How to Set Up an L2TP VPN Server on OS X

This is a quick guide to configuring OS X to act as an L2TP VPN server. The same result can be had with Apple’s Server app, but if you don’t mind running a few Terminal commands and adding a couple of configuration files by hand, you can save yourself $20 and go out to eat instead.

This guide also includes a workaround for a known bug in the initial general release of OS X 10.9 Mavericks: its build of racoon prevents remote clients from connecting to your VPN server through NAT.


## Preamble

Estimated Time Required: 10-15 minutes
Tested on: OS X 10.8 Mountain Lion, OS X 10.9 Mavericks

## Setup port forwarding

If your future server is behind a router, you’ll most likely need to set up port forwarding for the following ports:

* UDP 500 for ISAKMP/IKE
* UDP 1701 for L2TP
* UDP 4500 for IPsec NAT Traversal (NAT-T; when either end is behind NAT this is the port that actually carries the encapsulated ESP tunnel)
* Optional: TCP 1723 for PPTP, plus GRE (IP protocol 47), which PPTP also needs and which not every consumer router can pass

[Apple has more information](http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US) on common ports used.

## OS X 10.9 Mavericks fix

This step is only required on OS X 10.9.0 and 10.9.1. Apple fixed the problem in 10.9.2, so skip it on later releases.

In OS X Mavericks, a change to /usr/sbin/racoon broke L2TP access from remote clients that connect through NAT. This is a known bug and I have filed a bug report with Apple. It also breaks Apple’s own Server app, since that simply automates what we’re doing manually here. There are two known solutions.

__Solution 1:__ Use a modified variation of the official fix. This modified installer does not check for the presence of Apple’s Server.app. Download the modified package MavericksVPNUpdateServerAppLess.pkg.

Also check out the official Apple KB article on this problem and their fix for users who have Server.app installed on their systems.

__Solution 2:__ Replace /usr/sbin/racoon with the version from Mountain Lion. If you don’t have your own backup available, you can [download my backup of racoon from Mountain Lion](https://jonsview.com/wp-content/uploads/2013/11/Mountain-Lion-Racoon.zip). Simply unzip it, move the executable into /usr/sbin, and reboot your Mac (or kill and restart racoon). Keep in mind that this replaces a privileged system daemon with an unsigned binary downloaded from a blog: if you have a Mountain Lion install of your own, take the file from there instead, and make sure the replacement ends up owned by root:wheel with mode 755 like the original.

For example:

```sh
sudo mv /usr/sbin/racoon ~/Desktop/racoon.bak
sudo mv ~/Downloads/racoon /usr/sbin/racoon
sudo killall racoon
```

## Add a shared secret to your keychain

Run the following command in Terminal after replacing SHARED-SECRET-PHRASE with your own secret phrase. This is the IPsec pre-shared key: when you log in to your VPN server from a client, both an account password and this shared secret will be needed. The -T option lets /usr/sbin/racoon read the item without an access prompt. Because the secret is passed on the command line it will end up in your shell history, so use a long random phrase and remove that history entry afterwards.

```sh
sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "SHARED-SECRET-PHRASE" /Library/Keychains/System.keychain
```

## Configure Apple’s vpnd Service

[Download Example configuration files (and racoon binary from Mountain Lion)](https://jonsview.com/wp-content/uploads/2013/11/Example-VPN-Configuration-Files-and-Racoon-2013-11-17.zip)

Take the configuration file _com.apple.RemoteAccessServers.plist_ below, modify it, and save it to the following location (create the file if it does not exist; a fresh install does not ship one). Set ownership to root:wheel and chmod 644.

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

You need to modify the following lines with your own information:

* Lines 19-20 under “OfferedServerAddresses”

> These two lines are the DNS servers your VPN clients will be told to use (IP addresses, not domain names). In this example, I’m providing my local router (10.0.1.1) and a Google Public DNS server as a secondary (8.8.4.4).

* Lines 29-30 under “DestAddressRanges”

> These two lines specify the start and end of the IP address range handed to clients when they log in. In this example, clients are given an address between 10.0.1.250 and 10.0.1.254. Choose a range outside the one your router’s DHCP server assigns so that you avoid address conflicts; for example, my router is configured with a DHCP range of 10.0.1.2 to 10.0.1.249. Note that the size of this range, not MaximumSessions (128 below), is what really caps the number of simultaneous clients: five addresses means five clients.

This configuration file also contains a server definition for PPTP, but only com.apple.ppp.l2tp is listed under “ActiveServers”, so PPTP stays off. If you wish to enable it as well, add com.apple.ppp.pptp to “ActiveServers” and modify lines 84-85 and 94-95 in the same way. Be aware that PPTP’s MS-CHAPv2 authentication and MPPE encryption are considered broken, and the stanza below only permits 40-bit MPPE (MPPEKeySize40 is 1, MPPEKeySize128 is 0); if you only need L2TP, the cleanest option is to delete the PPTP stanza entirely.

Several readers have reported that with this file as written the server accepted any username and password as long as the IPsec shared secret was correct, and that adding an “AuthenticatorPlugins” array containing DSAuth and an “AuthenticatorProtocol” array to the “PPP” dictionary fixed it (see the comments below; the keys are documented in vpnd(5)). Check this on your own install before exposing the server to the Internet: try to connect with a made-up account and confirm that it is refused.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ActiveServers</key>
	<array>
		<string>com.apple.ppp.l2tp</string>
	</array>
	<key>Servers</key>
	<dict>
		<key>com.apple.ppp.l2tp</key>
		<dict>
			<key>DNS</key>
			<dict>
				<key>OfferedSearchDomains</key>
				<array/>
				<key>OfferedServerAddresses</key>
				<array>
					<string>10.0.1.1</string>
					<string>8.8.4.4</string>
				</array>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>ConfigMethod</key>
				<string>Manual</string>
				<key>DestAddressRanges</key>
				<array>
					<string>10.0.1.250</string>
					<string>10.0.1.254</string>
				</array>
			</dict>
			<key>Interface</key>
			<dict>
				<key>SubType</key>
				<string>L2TP</string>
				<key>Type</key>
				<string>PPP</string>
			</dict>
			<key>L2TP</key>
			<dict>
				<key>IPSecSharedSecret</key>
				<string>com.apple.ppp.l2tp</string>
				<key>IPSecSharedSecretEncryption</key>
				<string>Keychain</string>
				<key>Transport</key>
				<string>IPSec</string>
			</dict>
			<key>PPP</key>
			<dict>
				<key>AuthenticatorACLPlugins</key>
				<array>
					<string>DSACL</string>
				</array>
				<key>LCPEchoEnabled</key>
				<integer>1</integer>
				<key>LCPEchoFailure</key>
				<integer>5</integer>
				<key>LCPEchoInterval</key>
				<integer>60</integer>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
			<key>Server</key>
			<dict>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MaximumSessions</key>
				<integer>128</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
		</dict>
		<key>com.apple.ppp.pptp</key>
		<dict>
			<key>DNS</key>
			<dict>
				<key>OfferedSearchDomains</key>
				<array/>
				<key>OfferedServerAddresses</key>
				<array>
					<string>10.0.1.1</string>
					<string>8.8.4.4</string>
				</array>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>ConfigMethod</key>
				<string>Manual</string>
				<key>DestAddressRanges</key>
				<array>
					<string>10.0.1.250</string>
					<string>10.0.1.254</string>
				</array>
			</dict>
			<key>Interface</key>
			<dict>
				<key>SubType</key>
				<string>PPTP</string>
				<key>Type</key>
				<string>PPP</string>
			</dict>
			<key>PPP</key>
			<dict>
				<key>AuthenticatorACLPlugins</key>
				<array>
					<string>DSACL</string>
				</array>
				<key>CCPEnabled</key>
				<integer>1</integer>
				<key>CCPProtocols</key>
				<array>
					<string>MPPE</string>
				</array>
				<key>LCPEchoEnabled</key>
				<integer>1</integer>
				<key>LCPEchoFailure</key>
				<integer>5</integer>
				<key>LCPEchoInterval</key>
				<integer>60</integer>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MPPEKeySize128</key>
				<integer>0</integer>
				<key>MPPEKeySize40</key>
				<integer>1</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
			<key>Server</key>
			<dict>
				<key>Logfile</key>
				<string>/var/log/ppp/vpnd.log</string>
				<key>MaximumSessions</key>
				<integer>128</integer>
				<key>VerboseLogging</key>
				<integer>1</integer>
			</dict>
		</dict>
	</dict>
</dict>
</plist>
```

## Create a Launchd profile

Take the _com.apple.ppp.l2tp.plist_ plist configuration file below and save it to the following location. Set ownership to root:wheel and chmod 644.

/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.apple.ppp.l2tp</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/sbin/vpnd</string>
		<string>-x</string>
		<string>-i</string>
		<string>com.apple.ppp.l2tp</string>
	</array>
	<key>OnDemand</key>
	<false/>
</dict>
</plist>
```

## Launchd Loading and Unloading

This command loads the launchd job and starts the vpnd service. The -w flag also clears the job’s Disabled flag on disk, so the VPN service will start automatically when you reboot your computer.

```sh
sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
```

This command unloads the job and stops the vpnd service. With -w it also marks the job disabled, so VPN services will not start at the next reboot.

```sh
sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
```
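Rather than hand-editing the two plists above and counting lines, you can generate and lint them. The following is an added example written for this page, not code from the original post or from Apple: it builds the com.apple.RemoteAccessServers.plist entry and the launchd job with the standard-library plistlib, then checks the things that tripped up readers of this post: a client range that overlaps the router’s DHCP pool, a range too small for MaximumSessions, a PPTP stanza, and a missing AuthenticatorPlugins array. The AuthenticatorPlugins and AuthenticatorProtocol keys come from the fix reported in the comments and from vpnd(5); the MSCHAP2 default is my choice (the commenters used PAP), and the addresses are the article’s example values.

```python
"""Build and sanity-check the vpnd and launchd plists from this guide.

Added example, not code from the original post. Uses only the standard
library. Addresses are the article's illustrative values; the
AuthenticatorPlugins/AuthenticatorProtocol keys are the ones readers
reported adding (they are listed in vpnd(5)) so that vpnd checks the
account password and not only the IPsec shared secret.
"""
import ipaddress
import plistlib

SERVER_ID = "com.apple.ppp.l2tp"
LOGFILE = "/var/log/ppp/vpnd.log"


def l2tp_server(dns_servers, pool_start, pool_end, max_sessions=128,
                auth_protocol="MSCHAP2"):
    """One entry for the Servers dict of com.apple.RemoteAccessServers.plist."""
    return {
        "DNS": {"OfferedSearchDomains": [],
                "OfferedServerAddresses": list(dns_servers)},
        "IPv4": {"ConfigMethod": "Manual",
                 "DestAddressRanges": [pool_start, pool_end]},
        "Interface": {"SubType": "L2TP", "Type": "PPP"},
        "L2TP": {"IPSecSharedSecret": SERVER_ID,  # keychain account name
                 "IPSecSharedSecretEncryption": "Keychain",
                 "Transport": "IPSec"},
        "PPP": {
            "AuthenticatorACLPlugins": ["DSACL"],
            # Without the next two keys, commenters found that any
            # username/password was accepted once the shared secret matched.
            "AuthenticatorPlugins": ["DSAuth"],
            "AuthenticatorProtocol": [auth_protocol],
            "LCPEchoEnabled": 1, "LCPEchoFailure": 5, "LCPEchoInterval": 60,
            "Logfile": LOGFILE, "VerboseLogging": 1,
        },
        "Server": {"Logfile": LOGFILE, "MaximumSessions": max_sessions,
                   "VerboseLogging": 1},
    }


def remote_access_servers(servers):
    """Top level of the plist; only IDs listed in ActiveServers are started."""
    return {"ActiveServers": list(servers), "Servers": dict(servers)}


def launchd_job(server_id=SERVER_ID):
    """/Library/LaunchDaemons/<server_id>.plist with the post's arguments."""
    return {"Label": server_id,
            "ProgramArguments": ["/usr/sbin/vpnd", "-x", "-i", server_id],
            "OnDemand": False}


def check_config(config, dhcp_pool):
    """Return human-readable problems; dhcp_pool is the router's (first, last)."""
    problems = []
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    for sid in config["ActiveServers"]:
        srv = config["Servers"].get(sid)
        if srv is None:
            problems.append(f"{sid}: listed in ActiveServers but not defined")
            continue
        for dns in srv["DNS"]["OfferedServerAddresses"]:
            try:
                ipaddress.ip_address(dns)
            except ValueError:
                problems.append(f"{sid}: DNS entry {dns!r} is not an IP address")
        lo, hi = (ipaddress.ip_address(a) for a in srv["IPv4"]["DestAddressRanges"])
        if lo > hi:
            problems.append(f"{sid}: DestAddressRanges start is after its end")
        elif lo <= dhcp_hi and hi >= dhcp_lo:
            problems.append(f"{sid}: client range {lo}-{hi} overlaps the DHCP pool")
        pool = int(hi) - int(lo) + 1
        if pool < srv["Server"]["MaximumSessions"]:
            problems.append(f"{sid}: only {pool} client addresses for "
                            f"MaximumSessions={srv['Server']['MaximumSessions']}")
        if not srv["PPP"].get("AuthenticatorPlugins"):
            problems.append(f"{sid}: no AuthenticatorPlugins, password may go unchecked")
        if srv["Interface"]["SubType"] == "PPTP":
            problems.append(f"{sid}: PPTP depends on MS-CHAPv2/MPPE, which is broken")
    return problems


def to_plist(obj):
    """Serialize to the XML plist text that vpnd and launchd read."""
    return plistlib.dumps(obj, sort_keys=True).decode()


def roundtrips(obj):
    """True if the serialized plist parses back to the same structure."""
    return plistlib.loads(to_plist(obj).encode()) == obj


if __name__ == "__main__":
    cfg = remote_access_servers({SERVER_ID: l2tp_server(
        ["10.0.1.1", "8.8.4.4"], "10.0.1.250", "10.0.1.254")})
    for problem in check_config(cfg, ("10.0.1.2", "10.0.1.249")):
        print("warning:", problem)
    print(to_plist(cfg))            # goes to /Library/Preferences/SystemConfiguration/
    print(to_plist(launchd_job()))  # goes to /Library/LaunchDaemons/
```

Run it with python3, write the first printed document to the SystemConfiguration path and the second to /Library/LaunchDaemons, then set root:wheel and 644 as described above. With the article’s values it prints exactly one warning: five client addresses cap you at five concurrent clients regardless of MaximumSessions=128.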

## Troubleshooting

If things just aren’t working, look at what vpnd is reporting. With the Logfile and VerboseLogging settings above it writes to /var/log/ppp/vpnd.log, which you can read in Console or follow with tail -f. If the log shows “L2TP sent SCCRP” and then the client simply hangs up without ever connecting, the server answered but never heard back from the client; check the port forwards (and, on 10.9.0/10.9.1, the racoon fix) before suspecting credentials.
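As an added example (not from the original post), here is a small parser for vpnd.log that groups lines into sessions and reports how each one ended. The sample log is constructed for this example, modeled on the excerpt a reader posted in the comments below (vpnd’s own lines carry an ISO-style timestamp, the pppd/L2TP plugin lines a ctime-style one) plus the CHAP failure message another reader quoted; the peer addresses and the user name are made up.

```python
"""Summarize L2TP sessions from /var/log/ppp/vpnd.log.

Added example, not part of the original post. SAMPLE_LOG is constructed,
modeled on excerpts readers posted in the comments: one tunnel that never
completes (the symptom reported for clients coming in from the public
Internet), one failed login, and one normal session.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2014-11-20 23:39:53 EST Incoming call... Address given to client = 192.168.5.152
Thu Nov 20 23:39:53 2014 : Directory Services Authorization plugin initialized
Thu Nov 20 23:39:53 2014 : L2TP incoming call in progress from '203.0.113.7'...
Thu Nov 20 23:39:53 2014 : L2TP received SCCRQ
Thu Nov 20 23:39:53 2014 : L2TP sent SCCRP
2014-11-20 23:40:13 EST --> Client with address = 192.168.5.152 has hungup
2014-11-20 23:41:02 EST Incoming call... Address given to client = 192.168.5.152
Thu Nov 20 23:41:02 2014 : L2TP incoming call in progress from '192.168.5.20'...
Thu Nov 20 23:41:02 2014 : L2TP received SCCRQ
Thu Nov 20 23:41:02 2014 : L2TP sent SCCRP
Thu Nov 20 23:41:02 2014 : L2TP received SCCCN
Thu Nov 20 23:41:03 2014 : CHAP peer authentication failed for alice
2014-11-20 23:41:03 EST --> Client with address = 192.168.5.152 has hungup
2014-11-20 23:42:10 EST Incoming call... Address given to client = 192.168.5.152
Thu Nov 20 23:42:10 2014 : L2TP incoming call in progress from '192.168.5.20'...
Thu Nov 20 23:42:10 2014 : L2TP received SCCRQ
Thu Nov 20 23:42:10 2014 : L2TP sent SCCRP
Thu Nov 20 23:42:10 2014 : L2TP received SCCCN
2014-11-20 23:55:40 EST --> Client with address = 192.168.5.152 has hungup
"""

# vpnd lines: "2014-11-20 23:39:53 EST message"; pppd lines: "Thu Nov 20 23:39:53 2014 : message"
VPND_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (.*)$")
PPPD_LINE = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (.*)$")


def parse_line(line):
    """Return (timestamp, message) for either line style, or None for noise."""
    m = VPND_LINE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
    m = PPPD_LINE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"), m.group(2)
    return None


def classify(s):
    """Explain how a session ended, in the order a troubleshooter should check."""
    if s["auth_failed"]:
        return f"authentication failed for {s['auth_failed']}"
    if s["sccrp_sent"] and not s["scccn_received"]:
        # We answered the client's SCCRQ but its SCCCN never arrived, so our
        # reply is not getting back: check UDP 500/1701/4500 forwarding and
        # the NAT-T (racoon) fix before blaming credentials.
        return "tunnel never completed: SCCRP sent, no SCCCN (NAT/port forwarding?)"
    if s["end"] is None:
        return "still connected"
    return "ok"


def sessions(log_text):
    """Group log lines into sessions ("Incoming call" ... "has hungup")."""
    result, cur = [], None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, msg = parsed
        if msg.startswith("Incoming call"):
            cur = {"start": ts, "peer": None, "sccrp_sent": False,
                   "scccn_received": False, "auth_failed": None, "end": None}
            result.append(cur)
        elif cur is None:
            continue
        elif "L2TP incoming call in progress from" in msg:
            m = re.search(r"from '([^']*)'", msg)
            cur["peer"] = m.group(1) if m else None
        elif msg.endswith("sent SCCRP"):
            cur["sccrp_sent"] = True
        elif msg.endswith("received SCCCN"):
            cur["scccn_received"] = True
        elif "peer authentication failed for" in msg:
            cur["auth_failed"] = msg.rsplit(" ", 1)[-1]
        elif "has hungup" in msg:
            cur["end"] = ts
            cur = None
    for s in result:
        s["duration_s"] = (s["end"] - s["start"]).total_seconds() if s["end"] else None
        s["verdict"] = classify(s)
    return result


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(s["start"], s["peer"], s["duration_s"], s["verdict"])
```

Feed it the real file with `sessions(open("/var/log/ppp/vpnd.log").read())`; the first sample session reproduces the 20-second hang-up from a public address that a commenter below describes.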

## Comments

  • mindsnare (Jul 8, 2017)

    does this still work on sierra?

  • TLGeek (Nov 9, 2015)

    How do I set up users? Or do I use the ones on my Mac?

    • Amro El-Jaroudi (Nov 18, 2015)

      Just use the ones on the Mac. You can always create one VPN user with a username and password on your Mac; that way you do not have to create multiple accounts for people for the sole purpose of giving them access to VPN.

  • Seekoei (Nov 5, 2015)

    Followed your instructions on El Cap (10.11). Worked perfectly first time. (I removed the PPTP stanza from the config plist, as I only wanted to offer the more secure L2TP [to myself :-)].)

    Thanks again!

  • GT (Sep 24, 2015)

    Trying to do the same thing but using a product called iVPN http://macserve.org.uk/projects/ivpn/. My client is connecting but I’m getting a “CHAP peer authentication failed for ” connection error. Your writeup doesn’t mention setting up users, specifically network users. How do you set up the users?

  • SLG (Sep 18, 2015)

    Is there any way to set up VPN without using the Server App?

  • Amro El-Jaroudi (Aug 15, 2015)

    Here it is again with the delimiters replaced by descriptors. Replace the descriptors back with the delimiters before you type the lines in.

                        StartKey AuthenticatorPlugins EndKey
                         StartArray
                              StartString DSAuth EndString
                         EndArray
                         StartKey AuthenticatorProtocol EndKey
                         StartArray
                              StartString PAP EndString
                         EndArray

  • MrDarthman (Jul 21, 2015)

    Wow! This is really freakin’ awesome.
    Works like a charm on Snow Leopard. Fantastic!

  • Eric (May 9, 2015)

    Excellent, thanks a lot! Works like a charm on Yosemite (10.10.3).

  • Taj (Mar 10, 2015)

    Thanks for posting these instructions! I was able to configure everything and can establish a VPN connection to a server at home. However, I can only address the resources back home via IP; IP addresses cannot get resolved, and none of my resources show up in the ‘network’ panel… Wondering where the issue might lie?

    • Jon Stacey (Mar 12, 2015)

      I’ve only attempted to access directly via IP. Are you sending all traffic over the VPN? Are the client and VPN side gateways on the same subnet? That might cause some confusion that might be causing the issue. Broadcasts should traverse layer 2 like that. Having said that, I haven’t tried to access by name or look for network advertisements since I know the destination IPs by memory.

  • jack (Jan 23, 2015)

    com.apple.xpc.launchd[1]: (com.apple.ppp.l2tp[91440]) Service exited with abnormal code: 3
    I only get this error when I follow this tutorial. I am running 10.10. What does this mean?

  • chris (Dec 19, 2014)

    The problem I am having is regarding the port forwarding… I have set up the L2TP ports in my Bell Home Hub 2000 (Canadian ISP), but the traffic is not getting through. Error on iOS device: the L2TP-VPN server did not respond.

    • Jon Stacey (Dec 20, 2014)

      If the router is set up with all of the port forwarding, maybe Bell is blocking some on their end. Can the iOS device connect when it’s on the same network at home?

  • van (Nov 22, 2014)

    I have the same problem as Matt: it only authenticates the SHARED-SECRET-PHRASE, not the given username and password.

    Any idea?

  • Terri Phenn (Nov 20, 2014)

    The plist created by the Snow Leopard Server GUI is as follows:

    http://pastebin.com/mEJZm6FP

  • Terri Phenn (Nov 20, 2014)

    The configuration from Snow Leopard server is at

  • Jeff (Nov 20, 2014)

    Fantastic and dead simple to set up! Only one issue I need pointers on – I can connect my Android phone to the VPN when I point it at my server’s local IP (while on the same LAN) but it seems to time out if I try to connect from the public internet IP. Any ideas?

    2014-11-20 23:39:53 EST Incoming call… Address given to client = 192.168.5.152
    Thu Nov 20 23:39:53 2014 : Directory Services Authorization plugin initialized
    Thu Nov 20 23:39:53 2014 : publish_entry SCDSet() failed: Success!
    Thu Nov 20 23:39:53 2014 : publish_entry SCDSet() failed: Success!
    Thu Nov 20 23:39:53 2014 : publish_entry SCDSet() failed: Success!
    Thu Nov 20 23:39:53 2014 : L2TP incoming call in progress from ‘Public IP‘…
    Thu Nov 20 23:39:53 2014 : L2TP received SCCRQ
    Thu Nov 20 23:39:53 2014 : L2TP sent SCCRP
    2014-11-20 23:40:13 EST –> Client with address = 192.168.5.152 has hungup

    • viktor (Oct 20, 2015)

      same problem here

  • Jon (Nov 13, 2014)

    This was great, thanks!
    Any plans to do an update for Yosemite?

    • Jon Stacey (Nov 17, 2014)

      This should work in Yosemite as well. I didn’t have to make any changes when I upgraded from Mavericks.

  • Nick Cresswell (Nov 7, 2014)

    Thanks – got this working with my MacBook Air as client and my MacMini as the VPS server…happy days.

    Trying to configure my Samsung Galaxy S4 as a client and it needs a pre-shared key. Can’t see how to configure the VPN server to have such a key. Is this possible using Racoon on MacOS X?

    Thx, NICK

  • Lyle (Nov 1, 2014)

    Thanks for this!!! So I got L2TP to work but for some reason can’t get PPTP. I’d like to use PPTP since the port fwd for it won’t conflict with Back to My Mac. I used the com.apple.RemoteAccessServers above.

    • Amro El-Jaroudi (Aug 16, 2015)

      The only way I managed to get PPTP working was to disable encryption, which to me seemed like a very bad idea. Look for CCPEnable in the plist file and set it to zero. Also make sure you add PAP authentication (see my other comment), otherwise anyone would be able to log in with any random username and password.

  • Terri Phenn (Oct 9, 2014)

    I have the results. But, if I try to post the entire plist, it won’t accept the CAPTCHA.

  • MacDevGuy (Oct 8, 2014)

    Hey, sorry to be a noodge, but I have 10.9.5 which I assume means I don’t need any replacement config files. So what are the steps to get this going? I have been away from the command line for a bit and want to get going again.

    • Jon Stacey (Oct 9, 2014)

      MacDevGuy, you won’t need to replace racoon because Apple finally fixed the problem in 10.9.2, but you will still need to edit and add the plist configuration files to enable the service.

  • Adam (Sep 30, 2014)

    Just trying to implement this on 10.9.3 but I don’t have a file at this location:

    /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

    Any thoughts?

    • Jon Stacey (Sep 30, 2014)

      Adam, you may have to create the file using the sample provided above. Don’t forget to make your customizations to OfferedServerAddresses and DestAddressRanges.

  • Terri Phenn (Sep 13, 2014)

    Offer – I have a copy of 10.6.8 server. I could configure the VPN through Apple’s Server Admin utility GUI, then send you a copy of the config files. Would that be helpful?

    How would you like it configured? And what files should I post here?

    • Matt (Sep 16, 2014)

      Thanks for the offer – that’s great. I’m not sure what the configuration options are in Server but I just want to have the L2TP server only configured. Internal IP address range would be 192.168.1.150 – 192.168.1.151 (2 addresses).

      DNS would be 192.168.1.1.

      For the config file, not sure if there are more than what’s referenced above in the original post. At least this one:

      /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

      I appreciate the help.

  • Matt (Sep 1, 2014)

    I set everything up and it worked. The issue I have (Snow Leopard – I know – untested) is that I can log in with any account and password, even an account that doesn’t exist on the Mac. Any ideas?

    • Jon Stacey (Sep 2, 2014)

      Huh, that’s a new one. I assume L2TP, and it doesn’t ask for a shared secret? You might try man vpnd to see if there are any differences in the configuration parameters between 10.6 and 10.8+ around the authentication mechanism. Some digging would be needed. Why not upgrade?

      • Matt (Sep 3, 2014)

        Yes – L2TP. The shared secret does work. When I take that out of the connecting client I get denied access. But as long as the shared secret is in the connecting client, the server lets me in regardless of what I put as the username and password.

        I ran a man vpnd on both my Snow Leopard box and my Mavericks box. Exact same output (except Mavericks adds “vpnd(5)” to the SEE ALSO section). Both are dated 21 August 2003.

        The reason I’m not upgrading is just because the Snow Leopard machine is an old Mac mini. Would love to figure out how to make it work.

    • Morten Pedersen (Sep 25, 2014)

      I have the same issue with Lion (10.7.3): only the shared secret is checked before successful login :-/
      Also thank you so much for a great article… spent last night down the winding OpenVPN road without satisfactory results… this really was only 15 minutes, thanks! 🙂

    • Tony (Aug 13, 2015)

      I’m actually getting this same issue. I can log in with any account/pass (even a blank pass) once the shared secret is correct. Anyone figure out why this is happening?

      • Amro El-Jaroudi (Aug 15, 2015)

        I ran into the same issue and was able to resolve it by adding a few lines to the configuration file after reading the VPN2 manual. Add the following lines after line 54 (for L2TP) and after the corresponding line in the PPTP section (if you want that section).

        ```xml
        <key>AuthenticatorPlugins</key>
        <array>
        	<string>DSAuth</string>
        </array>
        <key>AuthenticatorProtocol</key>
        <array>
        	<string>PAP</string>
        </array>
        ```

        • Amro El-Jaroudi (Aug 15, 2015)

          Sorry, the HTML ate all the keys and brackets:

          ```xml
          <key>AuthenticatorPlugins</key>
          <array>
          	<string>DSAuth</string>
          </array>
          <key>AuthenticatorProtocol</key>
          <array>
          	<string>PAP</string>
          </array>
          ```

  • Spike Lightfoot (Aug 27, 2014)

    Thanks for doing this!!

  • Terri Phenn (Jul 29, 2014)

    For an all-Apple L2TP VPN configuration, might you know what the “Shared Secret” requirements are for:

    Length (minimum and maximum permitted)

    Character Set (which characters are permitted and which are not?)

    Thanks in advance for any help. I’ve been searching all over for this, and there seem to be no answers to be found.