Configure The VPN Service In macOS Server 5.4 on High Sierra
macOS Server has long had a VPN service to allow client computers to connect to a network even when they're out of the home or office. And as with many a service on macOS Server, this is one of the easiest VPN servers you'll ever set up. The server was once capable of running the two
On a Mac running macOS High Sierra 10.13, update to macOS Server 5.4 from the Updates pane of the Mac App Store. To prevent the interruption of services, macOS Server updates aren't automatically installed, even if you've chosen to install other updates automatically from the Mac App Store.
During installation you might see the message 'Server app replacement detected.' This is a normal part of the update process. All Server settings and data are preserved during the update.
After installation is complete, open Server app to finish setting up your previously configured services.
General changes
- Open Directory and Software Update Service are now hidden by default.
- You can now migrate Server data from a volume with OS X 10.10.5 and Server 5.0.15 and later.
- Caching Server, Time Machine Server, and File Sharing advanced options are now built directly into macOS.
- Caching Server now supports a tiered architecture.
- Xcode Server has been integrated into Xcode.
- Support for APFS volumes.
Profile Manager
Profile Manager now supports new restrictions, payloads and management commands.
For iOS 11
- New supervised-only restriction: Allow VPN creation.
- New supervised-only Classroom restrictions to allow managed class behavior for unmanaged classes on supervised devices: Force unprompted joining of classes, Force unprompted App and Device Lock, Force unprompted Screen Observation and AirPlay.
- New supervised-only AirPrint restrictions: Allow AirPrint, require trusted TLS certificates for AirPrint, Allow iBeacon discovery of AirPrint printers, Allow AirPrint credentials to be stored in keychain.
- AirPrint payload now supports specifying a port and whether connection must be TLS.
- VPN IKEv2 and Wi-Fi payloads now support specifying TLS min/max version.
- New supervised-only payload: DNS Proxy.
- Option to preserve data plan when erasing device.
- Option to install apps and books on iOS devices only when they are USB tethered with Ethernet.
- Software updates can now be installed on all supervised devices even while passcode locked.
- Skip the Watch migration pane in Setup Assistant.
For macOS High Sierra
- New macOS payload: Extensions.
- New macOS payload: Smart Card.
- New macOS payload: System Migration.
- VPN IKEv2 and Wi-Fi payloads now support specifying TLS min/max version.
- New macOS MDM commands: User List, Unlock User, Delete User, Shutdown, and Restart.
- New macOS MDM commands and status query for EFI password management.
- Option to apply 802.1X configuration to any Ethernet interface.
- Option to hide Siri setup screen on first log in.
- New macOS FileVault key escrow mechanism.
For tvOS 11
- New supervised-only restriction: Allow modifying device name.
- Wi-Fi payload now supports specifying TLS min/max version.
- Now supports Home Screen Layout payload.
- New tvOS payload: AirPlay Incoming Security.
Setting Up The VPN Service In macOS Server
To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings screen has a number of options available, as seen here.
The VPN Host Name field is used by administrators leveraging profiles: the value entered here becomes the server address for the VPN service in the Everyone profile. L2TP requires either a shared secret or an SSL certificate for the IPsec machine authentication. In this example, we'll configure a shared secret by providing a password in the Shared Secret field. Below that are three fields, each with an Edit button, plus a button to export a profile and the Shared Secret field itself:
- Client Addresses: The dynamic pool of addresses handed to clients when they connect to the VPN.
- DNS Settings: The name servers, and the search domains, pushed to a VPN client once it has connected to the server.
- Routes: Networks (an IP address plus a subnet mask) pushed to the client, each tagged with the interface the client should reach it over: the VPN tunnel or the client's default interface.
- Save Configuration Profile: Exports a configuration profile to a file that can then be distributed to client systems (installed on macOS with the profiles command, on iOS with Apple Configurator, or on both with Profile Manager). The exported profile embeds the shared secret, so handle the file as a credential.
- Shared Secret: The passphrase the client must supply (as IPsec machine authentication) before it is prompted for a username and password. It is one secret shared by every client, not a per-user value.
Using The Command Line
I know, I've described ways to manage these services from the command line before. The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:
sudo serveradmin start vpn
And to stop the service:
sudo serveradmin stop vpn
And to list the available options:
sudo serveradmin settings vpn
The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app):
vpn:vpnHost = 'odr.krypted.com'
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = '/var/log/ppp/vpnd.log'
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = 'jamfsw.corp'
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = '10.10.16.200'
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = '10.1.16.20'
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:2 = '8.8.8.8'
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = '1'
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = '1.1.1.1'
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = '2'
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = '2.2.2.2'
vpn:Servers:com.apple.ppp.pptp:EAP:KerberosServicePrincipalName = 'vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM'
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = 'PPTP'
vpn:Servers:com.apple.ppp.pptp:Interface:Type = 'PPP'
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = 'EAP-RSA'
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = 'DSACL'
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = 'MSCHAP2'
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = 'DSAuth'
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = '/var/log/ppp/vpnd.log'
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = 'MPPE'
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = '10.10.23.255'
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = '10.10.23.254'
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = 'Manual'
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = '1.2.3.4'
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = '/var/log/ppp/vpnd.log'
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = 'jamfsw.corp'
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = '10.10.16.200'
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = '10.1.16.20'
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:2 = '8.8.8.8'
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = '1'
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = '1.1.1.1'
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = '2'
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = '2.2.2.2'
vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = 'vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM'
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = 'L2TP'
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = 'PPP'
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = 'EAP-KRB'
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = 'DSACL'
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = 'MSCHAP2'
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = 'DSAuth'
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = '/var/log/ppp/vpnd.log'
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = 'Keychain'
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ''
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = 'com.apple.ppp.l2tp'
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = 'SharedSecret'
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ''
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = 'None'
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = '10.10.23.128'
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = '10.10.23.254'
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = 'Manual'
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = 'IPSec'
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = 'Yq!XdGsVyAY?o;9jnj
To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no
To configure how long a client can be idle, in seconds, before it is disconnected, set the timer rather than the switch: DisconnectOnIdle (1 in the dump above) only turns the feature on or off, while DisconnectOnIdleTimer holds the number of seconds (7200 in the dump above). For example, to drop idle L2TP clients after ten minutes:
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 600
By default, each protocol has a maximum of 128 sessions, configurable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions (or the com.apple.ppp.l2tp equivalent):
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200
To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:
sudo serveradmin fullstatus vpn
Which returns output similar to the following:
vpn:servicePortsAreRestricted = 'NO'
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = 'MSCHAP2'
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = 'MPPEKeySize128'
vpn:servers:com.apple.ppp.pptp:Type = 'PPP'
vpn:servers:com.apple.ppp.pptp:SubType = 'PPTP'
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = 'DSAuth'
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = 'MSCHAP2'
vpn:servers:com.apple.ppp.l2tp:Type = 'PPP'
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = 'L2TP'
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = 'DSAuth'
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = '/var/log/ppp/vpnd.log'
vpn:configured = yes
vpn:state = 'STOPPED'
vpn:setStateVersion = 1
Security folk will be less than stoked to see that the L2TP/IPsec pre-shared key is printed in the clear by serveradmin settings, under:
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue
The same dump prints the RADIUS shared secrets (the Radius:Servers:_array_index:N:SharedSecret keys) as well. Anyone with sudo on the server gets the key, and so does anything that captures serveradmin output or command lines: a shell history containing a settings command with the value on it, a configuration-management run that logs command output, or a saved settings export. Remember too that this is a group secret: every client uses the same value, and it is embedded in the profile that Save Configuration Profile exports, so treat that file as a credential and rotate the secret when a device or person leaves.
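Putting the two command-line points together (the serveradmin settings keys used above and the secret-in-the-clear problem), here is an added example, not code from the original article, of a small audit you can run over a serveradmin settings vpn dump. It flags secrets that are printed in cleartext or are short, PPTP being enabled, and 40-bit MPPE, and emits the serveradmin settings lines for the findings it can fix. The dump it runs against below is a constructed sample modelled on the output above (the PSK value is a placeholder, not the real one); on a real server you would pipe sudo serveradmin settings vpn into it instead. The finding names, the 16-character threshold and the vpn_audit/vpn_fix function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit a
# `serveradmin settings vpn` dump for weak or exposed settings and
# generate the serveradmin settings lines that fix what can be fixed.
#
# On a real server:
#   sudo serveradmin settings vpn | sh vpn_audit.sh
# Here a constructed sample dump stands in for that output.

# Read a settings dump on stdin; print one "TAG key" line per finding.
vpn_audit() {
    awk -F' = ' '
        # Keys whose value IS the secret. (IPSec:SharedSecret is only the
        # name of the keychain item, so it is deliberately not matched.)
        $1 ~ /Radius:Servers:_array_index:[0-9]+:SharedSecret$/ ||
        $1 ~ /L2TP:IPSecSharedSecretValue$/ {
            if ($2 != "\047\047")    print "SECRET-IN-CLEAR " $1
            if (length($2) - 2 < 16) print "SHORT-SECRET " $1
        }
        # PPTP (MS-CHAPv2 + MPPE) is legacy; keep it off unless you must.
        $1 == "vpn:Servers:com.apple.ppp.pptp:enabled" && $2 == "yes" {
            print "PPTP-ENABLED " $1
        }
        # 40-bit MPPE keys should never be offered.
        $1 ~ /pptp:PPP:MPPEKeySize40$/ && $2 == "1" {
            print "MPPE-40BIT " $1
        }
    '
}

# Read findings on stdin; print settings lines for serveradmin on stdout
# (apply them with: sudo serveradmin settings < fixes.txt) and advice for
# the findings that need a human (secret rotation) on stderr.
vpn_fix() {
    awk '
        $1 == "PPTP-ENABLED" { print $2 " = no" }
        $1 == "MPPE-40BIT"   { print $2 " = 0" }
        $1 == "SECRET-IN-CLEAR" || $1 == "SHORT-SECRET" {
            print "rotate and re-enter in Server app: " $2 > "/dev/stderr"
        }
    '
}

# Constructed sample modelled on the dump in the article; the PSK is a placeholder.
SAMPLE_DUMP=$(cat <<'EOF'
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = '1'
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = 'Keychain'
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = 'com.apple.ppp.l2tp'
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = 'example-psk-not-real'
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
EOF
)

# Findings, then the settings lines that remediate them.
printf '%s\n' "$SAMPLE_DUMP" | vpn_audit
printf '%s\n' "$SAMPLE_DUMP" | vpn_audit | vpn_fix
```

The audit matches on the key names exactly as serveradmin prints them, so it does not confuse the keychain item name in IPSec:SharedSecret with the secret itself in L2TP:IPSecSharedSecretValue. Secrets are reported but never rewritten by the script: a new pre-shared key has to be entered in the Server app and redistributed to clients, so that finding is sent to stderr as an instruction instead of a settings line.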
Configuring Users For VPN Access
Each user who connects to the VPN needs an account on the server with access to the VPN service. To configure existing users to use the service, click on Users in the Server app sidebar.
At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.
At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.
Setting Up Client Computers
As you can see, configuring the VPN service in macOS Server 5.4 (running on High Sierra) is a simple and straightforward process, much easier than eating your cereal with a fork and doing your homework in the dark. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so on a Mac, open the Network System Preference pane.
From here, click on the plus sign ('+') to add a new network service.
At the prompt, select VPN in the Interface field and L2TP over IPSec in the VPN Type. (Older versions of this pane also offered PPTP, but Apple removed the PPTP client from macOS in Sierra, so a High Sierra client can only use L2TP here.) Then provide a name for the connection in the Service Name field and click on Create.
At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.
At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user's password in the User Authentication Password field. When you're done, click OK and then provided you're outside the network and routeable to the server, click on Connect to test the connection.
Conclusion