VPN stands for Virtual Private Network. VPN technology relies on a client and a server to establish a secure connection across the network. The VPN server manages and provides connectivity to remote and/or local VPN clients, and may use one or more protocols such as IPsec (Internet Protocol Security), L2TP (Layer 2 Tunneling Protocol) or PPTP (Point-to-Point Tunneling Protocol). A VPN client is installed on your device to establish the connection between it and the VPN server; popular platforms including Microsoft Windows, macOS, iOS and Android already come with a built-in VPN client.

Below is a guide you can use to set up a VPN server on macOS. It has been tested on the following macOS versions:

  • Version 10.13 High Sierra
  • Version 10.14 Mojave
  • Version 10.15 Catalina

Below are the steps to enable the L2TP and PPTP VPN services.

  1. Create the configuration file
sudo vi /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
  2. Enter the following configuration in /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>ActiveServers</key>
        <!-- Only servers listed here are started; com.apple.ppp.pptp is defined below but stays inactive unless it is added to this array. -->
        <array>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>Servers</key>
        <dict>
            <key>com.apple.ppp.l2tp</key>
            <dict>
                <key>DNS</key>
                <dict>
                    <key>OfferedSearchDomains</key>
                    <array />
                    <key>OfferedServerAddresses</key>
                    <array>
                        <string>1.1.1.1</string>
                        <string>192.168.1.1</string>
                    </array>
                </dict>
                <key>IPv4</key>
                <dict>
                    <key>ConfigMethod</key>
                    <string>Manual</string>
                    <key>DestAddressRanges</key>
                    <array>
                        <string>192.168.1.25</string>
                        <string>192.168.1.30</string>
                    </array>
                </dict>
                <key>Interface</key>
                <dict>
                    <key>SubType</key>
                    <string>L2TP</string>
                    <key>Type</key>
                    <string>PPP</string>
                </dict>
                <key>L2TP</key>
                <dict>
                    <!-- With Keychain encryption this string is the keychain account name the secret is stored under (see the security add-generic-password step), not the secret itself. -->
                    <key>IPSecSharedSecret</key>
                    <string>com.apple.ppp.l2tp</string>
                    <key>IPSecSharedSecretEncryption</key>
                    <string>Keychain</string>
                    <key>Transport</key>
                    <string>IPSec</string>
                </dict>
                <key>PPP</key>
                <dict>
                    <key>AuthenticatorACLPlugins</key>
                    <array>
                        <string>DSACL</string>
                    </array>
                    <key>LCPEchoEnabled</key>
                    <integer>1</integer>
                    <key>LCPEchoFailure</key>
                    <integer>5</integer>
                    <key>LCPEchoInterval</key>
                    <integer>60</integer>
                    <key>Logfile</key>
                    <string>/var/log/vpnd.log</string>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
                <key>Server</key>
                <dict>
                    <key>Logfile</key>
                    <string>/var/log/vpnd.log</string>
                    <key>MaximumSessions</key>
                    <integer>5</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
            </dict>
            <key>com.apple.ppp.pptp</key>
            <dict>
                <key>DNS</key>
                <dict>
                    <key>OfferedSearchDomains</key>
                    <array />
                    <key>OfferedServerAddresses</key>
                    <array>
                        <string>1.1.1.1</string>
                        <string>192.168.1.1</string>
                    </array>
                </dict>
                <key>IPv4</key>
                <dict>
                    <key>ConfigMethod</key>
                    <string>Manual</string>
                    <key>DestAddressRanges</key>
                    <array>
                        <string>192.168.1.25</string>
                        <string>192.168.1.30</string>
                    </array>
                </dict>
                <key>Interface</key>
                <dict>
                    <key>SubType</key>
                    <string>PPTP</string>
                    <key>Type</key>
                    <string>PPP</string>
                </dict>
                <key>PPP</key>
                <dict>
                    <key>AuthenticatorACLPlugins</key>
                    <array>
                        <string>DSACL</string>
                    </array>
                    <key>CCPEnabled</key>
                    <integer>1</integer>
                    <key>CCPProtocols</key>
                    <array>
                        <string>MPPE</string>
                    </array>
                    <key>LCPEchoEnabled</key>
                    <integer>1</integer>
                    <key>LCPEchoFailure</key>
                    <integer>5</integer>
                    <key>LCPEchoInterval</key>
                    <integer>60</integer>
                    <key>Logfile</key>
                    <string>/var/log/vpnd.log</string>
                    <!-- Only 40-bit MPPE is enabled here and 128-bit is off; MPPE with MS-CHAPv2 is weak at either key size, so prefer L2TP/IPsec for clients that support it. -->
                    <key>MPPEKeySize128</key>
                    <integer>0</integer>
                    <key>MPPEKeySize40</key>
                    <integer>1</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
                <key>Server</key>
                <dict>
                    <key>Logfile</key>
                    <string>/var/log/vpnd.log</string>
                    <key>MaximumSessions</key>
                    <integer>5</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
            </dict>
        </dict>
    </dict>
</plist>
  3. Change the ownership and permissions of the file
sudo chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
sudo chmod 644 /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
  4. Create a launchd job
sudo vi /Library/LaunchDaemons/com.apple.ppp.l2tp.plist

Add the following content to the file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/vpnd</string>
            <string>-x</string>
            <string>-i</string>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>OnDemand</key>
        <false/>
    </dict>
</plist>
  5. Add the shared secret to the System keychain (note that a secret typed on the command line is recorded in your shell history)
sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "ENTER_YOUR_SHARED-SECRET-PHRASE_HERE" /Library/Keychains/System.keychain
  6. Configure the VPN service to start automatically when the machine reboots
sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
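Before loading the job, it is worth linting the two plists written in the steps above. The following script is an added example, not code from the original guide or from Apple; it uses only the Python standard library and encodes checks that follow from the guide's own configuration: every ActiveServers entry has a definition under Servers, the client address pool is a valid [first, last] pair with room for MaximumSessions, the L2TP secret is kept in the keychain rather than in the plist, the PPTP/MPPE settings are flagged as weak, and the launchd job really starts /usr/sbin/vpnd with the id of an active server. The embedded sample plists are constructed, trimmed-down versions of the guide's files.

```python
"""Lint com.apple.RemoteAccessServers.plist and the vpnd launchd job before loading them.

Added example (not from the original guide). Run on a real machine as
    python3 check_vpn_plists.py <RemoteAccessServers.plist> <com.apple.ppp.l2tp.plist>
"""
import ipaddress
import plistlib
import sys

VPND = "/usr/sbin/vpnd"


def check_servers(cfg):
    """Return findings ("ERROR:", "WARN:", "INFO:" strings) for a parsed RemoteAccessServers dict."""
    findings = []
    active = cfg.get("ActiveServers", [])
    servers = cfg.get("Servers", {})
    if not active:
        findings.append("ERROR: ActiveServers is empty, vpnd has nothing to serve")
    for label in active:
        if label not in servers:
            findings.append(f"ERROR: active server {label} has no entry under Servers")
    for label, srv in servers.items():
        if label not in active:
            findings.append(f"INFO: {label} is defined but not in ActiveServers, so it stays inactive")
        ipv4 = srv.get("IPv4", {})
        if ipv4.get("ConfigMethod") == "Manual":
            try:
                first, last = (ipaddress.IPv4Address(a) for a in ipv4.get("DestAddressRanges", []))
                size = int(last) - int(first) + 1  # inclusive pool handed out to clients
                sessions = srv.get("Server", {}).get("MaximumSessions", 0)
                if size < 1:
                    findings.append(f"ERROR: {label}: DestAddressRanges end precedes start")
                elif size < sessions:
                    findings.append(f"WARN: {label}: {size} client addresses for MaximumSessions={sessions}")
            except ValueError:  # wrong element count or a non-IPv4 string
                findings.append(f"ERROR: {label}: DestAddressRanges must be two IPv4 addresses [first, last]")
        subtype = srv.get("Interface", {}).get("SubType")
        if subtype == "L2TP":
            l2tp = srv.get("L2TP", {})
            if l2tp.get("Transport") != "IPSec":
                findings.append(f"WARN: {label}: L2TP without the IPSec transport carries PPP in the clear")
            if l2tp.get("IPSecSharedSecretEncryption") != "Keychain":
                findings.append(f"WARN: {label}: IPSecSharedSecret is stored in the plist, not the System keychain")
        elif subtype == "PPTP":
            ppp = srv.get("PPP", {})
            findings.append(f"WARN: {label}: PPTP relies on MS-CHAPv2/MPPE, which are considered weak")
            if ppp.get("MPPEKeySize40") == 1 and ppp.get("MPPEKeySize128") != 1:
                findings.append(f"WARN: {label}: only 40-bit MPPE is enabled")
    return findings


def check_launchd(job, active):
    """Return findings for the launchd job that should run vpnd for one of the active servers."""
    findings = []
    args = job.get("ProgramArguments", [])
    if not args or args[0] != VPND:
        findings.append(f"ERROR: ProgramArguments must start with {VPND}")
    try:
        ident = args[args.index("-i") + 1]  # server id handed to vpnd -i
    except (ValueError, IndexError):
        ident = None
    if ident is None:
        findings.append("ERROR: vpnd needs '-i <server id>' to know which server to run")
    elif ident not in active:
        findings.append(f"ERROR: vpnd -i {ident} does not name an ActiveServers entry")
    if job.get("Label") != ident:
        findings.append("WARN: Label differs from the server id given to vpnd -i")
    if job.get("OnDemand", True):
        findings.append("WARN: OnDemand is not false, so launchd will not keep vpnd running")
    return findings


def lint(servers_plist, launchd_plist):
    """Parse both plists (bytes) and return the combined findings."""
    cfg = plistlib.loads(servers_plist)
    job = plistlib.loads(launchd_plist)
    return check_servers(cfg) + check_launchd(job, cfg.get("ActiveServers", []))


# Constructed sample input: the guide's files reduced to the keys the checks read.
SAMPLE_SERVERS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>ActiveServers</key><array><string>com.apple.ppp.l2tp</string></array>
 <key>Servers</key><dict>
  <key>com.apple.ppp.l2tp</key><dict>
   <key>IPv4</key><dict><key>ConfigMethod</key><string>Manual</string>
    <key>DestAddressRanges</key><array><string>192.168.1.25</string><string>192.168.1.30</string></array></dict>
   <key>Interface</key><dict><key>SubType</key><string>L2TP</string><key>Type</key><string>PPP</string></dict>
   <key>L2TP</key><dict><key>IPSecSharedSecret</key><string>com.apple.ppp.l2tp</string>
    <key>IPSecSharedSecretEncryption</key><string>Keychain</string><key>Transport</key><string>IPSec</string></dict>
   <key>Server</key><dict><key>MaximumSessions</key><integer>5</integer></dict></dict>
  <key>com.apple.ppp.pptp</key><dict>
   <key>IPv4</key><dict><key>ConfigMethod</key><string>Manual</string>
    <key>DestAddressRanges</key><array><string>192.168.1.25</string><string>192.168.1.30</string></array></dict>
   <key>Interface</key><dict><key>SubType</key><string>PPTP</string><key>Type</key><string>PPP</string></dict>
   <key>PPP</key><dict><key>MPPEKeySize128</key><integer>0</integer><key>MPPEKeySize40</key><integer>1</integer></dict>
   <key>Server</key><dict><key>MaximumSessions</key><integer>5</integer></dict></dict>
 </dict>
</dict></plist>"""

SAMPLE_LAUNCHD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>Label</key><string>com.apple.ppp.l2tp</string>
 <key>ProgramArguments</key><array><string>/usr/sbin/vpnd</string><string>-x</string>
  <string>-i</string><string>com.apple.ppp.l2tp</string></array>
 <key>OnDemand</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as s, open(sys.argv[2], "rb") as j:
            results = lint(s.read(), j.read())
    else:
        results = lint(SAMPLE_SERVERS, SAMPLE_LAUNCHD)
    print("\n".join(results) or "no findings")
    sys.exit(1 if any(r.startswith("ERROR") for r in results) else 0)
```

On the sample input the script reports no errors: one INFO that the PPTP server is defined but inactive (it is missing from ActiveServers, exactly as in the guide's file) and two WARN lines about PPTP and the 40-bit MPPE setting. A non-zero exit status means an ERROR finding, which is the condition under which vpnd would fail to start or serve the wrong thing.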

The configuration is done. If your VPN server sits behind a firewall or NAT router, you will need to set up port forwarding for the following ports:

    UDP 500 for ISAKMP/IKE
    UDP 1701 for L2TP
    UDP 4500 for IPsec NAT Traversal
    TCP 1723 for PPTP

If you want to disable the VPN service so that it no longer starts after a reboot, run:

sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist

You can use your macOS username and password to connect to your VPN server.

Below are the steps to configure the VPN client on your iOS device (tested with iOS 13.x):

  1. Go to Settings > General > VPN
  2. Open "Add VPN Configuration"
  3. Select "L2TP" on VPN "Type"
  4. Enter a "Description"
  5. Enter the server's IP address or hostname
  6. Under "Account", enter your macOS username
  7. Enter the password if you do not want to be prompted for it when making the VPN connection
  8. Enter the "Secret" that you added to the keychain in the server steps above
  9. Optional: you can choose to send all traffic or leave the option off.

Now, you should be able to connect to your VPN server.

For troubleshooting, always look in the log file at "/var/log/vpnd.log" for clues and make sure the service is up and running with the following command:

ps aux | grep vpnd

If you make any configuration change, make sure to restart the VPN service by running:

sudo killall -HUP vpnd

Credits and References

https://jonsview.com/how-to-setup-os-x-10-9-as-a-l2tp-vpn-server-without-apples-server-app/comment-page-2

https://support.apple.com/en-us/HT208312