Mountain Lion Server VPN for home use

[irishv]

Can someone help me through the process of setting up a VPN for external access? I currently have a Mac mini serving as an HTPC. I have my own domain with a subdomain pointed to my home IP. My router has a few select ports open, which it forwards traffic to the mini (VNC, SSH, etc). My goal is to close all of that out and just have a VPN connection to get into the network.

I just purchased the mountain lion server app. While I plan to play with some other features (wiki server, profile manager, calendar server), the main goal is VPN so I can securely VNC into the box. I ran the setup and configured the server as private. I turned on the VPN service and was able to connect my iphone to it on the local network. What steps are needed now to connect remotely? Are there specific ports I need to forward from the router? I would assume there are different connection settings I need to make on the client devices as well.

[switon]

Quote:

Originally Posted by irishv

Can someone help me through the process of setting up a VPN for external access? I currently have a Mac mini serving as an HTPC. I have my own domain with a subdomain pointed to my home IP. My router has a few select ports open, which it forwards traffic to the mini (VNC, SSH, etc). My goal is to close all of that out and just have a VPN connection to get into the network.

I just purchased the mountain lion server app. While I plan to play with some other features (wiki server, profile manager, calendar server), the main goal is VPN so I can securely VNC into the box. I ran the setup and configured the server as private. I turned on the VPN service and was able to connect my iphone to it on the local network. What steps are needed now to connect remotely? Are there specific ports I need to forward from the router? I would assume there are different connection settings I need to make on the client devices as well.

Hi irishv,

Depending upon what flavor of VPN you wish to use determines exactly what ports you need to forward through your router. If you are using an Apple router, then the VPN setup should open the appropriate ports for you. If not, then you need to open and forward UDP 1701 for L2TP or TCP 1723 for PPTP, TCP and UDP 3283, 5900 for Remote Management, UDP 4500 if using L2TP IKE NAT, and UDP 500 if using L2TP ISAKMP/IKE. Basically, I'd start with forwarding 1723 if using PPTP or 500, 1701, 4500 if using L2TP. Then you might add 3283 and 5900 if VPN didn't initially work.

Also make sure your firewall is not blocking VPN connections.

Regards,
Switon

P.S. By the way, you can't use both VPN and Back to My Mac at the same time, as they conflict on their use of ports.

[mus0r]

Quote:

Originally Posted by switon

P.S. By the way, you can't use both VPN and Back to My Mac at the same time, as they conflict on their use of ports.

Sorry to hijack, but what about using ARD? Does that interfere? If so, I would have to use the VPN to use ARD over VPN, rather than just connect over the internet?

[switon]

Quote:

Originally Posted by mus0r

Sorry to hijack, but what about using ARD? Does that interfere? If so, I would have to use the VPN to use ARD over VPN, rather than just connect over the internet?

Hi mus0r,

ARD uses some of the same ports as VPN (plus others) and thus will potentially also conflict with the wide-area bonjour (wide-area zeroconf or mDNS-like) that Back to My Mac uses. Since I don't use ARD myself, I can't give any specific examples of this possible conflict (an ARD specialist or the ARD documentation may answer this question). But since ARD is Apple's administration tool, they may have taken special steps for it not to conflict. On the other hand, as you suggest you could VPN to your local network and then ARD or VNC (Screen Share) or even run the Server.app from there.

Good luck,
Switon

[mus0r]

Quote:

Originally Posted by switon

Hi mus0r,

ARD uses some of the same ports as VPN (plus others) and thus will potentially also conflict with the wide-area bonjour (wide-area zeroconf or mDNS-like) that Back to My Mac uses. Since I don't use ARD myself, I can't give any specific examples of this possible conflict (an ARD specialist or the ARD documentation may answer this question). But since ARD is Apple's administration tool, they may have taken special steps for it not to conflict. On the other hand, as you suggest you could VPN to your local network and then ARD or VNC (Screen Share) or even run the Server.app from there.

Good luck,
Switon

Thanks for the reply! There seems to be no conflict with BTMM and ARD, specifically. As a matter of fact, I will often use the Bonjour network scan to find my computer being shared via Apple's BTMM wide-area service. It shows in the scan as an absurdly long MAC address, rather than an IP. Works just fine. I just sometimes want to use either ARD or VPN, but it seems I can't do both. That seems to be due to the conflict you mention earlier. I will have to stop BTMM on my Mini, turn VPN on and use ARD that way.

Thanks!

[irishv]

Quote:

Originally Posted by switon

Hi irishv,

Depending upon what flavor of VPN you wish to use determines exactly what ports you need to forward through your router. If you are using an Apple router, then the VPN setup should open the appropriate ports for you. If not, then you need to open and forward UDP 1701 for L2TP or TCP 1723 for PPTP, TCP and UDP 3283, 5900 for Remote Management, UDP 4500 if using L2TP IKE NAT, and UDP 500 if using L2TP ISAKMP/IKE. Basically, I'd start with forwarding 1723 if using PPTP or 500, 1701, 4500 if using L2TP. Then you might add 3283 and 5900 if VPN didn't initially work.

Also make sure your firewall is not blocking VPN connections.

Regards,
Switon

P.S. By the way, you can't use both VPN and Back to My Mac at the same time, as they conflict on their use of ports.

Thanks for the response. I am using a Time Capsule and set the server to manage it, so I assume that should take care of the port forwarding requirements. I was planning to use L2TP. From an external access perspective, I should be able to just forward my domain to my home IP and then use that address when setting up the client (in this case, my iphone).

[switon]

Quote:

Originally Posted by irishv

Thanks for the response. I am using a Time Capsule and set the server to manage it, so I assume that should take care of the port forwarding requirements. I was planning to use L2TP. From an external access perspective, I should be able to just forward my domain to my home IP and then use that address when setting up the client (in this case, my iphone).

Hi irishv,

Yes, the Server.app will automatically configure your TC to allow VPN through it to your server. The Server.app actually asks if it should do this, and you just answer yes and it will configure your TC for Internet access to your LAN.

Regards,
Switon

----------

Quote:

Originally Posted by mus0r

Thanks for the reply! There seems to be no conflict with BTMM and ARD, specifically. As a matter of fact, I will often use the Bonjour network scan to find my computer being shared via Apple's BTMM wide-area service. It shows in the scan as an absurdly long MAC address, rather than an IP. Works just fine. I just sometimes want to use either ARD or VPN, but it seems I can't do both. That seems to be due to the conflict you mention earlier. I will have to stop BTMM on my Mini, turn VPN on and use ARD that way.

Thanks!

Thanks mus0r for the information. I'm glad that Apple designed ARD so that it didn't conflict with their BTMM service.

Switon

[irishv]

[QUOTE=switon;16790479]Hi irishv,

Yes, the Server.app will automatically configure your TC to allow VPN through it to your server. The Server.app actually asks if it should do this, and you just answer yes and it will configure your TC for Internet access to your LAN.

Regards,
Switon[COLOR="#808080"]


Looks like my issue was at the domain level. Configuring my client to connect via the IP address seems to work fine. The issue seems to be with how my sub-domain redirects to that IP. Thanks for the help.