macos-vpn-server (net/macos-vpn-server)

macOS VPN (L2TP-IPSec-PSK) Server.

Native macOS VPN Server L2TP-IPSec-PSK configuration using vpnd. This configuration is based upon macOS Server.app's VPN server prior to its deprecation in Server.app version 5.7. See `man 5 vpnd` and /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist for details.

Version: 10.14.5
License: BSD
Maintainers: essandess
Categories: net
Homepage: https://opensource.apple.com/source/ppp/ppp-838/Helpers/vpnd/vpnd.5.auto.html
Platforms: darwin any
Variants: -

"macos-vpn-server" depends on

build (1)

Ports that depend on "macos-vpn-server"

No ports


Port notes

The macOS VPN Server's initial configuration uses installation-time network settings to provide a basic, working VPN server.

Users must reconfigure the installation for their own network specifics by editing the files:

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

See `man 5 vpnd` for details.

The VPN Pre-Shared Secret is stored in the System Keychain item com.apple.net.racoon, available within Keychain Access.app or /usr/bin/security.

Post Installation:

1. It is necessary to configure local accounts for CHAP authentication by adding ',SMB-NT,CRAM-MD5,RECOVERABLE' to the account's AuthenticationAuthority ShadowHash list of methods.

dscl . read /Users/username AuthenticationAuthority
sudo dscl . change /Users/username AuthenticationAuthority \
";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>" \
";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2,SMB-NT,CRAM-MD5,RECOVERABLE>"
passwd

The `passwd` command or re-login may be necessary to populate macOS's user shadow hash database. Note that MS-CHAPv2 is compromised, and the only secure component of this VPN is a strong random PSK.

2. The router and firewall must be configured to forward and pass UDP ports 500, 1701, and 4500. A startup item has been generated that will aid in starting macos-vpn-server with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:

sudo port load macos-vpn-server
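The AuthenticationAuthority edit in step 1 is easy to get wrong by hand: the old value must match exactly, and the change should not be applied twice. As an added example (not part of the macos-vpn-server port or its notes; function names are hypothetical), the following POSIX shell helper parses the value that `dscl . read` prints, checks whether the ShadowHash HASHLIST already carries the three CHAP methods, and builds the matching `dscl . change` command for review instead of running it. The sample `dscl` output is constructed.

```shell
#!/bin/sh
# Added example, not part of the macos-vpn-server port. Function names are
# hypothetical. It inspects an AuthenticationAuthority value as printed by
# `dscl . read /Users/<user> AuthenticationAuthority` and prepares the
# ShadowHash HASHLIST change from the port notes. Nothing here touches the
# directory: the `dscl . change` command is only printed for an operator.

# The methods the port notes require for CHAP authentication.
CHAP_METHODS="SMB-NT,CRAM-MD5,RECOVERABLE"

# Constructed sample of `dscl . read` output (not real account data):
# the ShadowHash entry carries only the default macOS hash methods.
SAMPLE_AUTHAUTH='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;SecureToken'

# Print the ";ShadowHash;HASHLIST:<...>" entry from a full
# AuthenticationAuthority value. dscl prints the entries space-separated
# after the attribute name, and ShadowHash entries contain no spaces.
shadowhash_entry() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep '^;ShadowHash;HASHLIST:<' | head -n 1
}

# Print the comma-separated method list inside the angle brackets.
hashlist_of() {
    printf '%s\n' "$1" | sed -n 's/^;ShadowHash;HASHLIST:<\(.*\)>$/\1/p'
}

# Succeed only if every CHAP method is already in the list, so the change
# is skipped on accounts that were configured earlier.
has_chap_methods() {
    padded=",$1,"
    for m in SMB-NT CRAM-MD5 RECOVERABLE; do
        case "$padded" in
            *",$m,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the ShadowHash entry with the CHAP methods appended, or unchanged
# if they are already present. Fails when the value has no ShadowHash entry
# (an account without a local shadow hash cannot do CHAP at all).
updated_entry() {
    entry=$(shadowhash_entry "$1")
    [ -n "$entry" ] || return 1
    list=$(hashlist_of "$entry")
    if has_chap_methods "$list"; then
        printf '%s\n' "$entry"
    else
        printf ';ShadowHash;HASHLIST:<%s,%s>\n' "$list" "$CHAP_METHODS"
    fi
}

# Print the `dscl . change` command for the account; an operator reviews
# and runs it. The entries are single-quoted because they contain < and >.
dscl_change_command() {
    user=$1
    old=$(shadowhash_entry "$2")
    [ -n "$old" ] || return 1
    new=$(updated_entry "$2") || return 1
    if [ "$old" = "$new" ]; then
        printf '# %s already has the CHAP methods; nothing to change\n' "$user"
    else
        printf "sudo dscl . change /Users/%s AuthenticationAuthority '%s' '%s'\n" "$user" "$old" "$new"
    fi
}

# Demonstration on the constructed sample.
dscl_change_command username "$SAMPLE_AUTHAUTH"
```

In practice the second argument comes from `dscl . read /Users/username AuthenticationAuthority`; running the printed command is still a manual step, and `passwd` or a re-login is still needed afterwards, as the note above states.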



Installations (30 days): 2

Requested Installations (30 days): 1