
I'm configuring a Mac as a server with a VPN service. So, I opened the ports listed as used by VPN in Apple documentation:

  • UDP 500 -> 500 (+ESP and AH)
  • UDP 4500 -> 4500
  • Any UDP -> 1701

(I got these settings from the router's wizard for setting up the VPN ports.)

Now, problem number 1: I cannot connect to my VPN. However, if I set a new rule of Any UDP -> Any UDP (so, every connection to my IP), I can successfully connect to the network. For obvious reasons, I don't want to have all ports available.

Problem number 2: Even though I can connect to the VPN with the Any UDP -> Any UDP rule, OS X Server says "Reachability unknown". But if I set up a rule Any TCP -> Any TCP, then it properly says that the VPN is reachable. For obvious reasons, I don't want to have this rule either.

So, my question is: what ports or configuration am I missing?

For what it's worth: I'm using a Hitron BVW3653 (provided by my ISP).

UPDATE

I now set up the port forwarding to:

  • UDP 500 -> 500 (+ESP and AH)
  • UDP 4500 -> 4500
  • UDP 1701 -> 1701

But the issue remains. As a side note, I can connect to the VPN if I'm in my local network, so the server setup seems to be correct; it is just the port forwarding that is not working. Here's the current configuration I have so far (the server has the static IP 192.168.1.200):

[Image: Port forwarding]

Miguel Ribeiro

1 Answer

First off, what VPN protocol are you using? OS X Server offers both L2TP (over IPsec) and PPTP, which use different ports.

For L2TP you need ports 500 (UDP), 1701 (UDP), and 4500 (UDP). Forward these ports to the same ports internally. For PPTP, it would be ports 500, 1723 (TCP), and 4500, also forward the same internally. I don't know where it said to forward any UDP port to 1701, so I'm pretty sure that's your issue. Make sure all your forwarding matches both internally and externally, unless it is necessary for some reason (such as using Apache on port 8080).

Do the VPN logs show anything regarding any connections at all when you are only forwarding the three/four necessary ports? OS X Server's "Reachability" function is not always accurate, so do take it with a grain of salt.

Felix Jen
  • I'm using L2TP, as the title says. Maybe it goes a bit unnoticed. I followed your suggestion and defined those ports to be mapped to the same incoming port, but with no success. The logs do not say anything, unless I connect to the VPN while in my local network; would these help? I'll update my question, please check the UPDATE section. – Miguel Ribeiro Dec 29 '15 at 10:22
  • Is there any way you could try it out with a different router, as this seems to be a router issue, as opposed to a server issue? Can you try other OS X Server services such as Web (forward 80) and see if those work? – Felix Jen Dec 29 '15 at 23:55
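The following is an added example, not code from the question, the answer, or Apple/Hitron: a small checker that compares a router's port-forwarding table with the L2TP/IPsec port set the answer lists (UDP 500, UDP 4500 and UDP 1701 forwarded to the same port internally, plus ESP/AH passthrough). It follows the answer's reasoning in treating an "Any UDP -> 1701" rule as not satisfying the 1701 mapping and flags "Any -> Any" rules as overly broad. The `ForwardRule` structure and the three sample rule sets (the wizard's original rules, the updated rules from the UPDATE section, and the open-all-UDP rule) are constructed for illustration; no router exposes its table in this form.

```python
# Added example (not from the thread): check a port-forwarding table against
# the L2TP/IPsec port set. Data structures and sample rules are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ForwardRule:
    proto: str                 # "udp", "tcp", or the passthrough protocols "esp"/"ah"
    ext_port: Optional[int]    # external (WAN) port; None means "Any"
    int_port: Optional[int]    # internal (LAN) port; None means "Any" (same port)


# Ports an L2TP/IPsec server must receive, forwarded to the same port internally.
L2TP_REQUIRED = {("udp", 500), ("udp", 4500), ("udp", 1701)}
# IP protocols (not ports) that must be passed through to the server.
L2TP_PASSTHROUGH = {"esp", "ah"}


def check_rules(rules: List[ForwardRule]) -> Dict[str, list]:
    """Classify each rule and report what the L2TP set still lacks.

    "broad"              rules with an "Any" external port: Any -> Any exposes
                         every port, Any -> 1701 does not pin the external port;
                         neither is counted as covering a required mapping.
    "mismatched"         external and internal ports differ (the answer advises
                         matching them unless there is a specific reason).
    "missing"            required (proto, port) pairs no well-formed rule covers.
    "missing_passthrough" ESP/AH passthrough not enabled.
    """
    report: Dict[str, list] = {
        "missing": [], "broad": [], "mismatched": [], "missing_passthrough": []
    }
    covered = set()
    passthrough_seen = set()

    for rule in rules:
        proto = rule.proto.lower()
        if proto in L2TP_PASSTHROUGH:
            passthrough_seen.add(proto)
        elif rule.ext_port is None:
            report["broad"].append(rule)
        elif rule.int_port is not None and rule.int_port != rule.ext_port:
            report["mismatched"].append(rule)
        else:
            covered.add((proto, rule.ext_port))

    report["missing"] = sorted(L2TP_REQUIRED - covered)
    report["missing_passthrough"] = sorted(L2TP_PASSTHROUGH - passthrough_seen)
    return report


def is_l2tp_ready(rules: List[ForwardRule]) -> bool:
    """True only when every required mapping is present and nothing is flagged."""
    report = check_rules(rules)
    return not any(report[key] for key in report)


# Constructed from the thread: the wizard's original rules, the updated rules,
# and the "open every UDP port" rule the asker did not want to keep.
WIZARD_RULES = [
    ForwardRule("udp", 500, 500), ForwardRule("esp", None, None),
    ForwardRule("ah", None, None), ForwardRule("udp", 4500, 4500),
    ForwardRule("udp", None, 1701),
]
UPDATED_RULES = [
    ForwardRule("udp", 500, 500), ForwardRule("esp", None, None),
    ForwardRule("ah", None, None), ForwardRule("udp", 4500, 4500),
    ForwardRule("udp", 1701, 1701),
]
OPEN_ALL_UDP = [ForwardRule("udp", None, None)]

if __name__ == "__main__":
    for name, rules in [("wizard", WIZARD_RULES), ("updated", UPDATED_RULES),
                        ("open", OPEN_ALL_UDP)]:
        state = "ready" if is_l2tp_ready(rules) else "not ready"
        print(f"{name}: {state} {check_rules(rules)}")
```

Run against the wizard's rules the checker reports the missing 1701 -> 1701 mapping and flags the Any -> 1701 rule, which is the point the answer makes; the updated rule set passes cleanly, which is consistent with the later comment that the remaining failure looks like a router problem rather than a missing rule. The open-all-UDP rule is flagged as broad and still leaves every required mapping uncovered, since an unpinned external port is not the same as the specific forwarding the server needs.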