How to set up macOS Server’s VPN service
If you have Apple’s Server app, you have access to an excellent VPN server that’s simple to set up and easy to use.
Last year we looked at services you could use to secure connections to servers and websites when you were on the public Internet. This week we’re going to take a look at setting up the Server app’s VPN service, which you can use to gain secure access to your private network on the public Internet.
The acronym VPN stands for Virtual Private Network, and VPNs allow users to be anywhere in the world and create a secure connection to private networks. VPNs secure your data using data encryption and tunneling, If you want more information on how VPNs work, take a look here, but in simplest terms, using a VPN is like connecting a very long ethernet cable from a computer anywhere in the world to your private network.
VPN and the Server app
If you have Apple’s Server app, you have access to an excellent VPN server that’s simple to set up and easy to use. Before you begin configuring your server, let’s take a look at the configuration settings for Server’s VPN service.
Open the Server app and select the VPN service in the Server’s sidebar. Unless you’ve already turned this service on, the service should be off and unconfigured.
Let’s take note of the services settings.
Status: Tells you whether the service is on or offline and should be able to determine your public IP address.
Permissions: Manage which users or groups will have access to the VPN service.
Configure VPN for: Lets you set the VPN protocol you’ll be using to allow access to your server.
VPN Host Name: The Fully Qualified Domain Name you can use to access your VPN server. (Requires properly configured DNS.)
Shared Secret: Used as a way for VPN clients and servers to confirm each other’s identities.
Client Addresses: The number and configuration of IP addresses you will provide to VPN clients.
DNS Settings: DNS server information you will provide to clients so they can access network resources.
Routes: Information provided to VPN clients so they know how to talk to computers on your Wide Area Network (WAN), i.e., other offices.
Configuration Profile: Creates a configuration profile you can send to VPN users so they do not need to manually configure VPN settings.
To set the VPN service up we’re going to stick to using the defaults for most of these settings, but we will make a few changes to start the service up. Verify that each of the VPN settings reflect the following:
Permissions: All users, All Networks
VPN: Should be the fully qualified domain name of your server
Shared Secret: You will need to enter information in this field. It can be something you know, such as Apple, potato chips, balderdash, or it can be a series of gibberish characters such as ;lk’puqertln.kadpfu. You do not need to remember or re-enter this information.
Client Addresses: Click the edit addresses button and enter 11 in the Assign: field and enter the IP address you want your VPN server to begin assignments with in the “Starting at” field.
Important: You need to make sure the IP addresses you add here do not conflict with existing IP addresses on your network. If there is a conflict you will create networking issues for either your VPN clients or for other DHCP clients on your network.
DNS Settings: The VPN service will automatically pick up your server’s DNS information. You only need to make changes or add servers here if you need your VPN clients to use different DNS information than your server does.
Routes: Leave these settings at their defaults.
Configure port forwarding
In order for your VPN to work properly port forwarding needs to be configured on your router. We can’t cover this in too much detail here, but if you’re using an Apple AirPort base station in your network the server app can automatically configure those settings.
- Click your AirPort base station in the sidebar of the Server app.
- Click the Enter Password button.
- Enter the configuration password for your AirPort.
The Server app will automatically configure your AirPort to route any external VPN traffic to your VPN server.
Install your VPN on a client computer and connect
The last step in this process is to set up the VPN service on a client computer and then connect to your server.
The Server app makes iOS and Mac configuration easy, all you need to do is click the Save Profile button. You can give the configuration file a unique name, then install it on any client you want to connect to your Server.
On the client:
- Double-click the profile. (If you don’t know what profiles are or how they work, check out our series on Profile Manager.)
- When asked if you want to install the profile, click Continue.
- When asked if you’re sure, click Continue.
- Add a user ID (You can also leave this blank) then click Install.
- Enter an administrator password and click OK.
Connect to your VPN
Installing this configuration profile creates a new network interface in the Network preference in System Preferences.
To make it simpler to connect to your VPN:
- Open the Network preference in System Preferences.
- Select the new VPN network interface.
- Put a check in the box that says, “Show VPN status in menu bar”.
- Close System Preferences.
- Click the VPN menu in the menu bar.
- Select your VPN.
- Log in.
You should now be securely connected to your private network and should be able to access all the computers and printers in your network
Note: If you want to remove the VPN interface, you have to delete the configuration profile.