Migrated VPN Service Broken with Catalina

My Mac mini has been working just fine with macOS Mojave as a VPN server following the migration method described in https://developer.apple.com/support/downloads/macOS-Server-Service-Migration-Guide.pdf , but after upgrading to macOS Catalina there is trouble:


The VPN clients connect just fine on the internal network, but not on an external network; which makes the VPN server a bit pointless! I can confirm that all was working well with the server running macOS Mojave, and my iOS 13 and iPadOS 13 clients have been connecting just fine; it is the upgrade to macOS Catalina on the server that has caused this problem.


Here are the log entries for a failed connection:





Posted on Oct 11, 2019 9:42 AM

Question marked as Top-ranking reply

Posted on Nov 15, 2019 1:54 AM

I have tried VPN Enabler mentioned by lcrooks earlier and have managed to get the connection working back to my Catalina OS Mac Mini. I have done this locally from another desktop and remotely from my iPhone. The latter needed the OpenVPN app installed.

I also needed to edit the config file created by VPN Enabler as it didn't want to work by default. This was a bit of trial and error really as I am certainly no expert on this, but noticed when using the client part of VPN Enabler that the config file didn't seem to reference my server URL but the port number instead. I simply replaced the port number with my URL and it worked. The lines I changed are below:


<key>RemoteAddress</key>
<string>xxx.ddns.net</string> <!-- This simply contained "REMOTE" -->

<key>remote</key>
<string>xxx.ddns.net</string> <!-- Note: this is where the port number 1194 was -->



120 replies

Oct 21, 2019 3:58 AM in response to sahid1

Virtual machines have become essential with the mess Apple has made of recent Server releases, and you could also use a macOS Mojave virtual machine connected to Open Directory on the upgraded server. I did something similar when Apple messed up named with Mojave but with the host connected to a Virtual machine running Open Directory in the background with Parallels Desktop Pro.

I wish Apple would just abandon Server and release the code so that a third party can take over and bring macOS Server back to the way it was a few major releases ago because for a very short period of time, Server.app came of age and worked well.


I have a feeling that Apple are not going to fix our broken VPNs given how inaccurate some of the information provided was in the migration guide.

Apr 14, 2020 1:24 PM in response to lcrooks

Although I started this thread I'm not trying to get this working anymore but I would like to add why I was initially determined to get vpnd working on a current version of macOS: I wanted to be using the most secure versions of services I connect to via the internet.

Using the Mojave version of vpnd sounds like a good solution because it is quite new, however that means that we are indefinitely using the same version which could at some point in the future compromise security; hopefully the very distant future.

I personally recommend either compiling a recent vpnd from source, or using something like MacPorts to install an easily updatable version.


In POSIX it is convention when installing custom software that it goes into the /usr/local directory, for example /usr/local/sbin/vpnd.

...so with that you would change your vpnd.plist file to reference /usr/local/sbin/vpnd and that won't interact with the included macOS /usr/sbin/vpnd binary; basically what has just been said for using the Mojave included version.


Good luck everyone.
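A check that fits the suggestion above, as an added example that is not part of the original post: a launchd system daemon normally runs as root, so the replacement binary and its directory should be root-owned and not writable by other accounts. The plist content and its label are constructed for illustration; only the /usr/local/sbin/vpnd path comes from the post.

```python
import os
import plistlib
import stat

# Constructed launchd job definition; the label is a placeholder and the path
# is the /usr/local/sbin/vpnd location suggested in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>example.vpnd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/vpnd</string>
    </array>
</dict>
</plist>
"""

def daemon_binary(plist_bytes):
    """Return the executable a launchd job starts (Program, else ProgramArguments[0])."""
    job = plistlib.loads(plist_bytes)
    return job.get("Program") or job["ProgramArguments"][0]

def audit_binary(path, trusted_uid=0):
    """List ways the binary or its directory could be altered by a non-trusted account."""
    problems = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{target}: symlink, audit its target instead")
            continue
        if st.st_uid != trusted_uid:
            problems.append(f"{target}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{target}: writable by group or others")
    return problems

if __name__ == "__main__":
    binary = daemon_binary(SAMPLE_PLIST)
    if os.path.exists(binary):
        print("\n".join(audit_binary(binary)) or f"{binary}: ok")
    else:
        print(f"{binary}: not installed on this machine")
```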

Nov 30, 2019 4:20 PM in response to lcrooks

I migrated to a firewall-based VPN server a decade ago, and that’s just been vastly easier than wrestling with a host-based VPN server and host-based IP routing.


Even back when Mac OS X Server cost a thousand dollars, and had a VPN server.


No need to deal with NAT-passthrough, and the firewall can be accessible when the target server (and VPN server) isn’t.


Using a Mac as an expensive IP router just isn’t “fun”. Never has been.

Dec 3, 2019 1:45 PM in response to lcrooks

The first link looks like what we've done following Apple's migration guide and it does work, but in Catalina it only works with clients inside the same network as the server; in other words it works but is completely useless due to a fault with Catalina.


I've now given up on this issue and I bought a 2011 Mac mini on eBay and I've set up High Sierra with Server.app and connected it to the upgraded directory on my Catalina server for user authentication. I've changed the port mapping on my AirPort router to point the VPN ports to my new old Mac mini, and that's me fully functional again. In addition it turns out that my old Mac OS X Clients can't connect to AFP shares on Catalina so there's something else that Apple has broken: I now use my new old Mac mini with High Sierra to host my AFP share points too.


Good luck to everyone holding out for a fix, and although I doubt Apple will fix the issue, I suggest you keep using the feedback page and contacting support.

Jan 7, 2020 12:15 PM in response to lcrooks

Bug reported also.

I use iVPN (https://macserve.org.uk)


I also tested connecting directly to the IP in my local network, and then the VPN connects.

If I use my VPN host name xxxxx.com, I get "Server not responding", but I see "hits" in my VPN log.


2020-01-07 14:09:40 EET Incoming call... Address given to client = 10.0.xx.xx
Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!
Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!
Tue Jan  7 14:09:40 2020 : publish_entry SCDSet() failed: Success!
Tue Jan  7 14:09:40 2020 : L2TP incoming call in progress from '85.xx.xxx.xxx'...
Tue Jan  7 14:09:40 2020 : L2TP received SCCRQ
Tue Jan  7 14:09:40 2020 : L2TP sent SCCRP
2020-01-07 14:09:41 EET   --> Client with address = 10.0.1.70 has hungup
2020-01-07 14:09:42 EET   --> Client with address = 10.0.1.71 has hungup
2020-01-07 14:09:44 EET   --> Client with address = 10.0.1.72 has hungup
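The log above stops after the server sends SCCRP. As an added example (not part of the original post), this Python code classifies each incoming call in a vpnd log by how far the L2TP control-connection handshake (SCCRQ, SCCRP, SCCCN in RFC 2661) progressed. The sample log is constructed, and the SCCCN line format is assumed to mirror the SCCRQ and SCCRP lines shown in the post.

```python
import re

# RFC 2661 control-connection setup as seen from the server side.
HANDSHAKE = [("received", "SCCRQ"), ("sent", "SCCRP"), ("received", "SCCCN")]

VERDICTS = [
    "no SCCRQ logged: the request never reached vpnd",
    "SCCRQ received but no SCCRP sent: vpnd did not answer",
    "SCCRP sent but no SCCCN came back: check the return path to the client",
    "control connection established",
]

CALL_RE = re.compile(r"L2TP incoming call in progress from '([^']+)'")
MSG_RE = re.compile(r"L2TP (received|sent) ([A-Z]+)\b")

# Constructed sample: one call that stalls like the one in the post, one that
# completes. Peer addresses are documentation/private placeholders.
SAMPLE_LOG = """\
Tue Jan  7 14:09:40 2020 : L2TP incoming call in progress from '203.0.113.10'...
Tue Jan  7 14:09:40 2020 : L2TP received SCCRQ
Tue Jan  7 14:09:40 2020 : L2TP sent SCCRP
Tue Jan  7 14:12:05 2020 : L2TP incoming call in progress from '10.0.1.25'...
Tue Jan  7 14:12:05 2020 : L2TP received SCCRQ
Tue Jan  7 14:12:05 2020 : L2TP sent SCCRP
Tue Jan  7 14:12:05 2020 : L2TP received SCCCN
"""

def verdict(seen):
    """Count how many handshake steps appear, in order, and describe the stall point."""
    done = 0
    for step in HANDSHAKE:
        if step not in seen:
            break
        done += 1
    return VERDICTS[done]

def analyze(log_text):
    """Return one dict per incoming call: peer, control messages seen, verdict."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append({"peer": m.group(1), "seen": []})
            continue
        m = MSG_RE.search(line)
        if m and calls:
            # Assumption: a message belongs to the most recent incoming call.
            calls[-1]["seen"].append((m.group(1), m.group(2)))
    for call in calls:
        call["verdict"] = verdict(call["seen"])
    return calls

if __name__ == "__main__":
    for call in analyze(SAMPLE_LOG):
        print(f"{call['peer']}: {call['verdict']}")
```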

Mar 13, 2020 7:32 AM in response to TrainsAndWellbeing

Somewhere I read that PPP is no longer supported in Catalina, and somewhere else that it was the PPTP.ppp kernel extension. Either way, I suspect that PPP somehow explains the VPN problem in Catalina.


When I set up a new iMac under Catalina 10.15 from a Carbon Copy Cloner clone of my Mojave Mac Mini, CCC reported a folder /private/var/run/vpnd-L2TP.pid as a “previously relocated item,” which seems to mean it could not install it.

Mar 13, 2020 3:27 PM in response to Gib Henry

This is not related.


You can connect from macOS 10.15 to a vpnd server running in macOS 10.14 just fine, meaning that there is no missing kernel extension for that type of connection.


Moreover, you can connect from a macOS 10.15 client to a macOS 10.15 server running vpnd within the same local network; it just does not work for external connections (probably a NAT issue).
