You are looking at this from the wrong end. Typically you chose the VPN server and that dictates what VPN client you can use. For example if you buy a Cisco VPN appliance e.g. a Cisco ASA then you can use the Cisco AnyConnect client with it. SonicWALL as a comparison have their own VPN server and their own matching VPN client which again you have to buy licenses for. (You cannot use Cisco AnyConnect to connect to a SonicWALL or vice versa.)
Most VPN servers support multiple different VPN protocols and this typically also means it is possible to use various different VPN clients. The following are the main VPN protocols.
- PPTP - obsolete, considered to be insecure and in fact no longer supported by Apple
- L2TP - another old protocol but not as bad as PPTP and still supported by Apple
- IPSec - original a Cisco only protocol but now widely supported by others, Apple provide a built-in IPSec client
- IKEv2 - one of the newest protocols with many new security enhancements, Apple provide a built-in IKEv2 client
- SSL - a lot of VPN servers now support SSL the same encryption used by websites, this approach allows deploying the client and settings via a website typically via a Java web-browser installation. As this type of Java is notorious for being used by malware I have always felt this was a terrible idea
- OpenVPN - a particular example of an SSL VPN system, OpenVPN is free open-source software for both the server and the client and is available for Macs
To summarise, Apple currently provide built-in VPN clients for L2TP, IPSec, and IKEv2. So with these you don't have to buy a client, but depending on the VPN server you are using and how it handles its licenses you still might need a license for the VPN server for each user.
An approach I have used is to build a Linux server which is free and install the also free StrongSwan5 software on that. StrongSwan5 supports both IPSec and IKEv2. I have then been able to use the built-in again free Apple client to connect to this. This may at least initially require more work and you might not get any manufacturer support but it works and is completely free.
Note: Whilst Apple do provide built-in L2TP, IPSec and IKEv2 clients, some VPN server makers do 'strange things' which means for example that the Apple IPSec client cannot connect to a SonicWALL IPSec VPN server. (I have got the Apple L2TP client to connect to a SonicWALL acting as an L2TP server.) In this case there are some third-party VPN clients for the Mac which you have to pay for which the authors have written to cope with these cases. See https://www.vpntracker.com/us/compatibility.html
