Migrated VPN Service Broken with Catalina

I recently migrated to 10.15 and my MacPorts-based macOS vpnd server is running just fine.

The basic setup is pretty straightforward and shouldn’t be too hard to troubleshoot.

The MacPorts install is:

sudo port install macos-vpn-server

sudo port load macos-vpn-server

Also, see the migration notes in the repo https://github.com/essandess/macOS-Open-Source-Server for details, or see the MacPorts Port file at https://github.com/macports/macports-ports/blob/master/net/macos-vpn-server/Portfile.

Good request! I am going through the ropes best I can but not that easy with the info available! Already installed Xcode and MacPorts. That bit was the easy part. Getting it setup and configured (I only need Mail and VPN) is a whole new challenge!

Ugh perhaps I posted too soon, but perhaps not. I’m also seeing the behavior mentioned by the OP on some external networks, but not others.

I’ll follow up in a bit with a few quick technical pointers and try to characterize when/how the issue arises.

Great you reported it! I was getting frustrated not to be able to make a connection from my ISP or any other external networks. So it is not my settings files!

Apple, please fix Catalina. This just doesn't make sense!!!

FWIW, certificate-based OpenVPN is more secure, flexible, and reliable than macOS’s L2TP/CHAP/PSK-based VPN.

It’s worthwhile having a couple different options available in case the external network has various tcp/upd blocks.

It’s straightforward to stand up an OpenVPN Server on macOS along with iOS clients that aren’t affected by any design decisions or mistakes that affect vpnd.

See https://github.com/essandess/macos-openvpn-server.

Bernard Tao's VPNEnabler tool for Catalina makes use of OpenVPN. He has a free trial download.

Although other options do exist, inclusive of purchasing a VPN-enabled router, it is just so incredibly inconvenient and frustrating that Apple has taken an existing tool that has worked well for years and suddenly disabled functionality for no apparent reason (disrupting the workflow for so many of us). I think many of us are still hopeful that Apple will resolve this problem. I hope everyone on this chain has submitted to Apple's Feedback Assistant for Catalina.

Great, thank you. We just need a few more feedback report numbers, after that I can send them all to Apple and hopefully this will make things go faster.

Apple Engineers often say that they rely of the number of bug reports as an indication of how critical a bug is. If we can get multiple bug reports tied together, this could get us some traction.

I have the same issues on MacMini/Catalina reported under:

FB 15957415

I was able to move to an older MacMini running 10.13.6 (HighSierra).

Here some observations during testing.

It seems from the WAN connection on the server.log that the IPSEC connection is established (6 times) but the L2TP dialog is not successful.

Copying the vpnd configuration from a MacMini 10.15.2 to the MacMini running 10.13.6 gives a successful connection on both LAN and WAN.

As a site note I use a freebsd firewall using pf between the LAN and a ARRIS TG1683G Router/Modem by Xfinity(Comcast).

When I connect the client to the DMZ between the freebsd firewall and the Xfinity router and use the DMZ address as the VPN Server address I get a successful connection to the the MacMini running Catalina.

Somewhere I read that PPP is no longer supported in Catalina, and somewhere else that it was the PPTP.ppp kernel extension. Either way, I suspect that PPP somehow explains the VPN problem in Catalina.

When I set up a new iMac under Catalina 10.15 from a Carbon Copy Cloner clone of my Mojave Mac Mini, CCC reported a folder /private/var/run/vpnd-L2TP.pid as a “previously relocated item,” which seems to mean it could not install it.

This is not related.

You can connect from macOS 10.15 to a vpnd server running in macOS 10.14 just fine, meaning that there is no missing kernel extension for that type of connection.

Moreover, you can connect from macOS 10.15 client to macOS 10.15 server running vpnd within the same local network, it just does not work for external connection (probably a NAT issue).

I’ll repeat my previous post for those who haven’t read far back:

I have very successfully set up on Catalina, a Parallels Mojave client running the native VPN I was using before Catalina ruined it. Works great! And was “ free” since I already had Parallels to use with Windows. Also let’s me run Acrobat 32 bit as well!

I agree, but since this is a personal VPN, I have 32G of memory, AND if I'm using the VPN I'm not home to use the server itself it's a cheap and easy solution. Haven't noticed any degradation in performance when I'm home and the Parallels client is running anyway.

I couldn't get VPN to work with Catalina, so installed Ubuntu as a VPN server on VMware Fusion, doesn't take much memory at all. Yes, would be nice to use it on the main OS.

Not looking forward to Apple's next release of their OS. Wonder what other services they are going to strip off !

Why unbelievable? They've triaged this and decided that only a relative few of us use it, and so our screams won't be loud enough to rock the prioritizers. Just because that's true doesn't make it right or good, of course, but Apple's the biggest gorilla in this jungle, so…. And honestly, there are worse bugs which go unresolved forever, although I'd guess this one would be pretty easy to identify and fix. Maybe we should scream louder, but given the stripping Apple gave MacOS Server, I'm guessing it wouldn't help.

The problem is with the vpnd binary in /usr/sbin. ppp, racoon and kernel work fine. To fix it copy in a version of vpnd from a prior, but recent, macos version. I used the binary from Mojave (10.14) and vpn server now works fine on Catalina for both internal and external connections (I copied the binary to /usr/local/bin and changed the plist to load it).