VPN router setup differs a lot based on your router’s firmware, which is why we don’t have a one-size-fits-all tutorial. You could, however, try setting up a virtual router on your laptop and connecting your Roku and iPad to that, which should route everything through the VPN that your laptop is connected to.
VPN router setup options
You basically have three different options if you want to use a VPN on a router:
- Get a pre-configured VPN router. This is an ideal solution that minimizes hassle.
Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.
For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.
Supported Phase 1 and 2 Settings
For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.
If Diffie-Hellman Group 14 is selected in the Phase 1 settings:
- Phase 1 Authentication — MD5, SHA1, SHA2-256, SHA2-512
- Phase 1 Encryption — AES256
- Phase 2 Authentication — MD5, SHA1
- Phase 2 Encryption — 3DES, AES128, AES256
- Perfect Forward Secrecy — No
If Diffie-Hellman Group 2 is selected in the Phase 1 settings:
- Phase 1 Authentication — MD5, SHA1
- Phase 1 Encryption — DES, 3DES, AES128, AES256
- Phase 2 Authentication — SHA1, MD5
- Phase 2 Encryption — 3DES, AES128, AES256
- Phase 2 PFS — No
For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.
- Diffie-Hellman Group 2
- Phase 1 Authentication — MD5, SHA1
- Phase 1 Encryption — DES, 3DES, AES128, AES256
- Phase 2 Authentication — MD5, SHA1
- Phase 2 Encryption — 3DES, AES128, AES256
- Phase 2 PFS — No
Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.
Configure the Firebox
Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.
To configure the Firebox, from Fireware Web UI:
- (Fireware v12.3 or higher) Select VPN > Mobile VPN.
- In the IPSec section, select Configure.
The Mobile VPN with IPSec page appears.
- (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
- Click Add.
The Mobile VPN with IPSec Settings page appears.
- In the Name text box, type the name of the authentication group your macOS or iOS VPN users belong to.
You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.
- From the Authentication Server drop-down list, select an authentication server.
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
- Type and confirm the Passphrase to use for this tunnel.
- In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
- Select the IPSec Tunnel tab.
The IPSec Tunnel settings appear.
- Select Use the passphrase of the end user profile as the pre-shared key.
This is the default setting.
- From the Authentication drop-down list, select an authentication method.
- From the Encryption drop-down list, select an encryption method.
- In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings appear.
- Set the SA Life to 1 hour.
The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.
To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.
- From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
Tip! Only Diffie-Hellman Groups 2 and 14 are supported.
- Do not change any of the other Phase 1 advanced settings.
- Click OK.
- In the Phase 2 Settings section, clear the PFS check box.
- In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced settings appear.
- From the Authentication drop-down list, select SHA1.
SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
- From the Encryption drop-down list, select an encryption method.
- In the Force Key Expiration settings, set the expiration Time to 1 hour.
- In the Force Key Expiration settings, clear the Traffic check box.
- Click OK.
- Select the Resources tab.
- Select the Allow All Traffic Through Tunnel check box.
This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
- In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.
The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
- Select the Advanced tab.
- (Fireware v12.2.1 or higher) Configure the DNS settings:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.
You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.
- Click Save.
Make sure that you add all VPN users to the authentication group you selected.
For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
To configure the Firebox, from Policy Manager:
First, use the Mobile VPN with IPSec Wizard to configure the basic settings:
- Select VPN > Mobile VPN > IPSec.
The Mobile VPN with IPSec Configuration dialog box appears.
- Click Add.
The Add Mobile VPN with IPSec Wizard appears.
- Click Next.
The Select a user authentication server page appears.
- From the Authentication Server drop-down list, select an authentication server.
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.
- In the Group Name text box, type the name of the authentication group your macOS or iOS device users belong to.
You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
- Click Next.
The Select a tunnel authentication method page appears.
- Select Use this passphrase. Type and confirm the passphrase.
- Click Next.
The Direct the flow of Internet traffic page appears.
- Select Yes, force all Internet traffic to flow through the tunnel.
This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
- Click Next.
The Identify the resources accessible through the tunnel page appears.
For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.
- Click Next.
The Create the virtual IP address pool page appears.
- To add one IP address or an IP address range, click Add.
To add more virtual IP addresses, repeat this step.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.
The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.
- Click Next.
- To add users to the new Mobile VPN with IPSec group, select the Add users check box.
- Click Finish.
The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.
Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.
- In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
- Click Edit.
The Edit Mobile VPN with IPSec dialog box appears.
- Select the IPsec Tunnel tab.
- From the Authentication drop-down list, select an authentication method.
- From the Encryption drop-down list, select an encryption method.
- Click the Advanced button in the Phase 1 Settings section.
The Phase1 Advanced Settings dialog box appears.
- Set the SA Life to 1 hour.
The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.
To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.
- From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
- Do not change any of the other Phase 1 Advanced Settings.
- Click OK.
- In the Phase 2 Settings section, click Proposal.
- From the Authentication drop-down list, select MD5 or SHA1.
SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
- From the Encryption drop-down list, select an encryption method.
- Set the Force Key Expiration to 1 hour and 0 kilobytes.
- In the Force Key Expiration settings, set the expiration Time to 1 hour.
- In the Force Key Expiration settings, clear the Traffic check box.
- Click OK.
- In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
Perfect Forward Secrecy is not supported by the VPN client on the iOS device.
- Click the Advanced tab.
- (Fireware v12.2.1 or higher) Configure the DNS settings:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.
You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.
- Click OK.
- Save the configuration file to your Firebox.
Make sure that the macOS or iOS users are members of the authentication group you selected.
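The supported-settings lists and the Firebox steps above can be checked offline before the profile is saved. This is an added example, not WatchGuard code: the dictionary keys and the `client` labels are hypothetical names, and the "weak" findings are an editorial judgement about deprecated algorithms that the client still accepts.

```python
# Added example: checks a planned Mobile VPN with IPSec profile against the
# Apple native-client constraints listed on this page. The dictionary keys
# are hypothetical names, not Fireware fields.

_G2 = {"p1_auth": {"MD5", "SHA1"},
       "p1_enc": {"DES", "3DES", "AES128", "AES256"},
       "p2_auth": {"MD5", "SHA1"},
       "p2_enc": {"3DES", "AES128", "AES256"}}
_G14 = {"p1_auth": {"MD5", "SHA1", "SHA2-256", "SHA2-512"},
        "p1_enc": {"AES256"},
        "p2_auth": {"MD5", "SHA1"},
        "p2_enc": {"3DES", "AES128", "AES256"}}

# iOS 9.3+ / macOS 10.11.4+ accept DH group 2 or 14; older iOS only group 2.
SUPPORTED = {"modern": {2: _G2, 14: _G14}, "ios_below_9_3": {2: _G2}}

# Accepted by the client but deprecated. Flagged so that the strongest
# supported option is chosen (editorial judgement, not from the page).
WEAK = {"MD5", "DES", "3DES"}


def check_profile(profile, client="modern"):
    """Return a list of (severity, field, message); severity is 'error' or 'weak'."""
    findings = []
    group = profile["dh_group"]
    table = SUPPORTED[client].get(group)
    if table is None:
        allowed = sorted(SUPPORTED[client])
        findings.append(("error", "dh_group",
                         f"DH group {group} not supported, use one of {allowed}"))
    else:
        for field, allowed in table.items():
            if profile[field] not in allowed:
                findings.append(("error", field,
                                 f"{profile[field]} not accepted with DH group {group}"))
        if group == 2:
            findings.append(("weak", "dh_group", "DH group 2 is a 1024-bit group"))
    for field in ("p1_auth", "p1_enc", "p2_auth", "p2_enc"):
        if profile[field] in WEAK:
            findings.append(("weak", field, f"{profile[field]} is deprecated"))
    if profile["pfs"]:
        findings.append(("error", "pfs", "clear the PFS check box"))
    if profile["sa_life_hours"] not in (1, 8):
        findings.append(("error", "sa_life_hours",
                         "set SA Life to 1 hour (8 hours for mixed clients)"))
    if profile["p2_expire_hours"] != 1 or profile["p2_expire_traffic"]:
        findings.append(("error", "p2_expire",
                         "Phase 2 key expiration: Time 1 hour, Traffic cleared"))
    if not profile["allow_all_traffic"]:
        findings.append(("error", "allow_all_traffic",
                         "the client does not support split tunneling"))
    return findings


# Constructed sample profiles.
STRONGEST = {"dh_group": 14, "p1_auth": "SHA2-256", "p1_enc": "AES256",
             "p2_auth": "SHA1", "p2_enc": "AES256", "pfs": False,
             "sa_life_hours": 1, "p2_expire_hours": 1,
             "p2_expire_traffic": False, "allow_all_traffic": True}
# Group 14 with AES128 in Phase 1, SHA2 in Phase 2 and PFS on: three mismatches.
MISMATCHED = dict(STRONGEST, p1_enc="AES128", p2_auth="SHA2-256", pfs=True)

if __name__ == "__main__":
    for name, prof in (("strongest", STRONGEST), ("mismatched", MISMATCHED)):
        print(name, check_profile(prof) or "OK")
```

An empty result means the profile matches what the Apple client will negotiate; "weak" findings still connect but point at a stronger supported choice.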
Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.
Configure the VPN Client on an iOS Device
To manually configure the VPN client settings on the iOS device:
- Select Settings > General > VPN > Add VPN Configuration.
- Configure these settings in the VPN client:
- Type — IPSec
- Server — The external IP address of the Firebox
- Account — The user name on the authentication server
Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
- Password — The password for the user on the authentication server
- Use Certificate — Set this option to OFF
- Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
- Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.
To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.
The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.
The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.
Configure the VPN Client on a macOS Device
The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.
To configure the VPN settings on the macOS device:
- Open System Preferences and select Network.
- Click + at the bottom of the list to add a new interface. Configure these settings:
- Interface — VPN
- VPN Type — Cisco IPSec
- Service Name — Type the name to use for this connection
- Click Create.
The new VPN interface appears in the list of network interfaces.
- Select the new interface in the list. Edit these settings:
- Server Address — The external IP address of the Firebox
- Account Name — The user name on the authentication server
Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
- Password — The password for the user on the authentication server
- Click Authentication Settings. Configure these settings:
- Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
- Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
- To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box.
- Click Connect to start the VPN tunnel.
After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.
To start or stop the VPN client connection, click the VPN status icon.
Most VPN providers feature detailed Mac setup guides on their websites, but this article provides a general overview of how to install a VPN for Mac.
Use a VPN’s custom Mac software
macOS is not quite as well supported by custom VPN clients as Windows is, but most VPNs offer dedicated Mac software. As we shall see in a bit, manually configuring a VPN in macOS is not hard, but using a custom VPN app is just insanely easy.
Because of the custom nature of the software, setup details can vary a little from VPN to VPN. However, in general:
- Register with a VPN service. See our best VPNs guide for more information.
- Download its Mac software.
- Install the app. This usually just involves double-clicking on the downloaded .dmg file and following instructions.
- Run the app. You’ll likely be prompted to enter your account details on the first run. Note that it is normal for VPN apps to require admin privileges to run.
Once in the app, simply select a VPN server you wish to connect to, and hit “Connect.” It is worth, however, going through the app’s options. Important settings such as DNS leak protection and kill switches are often optional and must be manually enabled. I have no idea why, but there you go.
ExpressVPN’s “Network Lock” feature provides a firewall-based kill switch and DNS leak protection. So do be sure it is turned on.
You may also want to check that the app is using the OpenVPN protocol, as many default to less secure (but possibly faster) VPN protocols. Please see here for more information on VPN protocols.
Tunnelblick
Tunnelblick is an open-source, free-to-download OpenVPN client that can be configured to work with either special Tunnelblick configuration files (.tblk) or any standard OpenVPN configuration files (.ovpn and .conf).
It now includes full DNS leak and Web Real-Time Communication (WebRTC) leak protection. The latest beta client also features a firewall-based kill switch.
1. Download Tunnelblick or regular OpenVPN configuration files from your chosen VPN service. You will need one file per VPN server location, although it's often possible to download multiple configurations in a single zip file. In this case, you'll need to unzip the files before they can be used.
2. Download, install and launch Tunnelblick. On the Welcome screen, select “I have the configuration files.”
3. Drag the configuration file (or multiple files for multiple server configurations) to the Tunnelblick icon in the menu bar.
4. Hit “Install,” then choose whether to install just for yourself or all users of your Mac. It will probably ask for your Admin password.
5. And that’s setup done! To connect to a VPN server, click on the Tunnelblick icon in the menu bar and select a VPN server.
The icon will turn a darker shade to indicate that you are connected. If you hover the cursor over it, it will display additional information.
Addendum:
Turn on DNS leak protection
IPv4 and IPv6 DNS leak protection are not enabled by default in Tunnelblick. To enable DNS leak protection go to Configurations -> Settings and tick the boxes next to “Route all IPv4 traffic through the VPN” and “Disable IPv6.”
Note that Tunnelblick does not protect against WebRTC leaks. As such, you'll need to fix the issue manually (Safari is not affected, anyway).
Turning on kill switch on Mac
New to the latest beta version of Tunnelblick is a very welcome kill switch feature. This ensures that your real Internet Protocol (IP) address is not exposed in the event of a VPN dropout.
To enable the kill switch, go to Configurations and click on the individual VPN configuration (the kill switch must be enabled for each configuration). Click on the “On unexpected disconnect” field and select Disable Network Access from the drop-down menu.
Manually Configure VPN for Mac PPTP, L2TP/IPsec, or IKEv2
macOS comes with a built-in VPN client that supports the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. For reasons discussed in detail in VPN Encryption: The Complete Guide, I always recommend using an OpenVPN app instead. But IKEv2 is also a good option.
The big advantage of PPTP, L2TP/IPsec and IKEv2 VPN connections is that they can be set up without the need to download a third-party VPN app.
- Go to System Preferences -> Network. Click the + button and select Interface: VPN in the pop-up dialog box.
- Choose a VPN protocol (“VPN Type”) and pick a name for the VPN connection (optional).
- Fill in server details with the settings provided by your chosen VPN service.
The built-in macOS VPN client does not feature any form of WebRTC leak protection, so if using a vulnerable browser you should disable WebRTC manually. Note that Safari does not use WebRTC and is therefore not vulnerable to WebRTC leaks. It is, however, closed source proprietary software.
How to Test a VPN for Mac
No matter what kind of VPN you use, macOS will display an icon in the notification bar whenever the VPN is connected. This lets you know at a glance that you are protected.
Clicking on the icon will usually display additional details and options. For further confirmation the VPN is connected and working correctly, you can run an IP leak test…
Check Mac VPN for IP leaks
Once connected to the VPN (using whatever method), it is a good idea to check for IP leaks.
The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
For more information about staying secure online in the United Kingdom, take a look at our Best VPN UK guide.
Note that Private-Use - [RFCxxxx] IPs are local IPs only. They cannot be used to identify an individual or device, and so do not constitute an IP leak.
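The reading of a leak test described above can be written down as a small classifier. This is an added example, not part of the original article: the VPN exit range is an assumption you would fill in from your provider, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Private-use and link-local ranges. Addresses in these ranges are local
# only and do not count as a leak.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def classify(observed, vpn_nets):
    """Label each (source, address) pair as 'local', 'vpn' or 'leak'."""
    vpn = [ipaddress.ip_network(n) for n in vpn_nets]
    out = []
    for source, text in observed:
        addr = ipaddress.ip_address(text)
        if any(addr in net for net in LOCAL_NETS):
            verdict = "local"
        elif any(addr in net for net in vpn):
            verdict = "vpn"
        else:
            verdict = "leak"  # public address outside the VPN's ranges
        out.append((source, f"IPv{addr.version}", text, verdict))
    return out


def leaking_families(results):
    """Return the sorted IP families ('IPv4', 'IPv6') that show a leak."""
    return sorted({fam for _, fam, _, verdict in results if verdict == "leak"})


# Constructed sample mirroring the failure described above: IPv4 goes through
# the VPN, while the IPv6 address is visible via both DNS and WebRTC.
VPN_NETS = ["203.0.113.0/24"]  # assumed VPN exit range (documentation block)
SAMPLE = [
    ("dns", "203.0.113.10"),
    ("dns", "2001:db8:1234::5"),
    ("webrtc", "2001:db8:1234::5"),
    ("webrtc", "192.168.1.23"),
]

if __name__ == "__main__":
    results = classify(SAMPLE, VPN_NETS)
    for row in results:
        print(*row)
    print("leaking:", leaking_families(results))
```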