Apple Wiki
Apple Wiki

A virtual private network (VPN) is used to establish a secure connection between two or more computers. The effect of establishing a VPN is to create the appearance of a local network consisting of a few machines on a larger network. One appplication for a VPN is to provide greater security than the standard security protocols used in wireless connections. Another application is for employees of a company to access the company's network via the Internet while away from the office, while maintaining security so that communications cannot be snooped.

VPNs for Mac[]

Commercial software (e.g. Cisco) is available for maintaining VPNs, but the protocols are already built into Mac OS X and macOS, which can be enabled (with some setup effort) without third-party tools.

A free option that simplifies VPN setup and maintenance on Macs is IPSecuritas.

Manual configuration[]

Configuring a VPN with L2TP can be done through the Network menu of System Preferences. However, L2TP is not supported "out of the box" by some OSes (notably Linux), and L2TP adds unnecessary overhead. The setup for an IPsec VPN without L2TP is more complex, and is described here. (The described setup can also be supported through IPSecuritas).

This article is not intended to be comprehensive. There are many options in setting up a VPN; among these are the transport and tunnel connection modes; and authentication by secret key or certificate. The configuration described below is for a transport connection (a peer-to-peer protocol suitable for wireless security; tunneling is typically used for connecting to corporate networks) and secret key authentication.

The setup is described below. Once the machines that will participate in the VPN have been configured, the VPN is enabled (for Macs) by entering the following commands in Terminal. Substitute the IP address of the Mac for $ip1, and the IP address of the remote machine for $ip2.

  • setkey -c
    • flush;
    • spdflush;
    • spdadd $ip1/32 $ip2/32 any -P out ipsec esp/transport/$ip1-$ip2/require;
    • spdadd $ip2/32 $ip1/32 any -P in ipsec esp/transport/$ip2-$ip1/require;
    • ^D
  • racoon -f /etc/racoon/racoon.conf

Note that the 1st line runs the program "setkey" in command mode; 2nd through 5th lines are commands input to this program. The 6th line indicates that a control-D is entered to exit the program.

The racoon program uses the specified configuration file, which should be present on the system. A configuration file for the remote system should be created in /etc/racoon/remote/system.conf (change the name from "system" to the name of the remote host).

A typical configuration file specifying the remote system looks like this (assuming the remote system is at IP address

       exchange_mode main;
       doi ipsec_doi;
       situation identity_only;
       my_identifier address;
       #peers_identifier address;
       passive off;
       nonce_size 16;
       lifetime time 30 min;   # sec,min,hour
       #lifetime byte 50000 KB;    # B,KB,MB,GB
       initial_contact on;
       support_mip6 on;
       proposal_check obey;    # obey, strict or claim
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key ;
               dh_group 2 ;

sainfo address any address any
       pfs_group 2;
       lifetime time 30 min;
       encryption_algorithm 3des ;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate ;

sainfo address any address any
       pfs_group 2;
       lifetime time 30 min;
       encryption_algorithm 3des ;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate ;

Note that this file specifies authenticaion via a preshared key; certificates are another option for authentication. The preshared key is found in /etc/racoon/psk.txt and lists a key (arbitrary text string not easily guessed by outsiders) next to the remote host's IP address: thisisthesupersecretkeyfortheremotehost

A matching key must be configured on the remote host.

Automating the VPN initialization[]

Once the configuration files have been set up, the initialization of the VPN can be set to start automatatically when the system boots up. This is done by creating a directory in /Library/StartupItems. The directory may be called Ipsec (for the IPSEC protocol used by the VPN), or any other suitable name.

/Library/StartupItems/Ipsec should contain:

  • StartupParameters.plist, with the following contents:
  Description     = "Ipsec";
  Provides        = ("Ipsec");
  Uses        = ("Network");
  OrderPreference = "None";
  Messages =
    start = "Starting ipsec";
    stop  = "Stopping ipsec";
  • ipsec, which must be set to executable and have the following contents:

# Ipsec

. /etc/rc.common

StartService ()
   ip=`ifconfig en1 | grep "inet " | sed 's/.*inet //' | sed 's/ net.*//'`
   setkey -c <<END_SETKEY
   spdadd $ip/32 any -P out ipsec esp/transport/$ip-;
   spdadd $ip/32 any -P in ipsec esp/transport/$ip/require;

   racoon -f /etc/racoon/racoon.conf

StopService ()
   if pid=$(pgrep racoon); then
       echo "Stopping ipsec"
       kill -TERM "${pid}"
       echo "racoon is not running."
   rm -f /var/run/Ipsec.StartupItem

RestartService () { StopService; StartService; }

RunService "$1"

Note that the StartService routine executes the same commands listed at the top of this article, after extracting the local machine's IP address from an ifconfig command, and that this routine assumes that the remote machine's address is fixed at

Once this automatic initialization is set up, not only is the VPN initialized at boot time (assuming the remote machine can be found and authenticated), but it also is possible to start and stop the VPN manually with the simple commands

sudo /Library/StartupItems/Ipsec/ipsec start


sudo /Library/StartupItems/Ipsec/ipsec stop

External links[]