VPN and OS-X 10.x
I just tied into a company from my MAC using VPN instead of iChat or logmein. I was shown "every step of the way" and I was the client.
Could someone please tell me (in simple lingo) how to setup a VPN on the server side, so I can remotely connect using the built in VPN that is built into OS-X 10.5.x and OS-X 10.6. Server would be a MAC product, and NO, there is no Cisco anything involved. Just cheap stuff. Connection should be via L2TP or PPTP, so NOTHING should have to be downloaded ( I think - but what the hell do I know !).
Bob is the server a simple server or advanced?
i.e. with VPN setup do you get a box like Sys Prefs > Time Machine, or do you have the full admin application?
make a big diff.
Will run through steps when in office for an advanced server install.
It's all pretty simple.
The server is not even a server. It's a dedicated MAC Pro that acts as a server for one of these shared storage systems. I want to know how to set it up for VPN, so I can "break thru" firewalls in offices that won't let me use iChat to remote into a computer. The client side is easy (System Preferences > Network > + > VPN, and the couple of settings). Now, what do you do on the server side?
Ours is a macpro also.
What I meant was are you running OSX Server ?
We have a macpro running OSX Server. Setup is easy for VPN through the admin app.
On the non OSX Server side I think you'll be installing something extra such as below.
lemme know if you need any more help
You may want to try using Open VPN. http://www.openvpn.net/
We have that here in our office, use it to connect to Mac and Windows systems.
It's very easy to configure on the client, and I'm sure the implementation on the server is fairly simple as well.
You sorted Bob ?
No, I am not sorted out. I need a FREE server application - let me explain. We currently use Apple iChat, which is free, and works quite well. RealVNC is a free download for server AND client, but free only for Win XP servers - not MAC (it's about $50 US). If you use OS-X Server, this includes a free VNC server, but I do not use OS-X Server, I just use regular OS-X (non server) for these simple servers. So far, the easy answer is "well, just spend the 50 bucks, and shut up already" - but I would have to tack this onto the cost of every system - and since iChat is free, and works on all systems except where I have secure locations (that block things like AIM, and iChat) - I am looking for a VNC solution. So my real question is: what is a FREE VNC server application that I can load, if I DON'T have OS-X Server on the MAC computer that is acting as a server?
As I write this, it is sounding very stupid (because I would be the very person who would write back SPEND THE 50 bucks and SHUT UP).
What! you want something for free!.. with no support!.. There's a reason why... etc..etc.. ;)
OK so iVPN is £14.99, what's that.. 30 bucks?
Surely you can tack that on the quote?
If someone's spending 5>30k on an appliance from you, what's 30 bucks?
Also, if the purchased serial is for you, and for your uses on installs, then I don't see anything about a per computer license.
I think there is some confusion here from using the terms "VPN" and "VNC" interchangeably. They are definitely not synonymous.
VPN is Virtual Private Network, which allows remote computers to connect to a host and then have access to the host's network as if the remote computer were part of the host's local network. This is what Bob's original post was referring to (L2TP, no Cisco, etc.) so I'll assume that's the kind of access he's after here.
VNC is Virtual Network Computing. It's essentially a remote access protocol for viewing and interacting with remote computers as if one had physical access to the computer. To most, it is simply another screen sharing protocol (which is mostly true).
Every version of OS X (client or server) has shipped with a VNC server since, I believe, Tiger (10.4). It might have even been present in 10.3 but I'm not certain. Doesn't matter. All you need to know is that every modern Mac has VNC capability already built-in by Apple and it is only a check-box away to enable it (10.5 Leopard: System Preferences > Sharing > Remote Management). This enables a VNC server that you can use most VNC clients to connect to and control the Mac's screen. That VNC client software can be running on another Mac, Linux or Windows as long as it supports the protocol.
VPN, on the other hand, is bundled with every Mac client, but only as client software (i.e. the software portion that lets you connect to VPN hosts/servers). To host a VPN server, you need additional software for OS X client (like the aforementioned iVPN) or you can use OS X Server, which has a VPN server built-in and works quite well. And it is very secure, which is important when dealing with remote access.
So, I think what you really want here, Bob, is to have a combination of both. You want VPN to allow you access to your client's network and then you want to use VNC to control their screens (very Orwellian!). However, if they are blocking iChat/AIM with a firewall then I highly doubt they are going to let VPN traffic through, either. And yes, setting up a VPN behind a firewall requires certain ports to be forwarded to get through the firewall, which probably involves getting their IT people involved. Opening up a VNC port directly to a computer is a very bad idea as VNC is not encrypted by itself, so it would be unsafe. However, using VPN in conjunction with VNC should make you safe but, like I mentioned, it does take more work than just installing something and pressing the big green GO button.
There are other things you can do as well, such as ssh tunnels. The ssh protocol is very, very flexible and allows you to get into all sorts of situations that drive network administrators nuts. SSH on your client's side can even be used to circumvent their firewall, which would be good for you but would freak out any competent network admin (the idea of bypassing a security device such as a firewall by making an outgoing tunnel to some person on the Internet should be a cause for concern, if not a full-on geek tantrum).
So, I guess what I'm saying is that you tried a VPN setup once and liked it. It apparently worked pretty seamlessly for you BECAUSE someone on the other end made it easy to use. It just didn't fall out of the box that way. VPNs require setup, but if it is something you need then it is worth the investment in time and money. Getting your clients to cooperate and share your vision in needing this kind of access to their networks is probably a bigger challenge than setting up the software.
PS--OpenVPN might help, but unless I'm mistaken I didn't see an OS X binary for it. A server running OpenVPN would, I believe, require a different VPN client than what is built into OS X, so that's another piece of the puzzle to deal with if you go that route.
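The warning above that VNC "is not encrypted by itself" can be checked rather than taken on faith: the first bytes a VNC server sends are its RFB version banner and the list of security types it is willing to use, and only a TLS-based type protects the screen contents and keystrokes that follow. The parser below is an added example written for this thread, not code from any poster or product; it decodes that opening offer (RFB 3.3 and 3.7/3.8 layouts, as in RFC 6143) and reports whether a listener would run a session in cleartext or accept a connection with no authentication at all. The four sample byte strings are constructed, not captures from a real host, and the type-number table covers only the registered values named in the comments.

```python
"""Classify what a VNC (RFB) server offers at the start of a session.

Added example, not from the thread. It parses the first bytes a VNC
server sends (ProtocolVersion banner, then its security-type offer, per
RFC 6143) and reports whether the listener would run the session in
cleartext or accept connections with no authentication.
"""
import re
import struct

# Registered RFB security types the parser knows how to name.
SECURITY_TYPE_NAMES = {
    0: "invalid (connection refused)",
    1: "None: no authentication at all",
    2: "VNC Authentication: DES challenge-response, session stays in cleartext",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}
# Only these wrap the session in TLS; with every other type the
# framebuffer, keystrokes and mouse events cross the wire unencrypted.
ENCRYPTING_TYPES = {18, 19}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def _reason_string(buf):
    """Length-prefixed (u32) reason text that follows a refusal."""
    (n,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + n].decode("latin-1")


def parse_server_hello(data):
    """Parse banner + security offer; return a dict describing the listener."""
    m = VERSION_RE.match(data)
    if not m:
        raise ValueError("not an RFB server banner")
    major, minor = int(m.group(1)), int(m.group(2))
    body = data[12:]
    offered, reason = [], None
    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates a single type as a big-endian u32;
        # 0 means refusal, followed by a reason string.
        (t,) = struct.unpack("!I", body[:4])
        if t == 0:
            reason = _reason_string(body[4:])
        else:
            offered = [t]
    else:
        # RFB 3.7/3.8: u8 count, then that many u8 types the client picks from;
        # count 0 means refusal, followed by a reason string.
        count = body[0]
        if count == 0:
            reason = _reason_string(body[1:])
        else:
            offered = list(body[1:1 + count])
    return {
        "version": f"{major}.{minor}",
        "offered": offered,
        "names": [SECURITY_TYPE_NAMES.get(t, f"unknown type {t}") for t in offered],
        "reason": reason,
        "allows_no_auth": 1 in offered,
        "cleartext_only": bool(offered) and not (set(offered) & ENCRYPTING_TYPES),
    }


def verdict(data):
    """One-line assessment suitable for an audit log."""
    r = parse_server_hello(data)
    if r["reason"] is not None:
        return f"RFB {r['version']}: server refused the connection ({r['reason']})"
    parts = [f"RFB {r['version']}: offers {', '.join(r['names'])}"]
    if r["allows_no_auth"]:
        parts.append("accepts unauthenticated connections")
    if r["cleartext_only"]:
        parts.append("no encrypting type offered; reach it only through a VPN or SSH tunnel")
    return "; ".join(parts)


# Constructed samples (not captures from any real host).
SAMPLE_CLEARTEXT = b"RFB 003.008\n" + bytes([2, 2, 1])    # VNC auth or no auth
SAMPLE_TLS = b"RFB 003.008\n" + bytes([2, 19, 2])         # VeNCrypt first, VNC auth fallback
SAMPLE_V33 = b"RFB 003.003\n" + struct.pack("!I", 1)      # old server dictates type None
_REASON = b"Too many auth failures"
SAMPLE_REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", len(_REASON)) + _REASON

if __name__ == "__main__":
    for sample in (SAMPLE_CLEARTEXT, SAMPLE_TLS, SAMPLE_V33, SAMPLE_REFUSED):
        print(verdict(sample))
```

Feeding the script the opening bytes captured from your own Mac's port 5900 (for example from a packet capture of a test connection on the LAN) tells you whether the Sharing checkbox left a cleartext listener behind, which is exactly the case where the VPN-plus-VNC combination is needed rather than optional.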
I have secure firewall in the office.
I VPN in
run ScreenShare built into osx but hidden in /System/Library/CoreServices
type in the ip of the remote machine and voila. controlling from internally just like you do via finder.
I actually add a list of IPs to the hosts file, so for the server in the office in Screen Share I just type officeserver. Hate numbers.
Nice post btw Matt.
Thanks for clearing that all up!
I checked and OpenVPN doesn't have an OSX download for Server. It's only a client VPN OSX download that I'm using.
I guess we have OpenVPN installed on our firewall, and that's what allows us access to the Apple's once inside our network.
Bob - Not sure how that differs from what you want to do?
Thanks all -- just doing my part to try and help out :)
Hey Matt, this is a great summary of the whole VPN / VNC issue. Nice work!
There is one free, fairly easy to use and low-configuration VPN application for OS X that I've played with called HamachiX. Some decent tutorials about it can be found here:
Unfortunately, this easy to use OS X software package is not being updated anymore -- either it works or it doesn't and there's no support. But, when it works, it's very easy. And, it's based on the Hamachi command-line utility that is pretty solid and effective cross-platform. http://en.wikipedia.org/wiki/Hamachi
Here's an outline of how it can be used from a Mac to connect to and control remote Macs (sorry if this is rudimentary for most):
1. Download HamachiX for Mac to your computer: http://www.freemacware.com/freemacware-downloads/877
2. Drag the application to your computer once it downloads. Open it up. Accept the user agreement and install the underlying software.
3. Once it's running, click the "Add" button at the top of the main HamachiX window. This will allow you to create a new Virtual Private Network of your very own.
4. In the "Assistant" window that comes up, give your new network a cryptic name that nobody will guess. Also a strong password that nobody would guess. These two things separate your computers from the world. Make them good.
5. Still in this "Assistant" window, generally you want "Create Network on Demand" checked. This allows your Virtual Private Network to be created whenever a computer using this software (and having your name and password) starts up.
6. Click "Add" to create the network.
7. Close the "Assistant" window after you click Add (if it doesn't close automatically).
8. Go to the "HamachiX" pull-down menu at the top of the screen, select preferences, and give this computer a nickname if you want. Makes it easier to figure out which computer is which later on.
9. Leave HamachiX running on your computer for a while, and continue on. This ensures your VPN stays active so you can test it soon.
10. Install HamachiX on another computer (like a computer in your client's office) by downloading it, dragging it to the computer, launching it, and accepting agreements and installing the background stuff when asked.
11. Once HamachiX is running on this second computer, click the "Add" button like above from the main window, and enter the same network name and password and make sure the "Create Network on Demand" radio button is selected in the "Assistant" window that pops up. Click "Add," then close the "Assistant" window if it doesn't automatically.
12. Go set a nickname (like step 8 above) for this new computer.
13. In theory, in the main HamachiX window, if you click the name of the network you created on the left, you should see a list of all computers on your network along with the "fake" network address that each computer has assigned (probably starts with 5.something). Hopefully all computers show green lights next to them. The "fake" network address of the computer you're sitting at is listed after "Hamachi ID" in the top bar of the main window.
14. Assuming the light is green next to a computer in the list, you can connect to it through a variety of methods including VNC, screen sharing and Apple Remote Desktop. I've had the most luck with Screen Sharing, so the rest of the instructions here assume you want to connect to the second computer using screen sharing (with all running OS X Leopard).
15. Make sure screen sharing is enabled on the computer you want to connect to -- probably the second computer at the client's location. (Apple System Preferences, Sharing) Make sure you're happy with the security settings on which user accounts are able to connect using screen sharing, and if you allow things like VNC connections. (You don't have to enable VNC for this to work from a Leopard machine, but would if you wanted to be able to connect from an older Mac using VNC client software like Chicken of the VNC.)
16. From another computer using HamachiX and connected to your Virtual Private Network (probably the first computer you set up), launch the screen sharing application that's kinda hidden (like Simon said) in the System -> Library -> Core Services folder.
17. When prompted for a "Host," type in the "fake" address for the computer you want to control (again, probably the second computer) from the HamachiX list (that probably starts with 5.something).
18. Hopefully you're prompted for a username and password (this is for the computer you're connecting to - probably the second computer you set up), and then you're able to control the remote computer.
You can also do some other things with the remote computer like share files. If file sharing is enabled on the remote computer, just "Go" and "Connect to Server" like normal on the computer you're connecting from, but type in the fake Hamachi address for the computer you're connecting to when prompted for the server address. Anything that the remote computer is configured to share should be accessible to you.
Now, HamachiX has some limitations. It doesn't go through every firewall. It isn't 100% stable (crashes occasionally). If you're out at a hotel or somewhere that blocks VPN access ports, you won't be able to connect. Some information about your network is stored on a remote server (called a mediation server, that takes care of making the connection). And, there's nobody to call for help -- except Mr. Google.
But, when it works, it's great. It could be the kind of thing you could have a client click on to fire up when you need access, then quit when you're done. I'm not sure how I'd feel about keeping it running all the time on a SAN controller (ethernet or fibre channel based). (That's a lie. I know how I'd feel about it. Bad.)
If you want a VPN service that goes through more firewalls and is more stable, you're going to need to pay. And, like Matt said, there's no way around getting IT folks involved in certain situations where your client's network and firewall are heavily managed. But, using the combo of HamachiX and Apple's built-in Screen Sharing capabilities might do the trick for some situations -- for free.
Let me know if you have questions, and good luck!
now THAT is a GREAT post.
Thanks Dave Klee !
Just to add on to the post about Hamachi, which I love and adore, you can also set up a script that will autolaunch a Hamachi daemon on start up. This way you can access the machines remotely without someone having to start Hamachi for you manually.
This is a tutorial for the process of doing that.
Obviously, this set of scripts requires that you've already installed both Hamachi and the tun/tap drivers.
To install the hamachi boot scripts, download this file:
And then enter these commands in Terminal in the directory where you downloaded the file:
sudo cp hamachi-boot-macosx.tar.gz /Library/StartupItems
cd /Library/StartupItems
sudo tar zxvf hamachi-boot-macosx.tar.gz
sudo chown -R root:wheel hamachi
This should result in a directory
Containing the files
Next edit the beginning of hamachi_helper to reflect which account you used to install Hamachi by replacing "hamachi_account" with the appropriate account name.
If you installed Hamachi as root, I believe the script will work if you set HAMACHI_OWNER=root and HAMACHI_DIR=/var/root/.hamachi. Thanks go to one of the users for providing the correct HAMACHI_DIR variable setting. I'd thank them directly but here at freeasinbeer.com we respect your right to enjoy software anonymously!
After hamachi_helper works, change hamachi_networks.conf to contain the names of the networks you would like to sign on to. One network name per line, as many lines as you want. As far as I know there is no hard limit.
This package is designed to be run by SystemStarter during the boot process. However, you can test it manually by entering commands of the form:
sudo SystemStarter start hamachi
sudo SystemStarter restart hamachi
sudo SystemStarter stop hamachi
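A startup item under /Library/StartupItems runs as root at every boot, which is why the post's chown -R root:wheel step matters: any file in that directory that a non-root user can write becomes a way to run code as root at the next reboot, and Mac OS X disables an item with such permissions as an "Insecure Startup Item". The script below is an added example, not part of the hamachi-boot package or any poster's code; it audits an item directory for root ownership and group/world-writable entries, confirms the two files the post names (hamachi_helper and hamachi_networks.conf) are present, and reads the one-network-per-line config. make_sample_item builds a constructed copy of that layout in a temporary directory so the audit can be tried without touching /Library/StartupItems; the archive's full file listing is not reproduced here, only the two names the post mentions.

```python
"""Audit a /Library/StartupItems entry before letting SystemStarter run it.

Added example, not from the thread or the hamachi-boot package. The item
runs as root at boot, so every path in it must be owned by root (the
post's `chown -R root:wheel hamachi`) and writable by nobody else. Only
the two file names the post mentions are checked.
"""
import os
import stat
import tempfile

REQUIRED_FILES = ("hamachi_helper", "hamachi_networks.conf")
CURRENT_UID = os.getuid()


def read_networks(conf_path):
    """hamachi_networks.conf: one network name per line, blank lines ignored."""
    with open(conf_path) as f:
        return [line.strip() for line in f if line.strip()]


def audit_startup_item(item_dir, expected_uid=0):
    """Return a list of findings; an empty list means the item passes."""
    findings = []
    if not os.path.isdir(item_dir):
        return [f"missing directory: {item_dir}"]
    for name in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(item_dir, name)):
            findings.append(f"missing file: {name}")
    conf = os.path.join(item_dir, "hamachi_networks.conf")
    if os.path.isfile(conf) and not read_networks(conf):
        findings.append("hamachi_networks.conf lists no networks")
    # Check the directory itself and everything under it, without following symlinks.
    paths = [item_dir]
    for root, dirs, files in os.walk(item_dir):
        paths.extend(os.path.join(root, n) for n in dirs + files)
    for p in paths:
        st = os.lstat(p)
        if st.st_uid != expected_uid:
            findings.append(f"not owned by uid {expected_uid}: {p}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"group/world-writable: {p}")
    return findings


def make_sample_item(weaken=False):
    """Build a constructed hamachi item in a temp dir (demonstration only).

    With weaken=True, hamachi_helper is left world-writable to show what
    the audit flags.
    """
    base = tempfile.mkdtemp()
    item = os.path.join(base, "hamachi")
    os.mkdir(item)
    with open(os.path.join(item, "hamachi_helper"), "w") as f:
        # "hamachi_account" is the placeholder the post tells you to replace.
        f.write("#!/bin/sh\nHAMACHI_OWNER=hamachi_account\n")
    with open(os.path.join(item, "hamachi_networks.conf"), "w") as f:
        f.write("example-network\n")  # constructed network name
    os.chmod(item, 0o755)
    os.chmod(os.path.join(item, "hamachi_helper"), 0o777 if weaken else 0o755)
    os.chmod(os.path.join(item, "hamachi_networks.conf"), 0o644)
    return item


if __name__ == "__main__":
    for weak in (False, True):
        item = make_sample_item(weaken=weak)
        # Audit against the current user so the demo runs unprivileged;
        # on a real Mac call audit_startup_item("/Library/StartupItems/hamachi").
        print(item, audit_startup_item(item, expected_uid=CURRENT_UID) or "OK")
```

On a real machine run it with sudo after the chown step and before the first `SystemStarter start hamachi`; an empty result means the item is owned entirely by root and nobody else can edit what will run at boot.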
This post got me thinking and I've written a short article on getting hamachi and VNC running on your edit machines.
you are amazing !