Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Create a masquerading PPTP tunnel Network
If you need to make virtual private network connections (VPN) to allow outside users to use your internal, firewalled network and are IP address poor (ie. you can't assign addresses to the VPN clients as all of your subnet is filled) and you have MacOS X Server, you can use the built in VPN server in Mac OS X. Note, the server needs to be outside the firewall or have the firewall configured to allow PPTP connections through. Explaining how to set up your firewall is outside the scope of this hint.

For this tip you need to be comfortable in the UNIX shell.

[Editor's note: I have not tested this hint, and note that it requires OS X Server.]

First one needs to edit the hostconfig file (/etc/hostconfig). First look for the line that looks like IPFORWARDING=-NO- and change the NO to YES. Next, add the following lines to the file:
The quotes on the preceding line are necessary.

Save the changes and now edit the file /System -> Library -> StartupItems -> VPN -> VPN. After the line that reads /usr/sbin/vpnd ${VPN_ARGS} (there may or may not be curly brackets around the VPN_ARGS), add the lines:
/sbin/ipfw add divert 8668 ip from any to any via en0
/usr/sbin/natd -alias_address -use_sockets
-same_ports -unregistered_only
Enter the last line as one line, not two, and replace with your IP address.

Save your changes and then open the file: /etc -> ppp -> pptp_addresses. In this file, make a list of IP addresses in one of the networks that are reserved for internal use (like 10.x.x.x) that your internal network is NOT using. Populate this file with the number of addresses you wish to have clients connect to. For example, if I didn't use the 10.0.2.x subnet and wanted that reserved for VPN clients, I would put in this file the following:
This would allow 49 clients to connect. One must start at index 2 since the first index is used for the server.

Next open up the file pptp_service and comment out the line that reads nodetach by adding a '#' at the front: #nodetach. Next add the line containing the IP address you are reserving for the server followed by a colon. For example, if I reserved as my server address, I would add the following:

Next create the file /etc -> ppp -> chap-secrets. This is where you store the login information for the connecting clients, the format is: <username> * <password> *.

Finally, reboot your server. When it comes back up, to use your VPN connections from a MOSX 10.2 client, open "Internet Connect" and go to File -> New VPN Connection Window. It will ask if you want to set up your current location for using VPN, click yes. Now you are presented with window that allows you to enter in the following:
  • Server Address: The address of the VPN server
  • User name: The username set in the chap-secrets file
  • Password: The password set in the chap-secrets file
Click connect and the status should show you connecting. You should now be able to access your internal servers.
  • Currently 3.00 / 5
  You rated: 4 / 5 (4 votes cast)

Create a masquerading PPTP tunnel | 4 comments | Create New Account
Click here to return to the 'Create a masquerading PPTP tunnel' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
VPN Connection works but DNS resolution on client fails
Authored by: five4fighting on Dec 04, '02 02:57:57PM

I was able to establish a VPN connection by following the steps outlined in the post. However, once connected, the client machine can connect to other machines via their IP addresses but is unable to resolve DNS addresses. For instance, I am able to get mail over the private LAN by using the IP address to connect to the mail server (192.168.168.x) but not by the machine's address (

Does anyone else have this problem and can you send any suggestions for changes to pptp_service or other files to fix it?


[ Reply to This | # ]
VPN Connection works but DNS resolution on client fails
Authored by: PascalRobert on May 10, '03 06:12:59AM

Add a line like this:

ms-dns 192.168.x.x

to /etc/ppp/pptp_service

[ Reply to This | # ]
Create a masquerading PPTP tunnel
Authored by: player&sons on Mar 13, '03 05:26:58PM

I tried this hint and can now connect to the pptp server. what I cannot do is to ping or connect to any other machine on the remote network.
I chose an address out of the same range as the remote network (, my gateway info in PPTP is shown as the address of the pptp server ( I guess it must have something to do with that box not acting as a router. How can I get my connection routed through to the entire network? I thought that being logged in to the pptp server and provided with an ip address of the remote network would be sufficient to be completely integrated into the network.
Thanks for helping hands.

[ Reply to This | # ]
problems with PPTP from 10.3.9 to 10.2.6
Authored by: Elisabet Frazer on Sep 20, '05 12:58:17AM

I'm not able to connect via PPTP from Panther 10.3.9 client to Mac OS X Server 10.2.6.
I see the vpnd running at the server with "top" and when I try to connect the passwordserver goes to the top of the processes for a while, so some connection is going on, but then nothing.
Is the password really used by the passwordserver in the example here? is the Panther connect process different?
I added the VPN user also as a full user, but no difference.
What am I missing here?

[ Reply to This | # ]