Provide secure remote access with VPN

Use the Server app to turn on VPN service and customize its settings.

VPN service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven’t made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

You can decide who gets to use the service, and from which network. See Server access overview.

Set up VPN for the first time

To set up VPN for the first time, you need to coordinate with the network administrator responsible for your local network subnets, IP address allocation, firewall settings and port forwarding, and user account creation.

  1. Create local network or Open Directory users who will log in to your network.

    See Create a user account and Define service access by users.

  2. Click the “Configure VPN for” pop-up menu, then choose “L2TP” or “L2TP and PPTP.”

    Choose “L2TP and PPTP” for a VPN network that supports both tunneling protocols.

  3. In the Client Addresses field, enter the total number of client addresses to assign for VPN, then enter a starting IP address.

    If you chose “L2TP and PPTP,” slide the bar to adjust the number of client addresses to assign between L2TP and PPTP clients.

    Note: Make sure the address range isn’t managed by some other gateway or DHCP server. Additionally, make sure the address range isn’t a LAN IP address range that’s used by the computers connecting through your VPN from the Internet. For more information, see Provide VPN service through an Internet router.

  4. Verify that the VPN host name resolves to the VPN server from the Internet.

    The VPN host name shouldn’t end in “.local” or “.private.” It should be an Internet-accessible, fully qualified domain name.

  5. Change or customize any other VPN settings you choose.

    You can change client addresses, DNS settings for name servers and search domains, and additional network routes to VPN clients when they make a VPN connection to the server.

  6. Verify that your network firewall or network gateway port forwarding allows VPN traffic to pass to the VPN server.

    If you use and administer an AirPort Extreme Base Station with Server app, it offers to configure the port forwarding settings on the base station.

    Otherwise, make sure the following ports are forwarded:

    • UDP 500 for ISAKMP/IKE

    • UDP 1701 for L2TP

    • UDP 4500 for IPsec NAT Traversal

    • TCP 1723 for PPTP, if used

    For the official list of port numbers used, see the Apple Support article Well known TCP and UDP ports used by Apple software products.

  7. Start VPN service.

  8. While VPN service is turned on, make sure the iCloud feature Back to My Mac is turned off in iCloud preferences.

    VPN service and Back to My Mac conflict because both need to use UDP port 4500. OS X Server doesn’t use Back to My Mac unless it’s signed in to an iCloud account and Back to My Mac is turned on in iCloud preferences.
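The client address pool in step 3 is the setting most often misconfigured: it must not overlap the LAN’s DHCP pool or the home/office ranges remote users sit behind. The following Python is an added example, not part of this help page or the Server app; the DHCP pool and remote LAN ranges are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the page): the local DHCP pool managed
# by another device, and LAN ranges remote users commonly connect from.
DHCP_POOL = ipaddress.ip_network("10.0.1.0/24")
REMOTE_LANS = [ipaddress.ip_network("192.168.0.0/24"),
               ipaddress.ip_network("192.168.1.0/24")]

def plan_client_pool(start_ip, count, l2tp_share=1.0):
    """Build the VPN client address pool from a starting address and a total
    count, then split it between L2TP and PPTP the way the Server app slider
    does. l2tp_share is the fraction given to L2TP (1.0 when PPTP is unused)."""
    if count < 1:
        raise ValueError("at least one client address is required")
    start = ipaddress.ip_address(start_ip)
    addresses = [start + i for i in range(count)]
    n_l2tp = round(count * l2tp_share)
    return {"l2tp": addresses[:n_l2tp], "pptp": addresses[n_l2tp:]}

def pool_conflicts(start_ip, count, reserved_networks):
    """Return the reserved networks (other DHCP/gateway ranges, remote LANs)
    that the planned client pool overlaps. An empty list means the pool is
    safe to use as far as these ranges are concerned."""
    start = ipaddress.ip_address(start_ip)
    end = start + (count - 1)
    pool = list(ipaddress.summarize_address_range(start, end))
    return [str(n) for n in reserved_networks
            if any(p.overlaps(n) for p in pool)]

if __name__ == "__main__":
    reserved = [DHCP_POOL] + REMOTE_LANS
    # A pool starting inside the DHCP range collides with it.
    print(pool_conflicts("10.0.1.200", 20, reserved))
    # A pool in an unused range passes the check.
    print(pool_conflicts("10.0.2.100", 40, reserved))
    print(plan_client_pool("10.0.2.100", 40, l2tp_share=0.75))
```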

Customize VPN traffic routing

By using network routing definitions, you can choose whether to route data from VPN clients to an address group through the VPN tunnel (referred to as private) or over the VPN user’s ISP connection (referred to as public).

If the remote tunnel endpoint can’t be reached through the default gateway, create extra routes for the remote network so that it’s reachable through that remote tunnel endpoint.

If you add routes, any routes you specify as private go over the VPN connection, and any you specify as public don’t. Unspecified routes don’t go over the VPN connection.

  1. Select VPN in the Server app sidebar.

  2. In the Routes option, click Add to add a network route.

  3. Enter an IP address and a subnet mask, then designate the network type as Private or Public.
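To see how the route definitions above decide where client traffic goes, here is an added Python model of the rules (not code from the Server app). It assumes that, when several routes match a destination, the most specific one (longest prefix) wins; the route table and destinations are constructed sample values.

```python
import ipaddress

def add_route(table, network, kind):
    """Append a route as entered in the Routes option: an address plus mask,
    designated 'private' (through the tunnel) or 'public' (over the ISP)."""
    if kind not in ("private", "public"):
        raise ValueError("network type must be 'private' or 'public'")
    table.append((ipaddress.ip_network(network, strict=False), kind))

def path_for(table, destination):
    """Return 'vpn' or 'isp' for traffic to destination.
    Private routes go over the VPN tunnel, public routes over the user's ISP
    connection, and a destination matching no route stays off the tunnel.
    Assumption: the longest matching prefix decides when routes overlap."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, kind) for net, kind in table if dest in net]
    if not matches:
        return "isp"
    _, kind = max(matches, key=lambda m: m[0].prefixlen)
    return "vpn" if kind == "private" else "isp"

if __name__ == "__main__":
    routes = []
    add_route(routes, "10.0.0.0/8", "private")      # the whole intranet
    add_route(routes, "10.20.0.0/16", "public")     # a guest segment kept off the tunnel
    for dst in ("10.1.2.3", "10.20.5.5", "8.8.8.8"):
        print(dst, "->", path_for(routes, dst))
```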

Create a VPN configuration profile

Use the Server app to create a configuration profile that sets up iOS devices and Mac computers for your VPN service. You must create a separate configuration profile for each protocol you use.

  1. Make sure VPN service is fully configured.

  2. Click Save Configuration Profile.

  3. Specify a filename and location for the configuration profile, then click Save.

After you create a profile, distribute it to users through email or a website, so they can install it on their devices (users are prompted to begin installation when they open the email attachment or download the profile). When users open the profile, they can make a VPN connection to your server and intranet over the Internet.

You can also distribute profiles over the network directly to iOS devices and Mac computers by using Profile Manager. For information, see Navigate Profile Manager.

Change the VPN shared secret

Use the Server app to change the shared secret that the server and a client computer use for authentication when making a VPN connection. Periodically changing the shared secret improves VPN security, but it’s inconvenient because users must also change the shared secret on computers they use for VPN connections.

  1. Select VPN in the Server app sidebar.

  2. Edit the shared secret.

    The shared secret should be at least 8 characters (preferably 20 or more) and can include any character you can type. However, iOS devices don’t support shared secrets that contain quotation marks. Initially, the shared secret is 20 random characters. The maximum length is 256 UTF-8 characters, and surplus characters are ignored.

  3. If you want to verify the secret, select “Show shared secret.”

After you change the secret on the server, all VPN users must make the same change in their VPN configurations.
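The length and character rules in step 2 are easy to get wrong when the secret is chosen by hand. The following Python, an added example and not part of the Server app, checks a candidate secret against those rules and generates one in the style of the server’s initial 20-character value; it treats both straight double and single quotes as quotation marks, which is an assumption on the conservative side.

```python
import secrets
import string

MIN_LEN, RECOMMENDED_LEN, MAX_LEN = 8, 20, 256
# Assumption: both kinds of straight quote count as the quotation marks
# that iOS devices reject in a shared secret.
QUOTES = set('"\'')

def check_shared_secret(secret):
    """Return a list of problems with a candidate shared secret (empty = OK):
    at least 8 characters (20 or more preferred), no quotation marks for iOS
    clients, and nothing beyond 256 characters, since the surplus is ignored."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    elif len(secret) < RECOMMENDED_LEN:
        problems.append("shorter than the recommended %d characters" % RECOMMENDED_LEN)
    if QUOTES & set(secret):
        problems.append("contains quotation marks, which iOS devices don't support")
    if len(secret) > MAX_LEN:
        problems.append("longer than %d characters; the surplus is ignored" % MAX_LEN)
    return problems

def effective_secret(secret):
    """The part of the secret the server actually uses."""
    return secret[:MAX_LEN]

def generate_shared_secret(length=RECOMMENDED_LEN):
    """Generate a random secret from letters, digits and punctuation, leaving
    out quotation marks so the same value works on iOS and Mac clients."""
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in QUOTES)
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print(check_shared_secret("short"))
    print(check_shared_secret('my"quoted"secret-value'))
    print(check_shared_secret(generate_shared_secret()))
```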

See also
About VPN
Provide VPN service through an Internet router
Stop VPN service from the command line
Define service access by users