Apparently a few weeks ago my home VPN stopped accepting incoming connections. I discovered this last week when I was on vacation and tried to remote into my home network, only to discover that it would not work.
I was understandably confused because I hadn’t changed my configurations at all. And having something like this break is a bit scary, precisely because it is so difficult to get a router set up and configured just the way you want it.
Anyway, when I got home, I decided to begin troubleshooting.
One thing I noticed was that UPnP was mapping ports 4500 and 4501 to computers on my network. But why? I ignored this for a bit and played around with uninstalling and reinstalling openswan (an IPSec implementation). Oddly, it worked after I reinstalled it, but stopped working a few minutes afterwards.
This led me back to try and figure out what was going on with those ports. I eventually figured out with an IP scanner (AngryIP) that the machines mapping the ports were my Macs. That nailed it down. I discovered that port 4500, used by IPSec, was getting remapped via UPnP for the Back to My Mac service. I care more about my VPN than I do that feature, so I blocked that port from being remappable on the UPnP side.
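The check that would have shortened this hunt is to list the router's UPnP mappings and flag any that redirect the ports an IPsec responder needs (UDP 500 and 4500) to a host other than the VPN server. The script below is an added example, not from the original post; it assumes the one-mapping-per-line listing format printed by `upnpc -l` (miniupnpc), and the sample listing and addresses in it are constructed, not captured from a real router.

```python
"""Flag UPnP port mappings that collide with the ports an IPsec VPN needs.

Added example (not from the original post). Assumed input format, per line,
as printed by `upnpc -l`:
  <idx> <proto> <extPort>-><internalHost>:<intPort> '<desc>' '<remoteHost>' <lease>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# UDP ports an IKE/IPsec responder must own on the public side:
# 500 for IKE, 4500 for NAT traversal (the one Back to My Mac grabbed).
IPSEC_PORTS = {("UDP", 500), ("UDP", 4500)}

MAPPING_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>[\d.]+):(?P<internal>\d+)\s+'(?P<desc>[^']*)'\s+"
    r"'(?P<remote>[^']*)'\s+(?P<lease>\d+)"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    host: str
    int_port: int
    desc: str


def parse_mappings(listing: str) -> list[Mapping]:
    """Parse upnpc-style listing text; lines that do not match are ignored."""
    found = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            found.append(Mapping(m["proto"], int(m["ext"]), m["host"],
                                 int(m["internal"]), m["desc"]))
    return found


def find_conflicts(mappings: list[Mapping], vpn_host: str,
                   reserved=IPSEC_PORTS) -> list[Mapping]:
    """Return mappings that steer a reserved VPN port to a host other than the VPN server."""
    return [m for m in mappings
            if (m.proto, m.ext_port) in reserved and m.host != vpn_host]


def report(mappings: list[Mapping], vpn_host: str) -> list[str]:
    """Human-readable lines describing each conflict (empty list means none)."""
    return [f"{m.proto} {m.ext_port} is mapped to {m.host}:{m.int_port} "
            f"('{m.desc}'), not to the VPN host {vpn_host}"
            for m in find_conflicts(mappings, vpn_host)]


# Constructed sample listing: two Macs grabbing 4500/4501 plus an unrelated mapping.
SAMPLE_LISTING = """\
 0 UDP  4500->192.168.1.23:4500 'Back to My Mac' '' 0
 1 UDP  4501->192.168.1.24:4500 'Back to My Mac' '' 0
 2 TCP 32400->192.168.1.50:32400 'Media Server' '' 0
"""

# Constructed address of the openswan box, which is port-forwarded statically.
VPN_HOST = "192.168.1.2"

if __name__ == "__main__":
    for line in report(parse_mappings(SAMPLE_LISTING), VPN_HOST) or ["no conflicts"]:
        print(line)
```

To run it against a real router, replace `SAMPLE_LISTING` with the captured output of `upnpc -l` (or feed it via stdin) and set `VPN_HOST` to the VPN server's LAN address; the second Mac's 4501 mapping is not flagged because only the external port matters to inbound IKE traffic.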
I guess Apple isn’t exactly worrying about this sort of scenario for most users, but I think it’s a bit presumptuous to lock down that port when it has a very common alternate usage.