How Do I Install a VPN on a Mac? - How do I Configure a VPN on my Mac?

Most VPN providers feature detailed Mac setup guides on their websites, but this article provides a general overview of how to install a VPN for Mac.

Use a VPN’s custom Mac software

macOS is not quite as well supported by custom VPN clients as Windows is, but most VPNs offer dedicated Mac software. As we shall see in a bit, manually configuring a VPN in MacOS is not hard, but using a custom VPN is just insanely easy.

Because of the custom nature of the software, setup details can vary a little from VPN to VPN. However, in general:

  1. Register to a VPN, see our best VPNs guide for more information.
  2. Download its Mac software.
  3. Install the app. This usually just involves double-clicking on the downloaded .dmg file and following instructions.
  4. Run the app. You’ll likely be prompted to enter your account details on the first run. Note that it is normal for VPN apps to require admin privileges to run.

Once in the app, simply select a VPN server you wish to connect to, and hit “Connect.” It is worth, however, going through the app’s options. Important settings such as DNS leak protection and kill switches are often optional and must be manually enabled. I have no idea why, but there you go.

Expressvpn Mac 2

ExpressVPN’s “Network Lock feature provides a firewall-based kill switch and DNS leak protection. So do be sure it is turned on.

You may also want to check that the app is using the OpenVPN protocol, as many default to less secure (but possibly faster) VPN protocols. Pleases see here for more information on VPN protocols.


Tunnelblick is an open source free to download OpenVPN client that can be configured to work with either special Tunnelblick configuration files (.tblk), or any standard OpenVPN configuration files (.ovpn and .conf).

It now includes full DNS leak and Web Real-Time Communication (WebRTC) leak protection. The latest beta client also features a firewall-based kill switch.

1. Download Tunnelblick or regular OpenVPN configuration files from your chosen VPN service. You will need one file per VPN server location, although it's often possible to download multiple configurations in a single zip file. In this case, you'll need to unzip the files before they can be used.

2. Download, install and launch Tunnelblick. On the Welcome screen, select “I have the configuration files.”

Tunnelblick 1

3. Drag the configuration file (or multiples files for multiple server configurations) to the Tunnelblick icon in the menu bar.

Tunnelblick 3

4. Hit “Install,” then choose whether to install just for yourself or all users of your Mac. It will probably ask for your Admin password.

Tunnelblick 6

5. And that’s setup done! To connect to a VPN server, click on the Tunnelblick icon in the menu bar and select a VPN server.

Tunnelblick 4

The icon will turn a darker shade to indicate that you are connected. If you hover the cursor over it, it will display additional information.


Turn on DNS leak protection

IPv4 and IPv6 DNS leak protection are not enabled by default in Tunnelblick. To enable DNS leak protection go to Configurations -> Settings and tick the boxes next to “Route all IPv4 traffic through the VPN” and “Disable IPv6.”

Tunnelblick 7

Note that Tunnelblick does not protect against WebRTC leaks. As such, you'll need to fix the issue manually (Safari is not affected, anyway).

Turning on kill switch on Mac

New to the latest beta version of Tunnelblick is a very welcome kill switch feature. This ensures that your real Internet Protocol (IP) address is not exposed in the event of a VPN dropout.

To enable the kill switch, go to Configurations and click on the individual VPN configuration (the kill switch must be enabled for each configuration). Click on the “On unexpected disconnect” field and select Disable Network Access from the drop-down menu.

Tunnelblick Kill Switch

Manually Configure VPN for Mac PPTP, L2TP/IPsec, or IKEv2

macOS comes with a built-in VPN client that supports the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. For reasons discussed in detail in VPN Encryption: The Complete Guide, I always recommend using an OpenVPN app instead. But IKEv2 is also a good option.

The big advantage of PPTP, L2TP/IPsec and IKEv2 VPN connection is that they can be setup without the need to download a third party VPN app.

  1. Go to System Preferences -> Network. Click the + button and select Interface: VPN in the pop-up dialog box.
  2. Choose a VPN protocol (“VPN Type”) and pick a name for the VPN connection (optional).

Macos 1

  1. Fill in server details with the settings provided by your chosen VPN service.


The built-in macOS VPN client does not feature any form of WebRTC leak protection, so if using a vulnerable browser you should disable WebRTC manually. Note that Safari does not use WebRTC and is therefore not vulnerable to WebRTC leaks. It is, however, closed source proprietary software.

How to Test a VPN for Mac

No matter what kind of VPN you use, macOS will display an icon in the notification bar whenever the VPN is connected. This lets you know at-a-glance that you are protected.

Airvpn Mac

Clicking on the icon will usually display additional details and options. For further confirmation the VPN is connected and working correctly, you can run an IP leak test…

Check Mac VPN for IP leaks

Once connected to the VPN (using whatever method), it is a good idea check for IP leaks.

Ip Leak Example 2

The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK  IPv6 address via both a regular DNS leak and WebRTC. Fail!

For more information about staying secure online in the United Kingdom, take a look at our Best VPN UK guide.

Note that Private-Use - [RFCxxxx] IPs are local IPs only. They cannot be used to identify an individual or device, and so do not constitute an IP leak.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


There are no comments yet.

Got Something to Say?

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

Large brand with very good value, and a budget price

Longtime top ranked VPN, with great price and speeds

One of the largest VPNs, voted best VPN by Reddit