VPN server for LAN?

Rather than renew my VPN service, I’d like to run a server that would let me connect to my LAN from wherever.
Seems like that would give me enough security.
How can I do it?

There are a few options.

The cheapest and simplest is that you can enable SSH-based logins on one of your computers (e.g. a Mac or Linux box) and configure your LAN router’s port forwarding to direct one port (doesn’t have to be the SSH-default) to it. Then when you’re away from home, you just use SSH to connect to that computer and from there go access what you want on your LAN.

Without any special configuration, this will give you shell/terminal access, file transfer (via the scp and sftp commands) and the ability to tunnel X11 GUI sessions. I think you can set up screen sharing over SSH as well, although I’ve never tried it.

See also Allow a remote computer to access your Mac - Apple Support

I did this on my own LAN for several years. The upside is that it’s free and easy to set up. The downside is that it can be awkward if you want more complicated access (e.g. direct access to every device on your LAN, file sharing, etc.). Additionally, if you don’t have a static IP address from your ISP, you’ll need a way to know the correct address for connection (e.g. a dynamic DNS service).


Another popular option is to use a remote access service.

Once upon a time, Apple had their “Back To My Mac” service, but they have since discontinued it. I did find an article (from 2019) discussing alternatives: How to replace Back to My Mac now that Apple has killed it | Computerworld

There are a variety of commercial offerings listed in the article that you may want to consider.


Use open source VPN server software. One popular one is OpenVPN. OpenVPN is a commercial package based on open source software. You can use the commercial server (free for up to two simultaneous client connections) or you can install the open source code yourself.

Here’s an article about setting up an OpenVPN server on a Raspberry Pi, which is probably sufficient unless you plan on hammering the connection with a lot of network traffic.


In the past, you could have used the Apple Mac OS Server app to set up and configure a VPN server, but that capability was removed several years ago (in High Sierra), which means you can only do this if you have an older Mac running macOS Sierra or older. I strongly recommend you do not do this because older versions of macOS have known security vulnerabilities, which is completely unacceptable on a computer that is going to be running Internet-accessible server software.

3 Likes
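Before forwarding a router port to an SSH box as the reply above suggests, it is worth checking what that sshd will actually accept from the Internet. The following is an added example, not code from the thread: it audits an sshd_config against a short list of assumed hardened values (key-only logins, no root login, lower MaxAuthTries), honouring sshd’s rule that the first occurrence of a keyword wins and falling back to the stock default when a keyword is absent. The two config files are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config before exposing
# the port through the router. Keyword:expected:default_when_absent.
# The "expected" values are this example's assumptions; defaults are stock
# OpenSSH. Match blocks and Include directives are not handled here.
CHECKS="PasswordAuthentication:no:yes
PermitRootLogin:no:prohibit-password
PubkeyAuthentication:yes:yes
KbdInteractiveAuthentication:no:yes
PermitEmptyPasswords:no:no
MaxAuthTries:3:6"

# effective_value FILE KEYWORD -> first uncommented value (sshd uses the
# first occurrence), lowercased; prints nothing if the keyword is absent.
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE -> one line per check: "KEYWORD have want STATUS"
audit_sshd_config() {
  echo "$CHECKS" | while IFS=: read -r key want dflt; do
    have=$(effective_value "$1" "$key")
    [ -n "$have" ] || have=$dflt          # absent keyword: default applies
    if [ "$have" = "$want" ]; then status=OK; else status=WEAK; fi
    echo "$key $have $want $status"
  done
}

# weak_count FILE -> number of WEAK findings (prints 0 when clean)
weak_count() { audit_sshd_config "$1" | grep -c WEAK || true; }

# Constructed sample configs for demonstration, not a real server's files.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# Stock-looking file: most keywords commented out, so defaults apply
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
  echo "== $f: $(weak_count "$f") weak setting(s)"; audit_sshd_config "$f"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; the stock-looking sample reports four weak settings, the hardened one none.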

Works perfectly. Used to do it all the time. Just forward the VNC port through an SSH tunnel, e.g.

ssh -L 5901:remoteMac.com:5900 userName@remoteMac.com

If you then open Screen Sharing (or your favorite VNC client) and connect to localhost:5901 you’ll be connected to the remote Mac’s screen sharing.

More elegant is through ~/.ssh/config with something like

Host remoteMac
User userName
Hostname remoteMac.com
LocalForward 5901 remoteMac.com:5900

From then on just do a

ssh remoteMac

and you’ll have opened the ssh tunnel for VNC to the remote Mac.

Works very well and once set up it’s super simple. The only issue is if you have frequently changing IP addresses. In that case, it would probably make sense to purchase a DNS forwarding service. Those used to go for a few bucks a month. Run the forwarding daemon on the remote Mac so that you’ll always be able to call it by a host name, regardless of what its current IP address is.

1 Like

Thank you, this is tremendously valuable to me.
Dave

I have a dyndns account grandfathered free for life I think, but I haven’t used it since moving to my retirement home.
I don’t know if my new IP address actually changes in my new setup (AT&T U-verse fiber) but I can start noticing.

I recently added a Raspberry Pi 4 to my network to run an OctoPi server for a 3D printer, with some flavor of Linux. Someone suggested such a machine would make a good VPN server too.

I am grateful for your replies.

@dbg
The way I do it is to have my own broadband router rather than the castrated products given ‘free’ by Internet providers. It has a built-in VPN server which supports L2TP, which is still supported natively by Apple’s own built-in VPN client.

I then also have the router set up to use a Dynamic DNS address so I can access the VPN using a domain name. This is because the majority of Internet providers do not give you the option of static IP addresses.

Finally, I set the DHCP server in the router to ‘remember’ and allocate the same internal IP address to each device, each time. This means that remotely via the VPN I can be confident that say 192.168.1.12 is the same specific device on my home network each time.

(On a totally different topic, by using my own router I have also been able to set up an IPv6 tunnel for my entire home network as, sadly, again the majority of Internet providers still do not offer IPv6 connectivity. I use a free Hurricane Electric tunnel for this.)

I use a Draytek 2860 router currently connected to a VDSL ‘Fibre to the Cabinet’ connection. However, it can also be used with cable modems, ordinary ADSL, USB 4G dongles or to route from another Ethernet device, e.g. a cable modem.

I specifically chose a model that does not have WiFi built-in so I can also use dedicated WiFi access points and upgrade/replace those as desired without affecting the router. The WiFi is bridged to the home Ethernet.

Linux fans might choose instead to run a software VPN server, e.g. pfSense or strongSwan, but would have to set up port forwarding from the basic ISP-provided router to the Linux server. This could be run as a virtual machine on a Mac. (Even the castrated routers given free do port forwarding.)