Apr 21

Before switching over to a Mac Mini for my Apple servers, I used Xserves, which had dual Ethernet ports. This allowed for an external public IP and an internal private IP address. This, of course, is the optimal setup for creating a VPN when using Mac OS X Server.

Initially I had thought I had set up my VPN correctly, as I was able to connect to it, although after looking at some websites and AFP shares from the server, I wasn’t getting the results I had wanted.

Unfortunately after checking my IP when I was on the web, I noticed it was still using my non-VPN IP which meant all my web traffic was not going through the VPN. I then tried to connect to some AFP shares, and they worked, but after looking in Server Admin, I was still connecting with my Verizon IP address, and not the IP from the VPN.

Speaking with my good friend, we figured out that the IP blocks couldn’t be the same. I was dishing out 192.168.1.x from the VPN and my local network was also dishing out that same block. I also had to make sure “Send all traffic through VPN” was switched on. This parameter can be found in System Preferences >> Network >> VPN Connection’s Advanced button >> and under the Session section. It’s turned off by default, but make sure it’s turned on.

Now for the IP block that the VPN dishes out, I changed that to something a bit more secure, something that normal home routers don’t dish out. I chose 192.168.10.x, which I’ve yet to see a DHCP/home router dish out. I would think you might find that block in a bigger organization, but it should be safe to use. Saved that setting and then I tried to connect. Unfortunately, it didn’t work right just yet.

Then I added a virtual interface to the single Ethernet port and assigned it an IP address within the range that the VPN server was handing out. I gave it the router address of my public IP and then tried to connect again.

It worked! So in summary, when you’ve got a server with a single Ethernet port and an external IP address, it’s a good idea to:

  1. Give it a virtual interface
  2. Change the block range of IPs your VPN hands out
  3. Give your virtual interface an IP from that range
  4. Make sure your client(s) have “Send all traffic through VPN” turned on. Security is good :)
  5. Verify that it’s working correctly by visiting FindMyIP.com and looking in Server Admin

I’ve also allowed people to connect to the AFP service ONLY if they’re coming from the VPN IP range, which is much more secure than letting everyone connect to it.
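The checks from this post as a small script (an added example, not from the original post): it flags a VPN pool that collides with a client's local network, confirms the server's virtual interface address falls inside the pool, and applies the VPN-only rule used for AFP. The /24 masks, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress


def check_vpn_plan(vpn_pool, server_alias_ip, client_lans):
    """Return a list of problems with a VPN address plan (empty list means OK)."""
    pool = ipaddress.ip_network(vpn_pool)
    problems = []
    # Step 3 of the summary: the virtual interface must sit inside the pool.
    if ipaddress.ip_address(server_alias_ip) not in pool:
        problems.append(f"server alias {server_alias_ip} is outside {pool}")
    # The original fault: a client LAN that uses the same block as the VPN.
    for name, lan in client_lans.items():
        if pool.overlaps(ipaddress.ip_network(lan)):
            problems.append(f"{name} LAN {lan} overlaps VPN pool {pool}")
    return problems


def afp_allowed(source_ip, vpn_pool):
    """True only when the connecting address belongs to the VPN pool."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(vpn_pool)


# Constructed sample client networks (assumed /24 and /16 masks).
CLIENT_LANS = {"home": "192.168.1.0/24", "office": "10.0.0.0/16"}

if __name__ == "__main__":
    # First plan reproduces the collision from the post, second is the fix.
    plans = (("192.168.1.0/24", "192.168.1.250"),
             ("192.168.10.0/24", "192.168.10.1"))
    for pool, alias in plans:
        print(pool, check_vpn_plan(pool, alias, CLIENT_LANS) or "OK")
    # A VPN client address is accepted, a constructed public address is not.
    print(afp_allowed("192.168.10.42", "192.168.10.0/24"))
    print(afp_allowed("203.0.113.7", "192.168.10.0/24"))
```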

Apr 1

Server Assistant is a wonderful tool that allows OS X Server administrators to install and configure their server(s) remotely. I personally have used the tool multiple times in setting up servers, but not to install OS X Server to a machine.

Finally this past week I got the chance to do it. Despite being incredibly easy to do, there was one drawback that will definitely make me think twice about using it in that fashion again.

It will not allow you to choose which packages to install and which to leave out. Because of this I had to install all 11.4GBs instead of the 5-6GBs that I usually do. I tend to leave out the languages, printer drivers and fonts.

If there’s one thing I hope Apple fixes, it’s being able to select which packages to install and which not to when using Server Assistant to do a remote server install.

Just a heads up for people interested in doing remote OS X Server installs, keep in mind you won’t be able to choose the software that gets installed and make sure you can afford to spend ~11GBs of drive space!