Configure solely as VPN server? (Mac clients)



  • Since Mac OS X Server has been gutted, I want to use pfSense to replace the Apple OS X Server VPN service. And for now, that's -all- I want to do*. How do I configure (from scratch) a Netgate box running pfSense to do this? And then what do I need to do on the Mac client side?

    I'm presuming that I have to (a) connect the NetGate/pfSense appliance standalone to a computer, set the computer's IP to 192.168.1.2, and then I can talk to pfSense. Next, I presume I'll need to configure pfSense (using the web interface) to sit on my LAN (with the appropriate LAN IP Address) ad plug it into the LAN. I'll configure the router/firewall (currently Apple Airport) to send the VPN packets from the WAN to the NetGate/pfSense device, and from there pfSense will put the packets back onto my LAN (with access to my local services, etc.)

    Am I missing anything conceptually? Has someone done this already?

    • I'll tackle the rest of the stuff later.

  • LAYER 8 Netgate

    You would need to configure a pfSense server inside your network with just a WAN interface.

    Whatever is handling your edge networking would need to forward ports UDP/500, UDP/4500, and protocol ESP to that inside host.

    Then you would set up an IKEv2 remote access IPsec server something like this:

    https://docs.netgate.com/pfsense/en/latest/book/ipsec/mobile-ipsec-example-ikev2.html



  • @Derelict , thanks!

    Just the WAN interface, though? Physically plug the WAN port into my LAN, then the packets go from the firewall to the pfSense on WAN port, and back out to the rest of the network on that same port?


  • LAYER 8 Netgate

    Yeah. pfSense can accept IPsec connections on its "WAN".

    When a connected client connects across the tunnel, that connection will logically come into a separate interface on pfSense (IPsec or enc0) and from there it will be routed out its WAN port to the rest of your network.

    No need for two interfaces. it will look like this after the client is connected:

    IPsec client <-> pfSense <-> your LAN (pfSense WAN)

    You can call the interface LAN if you want. Just know that the first interface on a pfSense instance is treated as wan.


  • LAYER 8 Netgate

    So there are two distinct things happening:

    1. Getting the IPsec connections from the remote clients to the IPsec server
    2. The connections they make to your private network after they are connected.

    They are logically completely different things.



  • @Derelict Yeah, I have that much understanding :-) On my OS X Server (Mac Mini), which I think is a pretty conventional VPN setup, there's a single ethernet port. I don't know how things got broken, but that VPN stopped working a couple months ago, about the same time as a Server update that started to break other stuff. That's when I decided to look for alternatives, and stop spending time on the Server instance that broke. Other stuff is still working, so the imperative to replace the other services (either on the Mini running Server or on my Airport router) isn't quite there -yet-.


  • LAYER 8 Netgate

    I, too, am replacing a Mac mini running server because it is essentially useless now - and the second "raid" drive finally failed. :(

    But I did not run their VPN service since I just connect to pfSense on the edge.

    I mainly have to replace LDAP/RADIUS. First choice is FreeIPA. Have FreeNAS authenticating to it now for Time Machine backups. Seems to be working.


  • LAYER 8 Netgate

    Another note: Apple devices behave completely differently when configured manually or via a profile. You might have better luck using a generated profile.


Log in to reply