Migrated VPN Service Broken with Catalina

The problem is with the vpnd binary in /usr/sbin. ppp, racoon and kernel work fine. To fix it copy in a version of vpnd from a prior, but recent, macos version. I used the binary from Mojave (10.14) and vpn server now works fine on Catalina for both internal and external connections (I copied the binary to /usr/local/bin and changed the plist to load it).

I'm running through these myself now, but thought I'd post for visibility.

1. Obtain `vpnd` binary from Mojave.
2. If you want to overwrite the bad vpnd binary in `/usr/sbin`. Note, future OS updates may result in overwriting this file.
   1. You can't just copy to `/usr/sbin` due to security enhacements (e.g. rootless) introduced in El Capitan (I think).
   2. To disable this security feature you have to reboot your computer and hold `CMD+R` at start to boot into OS X Recovery Mode.
   3. Then OS X Utilities => Terminal => `csrutil disable; reboot`.
   4. Once you've reboot, mv the `vpnd` binary to `/usr/sbin`, `sudo mv vpnd /usr/sbin`.
   5. Note, you'll want to repeat this process to reenable later using `csrutil enable; reboot`.
3. If you don't want to mess with the OS version of `vpnd`, simply copy the binary into somewhere like `/usr/local/bin`.
   1. If you went this route, update your vpnd plist file to point to the new location.
   2. `sudo launchctl -w unload /Library/LaunchDaemons/vpnd.plist`.
   3. `sudo vim /Library/LaunchDaemons/vpnd.plist`.

vpnd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
     <key>Label</key>
     <string>vpn.ppp.l2tp</string>
     <key>KeepAlive</key>
     <true/>
     <key>Program</key>
     <string>/usr/sbin/vpnd</string> <!-- Update Here -->
     <key>ProgramArguments</key>
     <array>
       <string>vpnd</string>
       <string>-x</string>
       <string>-i</string>
       <string>com.apple.ppp.l2tp</string>
     </array>
  </dict>
</plist>

4. `sudo launchctl -w load /Library/LaunchDaemons/vpnd.plist`.

Bernard Tao's VPNEnabler tool for Catalina makes use of OpenVPN. He has a free trial download.

Although other options do exist, inclusive of purchasing a VPN-enabled router, it is just so incredibly inconvenient and frustrating that Apple has taken an existing tool that has worked well for years and suddenly disabled functionality for no apparent reason (disrupting the workflow for so many of us). I think many of us are still hopeful that Apple will resolve this problem. I hope everyone on this chain has submitted to Apple's Feedback Assistant for Catalina.

I’ll repeat my previous post for those who haven’t read far back:

I have very successfully set up on Catalina, a Parallels Mojave client running the native VPN I was using before Catalina ruined it. Works great! And was “ free” since I already had Parallels to use with Windows. Also let’s me run Acrobat 32 bit as well!

Yes, configure your own OpenVPN certificate-based server: https://github.com/essandess/macos-openvpn-server. This has been a rock-solid alternative to a vpnd-based server.

The MacPorts port macos-vpn-server is based on vpnd and therefore has the same issue discussed in this thread.

FWIW, certificate-based OpenVPN is more secure, flexible, and reliable than macOS’s L2TP/CHAP/PSK-based VPN.

It’s worthwhile having a couple different options available in case the external network has various tcp/upd blocks.

It’s straightforward to stand up an OpenVPN Server on macOS along with iOS clients that aren’t affected by any design decisions or mistakes that affect vpnd.

See https://github.com/essandess/macos-openvpn-server.

I'm not convinced that the problem would be at the client/user end, since in my case, only the server changed, not the clients (iPhone and MacBook Pro).

I copied all my server's information into my router's VPN server set-up, turned off port forwarding, and voilà! It worked instantly with both clients, and with no changes to the client/user setup.

Just saying…

I recently migrated to 10.15 and my MacPorts-based macOS vpnd server is running just fine.

The basic setup is pretty straightforward and shouldn’t be too hard to troubleshoot.

The MacPorts install is:

sudo port install macos-vpn-server

sudo port load macos-vpn-server

Also, see the migration notes in the repo https://github.com/essandess/macOS-Open-Source-Server for details, or see the MacPorts Port file at https://github.com/macports/macports-ports/blob/master/net/macos-vpn-server/Portfile.

Here's what I see:

• Catalina vpnd works on the LAN, as noted by the OP
• On the LAN, a successful connection in /var/log/ppp/vpnd.log looks like:

L2TP incoming call in progress from '10.0.1.14'...

L2TP received SCCRQ

L2TP sent SCCRP

L2TP received SCCCN

L2TP received ICRQ

L2TP sent ICRP

L2TP received ICCN

L2TP connection established.

• Catalina vpnd doesn't connect from many external networks, as noted by the OP
• An unsuccessful connection in /var/log/ppp/vpnd.log looks like:

L2TP incoming call in progress from '199.199.199.199'...

L2TP received SCCRQ

L2TP sent SCCRP

Incoming call... Address given to client = 10.0.1.50

• Note that "L2TP received SCCCN" never happens
• Bizarrely, my ISP is Comcast, and external connections from Xfinity WiFi hotspots work , and the logs look the same as on the LAN
• I tried using the Mojave vpnd binary, with the same results, so it's a system problem with Catalina, not the binary

I don't know what the issue is, but it's not a simple network block, and it's not the Catalina vpnd binary.

I have the same issues on MacMini/Catalina reported under:

FB 15957415

I was able to move to an older MacMini running 10.13.6 (HighSierra).

Here some observations during testing.

It seems from the WAN connection on the server.log that the IPSEC connection is established (6 times) but the L2TP dialog is not successful.

Copying the vpnd configuration from a MacMini 10.15.2 to the MacMini running 10.13.6 gives a successful connection on both LAN and WAN.

As a site note I use a freebsd firewall using pf between the LAN and a ARRIS TG1683G Router/Modem by Xfinity(Comcast).

When I connect the client to the DMZ between the freebsd firewall and the Xfinity router and use the DMZ address as the VPN Server address I get a successful connection to the the MacMini running Catalina.

I've mentioned it before, but it could have gotten lost in this long thread:

I'm successfully using Mojave in a Parallels VM on Catalina running the VPN configuration I used before Catalina broke it.

Use the new Feedback Assistant on Catalina to report this issue, and be sure to add the file /var/log/ppp/vpnd.log to the report.

My VPN app wasn't working on upgrade, but I fixed it by checking the option "App Store and Identified developers" in Security & Privacy -> Allow apps downloaded from. Worked instantly.

Bug reported also.

I use iVPN (https://macserve.org.uk)

I also test to connect directly to ip in my local network and then VPN connect.

If I use my VPN host name xxxxx.com "Server not responding" but I see "hits" in my VPN log.

2020-01-07 14:09:40 EET Incoming call... Address given to client = 10.0.xx.xx

Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!

Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!

Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!

Tue Jan  7 14:09:40 2020 : L2TP incoming call in progress from '85.xx.xxx.xxx'...

Tue Jan  7 14:09:40 2020 : L2TP received SCCRQ

Tue Jan  7 14:09:40 2020 : L2TP sent SCCRP

2020-01-07 14:09:41 EET   --> Client with address = 10.0.1.70 has hungup

2020-01-07 14:09:42 EET   --> Client with address = 10.0.1.71 has hungup

2020-01-07 14:09:44 EET   --> Client with address = 10.0.1.72 has hungup