Hey kids — here's fun.

Say — purely for the sake of argument, you understand — that you'd set up a couple of OS X v10.7 servers for a client, and had configured VPN via the Server.app (very simple, neat, alarmingly sparse in detail), and then discovered that a hitherto unknown device on the network had seized the static address you'd assigned to the server.

Were this to happen, it would be time to reach into the bag o' DNS tricks and break out "sudo changeip" to switch the server's static IP from the now-conflicting IP (192.168.0.254) to the new and improved IP (192.168.0.250). All pretty straightforward, and everything would seem to be perfectly happy with this new state of affairs. All would be right with the world, the sun would shine, and small bluebirds would alight upon your shoulder to pipe their miniature, joyous odes to your firm jaw and carefree brow. No? No.

The beauty of having VPN service snagged by Server.app is that it makes it terribly simple to set up VPN. And the curse of having VPN service snagged by Server.app is the same thing, but with an emphasis on "terrible" and "simple". Other than a spot to plug in a shared secret and a giant on/off switch, there's not a hell of a lot else there to help you out with fine tuning — unlike Snow Leopard Server which, by comparison, gave you a lot more to think about. What to do?

Well, for starters, I'd recommend using the serveradmin command line tool to take a look at what's going on. Thankfully, the serveradmin tool still maintains control of a huge swathe of what your server is actually boiling away on under the GUI, so plugging in this:

sudo serveradmin settings vpn

…returns this:

vpn:vpnHost = ""
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "mysteryclientname.net"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.0.254"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:EAP:KerberosServicePrincipalName = "vpn/server1.mysteryclientname.net@server1.mysteryclientname.net"
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.0.224"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "mysteryclientname.net"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.0.254"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/server1.mysterclientname.net@server1.mysteryclientname.net""
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.0.201"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.0.240"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "pencil123"
server1:~ ladmin$


Whoa. Trawling through this reveals a couple of interesting things. Firstly, the IPSec shared secret (IPSecSharedSecretValue) is stored unencrypted, in plain text, which seems like a bit of a security grey area to me, but hey, what do I know? Secondly, the DNS settings for both L2TP and PPTP are set to

DNS:OfferedServerAddresses:_array_index:0 = "192.168.0.254"

Aha. With that in hand, you'd roll up your sleeves and screw your thinking cap firmly into place, then go hunting for the config plist for the VPN service. To save you time, I'll tell you where it is. Aren't I nice? It's at:

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

Editing it with superuser (sudo) permissions, all you have to do is scroll through and replace the old, broken DNS settings with the new and improved ones.

Old and busted:

<key>DNS</key>
<dict>
        <key>OfferedSearchDomains</key>
        <array>
                <string>mysteryclientname.net</string>
        </array>
        <key>OfferedServerAddresses</key>
        <array>
                <string>192.168.0.254</string>
                <string>192.168.0.254</string>
        </array>
</dict>

New hotness:

<key>DNS</key>
<dict>
        <key>OfferedSearchDomains</key>
        <array>
                <string>mysteryclientname.net</string>
        </array>
        <key>OfferedServerAddresses</key>
        <array>
                <string>192.168.0.250</string>
                <string>192.168.0.251</string>
        </array>
</dict>


Once you've saved the file out, simply stop and start the VPN service, and the new DNS info should be handed out to VPN clients the next time they connect. In the examples above, I've included 192.168.0.251, which is the secondary DNS we set up.
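As an added example (not code from the post or its comments), here is a small Python helper for the last step: it parses the `serveradmin settings vpn` listing format shown above, reports every key still carrying the old server address after the changeip, and builds the assignment lines you would feed to `sudo serveradmin settings` on stdin to point both the L2TP and PPTP servers' DNS at the new primary and secondary. The sample listing is constructed from a handful of the lines above; the secondary 192.168.0.251 is the one mentioned in the post.

```python
import re

# Constructed sample of `sudo serveradmin settings vpn` output, cut down to
# the lines that matter here (the real listing runs to about 80 lines).
SAMPLE_OUTPUT = """\
vpn:vpnHost = ""
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.0.254"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.0.254"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "192.168.0.254"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "pencil123"
server1:~ ladmin$
"""

# One setting per line, "<key path> = <value>"; the shell prompt is ignored.
LINE_RE = re.compile(r"^(?P<key>vpn:[^\s=]+) = (?P<value>.*)$")


def parse_settings(text: str) -> dict[str, str]:
    """Map each serveradmin key path to its raw (still quoted) value."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def find_references(settings: dict[str, str], address: str) -> list[str]:
    """Every key whose string value is exactly `address`: after changeip,
    these are the places the old server IP may still be lurking."""
    quoted = f'"{address}"'
    return sorted(k for k, v in settings.items() if v == quoted)


def dns_replacement_lines(settings: dict[str, str], old: str,
                          primary: str, secondary: str) -> list[str]:
    """Lines to feed to `sudo serveradmin settings` on stdin so each VPN
    server's OfferedServerAddresses becomes [primary, secondary]. Other hits
    (e.g. DestAddressRanges) are reported but left for a human to judge."""
    lines = []
    for key in find_references(settings, old):
        if ":DNS:OfferedServerAddresses:_array_index:" not in key:
            continue
        idx = int(key.rsplit(":", 1)[1])
        lines.append(f'{key} = "{primary if idx == 0 else secondary}"')
    return lines
```

Because the listing echoes IPSecSharedSecretValue and the RADIUS shared secrets, redact those lines before pasting the output into a ticket or forum post.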

4 Responses to Changing VPN DNS in Lion Server

  1. FYI, there's a thread at the Apple Discussion forums on this topic, which points out a way to use the serveradmin tool to change those config settings directly, instead of having to edit the plist:


    sudo serveradmin settings
    vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "172.28.1.101"
    vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "172.28.1.101"
    [ctrl+d]

  2. michael lim says:

    Hi!
    I have a big problem since I'm not really a techy guy. I would like to set up my VPN. I have the Server Admin tool and Server app uploaded. Can you help me set up all of these? A simple step-by-step tutorial would be great. I have come across a lot of tutorials already but I got stuck one way or another, especially entering my password in the TERMINAL, and I can't find a VPN service in my Server Admin. Please help me…

    • Dave says:

      If you're not a big techy guy, that's perfectly fine. Working with VPN on Lion server is an uphill climb for everyone, so if you'd prefer to keep your sanity and you don't feel comfortable with the Terminal, I'd suggest skipping the whole miserable experience and using a VPN server app like iVPN instead.

      iVPN is actually really simple and nice and does it all for you. I haven't worked with it much, but Seth rates it highly (and will probably be writing a more in-depth article about it soon).

      Good luck!
