
Creating a vpn server on my mac mini


9 replies to this topic

#1 #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 02 July 2014 - 20:51

This is just for a learning experience and not really much else.  Not sure though what I am doing wrong.  My Comcast account is a dynamic IP, so I have a No-IP account, which is xxx.ddns.net, that points back to my house.

 

My Mac mini is on 10.9.3 and has OS X Server 3.1.2 running on it.  I set it up to manage the AirPort Extreme base station and set up the VPN server.  The VPN is set up for L2TP and has the last 20 IPs set aside for it.  I have the account and pre-shared key set up.

 

But from there I am not sure what else I need.  I want to test this on a computer that is off the network.  If I create a VPN connection on a laptop, the destination should be xxx.ddns.net...correct?  I tried it and it failed to connect.




#2 Brian M.

Brian M.

    Neowinian Senior

  • Tech Issues Solved: 10
  • Joined: 07-January 05
  • Location: London, UK

Posted 02 July 2014 - 21:03

This is just for a learning experience and not really much else.  Not sure though what I am doing wrong.  My Comcast account is a dynamic IP, so I have a No-IP account, which is xxx.ddns.net, that points back to my house.

 

My Mac mini is on 10.9.3 and has OS X Server 3.1.2 running on it.  I set it up to manage the AirPort Extreme base station and set up the VPN server.  The VPN is set up for L2TP and has the last 20 IPs set aside for it.  I have the account and pre-shared key set up.

 

But from there I am not sure what else I need.  I want to test this on a computer that is off the network.  If I create a VPN connection on a laptop, the destination should be xxx.ddns.net...correct?  I tried it and it failed to connect.

 

Is your No-IP domain resolving? Given the recent issues, that could be the problem.



#3 OP #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 02 July 2014 - 21:16

Is your No-IP domain resolving? Given the recent issues, that could be the problem.

 

It is.  I am using one of the domains that has not been seized by Microsoft.



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 02 July 2014 - 21:51

And did you set up the forwards on your router (your AirPort base station), I would assume? And trying to hit it from inside is prob not going to work unless you have NAT reflection set up. You're going to want to test from outside your network.

L2TP doesn't do any encryption - do you have it paired with IPsec? Most likely you're going to need UDP 500 (IKE) and 4500 (NAT-T), and prob ESP (protocol 50).

You might be better off playing with something easier like OpenVPN, which would just use 1 port that you would have to forward, and you wouldn't have to deal with protocols like 50, 47 (GRE), or AH (protocol 51).

This might help - a guy set up OpenVPN on his Mac mini, so this should be pretty close to what you want to do:
http://www.stevesell.com/?p=36

#5 OP #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 03 July 2014 - 13:43

Sorry about not responding last night...had a few things to take care of.

 

And did you set up the forwards on your router (your AirPort base station), I would assume? And trying to hit it from inside is prob not going to work unless you have NAT reflection set up. You're going to want to test from outside your network.

L2TP doesn't do any encryption - do you have it paired with IPsec? Most likely you're going to need UDP 500 (IKE) and 4500 (NAT-T), and prob ESP (protocol 50).

You might be better off playing with something easier like OpenVPN, which would just use 1 port that you would have to forward, and you wouldn't have to deal with protocols like 50, 47 (GRE), or AH (protocol 51).

This might help - a guy set up OpenVPN on his Mac mini, so this should be pretty close to what you want to do:
http://www.stevesell.com/?p=36

 

Port forwarding is set up.  By letting OS X Server manage the AirPort base station, it will automatically set up port forwarding during the VPN server setup.

 

L2TP is paired with IPsec.  Again, all ports are forwarded correctly.  This is why I am not sure what I am missing.

 

If I have this correct it should go something like this:

1. On a computer that is on an entirely different network, set up a VPN connection using L2TP which connects to my No-IP address (xxx.ddns.net)

2. That connection goes back to my Mac mini

3. The VPN connection should use a username/password that I have set up on the Mac mini (otherwise how would it know who to authenticate)

4. The VPN should then connect and assign it one of the IP addresses that I have reserved for it.

 

Anything else?



#6 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 July 2014 - 14:20

Here is the thing - while ports might be forwarded, you also have to forward the protocol, which many routers have problems with and lack features for.

Example: read this thread
https://discussions....message/3526517

You could try putting your server IP in the DMZ of your base station.

#7 OP #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 03 July 2014 - 14:32

Here is the thing - while ports might be forwarded, you also have to forward the protocol, which many routers have problems with and lack features for.

Example: read this thread
https://discussions....message/3526517

You could try putting your server IP in the DMZ of your base station.

 

That thread is very interesting.  Something that I will need to look at later today.  And while that thread is dated from 2006, I am not entirely sure how relevant it still is.  The AEBS has gone through a couple of generation upgrades since then, and it would be my hope that this would have been solved by now.  I could re-do the VPN setup and switch over to PPTP, I suppose.



#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 July 2014 - 14:38

While I agree it's dated - many SOHO routers, not just Apple, have issues with forwarding protocols. They are designed as HOME routers; needing to forward VPN protocols inbound is normally not a required feature for their user base. Outbound should not be a problem, just allow VPN passthrough.

But inbound can be problematic -- sometimes the workaround is using the DMZ feature vs forwarding. Some routers then send ALL traffic to the DMZ IP, including the protocols that VPNs require.

The other aspect of this is that normally you would want your VPN server to be your actual edge device, and not a box inside your NAT. Your router/firewall is the normal VPN endpoint when you move to a business setup. Which is again why your ability to forward protocols inbound is lacking in SOHO devices.
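A small checker for the point made in posts #4 and #8: a port-forward list can look complete and still miss the port-less IP protocols (ESP, GRE, AH) a VPN server behind NAT needs, while a DMZ host receives everything. This is an added example, not code from the thread or from OS X Server; the rule format, the `Forward` class and the sample forwards are constructed, and the protocol/port numbers are the standard ones BudMan cites.

```python
"""Check whether a router's inbound rules deliver what a VPN server behind NAT needs.

Added example (not from the thread). The rule format and the requirement
table are assumptions; the port and protocol numbers are the standard ones.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Requirements per VPN type as (proto, port); port None means the whole IP
# protocol, which a plain "forward TCP/UDP port N" rule cannot express.
# For L2TP/IPsec, raw ESP (protocol 50) is needed unless both ends negotiate
# NAT-T, which wraps ESP inside UDP 4500; L2TP itself (UDP 1701) rides inside.
REQUIREMENTS = {
    "l2tp-ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],
    "openvpn": [("udp", 1194)],
}


@dataclass(frozen=True)
class Forward:
    proto: str            # "tcp", "udp", "esp", "gre", "ah" (case-insensitive)
    port: Optional[int]   # None for IP protocols that carry no port
    to_host: str          # internal address the router delivers to


def missing_forwards(forwards: List[Forward], vpn: str, server: str,
                     dmz_host: Optional[str] = None) -> List[Tuple[str, Optional[int]]]:
    """Return the requirements of `vpn` that do not reach `server`.

    A DMZ host gets every unsolicited inbound packet, including port-less
    protocols, which is why DMZ works where per-port forwards do not.
    """
    if dmz_host is not None and dmz_host == server:
        return []
    have = {(f.proto.lower(), f.port) for f in forwards if f.to_host == server}
    return [req for req in REQUIREMENTS[vpn] if req not in have]


# Constructed sample: the forwards a server-managed base station might create
# for L2TP/IPsec. Ports are covered, but nothing carries raw ESP inbound.
SERVER = "10.0.1.2"
SAMPLE_FORWARDS = [
    Forward("udp", 500, SERVER),
    Forward("udp", 4500, SERVER),
    Forward("udp", 1701, SERVER),
]

if __name__ == "__main__":
    print("missing:", missing_forwards(SAMPLE_FORWARDS, "l2tp-ipsec", SERVER))
    print("missing with DMZ:",
          missing_forwards(SAMPLE_FORWARDS, "l2tp-ipsec", SERVER, dmz_host=SERVER))
```

Running it reports ESP as the gap without a DMZ host and nothing with one, which matches the outcome in post #9.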

#9 OP #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 06 July 2014 - 18:17

So an update on this.  I have been able to fix this by using BudMan's suggestion of putting the Mac mini in the DMZ.  It now works.  So, now my next experiment was to create a VPN connection from my dad's Asus RT-66U router back to this.  I noticed though that it doesn't contain a field for the shared secret.  So it won't connect back.  Any idea why?

Attached Images

  • Screen Shot 2014-07-06 at 1.10.38 PM.jpg


#10 OP #Michael

#Michael

    Neowinian Senior

  • Joined: 28-August 01

Posted 10 July 2014 - 21:22

Anyone have any thoughts?
