
Solved: Problems connecting to VPN externally

Discussion in 'Networking' started by KevinHaze22, Jan 6, 2013.

  1. KevinHaze22

    KevinHaze22 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    5
    Hi there!

    I'm setting up a small office network for my brother and he wants to be able to access it from home. He has a Mac Mini Server setup in his office with VPN service running. When connected directly to the network, I can enter in the server's IP 192.168.100.150 for the host address and connect to VPN without any issues. When I try to connect from home, it times out and cannot reach the server. Currently the setup is: SMC Comcast business class modem --> Netgear WGR614v9 router --> Server/Clients. I have set the Comcast modem to forward the ports 500, 1701, 4500 UDP and 1723 TCP to the Netgear's static IP. Then, I have those same ports being forwarded from the Netgear router to the Mac mini server's static IP. From home, when I enter in the static external IP for the office, the VPN will not connect and times out. I did a scan with Nmap on the external IP of the office and it showed that port 1723 was being filtered and wasn't closed or anything, which I think should be correct. Does anyone have any suggestions as to how to get this working? Thanks for your time!
     
  2. dannyn

    dannyn

    Joined:
    Nov 8, 2007
    Messages:
    1,689
    Hello,

    What is the VPN service? It is possible that you have missed some ports.

    Also, "filtered" according to http://nmap.org/book/man.html means "Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed." So that does not necessarily mean that it is open, but also does not mean that it is closed either.

    Some things to think about:
    1) Depending on what software you are using, the VPN not connecting and timing out could mean a multitude of different things. It could mean something simple such as a wrong password (unlikely) or the policy is not configured correctly.
    2) If the place has a dynamic IP you are going to need to use a service such as Dyn DNS. I would normally suggest running this on the router, but you will not be able to because the updater will think the address to be pushed in the update is the internal address.
    3) If you could get the "modem/router" turned to bridge mode (essentially getting the router, firewalling, and DHCP portions of the modem turned off so you only have one router), it could help with troubleshooting. Comcast is somewhat picky about this, and usually will only do it if you have a static IP. I have had varying results depending on the tech support person's knowledge level of the equipment.
    4) What is the subnet of your house? Is it the same as the remote subnet?
    5) One thing you could do, if the software has a logging portion, is use something such as LogMeIn and initiate the connection and watch the logs to see if you can view which portion of the connection establishment it is failing at.

    Sorry I do not have a golden bullet for you, but hopefully that will enable more information to be obtained and get close to a solution.
     
  3. KevinHaze22

    KevinHaze22 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    5
    Thanks for getting back to me so quickly! We are using a Mac Mini Server running 10.8.2 server for the VPN. I know that I have the right username/password and shared secret since I'm able to log in from within the network; however, externally is when I get the timeout, so I know it's not that. We are planning on going with DynDNS so that we never lose the connection to the server; however, for testing purposes shouldn't I be able to still get in if I knew the dynamic IP we were currently on? I had the modem set up so that DHCP and Firewall are disabled, the wireless router is set to a static IP 10.1.10.XX which shows on the Comcast modem, and I have the ports being forwarded there. For testing purposes, I set the router into DMZ on the Comcast modem and DMZ for the server's address on the router, and still was not able to get access. I spoke with 2 different people at Comcast that told me different things lol. The first one had no idea what I was talking about and turned DHCP back on. The second one knew what I was talking about and said that they weren't blocking any ports or anything, so I'm not sure if it's something with the router we are using. I'm going to see if I can check the log on my router to see if it's getting the request for those ports. Thanks for all of your time and help, it is much appreciated!
     
  4. KevinHaze22

    KevinHaze22 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    5
    Just a quick update, I plugged the server directly into the Comcast modem, set everything up, and eliminated the router from the equation. I still had it set up to DMZ to the server so none of the ports would be blocked, just for testing purposes. It still did not work. So we called Comcast and they are setting up a static IP for us. With all of the ports being forwarded to the server there should be no reason why I can't enter our static IP for the host name and connect, is that correct? I think the way Comcast does dynamic IP is preventing the connection. We were going to use dynamic DNS, but I figured the static IP would be better and easier. I read somewhere that the IP I am seeing is not correct since we are using dynamic IP and that the correct IP would be 1 less than the number that is showing, ex. 123.123.123.123 to 123.123.123.122. Not sure if this is true or not, but we already are getting the static IP set up. To test the connection, I'm going to leave the server plugged into the Comcast modem and set up to DMZ, so there should be no issues when connecting with our static IP? Thanks for your time!
     
  5. dannyn

    dannyn

    Joined:
    Nov 8, 2007
    Messages:
    1,689
    Ok, I am not 100% sure all your settings are correct, but I have nothing to indicate they are not correct either. Here are a few links for your perusal to just verify that you have everything correct.

    Try these links first:
    http://krypted.com/mac-os-x/installing-the-mountain-lion-server-vpn-server/ (I would skip the command line, and do it the GUI way)
    http://support.apple.com/kb/TS1629 (Ports)

    More info:
    http://macminicolo.net/mountainlionvpn (I would skip part 2) (Also on the client do not check to send all traffic over the VPN)
    https://discussions.apple.com/thread/3142791?start=0&tstart=0 (There is a lot of good info in this one. The last post by Mr.Hoffman is kind of what I have been suspicious of, but I am not a pro in how OSX server handles this. But we might still be able to make it work)


    A lot of info in your messages; let me try and tackle that. If you are going to send that much info again, please number the points as I do so I can reference those numbers.

