How to Build Your Own VPN with the $20 macOS Server

VPNs can be useful tools for keeping you secure online. A VPN encrypts your traffic, useful when you’re using a public Wi-Fi hotspot or any network you don’t trust. There are many different third party VPN services to choose from, but ultimately using a VPN means trusting the service will keep your browsing data private.

Unless, of course, you build your own VPN. It sounds hard to do, right? But if you’ve got a Mac desktop that’s always connected to your network, you can set up your own VPN server for just $20, and it probably won’t take you more than a half hour to set up if you know your way around a network. And if you don’t, this is a good chance to learn.

Apple’s server software, macOS Server, offers a VPN service that’s easy to configure, giving you encrypted internet access from anywhere while also allowing you to access your files remotely. You’ll just need:

  • A Mac desktop that’s always connected to your network via ethernet. You could find a cheap Mac Mini on Craigslist, or you could use an existing iMac if you have one.
  • macOS Server, which you can download from the Mac App Store for $20.
  • A router you can configure with port forwarding and dynamic DNS. Apple’s AirPort routers make things very simple thanks to integration, but most routers should work fine.

Here’s how to set all this up. It’s not as complicated as it sounds, we promise.

Step One: Install macOS Server

The first thing you’ll need to do, assuming you haven’t already, is purchase macOS Server ($20) from the Mac App Store and install it on the computer you plan to use as your VPN. This could be your iMac, if you own one, or you could use a Mac Mini purchased specifically for use as a server: it’s up to you.

Feel free to launch the software after installing; it will configure a few things and then be more or less ready for you. In order to use the VPN, however, we need to configure a few things on your network.

Step Two: Set Up Port Forwarding

Connecting to your VPN requires port forwarding, which needs to be configured at the router level. If you own an Apple AirPort router, congratulations: macOS Server will do this automatically when you set up your VPN. Feel free to skip this section, and follow the prompts when they come up later.

If you use a non-Apple router, however, you’ll need to set things up yourself. We’ve talked about setting up port forwarding in the past, so read that article for more detail. But to summarize, you need to start by accessing your router’s admin interface by typing your router IP address into a web browser.

From there, you need to find the port forwarding settings, and forward the following ports to your macOS Server’s IP address:

  • UDP 500, for ISAKMP/IKE
  • UDP 1701, for L2TP
  • UDP 4500, for IPsec NAT Traversal

How you do this will depend on your router; again, read our article on port forwarding for more information. Depending on your router setup, you may also want to set up a local static IP for that Mac.
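Before you touch the router, it is worth confirming that the Mac is really listening on those three UDP ports, so that a failed connection later isn’t blamed on the forwarding rules. The following shell check is an added example, not part of the original article: it parses the output of `netstat -an -p udp` on the server, and the listing embedded at the bottom is a constructed sample for illustration.

```shell
#!/bin/sh
# Added example, not from the article: confirm the Mac is actually listening
# on the three UDP ports before forwarding them at the router. On the server
# run it as: vpn_listen_report "$(netstat -an -p udp)"

# The ports the article says to forward, with the role of each.
VPN_PORTS="500:ISAKMP/IKE 1701:L2TP 4500:IPsec-NAT-Traversal"

# port_listening PORT NETSTAT_OUTPUT
# Succeeds if any UDP socket in the netstat listing is bound to PORT.
port_listening() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 ~ /^udp/ {
      n = split($4, a, "[.]")   # macOS prints *.500 or 192.168.1.10.500
      if (a[n] == p) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# vpn_listen_report NETSTAT_OUTPUT
# Prints one line per VPN port; exit status is the number of ports not bound.
vpn_listen_report() {
  missing=0
  for entry in $VPN_PORTS; do
    port=${entry%%:*}
    role=${entry#*:}
    if port_listening "$port" "$1"; then
      echo "UDP $port ($role): listening"
    else
      echo "UDP $port ($role): NOT listening, enable the VPN service first"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# Constructed sample of 'netstat -an -p udp' output from a server where the
# VPN service is on but NAT traversal (4500) has not been bound.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.500                  *.*
udp4       0      0  *.1701                 *.*
udp4       0      0  192.168.1.10.5353      *.*'

vpn_listen_report "$SAMPLE_NETSTAT" || echo "$? port(s) not yet listening"
```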

Step Three: Set Up Dynamic DNS

Have you paid your ISP for a static IP? If so you can skip this step and use that IP to connect to your VPN. (Note: This is not the same as the static IP we discussed in the last section; this is a static IP for your whole network—not one computer. Only your ISP can provide this, and not all do.)

If your ISP doesn’t provide static IP addresses, or you haven’t paid for one, you’ll have to set up dynamic DNS on your router instead, which gives you a web address you can use to connect to your home network from afar. Our article on the subject explains how.

I use NoIP, which is free, but there are plenty of options out there. Simply sign up for a service and configure your router to use it. In the rare case that your router doesn’t support dynamic DNS, there’s software you can install on your server to monitor your IP instead.

Step Four: Enable the VPN Service

Head back to your macOS Server, if you weren’t using it already, and launch the macOS Server software. Head to the VPN section.

In the “VPN Host Name” field, type the Dynamic DNS address you set up above (or your ISP’s static IP, if you have one). In the “Shared Secret” field, create a custom shared secret: the longer and more random it is, the more secure your connection will be. Copy this secret for use on other machines.

Everything else here is basically optional, and intended more for advanced users. Client Addresses lets you designate a block of local IP addresses for connected devices. DNS settings lets you define the DNS servers used by connected devices. And Routes lets you define the connection path used by connected devices.

When you’ve configured everything to your liking, click the big On/Off switch at top-right. Your VPN will turn on.

Finally, there’s the “Configuration Profile” button. This will create a file you can send to macOS and iOS devices for quickly configuring a connection to your VPN, saving you and any other users from having to type out the Shared Secret and configuring things.
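Since the shared secret above is a pre-shared key that every client of the VPN carries, it is better generated than typed. The shell example below is added here and is not from the article or from Apple: it builds a secret from /dev/urandom and gives a rough entropy estimate for any candidate; the 128-bit threshold and the 32-symbol punctuation class are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: generate a shared secret that is long
# and random, and estimate how strong a candidate secret is before using it.
# Assumes /dev/urandom and the base64 tool, both present on macOS and Linux.

# make_shared_secret [BYTES]
# Prints BYTES random bytes (default 32, i.e. 256 bits) as one base64 line.
make_shared_secret() {
  head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
  echo
}

# secret_entropy_bits SECRET
# Rough estimate: length x log2(size of the character classes it draws from).
# This is an upper bound; a dictionary word is far weaker than it scores.
secret_entropy_bits() {
  printf '%s\n' "$1" | awk '{
    size = 0
    if ($0 ~ /[a-z]/)          size += 26
    if ($0 ~ /[A-Z]/)          size += 26
    if ($0 ~ /[0-9]/)          size += 10
    if ($0 ~ /[^A-Za-z0-9]/)   size += 32   # punctuation, assumed ~32 symbols
    if (size == 0) { print 0; exit }
    printf "%d\n", length($0) * log(size) / log(2)
  }'
}

# secret_is_strong SECRET
# Succeeds only if the estimate reaches 128 bits, the bar assumed here for
# a pre-shared key that every client of the VPN will carry.
secret_is_strong() {
  [ "$(secret_entropy_bits "$1")" -ge 128 ]
}

# Compare a weak human-chosen secret with a generated one.
for s in "password" "$(make_shared_secret)"; do
  if secret_is_strong "$s"; then
    echo "strong ($(secret_entropy_bits "$s") bits): $s"
  else
    echo "weak   ($(secret_entropy_bits "$s") bits): $s"
  fi
done
```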

How to Connect to Your VPN

Now that your VPN is set up, it’s time to connect to it using another device. Note that you can’t connect locally: it will only work if you’re outside your home network. I connected to my neighbor’s Wi-Fi to test things, though you could disable Wi-Fi on your phone and connect via your data connection instead.

The simplest way to connect on a Mac is to create a Configuration Profile on the server hosting your VPN connection, then open that Profile. This will configure your Mac to connect to your VPN, requiring only a username and password.

If that’s not an option, it’s also possible to do this manually. Head to System Preferences > Network, then click the “+” button at bottom-left to add a new network. Choose “VPN.”

Choose “L2TP over IPSec” as the VPN type, then give it whichever name you like. Click “Create.”

Under “Server Address” use your static IP or dynamic DNS address, and under “Account Name” use the primary account used on your macOS Server. Next click “Authentication Settings.”

Enter your Shared Secret, and optionally your user password if you’d prefer not to have to enter it every time.

You should now be able to connect to your VPN! You can also connect from iOS, Windows, Linux, and Android devices, assuming they support L2TP. You’ll just need:

  • Your dynamic DNS address, or IP address
  • The VPN type, which is L2TP using IPSec
  • Your Shared Secret
  • A username and password

We’ve got articles explaining how to connect to a VPN from every major platform. Combine these with the above knowledge and you’ll be connected in no time.

How fast your personal VPN runs will depend on your home internet connection’s upload speed, and it will almost certainly be slower than just connecting to a network without a VPN. Still, when you need security, it’s nice to have something you built yourself, and access to the files on your home network is an added plus.

Justin Pot is a staff writer for How-To Geek, and a technology enthusiast who lives in Hillsboro, Oregon. Follow him on Twitter and Facebook, if you want. You don't have to.