Mac OS X Server - Managing VPN Service


Managing VPN Service

Use the VPN pane to turn VPN remote access service on or off, inspect or change the
VPN secret, set the IP address range for VPN users, or save a VPN configuration file for
Mac OS X users.

About VPN Service

VPN (virtual private network) service lets users connect to your network from home
or other remote locations over the Internet. Users make a secure VPN connection to
access services such as file sharing, address book, mail, iChat, iCal, and web.

To ensure confidentiality, authentication, and communications integrity, VPN service
uses L2TP over IPsec (L2TP/IPsec). The shared secret is the IPsec pre-shared key: it
protects the tunnel that carries the L2TP session.

A secure shared secret is generated automatically when you set up your server.
The shared secret isn’t used to authenticate client computer users for a VPN
connection; a user still logs in with a server account name and password. Instead,
the shared secret lets the server trust client computers that have it, and lets client
computers trust the server that has it.

146  Chapter 9  Customizing Services

Both server and client computers must have the shared secret. A computer with
Mac OS X v10.6 Snow Leopard can automatically get the shared secret and be set
up to make connections to the server’s VPN service. See “Setting Up Users’ Macs
Automatically” on page 105.

Other Mac and Windows computers can be configured in different ways to connect to
the VPN service. See “Setting Up a Mac User’s VPN Connection” on page 115 and “Setting
Up a User’s VPN Connection Manually” on page 117.

VPN service and your server’s firewall can both allow access to services from outside
your local network. The difference is that VPN service requires authentication for access,
but allowing access through the firewall doesn’t require authentication. If VPN service
is on, you may not need some services exposed to the Internet through your firewall.
For example, you might set the firewall to expose only your web services to the
Internet so that the public can view your wikis and custom websites (subject to
authentication and access restrictions you impose). Your server’s users can access other
services—file sharing, Address Book, iCal, iChat, and mail—through a VPN connection.

If you want to allow access to VPN service on the Internet and you have a cable router,
DSL router, or other network router:

•  Your router must have port forwarding (port mapping) configured for VPN service.
   For more information, see “Protecting a Small Network” on page 35.

•  Your router and VPN users’ routers must be configured so that they don’t assign
   conflicting IP addresses. For more information, see “Providing VPN Service Through
   an Internet Router” on page 150.


If you want to allow access to VPN service outside your local network and your
local network has a separate firewall device, ask the firewall administrator to open
the firewall for the ports and protocols that VPN service uses. For L2TP over IPsec
these are UDP port 500 (IKE), UDP port 4500 (IKE NAT traversal, which is what lets the
tunnel pass through a NAT router), UDP port 1701 (L2TP), and IP protocol 50 (ESP).
For the complete list of ports, see “Services and Ports” on page 175.

Changing the VPN Shared Secret

You can use Server Preferences to change the shared secret that the server and a client
computer use for authentication when making a VPN connection. Periodically changing
the shared secret improves VPN security, but is inconvenient because users must also
change the shared secret on computers they use for VPN connections.

To change the VPN shared secret:

1  In the VPN pane of Server Preferences, click Edit.

2  Select “Show shared secret” so you can read the secret, and then enter a new secret
   and click OK.

The shared secret should be at least 8 characters (preferably 12 or more) including
letters, digits, and symbols, but without spaces. Initially, the shared secret is 32 random
characters.

Because every VPN client uses the same shared secret, anyone who has had it keeps it
until you change it: a user who has left, or a laptop lost with its VPN configuration
saved. Change the secret whenever that happens, not only on a schedule.

You can use Password Assistant to help you compose a new shared secret. Temporarily
switch to the Users pane, click Account, click Reset Password, click the Key button to
the right of the New Password field, and then click Cancel and return to the VPN pane.
Password Assistant remains open, and you can use it to generate a new shared secret
that you copy from the Suggestion field and paste into the Shared Secret field.


After you change the secret here, all VPN users must make the same change in their
VPN configurations. For information about making this change, see “Setting Up a User’s
VPN Connection Manually” on page 117.
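The shared-secret rules above (at least 8 characters, preferably 12 or more; letters, digits, and symbols; no spaces; 32 random characters by default) expressed as a small checker and generator. This is an added example, not code from Apple’s guide or from Server Preferences; the particular symbol set and the restriction to printable ASCII are assumptions made so the secret can be typed into any client’s VPN configuration without surprises.

```python
"""Shared-secret policy check and generator (added example; not from Apple's guide).

Assumptions: the secret is typed into Server Preferences and into each client's VPN
configuration, so it is restricted to printable ASCII without spaces; SYMBOLS is a
conservative choice of characters, not a set the guide prescribes.
"""
import secrets
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!#$%&*+-./:;=?@^_~"   # assumption: symbols VPN clients accept verbatim
ALPHABET = LETTERS + DIGITS + SYMBOLS

MIN_LEN = 8           # guide: at least 8 characters
RECOMMENDED_LEN = 12  # guide: preferably 12 or more
DEFAULT_LEN = 32      # guide: the initial secret is 32 random characters


def check_shared_secret(secret):
    """Return the list of rules a candidate secret breaks (empty list = acceptable).

    Falling short of the recommended length is reported as its own message so a
    caller can choose whether to treat it as a hard failure.
    """
    problems = []
    if len(secret) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    elif len(secret) < RECOMMENDED_LEN:
        problems.append("shorter than the recommended %d characters" % RECOMMENDED_LEN)
    if any(c.isspace() for c in secret):
        problems.append("contains whitespace")
    if not any(c in LETTERS for c in secret):
        problems.append("no letters")
    if not any(c in DIGITS for c in secret):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in secret):
        problems.append("no symbols")
    if any(c not in ALPHABET and not c.isspace() for c in secret):
        problems.append("contains characters outside the allowed printable ASCII set")
    return problems


def generate_shared_secret(length=DEFAULT_LEN):
    """Draw a secret from the OS CSPRNG; redraw if a character class is missing."""
    if length < RECOMMENDED_LEN:
        raise ValueError("use at least %d characters" % RECOMMENDED_LEN)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_shared_secret())
```

Run it once on the server, paste the printed value into the Shared Secret field, and distribute it to users out of band; the checker is also useful for validating a secret that a user types in by hand.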

Creating a VPN Configuration File

You can use Server Preferences to generate a file that Mac users can open to create a
VPN configuration automatically. After creating the VPN configuration, a user can make
a VPN connection to the server and its network via the Internet. The configuration file
works with Mac OS X v10.3 or later.

To generate a VPN configuration file:

1  In the VPN pane of Server Preferences, click Save As, select a location for the VPN
   configuration file, and click Save.

2  Distribute the saved configuration file to users who need to set up a VPN configuration
   on their Macs.

To set up a Mac, a user simply opens the VPN configuration file you generated. Opening
this file opens either the Network pane of System Preferences or Internet Connect
(depending on the Mac OS X version), and then imports a VPN configuration with all
information necessary to make a VPN connection except the name and password of a
user account on the server. If Internet Connect asks the user where to put the imported
configuration, the user should select VPN (L2TP). The user should not select VPN (PPTP)
or any other option.


When Network preferences or Internet Connect finishes importing the VPN
configuration, the user must enter an account name and may enter a password,
and whatever the user enters is saved as part of the VPN configuration upon quitting
the application. If the user saves both the name and password as part of the VPN
configuration, anyone using that computer will then be able to log in automatically for
a VPN connection to your server.

For security, you can instruct users to enter their account name but leave the password
blank, and then quit the application (System Preferences or Internet Connect). If users
don’t save a password as part of the VPN configuration on their computers, they will be
asked to log in each time they make a VPN connection to your server.

For information you can give users instructing them how to use the VPN configuration
file, see “Setting Up a Mac User’s VPN Connection” on page 115.

Changing the IP Address Range for VPN

You can use Server Preferences to change the range of addresses you want the server
to reserve for assigning to remote computers when they make a VPN connection to
the server. For example, you might make the range larger to make more IP addresses
available for VPN connections.

Important: These are addresses on the server’s network, and they must not be used by
other computers or devices on the network. This range of addresses must not include
any static IP addresses in use on the network and must not overlap the range of IP
addresses that the DHCP server assigns.


To change the IP address range for VPN service:

1  In the VPN pane of Server Preferences, change the first IP address in the range, the last
   IP address in the range, or both.

   The range of addresses needs to be large enough for the maximum number of remote
   computers that will have concurrent VPN connections. VPN service assigns an IP
   address to a remote computer for the duration of a VPN connection, and reclaims the
   address when the remote computer disconnects.

2  If you have an AirPort Base Station or other Internet router (gateway) that provides
   DHCP service, you may need to adjust its IP address range so that the DHCP and VPN
   address ranges don’t overlap.

   To configure an AirPort Base Station, use AirPort Utility (in /Applications/Utilities/). For
   information about changing the settings of an Internet router, see its documentation.

The IP address that VPN service assigns to a remote computer for its VPN connection
doesn’t replace the IP address that the remote computer is already using to connect to
the Internet. The remote computer keeps this IP address and any other IP addresses it’s
using, and adds the IP address assigned to it for VPN.
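The rules in this section (the VPN range lies inside the server’s subnet, avoids static addresses, does not overlap the DHCP pool, and is large enough for the expected concurrent connections) as a check you can run before typing a new range into the VPN pane. This is an added example, not code from Apple’s guide; the sample LAN at the bottom is constructed, and the function assumes ranges are given as first/last dotted-quad strings exactly as the VPN pane shows them.

```python
"""Sanity-check a proposed VPN address range against the LAN, the DHCP pool and the
static addresses in use (added example; not part of Apple's guide).

Assumption: ranges are first/last dotted-quad strings and the LAN is one IPv4 subnet.
"""
import ipaddress


def address_range(first, last):
    """Return (lo, hi) as integers for an inclusive dotted-quad range."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("range end %s precedes start %s" % (last, first))
    return lo, hi


def ranges_overlap(a, b):
    """True if two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_vpn_range(subnet, vpn_first, vpn_last, dhcp_first, dhcp_last,
                    static_addresses, max_concurrent):
    """Return a list of problems; an empty list means the VPN range is safe to use."""
    net = ipaddress.IPv4Network(subnet)
    vpn = address_range(vpn_first, vpn_last)
    dhcp = address_range(dhcp_first, dhcp_last)
    problems = []

    # Both pools must lie inside the server's subnet and avoid the network and
    # broadcast addresses.
    for name, (lo, hi) in (("VPN", vpn), ("DHCP", dhcp)):
        for n in (lo, hi):
            addr = ipaddress.IPv4Address(n)
            if addr not in net:
                problems.append("%s range endpoint %s is outside %s" % (name, addr, net))
            elif addr in (net.network_address, net.broadcast_address):
                problems.append("%s range endpoint %s is the network or broadcast address"
                                % (name, addr))

    if ranges_overlap(vpn, dhcp):
        problems.append("VPN range %s-%s overlaps DHCP range %s-%s"
                        % (vpn_first, vpn_last, dhcp_first, dhcp_last))

    for s in static_addresses:
        if vpn[0] <= int(ipaddress.IPv4Address(s)) <= vpn[1]:
            problems.append("static address %s lies inside the VPN range" % s)

    size = vpn[1] - vpn[0] + 1
    if size < max_concurrent:
        problems.append("VPN range holds %d addresses but %d concurrent connections are expected"
                        % (size, max_concurrent))
    return problems


# Constructed sample LAN: router at .1, server at .2, DHCP pool .100-.200.
SAMPLE_STATIC = ["192.168.58.1", "192.168.58.2"]

if __name__ == "__main__":
    for p in check_vpn_range("192.168.58.0/24", "192.168.58.150", "192.168.58.220",
                             "192.168.58.100", "192.168.58.200", SAMPLE_STATIC, 100):
        print("problem:", p)
```

Feed it the subnet, the range you intend to enter, the DHCP pool from AirPort Utility or your router, and every static address you know about (router, server, printers); fix each reported problem before saving the VPN pane.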

Providing VPN Service Through an Internet Router

If your server provides VPN service through an AirPort Extreme Base Station, a Time
Capsule, or a network router configured to share an Internet connection, and users’
computers need to make VPN connections through their own base stations or home
routers, your server must be on a different IP subnet than the VPN users’ home
computers. To avoid this conflict, make sure your server’s IP address doesn’t begin with
the same three numbers—such as 10.0.1 or 192.168.1—as IP addresses on VPN users’
home networks.


By asking users to change their network addresses:

•  You can ask VPN users to change the IP addresses on their home networks or other
   local networks to not begin with the same three numbers as the IP addresses on your
   local network.

   For example, if your local IP addresses begin with 192.168.1, ask VPN users to use IP
   addresses beginning with 192.168.2 on their home networks. Private networks (RFC 1918)
   can use addresses beginning with 192.168.0 through 192.168.255, 10.0.0 through
   10.255.255, or 172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.

By changing your local network addresses:

•  Instead of asking VPN users to change their home network addresses, you can change
   the IP address of all the devices on your server’s local network. This includes your
   AirPort Base Station or other router, server, and other computers.

   Change your local IP addresses so your IP subnet is different from the most common
   defaults on base stations and other routers: 10.0.1, 192.168.0, and 192.168.1.

   You can simply pick a different number between 2 and 254 for the third number of
   your local IP addresses. For example, if your local network IP addresses begin with
   192.168.1, change them to begin with 192.168.58 or 192.168.177. If your local IP addresses
   begin with 10.0.1, change them to begin with 10.0.29 or 10.0.103. You can also use
   172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.

   Be sure to change the IP addresses that your AirPort Base Station, other Internet
   router, or DHCP server assigns to computers on your network. You make these changes
   on an AirPort Base Station using AirPort Utility (located in /Applications/Utilities/).
   For instructions, open AirPort Utility and then use the Help menu. For information
   about configuring another kind of Internet router or gateway, see its documentation.


For information about changing your server’s IP address, see “Changing Your Server’s IP
Address” on page 157.
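The subnet-collision rule from “Providing VPN Service Through an Internet Router” and the two remedies above, as a check you can run against the addresses VPN users report from home. This is an added example, not code from Apple’s guide; it assumes every LAN uses subnet mask 255.255.255.0, as the guide requires, that a client LAN can be described by any one address on it, and that the list of common router defaults is exactly the three prefixes the guide names.

```python
"""Detect a subnet collision between the server's LAN and a VPN user's home LAN,
and pick a replacement third octet (added example; not part of Apple's guide).

Assumptions: all LANs use mask 255.255.255.0, as the guide requires, and a client's
LAN is identified by any one address on it.
"""
import ipaddress
import random

# Router and base-station defaults the guide names.
COMMON_DEFAULT_LANS = [ipaddress.IPv4Network(p)
                       for p in ("10.0.1.0/24", "192.168.0.0/24", "192.168.1.0/24")]
# RFC 1918 private blocks every LAN here must be drawn from.
PRIVATE_BLOCKS = [ipaddress.IPv4Network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_of(address, netmask="255.255.255.0"):
    """The /24 containing `address` (strict=False discards the host bits)."""
    return ipaddress.IPv4Network("%s/%s" % (address, netmask), strict=False)


def is_private(lan):
    """True if the whole /24 lies inside one RFC 1918 block."""
    return any(lan.network_address in b and lan.broadcast_address in b
               for b in PRIVATE_BLOCKS)


def assess_server_lan(server_address, client_addresses=()):
    """List reasons the server's LAN prefix will cause trouble for VPN users."""
    lan = lan_of(server_address)
    problems = []
    if not is_private(lan):
        problems.append("%s is not an RFC 1918 private network" % lan)
    if lan in COMMON_DEFAULT_LANS:
        problems.append("%s is a common router default and will collide with many home networks"
                        % lan)
    for c in client_addresses:
        if lan.overlaps(lan_of(c)):
            problems.append("client %s is on %s, the same subnet as the server" % (c, lan))
    return problems


def suggest_server_lan(server_address, client_addresses=(), rng=random.SystemRandom()):
    """Return a /24 keeping the server's first two octets, with a third octet between
    2 and 254 that is neither a known router default nor any client's LAN."""
    first, second, _, _ = server_address.split(".")
    taken = {lan_of(c) for c in client_addresses} | set(COMMON_DEFAULT_LANS)
    candidates = [ipaddress.IPv4Network("%s.%s.%d.0/24" % (first, second, third))
                  for third in range(2, 255)]
    candidates = [c for c in candidates if c not in taken]
    if not candidates:
        raise ValueError("no free third octet left under %s.%s" % (first, second))
    return rng.choice(candidates)


if __name__ == "__main__":
    # Constructed sample: server on the 192.168.1 default, two remote users.
    for p in assess_server_lan("192.168.1.2", ["192.168.1.40", "10.0.1.7"]):
        print("problem:", p)
    print("suggested LAN:", suggest_server_lan("192.168.1.2", ["192.168.1.40"]))
```

The collision test is symmetric, so you can also run `assess_server_lan` from a user’s side with the server’s address as the only “client” to decide whether that user needs to renumber their home network.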