    1) Yes, you should be able to connect with the current dynamic IP.
    2) I am trying to follow your discussion on the DMZ that you are talking about but having a little issue. So let me try and dissect. Just because you turn off the firewall and DHCP server does not mean that it does not act like a router anymore. The device is still performing routing functions (such as NAT) and you can notice that by the fact that you are still using an internal address behind it, in your case 10.1.10.XX. You want bridge mode, which does not have any router anymore and all the functions associated with it are disabled, so it only performs the function of a modem. This step is not a requirement; it was just something that if you knew how to do it or if Comcast was willing to do it then you could do that to potentially alleviate one of the many variables that you are facing. (This only applies to dynamic; seeing you now have a static mentioned in your second post, you can ignore this seeing your static is wide open to the net.)

    So now to your second post:
    1) Yes if you are using a static IP on the computer then yes you should be able to connect, this really points to something being wrong with the server configuration. Now if you are using a static IP you can see the issue that you are going to run into. If you are using just one NIC and using one static IP you should be able to connect to the server, but you will no longer be able to connect to the remote local network seeing that the server can no longer communicate with this network.
    2) In my experience with the Comcast business class, when Comcast sets up the static IP it is wide open. Your modem will still have the routing features enabled and you can still use your dynamic IP, but if the modem sees anything coming from that static IP, it does not route it as an internal address with firewalling, it treats it as an external address completely and is wide open to the internet, which is what you want, except for the problem mentioned above.

    I am going to stop there with the network config portion. Do the 4 numbers above make sense to you?

    Now to the config portion. Seeing you now have a static IP, I would probably go ahead and hook up the router to the Comcast modem and configure the router with the STATIC IP details that you have now gotten (your static external). This will remove one of the routers. Then I would go ahead and forward your ports to the Mac mini server (using a static internal). At this point what you have done is punched the holes through all your devices, so on those specific ports your server now has full communication with the internet.
    Next I would try to see if you can connect. I think more than likely you might have the wrong ports configured for the type of VPN you are using (not sure if you are using PPTP or L2TP) or something similar.

    Long post, but hopefully this can get you started.
     
  6. KevinHaze22

    KevinHaze22 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    5
    Thanks for the quick and detailed response! After reading up on the links you left me, I'm starting to think the server just isn't set up properly. I had the idea that I would turn on VPN on the server, connect the server to the internal network, open the ports on the router, then type in the IP, shared secret, and username/password.

    Currently the only connection to the server is the internal one which is 10.1.10.XX, so if I'm able to connect internally (from say 10.1.10.YY client), does that mean I need to setup a VLAN or do anything like that to connect externally? I know as far as the routing goes, I am forwarding the ports correctly and I can ping our external IP, so it has to be the way the VPN server is set up.

    I'm sorry if I'm being a bit confusing, I'm still trying to grasp how the VPN connection is made. I felt like I had a great understanding of it, but apparently I've embedded incorrect information into my brain lol.

    I'm going to see if I can find any articles on how to set up a VPN server on a Mac mini from scratch. Only VPN is turned on on the server, so perhaps I need to enable other services.

    We just got the static IP in, I'll be testing everything out tomorrow, and let you know how everything goes.
     
  7. dannyn

    dannyn

    Joined:
    Nov 8, 2007
    Messages:
    1,689
    Please, if you can, could you number your responses. You are asking many different questions in one post, which is fine, but I have a hard time addressing all of it in an efficient manner.

    The fact that you can connect internally seems to me to point to you having the proper configuration for connection details and server status etc.

    1) No you do not need to have a different VLAN. Just because you can ping really does not tell you much about the port forwarding or routing. All that says is there is in some form a valid path between your remote external and your local external. It could still mean you have a firewall issue, or one of the ports is not forwarded properly to the server.

    2) No worries we are here to help. Why don't you look at my links in post #5 and see if any of those can help get you going. Take a look at the little hints that I left next to them. Those are very important.

    3) With your static IP you could try to set it up directly to the server if you wanted, but you will not be able to access the network. You will just be able to verify that you can connect. If you do that, it could help in determining that you are able to access it across the net, but not the whole thing. So you might want to set it up with the router so you can test the whole thing. Up to you, but be sure to let me know what you end up doing.

    The issue here really seems to be that you have some sort of firewalling or routing issue.

    Another link that might help:
    http://birdchan.com/home/2012/11/06/setting-up-a-vpn-server-on-a-mountain-lion-server/
     
  8. KevinHaze22

    KevinHaze22 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    5
    Ok, I think we have figured everything out. Apparently, my phone is an old POS and has software issues so VPN isn't working even to known good locations, not to mention the person with the iPhone I had testing out the connection was automatically connecting to the internal network when testing it out with the external number. Between the two, I was convinced there was something wrong with the server, when in fact the server was running without any issues. After 3 days of this, I feel pretty stupid. I was sure I had everything set up right, and I did; the testing is where I went wrong.

    Thank you for all of the help and time spent solving this issue, it is much appreciated! BTW sorry for not numbering, thanks for reading and responding even though my posts were sloppy.

    The Solution for anyone else who might run into this issue...
    Make sure you are not trying to connect to the external IP from within the same internal network that the server is on. You will be able to connect to its internal IP (ex. 10.1.10.XX or 192.168.1.XX), but when attempting to connect to the external IP (ex. 69.123.111.XX) you will not be able to.
     
  9. dannyn

    dannyn

    Joined:
    Nov 8, 2007
    Messages:
    1,689
    No worries! Glad to hear it's working.

    Kind of funny that was the issue; as you can see I edited the post above before you posted, and I took out the portion that talked about this. I did this because I did not want to confuse you!

    Glad to see you got it figured out. You can mark the thread solved by clicking the mark solved button at the top of this thread.
     