What you will achieve
Configure macOS built-in VPN (L2TP, IKEv2, Cisco IPSec where supported) or import profiles from your provider.
macOS includes IKEv2, L2TP, and Cisco IPSec VPN types in System Settings, so many enterprise profiles work without third-party clients. Personal WireGuard or OpenVPN usually needs a separate app. The built-in VPN integrates with the keychain and with on-demand rules when profiles allow.
1) Add a VPN configuration
- System Settings → VPN (or Network → VPN on older macOS).
- Click Add VPN Configuration and choose the type your provider specifies; IKEv2 is preferred for modern setups.
- Enter server, remote ID, username/password or certificate.
2) IKEv2 example fields
- Server address: hostname from IT or the VPN vendor.
- Remote ID: often the same as the server, or a specific identity string.
- Local ID: usually your username, or left blank.
- Enable Use certificate if IT issued a .p12 profile.
3) Connect and test
- Toggle the VPN on from the menu bar or System Settings.
- Visit an IP-check site to confirm egress location.
- Test internal resources (file servers, intranet) required for work.
4) Third-party clients
OpenVPN and WireGuard often need apps such as Tunnelblick, OpenVPN Connect, or vendor clients (Nord, Mullvad). The macOS built-in client does not cover all protocols.
5) Split tunnel and DNS leaks
Enterprise profiles may route all traffic through the tunnel. If DNS leaks, ask IT for a profile with the correct DNS search domains. Personal VPNs usually handle this in their app.
6) Import configuration profiles
IT often emails a .mobileconfig file; double-click it to install under Device Management or Profiles. Profiles can include VPN, Wi‑Fi, and certificate trust in one payload. Remove obsolete profiles before adding conflicting VPN types.
7) On-demand vs always-on
IKEv2 supports Connect On Demand with exclusions for trusted SSIDs; configure it in the profile or the third-party app. Split tunnel routes only corporate subnets; full tunnel sends all traffic through HQ and slows video calls.
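Because a single emailed profile can carry VPN settings, on-demand rules, and certificate trust together (sections 6 and 7), it is worth listing what it contains before double-clicking it. The following is an added example, not part of the original guide: a short Python audit of an unsigned .mobileconfig, run here against a constructed sample profile whose hostname and SSID are placeholders.

```python
import plistlib

# Constructed sample profile (unsigned); hostname and SSID are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key><dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>RemoteIdentifier</key><string>vpn.example.com</string>
        <key>OnDemandEnabled</key><integer>1</integer>
        <key>OnDemandRules</key><array>
          <dict><key>Action</key><string>Disconnect</string>
                <key>SSIDMatch</key><array><string>CorpOffice</string></array></dict>
          <dict><key>Action</key><string>Connect</string></dict>
        </array>
      </dict>
    </dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
          <key>SSID_STR</key><string>CorpOffice</string></dict>
  </array>
</dict></plist>"""

def audit_profile(data: bytes) -> list[str]:
    """Summarise what an unsigned .mobileconfig would install."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        ptype = p.get("PayloadType", "?")
        if ptype == "com.apple.vpn.managed":
            ike = p.get("IKEv2", {})
            findings.append(f"VPN {p.get('VPNType')} -> {ike.get('RemoteAddress')} "
                            f"(remote ID {ike.get('RemoteIdentifier')})")
            if ike.get("OnDemandEnabled"):
                for r in ike.get("OnDemandRules", []):  # rules are evaluated in order
                    where = ",".join(r.get("SSIDMatch", [])) or "any network"
                    findings.append(f"on-demand: {r.get('Action')} on {where}")
        elif ptype in ("com.apple.security.root", "com.apple.security.pkcs12"):
            findings.append(f"REVIEW: certificate payload {ptype}")
        else:
            findings.append(f"other payload: {ptype}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before `plistlib` can read it. Any certificate payload flagged here should be confirmed with IT, since a trusted root affects all TLS validation on the Mac, not just the VPN.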
8) Sleep and reconnect
Mac sleep sometimes drops the IPsec tunnel; enable Wake for network access in Battery if you need a persistent VPN to a home lab. If the VPN connects but DNS fails, add internal DNS servers in the VPN interface's Advanced settings.
Verify
The VPN connects without error; the public IP changes; work resources are reachable; disconnecting restores normal browsing.
Additional troubleshooting notes
If the steps above do not resolve the issue on the first attempt, reboot once, confirm System Settings → General → Software Update is current, and retry with a second administrator account to rule out profile or keychain corruption in your daily user. Document the exact error text from Console.app with its timestamp; a vague “it still fails” without logs wastes support time. On Apple Silicon, re-test after a full shutdown (not just a restart) because firmware and Thunderbolt controllers reset only on cold boot. On Intel Macs, repeat the test in Safe Mode to bypass third-party login items. Before an erase or keychain reset, verify that a Time Machine or clone backup completed. These guides assume Monterey/Ventura/Sonoma/Sequoia paths in System Settings; search Spotlight for renamed panes if your macOS version labels them slightly differently.