VPN with SLS?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by j2048b, May 4, 2010.

  1. j2048b macrumors 6502a

    Feb 18, 2009
I was wondering if it were possible to set up a nice VPN that could be accessed by other family members from across the USA to share music/movies and photos?

    If so, how could one set this up so that other family members without Mac computers were able to access the VPN and watch the movies I have and even transfer the music and stuff like that?

    Is that possible to do?

  2. j2048b thread starter macrumors 6502a

    Feb 18, 2009
I know a few people have set up VPNs with SLS, but I am a bit lost as to the questions I had posed; hopefully someone with more knowledge and Mac experience can chime in to answer them?

  3. Hoodman macrumors newbie

    Feb 20, 2009
    Yes it can be done!

    The problem is that it needs a little bit of configuration, in the Server and in the router.

You have to obtain a domain, link it with the router. Then configure the port forwarding to the machine's IP.

    In the server you must create accounts and configure the VPN service (that's the easiest!)

  4. calderone macrumors 68040

    Aug 28, 2009
    The previous poster is correct, but some details are missing.

    Making your server accessible across the internet

    I am going to assume that you are on a residential internet service, and that you do not have a static IP.

    1. Get a domain
    a. This can be done by using a service like DynDNS
    b. Or, if you have a domain name with a webhost or purchased through a registrar and they offer DNS, you can add an A record for your home IP.

    2. Keeping the domain in sync with your dynamic IP
    a. DynDNS offers a widget that will update your IP in the background.
b. If you are using your own hosting service, they may offer tools, but chances are you will just have to update it yourself. Sometimes you can hold an IP for months, but other times you drop it every week. Some webhosts offer web APIs, like DreamHost. With that, you could write a script (I did) to update it.
    c. Another option is to combine the two. Say you have a domain you purchased j2048b.com, the host doesn't offer any tools for updating the IP, so grab a domain at DynDNS and you add an alias on your host. So people could use your custom domain, but behind the scenes the IP is grabbed through DynDNS.

    3. Port Forwarding
    a. Now people can find your server across the internet. But, at this point, all they will be doing is hitting the router. If you have a router that offers VPN, you could use that. But it sounds like you want to use your server. To do this, you have to forward ports. It works like this:

Internet user is looking for VPN services --> Router sees request and checks forwarding rules --> Forward exists for requested port (VPN) --> Router forwards the traffic to the local IP and port of the server.

    If you have an Airport router, you can actually have the server automatically set up these forwards for you.

    1. Open Server Preferences
    2. Select Security
    3. It should already see your Airport and name it at the top: "Expose the services on airport_name."
4. Click the "+" and add the services you want available. Be selective here; putting all the services out there isn't a good idea if you want to use VPN for security. But, obviously, VPN and even Web would be a good idea. If you plan on using iCal or Mail, it may be a good idea to have those accessible without VPN.

    If you don't have an Airport router, add this page to your bookmarks "Well known" TCP and UDP ports used by Apple software products

    This is a useful KB when you need to forward and aren't sure of the ports, especially for services that don't offer port configuration via Server Admin.

    The ports you need to forward for L2TP are: 500, 1701, 4500. All routers are different, so I would take a look here: http://portforward.com/

    Find your router and click on any settings guide, all that is important is you see where and how to enter the data. Here are the details:

    Public Ports, all UDP: 500, 1701, 4500
    Private IP: This is the IP address of your server
    Private Ports: 500, 1701, 4500

Once you have this in place, move on to configuring the VPN Server.

    Configuring the VPN Server
    Unless you need to serve clients that do not support it, I would turn on L2TP over IPsec. Configure start and ending addresses, I typically use the same IP range as my local network but bump it up 100. For example if I was using, I would take my VPN addresses to

    Configure authentication. I would use the Directory Service and MS-CHAPv2.

    Now, add your shared secret.

    Click on the Client Information tab, add your server IP as a DNS Server (assuming you are running DNS). This way, the VPN clients will be able to do lookups for shares and other services.

    Configure the client
    I would start locally.

    1. Open the Network Preference Pane in System Preferences.
    2. Click the "+" to add a new service (you may need to authenticate and unlock it first)
    3. In the Interface drop down menu, select VPN
    4. For VPN Type, select L2TP over IPSec
    5. Give the service a name, maybe something that is descriptive like "Family VPN" or something.
    6. Enter server's hostname in the Server Address field
    7. Enter your Open Directory user name in the Account Name field
    8. Click on Authentication Settings
    9. Enter your password
    10. Enter the shared secret at the bottom

    At this point you should be able to connect. If it works, you can export this configuration to give to others.

This is done by highlighting the service on the left, clicking the gear at the bottom and selecting "Export Configurations."

    That is pretty much it. If you have any questions, please feel free to ask.
