Migrated VPN Service Broken with Catalina

Anyone currently on Catalina - does the 10.15.1 update released today fix this problem? There is nothing within the support notes in regards to VPN, but still have my fingers crossed. I cannot update to Catalina until this issue is resolved. Tks.

https://support.apple.com/en-ca/HT210642

Has anyone tried this guide? It says that it has been tested on Catalina. Unfortunately, I am unwilling to upgrade to test as loss of VPN tremendously affects my workflow:

https://robintiwari.com/post/how-to-set-up-vpn-server-on-macos

BTW - there is another thread of angry users with the same issue:

https://discussions.apple.com/thread/250719946?page=1

I thought I had solved the problem, but not quite. I can get the Mojave vpnd to work fine on Catalina *IF* I connect from my local network which is not much use. If I connect from the Internet I get 7 incoming calls, and then 7 hangups. I assumed there might have been a port forwarding problem, so I tried forwarding to the Mojave Parallels client I had been using to get around this problem and that worked fine. If I forwarded back to Catalina... NG. VPN Log extracts follow.

Here's what I see:

• Catalina vpnd works on the LAN, as noted by the OP
• On the LAN, a successful connection in /var/log/ppp/vpnd.log looks like:

L2TP incoming call in progress from '10.0.1.14'...

L2TP received SCCRQ

L2TP sent SCCRP

L2TP received SCCCN

L2TP received ICRQ

L2TP sent ICRP

L2TP received ICCN

L2TP connection established.

• Catalina vpnd doesn't connect from many external networks, as noted by the OP
• An unsuccessful connection in /var/log/ppp/vpnd.log looks like:

L2TP incoming call in progress from '199.199.199.199'...

L2TP received SCCRQ

L2TP sent SCCRP

Incoming call... Address given to client = 10.0.1.50

• Note that "L2TP received SCCCN" never happens
• Bizarrely, my ISP is Comcast, and external connections from Xfinity WiFi hotspots work , and the logs look the same as on the LAN
• I tried using the Mojave vpnd binary, with the same results, so it's a system problem with Catalina, not the binary

I don't know what the issue is, but it's not a simple network block, and it's not the Catalina vpnd binary.

macOS vpnd L2TP configuration uses four things:

1. macOS networking and firewall (pf, application) infrastructure
2. The /usr/sbin/vpnd binary
3. The config file /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
4. The PSK in the System Keychain in the entry com.apple.net.racoon

MacPorts uses an example config file (based on the old Server.app one), here: https://github.com/macports/macports-ports/blob/master/net/macos-vpn-server/files/com.apple.RemoteAccessServers.plist.macports

The Portfile shows how to add the PSK to the Keychain, here: https://github.com/macports/macports-ports/blob/f16847defa1b99199baf0a569d2fbeb36a8f908f/net/macos-vpn-server/Portfile#L56

/usr/bin/security add-generic-password -a org.macports.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -w ${vpn_pre_shared_secret} -U /Library/Keychains/System.keychain

I'm running through these myself now, but thought I'd post for visibility.

1. Obtain `vpnd` binary from Mojave.
2. If you want to overwrite the bad vpnd binary in `/usr/sbin`. Note, future OS updates may result in overwriting this file.
   1. You can't just copy to `/usr/sbin` due to security enhacements (e.g. rootless) introduced in El Capitan (I think).
   2. To disable this security feature you have to reboot your computer and hold `CMD+R` at start to boot into OS X Recovery Mode.
   3. Then OS X Utilities => Terminal => `csrutil disable; reboot`.
   4. Once you've reboot, mv the `vpnd` binary to `/usr/sbin`, `sudo mv vpnd /usr/sbin`.
   5. Note, you'll want to repeat this process to reenable later using `csrutil enable; reboot`.
3. If you don't want to mess with the OS version of `vpnd`, simply copy the binary into somewhere like `/usr/local/bin`.
   1. If you went this route, update your vpnd plist file to point to the new location.
   2. `sudo launchctl -w unload /Library/LaunchDaemons/vpnd.plist`.
   3. `sudo vim /Library/LaunchDaemons/vpnd.plist`.

vpnd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
     <key>Label</key>
     <string>vpn.ppp.l2tp</string>
     <key>KeepAlive</key>
     <true/>
     <key>Program</key>
     <string>/usr/sbin/vpnd</string> <!-- Update Here -->
     <key>ProgramArguments</key>
     <array>
       <string>vpnd</string>
       <string>-x</string>
       <string>-i</string>
       <string>com.apple.ppp.l2tp</string>
     </array>
  </dict>
</plist>

4. `sudo launchctl -w load /Library/LaunchDaemons/vpnd.plist`.

Hello All- just stumbled upon this thread after experiencing the same issues still in (2020 June)- unfortunately I'm not a networking /IT expert. I am using both the Sophos connect and OpenVPN connect to connect remotely to our company's VPN. These are my 'lay-person' experiences for both clients-

1. Unable to connect to work VPN after upgrading to Catalina.
2. All devices unable to connect following Catalina Update (Macbook 12", MacBookPro 15" (2013), MacbookPro16" (2019)
3. However - iPadPro2018 appears to connect just fine
4. Home setup comprises of a Router (provided by service provider) and a AirPort Extreme in another bedroom as wifi extender.
   1. Somehow - I managed to get it to 'sort-of'* work after forcing my MacBook to 'forget' the wifi extender (Apple AirPort Extreme)
   2. *sort-of > connection stutters about about 10-15mins but doesn't connection does not drop.

Hopefully there is a solution for this- hopefully will be addressed soon with WWDC coming up!

I have the exact same issue since upgrading to OS X Catalina with the exact same log file. I can connect no problem from the local network but can't connect from outside. Almost like Catalina is blocking outbound connections.

I apologize that this reply is not helpful to find a solution. It is SUPER frustrating that Apple keeps rolling back functionality with "upgrades". This is totally unacceptable and Apple needs to get their heads out of their *****.

I have the exact same issue as well. Worked fine prior to Catalina update. Same sort of log entries. Works when connecting to local IP which is not useful. Does not work when connected to NAT'd external IP.

I have this issue too, very frustrating.

As a workaround, I have installed Ubuntu on VMware and using that as a VPN server, not ideal but at least its a workaround.

Please let us know once you have it working.

Thanks

MacOS Server App had become an incredibly functional/useful/outstanding app. Does anyone know why Apple decided to completely dismantle the app and render it virtually useless? I don't understand why Apple chose to do this, particularly as Windows Server is so functional?