Posted on 5 Comments

IceFloor Configuration for OS X Server VPN

One of the most important and most requested service for our clients has been secure remote access to their office or server. With more and more contractors and employees working remotely VPN has become a staple service of OS X Server. The alternative to VPN is far quicker and easier solution of opening up access into your office network by poking holes in your firewall or router. The quicker and easier path comes at the price of security not something worth compromising. Unfortunately many small business owners take their chances because they never had reason for concern before, or they feel that larger companies are the focus not the small ones. They couldn’t be more wrong as hackers simply exploit weakness, and they have more recently focused more to attacking small businesses because it’s easier. In fact PC World and Entrepreneur Magazines both have articles out explaining the shift in focus. Before diving into VPN setup let’s first review what should be done.

In order to help protect you and your business online Start On Technology recommends the follow:

  1. Ensure you are using a hardware firewall to protect your network on your router. For those unsure, looking for an extra layer, or interested in this tutorial should install Ice Floor a software firewall for free on their Mac. Please remember this tool is from a donation funded project, so please do as we have and donate to ensure it will stay available for everyone.
  2. Use two factor authentication when possible. An example is for users of Google Apps downloading the Google Authenticator app on their device and enabling two factor authentication to their Google Account. This can prevent unauthorized access by requiring a secondary code or pin to gain access just like the PIN on your debit card.
  3. Don’t use the same password for everything and consider using a password generator and storage solution to make this easier to manage. Changing passwords often places the odds back in your favor at the very least.
  4. Be aware of odd emails alerting you to login to your account. Make sure the address bar makes sense to the company contacting you. It’s very easy for anyone to replicate a site and capture your username and password by using misdirection.
  5. Be aware what information is being put in the cloud or on your devices and the level of security provided. Features such as passcodes, remote wipe, and encryption can help reduce the risk of theft.
  6. Contact us for a full network evaluation and explanation of your current setup.

Using Haynet’s IceFloor v2.0.1 software helps us manage the software firewalls on a server that helps prevents unauthorized access and allows VPN on OS X Server to work in many different environments by using NAT. In this example we will setup the server in a colocation environment or data center hosted with our friends at a typical situation where you would want to manage remote access and setup a VPN.

  1. Create a VLAN in the Network pane of System Preferences ( > System Preferences > Network) by clicking on the gear next to the plus and minus symbols and selecting “Manage Virtual Interfaces…” then + add a New VLAN. Give it a name, ID, and make sure the interface is Ethernet.
  2. Go to your newly created VLAN and select manual IPv4 Configuration then assign an IP address, subnet, and Router (same as IP address). See graphic below and make sure to click Apply to save. vlan
  3. Launch IceFloor 2.0.1 and navigate to the NAT section. Select to share your Internet connection from your WAN port (i.e. Ethernet en0) to computers using the VLAN (vlan0). Also check the Redirect DNS box as shown below. NAT_IceFloor
  4. Now you can set up your VPN service. Be sure to set up your client addresses to match your new VLAN. In this example we would set the VPN to start at and add as many addresses as we need. Then move to DNS settings and make sure your machine’s IP is one of the DNS servers. Be sure to set your host name and type then you are all set to switch the service on. vpn-settings-os-x-server

Now you should be able to set up clients to use your VPN service to your colocated or office Mac Mini. Of course you will need adjust your firewall to allow the VPN traffic into the network from the outside. Otherwise have smooth secure surfing my friend and give us a ring or shoot us an email if you need our services in setting up this IceFloor configuration for OS X Server VPN.

5 thoughts on “IceFloor Configuration for OS X Server VPN

  1. This solution is under investigation since the last security update the procedure has stopped fully functioning. We will update the article once we have more information.

  2. Version 2.0.1 has been publically released and fixes the issue under investigation. I updated the article to reflect the new version. Be sure to activate the new NAT setting to share VPN connections.

  3. IceFloor is not compatible with Yosemite. A new version is in the works.

  4. I have a Mac mini with Server 3.2.2 and dual Ethernet (1x Thunderbolt adaptor plus Built-in). The former is the WAN, latter is the LAN. IceFloor is doing a great job at blocking traffic on the WAN port but I wanted to be able to use a VPN to then see all the server services (AFP/SMB specifically). When I follow these steps the VPN connects but the client gets no subnet and the gateway is the same as their IP and they cannot connect to the server for filesharing. Any ideas? I tried deleting the VPN plist (within /Library/Server…) and re-entering details, and have tried turning off IceFloor to test, no difference. I’ve also added a VLAN to the LAN/Built-in Ethernet as this is DHCP so needed a static IP on the same range as the VPN range (VPN does not complain about the IP since doing this). Reboots have also not worked.

  5. Steve, thanks for the post. Yes, it could also be blocking traffic between VPN and local services too. We do offer remote support services to assist you with your setup and have been able to help others in the past with IceFloor. Otherwise it’s really hard to say what the issue could be without working with you on the setup.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × one =

This site uses Akismet to reduce spam. Learn how your comment data is processed.