
Setting up a Mac OS X VPN

rickt (apparently) - 07:41am Apr 2, 2004 PST

I'm in the process of designing/putting together a VPN over the public
internet that will link our main facility to a satellite facility. I
was considering using proprietary devices (Linksys etc) but it struck
me that an OSX box would probably do the trick just nicely.

HQ OSX Server:
en0: 192.168.1.x (internal LAN)
en1: 65.x.x.x (public internet, T1)

Satellite OSX Server:
en0: 192.168.2.x (internal LAN)
en1: 66.x.x.x (public internet, SDSL)

Once the two OSX servers can correctly route traffic to/from their own
respective LANs (and would be appropriately firewalled I might add),
what options do I have for an OSX to OSX VPN?

The result that I want is that the 192.168.2.x LAN can route to the
192.168.1.x LAN and vice-versa. This will be a full-time VPN, and I'd
love to use OSX for a million and one reasons.

Ideas? Thoughts? Is this so easy that I'm going to kick myself?

Thanks,
RMT.



Chris Pepper (apparently) - Apr 5, 2004 7:45 am (#1 Total: 16)  


At 6:41 AM -0800 2004/04/02, rick tait wrote:
>I'm in the process of designing/putting together a VPN over the
>public internet that will link our main facility to a satellite
>facility. I was considering using proprietary devices (Linksys etc)
>but it struck me that an OSX box would probably do the trick just
>nicely.
>
>HQ OSX Server:
>en0: 192.168.1.x (internal LAN)
>en1: 65.x.x.x (public internet, T1)
>
>Satellite OSX Server:
>en0: 192.168.2.x (internal LAN)
>en1: 66.x.x.x (public internet, SDSL)
>
>Once the two OSX servers can correctly route traffic to/from their
>own respective LANs (and would be appropriately firewalled I might
>add), what options do I have for an OSX to OSX VPN?
>
>The result that I want is that the 192.168.2.x LAN can route to the
>192.168.1.x LAN and vice-versa. This will be a full-time VPN, and
>I'd love to use OSX for a million and one reasons.
>
>Ideas? Thoughts? Is this so easy that I'm going to kick myself?

        One can hope. Mac OS X Server includes a VPN server for the
VPN client built into Mac OS X (both Server and non-Server). The first
thing to do is try it, and see if Apple's made VPN easy. If not, then
you proceed from there.

--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>

Curtis Wilcox (apparently) - Apr 5, 2004 7:45 am (#2 Total: 16)  


On 4/2/04 9:41 AM, "rick tait" <ricktrickt.org> wrote:

>
> I'm in the process of designing/putting together a VPN over the public
> internet that will link our main facility to a satellite facility. I
> was considering using proprietary devices (Linksys etc) but it struck
> me that an OSX box would probably do the trick just nicely.

"Proprietary" usually means products which only work with products from a
single manufacturer. My understanding is VPN products from Linksys and the
like use open standards like PPTP and L2TP/IPSec which would allow one to
have one brand on one end and another brand on the other.

> HQ OSX Server:
> en0: 192.168.1.x (internal LAN)
> en1: 65.x.x.x (public internet, T1)
>
> Satellite OSX Server:
> en0: 192.168.2.x (internal LAN)
> en1: 66.x.x.x (public internet, SDSL)
>
> Once the two OSX servers can correctly route traffic to/from their own
> respective LANs (and would be appropriately firewalled I might add),
> what options do I have for an OSX to OSX VPN?
>
> The result that I want is that the 192.168.2.x LAN can route to the
> 192.168.1.x LAN and vice-versa. This will be a full-time VPN, and I'd
> love to use OSX for a million and one reasons.
>
> Ideas? Thoughts? Is this so easy that I'm going to kick myself?

It looks like OS X 10.3 Server makes creating a VPN server easy.

<http://www.apple.com/server/macosx/networking_and_vpn.html>

The trickier part may be making the client auto-connect (and it looks like
both computers would have to run a VPN server and be the client of the
other). You would want it to re-establish the connection on boot but I think
the only native VPN client is the Internet Connection app that would require
having a user account auto-login then a VPN connection auto-login, both
making your server less secure. It may be possible, through shell scripting
and maybe some additional command line programs to have the Satellite
computer create the VPN connection on boot. There may already be a recipe
out there to follow but if it didn't work quite right, troubleshooting it
would be no easy task. Keyword searches in the Fink package list and OS X
section of freshmeat.net did not turn up anything.

It's usually considered a better practice to separate networking
infrastructure (including routing, site-to-site VPN, firewall) from other
services (Web, file & print, directory service, authentication, etc.). OS X
is stable but it still requires rebooting for patches and downtime for
maintenance unrelated to their routing/VPN capability. Just looking at one
online store, I found VPN routers for less than $100 and VPN/Firewall
routers for less than $200. I would look for reviews and users' experiences
of specific VPN routers, particularly for site-to-site use as you're
planning, and go with cheap, simple, dedicated boxes.

If you do use OS X for routing & VPN, search macosxhints.com for "vpn,"
there are some hints on split routing so that the only traffic going over
the VPN connection is what has to go over it.

Nicholas Riley - Apr 6, 2004 7:28 am (#3 Total: 16)  


OpenVPN (openvpn.sf.net) is incredibly simple to set up, requires only a single TCP/UDP port so it works great through firewalls, handles mobile machines and dynamic IP addresses, and runs on every imaginable OS. I love it, and have set up three VPNs with it between Mac OS X, OpenBSD, and Linux.

Peter Hill - Apr 6, 2004 7:28 am (#4 Total: 16)  


Perhaps because I am a router guy, I would suggest using a pair of Cisco 1712 routers with the VPN cards. This will allow you to set up a GRE tunnel running IPsec with 3DES or AES encryption. This is a great solution for site-to-site VPN. It has 5 Ethernet ports, and it can do PPPoE if your ISP requires. The Mac VPN software is based on racoon. If you want to go with that, google "racoon vpn".

Curtis Wilcox (apparently) - Apr 7, 2004 6:43 pm (#5 Total: 16)  


> Perhaps because I am a router guy, I would suggest using a
> pair of Cisco 1712 routers with the vpn cards. This will

A router guy at an institution that gets deep discounts on Cisco hardware
and seems to pride itself on the quality and "advancedness" of its network.
The Cisco 1712's are almost $1000 each.

While I'm definitely with you on choosing dedicated network hardware over
using an OS X server for the job, I think this is the "Mercedes" choice when
a "Kia" would do.

kevinv (apparently) - Apr 7, 2004 6:43 pm (#6 Total: 16)  


rick tait wrote:

> Ideas? Thoughts? Is this so easy that I'm going to kick myself?

I set up an IPSEC VPN from my Mac OS X powerbook to my DLink router using
OS X's built in IPSEC. I do this to my router because I wanted access
to the whole network, not just a single computer.

Currently I use Equinux's VPN Tracker on the Mac OS X side to
provide a nice GUI front end to the racoon software Mac OS X ships with.

<http://www.equinux.com/us/products/vpntracker/>

Although once I get a chance to test it (my powerbook is currently toast
with a bad hard drive, among other problems) I'll probably switch to
AFP548.com's VaporSec

<http://www.afp548.com/Software/VaporSec/index.html>

I originally attempted to set up my VPN with a LinkSys VPN end-point
router, but after a firmware update every time an IPSEC packet touched
the router it rebooted itself. I switched to DLink and haven't looked back.

Here are some other issues I ran into:

1) Become familiar with terminology and what it means. If you stick
with OS X on all sides it won't be a big issue, but my DLink router has
different names than VPNTracker has, so I had to figure out what they
were doing so they could be configured the same.

2) I would avoid the 192.168.1.x and 192.168.2.x subnet ranges. If you
ever want to be mobile and connect back to your network(s) via IPSec
they can cause problems. 192.168.0.x and 192.168.1.x are frequently the
default subnets NAT devices use. Many home users and some
hotels/airports/ISPs that use NAT use these ranges. If you happen to be
on such a subnet and set up a VPN to the same network range very weird
things can happen. There are 3 ranges of reserved IP addresses available:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
I used to use sub-nets in the middle of 192.168.x block (i.e.
192.168.128.x). Now I use the 172 range, for example my home wireless
network is on 172.28.x.x. The 10.x.x.x range is usually used by large
companies and segmented down among various offices.

3) DNS resolution can be weird. When on your VPN, you need to be able
to resolve IP addresses on the internal networks. So you either need an
internal DNS server with knowledge of all internal IPs (not too
difficult if you have few machines, can be very hard if you want DHCP
machines correctly listed from multiple subnets). For a roving user,
they frequently need both an external DNS server and an internal DNS server.

4) Use at least the 3DES encryption method. My DLINK offers DES
encryption but I just consider that too weak. I've not had speed
problems with 3DES.

Kevin
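
The addressing advice in point 2 above can be checked mechanically before a tunnel is built. This is an added example, not part of the post: `audit_vpn_plan` is a hypothetical helper, and the /24 masks and the revised plan are assumptions, since the thread only gives ranges such as "192.168.1.x".

```python
import ipaddress
from itertools import combinations

# The three reserved private ranges listed in the post, in CIDR form.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The subnets the post names as frequent NAT-device defaults.
NAT_DEFAULTS = [ipaddress.ip_network(n) for n in
                ("192.168.0.0/24", "192.168.1.0/24")]


def audit_vpn_plan(sites, nat_defaults=NAT_DEFAULTS):
    """Check a site-to-site addressing plan.

    sites maps a site name to its LAN in CIDR notation.
    Returns a list of (severity, site, detail) tuples; empty means clean.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in sites.items()}
    findings = []

    for name, net in nets.items():
        # A LAN outside the private ranges would shadow real internet hosts.
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(("error", name, f"{net} is not RFC 1918 space"))
        # A roaming client sitting on the same range cannot route to this LAN.
        for default in nat_defaults:
            if net.overlaps(default):
                findings.append(("warning", name,
                                 f"{net} collides with common NAT default {default}"))

    # Two sites with overlapping LANs cannot be routed to each other at all.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(("error", f"{a}+{b}", f"{net_a} overlaps {net_b}"))
    return findings


# Constructed plans. /24 masks are assumed; the thread only gives "192.168.1.x".
ORIGINAL_PLAN = {"HQ": "192.168.1.0/24", "Satellite": "192.168.2.0/24"}
# Constructed alternative in the 172.16.0.0/12 block the post suggests.
REVISED_PLAN = {"HQ": "172.28.1.0/24", "Satellite": "172.28.2.0/24"}

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("revised", REVISED_PLAN)):
        print(label, audit_vpn_plan(plan) or "no findings")
```
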

David Weintraub (apparently) - Apr 9, 2004 11:00 am (#7 Total: 16)  


Okay:

Lots of nice information about setting up a Mac OS X VPN network, but
has anyone connected Mac OS X VPN to a Microsoft Windows system? My
work has VPN software for Windows machines, and if I could get VPN to
work on my Mac, I'd be able to work from home. My work uses PPTP and
apparently standard Microsoft VPN. I have the name of their VPN server,
the domain name, login account, and password, all I need is to get the
whole thing working.

I was thinking about Virtual PC, but according to the box, I need a 500
MHz machine, and my Cube is only 450 MHz. Besides, it's sort of silly
to use Virtual PC just to connect my Mac to the network. Almost all of
the software I need is available on my Mac or via X11 to the Unix
servers.

David Weintraub
Support me in the Tour de Cure!
<http://www.weintraubworld.net/tour>
davidweintraubworld.net

pchernoff (apparently) - Apr 9, 2004 11:56 am (#8 Total: 16)  


>Lots of nice information about setting up a Mac OS X VPN network,
>but has anyone connected Mac OS X VPN to a Microsoft Windows system?
>My work has VPN software for Windows machines, and if I could get
>VPN to work on my Mac, I'd be able to work from home. My work uses
>PPTP and apparently standard Microsoft VPN. I have the name of their
>VPN server, the domain name, login account, and password, all I need
>is to get the whole thing working.

My wife uses her PowerBook G4 to connect to her office's network
using VPN. Her office is all Microsoft Technology and getting the PB
to connect was simple. All she needs to do is to be connected to the
Internet and click on a VPN menu in her menubar. This is using what
is built into Mac OS X 10.3 (Panther).

I use hardware to connect to my office's firewall because I can't get
Mac OS X's VPN client to work with my SonicWall Pro. But I prefer the
hardware based VPN solution. The software based solution is better
for my wife because she connects to our home network via Airport, so
when she connects to her office all of the data is encrypted.
--
  Paul Chernoff
  Director of Information Technology
  Washingtonian Magazine
  202-296-3600
  pchernoffwashingtonian.com

John C. Welch (apparently) - Apr 9, 2004 11:56 am (#9 Total: 16)  


On 4/9/04 1:00 PM, "David Weintraub" <davidweintraubworld.net> wrote:

> Lots of nice information about setting up a Mac OS X VPN network, but
> has anyone connected Mac OS X VPN to a Microsoft Windows system? My
> work has VPN software for Windows machines, and if I could get VPN to
> work on my Mac, I'd be able to work from home. My work uses PPTP and
> apparently standard Microsoft VPN. I have the name of their VPN server,
> the domain name, login account, and password, all I need is to get the
> whole thing working.

What version of OS X?

I've got two working, including one with an RSA keyfob.

john

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com


Peter Hill - Apr 9, 2004 12:42 pm (#10 Total: 16)  


Mac OS X 10.3 has built-in support for PPTP VPNs. Open the Internet Connect application and add a new VPN connection.

David Weintraub (apparently) - Apr 9, 2004 12:42 pm (#11 Total: 16)  


I located part of my problem - it's hardware. I have the original
AirPort (The "Graphite" model) and it simply doesn't support PPTP VPN
if you are using NAT.

So, the first thing I have to do is either get a separate NAT router,
get a new AirPort Extreme base station, or get another wireless router
that will work with the Mac.

Curtis Wilcox (apparently) - Apr 9, 2004 12:42 pm (#12 Total: 16)  


> Lots of nice information about setting up a Mac OS X VPN network, but
> has anyone connected Mac OS X VPN to a Microsoft Windows system? My
> work has VPN software for Windows machines, and if I could get VPN to
> work on my Mac, I'd be able to work from home. My work uses PPTP and
> apparently standard Microsoft VPN. I have the name of their
> VPN server, the domain name, login account, and password, all I need is
> to get the whole thing working.

I regularly connect my OS X machine at home to a Windows VPN server at work.

Creating a connection to a VPN server is a lot like creating a dial-up PPP
connection. Therefore it makes sense you use the same program to do both,
Internet Connect.app. The interface changed a bit between 10.2 and 10.3 but
the basics are the same. There's a field for the server address, a field for
your user name and a field for your password. You have the option of saving
this in your Keychain.

The format of the user name is probably just "username." If that doesn't
work, try preceding it with the domain name and a backslash:
"domain\username." If your workplace uses Active Directory,
"username@workplace.com" might also be the correct format.

I've never used Internet Connect with IPSec, I'm not sure it can even do it,
but I think as long as the VPN server uses PPTP, it's pretty
straightforward. I've also used it to connect to a Cisco VPN gateway.

Mike Cohen (apparently) - Apr 9, 2004 3:18 pm (#13 Total: 16)  


I use a VPN connection to a Windows server for work. Apple's built-in
VPN client works nicely with it.

I'm in Florida & my company is in Vancouver. I use SourceOffsite in X11
to access Visual SourceSafe & I can access all of the Windows servers
on the remote network.

Mike Cohen (apparently) - Apr 9, 2004 3:18 pm (#14 Total: 16)  


On Apr 9, 2004, at 3:42 PM, David Weintraub wrote:

> I located part of my problem - it's hardware. I have the original
> AirPort (The "Graphite" model) and it simply doesn't support PPTP VPN
> if you are using NAT.
>
> So, the first thing I have to do is either get a separate NAT router,
> get a new AirPort Extreme base station, or get another wireless router
> that will work with the Mac.

When I was using my old Graphite base station (RIP), I was able to get
the VPN to work by using the base station in bridge mode with a LinkSys
BEFSR41 as a NAT router.

I'm now using a D-Link 802.11g router which supports VPN.

kevinv (apparently) - Apr 10, 2004 1:23 pm (#15 Total: 16)  


David Weintraub wrote:

>
> I located part of my problem - it's hardware. I have the original
> AirPort (The "Graphite" model) and it simply doesn't support PPTP VPN
> if you are using NAT.
>
> So, the first thing I have to do is either get a separate NAT router,
> get a new AirPort Extreme base station, or get another wireless router
> that will work with the Mac.
>
Ah, this was one of the things I was going to put in my note on setting
up a VPN. I found the same thing with IPSEC. The original Airport will
only support VPN in bridging mode, not when acting as a NAT device.

The 2 solutions I thought of -- buy a new wireless hub, or buy a cheap
router that does NAT & DHCP and use it to connect to the internet, then
plug the Airport in behind the cheap router in bridging mode for
wireless connections.

Method 2 turned out to be cheaper so I went that way (I think I paid
$30-$40 for that DLink router). You just want to make sure the device
you buy supports VPN Passthru. VPN Endpoint is not necessary, VPN
Endpoints mean you can connect to it using VPN, you just need to talk
THROUGH it with VPN. VPN passthru provides that functionality.

Kevin

kevinv (apparently) - Apr 10, 2004 1:23 pm (#16 Total: 16)  


Mike Cohen wrote:

>
> I use a VPN connection to a Windows server for work. Apple's built-in
> VPN client works nicely with it.
>
> I'm in Florida & my company is in Vancouver. I use SourceOffsite in
> X11 to access Visual SourceSafe & I can access all of the Windows
> servers on the remote network.
>
Microsoft has a Mac version of Remote Desktop which allows you to remote
control Windows 2000 and Windows XP Professional machines. I use that,
once connected to my work VPN, to remote control my desktop and servers
at work.

<http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclient>

Very handy tool.

Kevin


