Setting up VPN on the iMac (OSX Snow leopard 10.6.8)

Previously I had tried to set up a VPN on my iMac, but the information I found throughout the web was a mishmash and most of it was for Linux or Windows. There were very few clear guides on how to set up a VPN server on an iMac, though I did find a great starting guide.

The only problem with this guide is that it doesn’t go far enough in explaining how to fix the CHAP auth problem unless you are up to reading all the comments afterwards like I did, and even then it’s still not totally clear how to fully resolve it. That’s where this article comes in: I’ll go briefly through how to set up a VPN server on Snow Leopard 10.6.8 and will include the details not mentioned in other articles.

Disclaimer: Do this at your own risk. I will not be responsible for anyone who screws up their entire computer or network as a result of this.

Before we go on, many of you will ask why we should bother to set up a VPN. There are many reasons, but the ones I have for wanting to set one up are:

1. It’s an excellent way to access your network resources even when you’re not at home, such as file servers, printers, and even documents on your home computer, without exposing your network to outside threats.

2. Also to feed my security paranoia: since I occasionally use a lot of free, unencrypted public wifi, this ensures that no one can spy on me while I’m surfing. :) What am I surfing that would warrant such security measures? Well, for example e-mail, e-banking, buying something online, etc. You get the idea, and it also stops anyone finding out what kind of figures I’m planning to buy next~~~~!

So let’s get started. The reason it can be very hard to find a guide on how to set up a VPN server on OSX 10.6.8, AKA Snow Leopard, is that the feature is supposedly only found on OSX Server.

This is not true: the software used to set up a VPN server is also present in the non-server version of OSX. What the OSX Server version adds is a nice-looking GUI that makes it very easy to set up. So if you have that version, go look for it; it’s somewhere under System Preferences, and there are a lot of guides on how to use that GUI out there.

The software that provides the VPN server on OSX is called vpnd. Note: if you find it daunting even to open Terminal on a Mac, don’t go any further, because this requires basic Linux system administration skills.

You’re better off hiring someone to do it, or better yet subscribing to a third-party VPN service. One example is StrongVPN, but there are others as well, so shop around. The only reason I’m doing this instead is that I’m a cheapskate, and why should I pay for something I can set up myself?

So let’s get started. Open up a terminal:

1. sudo -s and enter your Apple password
(This starts another shell with the permissions needed to make system-level changes)

2. sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "whatever_you_like" /Library/Keychains/System.keychain
(Replace the whatever_you_like part with a shared network password. It acts like the WPA password for a wireless network: this command stores the password for com.apple.ppp.l2tp in the System keychain. Like WPA, you should set it to something VERY hard to guess! The maximum length is 64 characters, but remember that you will have to enter this on every device in order to connect. You could use this link to generate one, but BOY, it’s going to be very hard to enter on your notebook and even harder on any handheld device you want to use to connect to the VPN.)

3. Edit /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist with whatever editor you are comfortable with and add the following, or replace the contents altogether. This defines the settings for the VPN, so if later on you have problems starting the VPN, look back into this file and try to figure it out.

{
   ActiveServers = ("com.apple.ppp.l2tp");
   Servers = {
       "com.apple.ppp.l2tp" = {
           Addresses = ("XXX.XXX.XXX.XXX");
           DNS = {OfferedSearchDomains = (); OfferedServerAddresses = (); };
           IPv4 = {
               ConfigMethod = Manual;
               DestAddressRanges = ("YYY.YYY.YYY.YYY", "ZZZ.ZZZ.ZZZ.ZZZ");
               OfferedRouteAddresses = ();
               OfferedRouteMasks = ();
               OfferedRouteTypes = ();
           };
           Interface = {SubType = L2TP; Type = PPP; };
           L2TP = {
               IPSecSharedSecret = "com.apple.ppp.l2tp";
               IPSecSharedSecretEncryption = Keychain;
               Transport = IPSec;
           };
           PPP = {
               AuthenticatorPlugins = (DSAuth);
               AuthenticatorProtocol = (MSCHAP2);
               IPCPCompressionVJ = 0;
               LCPEchoEnabled = 1;
               LCPEchoFailure = 5;
               LCPEchoInterval = 60;
               VerboseLogging = 1;
               DSACLEnabled = 1;
               Logfile = "/var/log/ppp/vpnd.log";
           };
           Server = {
               Logfile = "/var/log/ppp/vpnd.log";
               MaximumSessions = 128;
               VerboseLogging = 1;
           };
       };
   };
}

Explanation:

Addresses = ("XXX.XXX.XXX.XXX");
XXX here is your VPN server’s IP address on the network. Enter it here.

Next we have this,

DestAddressRanges = ("YYY.YYY.YYY.YYY", "ZZZ.ZZZ.ZZZ.ZZZ");
This defines the address range that will be assigned to your connected VPN clients. It seems very straightforward but it’s not: a lot of guides simply tell you to set some short range such as 10.10.10.10 for YYY and 10.10.10.20 for ZZZ. This is alright if you have a DNS server running in your network; if that is the case, fill in the details for this part

DNS = {OfferedSearchDomains = (); OfferedServerAddresses = (); };

UPDATE: I also forgot to mention:

               OfferedRouteAddresses = ("Put the IP address of the default gateway for your home network here");
               OfferedRouteMasks = ("Put the netmask for that default gateway here");

To find out your default gateway IP address, run

netstat -nr

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 52 0 en1
default 192.168.1.91 UGScI 0 0 ppp0
.....
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 2 en1
The default route on your LAN interface (192.168.1.1 on en1 in the output above) is usually your VPN’s default gateway IP address.

If you don’t have a DNS server, this will lead to a lot of headaches later when you manage to connect to your VPN server but find that you can’t surf to any websites, which defeats the whole purpose of this exercise! Instead, you should first determine the IP address range your router or DHCP server allocates. Let’s say

DHCP is
192.168.1.150 to
192.168.1.200

then I suggest setting the range for YYY and ZZZ to something like the following, so it does not overlap the addresses assigned by your DHCP server.

192.168.1.50 to
192.168.1.80

This also sets a connection limit of 30 for your VPN and ensures that VPN clients can reach the internet, because they now use the same default gateway route as the computer hosting the VPN server (technical stuff, I don’t know how to say it any simpler). But if you have your own DNS server, you can set whatever address range you like and the VPN server will create another network inside your network.
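As an added example (not part of the original post), here is a small shell script that checks a candidate client pool for DestAddressRanges against the DHCP pool and the default gateway before you commit it to the plist. All addresses in it are constructed from the figures used above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the VPN client pool
# against the router's DHCP pool and the gateway's subnet.
# All addresses are constructed examples; substitute your own.

# Convert a dotted-quad IPv4 address to an integer for numeric comparison.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_size START END -> number of addresses in the inclusive range
pool_size() {
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# ranges_overlap A_START A_END B_START B_END -> exit 0 if they share an address
ranges_overlap() {
    as=$(ip2int "$1"); ae=$(ip2int "$2")
    bs=$(ip2int "$3"); be=$(ip2int "$4")
    [ "$as" -le "$be" ] && [ "$bs" -le "$ae" ]
}

# same_subnet IP1 IP2 PREFIXLEN -> exit 0 if both lie in the same subnet
same_subnet() {
    mask=$(( 4294967295 - ((1 << (32 - $3)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# check_vpn_pool VPN_START VPN_END DHCP_START DHCP_END GATEWAY PREFIXLEN
# Prints findings; returns 0 only when the pool is safe to use as-is.
check_vpn_pool() {
    ok=0
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "WARNING: VPN pool $1-$2 overlaps DHCP pool $3-$4"; ok=1
    fi
    if ! same_subnet "$1" "$5" "$6" || ! same_subnet "$2" "$5" "$6"; then
        echo "WARNING: VPN pool is outside the gateway's /$6 subnet;" \
             "clients will need their own routes and DNS"; ok=1
    fi
    echo "Pool holds $(pool_size "$1" "$2") addresses;" \
         "MaximumSessions should not exceed this"
    return $ok
}

# Constructed values from the post: DHCP hands out .150-.200, gateway is 192.168.1.1
check_vpn_pool 192.168.1.50 192.168.1.80 192.168.1.150 192.168.1.200 192.168.1.1 24
```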

4. Next we set the permissions on the file so it can be accessed. This is exactly as in the guide I mentioned.

chown root:admin /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

chmod u+w,a+r,a-x /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

5. Now that the configuration is done, the next step is to ensure vpnd runs every time the computer starts up so you don’t have to start it manually. Edit the file /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist with whatever editor you are comfortable with and add the following lines.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/vpnd</string>
            <string>-x</string>
            <string>-i</string>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>OnDemand</key>
        <false/>
    </dict>
</plist>

Save it and move on.

6. Again set the permissions for that file.

chown :wheel /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

chmod u+w,a+r,a-x /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

7. To launch vpnd,

launchctl load /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

to stop vpnd,

launchctl unload /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

to check,

tail -f /var/log/ppp/vpnd.log

8. Now open another terminal and run sudo -s again, because tail -f keeps monitoring the file, which is why you need another terminal to continue.

9. Now we need to test whether the VPN server works, so take any computer that is currently on the same network and set up a VPN connection to the VPN server. There are lots of guides for that on the internet, so I’ll leave it as an exercise for you. Just remember that the pre-shared key is what you set in step 2 and must be entered on each VPN client. Along with that, you must also create a new user, or use an existing one, on the VPN server, because even after the pre-shared key is accepted the VPN will still ask for an account to log on.

If, after setting up the connection, the tail log from step 7 shows a CHAP authentication failure, proceed to the next step to rectify it.

10. This is where I had problems finalizing the VPN setup, because I didn’t know why CHAP auth failed until recently, when I came across a few articles talking about the ShadowHash, but even then their solution was not complete. If you get the CHAP auth error, follow these steps.

dscl . change /users/username AuthenticationAuthority ";ShadowHash;" ";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>"

Substitute username with the user you are trying to log onto the VPN server with. REMEMBER the double quotes! This is what all the other guides seem to forget to show, and the command WILL NOT WORK without them! Once that is done,

passwd username

This sets a new password for the user, because the previous command resets it. You can reuse your old password here if you like.

Once that is done, try the connection again and it should connect successfully.

11. Now that the VPN server is set up and running and your local machine can connect to it, it’s time to change settings on the router so that it forwards all VPN connection requests to the VPN server. Unfortunately, this step varies from system to system, so you’re better off looking for a guide specific to your router to complete the setup, but I can give the general steps to follow.

12. Give your VPN server a fixed IP address on the network by having the router reserve it based on the MAC address.

13. Then set up port forwarding for ports 500, 1701, 1723 and 4500 to the VPN server.

14. This step depends on whether your router supports dynamic DNS. It is needed because ISPs issue a different IP address each time a customer connects to their network, unless you have purchased a static IP address, which is rarely the case unless you are running a business. For more on how to set it up, go here and here.

3 thoughts on “Setting up VPN on the iMac (OSX Snow leopard 10.6.8)”

  1. Great post. It’s a pity I didn’t discover your post before I spent hours setting up my PPTP server.
    Finally I gave up and switched to the free service from Security KISS.

    • Like I said, there are always better ways to do things. This is one of those things where there are simpler and faster methods.

