Create a masquerading PPTP tunnel

Oct 30, '02 08:50:08AM

Contributed by: n1qfd

If you need to make virtual private network (VPN) connections so that outside users can reach your internal, firewalled network, but you are IP-address poor (i.e., you can't assign addresses to the VPN clients because your whole subnet is already in use) and you have Mac OS X Server, you can use the built-in VPN server in Mac OS X. Note that the server needs to be outside the firewall, or the firewall must be configured to allow PPTP connections through. Explaining how to set up your firewall is outside the scope of this hint.

For this tip you need to be comfortable in the UNIX shell.

[Editor's note: I have not tested this hint, and note that it requires OS X Server.]

First, edit the hostconfig file (/etc/hostconfig). Look for the line that reads IPFORWARDING=-NO- and change NO to YES. Next, add the following lines to the file:

VPNSERVER=-YES-
VPN_ARGS=""
The quotes on the preceding line are necessary.

Save the changes and now edit the file /System/Library/StartupItems/VPN/VPN. After the line that reads /usr/sbin/vpnd ${VPN_ARGS} (there may or may not be curly brackets around VPN_ARGS), add the lines:
/sbin/ipfw add divert 8668 ip from any to any via en0
/usr/sbin/natd -alias_address 1.2.3.4 -use_sockets -same_ports -unregistered_only
Enter the natd command as a single line, and replace 1.2.3.4 with your IP address.

Save your changes and then open the file /etc/ppp/pptp_addresses. In this file, make a list of IP addresses from one of the networks reserved for internal use (like 10.x.x.x) that your internal network is NOT using. Populate this file with as many addresses as you want clients to be able to connect with. For example, if I didn't use the 10.0.2.x subnet and wanted it reserved for VPN clients, I would put the following in this file:
10.0.2.2
10.0.2.3
...
10.0.2.50
This would allow 49 clients to connect. The list must start at .2, since .1 is used for the server.

Next, open the file pptp_service and comment out the line that reads nodetach by adding a '#' at the front: #nodetach. Then add a line containing the IP address you are reserving for the server, followed by a colon. For example, if I reserved 10.0.2.1 as my server address, I would add the following line: 10.0.2.1:

Next, create the file /etc/ppp/chap-secrets. This is where you store the login information for the connecting clients; the format is one line per user: <username> * <password> *.
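The three /etc/ppp files from the steps above, generated by a small script so the client pool, the server line and the secrets file can be checked in a scratch directory before anything is copied into place. This is an added example, not code from the original hint or from Apple; the file names and the 10.0.2.x range follow the hint, while the function names and the ROOT argument are this example's own. Because chap-secrets holds passwords in cleartext, the script creates it readable by root only.

```shell
#!/bin/sh
# Added example, not part of the original hint: builds the three /etc/ppp files
# the hint describes under a root directory of your choice (use / for the real
# system) so the result can be checked before the reboot. File names and the
# 10.0.2.x range follow the hint; the function names are this example's own.
set -eu

# Print one client address per line, PREFIX.FIRST through PREFIX.LAST.
# Fails unless FIRST >= 2 (PREFIX.1 is the server's address) and LAST <= 254.
gen_pptp_addresses() {
    prefix=$1 first=$2 last=$3
    [ "$first" -ge 2 ] && [ "$first" -le "$last" ] && [ "$last" -le 254 ] || return 1
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# Write pptp_addresses, pptp_service and chap-secrets under ROOT/etc/ppp.
# Usage: write_ppp_files ROOT PREFIX LAST USERNAME PASSWORD
write_ppp_files() {
    root=$1 prefix=$2 last=$3 user=$4 pass=$5
    dir="$root/etc/ppp"
    mkdir -p "$dir"

    # Client pool: PREFIX.2 .. PREFIX.LAST, as in the hint.
    gen_pptp_addresses "$prefix" 2 "$last" > "$dir/pptp_addresses"

    # pptp_service: comment out nodetach (keeping anything else already there),
    # then make sure the server address line "PREFIX.1:" is present exactly once.
    if [ -f "$dir/pptp_service" ]; then
        sed 's/^nodetach$/#nodetach/' "$dir/pptp_service" > "$dir/pptp_service.new"
        mv "$dir/pptp_service.new" "$dir/pptp_service"
    else
        echo '#nodetach' > "$dir/pptp_service"
    fi
    grep -qxF "$prefix.1:" "$dir/pptp_service" || echo "$prefix.1:" >> "$dir/pptp_service"

    # chap-secrets holds the password in cleartext, so create it readable by
    # root only before the secret is written into it.
    ( umask 077; printf '%s * %s *\n' "$user" "$pass" >> "$dir/chap-secrets" )
    chmod 600 "$dir/chap-secrets"
}
```

Run it against a scratch root first, e.g. `write_ppp_files /tmp/stage 10.0.2 50 vpnuser secret`, inspect /tmp/stage/etc/ppp, and only then copy the files into /etc/ppp.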

Finally, reboot your server. When it comes back up, to use your VPN connection from a MOSX 10.2 client, open "Internet Connect" and go to File -> New VPN Connection Window. It will ask if you want to set up your current location for using VPN; click Yes. Now you are presented with a window that allows you to enter in the following: Click Connect and the status should show you connecting. You should now be able to access your internal servers.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20021030055008917