macos-vpn-server (net/macos-vpn-server)

macOS VPN (L2TP-IPSec-PSK) Server.

Native macOS VPN Server L2TP-IPSec-PSK configuration using vpnd. This configuration is based upon macOS's VPN server prior to its deprecation in version 5.7. See `man 5 vpnd` and /Library/Preferences/SystemConfiguration/ for details.

Version: 10.14.5 License: BSD GitHub
Maintainers essandess
Categories net
Platforms darwin
Variants -

"macos-vpn-server" depends on

build (1)

Ports that depend on "macos-vpn-server"

No ports

Port notes

The macOS VPN Server's initial configuration uses installation-time network settings to provide a basic, working VPN server.

Users must reconfigure the installation for their own network specifics by editing the files:


See `man 5 vpnd` for details.

The VPN Pre-Shared Secret is stored in the System Keychain item, available within Keychain or /usr/bin/security.

Post Installation:

1. It is necessary to configure local accounts for CHAP authentication by adding ',SMB-NT,CRAM-MD5,RECOVERABLE' to the account's AuthenticationAuthority ShadowHash list of methods.

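dscl . read /Users/username AuthenticationAuthority
sudo dscl . change /Users/username AuthenticationAuthority \
  ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>" \
  ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2,SMB-NT,CRAM-MD5,RECOVERABLE>"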

The `passwd` command or re-login may be necessary to populate macOS's user shadow hash database. Note that MS-CHAPv2 is compromised, and the only secure component of this VPN is a strong random PSK.

2. The router and firewall must be configured to forward and pass UDP ports 500, 1701, and 4500.

A startup item has been generated that will aid in starting macos-vpn-server with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:

sudo port load macos-vpn-server
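
The `dscl . change` command in step 1 names the old value explicitly, so it applies only to an account whose ShadowHash entry matches it. The script below is an added example, not part of the port's notes: it derives the new value from whatever entry the account currently has and prints the command for review. The function names and the sample `dscl` output are constructed for illustration, and it assumes the entries in `dscl . read` output are separated by whitespace.

```shell
#!/bin/sh
# Added example (not from the port): build the CHAP-enabled ShadowHash entry
# from an account's current AuthenticationAuthority value.

CHAP_METHODS="SMB-NT CRAM-MD5 RECOVERABLE"   # methods named in the port notes

# shadowhash_entry: reads `dscl . read /Users/NAME AuthenticationAuthority`
# output on stdin and prints the first ShadowHash HASHLIST entry, if any.
# Assumption: entries are whitespace-separated and contain no spaces.
shadowhash_entry() {
    tr ' ' '\n' | grep '^;ShadowHash;HASHLIST:<.*>$' | head -n 1
}

# new_shadowhash ENTRY: prints ENTRY with any missing CHAP methods appended
# (unchanged if all are present). Returns 1 if ENTRY is not a HASHLIST entry.
new_shadowhash() {
    case "$1" in
        ";ShadowHash;HASHLIST:<"*">") ;;
        *) return 1 ;;
    esac
    list=${1#";ShadowHash;HASHLIST:<"}
    list=${list%">"}
    for m in $CHAP_METHODS; do
        case ",$list," in
            *",$m,"*) ;;                      # method already enabled
            *) list="${list:+$list,}$m" ;;    # append the missing method
        esac
    done
    printf ';ShadowHash;HASHLIST:<%s>\n' "$list"
}

# Constructed sample output; on a real system pipe in
#   dscl . read /Users/username AuthenticationAuthority
SAMPLE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2,SMB-NT> ;Kerberosv5;;username@LKDC:SHA1.EXAMPLE;LKDC:SHA1.EXAMPLE;'

old=$(printf '%s\n' "$SAMPLE" | shadowhash_entry)
if [ -z "$old" ]; then
    echo "no ShadowHash HASHLIST entry found" >&2
elif new=$(new_shadowhash "$old") && [ "$old" != "$new" ]; then
    # Print rather than run, so the exact change can be reviewed first.
    printf 'sudo dscl . change /Users/username AuthenticationAuthority "%s" "%s"\n' \
        "$old" "$new"
else
    echo "CHAP methods already present; nothing to change"
fi
```

Because the methods are appended only when missing, running it again against an already-updated account reports that nothing needs to change.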
