
How It Works

iVPN uses the built-in VPN capabilities of Mac OS X. The VPN server Mac OS X uses is called vpnd, an open source UNIX application that is very stable. This same application is used in Apple's very own Mac OS X Server. Obviously, Apple have not included the software needed to configure the VPN server in Mac OS X Client because it would give people one less reason to buy Mac OS X Server.

Settings Files

After you click 'ON', iVPN takes all the settings you entered and puts them into the appropriate files. These files are the only change that iVPN makes to your system.

  • All the configuration goes into a file called 'com.apple.RemoteAccessServers.plist'. This file tells how the VPN server should operate. This file is found at /Library/Preferences/SystemConfiguration.
  • Your Usernames and Passwords get put into a file called 'chap-secrets', which is accessed every time someone tries to connect to the server. This file is found at /private/etc/ppp.
  • iVPN will place two files in the /Library/LaunchDaemons folder. These files are read when you start your computer.
  • If you use L2TP IPSec and store the shared secret in the Keychain, iVPN will create a keychain item in the System keychain that is accessed by a UNIX app called 'racoon' that handles IPSec authentication.
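Because 'chap-secrets' holds the usernames and passwords in clear text, it is worth checking it after iVPN has written it. The following Python audit is an added example, not part of iVPN or this page; it assumes the file uses the standard pppd chap-secrets syntax (client, server, secret, addresses), and the 12-character minimum and the sample contents are my own constructed choices.

```python
"""Audit the pppd chap-secrets file that iVPN writes its user accounts into."""
import shlex
import stat

CHAP_SECRETS = "/private/etc/ppp/chap-secrets"  # path given on the help page

# Constructed sample in standard pppd syntax: client  server  secret  address(es).
SAMPLE = """\
# constructed example, not a real iVPN export
alice   *   "correct horse battery staple"   *
bob     *   pass1                            *
*       *   ""                               *
"""

def parse_chap_secrets(text):
    """Parse pppd syntax: whitespace fields, '#' comments, quoted secrets, '*' wildcard."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected client, server and secret")
        client, server, secret = fields[:3]
        entries.append((client, server, secret, fields[3:]))
    return entries

def audit_entries(entries, min_len=12):
    """Flag weak or overly broad entries; min_len is our own chosen threshold."""
    findings, seen = [], set()
    for client, _server, secret, _addrs in entries:
        if secret == "":
            findings.append(f"{client}: empty password")
        elif len(secret) < min_len:
            findings.append(f"{client}: password shorter than {min_len} characters")
        if client == "*":
            findings.append("wildcard client '*' matches any username")
        if client in seen:
            findings.append(f"{client}: duplicate entry")
        seen.add(client)
    return findings

def audit_mode(uid, mode, path=CHAP_SECRETS):
    """Secrets are stored in clear text, so the file should be root-owned and mode 0600."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: accessible to group/other ({stat.filemode(mode)})")
    return findings
```

To audit the live file, run as root and pass `os.stat(CHAP_SECRETS).st_uid` and `.st_mode` to `audit_mode`, and the file's text to `parse_chap_secrets` followed by `audit_entries`.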

General Help

Starting the server

  1. Click on 'Edit Accounts' and add at least one user account; the clients connecting to the server will use these. Click 'Done'.
  2. Enter an IP address range (e.g. From: 192.168.1.100, To: 192.168.1.200). This will determine what IP addresses are given to your clients.
  3. Choose at least one VPN type, PPTP or L2TP IPSec. If you choose L2TP, enter a shared secret and choose whether or not to store it in the keychain (to store it in the keychain, iVPN must be located in the Applications folder on your hard drive).
  4. Leave the other settings as default unless you know of any specific reason for you to change them.
  5. Click 'ON'

Stopping the server

  1. Open iVPN and click 'OFF' - you will be asked for an administrator password.

Starting the server at boot time

You don't need to do anything to make the VPN server start at boot time. Once you turn it on, it will stay on until you turn it off, even across reboots.

Uninstalling iVPN

Use the "Uninstall iVPN..." menu item in the iVPN main menu. If you don't have a copy of iVPN running on your Mac, you can delete the following items manually (if they exist):

  • /Applications/iVPN.app
  • ~/Library/Preferences/com.MacServe.iVPN.plist
  • /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
  • /Library/LaunchDaemons/com.macserve.ppp.l2tp.plist
  • /Library/LaunchDaemons/com.macserve.ppp.pptp.plist
  • /private/etc/ppp/
  • A keychain item called 'com.apple.net.racoon' in the System keychain

Server Settings

VPN Type

Choose at least one VPN type, PPTP or L2TP, to determine which type of VPN server to run. L2TP is typically more secure, so it is the advised choice. However, PPTP is sometimes more compatible with routers, especially when using Windows clients. You may find it useful to run both.

User Accounts

To authenticate your VPN clients, they must connect using a username and password. In iVPN, there are two methods of authentication: using a directory server or using custom accounts. Custom accounts are the easiest to set up, as they do not have to correspond with your computer's user accounts; they are completely separate. All you have to do is add at least one username and password and you're done. You can also import and export custom user accounts, with the choice of encrypting them for security. Using directory authentication is slightly more complicated. First, you must have a directory server already set up, such as Mac OS X Server's Directory Service. Once you have confirmed this, you must join that directory server from the Mac that iVPN is running on, which adds it to the list of available directory servers. You can then use the "Manage Directories" button in iVPN to choose which directories to use for authentication. If you're not exactly sure how to use a directory server for authentication, I would strongly advise you to use custom accounts.

Shared Secret

You have to enter this if you chose to use L2TP IPSec. This secret is simply a password, shared by the server and every client, that IPSec uses to set up the encryption of your connections. Make sure you use something complex but memorable, e.g. Smith1+john2@ivpn.maC. The shared secret can be stored in the keychain (recommended).

IP Address Range

This section allows you to designate a range of IP addresses for your clients. This can be any valid IP range (e.g. 192.168.1.100 to 192.168.1.200). In this case, the first client to connect gets the first available IP address, 192.168.1.100; the next client to connect gets 192.168.1.101, and so on.

Primary and Secondary DNS Servers

Unless you have specific DNS servers you would like to assign to your clients, leave these at their defaults (208.67.222.222, 208.67.220.220). If you have several DNS servers you would like to use, or you would like to provide custom search domains to your connected clients, you can do this in the Advanced DNS panel.

Port Forwarding

To allow clients to connect to your VPN server, certain ports need to be open to the Internet. If you have any sort of firewall, such as a router or a software firewall (including Mac OS X's built-in firewall), you will need to specifically tell the firewall to accept incoming connections on these ports.

For PPTP connections, TCP port 1723 needs to be opened.

For L2TP connections, UDP ports 1701, 4500 and 500 need to be opened.

So, on your router, forward the relevant ports to the IP address of your computer running iVPN. Also, some routers have an option to allow VPN pass-through. If your router has this functionality, make sure you enable the relevant pass-through.

In some cases, you will have to enable the appropriate VPN pass-through on the client-side's router also, otherwise negotiation will fail or hang on the client.

For specific help on forwarding ports on your router, refer to your router's instruction manual.

PPTP Client Settings

Configuring the PPTP VPN Client on Mac

  1. Open 'System Preferences'
  2. Click on 'Network'
  3. Click the '+' button
  4. Choose 'VPN' as the interface
  5. Choose 'PPTP' as the VPN type and name the service whatever you like
  6. Click 'Create'
  7. Enter the 'Server Address' of your computer running iVPN (this is either the public IP or hostname of your remote network)
  8. Enter the username you entered in iVPN in the 'Account Name' field
  9. Choose 'Maximum (128 bit only)' for the Encryption
  10. Click on 'Authentication Settings…'
  11. Make sure 'Password' is chosen and enter the password you entered in iVPN then click 'OK'
  12. Choose whatever options you want in 'Advanced…'
  13. Click 'Apply'
  14. Click 'Connect'

Configuring the PPTP VPN Client on iPhone

  1. From the home screen, tap on 'Settings', then 'General'
  2. Tap on 'VPN'
  3. Tap on 'Add VPN Configuration...'
  4. Choose 'PPTP'
  5. Enter a description for the VPN connection in the 'Description' field
  6. Enter the address of your computer running iVPN in the 'Server' field (this is either the public IP or hostname of your remote network)
  7. Enter the username you entered in iVPN in the 'Account' field
  8. Make sure 'RSA SecurID' is turned 'OFF'
  9. Enter the password you entered in iVPN in the 'Password' field
  10. Choose 'Maximum' for the 'Encryption Level'
  11. Decide if you want to 'Send all traffic' over the VPN connection
  12. Tap 'Save'
  13. Make sure the new configuration has a tick by it
  14. Use the ON/OFF slider to control the VPN connection

Configuring the PPTP VPN Client on Windows XP

  1. Click on 'Start' then 'Control Panel'
  2. Double click on 'Network Connections'
  3. Click on 'Create a new connection'
  4. Click 'Next'
  5. Choose 'Connect to the network at my workplace' then click 'Next'
  6. Choose 'Virtual Private Network connection' then click 'Next'
  7. Choose a name for the connection and click 'Next'
  8. Enter the address of your computer running iVPN then click 'Next'
  9. Choose 'Anyone's use' then click 'Next'
  10. Click 'Finish'
  11. Right click on the connection you just made and choose 'Properties'
  12. In the 'Networking' tab, choose 'PPTP' from the 'Type of VPN' drop down box
  13. Click 'OK'
  14. Double click on the connection you made
  15. Enter the username you entered in iVPN in the 'User name' field
  16. Enter the password you entered in iVPN in the 'Password' field
  17. Choose to save this user name and password
  18. Click 'Connect'

L2TP Client Settings

Configuring the L2TP VPN Client on Mac

  1. Open 'System Preferences'
  2. Click on 'Network'
  3. Click the '+' button
  4. Choose 'VPN' as the interface
  5. Choose 'L2TP over IPSec' as the VPN type and name the service whatever you like
  6. Click 'Create'
  7. Enter the 'Server Address' of your computer running iVPN (this is either the public IP or hostname of your remote network)
  8. Enter the username you entered in iVPN in the 'Account Name' field
  9. Click on 'Authentication Settings…'
  10. Make sure 'Password' is chosen for User Authentication and enter the password you entered in iVPN
  11. Make sure 'Shared secret' is chosen for Machine Authentication and enter the shared secret you entered in iVPN then click 'OK'
  12. Choose whatever options you want in 'Advanced…'
  13. Click 'Apply'
  14. Click 'Connect'

Configuring the L2TP VPN Client on iPhone

  1. From the home screen, tap on 'Settings', then 'General'
  2. Tap on 'VPN'
  3. Tap on 'Add VPN Configuration...'
  4. Choose 'L2TP'
  5. Enter a description for the VPN connection in the 'Description' field
  6. Enter the address of your computer running iVPN in the 'Server' field (this is either the public IP or hostname of your remote network)
  7. Enter the username you entered in iVPN in the 'Account' field
  8. Make sure 'RSA SecurID' is turned 'OFF'
  9. Enter the password you entered in iVPN in the 'Password' field
  10. Enter the shared secret you entered in iVPN in the 'Secret' field
  11. Decide if you want to 'Send All Traffic' over the VPN connection
  12. Tap 'Save'
  13. Make sure the new configuration has a tick by it
  14. Use the ON/OFF slider to control the VPN connection

Configuring the L2TP VPN Client on Windows XP

  1. Click on 'Start' then 'Control Panel'
  2. Double click on 'Network Connections'
  3. Click on 'Create a new connection'
  4. Click 'Next'
  5. Choose 'Connect to the network at my workplace' then click 'Next'
  6. Choose 'Virtual Private Network connection' then click 'Next'
  7. Choose a name for the connection and click 'Next'
  8. Enter the address of your computer running iVPN then click 'Next'
  9. Choose 'Anyone's use' then click 'Next'
  10. Click 'Finish'
  11. Right click on the connection you just made and choose 'Properties'
  12. In the 'Networking' tab, choose 'L2TP IPSec' from the 'Type of VPN' drop down box
  13. In the 'Security' tab, click on 'IPSec Settings…', make sure the 'Use pre-shared key for authentication' is checked and enter the shared secret you entered in iVPN then click 'OK'.
  14. Click 'OK'
  15. Double click on the connection you made
  16. Enter the username you entered in iVPN in the 'User name' field
  17. Enter the password you entered in iVPN in the 'Password' field
  18. Choose to save this user name and password
  19. Click 'Connect'

Troubleshooting

I can't connect

If you cannot connect to the server running iVPN from your client make sure you have done the following:

  • Forwarded TCP port 1723 for PPTP, or UDP ports 4500 and 500 for L2TP IPSec, through any firewalls you may have; this includes Mac OS X's built-in software firewall and any NATs or routers you may have. Please read your router's manual on how to forward ports. Also, some routers have a VPN pass-through feature; if yours does, make sure you enable PPTP or L2TP and IPSec pass-through on both the client-side and server-side routers. To check that the ports are open, search Google for an open port checker.
  • Make sure Back To My Mac is not enabled on your Mac, as this can interfere with IPSec negotiation. You must restart your router after enabling or disabling Back To My Mac to reset any ports that Back To My Mac had automatically forwarded.
  • Check that 'Activity Monitor' lists the process 'vpnd' (and 'racoon' if L2TP IPSec was chosen). To see these processes, the 'Show' menu must be set to 'All Processes'. If they are not listed, email me with your situation.
  • Check that you do not have any other software or hardware that could interfere with the VPN server. Little Snitch is a common cause of network-related problems.
  • Make sure you have entered the settings correctly in your client.

I can't access the remote network's resources

If you can't reach any network resources from the connected client, such as computers, servers, printers, NAS devices or the Internet, check the following:

  • Make sure that the VPN connection on the client is at the top of the network services list. To do this, open System Preferences and go to Network. Then, click on the settings button below the list on the left and choose 'Set Service Order...'. Drag the VPN service to the top of the list and click OK and then Apply.
  • Check that Internet Sharing is not turned on; this can interfere with the NAT provided to VPN clients.
  • Make sure you have entered the IP settings correctly in iVPN.

I can't register iVPN

If you are having trouble registering iVPN, please try to use the online tool to fix your license. You must have a MacServe account for this to be available to you. There are some cases in which invalid serials are being generated. Also, if PayPal's record of your name includes a middle name or any non-standard characters (e.g. Japanese characters or accents), your serial may be invalid. If this is affecting you, the online tool should fix this for you. If you still have problems after using this tool, please contact me and I will issue you with a new serial.