OS X Mountain Lion as a free VPN Server

VPN Tunnels are a great way to hide your network traffic from the WiFi network you happen to be on. Whilst out and about, I can VPN into my home network with my laptop, iPhone, or iPad, and not worry about what information my device might be leaking to the WiFi provider.

This outlines how I built a VPN server for free using only a plain-vanilla Mac OS X laptop.

Updated the original post from May 2013 on July 21st 2014 for OS X Mavericks to get CHAP authentication working.

I first thought I needed to pay for this when I perused Apple’s OS X Server features. Then, searching for cheaper server client bundles, I came across an article that said OS X already has all you need to run it as a VPN server. There was a handy graphical user interface tool that would configure and activate vpnd for you.

Since this was an exercise in being stingy and do-it-yourself, I sought out the changes I needed to make on the command line myself. Two great articles by Ognjen Antonič and Robin Breathe gave me what I needed.

The instructions are mirrored here, slightly modified to allow for my preferences.

Open a shell and switch to root:

sudo -s

Create the shared secret password and store it in the keychain.

In the example we will use YourPassword as the secret password. This is not the user’s password, but the group or shared secret for VPN access.

Passwords that are long and complex are good, but remember that you will need to enter this on an iPhone or iPad screen keyboard later.

security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "YourPassword" /Library/Keychains/System.keychain

Create the vpnd configuration file, which is stored here:

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

Use an editor, such as vi, to create this file.

vi /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

Download a sample configuration file and copy and paste it into vi.

Edit Addresses = (""); to be the IP address of your vpnd server. Most likely you will want to use the IP address that is assigned to the interface en0 of your Mac.

Change OfferedServerAddresses = (""); to propose the DNS server addresses that your Mac uses.

Each client will be assigned its own local IP for the duration of its session. Change DestAddressRanges = ("", ""); to name the first available address to be assigned to VPN clients, and the last possible address.

Set the default gateway address by adjusting: OfferedRouteAddresses = ("");

Specify the subnet mask for this local network by changing OfferedRouteMasks = ("");

Other examples have been using CHAP to authenticate users. I found that on Mac OS X 10.8.3 this no longer works and got user authentication working by following suggestions made on Robin Breathe’s page to use PAP instead.

Correctly set the ownership and permissions of the plist file.

chown root:admin /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

chmod u+w,a+r,a-x /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

On the default Mountain Lion and Mavericks install, I could only get PAP to work, since it sent passwords in clear-text. The idea though is to use CHAP (i.e. MSCHAP2) for encrypted challenge response. To do this, you need to adjust the way hashing is done so that the client and server agree on the same method.

If you keep getting this error: CHAP peer authentication failed for <user>

Then what you need is the following: SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER

First, get your current/active setting from the directory services:

dscl . read /Users/<user> AuthenticationAuthority

On Mavericks, this will likely give you:
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5; … (lots of text we don’t care about here)

Note the part between the less-than and greater-than signs, which we need to copy and paste to specify exactly what we want to change with dscl:

dscl . change /users/<user> AuthenticationAuthority ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>" ";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>"
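
The copy-and-paste step above can be scripted. The following is an added example, not part of the original post: it extracts the hash list from a line of dscl output and prints (but does not run) the matching dscl change command. The helper names, the user name alice and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# It only parses text and prints a command; it never calls dscl itself.

# Print the hash types listed between < and > after ";ShadowHash;HASHLIST:".
hashlist_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*;ShadowHash;HASHLIST:<\([^>]*\)>.*/\1/p'
}

# Succeed if hash type $2 is a whole entry of the comma-separated list $1.
has_hash() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# $1 = short user name, $2 = line printed by
#   dscl . read /Users/<user> AuthenticationAuthority
# Prints the change command from the article with the exact current value as
# the "old" string. Prints nothing if SMB-NT (the NT hash that MS-CHAPv2 is
# computed from) is already in the list.
change_command() {
    current=$(hashlist_of "$2")
    if [ -z "$current" ]; then
        echo "no ShadowHash HASHLIST found" >&2
        return 2
    fi
    if has_hash "$current" SMB-NT; then
        return 0
    fi
    printf 'dscl . change /Users/%s AuthenticationAuthority ";ShadowHash;HASHLIST:<%s>" ";ShadowHash;HASHLIST:<%s>"\n' \
        "$1" "$current" "SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER"
}

# Constructed sample line in the shape shown above; "alice" is a placeholder.
SAMPLE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;(rest omitted)'
change_command alice "$SAMPLE"
```

Review the printed command before running it as root; an account whose list already contains SMB-NT produces no output.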

Other examples now configured the system so that vpnd starts automatically on boot. I’m not a fan of this and prefer to (re-)start things manually.

Start the vpnd service


You can now inspect what is happening with tail on the log file.

tail -f /var/log/ppp/vpnd.log

Most likely you will have set this up on a Mac behind a firewall. This means that the ports used to open a tunnel need to be opened on the firewall.

Configure your firewall/router/modem to pass-through or NAT the UDP ports 500, 1701, and 4500 from the Internet to your internal Mac.

Configure your iPhone or iPad to access your VPN server.

Credits and References: