If you want to learn about why you should use a VPN on your MacBook, iMac, or Mac Mini, please check out 5 Best VPNs for macOS. As its name would suggest, that article also recommendations some great VPN services to use with your Mac.
Most VPN providers feature detailed Mac setup guides on their websites, but this article provides a general overview of how to install a VPN on your Mac.
Use a VPN’s custom Mac software
macOS is not quite as well supported by custom VPN clients as Windows is, but most VPNs offer dedicated Mac software. As we shall see in a bit, manually configuring a VPN in MacOS is not hard, but using a custom VPN is just insanely easy.
Because of the custom nature of the software, setup details can vary a little from VPN to VPN. However, in general:
- Register an account with your chosen VPN provider.
- Download its Mac software.
- Install the app. This usually just involves double-clicking on the downloaded .dmg file and following instructions.
- Run the app. You’ll likely be prompted to enter your account details on the first run. Note that it is normal for VPN apps to require admin privileges to run.
Once in the app, simply select a VPN server you wish to connect to, and hit “Connect.” It is worth, however, going through the app’s options. Important settings such as DNS leak protection and kill switches are often optional and must be manually enabled. I have no idea why, but there you go.
ExpressVPN’s “Network Lock feature provides a firewall-based kill switch and DNS leak protection. So do be sure it is turned on.
You may also want to check that the app is using the OpenVPN protocol, as many default to less secure (but possibly faster) VPN protocols. Pleases see here for more information on VPN protocols.
Tunnelblick is a free and open source OpenVPN client that can be configured to work with either special Tunnelblick configuration files (.tblk), or any standard OpenVPN configuration files (.ovpn and .conf).
It now includes full DNS leak and Web Real-Time Communication (WebRTC) leak protection. The latest beta client also features a firewall-based kill switch.
1. Download Tunnelblick or regular OpenVPN configuration files from your chosen VPN service. You will need one file per VPN server location, although it’s often possible to download multiple configurations in a single zip file. In this case, you’ll need to unzip the files before they can be used.
3. Drag the configuration file (or multiples files for multiple server configurations) to the Tunnelblick icon in the menu bar.
4. Hit “Install,” then choose whether to install just for yourself or all users of your Mac. It will probably ask for your Admin password.
5. And that’s setup done! To connect to a VPN server, click on the Tunnelblick icon in the menu bar and select a VPN server.
The icon will turn a darker shade to indicate that you are connected. If you hover the cursor over it, it will display additional information.
Turn on DNS leak protection
IPv4 and IPv6 DNS leak protection are not enabled by default in Tunnelblick. To enable DNS leak protection go to Configurations -> Settings and tick the boxes next to “Route all IPv4 traffic through the VPN” and “Disable IPv6.”
Note that Tunnelblick does not protect against WebRTC leaks. As such, you’ll need to fix the issue manually (Safari is not affected, anyway).
Turn on the kill switch
New to the latest beta version of Tunnelblick is a very welcome kill switch feature. This ensures that your real Internet Protocol (IP) address is not exposed in the event of a VPN dropout.
To enable the kill switch, go to Configurations and click on the individual VPN configuration (the kill switch must be enabled for each configuration). Click on the “On unexpected disconnect” field and select Disable Network Access from the drop-down menu.
Manually configure PPTP, L2TP/IPsec, or IKEv2
macOS comes with a built-in VPN client that supports the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. For reasons discussed in detail in VPN Encryption: The Complete Guide, I always recommend using an OpenVPN app instead. But IKEv2 is also a good option.
The big advantage of PPTP, L2TP/IPsec and IKEv2 VPN connection is that they can be setup without the need to download a third party VPN app.
- Go to System Preferences -> Network. Click the + button and select Interface: VPN in the pop-up dialog box.
- Choose a VPN protocol (“VPN Type”) and pick a name for the VPN connection (optional).
- Fill in server details with the settings provided by your chosen VPN service.
The built-in macOS VPN client does not feature any form of WebRTC leak protection, so if using a vulnerable browser you should disable WebRTC manually. Note that Safari does not use WebRTC and is therefore not vulnerable to WebRTC leaks. It is, however, closed source proprietary software.
How do I know the VPN is working?
No matter what kind of VPN you use, macOS will display an icon in the notification bar whenever the VPN is connected. This lets you know at-a-glance that you are protected.
Clicking on the icon will usually display additional details and options. For further confirmation the VPN is connected and working correctly, you can run an IP leak test…
Check for IP leaks
Once connected to the VPN (using whatever method), it is a good idea check for IP leaks.
The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
Note that Private-Use – [RFCxxxx] IPs are local IPs only. They cannot be used to identify an individual or device, and so do not constitute an IP leak.
macOS is a great platform to run a VPN on. It is also very easy to do so!
Image credit: By guteksk7/Shutterstock