Lesson 1: Configure VPN service

In this lesson, you’ll learn how to set up a computer as a VPN server.

You’ll configure a server named “myserver.example.com” to accept encrypted connections from Mac clients, allowing them to access the local network.

Along the way, you’ll learn about:

  • Domain names, host names, and fully-qualified domain names

  • Domain name service (DNS), both static and dynamic

  • Public and private IP addresses

  • IP address subnets

  • IP traffic port forwarding

Step 1. Get a public, static IP address

Your server needs an IP address that the public Internet can count on as the location of your server. A static IP address is assigned to you by your ISP.

  • If you’re part of a large organization, consult the person who controls IP addressing and the router, gateway, or firewall that connects your network to your ISP.

    The IP address is used by the domain name system to establish a link between the human-readable domain name and the machine-readable IP address.

Step 2. Get your host name and fully-qualified domain name

Here’s some important Internet naming terminology you need to know:

  • The Domain Name System (DNS) is the way the Internet links machine-readable static IP addresses to human-readable domain names.

    Dynamic DNS is a way to use human-readable naming with IP addresses that change regularly and are periodically reassigned. If you didn’t get a public, static IP address, you’ll have to use Dynamic DNS rather than normal DNS.

  • The host name is the name your server is known by on your local network. For example, you could name your server “myserver” or whatever else would uniquely identify it on your network.

  • The domain name is the name that designates a large organization rather than an individual member. For example, Apple’s domain name is “apple.com.” Documentation about Internet services sometimes uses “example.com” as a domain name. Domain names are leased from a Domain Name Registrar (a company that keeps track of domain names and makes sure they’re unique).

  • A fully-qualified domain name includes the host name and the complete domain name.

  • A DNS provider keeps a record of the domain name and the fully-qualified domain name, and the static IP address they’re associated with.

  • If you’re on your own for this lesson, you need a domain name and a host name. You can pick out your own host name, but you need to lease a domain name.

    If you’re part of an existing organization, there’s a good chance you already have a domain name (like example.com) and some system for picking host names. Your organization should also have a DNS host to link your static IP address and domain name to each other.

    For this lesson, you’ll see the following placeholder names:

    Setting                       Placeholder name
    Domain name                   example.com
    Hostname                      www
    Fully-qualified domain name   www.example.com

    WARNING: Don’t use the placeholder settings in this tutorial. The name “example.com” is reserved for use in documents like this, and won’t work in real software configurations. Use your own settings.

Step 3. Configure VPN address settings

  • Open the Server app to see the list of services available in OS X Server. Select VPN.

    Use the following settings:

    Setting                   Value                  Why?
    Configure VPN for         L2TP                   L2TP is natively supported by Mac computers.
    VPN Host Name             myserver.example.com   The fully-qualified domain name linked with the public, static IP address.
    Shared Secret             Leave as is            An automatically generated string that acts as the “password” to the VPN service.
    Client addresses, Routes  Leave as is            Changes aren’t needed for this lesson.
    DNS settings              Leave as is            You only need to change this if your ISP or organization has specific settings for you.

    WARNING: To prevent network conflicts, the addresses provided by the VPN service should not be the same as the addresses provided by the network administrator via DHCP. Work with your network administrator, or make sure your own router isn’t trying to distribute the same addresses as the VPN service.

    (Screenshot: VPN with settings)
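To check the warning above before turning the service on, compare the VPN “Client addresses” range with the range your router’s DHCP hands out. This Python check is an added example, not part of the lesson or of OS X Server; the subnet and pool values are constructed samples, since the lesson names no network numbers.

```python
import ipaddress

# Constructed sample values (assumption): the lesson names no network numbers,
# so these stand in for a router's DHCP pool and the VPN "Client addresses".
LAN_SUBNET = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")    # handed out by the router
VPN_POOL_BAD = ("192.168.1.180", "192.168.1.220")  # overlaps the DHCP pool
VPN_POOL_OK = ("192.168.1.200", "192.168.1.250")   # disjoint from the DHCP pool


def parse_pool(pool):
    """Turn a (first, last) pair of dotted strings into IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(a) for a in pool)
    if first > last:
        raise ValueError(f"pool starts after it ends: {pool}")
    return first, last


def overlapping_addresses(pool_a, pool_b):
    """Return every address handed out by both pools (empty list if disjoint)."""
    a_first, a_last = parse_pool(pool_a)
    b_first, b_last = parse_pool(pool_b)
    low, high = max(a_first, b_first), min(a_last, b_last)
    if low > high:
        return []
    return [str(ipaddress.IPv4Address(n)) for n in range(int(low), int(high) + 1)]


def check_vpn_pool(vpn_pool, dhcp_pool, lan_subnet):
    """Report whether a VPN client pool is safe to use next to a DHCP pool."""
    subnet = ipaddress.IPv4Network(lan_subnet)
    first, last = parse_pool(vpn_pool)
    conflicts = overlapping_addresses(vpn_pool, dhcp_pool)
    in_subnet = first in subnet and last in subnet
    return {
        # VPN clients need addresses that are routable on the local network
        "in_subnet": in_subnet,
        "conflict_count": len(conflicts),
        "first_conflict": conflicts[0] if conflicts else None,
        "ok": in_subnet and not conflicts,
    }


if __name__ == "__main__":
    for pool in (VPN_POOL_BAD, VPN_POOL_OK):
        print(pool, check_vpn_pool(pool, DHCP_POOL, LAN_SUBNET))
```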

Step 4. Open the necessary Internet ports at the gateway

  • Port forwarding can be done automatically if you’re using an AirPort Base Station that’s configured using Server app. Click “Allow” when Server offers Internet access for VPN.

    (Screenshot: AirPort Extreme selection)

    If you’re part of an organization, there’s probably a firewall that needs to be adjusted to let VPN connections through. Similarly, if you’re setting this up using an Internet router or Wi-Fi access point, you’ll need to set port forwarding.

    Firewalls and NAT routers (gateways) block unsolicited external connection attempts and must be explicitly told to allow them. Each service listens on one or more numbered “ports”; think of a forwarded port as a tunnel or hole in the wall that connects the outside to a specific place inside, handled by the service.

    In your router’s configuration software, open or forward the following ports for VPN:

    Port   Type   For use with
    500    UDP    ISAKMP/IKE
    1701   UDP    L2TP
    4500   UDP    IPsec NAT Traversal

Step 5. Save the VPN profile

  • After checking all the settings, turn on VPN service.

    (Screenshot: VPN service on switch)

    Click Save Configuration Profile, then save the document (remember where you save it—you’ll use it to test the settings later).

    The profile file looks like this:

    (Image: configuration profile icon)
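The saved profile is an XML property list, so you can inspect it before copying it to the test Mac. The checker below is an added example, not Apple’s code: the payload key names (PayloadType com.apple.vpn.managed, VPNType, PPP/CommRemoteAddress, IPSec/AuthenticationMethod, IPSec/SharedSecret) are taken from Apple’s Configuration Profile Reference, and the embedded profile is a constructed sample with a dummy secret.

```python
import plistlib

# Constructed sample .mobileconfig (assumption): key names follow Apple's
# Configuration Profile Reference; the shared secret is a dummy value.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>L2TP</string>
      <key>PPP</key>
      <dict>
        <key>CommRemoteAddress</key><string>myserver.example.com</string>
      </dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><data>ZHVtbXktc2VjcmV0</data>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def vpn_payloads(profile_bytes):
    # A profile can carry several payloads; keep only the VPN ones.
    root = plistlib.loads(profile_bytes)
    return [p for p in root.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def check_l2tp_payload(payload, expected_host):
    """List the ways a VPN payload departs from the lesson's settings."""
    problems = []
    if payload.get("VPNType") != "L2TP":
        problems.append(f"VPNType is {payload.get('VPNType')!r}, expected 'L2TP'")
    host = payload.get("PPP", {}).get("CommRemoteAddress")
    if host != expected_host:
        problems.append(f"server is {host!r}, expected {expected_host!r}")
    ipsec = payload.get("IPSec", {})
    if ipsec.get("AuthenticationMethod") != "SharedSecret":
        problems.append("IPSec authentication is not SharedSecret")
    if not ipsec.get("SharedSecret"):
        problems.append("IPSec shared secret is missing or empty")
    return problems
```

To check a real saved profile, read its bytes with `open(path, "rb").read()` in place of SAMPLE_PROFILE.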

Step 6. Prepare the test Mac

  • Copy the configuration profile to the external Mac, then double-click it to install it. During installation, provide the login name of the test user.

    (Screenshot: profile installation confirmation)

Step 7. Test your configuration

  • Using the test Mac on an external network, choose Apple menu > System Preferences, then click Network. Select VPN, then click Connect.

    When the connection is successful, it’s reflected in the preference pane, and you’ll see an IP address from the range of addresses for VPN connections.

    (Screenshot: Network preference pane with VPN selected)

Go to Lesson 2: Make a service accessible over the Internet.