VPN Between Mountain Lion Server VPN Server and Native Mac Client - What's Missing???

19austin85
Sep 10, 2012, 10:07 PM
So I want to set up a VPN between my Snow Leopard Mac at home and my Mountain Lion Server Mac at work. I've enabled the VPN server on the Mountain Lion server, and I've forwarded all VPN ports on the router at work to the OSX Server computer. I have the VPN server set to use L2TP AND PPTP, but no matter what settings I put in the Snow Leopard Mac client at home, I can't get it to connect.

What am I missing here? Can someone please walk me through this? Surely it is NOT as difficult as I am making it out to be...

This seems to be the simplest way to do what I'm trying to do besides using LogMeIn Hamachi, but I don't want to do that.

I have also tried setting up an IPSec VPN through the Linksys RVS4000 router using IPSecuritas, but had no luck.

I have also tried setting up a PPTP VPN from work to home through my home DD-WRT router, using the native Mac PPTP VPN client, also with no luck.

I'm not very smart when it comes to networking, but smart enough to know that I must be missing something important here.

Finally, a slightly unrelated question: Is there any way at all to share a connected network volume via OSX Server file sharing?

The main thing I am trying to do is to access a network share on the Windows 2003 Server network server at work. I forwarded all ports for SMB and AFP, but couldn't connect to it via Finder, so it's looking like my next best solution is a VPN to the Mac Server which is connected to the same network as the share I need to access.

Sorry this post is so long. Can anybody help?...please?



switon
Sep 11, 2012, 12:42 PM
Hi,

I do similar VPN-ing in both directions also, from SL to ML and from ML to SL. I found that I needed to open UDP ports 500, 1701, and 4500 on the routers to allow L2TP to work and TCP port 1723 to allow PPTP to operate. You might check your routers to see if any of these ports are being blocked. Do the routers provide the proper DNS services to the VPN clients, or perhaps you have alternative DNS servers that the routers point to? Do the routers direct VPN traffic to the VPN servers properly? (I use Wireshark, built using MacPorts, to view the network traffic to make sure that the VPN traffic is being routed correctly.) Instead of using DNS hostnames you might try using the IP addresses for the machines to see if you can connect VPN using the IP addresses - if so, then you have a DNS/router problem. Next you might try using the ML OS X Server VPN pane to save a mobileconfig profile that may be used to set up the VPN connection from the client computer. Make sure that you don't have "Back to My Mac" on in iCloud, as it conflicts with VPN since both use port 4500.

If you still can't get VPN to work, you might then try to get SSH to work first by opening TCP port 22 on the routers and directing port 22 traffic to the appropriate servers. I find that first getting SSH working through the routers' and servers' firewalls/DNS/OD will often help me to get VPN working, as it at times shows me what the original problem was...just a suggestion.

I also connect to both a 3TB NAS (Gbps ethernet) as well as a 16TB RAID system attached to a local server on the office's LAN from my home. I do this by first VPN-ing in to the office LAN and then mounting the SMB volume or using "Connect to Server" to connect to the "afp://machine/Volumes/RAID-drive" using AFP (where "machine" and "RAID-drive" are the appropriate names). Unlike when you are on your office LAN, when VPN-ing in to your office from your home you generally won't see the NAS or the connected RAID at work even though you have VPN-ed into the office's LAN. Thus you most likely will have to manually mount these storage units, as mentioned above.

I know how frustrating this can be, but it will be well worth the effort once you get VPN working, as then you can communicate securely (encrypted) from home to work and use all resources at work including storage and printers. I also use VNC/Screen Sharing to administer the office's server as well as administering my home server from the office also with VNC/Screen Sharing.

Good luck,
Switon

P.S. Sorry if this information is redundant or too simplistic ... if you want more specific directions then I would have to know more details about your equipment.

19austin85
Sep 11, 2012, 02:23 PM
Thank you so much for your reply. It was apparently exactly what I needed to get my VPN up and working, although in not as many words as you might expect. I actually gave a half-hearted shot at your port-forwarding advice in like the first two sentences of your reply, and lo and behold, it worked. (I had previously forwarded all VPN ports on my work router, but I didn't even think to forward the ports on my home router.) Once I forwarded the PPTP port on my home router, I was able to connect no problem to the DD-WRT PPTP VPN server running on that router.

HOWEVER...I still can't connect to any network shares. As you suspected, I am not able to see them, even though I'm connected to the network. I also can't connect in Finder via AFP or SMB. I type the share name (smb://dasNAS), but apparently I'm missing something. Do I need to forward the SMB and AFP ports on my home router to be able to access my home network shares from work, even though I'm connected to my home network over VPN???

Also, now that I've forwarded the right port, I'm going to try connecting my Snow Leopard Mac to the Mountain Lion VPN Server once I get home tonight and see if that makes any difference. I wouldn't think it should; a VPN is a VPN no matter how you slice it, right?

woodlandtrek
Sep 11, 2012, 02:37 PM
Bonjour doesn't work over VPN by default, so you will have to connect directly; you won't see it in the Finder. Try connecting to the NAS using its IP address instead of its name. Remember that your Snow Leopard Mac is operating in two networks simultaneously, so if your IP address range is the same for both networks, you're going to have conflicts. (I.e. if both networks have addresses starting at 192.168.1.xxx, your computer won't know where to find the NAS.)

If you can connect to the NAS via the IP address, then the problem lies with DNS. You need to make sure that your computer at home is using the work's DNS server when you are connected to the VPN. Then it would know how to find dasNAS.

19austin85
Sep 11, 2012, 03:00 PM
Thanks, I was discovering the exact same thing. I couldn't find the NAS by its local IP, so I knew there must be conflicts because I was on the same subnet <-- correct term?

I changed my router's subnet to 192.168.2.1, but then I lost remote access to the router from work, even though it's set up with Dynamic DNS. A scenario like this happened yesterday, and all I had to do was hook up to the router via ethernet and restart it, so all should be fine, but I can't get in touch with my wife to walk her through it right now while I'm at work :/

Hopefully, once I restart the router on 192.168.2.1 and access work on 192.168.1.1, everything will work as expected.

Oh yeah, so from what I've been reading, it appears that network shares can be visible over L2TP VPNs. Is this true? Would I be able to see the shares over L2TP, as opposed to PPTP???

woodlandtrek
Sep 11, 2012, 03:53 PM
I don't think there is a noticeable difference in PPTP and L2TP as far as functionality is concerned. I've not used PPTP, and have never seen Bonjour shares over the VPN. There may be ways of forwarding that traffic to VPN clients, but I'm not sure how.

For your router at home, I would either change it to the 10.x.x.x range, or make sure your subnet mask is set correctly. If it's set to 255.0.0.0, then all addresses starting with 192 (in your case) will be in the same subnet. You would need to set it to 255.255.255.0 so that 192.168.1.x is a different subnet than 192.168.2.x.

19austin85
Sep 11, 2012, 08:20 PM
Okay...here is my current setup. This might be completely wrong, but here goes: my home network is set to 192.168.2.1. My work network is set to 192.168.1.1. My Mountain Lion computer at work (VPN Client)'s local IP address is 192.168.1.100. What should I set the work (client) computer's VPN IP as? Currently, it's connected as 192.168.1.49 or something like that, but I can't access any shares. It can also connect at like 172.160.10.10, but logically thinking, it should be on the same local network as the shares I want to access -- is that thinking incorrect? That's the reason I have it set up on 192.168.1.xxx.

Home subnet mask is set to 255.255.255.0, and so is remote (work) subnet mask. I set the client's DNS server as one of the three DNS servers specified in my work's router settings (192.168.1.5 -- the other two are static DNS servers provided by our ISP, I assume). Should the DNS server be set as my home (remote) router's address -- 192.168.2.1? I seem to recall that it wouldn't connect with those settings, but I could be mistaken. I've tried so much that I'm starting to forget what works and what doesn't.

With this additional information, is there anything else you guys can provide that might help? Thank you so much for all of your input by the way!

(EDIT: UPDATE -- I set the remote (work) client VPN address to 192.168.2.xx, and it connected now. No idea why it wouldn't connect before. But I can see my shares from home! Yay!)

Question: does this VPN work both ways??? Will I also be able to access my shares from work at home, or will I need to setup another VPN going in the other direction?

Example: Since my network at home is 192.168.2.1, and work is 192.168.1.1, and my VPN client is setup on 192.168.2.xx, will I be able to access 192.168.1.xx from 192.168.2.xx? Something tells me NO, and that I WILL have to setup another VPN to make this work. I'd just like to know before I go and start experimenting. Thanks!

pdjudd
Sep 11, 2012, 08:39 PM
> With this additional information, is there anything else you guys can provide that might help? Thank you so much for all of your input by the way!

Set your router so that it is giving you IP addresses on anything other than 192.168.1.x. Set it to start its range in the 192.168.y.x where y is any value other than 1. The x addresses will be assigned by DHCP.

Sounds like you are suffering from an IP address conflict. We get those all the time with MiFis and our work network with VPN clients. The MiFi was issuing addresses on the same subnet as our network and caused havoc with IP conflicts on the network. You can't get shares, because the local network can't connect to anything because there is nothing there and it cannot find the drives.

tigres
Sep 11, 2012, 08:42 PM
I would set my start ip to 192.168.1.210 and end at 192.168.1.221 on SL server VPN settings, and make sure your DNS settings are correct.

Can you VNC into the SL server? Does it have a static IP address? If you can VNC into it, you are getting through to it, so you may have to tweak some settings.

Also, did you set up a shared secret?

19austin85
Sep 11, 2012, 09:25 PM
> (EDIT: UPDATE -- I set the remote (work) client VPN address to 192.168.2.xx, and it connected now. No idea why it wouldn't connect before. But I can see my shares from home! Yay!)
>
> Question: does this VPN work both ways??? Will I also be able to access my shares from work at home, or will I need to setup another VPN going in the other direction?
>
> Example: Since my network at home is 192.168.2.1, and work is 192.168.1.1, and my VPN client is setup on 192.168.2.xx, will I be able to access 192.168.1.xx from 192.168.2.xx? Something tells me NO, and that I WILL have to setup another VPN to make this work. I'd just like to know before I go and start experimenting. Thanks!

I can now access my home shares from work, but I can't access my work shares from home. Do I need another VPN connection going the other way for this? Was I wrong by setting my home router to 192.168.2.1 instead of keeping it 192.168.1.1 (same subnet as work)?

My work VPN client is currently set as 192.168.2.46, so I can finally connect to my NAS at 192.168.2.9 on my home network. But when I'm at home, I need to connect to 192.168.1.5 on the remote (work) network. Did I go about this in the wrong way? Is there a way to get everything on the same local network, or do I need another VPN hosted on my remote (work) OSX Server going to my Snow Leopard Mac client at home?

----------

And just to clarify, my current setup is a PPTP VPN connecting my remote (work) Mac client running Mountain Lion Server to my home router's PPTP VPN server.

The next order of business (if it has to come to this) is setting up the VPN from my home Mac client running regular Snow Leopard to the remote (work) Mountain Lion VPN server.

switon
Sep 11, 2012, 10:53 PM
Hi, and wow! Congrats at getting your work to home VPN operating. Glad you also were able to mount the NAS at home from work. Personally, through VPN I use SMB mounts for mounting a NAS disk (ethernet attached) while I mount a RAID system attached to a server using AFP.

And yes, I believe you will have to run a VPN server on your work server in order to VPN from home to work. Personally, I prefer L2TP over PPTP for security reasons, but it is your choice.

Yes, Bonjour (zeroconf, mDNS) does not automatically show your shared disks over VPN. This is why I had mentioned that you need to mount these disks manually. Did you try the "Connect to Server..." under Finder's Go menu? Let's say your disk attached to your server is mounted as /Volumes/Big_disk on the home server. You VPN from work to your home server. Then open Finder -> Go -> Connect to Server... --> afp://server.dns.name.or.ip.address/Big_disk and this should connect to the Big_disk mounted on the home server via VPN from work.

It sounds like you are having trouble with IP addresses. If I were you, I'd set an entirely different IP network for your home LAN than what you use at work. I do this, and it works well. You have to be certain that the VPN server assigns IP addresses that are on the same network as the local LAN, otherwise you won't necessarily have a route from the VPN assigned IP address of the client to the resources on the LAN of the server (unless, of course, you provide your own gateway router with NAT, etc.). Basically, the LAN's DNS server has to work with the VPN server to assign proper DNS IP addresses to everyone, meaning that the DNS server assigns IP addresses to the local resources, such as local computers, routers, network printers, NASes, while the VPN server must assign IPs to VPN clients that are on the same network but do not conflict with the IPs assigned by the DNS server. Personally, I have my DNS server assign IPs in the range from 10.0.1.20 to 10.0.1.200 with a few of these IP addresses reserved for specific machines so that certain machines always have the same IP addresses, while the VPN server assigns IPs in the range 10.0.1.201 to 10.0.1.240. If your router also does DHCP, then you must make sure that the router assigned IPs match the IPs assigned by your DNS server. So the router assigns an IP address (the xxx.xxx.xxx.xxx) to a particular MAC address (the xx:xx:xx:xx:xx:xx address), and the DNS server assigns a particular hostname, say Laser_Printer.home.private to the specific IP address. The DNS server then translates back-and-forth between the IP address and the DNS hostname on your LAN.

And lastly, are you doing any Active Directory (Windows) or Open Directory (Mac OS X) stuff? OD allows network logins that I find very useful, but it can cause innumerable problems if not set up correctly.

Good luck,
Switon
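The subnet advice in woodlandtrek's and switon's replies above (home and work LANs must not overlap, the mask decides what "overlap" means, and the VPN server's client pool must sit inside its LAN without colliding with the DHCP range) can be checked mechanically. The following is an added example, not code from anyone in this thread; the network values it tests are the ones quoted in the discussion, and the function names are my own.

```python
"""Address-layout checks for a split home/work VPN setup (constructed example)."""
import ipaddress
from typing import List


def lan(router: str, mask: str) -> ipaddress.IPv4Network:
    """Build the LAN from a router address and a dotted mask,
    e.g. ("192.168.2.1", "255.255.255.0") -> 192.168.2.0/24."""
    return ipaddress.ip_network(f"{router}/{mask}", strict=False)


def same_subnet(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> bool:
    """True when the two LANs overlap: a VPN client that is on both at once
    then has no unambiguous route for addresses in the shared range."""
    return a.overlaps(b)


def pool_in_lan(pool_start: str, pool_end: str, net: ipaddress.IPv4Network) -> bool:
    """The VPN server's client pool must lie inside the LAN it fronts,
    otherwise the client has no route to that LAN's shares (no NAT gateway)."""
    s, e = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return s in net and e in net and s <= e


def ranges_overlap(a_start: str, a_end: str, b_start: str, b_end: str) -> bool:
    """Inclusive address-range overlap, used for DHCP range vs VPN pool."""
    a0, a1 = ipaddress.ip_address(a_start), ipaddress.ip_address(a_end)
    b0, b1 = ipaddress.ip_address(b_start), ipaddress.ip_address(b_end)
    return a0 <= b1 and b0 <= a1


def audit(home_router: str, home_mask: str, work_router: str, work_mask: str,
          dhcp_start: str, dhcp_end: str, vpn_start: str, vpn_end: str) -> List[str]:
    """Return the list of layout problems for a client at home tunnelling into
    work (DHCP range and VPN pool both belong to the work LAN). Empty = sane."""
    problems: List[str] = []
    home, work = lan(home_router, home_mask), lan(work_router, work_mask)
    if same_subnet(home, work):
        problems.append(f"home {home} and work {work} overlap; the client cannot "
                        "tell which side an address in that range is on")
    if not pool_in_lan(vpn_start, vpn_end, work):
        problems.append(f"VPN pool {vpn_start}-{vpn_end} is outside {work}; "
                        "clients get no route to the LAN shares")
    if ranges_overlap(dhcp_start, dhcp_end, vpn_start, vpn_end):
        problems.append(f"VPN pool {vpn_start}-{vpn_end} overlaps DHCP range "
                        f"{dhcp_start}-{dhcp_end}; duplicate addresses likely")
    return problems


if __name__ == "__main__":
    # The thread's starting point: both sides on 192.168.1.0/24.
    for p in audit("192.168.1.1", "255.255.255.0", "192.168.1.1", "255.255.255.0",
                   "192.168.1.20", "192.168.1.200", "192.168.1.150", "192.168.1.240"):
        print("PROBLEM:", p)
    # switon's layout: DHCP 10.0.1.20-200, VPN pool 10.0.1.201-240, home on 192.168.2.0/24.
    print("switon layout problems:",
          audit("192.168.2.1", "255.255.255.0", "10.0.1.1", "255.255.255.0",
                "10.0.1.20", "10.0.1.200", "10.0.1.201", "10.0.1.240"))
```

Note that with a 255.0.0.0 mask the function reports 192.168.1.1 and 192.168.2.1 as the same subnet, which is exactly the case woodlandtrek warns about.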

19austin85
Sep 11, 2012, 11:34 PM
If I have my subnet mask set to 255.255.255.0, does it really matter if I set my home network as an entirely different network? Or could this still cause problems if home is 192.168.2.1 and work is 192.168.1.1?

Also, I'm having a lot of trouble connecting from my Snow Leopard Mac VPN client to my Mountain Lion VPN server at work. It keeps saying "Authentication Failed". I know I have the right username and shared secret. I think I know the cause of the problem though, and if I'm right, I could be in for the long haul:

I currently have port 1723 for PPTP forwarded to my router since my first VPN server is set up via that method. I believe I would need that port forwarded to my computer if I wanted to set up this second VPN in order to access my work shares from home. That's a problem. I foresee only two solutions (maybe 3):

1) I buckle down and figure out how to get a stupid L2TP VPN to work, which has proven itself to be much more complicated for me than PPTP. The reason for this method is that it uses different ports than PPTP, so I'll be able to keep my original PPTP VPN on my home router.

2) Since port 1723 is already forwarded to my router, I could try to figure out a way to get my home DD-WRT router's built-in PPTP VPN client to access my Mountain Lion VPN server at work. (This seems difficult, because I get no feedback from the router whether it's connecting or not and would have to ping over and over again just for necessary feedback. Second of all, I don't even know if this is possible. It might just be for router-to-router VPNs, but seeing as how I got the built-in VPN server to work by connecting to a Mac, logic tells me that the built-in VPN client should also do the same.)

[and maybe...]

3) The third and final option that I don't really foresee happening is getting rid of the first router VPN and setting up a VPN server on my Snow Leopard computer and accessing it on the Mountain Lion computer, then setting another one up on Mountain Lion and accessing it on Snow Leopard. The reason I don't see this happening is because I can't for the life of me figure out how to get Snow Leopard Server up and running. I just have Snow Leopard. I installed OSX Server for Snow Leopard, but when it starts, it's nothing like Mountain Lion Server. I can [sort of] remotely access my Mountain Lion Server from Snow Leopard Server, but I can't manage anything. Like all of the options are grayed out. It doesn't even show any options for managing the local computer as a server. Just nothing at all. It shows no servers on the network or anything, so I have pretty much no idea what I'm doing at all with that mess, so I doubt I'll even attempt it unless I exhaust all of my other options. And believe me, I will create more options if I need to, just to avoid option #3.

switon
Sep 11, 2012, 11:58 PM
Hi,

W.R.T. your Snow Leopard Server, on the main page of the Server Admin app under the Settings tab is a button that says "Services". Click it. You have to check all of the services that you wish to use on this server, and, in particular, the AFP, DNS, Firewall, Open Directory, SMB, perhaps NFS if you wish to use NFS to attach to local disk filesystems, and VPN. Once checked, these services will then be "un-grayed" and you can then set them up. To do so, you must next return to the Access tab on the main page, and under this Access tab select all the services that you wish to modify and give yourself (you drag and drop your username or the Administrators group to the Allow pane) access. This will then allow you to set up those services on your SL Server.

Frankly, I like the SL Server Admin much better than the ML Server.app, simply because it is so much more flexible and allows many more options to be specified through the GUI. Under ML Server.app, I find that I have to setup a bunch of options using terminal commands since they can no longer be setup through the Server.app GUI.

Good luck,
Switon

P.S. It still sounds to me like you may be having DNS problems, since you are using the VPN server on a router and a DNS server on a computer; there may still be conflicts that arise. Personally, I would pass all VPN traffic through the routers to the computer and run the VPN server on the computer along with the DNS server. But this is just my opinion and what I would do. I'm sure you can get this all to work using the router's VPN server, but you may be more limited by the router's VPN than by your computer's VPN.

switon
Sep 12, 2012, 12:30 AM
Hi,

You also might find that you can remotely manage (VNC/screen sharing) one system from the other, even without VPN working. This will allow you to sit at home and alter the settings of the ML Server at work (you won't need a second person's help, in other words) through Remote Management. To do so you will need to pass both UDP and TCP 3283 and 5900 ports for the ARD and potentially TCP/UDP port 53 for DNS queries through your router to your server. In the System Preferences Sharing pane check the Remote Management button but not the Screen Sharing button (you can't have both active at the same time), and then "Allow access for" yourself. You should then be able to VNC/screen share through your router to your ML server and remotely manage it. By the way, you will also have to make sure that the ML server's Firewall allows incoming connections for Remote Management and Screen Sharing.

...just a thought...

Switon

P.S. I use the Screen Sharing.app that is in the /System/Library/CoreServices/ directory to do remote management from Mac OS X and the VNCviewer program from Ubuntu and CentOS (Linuxes).

19austin85
Sep 12, 2012, 09:01 AM
I already use screen sharing. The only reason I needed my wife's help was because whenever I reset my network to use a different subnet, my router hangs up, and I get disconnected from remote access and can't connect again until the router is manually restarted.

I use screen sharing instead of remote management, because I could never get VNC to work with remote management enabled, which is probably why I can't edit any of the settings on the ML Server from the Snow Leopard computer! And based on what you said, the reason I probably couldn't get VNC to work with remote management is because I didn't have any other ports forwarded besides 5900.

I still can't get any VPN setup between the SL Mac and the ML Server.

Also, are VPNs supposed to be slow...like ungodly slow? Because I got a way faster connection when I used to connect to my NAS remotely over AFP. Unfortunately its version of Netatalk is incompatible with ML, and until I have time to go through the whole upgrade, I am connecting over SMB through VPN. It's just slow. Extremely slow.

switon
Sep 12, 2012, 09:52 AM
Hi,

I, too, get slower throughput from my NAS when connecting via SMB. I don't find that my VPN connections are slow, however; they are just as fast as my ISP allows upload traffic to be for residential service plans. In other words, I don't see any slowdowns due to the VPN encryption/decryption, but if you do then you might verify this by not using the VPN encryption and seeing if you find faster speeds. In my personal experience, it is SMB that seems to be the bottleneck to the NAS drive. When I use AFP to an attached drive, I find VPN throughput speeds limited by my ISP upload speeds.

Regards,
Switon

P.S. Actually, VPN encryption/decryption could, in theory, actually give faster throughputs depending upon the nature of the data being communicated. If the data is random, such as already compressed JPEG images or H.264 compressed video, then you won't see any speedups. But if the data is not random, such as textual or numerical data, then you could see speedups resulting from encryption --- the reason being that encryption not only encrypts but also compresses, and so the encrypted stream requires less data to be communicated than the unencrypted stream. With less data communicated you actually see what appears to be a faster communication link. In other words, the encryption/decryption is much faster than the communication bandwidth and so it is not a bottleneck, rather it is the actual communication link that is the bottleneck. (Since JPEG and H.264 data is already compressed, you don't get any further data compression from the VPN encryption and thus you won't see any apparent speedups.)

19austin85
Sep 12, 2012, 10:20 AM
Thanks, Switon. You have taught me a lot. How did you get to be so smart? Haha.

I don't know if I'm even going to attempt anymore of this VPN mess going in the other direction for right now. I think I'll just wait until after Saturday when I install a new DD-WRT router at work. Originally I planned to do that in order to create a separate static public IP address on the same network, but it will also provide me with a perfect opportunity to replicate my current work-to-home connection, just going in the opposite direction.

So after Saturday, my setup will probably look like this:
[Home DD-WRT VPN server]-->[Work Mac VPN client]
and
[Home Mac VPN client]<--[Work DD-WRT VPN server]

So much for using Mountain Lion VPN server! What a useless piece of junk for someone as dumb as me...

19austin85
Sep 12, 2012, 10:32 AM
UPDATE: I can only stay connected to the VPN for about 2 hours or so, and then it says something like "You were disconnected by the PPP server". What is the problem?

switon
Sep 12, 2012, 12:16 PM
Hi 19austin85,

Don't give up on the VPN both ways, I'm sure you can work it out. If you need further help after installing your new router, let me know and maybe we can take this discussion offline with more specific advice.

Regards,
Switon

P.S. The 2 hour connection problem is a problem...I don't have this problem with L2TP VPN so I think you can solve this problem too.

19austin85
Sep 12, 2012, 12:25 PM
Wow, Switon. Dos Equis really missed the mark, as far as their casting was concerned. Quantum mechanics? Now you're speaking my language! Not that I know hardly anything about quantum mechanics, but the quantum universe interests me to no end, and I could listen to that kind of talk forever.

I believe I was mistaken about the 2 hour connection issue. I'm fairly certain now that it was just a silly mistake, and that it occurred whenever I experimented with my home router's PPTP client. Whenever I applied the settings and the page refreshed, I think it would reset the PPTP server as well, whose settings happen to be on that same page...and obviously, whenever the server was reset, I would lose my VPN connection on the remote client.

switon
Sep 12, 2012, 12:35 PM
Hi 19austin85,

So are you 27? I can't even remember that far back. I wasn't even married at 27 (too busy in the lab and what-not).

Switon

19austin85
Sep 12, 2012, 12:41 PM
Yep. 27 years old, married for nearly 4 years, with an 8 month old baby boy. Life is good.

switon
Sep 12, 2012, 01:55 PM
(off topic)

19austin85
Sep 12, 2012, 02:07 PM
Extremely off-topic, but I started this thread, and I approve! Haha. This may be a little too edgy for people on your level and of your calibre, but have you ever heard of The Montauk Project? You can email me anytime at jamey at snowmasters dot com (just in case this forum doesn't allow email addresses). That event and book really piqued my interest awhile back and has a lot to do with quantum reality. I've also had my own crazy experience with quantum realities that I might share with you later if you pressure me enough...

switon
Sep 12, 2012, 05:52 PM
Hi 19austin85,

I'm taking this discussion offline...

Switon