I have been working on an improved and more stable VPN option for macOS users since the demise of PPTP.
My personal preference is for an improved firewall experience using UTM appliances like FortiGate and then leveraging SSLVPN, as it seems to work from a large majority of locations and internet connection types. However, the cost of implementation of a solution like this means not every site will be able to do this.
Where that is not an option for the sites where VPN is a requirement, I have been trying to understand whether I can make a secure, reliable and predictable VPN configuration from macOS.
To that end, I have been able to get an IKEv2 IPSec VPN (no L2TP), secured by certificates, not username and password, working nicely.
However, it does require a Configuration Profile to be generated for each device that needs to be connected. Once configured, the configuration profile is really only suitable for a single user.
There are some advantages:
- It can control the configuration with a single profile download and installation on the device, and it does not require manual processes or steps on the device.
- It can control what traffic is routed down the VPN tunnel: only traffic for the remote network at the end of the tunnel is routed via the VPN, and all other traffic goes out the customer’s local LAN. This is better than the previous PPTP routing, however, because the router can push additional routes for complex sites where multiple subnets need to be accessible via a single VPN connection.
- The use of certificates dramatically improves the security of the connection.
- Revocation of a certificate from the router means it is possible to instantly block a device from connecting.
- Certificates can have time limits such as days, weeks or months if required, and once expired, can never be used again!
- On newer Mikrotik routers, such as the RB750Gr3, there is built-in hardware acceleration for IPSec encryption/decryption which means VPN connectivity is nice and fast.
There are also some disadvantages:
- A configuration profile with a user certificate for each user that will need to connect by VPN has to be built with Apple Configurator.
- The configuration profiles only work for macOS and iOS devices; manual configuration for Windows users can be done.
- IPSec pass-thru may still not be enabled on every site and/or device where end-users connect from.
- The configuration on the router is complex and will need careful validation, particularly for sites with existing IPSec tunnel configurations.
- The certificates expire, so some known period of time after it is configured, everything will stop working until the certificates are updated and the profiles re-generated.
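Because the profile has to carry the user certificate and the router configuration needs careful validation, a quick sanity check of the generated .mobileconfig before it is sent out is worthwhile. The script below is an added example for this post, not code from the original or from Apple Configurator: it parses a constructed profile (placeholder host, UUIDs and PKCS#12 bytes) and flags anything other than certificate-based IKEv2 with a matching certificate payload and reasonable IKE/ESP parameters.

```python
import plistlib

# Constructed sample profile (not a real export): one IKEv2 VPN payload that
# references the PKCS#12 payload carrying the user's client certificate.
STRONG_SA = {"EncryptionAlgorithm": "AES-256",
             "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14}
SAMPLE_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2",
     "PayloadUUID": "VPN-UUID-PLACEHOLDER",
     "IKEv2": {"RemoteAddress": "vpn.example.invalid",  # placeholder host
               "AuthenticationMethod": "Certificate",
               "ExtendedAuthEnabled": False,
               "PayloadCertificateUUID": "CERT-UUID-PLACEHOLDER",
               "IKESecurityAssociationParameters": STRONG_SA,
               "ChildSecurityAssociationParameters": STRONG_SA}},
    {"PayloadType": "com.apple.security.pkcs12",
     "PayloadUUID": "CERT-UUID-PLACEHOLDER",
     "PayloadContent": b"<pkcs12-bytes-placeholder>"}]})
WEAK_ENC, WEAK_INTEG, WEAK_DH = {"DES", "3DES"}, {"SHA1-96", "SHA1-160"}, {1, 2, 5}

def audit_profile(profile):
    """Return findings for each VPN payload; an empty list means it passes."""
    plist = profile if isinstance(profile, dict) else plistlib.loads(profile)
    payloads = plist.get("PayloadContent", [])
    # UUIDs of certificate payloads shipped inside this same profile
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if p.get("VPNType") != "IKEv2":
            findings.append("VPNType is not IKEv2")
            continue
        ike = p.get("IKEv2", {})
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append("authentication is not certificate-based")
        if ike.get("ExtendedAuthEnabled"):
            findings.append("username/password (EAP) authentication is enabled")
        if ike.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("referenced client certificate payload is missing")
        for sa_name in ("IKESecurityAssociationParameters",
                        "ChildSecurityAssociationParameters"):
            sa = ike.get(sa_name, {})
            if (sa.get("EncryptionAlgorithm") in WEAK_ENC
                    or sa.get("IntegrityAlgorithm") in WEAK_INTEG
                    or sa.get("DiffieHellmanGroup") in WEAK_DH):
                findings.append(f"weak IKE/ESP parameters in {sa_name}")
    return findings
```

Run `audit_profile(open("user.mobileconfig", "rb").read())` against a real exported profile; the weak-algorithm sets are a starting point and should match whatever the router's IPsec proposal actually allows.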
I have tested from 10.11 through to 10.13 with no issues on a known good site (e.g. local internet connections that I can manage).
I will do some more testing over the coming days from other sites as I visit, but it does look like a viable alternative.
Once I have confirmed it is working, I will do some documentation and post another update.
[ Update at 20:47: it also works directly on iOS 11 – you can email the provisioning profile to an account on the device and add it easily that way! ]