Friday, May 27, 2016

How to Setup L2TP VPN Server on Mac OS X El Capitan (non-server version)

In this post, I will go over how to set up an L2TP/IPsec VPN server on a Mac running OS X El Capitan (the plain, non-server version, without OS X Server). It is based on the excellent post from Jon, with slight modifications.

Before you start, make sure the following UDP ports are not blocked by your router or ISP, since all three have to reach the server from the outside:
UDP 500 for ISAKMP/IKE
UDP 1701 for L2TP
UDP 4500 for IPsec NAT Traversal

Usually you can configure your router to forward these ports to a designated internal IP address. That means the to-be-server machine needs a fixed address first: give it a DHCP reservation keyed on its MAC (hardware) address, or a static address outside the router's DHCP range, and then forward the three ports to it.

Now, let us dive into the setup. First, create the file /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key>
  <array>
    <string>com.apple.ppp.l2tp</string>
  </array>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>DNS</key>
      <dict>
        <key>OfferedSearchDomains</key>
        <array/>
        <key>OfferedServerAddresses</key>
        <array>
          <string>168.126.63.1</string>
          <string>8.8.4.4</string>
        </array>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>ConfigMethod</key>
        <string>Manual</string>
        <key>DestAddressRanges</key>
        <array>
          <string>192.168.0.201</string>
          <string>192.168.0.254</string>
        </array>
      </dict>
      <key>Interface</key>
      <dict>
        <key>SubType</key>
        <string>L2TP</string>
        <key>Type</key>
        <string>PPP</string>
      </dict>
      <key>L2TP</key>
      <dict>
        <key>IPSecSharedSecret</key>
        <string>com.apple.ppp.l2tp</string>
        <key>IPSecSharedSecretEncryption</key>
        <string>Keychain</string>
        <key>Transport</key>
        <string>IPSec</string>
      </dict>
      <key>PPP</key>
      <dict>
        <key>AuthenticatorACLPlugins</key>
        <array>
          <string>DSACL</string>
        </array>
        <key>AuthenticatorPlugins</key>
        <array>
          <string>DSAuth</string>
        </array>
        <key>AuthenticatorProtocol</key>
        <array>
          <string>PAP</string>
        </array>
        <key>LCPEchoEnabled</key>
        <integer>1</integer>
        <key>LCPEchoFailure</key>
        <integer>5</integer>
        <key>LCPEchoInterval</key>
        <integer>60</integer>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>VerboseLogging</key>
        <integer>1</integer>
      </dict>
      <key>Server</key>
      <dict>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>MaximumSessions</key>
        <integer>128</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
Two parts need to be adapted to your network: the two OfferedServerAddresses entries are the DNS servers handed to clients (the example uses a Korean ISP resolver and Google's 8.8.4.4), and the two DestAddressRanges entries are the first and last address the server assigns to clients. Clients get addresses on your LAN subnet, so the pool must not overlap with the router's DHCP range, and it must not include the subnet's network or broadcast address (x.x.x.0 and x.x.x.255 on a /24), since no LAN host will talk to those.
Note that the plist does not contain the IPsec secret itself: IPSecSharedSecretEncryption is Keychain, and IPSecSharedSecret names the keychain item (account com.apple.ppp.l2tp) that holds it, which is why the file can safely be world-readable. Also note that AuthenticatorProtocol is PAP, so the PPP password travels in the clear inside the tunnel: the IPsec pre-shared key is the only thing protecting it on the wire, and anyone who knows that key can impersonate the server and collect user passwords. Pick a long random secret and share it only with the people who should be able to connect.

Next, change the owner of the file by
$ sudo chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

and change the access control by
$ sudo chmod 644 /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

Now store the IPsec shared secret in the System keychain. Run the following command, replacing SHARED-SECRET-PHRASE with your own. The account (-a) must match the IPSecSharedSecret value in the plist, the service (-s) is the one racoon, the IKE daemon, looks up, and -T /usr/sbin/racoon adds racoon to the item's access list so it can read the secret without an interactive keychain prompt. Because the secret is passed on the command line it ends up in your shell history; clear that entry afterwards (or prefix the command with a space if your shell is set to ignore such commands).
$ sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "SHARED-SECRET-PHRASE" /Library/Keychains/System.keychain

Create /Library/LaunchDaemons/com.apple.ppp.l2tp.plist with the following content
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/vpnd</string>
            <string>-x</string>
            <string>-i</string>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>OnDemand</key>
        <false/>
    </dict>
</plist>

Finally, load the launchd job. The -w flag marks it as enabled, so vpnd starts now and again on every boot:
$ sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist

To stop the VPN service and keep it from starting at boot, run
$ sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
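The whole procedure above, collected into one shell script. This is an added example, not code from the original post: it takes the DNS servers and the client address pool as parameters, validates the pool, renders both plists, reads the IPsec secret from the terminal instead of the command line, and then runs the ownership, keychain and launchctl steps in the post's order. The function names and the command-line usage are this script's own; the paths, plist keys and keychain account/service names are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: the setup above as one script.
# It validates the client address pool, renders both plists from parameters,
# reads the IPsec secret from the terminal (not the command line) and runs the
# chown/chmod/security/launchctl steps in the post's order. Function names are
# this script's own; paths, keys and keychain names are the post's.
set -eu
RAS_PLIST=/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
LAUNCHD_PLIST=/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
SERVER_ID=com.apple.ppp.l2tp   # vpnd server name, launchd label and keychain account

# ip4_to_int A.B.C.D: dotted quad to a 32-bit integer; fails on anything else.
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_check START END: the pool must be ordered and, since clients get
# addresses on the LAN subnet (assumed a /24 as in the post), must not include
# the network (.0) or broadcast (.255) address, which no LAN host unicasts to.
pool_check() {
    s=$(ip4_to_int "$1") || { echo "bad pool start: $1" >&2; return 1; }
    e=$(ip4_to_int "$2") || { echo "bad pool end: $2" >&2; return 1; }
    [ "$s" -le "$e" ] || { echo "pool start $1 is after pool end $2" >&2; return 1; }
    [ $(( s & 255 )) -ne 0 ] || { echo "pool start $1 is a network address" >&2; return 1; }
    [ $(( e & 255 )) -ne 255 ] || { echo "pool end $2 is a broadcast address" >&2; return 1; }
}

# render_ras_plist DNS1 DNS2 START END: com.apple.RemoteAccessServers.plist.
# The IPsec secret is not in here; IPSecSharedSecret only names the keychain item.
render_ras_plist() {
    dns1=$1 dns2=$2 start=$3 end=$4
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>ActiveServers</key><array><string>$SERVER_ID</string></array>
  <key>Servers</key><dict><key>$SERVER_ID</key><dict>
    <key>DNS</key><dict><key>OfferedSearchDomains</key><array/>
      <key>OfferedServerAddresses</key><array><string>$dns1</string><string>$dns2</string></array></dict>
    <key>IPv4</key><dict><key>ConfigMethod</key><string>Manual</string>
      <key>DestAddressRanges</key><array><string>$start</string><string>$end</string></array></dict>
    <key>Interface</key><dict><key>SubType</key><string>L2TP</string><key>Type</key><string>PPP</string></dict>
    <key>L2TP</key><dict><key>IPSecSharedSecret</key><string>$SERVER_ID</string>
      <key>IPSecSharedSecretEncryption</key><string>Keychain</string>
      <key>Transport</key><string>IPSec</string></dict>
    <key>PPP</key><dict>
      <key>AuthenticatorACLPlugins</key><array><string>DSACL</string></array>
      <key>AuthenticatorPlugins</key><array><string>DSAuth</string></array>
      <key>AuthenticatorProtocol</key><array><string>PAP</string></array>
      <key>LCPEchoEnabled</key><integer>1</integer><key>LCPEchoFailure</key><integer>5</integer>
      <key>LCPEchoInterval</key><integer>60</integer>
      <key>Logfile</key><string>/var/log/ppp/vpnd.log</string><key>VerboseLogging</key><integer>1</integer></dict>
    <key>Server</key><dict><key>Logfile</key><string>/var/log/ppp/vpnd.log</string>
      <key>MaximumSessions</key><integer>128</integer><key>VerboseLogging</key><integer>1</integer></dict>
  </dict></dict>
</dict></plist>
EOF
}

# render_launchd_plist: the launchd job that runs vpnd for $SERVER_ID.
render_launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$SERVER_ID</string>
  <key>ProgramArguments</key><array>
    <string>/usr/sbin/vpnd</string><string>-x</string><string>-i</string><string>$SERVER_ID</string>
  </array>
  <key>OnDemand</key><false/>
</dict></plist>
EOF
}

# install_l2tp_server DNS1 DNS2 START END: run as root, on the Mac itself.
install_l2tp_server() {
    pool_check "$3" "$4"
    render_ras_plist "$1" "$2" "$3" "$4" > "$RAS_PLIST"
    chown root:wheel "$RAS_PLIST" && chmod 644 "$RAS_PLIST"   # world-readable is fine: no secret inside
    render_launchd_plist > "$LAUNCHD_PLIST"
    chown root:wheel "$LAUNCHD_PLIST" && chmod 644 "$LAUNCHD_PLIST"
    # The secret is read from the terminal so it never enters shell history. -T adds
    # racoon (the IKE daemon) to the item's ACL so it can read it without a prompt;
    # -a must equal the plist's IPSecSharedSecret value.
    printf 'IPsec shared secret: ' >&2; stty -echo; read -r secret; stty echo; echo >&2
    security add-generic-password -a "$SERVER_ID" -s com.apple.net.racoon \
        -T /usr/sbin/racoon -p "$secret" /Library/Keychains/System.keychain
    launchctl load -w "$LAUNCHD_PLIST"
}

# Usage: sudo sh l2tp-setup.sh install 168.126.63.1 8.8.4.4 192.168.0.201 192.168.0.254
if [ "${1:-}" = "install" ]; then
    shift
    install_l2tp_server "$@"
fi
```

Run it on the Mac as sudo sh l2tp-setup.sh install DNS1 DNS2 POOL_START POOL_END. Without the install argument it only defines the functions, so it can be sourced to call pool_check or render_ras_plist on their own before touching the system. The secret still passes through the security command's argument list, so it is briefly visible to ps on the machine; that is the same exposure as the command in the post, minus the copy in shell history.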

Now you should be able to connect to your VPN server. To log in, use the username and password of a local OS X account on the server; since the VPN authenticates against local accounts, every account on that machine is a potential VPN login and needs a strong password. If a connection fails, /var/log/ppp/vpnd.log (the log file configured above, with verbose logging on) is the place to look.
