Virtual Private Network Basics for Lion Server
If you set up Lion Server as a private server (with a .private domain name), not serving to the Internet, a VPN is one way for users outside the building to privately connect to your hosted websites, wikis, and other services.
A virtual private network (VPN) is a secure encrypted connection to a local network from outside it, typically made over the Internet. Remote users connected through a VPN see the local network, including servers and printers, as though they’re connected directly to it. You can also connect two remote local networks through a virtual private network.
In Lion Server, you create virtual private network connections with the Server app. Veteran Mac administrators, take note that you can no longer set up VPN with Server Admin, as in previous versions of Mac OS X Server. You also have fewer options than in the past unless you go to the command line.
If you’re setting up NAT on your server Mac and you’re using the Mac server as an Internet gateway, the Gateway Setup Assistant is another choice for setting up VPN service.
VPN protocols: L2TP/IPSec and PPTP
Lion Server supports two alternative protocols for transporting encrypted data. The one you see in the Server app is Layer Two Tunneling Protocol/Secure Internet Protocol (L2TP/IPSec, or L2TP over IPSec). Lion Server, however, no longer has any way to turn on the second protocol, Point-to-Point Tunneling Protocol (PPTP), except to use the command line.
PPTP is a Microsoft technology that’s long been used in Windows networks. Only older clients, before Windows XP and before Mac OS X 10.3, require PPTP. L2TP/IPSec is newer, with bits coming from Cisco and Microsoft. L2TP/IPSec is the preferred VPN protocol in Lion Server for various reasons, including the fact that it supports Kerberos authentication.
The shared secret
IPSec uses a shared secret, a password stored on the server and clients. The shared secret is not used for authentication or login, and it doesn’t play a role in encryption. The shared secret is a token that’s exchanged between computers to establish trust. If a client doesn’t have the shared secret, it can’t connect. Users don’t type a shared secret; it’s stored on the computers.
The shared secret must be at least 8 characters, but 12 or more is better, and it can include letters, numbers, and punctuation but no spaces. The shared secret shouldn’t be easy to remember; it should be a random string of characters.
The Server app’s VPN pane generates a shared secret for you or lets you use your own.