🔧 Create macOS VPNs programmatically (L2TP & Cisco)


halo/macosvpn


Create Mac OS VPNs programmatically

This is a command-line tool written in Swift that can create VPN network configurations on your Mac.

It supports L2TP over IPSec and Cisco IPSec. Integration tests are run as a GitHub Action to ensure it's working properly.

This open-source code is actively maintained. Should you like to motivate me, you may click on the ✭ in the top-right corner.


Requirements

macOS 10.10 or higher

Note that the installation via Homebrew could fail on previous operating systems, such as High Sierra. In that case, please browse the releases section to find an earlier build for your operating system.

Administrator privileges

I.e. you have to run it with sudo. The passwords of VPN services are exclusively stored in the System Keychain. Only sudo or a HelperTool can write to the System Keychain. I don't want you to have to deal with the complexity a HelperTool can entail, so we simply use sudo.

Installation

If you have Homebrew installed, you can simply start a Terminal and run:

# To see which version is installed via homebrew, have a look at:
# https://github.com/Homebrew/homebrew-core/search?q=macosvpn&type=Issues
brew install macosvpn

If not, you can run this curl command to get the compiled executable from GitHub:

# Make sure first that the directory /usr/local/bin exists
sudo sh -c "curl -L https://github.com/halo/macosvpn/releases/download/1.0.0/macosvpn > /usr/local/bin/macosvpn"
sudo chmod +x /usr/local/bin/macosvpn

As of macOS Catalina you may once have to "accept" that this executable is considered "safe":

xattr -d com.apple.quarantine /usr/local/bin/macosvpn

If that freaks you out (it should), you can compile it yourself if you have a recent Xcode version installed:

git clone https://github.com/halo/macosvpn.git
cd macosvpn
bin/build

You can always run macosvpn --version to see the version currently installed on your system and compare it to the latest available version on GitHub.

Usage

Creating a single L2TP over IPSec VPN Service:

sudo macosvpn create --l2tp Atlantic --endpoint example.com --username Alice \
                     --password p4ssw0rd --sharedsecret s3same

  • Replace --l2tp with --cisco to create a Cisco IPSec instead.
  • Groupnames can be specified with --groupname.
  • Add --force to overwrite an existing VPN with the same name.

By default, L2TP is created with the "Send all traffic over VPN connection" option, also known as wildcard routing. You can add the --split flag to not force all traffic over VPN.

The same command shorter (try out --help to see all available arguments):

sudo macosvpn create -l Atlantic -e example.com -u Alice -p p4ssw0rd -s s3same

With L2TP you can

  • add --split to not force all traffic over VPN.
  • add --disconnectswitch to disconnect when switching user accounts.
  • add --disconnectlogout to disconnect when user logs out.

Creating multiple VPNs at once

Repeat the arguments to create multiple Services at once.

sudo macosvpn create -c Atlantic -e atlantic.example.com -u Alice -p p4ssw0rd \
                     -l Pacific -e pacific.example.com -u Bob -p s3same

Deleting VPN services

sudo macosvpn delete --name MyVPN
sudo macosvpn delete -n AnotherOne -n ThisOneToo
sudo macosvpn delete --all # Careful!

Troubleshooting

  • If you're stuck, try to add the --debug flag and see if it says something useful.

Limitations

  • It is not possible to add so-called "configurations" for L2TP. See this issue.

Development

The master branch is always edge and may not be ready for production.

There are XCTest unit tests and integration tests that are run using Ruby. Simply look at bin/test to see how to run the tests on your Mac.

Useful commands for debugging:

# Show all current VPN service configurations
open /Library/Preferences/SystemConfiguration/preferences.plist
# Show all Keychain Items and their access policies
security dump-keychain -a /Library/Keychains/System.keychain

History and credits

Feel free to browse through the code of this application. It's pretty small and straight-forward.

It all began with finding this page you probably already found. But it was not before this practical example that I actually dared to try to implement this. Then, Google led me to this page where I learned how to set the Shared Secret. The last hurdle was to get the "Send all traffic over VPN" flag, which I finally found the answer to here. Finally, I learned from over here how to add things to the System Keychain.

Special thanks

Thank you for reporting bugs. And thanks to all keen contributors.

Also thanks to "The Eskimo!", whenever I'm deep down in the undocumented macOS VPN stack, I end up finding random forum posts by this remarkably helpful Apple engineer.

These are 3rd-party libraries, which were kindly released under the MIT license:

License

MIT 2014-2020 halo. See LICENSE.md.

