How to Get Your Lion Server Network Ready for VPN
If Lion Server is set up as a private server, a VPN is one way for users outside the building to privately connect to your hosted websites, wikis, and other services. For your users to access the local network from outside through a virtual private network, you may need to configure some other aspects of your network first:
DHCP IP address range: When you configure VPN service, you set a range of IP addresses that is assigned to the remote VPN users. These addresses are on the server’s network.
This range must not contain static IP addresses used on the network and must not overlap ranges provided by a DHCP server, an Internet router, or an AirPort Base Station. Make sure that these devices aren’t assigning IP addresses from ranges that overlap with those that the VPN service is providing to remote users.
The IP address that the VPN service assigns to a remote computer for its VPN connection is in addition to the IP address that the remote computer is already using to connect to the Internet. The VPN IP address is released back to the server when the VPN session concludes.
Port forwarding: If you have an Internet router, including a DSL or cable router, you need to set it up to use port forwarding (also known as port mapping) so as to forward traffic to your server’s IP address.
Firewall VPN ports: If you have a firewall running on the server or on a separate device, the administrator needs to open ports on the firewall to allow VPN traffic. These are TCP port 1723; UDP ports 500, 1701, and 4500; and IP protocol 50. (For PPTP, use TCP port 1723.)
Firewall ports for services: If the only way you’re allowing access from remote users is through an encrypted VPN connection, you don’t have a reason to open the firewall ports for specific services; all the traffic goes through the VPN instead of the firewall. This means you could set the firewall to block those ports for increased security.
You could also have a mixture: Keep open web and e-mail ports on the firewall, but close file sharing and iCal to restrict those types of access to a VPN connection. If you have a firewall between your workgroup and the rest of your organization, you may also want to keep ports open for people in your organization who are outside the workgroup.