This short tutorial shows how to set up an L2TP VPN connection on your Mac. It also explains the available L2TP authentication options, how to manually set L2TP VPN on Mac, and what alternatives you may consider.
L2TP VPN setup on macOS [Summary]
Setting up L2TP on Mac is easy and the following options are available:
- Option 1: Manually set up the L2TP connection on your Mac:
- Open System Preferences > Network window.
- Add a new connection by clicking on the “+” button.
- Select the VPN as the Interface and L2TP over IPSec as the VPN Type.
- Type in the connection or service name and click on the Create button.
- Enter the VPN server address to the Server Address textbox and the VPN user name to the Account Name field.
- Further, click the Authentication Settings button.
- Select the authentication method for both the user and the machine, usually Shared Secret for machine authentication and Password for user authentication.
- Click the Connect button.
- Option 2: Set up the L2TP connection using a third-party VPN client.
- Option 3: Use a VPN app that can create an L2TP VPN tunnel.
- Option 4: Set up L2TP on your router and connect your Mac to the router.
Are you looking for more options to connect to a VPN on macOS? Here is how to use a VPN on Mac.
What is L2TP? What is L2TP over IPSec?
L2TP (Layer 2 Tunneling Protocol) is a VPN protocol derived from PPTP (Point-to-Point Tunneling Protocol) that does not offer any encryption by itself. That is why L2TP is usually paired with IPSec, an encryption protocol, to secure the data passing the VPN tunnel.
L2TP/IPSec uses a process called double encapsulation: firstly it establishes a PPP connection, and, secondly, it uses IPSec for encryption.
IPSec with AES encryption is considered secure, despite rumors that the NSA deliberately weakened the protocol.
macOS provides native support for the L2TP/IPSec protocol (called L2TP over IPSec), and you may set it up manually from the Network settings.
L2TP over IPSec authentication options
The L2TP over IPSec implementation available in macOS supports multiple authentication mechanisms.
As the L2TP/IPSec consists of two parts, each of them has its own authentication:
- Machine Authentication (for IPSec) has two methods:
- User Authentication (for L2TP), after the Machine Authentication has been successful, with the following options:
- Password – provided by the administrator of the VPN server. It is the simplest authentication method, but the least secure.
- RSA SecurID – RSA SecurIDs are physical devices (a.k.a, tokens) provided to VPN users, that generate random series of numbers that are used for authentication.
- Certificate – Security certificates installed on the VPN user’s device are used to establish a secure connection to the VPN server.
- Kerberos – It is a highly secure authentication method as it transfers the user’s password only once when the user logs into a computer on a network.
- CryptoCard – CryptoCards are physical token generators similar to RSA SecurIDs. However, they can be used for other functions additionally to VPN authentication.
How to set up L2TP VPN on Mac
You may start to configure L2TP on Mac by manually setting up the connection, by installing a VPN client app, or using a native app from a VPN provider.
Manually set up an L2TP VPN connection
macOS allows you to create a new VPN connection with L2TP by setting up the built-in VPN module. The setup consists of the following steps:
- Click on the Apple icon in the top left corner of your screen.
- Open System Preferences and click on the Network icon.
- Click on the “+” button from the left side of the window.
- For the Interface, select VPN.
- Further, choose L2TP over IPSec as the VPN Type.
- Enter the connection name and click on the Create button.
- Start the VPN configuration: enter the VPN server address (name or IP) to the Server Address textbox and the VPN user name to the Account Name field. Keep the checkbox Show VPN status in the menu bar checked.
- Next, click the Authentication Settings … button.
- Select the authentication method for both the user and the machine (explained above). You have to enter the pre-shared key for machine authentication and fill in the password field for user authentication most of the time.
- Optionally, you may change the DNS server settings by clicking the Advanced button.
- Finally, click the Apply button and then Connect.
To disable the VPN on Mac, open the VPN connection properties (System Preferences > Network > VPN connection name) and click on the Disconnect button.
Use a Mac VPN client
Another option at hand is to install a Mac VPN client that is able to create VPN tunnels for various VPN protocols, L2TP/IPSec included.
The following commercial Mac VPN client apps are available:
- Shimo (€49 permanent license) supports L2TP, OpenVPN, SSL, AnyConnect, SSH. L2TP can be set up easily:
- Click the “+” button to create a new connection.
- Choose PPTP/L2TP as the VPN account type and click the Create button.
- Enter the VPN address (Remote Host), the username, and password. Click the Create button.
- Double-click the connection row to open the settings.
- Go to the Advanced tab and change the protocol to L2TP.
- Get back to Basic and choose the authentication methods.
- Click the Save button, and you may initiate the connection.
- VPNTracker is a fantastic VPN client for Mac, but it is quite expensive ($99/year). It allows you to set up L2TP connections on the latest macOS versions easily.
Use native VPN client apps
Most of the top VPN providers offer access to the OpenVPN and WireGuard protocols as they are considered the most secure and reliable. However, there is still VPN software that you may use to connect with L2TP from Mac:
- VPN.ac – The VPN.ac Mac app exposes various flavors of OpenVPN (128-bit, 256-bit, ECC, XOR), but it can also create L2TP/IPSec VPN tunnels.
- StrongVPN offers access to L2TP as a good balance between speed and privacy.
- PureVPN – to get started with this VPN service, subscribe to the 7-day trial for $0.99, install the Mac app, open the App Settings tab, and select the L2TP protocol.
Set up L2TP on your router
When you need to connect several devices to the VPN, a very convenient option is to set up the VPN on your router. Further, by connecting a Mac or a Windows laptop to the router, you start accessing the Internet encrypted and securely.
To set up L2TP on a router (if the router is able to create L2TP connections) you need to:
- Log in to the router admin area.
- Search for the VPN settings page and choose L2TP.
- Set the L2TP parameters (server IP or name, username, password) and authentication settings.
- Connect your Mac to the router and test the VPN connection.
L2TP VPN alternatives on Mac
L2TP is a good VPN protocol, but you may consider using others that are safer, faster, and more reliable:
- OpenVPN is regarded as the de facto VPN standard protocol. It is open-source, secure, and fast. You may either use Tunnelblick or Viscosity to set up OpenVPN on Mac.
- WireGuard, the new kid on the block, is lite, and it seems to be even faster than OpenVPN.
L2TP VPN on Mac FAQs
How secure is L2TP over IPSec?
The IPSec encryption is secure; thus, the L2TP/IPSec protocol is considered safe. However, there are rumors that the NSA has deliberately weakened the protocol.
Is L2TP TCP or UDP?
The L2TP uses UDP (port 1701) to transmit the L2TP packet, including payload and header.
As a viable alternative to PPTP, the L2TP/IPSec protocol provides secure and reliable VPN access. However, it is slower than PPTP.
The major advantage of L2TP/IPSec is that you may still set it up on all major operating systems (Mac, Windows, iOS, Android, Linux).
All recent versions of macOS (Big Sur, Catalina, Mojave included) support L2TP. Thus, you may proceed with the manual setup seamlessly. Additionally, you may initiate an L2TP connection using a third-party VPN client app or a VPN native app. The broader approach is to set up L2TP on your router and connect to the router all devices you need to use the VPN tunnel.
Would you like to learn about VPNs? Subscribe to our newsletter! It will make a Transylvanian baby-bat 🦇happy.