MATT’S PHOTOGRAPHY
2008/1
How to set up a VPN server:
There are many articles, and even software installers, which rely on third-party software or on an ssh tunnel to create a VPN. Other articles claim that PPTP or MS-CHAP must be used. None of this is necessary: a client install of OS X already ships the daemons the VPN service needs (vpnd, pppd, racoon, natd and ipfw), and this guide uses only those.
NOTE: This guide assumes that you do not have a free IP range on your network which you can use for the VPN client connections; that is why the NAT service is needed in section 1.4.
TERMINOLOGY: “Server” is the OS X workstation (I use a Mac mini with the normal client OS X) on which the VPN software runs all the time, waiting for incoming connections.
“Client” is the OS X workstation (my desktop or laptop, again with client OS X) on which you create the VPN connection on demand from “Internet Connect”.
1.1a) Create a login shell for VPN users:
The VPN user is the account that authenticates the PPP session inside the L2TP tunnel. You create it on the server and enter its name and password on the client when you establish the connection. Do not confuse it with the IPsec shared secret: that is a separate pre-shared key, entered once on the server and once per client (“Machine Authentication” in Internet Connect), which protects the tunnel itself before the user is ever asked for a password. OS X can also use a certificate instead of the shared secret, but that is a different configuration.
Because the account exists only for the VPN, it must not be able to log in to the machine in any other way; that is what the no-login shell below is for.
On Mac OS X Server you would additionally use “Server Admin” (VPN service, ACL) to define which users can and cannot use the VPN service; client OS X has no such list.
sudo ln -s /sbin/nologin /sbin/vpnlogin
sudo vi /etc/shells
### add a line with the full path “/sbin/vpnlogin” at the end (entries in /etc/shells are absolute paths)
1.1b) Create the VPN user:
Open NetInfo Manager and make sure the lock is open (enter your password if asked). Check what the highest UID in use is; in my case it is 502. Start a new series for VPN users at 701 so they stay clearly apart from the ordinary accounts.
1. In the left-hand column, select "/"
2. In the middle column select "users"
3. Click the "New" icon at the top of the pane. This creates a new user called "new_directory".
NOTE: The authentication settings the VPN service applies to this account (authentication protocol and IPsec shared secret) live in “com.apple.RemoteAccessServers.plist”, which you copy in 1.2.
Set the properties as follows (add new properties if needed):
Property   Value
home       /Users/vpn_100200   (the directory need not exist; the account never logs in)
shell      /sbin/vpnlogin      (the no-login shell from 1.1a)
change     0                   (0 = no forced password change)
expire     0                   (0 = the account does not expire)
gid        20                  (this is the staff group)
uid        701
name       vpn_100200
realname   vpn_100200
sudo passwd vpn_100200
### enter a new password for vpn_100200
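The same account can be created from the command line, which is easier to repeat and to check than clicking through NetInfo Manager. The script below is an added example and not part of the original guide: it uses the 10.4 NetInfo tools niutil and nireport (assumed to be present on the server), picks the first free UID at or above 701, and before touching the directory verifies that the account really cannot log in, i.e. that /sbin/vpnlogin is registered in /etc/shells and is a link to nologin. The user listing embedded in it is constructed sample data in the format nireport prints; the names VPN_SHELL, VPN_UID_MIN and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): create the VPN-only account from the
# shell on Mac OS X 10.4 and verify it is locked down. Assumptions: niutil/nireport
# exist (NetInfo, 10.4), /sbin/vpnlogin -> /sbin/nologin was created as in 1.1a,
# VPN UIDs start at 701 as in the guide.

VPN_SHELL=/sbin/vpnlogin
VPN_UID_MIN=701

# Constructed sample of `nireport / /users name uid` output
# (nireport separates the columns with a tab; any whitespace works for awk).
SAMPLE_USERS='root        0
nobody      -2
matt        501
jane        502
vpn_100200  701'

# First UID not in use at or above $1. Reads "name uid" lines on stdin.
next_free_uid() {
    awk -v min="$1" '{ used[$2] = 1 }
                     END { u = min; while (u in used) u++; print u }'
}

# Exit 0 only if the exact path $2 is listed in the shells file $1 (no partial matches).
shell_is_registered() {
    grep -qxF -- "$2" "$1"
}

# Exit 0 only if $1 is a symlink whose target is a nologin binary, i.e. the
# account gets no interactive shell even if someone learns its password.
vpnlogin_is_nologin() {
    target=$(readlink "$1") || return 1
    case "$target" in
        */nologin|nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the account with the same properties as the NetInfo Manager table above.
# Needs root; only runs when the script is invoked as: ./script --create NAME
create_vpn_user() {
    name=$1
    uid=$(nireport / /users name uid | next_free_uid "$VPN_UID_MIN")
    shell_is_registered /etc/shells "$VPN_SHELL" || { echo "$VPN_SHELL missing from /etc/shells" >&2; return 1; }
    vpnlogin_is_nologin "$VPN_SHELL"             || { echo "$VPN_SHELL is not a link to nologin" >&2; return 1; }
    niutil -create     / "/users/$name"
    niutil -createprop / "/users/$name" uid "$uid"
    niutil -createprop / "/users/$name" gid 20              # staff
    niutil -createprop / "/users/$name" home "/Users/$name"
    niutil -createprop / "/users/$name" shell "$VPN_SHELL"
    niutil -createprop / "/users/$name" realname "$name"
    niutil -createprop / "/users/$name" change 0
    niutil -createprop / "/users/$name" expire 0
    passwd "$name"                                          # prompts for the VPN password
    echo "created $name with uid $uid"
}

if [ "${1:-}" = "--create" ]; then create_vpn_user "$2"; fi
```

Run it as root with `--create vpn_100200`; the two checks fail loudly if 1.1a was skipped, which is the point: a VPN account with a real shell is a remote login account.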
1.2) Copy the VPN setup files:
Copy the following files onto your server. Once they are copied you need to customize them for your network (I created them with Server Admin on a real Xserve).
/System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
/etc/ppp (empty)
/etc/nat/natd.plist
/etc/racoon/racoon.conf
/etc/ipfilter/ip_address_groups.plist
/etc/ipfilter/ipfw.conf
NOTE: The detailed network setup is discussed in part 2 sections 2.1) ,2.2), 2.3) and 2.4).
sudo chmod 644 /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
sudo chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
### 644 leaves the file readable by every local account. If your copy carries the IPsec shared secret in clear text (Server Admin can store it in the system keychain instead), use 600 so that only root, which vpnd runs as, can read it.
1.3) Start the VPN services:
Once you have copied the files as described above, all you need to do is restart the server. After the restart you will see the racoon daemon running in “Activity Monitor”.
The automatic startup is done by launchd from [com.apple.ppp.l2tp.plist], which specifies the same options as the manual command shown below.
To start it by hand instead (I prefer to just restart):
#!/bin/sh
sudo vpnd -i com.apple.ppp.l2tp   ## starts the L2TP server; vpnd starts racoon for the IPsec side itself
1.4) Set up IP routing:
With the VPN up you can reach the VPN server itself, but none of the other computers on the network behind it. For that the server has to forward packets between the tunnel and the LAN, which is the job of the NAT service: natd rewrites the addresses, and the kernel must have IP forwarding switched on (the NAT service enables it for you). To enable IP forwarding by hand (as a UNIX reference):
sysctl -w net.inet.ip.forwarding=1
### same as IPFORWARDING=-YES- in /etc/hostconfig
### check the setting with:
sysctl net.inet.ip.forwarding
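To do the same from a script and, more usefully, to check afterwards that the server really is routing, here is an added example that is not part of the original guide. The bring-up function repeats the sysctl/natd/ipfw sequence from this section and from the “Useful commands” list at the end; the check functions parse the output of sysctl, ipfw list and netstat, which is what you would otherwise read by eye. Assumptions of mine: en0 is the interface facing the Internet, natd uses its default divert port 8668, racoon and vpnd were started as in 1.3, and the command outputs embedded as samples are constructed in the format those tools print on 10.4.

```shell
#!/bin/sh
# Added example (not from the original guide): enable forwarding + NAT for the VPN
# server and verify the result from tool output. Assumptions: en0 faces the
# Internet, natd listens on its default divert port 8668, racoon (udp 500) and
# vpnd (udp 1701) are started as in 1.3.

EXT_IF=${EXT_IF:-en0}

# Constructed samples in the output format of the commands checked below.
SAMPLE_SYSCTL_ON='net.inet.ip.forwarding: 1'
SAMPLE_SYSCTL_OFF='net.inet.ip.forwarding: 0'
SAMPLE_IPFW='00010 divert 8668 ip from any to any via en0
65535 allow ip from any to any'
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.500                  *.*
udp4       0      0  *.4500                 *.*
udp4       0      0  *.1701                 *.*'

# Bring-up (root): the sequence from 1.4 / "Useful commands". Flushing removes every
# ipfw rule, so run this before other rules are added, not on a live firewall.
enable_nat_forwarding() {
    sysctl -w net.inet.ip.forwarding=1 >/dev/null        # same as IPFORWARDING=-YES- in /etc/hostconfig
    /usr/sbin/natd -interface "$1" -use_sockets -same_ports -unregistered_only
    /sbin/ipfw -f flush                                   # -f: no confirmation prompt
    /sbin/ipfw add 10 divert natd all from any to any via "$1"
}

# Each check reads the command output on stdin and exits 0 when the state is right.

# `sysctl net.inet.ip.forwarding` -> "net.inet.ip.forwarding: 1"
forwarding_enabled() {
    awk -F': *' '$1 == "net.inet.ip.forwarding" && $2 == 1 { ok = 1 } END { exit !ok }'
}

# `ipfw list` -> "00010 divert 8668 ip from any to any via en0"; require a divert
# rule to natd's port on interface $1 (without it natd never sees a packet).
has_divert_rule() {
    awk -v ifc="$1" '$2 == "divert" && $3 == 8668 && $(NF-1) == "via" && $NF == ifc { ok = 1 }
                     END { exit !ok }'
}

# `netstat -an -f inet` -> "udp4  0  0  *.1701  *.*"; require IKE (500) and
# L2TP (1701) listening on all addresses, i.e. racoon and vpnd are up.
vpn_ports_listening() {
    awk '$1 ~ /^udp/ { seen[$4] = 1 }
         END { exit !(("*.500" in seen) && ("*.1701" in seen)) }'
}

# Run the real commands; report the first thing that is wrong.
verify_vpn_server() {
    sysctl net.inet.ip.forwarding | forwarding_enabled || { echo "IP forwarding is off" >&2; return 1; }
    ipfw list | has_divert_rule "$1" || { echo "no divert-to-natd rule via $1" >&2; return 1; }
    netstat -an -f inet | vpn_ports_listening || { echo "racoon/vpnd not listening on udp 500/1701" >&2; return 1; }
    echo "forwarding, NAT divert and VPN listeners are all in place on $1"
}

case "${1:-}" in
    --enable) enable_nat_forwarding "$EXT_IF" ;;
    --verify) verify_vpn_server "$EXT_IF" ;;
esac
```

`--verify` is the part worth keeping around: after a reboot it tells you in one line whether the launchd job, racoon and the NAT divert rule all came up, instead of waiting for a client to complain that it can reach the server but nothing behind it.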
1.5) VPN client setup:
For the VPN client setup, refer to this page, which contains detailed screen shots for OS X and Windows.
1.6) More Info:
Useful Links
Kerberizing the OSX VPN server (developer.apple.com)
Ports to open in the Firewall (docs.info.apple.com)
VPNd how to configure (very confusing and not updated for 10.4)
OSX 10.2 acting as a NAT router
vpnd -- Mac OS X VPN service daemon (developer.apple.com)
pppd - Point-to-Point Protocol Daemon (developer.apple.com)
ipfw - IP firewall and traffic shaper control program (developer.apple.com)
natd - Network Address Translation daemon (developer.apple.com)
racoon - IKE (ISAKMP/Oakley) key management daemon (developer.apple.com)
racoon.conf (developer.apple.com)
Discussion of Link local addresses (developer.apple.com QA1357)
Establish a VPN connection manually
Useful commands
ipfw show                                   ### list the rules with packet and byte counters
ipfw set show                               ### show which rule sets are enabled
ipfw list                                   ### list the rules
ipfw disable
ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
ifconfig -a                                 ### all interfaces and their addresses
sysctl -w net.inet.ip.forwarding=1          ### enable IP forwarding
sysctl -w net.inet.ip.forwarding=0          ### disable IP forwarding
natd -interface en0                         ### start natd on interface en0
netstat
ping
traceroute
natd -n en0 -redirect_port tcp 192.168.2.1:80 80
                                            ### port forwarding: TCP port 80 arriving on en0 is sent to 192.168.2.1:80
natd -alias_address xxx.yyy.zzz.aaa -interface en0 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss
where xxx.yyy.zzz.aaa is your external IP and en0 is your external interface (the interface that is connected to the internet)
Minimal sequence to start NAT by hand:
sysctl -w net.inet.ip.forwarding=1 > /dev/null
/usr/sbin/natd -interface en0 -use_sockets -same_ports -unregistered_only
/sbin/ipfw -f flush                         ### removes all existing ipfw rules
/sbin/ipfw add 10 divert natd all from any to any via en0
Server: VPN setup/Part1
1/11/08
The following guide describes how I set up the VPN server service on my Mac mini running the client version of OS X. The connection uses L2TP over IPsec (L2TP is the Layer 2 Tunneling Protocol; it carries the PPP session, and with it the user authentication, inside an IPsec tunnel). L2TP/IPsec clients are built into OS X 10.4 and Windows 2000.