[22/05/2015: The content of this post is very very very out of date.]
[17/08/2020: Kext-deprecation note and comment added]
Due to the deprecation of kernel extensions in macOS (10.12 and newer), OpenVPN seems to be defunct on macOS (at least for private servers); please see my comment. I sincerely hope the Tunnelblick development team will take the time and effort to rebuild the client to use the new KPIs in macOS Big Sur, but their latest response suggests they have no interest in doing so :(
An OpenVPN client is easy: just download Tunnelblick. But to connect to your own Mac, or to a server you own or maintain at work, you will need an OpenVPN server set up. This is how you do it.
IMPORTANT NOTE: Jon Bullard (developer of Tunnelblick) has commented that with recent (beta) versions, much of this article is no longer needed. Please read his comment at the bottom of the article before doing all this :)
1. Install TunTap.
Download and install the package. This allows your system to create virtual network devices. After installing, open the Terminal and type
sudo kextload /Library/Extensions/tun.kext
sudo kextload /Library/Extensions/tap.kext
2. Install Xcode if you haven’t already.
3. Install MacPorts if you haven’t already (http://macports.org).
4. Install OpenVPN.
sudo port install openvpn2
5. Switch to superuser mode. Be careful here; you can ruin a lot.
6. Copy the installed files to a more common location that is safe from being overwritten.
cp -r /opt/local/share/doc/openvpn2 /etc/openvpn
7. Edit the bottom 8 or so lines of the vars file to match your setup.
8. Initialize the PKI (Public Key Infrastructure)
9. Now build a server key.
10. And create a key for your first client
Of course, pinocchio is a sample username.
11. Generate the Diffie-Hellman parameters file, which the server needs for its TLS key exchange:
Certificates are created in the keys subfolder (full path /etc/openvpn/easy-rsa/2.0/keys).
12. Copy the files ca.crt, pinocchio.key and pinocchio.crt to a USB stick or otherwise very securely to the client machine. We’ll get to those in a different post.
13. Configure the server. Copy the server configuration file to a suitable location.
cp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/
14. Edit the configuration.
Change the line
Change the lines
And change the line
Change the lines
And finally, if you want to allow VPN-connected machines to see each other, change the line
15. Last step: make the server run on boot.
cat > /Library/LaunchDaemons/org.openvpn.plist
and copy/paste this into the terminal:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
Terminate input with CTRL+D
16. Fire up the server
launchctl load -w /Library/LaunchDaemons/org.openvpn.plist
17. Exit Super User mode
Next post: setting up the client machine.
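As an added example (not code from the original post), here is a small audit script for the server set-up described in steps 11 to 14: it checks that the CA certificate, server certificate, server key and Diffie-Hellman file referenced in server.conf exist, that the private key is not group- or world-readable, and whether the tls-auth HMAC option mentioned in the Tunnelblick developer's comment is enabled. Directive names are OpenVPN's own; the file layout and the sample config at the bottom are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf for
# what the article's steps 11-14 set up (CA/cert/key/DH files, config edits) and
# the tls-auth option from the Tunnelblick developer's comment. Directive names
# are OpenVPN's own; the sample config at the bottom is constructed.

# Value of the first uncommented occurrence of a directive; "on" for a
# directive that takes no argument; empty when the directive is absent.
ovpn_get() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, "");
                             print ($0 == "" ? "on" : $0); exit }' "$1"
}
# Mode string such as "-rw-------" (ls, because find -perm differs between BSD and GNU)
ovpn_mode() { ls -ld "$1" | cut -c1-10; }

# Audit one config file. Prints findings and returns their count (0 = clean).
ovpn_audit() {
    cfg="$1"; dir=$(dirname "$cfg"); n=0
    # tls-auth adds an HMAC check on control-channel packets; its absence is a finding
    [ -n "$(ovpn_get "$cfg" tls-auth)" ] || { echo "WARN: no tls-auth directive"; n=$((n+1)); }
    # CA cert, server cert, server key and DH parameters must exist. Relative paths
    # are resolved against the config's directory here (OpenVPN uses its working
    # directory or the 'cd' directive), so keep the files beside server.conf.
    for d in ca cert key dh; do
        f=$(ovpn_get "$cfg" "$d")
        case "$f" in
            "") echo "WARN: no '$d' directive"; n=$((n+1)); continue ;;
            /*) ;;
            *)  f="$dir/$f" ;;
        esac
        if [ ! -f "$f" ]; then echo "WARN: $d file $f is missing"; n=$((n+1)); continue; fi
        # The server's private key must not be readable by group or others
        if [ "$d" = key ]; then
            case "$(ovpn_mode "$f")" in
                ????r?????|???????r??) echo "WARN: $f is readable by group/others"; n=$((n+1)) ;;
            esac
        fi
    done
    # Not a defect, but worth knowing: client-to-client lets VPN peers reach each other
    [ -n "$(ovpn_get "$cfg" client-to-client)" ] && echo "INFO: client-to-client is enabled"
    return "$n"
}

# Demo on a constructed config in a temporary directory (removed afterwards)
demo=$(mktemp -d)
printf 'dev tun\nca ca.crt\ncert server.crt\nkey server.key\ndh dh2048.pem\n' > "$demo/server.conf"
for f in ca.crt server.crt server.key dh2048.pem; do : > "$demo/$f"; done
chmod 644 "$demo/server.key"                    # deliberately too permissive
ovpn_audit "$demo/server.conf" || echo "$? finding(s)"
rm -rf "$demo"
```

Run it against /etc/openvpn/server.conf after step 14; a non-zero exit status means at least one finding was printed.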
9 thoughts on “Set-up an OpenVPN Server on your Mac”
I’m the Tunnelblick developer. Thanks for this article — it is an easy step-by-step guide.
However, recent beta versions of Tunnelblick make much of this unnecessary.
Steps 1-5 can be skipped, because Tunnelblick includes tun/tap drivers and easy-rsa. (easy-rsa is accessed via the “Utilities” tab in Tunnelblick’s “VPN Details…” window.)
In step 14, I recommend leaving “;user nobody” and “;group nobody” lines intact. They can (even when using the “openvpn-down-root” plugin) cause problems if transmission errors make it necessary for OpenVPN to restart a connection to the server and routing is done by OpenVPN (which is often the case).
Instead of steps 15-17, just set up Tunnelblick to start the configuration “When computer starts”. (Note that it must be a shared configuration, and that shared configurations must be “Tunnelblick VPN Configurations”, which package together the configuration file and key and certificate files. See Creating and Installing a Tunnelblick VPN Configuration for details.)
Thank you very much for keeping me informed. I will update the article when I find the time.
Thanks for the link-back! @Everyone; this is a great post by Astojanov about traffic routing with OpenVPN
What’s Going down, I’m new to this, I stumbled upon this I’ve discovered
It positively useful and it has helped me out loads. I’m hoping to give a contribution & assist other customers like its aided me.
I’ve added the Generating an HMAC Signature page to the Tunnelblick documentation that describes how to use a copy of OpenVPN included in Tunnelblick to generate an HMAC signature for use with OpenVPN’s “tls-auth” option for additional security.
Good article. I definitely appreciate this site. Thanks!
Can you update this for 2020 please?
Why not, you ask?
Well, since macOS 10.13 (or was it 12?) the use of kernel extensions (.kext) is discouraged, and in 10.15, due to all the warnings, nearly unusable. TunnelBlick (the openVPN client for Mac) is still using kexts to create a tunnel. Apple said that “future OS releases will no longer load system extensions that use deprecated KPIs”, and when asked (by me) “The message about this deprecation has been present for 3 versions of macOS now. Why is TunnelBlick still using deprecated KPIs?”, the answer of one of the maintainers was “The main reason is that nobody involved in Tunnelblick’s development has been interested in doing the work to use Apple’s replacement mechanism.”. In other words; TunnelBlick will stop functioning partly or completely in macOS Big Sur (macOS 11). And seeing TunnelBlick really was the only OpenVPN client not limited to a specific service, there really is no future for OpenVPN (with private servers) on macOS.
The OpenVPN server (as described above) uses two kernel extensions that no longer exist in macOS 10.15 (at least) and if they were available, they will no longer load in Big Sur anyways.
“But is there nothing we can do about this?”
No, yes, no… You CAN load kexts in Big Sur but only if you disable SIP. In other words; you will need to make your system INSECURE to use a secure tunnel … That said, this will not restore the tun.kext and tap.kext files needed to run the server, you could copy them from an old installation, but you will probably run into version-mismatch for libraries.
“So what is the next step?”
I haven’t tested it as I use a RaspberryPi as WireGuard server (PiVPN.io) but it looks like running a wireguard server on macOS is possible; https://barrowclift.me/post/wireguard-server-on-macos https://www.reddit.com/r/WireGuard/comments/c1lczj/anyway_of_installing_wireguard_on_a_mac_as_a/