Previous to my switching over to a Mac Mini for my Apple servers I used Xserves which had dual Ethernet ports. This allowed for a external public IP and an internal private IP address. This of course if the optimal setup for creating a VPN when using Mac OS X Server.
Initially I had thought I had setup my VPN correctly, as I was able to connect to it, although after looking at some websites and AFP shares from the server, I wasn’t getting the results I had wanted.
Unfortunately after checking my IP when I was on the web, I noticed it was still using my non-VPN IP which meant all my web traffic was not going through the VPN. I then tried to connect to some AFP shares, and they worked, but after looking in Server Admin, I was still connecting with my Verizon IP address, and not the IP from the VPN.
Speaking with my good friend we figured out that the IP blocks couldn’t be the same. I was dishing out 192.168.1.x from the VPN and my local network was also dishing out that same block. I also had to make sure I had “Send all traffic through VPN” was switched on. This parameter can be found in System Preferences >> Network >> VPN Connection’s Advanced button >> and under the Session section. It’s turned off by default but make sure it’s turned on.
Now for the IP block that the VPN dishes out, I changed that to something a bit more secure, something that normal home routers don’t dish out. I chose 192.168.10.x, which I’ve yet to see a DHCP/home router dish out. I would think you might find that block in a bigger organization, but it should be safe to use. Saved that setting and then I tried to connect. Unfortunately, it didn’t work right just yet.
Then I added a virtual interface to the single Ethernet port and assigned it an IP address within the range that the VPN server was handing out. I gave it the router address of my public IP and then tried to connect again.
It worked! So in summary, when you’ve got a server with a single Ethernet port and an external IP address, it’s a good idea to:
- Give it a virtual interface
- Change the block range of IPs your VPN hands out
- Give your virtual interface an IP from that range
- Make sure your client(s) have the “Send all traffic through VPN” turned on. Security is good :)
- Verify that it’s working correctly by visiting FindMyIP.com and looking in Server Admin
I’ve also allowed people to connect to the AFP service ONLY if they’re coming from the VPN IP range, which is much more secure then letting everyone connect to it.