create configuration file

man 5 vpnd | col -b > /Users/bhr/com.apple.RemoteAccessServers.plist

copy configuration file

sudo cp /Users/bhr/com.apple.RemoteAccessServers.plist /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

sudo chmod 644 /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

sudo chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

edit configuration file

sudo vi /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

<key>com.apple.ppp.l2tp</key>
<dict>
    <key>DNS</key>
    <dict>
        <key>OfferedSearchDomains</key>
        <array>
            <string></string>
        </array>
        <key>OfferedServerAddresses</key>
        <array>
            <string>xxx.xxx.xxx.xxx</string>
            <string>xxx.xxx.xxx.xxx</string>
        </array>
    </dict>
    <key>IPSec</key>
    <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>IdentifierVerification</key>
        <string>None</string>
        <key>LocalCertificate</key>
        <data>
        </data>
        <key>LocalIdentifier</key>
        <string></string>
        <key>RemoteIdentifier</key>
        <string></string>
        <key>SharedSecret</key>
        <string>com.apple.ppp.l2tp</string>
        <key>SharedSecretEncryption</key>
        <string>Keychain</string>
    </dict>
    <key>IPv4</key>
    <dict>
        <key>ConfigMethod</key>
        <string>Manual</string>
        <key>DestAddressRanges</key>
        <array>
            <string>xxx.xxx.xxx.250</string>
            <string>xxx.xxx.xxx.254</string>
        </array>
        <key>OfferedRouteAddresses</key>
        <array/>
        <key>OfferedRouteMasks</key>
        <array/>
        <key>OfferedRouteTypes</key>
        <array/>
    </dict>
    <key>VPNHost</key>
    <string>VPN hostname</string>
</dict>
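The server dictionary above is edited by hand in vi, so a typo in an address or an accidental plaintext secret is easy to miss. The following is an added example (not part of the original how-to, and not Apple's tooling) that builds the same com.apple.ppp.l2tp dictionary with Python's standard plistlib, checks the DNS and address-pool values are real IPv4 addresses, and confirms the IPSec shared secret is referenced by keychain item name rather than stored in the file. All addresses and the host name are constructed sample values; the function names are this example's own.

```python
# Added example (not from the original how-to): build and sanity-check the
# com.apple.ppp.l2tp server dictionary for com.apple.RemoteAccessServers.plist.
# Addresses and host name below are constructed sample values.
import ipaddress
import plistlib


def build_l2tp_server(dns_servers, pool_start, pool_end, vpn_host,
                      search_domains=(), keychain_item="com.apple.ppp.l2tp"):
    """Return the server dict in the shape the how-to edits by hand.

    SharedSecret holds the *name* of the keychain item later created with
    `security add-generic-password`; the secret itself never goes into the file.
    """
    return {
        "DNS": {
            "OfferedSearchDomains": list(search_domains),
            "OfferedServerAddresses": list(dns_servers),
        },
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "IdentifierVerification": "None",
            "LocalCertificate": b"",          # serialised as an empty <data> element
            "LocalIdentifier": "",
            "RemoteIdentifier": "",
            "SharedSecret": keychain_item,
            "SharedSecretEncryption": "Keychain",
        },
        "IPv4": {
            "ConfigMethod": "Manual",
            "DestAddressRanges": [pool_start, pool_end],  # first and last client address
            "OfferedRouteAddresses": [],
            "OfferedRouteMasks": [],
            "OfferedRouteTypes": [],
        },
        "VPNHost": vpn_host,
    }


def check_l2tp_server(server):
    """Return a list of problems found; an empty list means the dict looks sane."""
    problems = []
    for addr in server["DNS"]["OfferedServerAddresses"]:
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"DNS server is not an IPv4 address: {addr!r}")
    ranges = server["IPv4"]["DestAddressRanges"]
    if len(ranges) != 2:
        problems.append("DestAddressRanges must hold exactly a start and an end address")
    else:
        try:
            start, end = (ipaddress.IPv4Address(a) for a in ranges)
            if start > end:
                problems.append("DestAddressRanges start is after its end")
        except ValueError:
            problems.append(f"DestAddressRanges contains a non-IPv4 value: {ranges!r}")
    ipsec = server["IPSec"]
    if ipsec.get("SharedSecretEncryption") != "Keychain":
        problems.append("shared secret should live in the System keychain, not in the plist")
    elif not ipsec.get("SharedSecret"):
        problems.append("SharedSecret must name the keychain item that holds the secret")
    if not server.get("VPNHost"):
        problems.append("VPNHost is empty")
    return problems


def to_plist_xml(server):
    """Serialise the server dict as the XML plist text vpnd reads."""
    return plistlib.dumps(server, fmt=plistlib.FMT_XML).decode()


if __name__ == "__main__":
    sample = build_l2tp_server(["198.51.100.1", "198.51.100.2"],
                               "198.51.100.250", "198.51.100.254",
                               "vpn.example.test")
    print(check_l2tp_server(sample) or "config looks sane")
    print(to_plist_xml(sample))
```

The output is only the server dictionary; it still has to be placed under the Servers key of the file generated from the man page, and the file keeps the root:wheel 644 ownership and mode set earlier.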

manage users

in System Preferences, or from the command line with dscl, e.g. dscl . create /Users/vpntest, followed by the remaining user attributes

modify authentication protocols

  • dscl . read /Users/vpntest AuthenticationAuthority
  • sudo dscl . -delete /Users/vpntest AuthenticationAuthority ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"
  • sudo dscl . -create /Users/vpntest AuthenticationAuthority ";ShadowHash;"
  • sudo dscl . -change /Users/vpntest AuthenticationAuthority ";ShadowHash;" ";ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE,SALTED-SHA512-PBKDF2>"
  • sudo passwd vpntest


  • dscl . read /Users/vpntest AuthenticationAuthority
  • AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE,SALTED-SHA512-PBKDF2>;Kerberosv5;;vpntest@LKDC:SHA1.31045C65F44046CBA1E76210D633F16B056E0363;LKDC:SHA1.320455780470C06CBA1E7610D633F16B056E0363
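The AuthenticationAuthority line returned by dscl packs several authority entries into one value, and the HASHLIST inside the ShadowHash entry is what the steps above change. As an added example (not the original author's commands or Apple's code), the following Python parses that line, lists the stored hash types, reports whether SMB-NT is present and which of the added types store the password in a weaker or reversible form, and builds the quoted dscl -change command. The sample line and the LKDC hash digits are constructed; the tag list and function names are this example's own assumptions.

```python
# Added example (not from the original how-to): parse the AuthenticationAuthority
# attribute printed by `dscl . read /Users/<user> AuthenticationAuthority`,
# inspect the stored hash types, and build the matching `dscl . -change` command.
import re
import shlex

# Authority tags this parser recognises (a partial list; macOS has others).
KNOWN_TAGS = ("ShadowHash", "Kerberosv5", "SecureToken", "DisabledUser", "basic")
_ENTRY_START = re.compile(r";(" + "|".join(KNOWN_TAGS) + r");")

# MS-CHAPv2, which the L2TP/PPP server uses for user authentication, checks the
# NT hash, so SMB-NT is the type the how-to needs. The other added types are the
# trade-off: SMB-NT itself is an unsalted MD4 hash, CRAM-MD5 is an unsalted
# MD5-derived state, and RECOVERABLE is a reversibly encrypted copy of the password.
REQUIRED_FOR_MSCHAPV2 = "SMB-NT"
RISKY_TYPES = {
    "SMB-NT": "unsalted MD4 hash, password-equivalent for NTLM/MS-CHAPv2",
    "CRAM-MD5": "unsalted MD5-derived state, fast to brute-force",
    "RECOVERABLE": "reversible, yields the cleartext password",
}


def parse_authentication_authority(line):
    """Split a dscl AuthenticationAuthority line into (tag, data) entries."""
    if line.startswith("AuthenticationAuthority:"):
        line = line.split(":", 1)[1].strip()
    starts = [m.start() for m in _ENTRY_START.finditer(line)]
    entries = []
    for i, pos in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(line)
        chunk = line[pos:end].strip()            # ";Tag;data" (values may be space-separated)
        tag = _ENTRY_START.match(chunk).group(1)
        entries.append((tag, chunk[len(tag) + 2:]))
    return entries


def hash_types(entries):
    """Return the hash type names listed in the ShadowHash entry's HASHLIST."""
    for tag, data in entries:
        if tag == "ShadowHash":
            m = re.search(r"HASHLIST:<([^>]*)>", data)
            return [h for h in m.group(1).split(",") if h] if m else []
    return []


def review_hash_types(types):
    """Return (mschapv2_possible, warnings) for a list of stored hash types."""
    warnings = [f"{t}: {why}" for t, why in RISKY_TYPES.items() if t in types]
    return REQUIRED_FOR_MSCHAPV2 in types, warnings


def change_command(user, wanted, current=";ShadowHash;"):
    """Build the `dscl . -change` command line the how-to runs, safely quoted.

    `current` defaults to the bare ";ShadowHash;" value created in the previous
    step; `wanted` is the list of hash types to enable.
    """
    new_value = ";ShadowHash;HASHLIST:<" + ",".join(wanted) + ">"
    return shlex.join(["sudo", "dscl", ".", "-change", f"/Users/{user}",
                       "AuthenticationAuthority", current, new_value])


if __name__ == "__main__":
    # Constructed sample output; the LKDC digests are placeholder zeros.
    sample = ("AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,"
              "CRAM-MD5,RECOVERABLE,SALTED-SHA512-PBKDF2> ;Kerberosv5;;vpntest@LKDC:"
              "SHA1.0000000000000000000000000000000000000000;LKDC:SHA1."
              "0000000000000000000000000000000000000000")
    entries = parse_authentication_authority(sample)
    types = hash_types(entries)
    ok, warnings = review_hash_types(types)
    print("stored hash types:", types)
    print("MS-CHAPv2 possible:", ok)
    for w in warnings:
        print("note:", w)
    print(change_command("vpntest", ["SALTED-SHA512-PBKDF2", "SMB-NT"]))
```

Running it against the line above shows that the how-to's HASHLIST enables SMB-NT (which the VPN needs) and also CRAM-MD5 and RECOVERABLE; the last call prints a -change command that enables only SALTED-SHA512-PBKDF2 and SMB-NT, the smaller set a VPN-only account actually requires.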

create shared secret

security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p 'Your Shared Secret' /Library/Keychains/System.keychain

VPN Server start / stop

  • sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
  • sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist