Secure Remote Access With VPN

When most users think about remote access, what they ask for is VPN. For travel, telecommuting, and satellite offices, virtual private networks have been the defacto method of remote access for the better part of this decade. Though an assortment of VPN solutions are available for the Macintosh platform, many require third-party clients that may not keep pace with operating system changes, and while VPN is a complex system requiring a well-provisioned network, none is more easily configured the VPN service built in to Mac OS X Server.

Configure The VPN Service On Mac OS X Server:

To begin, open Server Admin, selecting the machine that will become your VPN server from the "Available Servers" column. In the "Services" tab, check "VPN" then click "Save". Now select the VPN service from the list on the left, and begin with the "L2TP" pane.

VPN: L2TP Configuration

Check "Enable L2TP over IPsec" and fill in the starting and ending IP addresses for the IP range of your network that can be assigned to VPN clients. In the "PPP Authentication" section click the "Directory Service" option to allow VPN access to users with server or network accounts. In most environments you'll want to choose "MS-CHAPv2" as your method of authentication, as it's simpler to troubleshoot remotely compared to Kerberos ticketing. Under "IPSec Authentication", enter a long and complex password to use as the shared secret for authorizing VPN clients. This password is the basis for all point-to-point encryption, so the greater the number and assortment of characters the better off you'll be.

VPN: Client Information

Next, go to the "Client Information" pane, and fill in the DNS servers and search domains that your VPN clients should be assigned once inside your network. Click the "plus" symbol at the bottom of the window and add your network information, including your network's IP address (likely ending in zero) and subnet mask, and mark the entry as "Private" from the pull-down menu. Then click the "Start VPN" button.

This is all the configuration that's required on the server side, but you'll need to make sure your router or firewall is set up properly as well, configuring it to allow forwarding of ports 500, 1701, and 4500 to your server from your external IP.

Configure VPN Access On Mac OS X Client:

On your VPN client machines, open the "Network" pane in System Preferences. Click the "plus" sign, then select "VPN" from the "Interface" menu that appears, and below it "L2TP over IPSec" from the "VPN Type" menu. Fill in the server address (either by name, if it's referenced in your external DNS, or by external IP) and the account name from the server, then click "Authentication Settings".

VPN: Client Configuration

In the window sheet that appears, enter the password for the user account you're connecting with, and below it enter the shared secret for the VPN installation. Click "OK" to save the settings, then click "Connect". If everything is working properly properly, you'll see a green light next to the padlock graphic on the left, and you should now be able to reach machines inside your protected network from remote locations.

Categories: Mac OS X Leopard, Mac OS X Tiger, OS X Server 
Posted on 5 December 2007 by Ellis Jordan Bojar