IP address of your server, though as Strontium90 suggested, you'll still need to set up DNS (and configure your VPN to use your server for DNS) assuming you want your users to be able to type "keyword.host-name.private" into Safari to access your wiki after the connect over VPN. If you're running behind a NAT (typically a router), you'll also need to configure port forwarding for the necessary VPN ports (TCP 1723, UDP 500, UDP 1701, UDP 4500).

..And I am gonna get your books, Reid. You're very helpful!

Bill

The DNS is already provided for, that’s even quite automatic (as far as my installation is concerned). Since the address that the users will see in their browser after the VPN connection has to be a fully qualified domain name which can’t end with .local or .private, as the server help manual indicates, I am missing something here.

Can you clarify what you mean here? Having your host name set is not the same as setting up DNS (there is a service in Server.app under the "Advanced" section called DNS that needs to be on, assuming you want to use Server for DNS). Also, you can definitely use a .private address with a VPN.

As a matter of fact, if you step through the "Edit Host Name…" assistant in Server.app, it will actually recommend a .private address if your users will access your server over "Local Network and VPN".

To address your latest question specifically, this is certainly an option:

I have to create a new domain name with my registrar (OVH), which I would use as the new VPN Host Name (point 3).

Your VPN Host Name just needs to be set to a host name or IP address that will resolve to your server. A registered domain is the best way to do this (really the only way if you don't have a static IP address). If you're going to go that route, I recommend following Strontium90's advice and "build proper LAN DNS.  Use a routable domain and TLD.".