Lion Server and VPN – Episode 3

Return of the Jedi PPTP!

February 1st 2012. The day PPTP graced the GUI for the first time.

For those who have no idea what I’m on about (which is most people generally) this blog post is a hark back to my Lion: 6 Months on and Lion Server and VPN  posts.

Almost as if by magic, on the 1st of February Apple released the 10.7.3 combo update for both Server and Client. Included in both are a number of updates but I want to concentrate on Lion Server and the VPN updates.



However, one unclear, yet necessary step is to enable your Lion Server as an Open Directory Server “Lion Server: Configuring and enabling PPTP”.  As a general rule of thumb, I do not like to enable and use a directory service unless required as you can’t get a more stable user database then standalone local accounts!

So just a word of advice: Make sure you back up, and do so regularly!


To test out the updated VPN server I created ten test users. Five were created in the Open Directory (via Workgroup Manager) and were called ‘PPTP1’ through to ‘PPTP5’. The remaining five were created in the local directory (again, using Workgroup Manager) and were called ‘L2TP1’ though to ‘L2TP5’. These were then allocated out to the Amsys best and brightest to test.


Overall, both L2TP and PPTP seem to be back to their more robust Snow Leopard incarnation. Both protocols accept connections and created the required tunnels without failures. Additionally, these tunnels seem to be very stable. Well, as stable as you can get running tunnels over the Internet.

However a strange…’feature’… was found. The L2TP users, created in the local directory, would fail with an authentication error. Upon further investigation by the Amsys team, the PPTP users worked fine on both protocols, not just PPTP. It would seem that to run a PPTP and L2TP VPN service; all users must be Open Directory users. Not a deal breaker, but certainly good to know.


It seems Apple Server VPN is back and working as well as ever (despite a change in requirements). We have now taken the steps of reintroducing Lion Server as a viable SOHO VPN solution with our clients.

And now, over to you guys! Have you tired Lion Server 10.7.3? Any successes? Any problems?
Would you like a more step-by-step guide on how we set it up?
As always, let us know in the comments.


Apple Lion Server

Apple Lion Server download

Apple Lion Server 10.7.3 Combo download

About the Lion Server 10.7.3 update

Apple Knowledge Base article HT4748: Lion Server: Configuring and enabling PPTP

Looking for Server Support? Why not check out our Server Support Service.

5 Replies to "Lion Server and VPN – Episode 3"

  • Nick

    Its a start, but OD should not be required in my opinion. They need to amend that.

  • Hi Nick, Thanks for the comment.

    I 100 % agree with you. You never know, Apple seems to be added (read as ‘restoring’) features as they go so I’d keep an eye on the OS updates.


  • agentx

    Overall since 10.7.3 things have been good with VPN server less authentication errors/drops etc but still get process spikes now and again. Have to stop/restart VPN which I have scripted daily now.

    I only use L2TP/IPSec no PPTP think this is the way to go.
    Have 5 sites which use it and have had up to 25 clients connected without issues apart from the woeful upload in UK !

    I would also point to this knowledge base as I have had to correct the pwpolicy with a couple of my deployments to get everything working with new OD users.

  • agentx

    Has anyone tried adding a local user (Non OD) to the VPN ACL group ( GID 502. I only have OD setups so not able to test.

  • Thanks again for the comments.

    Personally, I’ve only had to use the pwpolicy command once as we try not to use ODMs over local databases!

    I’ve found L2TP is better then previous, but with real world testing PPTP seems to be back to be pretty reliable.

    You never know, this may improve again with 10.7.4…..if not Mountain Lion is only a year away!


Leave a Reply

Your email address will not be published. Required fields are marked *

I accept the Privacy Policy * for Click to select the duration you give consent until.