Set-up an OpenVPN Server on your Mac

[22/05/2015: The content of this post is very very very out of date.]
[17/08/2020: Kext-deprecation note and comment added]

Due to deprecation of kernel extensions in MacOS (10.12 and newer) OpenVPN seems to be defunct on macOS (at least for private servers), please see my comment. I sincerely hope the TunnelBlick development team will take the time and effort to rebuild the client to use the new KPIs in macOS Big Sur, but latest response suggest they have no interest to do so :(


An OpenVPN Client is easy, just download Tunnelblick. But to connect to your own Mac or maybe a server you own or are the maintainer for at work, you will need an OpenVPN Server set-up. This is how you do it.

IMPORTANT NOTE: Jon Bullard (developer of TunnelBlick) has commented that with recent (beta) versions, much of this article is no longer needed. Please read his comment on the bottom of the article before doing all this :)

1. Install TunTap;

Download and install the package. This will allow your system to create virtual network devices. After install open the Terminal and type

Shell commandsudo kextload /Library/Extensions/tun.kext
sudo kextload /Library/Extensions/tap.kext

2. Install XCODE if you haven’t already.

3. Install MacPorts if you haven’t already (http://macports.org)

4. Install openvpn

Shell commandsudo port install openvpn2

5. Switch to SuperUser mode. Be careful here, you can ruin a lot.

Shell commandsudo -s

6. Duplicate the installed files to a more common and safe-from-overwrite location.

Shell commandcp -r /opt/local/share/doc/openvpn2 /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0

7. Edit the bottom 8 or so lines (of the vars file) to match your setup

Shell commandnano vars

8. Initialize the PKI (Public Key Infrastructure)

Shell-Script. ./vars
./clean-all
./build-ca

9. Now build a server-key

Shell command./build-key-server server

10. And create a key for your first client

Shell command./build-key pinocchio

Ofcourse, pinocchio is a sample username.

11. Create some other file I don’t know what it does but apparently is needed (Diffie Hellman parameters);

Shell command./build-dh

Certificates are created in the subfolder keys (full path /etc/openvpn/easy-rsa/2.0/keys)

12. Copy the files ca.crt, pinnochio.key and pinnochio.crt to a USB stick or very securely to the client machine. We’ll get to those in a different post.

13. Configure the server. Copy the server configuration file to a suitable location.

Shell commandcp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/

14 Edit the configuration.

Shell commandnano /etc/openvpn/server.conf

Change the line

;local a.b.c.d
if you want to specify a certain IP-address the VPN server must respond to. Useful if you have multiple IP-addresses on your server and only a few are allowed to be used for VPN.

Change the lines

Editor contentca ca.crt
cert server.crt
key server.key
to match your set-up;
Editor contentca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key

And change the line

Editor contentdh dh1024.pem
to 
Editor contentdh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

Change the lines 

Editor content;user nobody
;group nobody
to 
Editor contentuser nobody
group nobody

And finally, if you want to allow VPN-connected machines to see each other, change the line

Editor content;client-to-client
to
Editor contentclient-to-client

15. Last step; making the server run on boot;

Shell commandcat > /Library/LaunchDaemons/org.openvpn.plist

and copy/past this into the terminal;

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.openvpn</string>
<key>OnDemand</key>
<false/>
<key>Program</key>
<string>/opt/local/sbin/openvpn2</string>
<key>ProgramArguments</key>
<array>
<string>openvpn</string>
<string>--config</string>
<string>/etc/openvpn/server.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>TimeOut</key>
<integer>90</integer>
<key>WorkingDirectory</key>
<string>/etc/openvpn</string>
</dict>
</plist>

Terminate input with CTRL+D

16. Fire up the server

Shell commandlaunchctl load -w /Library/LaunchDaemons/org.openvpn.plist

17. Exit Super User mode

Shell commandexit

next post; setting up the client machine.

Author: Remon Pel

WebDeveloper though not WebDesigner

9 thoughts on “Set-up an OpenVPN Server on your Mac”

  1. I’m the Tunnelblick developer. Thanks for this article — it is an easy step-by-step guide.

    However, recent beta versions of Tunnelblick make much of this unnecessary.

    Steps 1-5 can be skipped, because Tunnelblick includes tun/tap drivers and easy-rsa. (easy-rsa is accessed via the “Utilities” tab in Tunnelblick’s “VPN Details…” window.)

    In step 14, I recommend leaving “;user nobody” and “;group nobody” lines intact. They can (even when using the “openvpn-down-root” plugin) cause problems if transmission errors make it necessary for OpenVPN to restart a connection to the server and routing is done by OpenVPN (which is often the case).

    Instead of steps 15-17, just set up Tunnelblick to start the configuration “When computer starts”. (Note that it must be a shared configuration, and that shared configurations must be “Tunnelblick VPN Configurations”, which package together the configuration file and key and certificate files. See Creating and Installing a Tunnelblick VPN Configuration for details.

    1. Sorry, no.

      Why not, you ask?

      Well, since macOS 10.13 (or was it 12?) the use of kernel extensions (.kext) is discouraged, and in 10.15, due to all the warnings, nearly unusable. TunnelBlick (the openVPN client for Mac) is still using kexts to create a tunnel. Apple said that “future OS releases will no longer load system extensions that use deprecated KPIs”, and when asked (by me) “The message about this deprecation has been present for 3 versions of macOS now. Why is TunnelBlick still using deprecated KPIs?”, the answer of one of the maintainers was “The main reason is that nobody involved in Tunnelblick’s development has been interested in doing the work to use Apple’s replacement mechanism.”. In other words; TunnelBlick will stop functioning party or completely in macOS Big Sur (macOS 11). And seeing TunnelBlick really was the only OpenVPN client not limited to a specific service, there really is no future for OpenVPN (with private servers) on macOS.

      The OpenVPN server (as described above) uses two kernel extensions that no longer exist in macOS 10.15 (at least) and if they were available, they will no longer load in Big Sur anyways.

      “But is there nothing we can do about this?”

      No, yes, no… You CAN load kexts in Big Sur but only if you disable SIP. In other words; you will need to make your system INSECURE to use a secure tunnel … That said, this will not restore the tun.kext and tap.kext files needed to run the server, you could copy them from an old installation, but you will probably run in to version-mismatch for libraries.

      “So what is the next step?”

      Use WireGuard!
      I haven’t tested it as I use a RaspberryPi as WireGuard server (PiVPN.io) but it looks like running a wireguard server on macOS is possible; https://barrowclift.me/post/wireguard-server-on-macos https://www.reddit.com/r/WireGuard/comments/c1lczj/anyway_of_installing_wireguard_on_a_mac_as_a/

      Remon.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Confidental Infomation
stop spam mail