Jon's View

a technology blog by Jon Stacey

# How to Setup a L2TP VPN Server on OS X

Posted on November 13, 2013 (updated July 5, 2016) by Jon Stacey

This is a fast guide on configuring OS X to act as an L2TP VPN server. This can be accomplished with Apple’s Server App, but if you don’t mind running a few Terminal commands and adding a couple of configuration files manually, you can save yourself $20 and go out to eat instead.

This guide also includes a workaround for a known bug in the general release of OS X 10.9 Mavericks in its implementation of racoon that prevents remote clients from being able to connect to your VPN server.


## Preamble

Estimated Time Required: 10-15 minutes
Tested on: OS X 10.8 Mountain Lion, OS X 10.9 Mavericks

## Setup port forwarding

If your future server is behind a router, you’ll most likely need to set up port forwarding for the following ports:

* UDP 500 for ISAKMP/IKE
* UDP 1701 for L2TP
* UDP 4500 for IPsec NAT Traversal
* Optional: TCP 1723 for PPTP

[Apple has more information](http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US) on common ports used.

## OS X 10.9 Mavericks fix

This step is only required on OS X 10.9 Mavericks.

In OS X Mavericks, there was a change to the /usr/sbin/racoon program which breaks L2TP access from remote clients when traversing NAT. This is a known bug and I have filed a bug report with Apple. This also breaks Apple’s own Server App since it simply automates what we’re doing manually here. There are two known solutions.

__Solution 1:__ Use a modified variation of Apple’s official fix. This modified installer does not check for the existence of the Apple Server.app. Download the modified package MavericksVPNUpdateServerAppLess.pkg.

Also check out the official Apple KB article on this problem and their fix for users who have Server.app installed on their systems.

__Solution 2:__ Replace /usr/sbin/racoon with a version from Mountain Lion. If you don’t have your own backup available, you can [download my backup of racoon from Mountain Lion](https://jonsview.com/wp-content/uploads/2013/11/Mountain-Lion-Racoon.zip). Simply unzip, move the executable into /usr/sbin, and reboot your Mac [or kill and restart racoon].

For example:

```sh
sudo mv /usr/sbin/racoon ~/Desktop/racoon.bak
sudo mv ~/Downloads/racoon /usr/sbin/racoon
sudo killall racoon
```

## Add a shared secret to your keychain

Run the following command in Terminal after replacing SHARED-SECRET-PHRASE with your own secret phrase. When you log in to your VPN server from a client, both an account password and this secret phrase will be needed.

```sh
sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "SHARED-SECRET-PHRASE" /Library/Keychains/System.keychain
```

## Configure Apple’s vpnd Service

[Download Example configuration files (and racoon binary from Mountain Lion)](https://jonsview.com/wp-content/uploads/2013/11/Example-VPN-Configuration-Files-and-Racoon-2013-11-17.zip)

Modify the configuration file _com.apple.RemoteAccessServers.plist_ below and save it to the following location. Set ownership to root:wheel and chmod 644.

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

You need to modify the following lines with your own information:

* Lines 19-20 under “OfferedServerAddresses”

> These two lines should be changed to the DNS servers you want your VPN clients to use. In this example, I’m providing my local router (10.0.1.1) and a Google DNS server as a secondary (8.8.4.4).

* Lines 29-30 under “DestAddressRanges”

> These two lines specify the start and end of the IP address range that will be handed to clients when they log in. In this example, my clients are given an IP address between 10.0.1.250 and 10.0.1.254. Ideally, you should choose a range that is outside of the range that your router will assign so that you avoid IP address conflicts. For example, my router is configured with a DHCP range of 10.0.1.2 to 10.0.1.249.

This configuration file also defines a PPTP server in addition to L2TP. If you wish to enable that as well, modify lines 84-85 and 94-95.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ActiveServers</key>
	<array>
		<string>com.apple.ppp.l2tp</string>
	</array>
	<key>Servers</key>
	<dict>
		<key>com.apple.ppp.l2tp</key>
		<dict>
			<key>DNS</key>
			<dict>
				<key>OfferedSearchDomains</key>
				<array/>
				<key>OfferedServerAddresses</key>
				<array>
					<string>10.0.1.1</string>
					<string>8.8.4.4</string>
				</array>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>ConfigMethod</key>
				<string>Manual</string>
				<key>DestAddressRanges</key>
				<array>
					<string>10.0.1.250</string>
					<string>10.0.1.254</string>
				</array>
			</dict>
			<key>Interface</key>
			<dict>
				<key>SubType</key>
				<string>L2TP</string>
				<key>Type</key>
				<string>PPP</string>
			</dict>
			<key>L2TP</key>
			<dict>
				<key>IPSecSharedSecret</key>
				<string>com.apple.ppp.l2tp</string>
				<key>IPSecSharedSecretEncryption</key>
				<string>Keychain</string>
				<key>Transport</key>
				<string>IPSec</string>
			</dict>
			<key>PPP</key>
			<dict>
				<key>AuthenticatorACLPlugins</key>
				<array>
					<string>DSACL</string>
				</array>
				<key>LCPEchoEnabled</key>
				<integer>1</integer>
				<key>LCPEchoFailure</key>
				<integer>5</integer>
				<key>LCPEchoInterval</key>
				<integer>60</integer>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
			<key>Server</key>
			<dict>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MaximumSessions</key>
				<integer>128</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
		</dict>
		<key>com.apple.ppp.pptp</key>
		<dict>
			<key>DNS</key>
			<dict>
				<key>OfferedSearchDomains</key>
				<array/>
				<key>OfferedServerAddresses</key>
				<array>
					<string>10.0.1.1</string>
					<string>8.8.4.4</string>
				</array>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>ConfigMethod</key>
				<string>Manual</string>
				<key>DestAddressRanges</key>
				<array>
					<string>10.0.1.250</string>
					<string>10.0.1.254</string>
				</array>
			</dict>
			<key>Interface</key>
			<dict>
				<key>SubType</key>
				<string>PPTP</string>
				<key>Type</key>
				<string>PPP</string>
			</dict>
			<key>PPP</key>
			<dict>
				<key>AuthenticatorACLPlugins</key>
				<array>
					<string>DSACL</string>
				</array>
				<key>CCPEnabled</key>
				<integer>1</integer>
				<key>CCPProtocols</key>
				<array>
					<string>MPPE</string>
				</array>
				<key>LCPEchoEnabled</key>
				<integer>1</integer>
				<key>LCPEchoFailure</key>
				<integer>5</integer>
				<key>LCPEchoInterval</key>
				<integer>60</integer>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MPPEKeySize128</key>
				<integer>0</integer>
				<key>MPPEKeySize40</key>
				<integer>1</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
			<key>Server</key>
			<dict>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MaximumSessions</key>
				<integer>128</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
		</dict>
	</dict>
</dict>
</plist>
```
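As an added example (not from the post or from Apple), the following Python script generates the L2TP-only variant of the com.apple.RemoteAccessServers.plist shown above from the values you would otherwise edit by hand, and refuses a client address pool that overlaps the router’s DHCP range, which is exactly the conflict the note on DestAddressRanges warns about. It uses only the standard library; the function names and the DHCP-range arguments are my own.

```python
# Added example (not from the post or Apple): generates the L2TP-only
# com.apple.RemoteAccessServers.plist above; DHCP-range check is my own.
import ipaddress
import plistlib


def ranges_overlap(a_start, a_end, b_start, b_end):
    """True if inclusive IPv4 ranges [a_start, a_end] and [b_start, b_end] share an address."""
    a0, a1 = int(ipaddress.IPv4Address(a_start)), int(ipaddress.IPv4Address(a_end))
    b0, b1 = int(ipaddress.IPv4Address(b_start)), int(ipaddress.IPv4Address(b_end))
    if a0 > a1 or b0 > b1:
        raise ValueError("range start must not be above range end")
    return a0 <= b1 and b0 <= a1


def build_l2tp_config(dns_servers, pool_start, pool_end, dhcp_start, dhcp_end, max_sessions=128):
    """Return the plist dict, refusing a client pool that collides with the router's DHCP range."""
    if ranges_overlap(pool_start, pool_end, dhcp_start, dhcp_end):
        raise ValueError(f"client pool {pool_start}-{pool_end} overlaps DHCP {dhcp_start}-{dhcp_end}")
    for addr in dns_servers:
        ipaddress.IPv4Address(addr)  # ValueError on a malformed DNS server address
    server = {
        "DNS": {"OfferedSearchDomains": [], "OfferedServerAddresses": list(dns_servers)},
        "IPv4": {"ConfigMethod": "Manual", "DestAddressRanges": [pool_start, pool_end]},
        "Interface": {"SubType": "L2TP", "Type": "PPP"},
        # The IPsec pre-shared key stays in the System keychain under the account
        # name com.apple.ppp.l2tp; only that lookup name is written into this file.
        "L2TP": {"IPSecSharedSecret": "com.apple.ppp.l2tp",
                 "IPSecSharedSecretEncryption": "Keychain", "Transport": "IPSec"},
        "PPP": {"AuthenticatorACLPlugins": ["DSACL"], "LCPEchoEnabled": 1,
                "LCPEchoFailure": 5, "LCPEchoInterval": 60,
                "Logfile": "/var/log/ppp/vpnd.log", "VerboseLogging": 1},
        "Server": {"Logfile": "/var/log/ppp/vpnd.log",
                   "MaximumSessions": max_sessions, "VerboseLogging": 1},
    }
    return {"ActiveServers": ["com.apple.ppp.l2tp"], "Servers": {"com.apple.ppp.l2tp": server}}


def to_plist_xml(config):
    """Serialize to the XML plist text vpnd reads (save as the file path given above)."""
    return plistlib.dumps(config).decode("utf-8")


if __name__ == "__main__":
    # Values from the post: router 10.0.1.1 and 8.8.4.4 for DNS, clients get
    # 10.0.1.250-254, and the router's DHCP pool hands out 10.0.1.2-249.
    cfg = build_l2tp_config(["10.0.1.1", "8.8.4.4"], "10.0.1.250", "10.0.1.254",
                            "10.0.1.2", "10.0.1.249")
    print(to_plist_xml(cfg))
```

Pipe the output into the path given above with sudo, then apply the root:wheel ownership and 644 mode as described.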
## Create a Launchd profile

Take the _com.apple.ppp.l2tp.plist_ launchd configuration file below and save it to the following location. Set ownership to root:wheel and chmod 644.

/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/vpnd</string>
            <string>-x</string>
            <string>-i</string>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>OnDemand</key>
        <false/>
    </dict>
</plist>
```
## Launchd Loading and Unloading

This command will load the launchd configuration and start the vpnd service. The VPN service will automatically start when you reboot your computer.

```sh
sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
```

This command will unload the launchd configuration and stop the vpnd service. This will also stop VPN services from starting when you reboot.

```sh
sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
```

## Troubleshooting

If things just aren’t working, take a look in Console to see what errors vpnd is reporting.

95 thoughts on “How to Setup a L2TP VPN Server on OS X”

  1. Giorgos says:
    March 6, 2021 at 6:05 am

    Hello,
    I try to use this guide to run VPN on my 2020 Mac mini with Big Sur.
    Does it work on Big Sur?
    When I start the .plist file, I see in the console the following error: (I erased the timestamps)

    Loading plugin /System/Library/SystemConfiguration/PPPController.bundle/Contents/PlugIns/L2TP.ppp
    Unable to load plugin (error = -1)
    Initialization of vpnd plugin failed

    Any ideas?

    1. Jon Stacey says:
      March 6, 2021 at 10:33 am

      I haven’t tried this on Big Sur so adjustments might be needed. However, I suggest looking into WireGuard instead. It’s the future of VPN.

      1. Giorgos says:
        March 6, 2021 at 1:31 pm

        Since I have a few users connecting to my current VPN (old iMac), I want to keep those settings in all clients.
        I will give another try on a clean install in a VM on my MacBook to see if there is some kind of problem with the installation on the Mac mini M1.
        I will report back.

        1. Giorgos says:
          March 6, 2021 at 5:09 pm

          Unfortunately same errors on my 2015 macbook pro with Big Sur.
          Maybe something changed with Big Sur or maybe even earlier.
          Thanks Jon.

  2. Aaron says:
    January 4, 2021 at 10:37 pm

    This was super helpful… even years later! Took me hours of researching to finally fix the issues I was having, mostly related to improper setup. That said, there are a couple updates that need to occur, namely the com.apple.ppp.l2tp.plist script is out of date. Apple tried to update this on their MacOS Server Mitigation pdf released in 2018, but had some typos. Refer to this stackexchange for updated instructions. https://apple.stackexchange.com/questions/342129/server-app-how-to-fix-re-enable-broken-vpn-after-update-to-mojave

  3. Pingback: Deploying a VPN Server on OSX – Talk Data 2 Me
  4. John says:
    December 30, 2018 at 8:25 am

    VPN is still working great. But I’m wondering if vpnd has any type of status command? I would like to be able to load a list of all current VPN connections. Ideally with their authentication user, the hosts external IP address, and the age of the connection. Their internal VPN IP address might also be useful. Man vpnd comes up unhelpful.

  5. John says:
    March 13, 2018 at 2:28 am

    Just set this up on an Xserve running 10.11. Worked perfectly. I set up a new user account on the machine for use just with VPN connections. That user’s password and the VPN shared secret are both absurdly long random strings. Connects from the native VPN client in OS X perfectly, like a charm.
