OS X Server includes a VPN service. Setting up the VPN is easy, but a quick search turns up several different methods, which can be confusing. This post shows one method that clears up the confusion and should have you up and running quickly.
In this example, we are going to use a Mac Mini running OS X Server 5.0.x that has already been set up as a .local server. We will configure the server to use the L2TP/IPsec tunnelling protocol. This isn't as secure as OpenVPN, but IPsec encryption/decryption occurs at the kernel level, which gives it the added advantage of multi-threading over OpenVPN. So, it's a secure enough starting point.
Note: OS X Server 5.0.x supports OS X Yosemite v10.10.5 or OS X El Capitan v10.11.1.
Follow my instructions below, and you will be up and running in about 15 minutes.
Change .local server to .private to use VPN (if you haven’t already):
- Launch Server.app > Edit host name
- Click > Next then Check option > Local Network and VPN > Next
- Edit Host Name: example.private (edit the ‘example’ server name)
- Click > Finish
Now we need to configure the VPN service on the Mac Mini OS X Server:
- Click DNS from Services pane
- Click > Permissions: All Networks (options – ‘private’ or ‘only some’)
- Forwarding Servers: IP address is automatically assigned
- Lookups: Check > Perform lookups for: ‘only some clients’
- Edit Lookup Clients… Check “The server itself”
- Status Toggle > ON
- Status: DNS settings will be Server IP address (green symbol)
- Click VPN from Services pane
- Settings: Configure VPN for L2TP/IPsec
- VPN Host Name: Use your public IP address (type 'my ip address' into the Google search bar to find it)
- Shared Secret: don’t use the default or special characters. Use 16 characters for this Pre-Shared Key (PSK)
- Client Addresses: Assign an IP address that is outside the internal range of your server. You can also choose to assign x number of addresses for VPN
- DNS Settings: use your Server IP address
Next, we need to configure the router:
Never "open" your ports!! Consult your router's User Guide, then enable port forwarding on your router for the ports below. Note: enter each port in both the 'Port from' and 'Port to' port forwarding boxes, using the Server IP address as the 'IP address' for each one:
- UDP 500 – for use with ISAKMP/IKE
- UDP 1701 – for use with L2TP
- UDP 4500 – for use with IPsec NAT Traversal (this handles the encryption)
You will also need to set the Primary DNS for your LAN – use Google's 8.8.8.8 and 8.8.4.4.
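A pre-flight check for the server and router values chosen above, as an added example that is not part of the original post. It assumes that "outside the internal range" means outside the router's DHCP pool; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
REQUIRED_UDP = {500: "ISAKMP/IKE", 1701: "L2TP", 4500: "IPsec NAT Traversal"}


def new_psk(length=16):
    """Random shared secret of letters and digits, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def check_plan(psk, server_ip, dhcp_pool, vpn_pool, forwards):
    """Return a list of problems with a planned setup; an empty list means OK.
    dhcp_pool / vpn_pool: (first, last) address strings, inclusive.
    forwards: (protocol, port, target_ip) tuples as entered on the router.
    Assumption: the "internal range" to stay outside of is the DHCP pool.
    """
    problems = []
    if len(psk) != 16 or any(c not in ALPHANUM for c in psk):
        problems.append("shared secret is not 16 letters/digits")
    server = ipaddress.ip_address(server_ip)
    d0, d1 = (ipaddress.ip_address(a) for a in dhcp_pool)
    v0, v1 = (ipaddress.ip_address(a) for a in vpn_pool)
    if v0 > v1:
        problems.append("VPN client range is reversed")
    elif v0 <= d1 and d0 <= v1:
        problems.append("VPN client range overlaps the DHCP pool")
    if v0 <= server <= v1:
        problems.append("VPN client range contains the server address")
    rules = {(proto.upper(), int(port)): ipaddress.ip_address(ip)
             for proto, port, ip in forwards}
    for port, use in REQUIRED_UDP.items():
        target = rules.get(("UDP", port))
        if target is None:
            problems.append(f"UDP {port} ({use}) is not forwarded")
        elif target != server:
            problems.append(f"UDP {port} ({use}) is forwarded to {target}, not the server")
    return problems


# Constructed sample values (not from the original post).
SAMPLE_FORWARDS = [("udp", 500, "192.168.1.10"), ("udp", 1701, "192.168.1.10"),
                   ("udp", 4500, "192.168.1.20")]
SAMPLE_RESULT = check_plan(new_psk(), "192.168.1.10", ("192.168.1.100", "192.168.1.199"),
                           ("192.168.1.190", "192.168.1.220"), SAMPLE_FORWARDS)
if __name__ == "__main__":
    print("\n".join(SAMPLE_RESULT))
```

The sample plan is deliberately wrong in two places, so running the file prints the overlap and the misdirected UDP 4500 rule.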
Lastly, we can configure the VPN client on your Mac running OS X:
- System Preferences > Network
- Click + > Interface (click dropdown) > VPN
- Configuration: Default
- Server Address: Use your public IP address (VPN Host Name)
- Account Name: see Accounts > Users on OS X Server
- Click > Authentication Settings
- Add Account > User > Password
- Add Shared Secret (PSK) > click > OK
- Click > Advanced
- Options tab – Uncheck > Send all traffic over VPN connection
- DNS tab – click + and add your Server IP
- Check > Show VPN status in menu bar, then click > Apply
Now that you have completed the VPN setup for both the server and client, you can connect to your VPN server.