This is a command-line tool written in Objective-C that can create VPN network configurations on your Mac.
It supports both L2TP over IPSec and Cisco IPSec.
- Mac OS Yosemite or Mavericks (I have not tested it on older versions, it might work)
- Administrator privileges (i.e. you've got to run it with sudo)
Start a Terminal and run this curl command to get the executable:
sudo bash -c "curl -L https://github.com/halo/macosvpn/releases/download/0.1.3/macosvpn > /usr/local/bin/macosvpn"
sudo chmod +x /usr/local/bin/macosvpn
You can always run macosvpn --version to see the version currently installed on your system and compare it to the latest available version on GitHub.
Creating a single L2TP over IPSec VPN Service:
sudo macosvpn create --l2tp Atlantic --endpoint atlantic.example.com --username Alice --password p4ssw0rd --shared-secret s3same
Replace --l2tp with --cisco to create a Cisco IPSec service instead. A Cisco IPSec group name can be specified with --groupname.
By default, the option "Send all traffic over VPN connection" (also known as wildcard routing) is enabled. To disable it, include the --split flag so that the VPN service is used for specific routes only. Split tunnelling may require /etc/ppp/ip-up and /etc/ppp/ip-down scripts.
The same command but shorter:
sudo macosvpn create l2tp Atlantic endpoint atlantic.example.com username Alice password p4ssw0rd shared-secret s3same
The same command even shorter:
sudo macosvpn create -l Atlantic -e atlantic.example.com -u Alice -p p4ssw0rd -s s3same
The same command as short as possible:
sudo macosvpn create -leups Atlantic atlantic.example.com Alice p4ssw0rd s3same
Similar command for a Cisco IPSec VPN:
sudo macosvpn create -c Atlantic -e atlantic.example.com -u Alice -p p4ssw0rd -g EasyVPNGroup -s s3same
Repeat the arguments to create multiple services at once (no matter which short version you use :)
sudo macosvpn create -leups Atlantic atlantic.example.com Alice p4ssw0rd s3same \
-leups Northpole northpole.example.com Bob s3cret pr1v4te
Assign default values which will be applied to every service. Say you want to create the following VPN services:
no  name       endpoint               user   password  sharedsecret
--  ---------  ---------------------  -----  --------  ------------
1   Australia  australia.example.com  Alice  p4ssw0rd  s3same
2   Island     island.example.com     Alice  p4ssw0rd  s3same
You could do that with the following command:
sudo macosvpn create --default-username Alice --default-password p4ssw0rd --default-endpoint-suffix .example.com \
--l2tp Australia --endpoint-prefix australia --shared-secret s3same \
--l2tp Island --endpoint-prefix island --shared-secret letme1n
The same command a little shorter:
sudo macosvpn create -m Alice -a p4ssw0rd -x .example.com \
-l Australia -f australia -s s3same \
-l Island -f island -s letme1n
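The defaults syntax above lends itself to generating one macosvpn invocation from a list of services. The following POSIX sh function is an added example and not part of the macosvpn project: it reads lines of "name endpoint-prefix shared-secret" (constructed sample input) from stdin, applies the shared --default-* values and refuses duplicate service names, since macosvpn would otherwise silently create a numbered copy rather than fail.

```shell
#!/bin/sh
# Build a single `macosvpn create` command for several L2TP services that
# share a username, password and endpoint suffix (the --default-* flags).
# Arguments: $1 default username, $2 default password, $3 endpoint suffix
# Stdin:     one service per line: "<name> <endpoint-prefix> <shared-secret>"
# Prints the assembled command; returns 1 on a duplicate service name.
build_macosvpn_cmd() {
  user=$1; pass=$2; suffix=$3
  cmd="sudo macosvpn create --default-username $user --default-password $pass --default-endpoint-suffix $suffix"
  seen=" "   # space-delimited list of names already used
  while read -r name prefix secret; do
    [ -z "$name" ] && continue            # skip blank lines
    case "$seen" in
      *" $name "*)
        # macosvpn would append an incremental number instead of erroring,
        # so catch the mistake before anything is written to preferences.plist
        printf 'duplicate service name: %s\n' "$name" >&2
        return 1 ;;
    esac
    seen="$seen$name "
    cmd="$cmd --l2tp $name --endpoint-prefix $prefix --shared-secret $secret"
  done
  printf '%s\n' "$cmd"
}

# Constructed sample input matching the table above; prints the command only.
printf 'Australia australia s3same\nIsland island letme1n\n' \
  | build_macosvpn_cmd Alice p4ssw0rd .example.com
```

Pipe the printed command into sh only after reviewing it; as with the commands above, the password and shared secret end up on the command line, so they are visible in process listings and shell history.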
If you feel adventurous you can find all available flags at the bottom of this file.
- If you get a warning that says "Creating Keychain item failed: write permissions error", you need to run the application with sudo.
- If you're stuck, try adding the --debug flag and see if it says something useful.
- If a VPN with the given name already exists, a new one with an incremental number is created. In the future there should be a --force option to re-create it.
Feel free to browse through the code of this application. It's pretty small and straightforward.
It all began with finding this page you probably already found. But it was not before this practical example that I actually dared to try to implement this. Then, Google led me to this page where I learned how to set the Shared Secret. The last hurdle was to get the "Send all traffic over VPN" flag, which I finally found the answer to here. Finally, I learned from over here how to add things to the System Keychain.
Useful commands for debugging:
# Show all current VPN service configurations
open /Library/Preferences/SystemConfiguration/preferences.plist
# Show all Keychain Items and their access policies
security dump-keychain -a /Library/Keychains/System.keychain
To the beautiful 3rd party libraries I was allowed to use:
MIT 2015 halo. See MIT-LICENSE.