Virtual Private Networks (VPNs) are recommended privacy tools that help conceal your online activity from prying eyes. Whether it's custom software, OpenVPN or Mac's built-in VPN solution that you're interested in, our guide is here to simplify things by walking you through their benefits and how to set them up.
Use a VPN’s custom Mac software
The first thing to do is to choose the right provider for you. While we’ve made things easier for you with our list of the best Mac VPNs out there, there are a few things to take into consideration depending on what you want a VPN for:
- Privacy – All VPNs are designed hide your IP address from internet service providers and authorities like the government, but not all offer the same amount of privacy. Some retain identifiable data on their users, such as usage logs. For ultimate privacy, you’ll want to select a reliable no-logs VPNs.
- Streaming - Since VPNs allow you to change your IP’s location to almost anywhere in the world, they allow you to unblock restricted websites and get around censorship. Not all of them can get around geo-restricted streaming services, however, as country-specific services detect and block those trying to access from another country. You’ll need a specific Hulu or BBC iPlayer VPN if you want access to these platforms, or a Netflix VPN to unlock regional content.
- Torrenting - If you torrent without a VPN, your real, identifiable IP address will appear in the Peers section and leave you exposed to all sorts of repercussions. A VPN can help with this, but not all providers allow for torrenting. Instead, you need a torrenting VPN that specifically states that it allows for torrenting, as these services have a vested interest in protecting your privacy.
- Multi-device - It’s all well and good selecting the perfect VPN for your macOS device, but if you are using it on more than just your Mac, then the number of simultaneous connections and systems supported will affect your decision.
macOS is not quite as well supported by custom VPN clients as Windows is, but there are still plenty to choose from that offer dedicated Mac software. Most follow the same principles to install, but there might be slight variances to account for that are shown on the provider’s set of instructions:
- Register to a VPN. See our best VPNs guide for more information.
- Download its Mac software.
- Install the app. This usually just involves double-clicking on the downloaded .dmg file and following instructions.
- Run the app. You’ll likely be prompted to enter your account details on the first run. Note that it is normal for VPN apps to require admin privileges to run.
Once in the app, simply select a VPN server you wish to connect to, and hit "Connect.” It is worth, however, going through the app’s options. Important settings such as DNS leak protection and kill switches are often optional and must be manually enabled. I have no idea why, but there you go.
ExpressVPN’s "Network Lock feature provides a firewall-based kill switch and DNS leak protection. So do be sure it is turned on.
You may also want to check that the app is using the OpenVPN protocol, as many default to less secure (but possibly faster) VPN protocols. Pleases see here for more information on VPN protocols.
Tunnelblick is an open source, free to download OpenVPN client that can be configured to work with either special Tunnelblick configuration files (.tblk), or any standard OpenVPN configuration files (.ovpn and .conf).
It now includes full DNS leak and Web Real-Time Communication (WebRTC) leak protection. The latest beta client also features a firewall-based kill switch.
Download Tunnelblick or regular OpenVPN configuration files from your chosen VPN service. You will need one file per VPN server location, although it's often possible to download multiple configurations in a single zip file. In this case, you'll need to unzip the files before they can be used.
Download, install and launch Tunnelblick. On the Welcome screen, select "I have the configuration files.”
Drag the configuration file (or multiples files for multiple server configurations) to the Tunnelblick icon in the menu bar.
Hit "Install,” then choose whether to install just for yourself or all users of your Mac. It will probably ask for your Admin password.
And that’s your VPN all set up! To connect to a VPN server, click on the Tunnelblick icon in the menu bar and select a VPN server.
The icon will turn a darker shade to indicate that you are connected. If you hover the cursor over it, it will display additional information.
Turn on DNS leak protection
IPv4 and IPv6 DNS leak protection are not enabled by default in Tunnelblick. To enable DNS leak protection go to Configurations -> Settings and tick the boxes next to Route all IPv4 traffic through the VPN and Disable IPv6.
Note that Tunnelblick does not protect against WebRTC leaks. As such, you'll need to fix the issue manually (Safari is not affected, anyway).
Turning on kill switch on Mac
New to the latest beta version of Tunnelblick is a very welcome kill switch feature. This ensures that your real Internet Protocol (IP) address is not exposed in the event of a VPN dropout.
To enable the kill switch, go to Configurations and click on the individual VPN configuration (the kill switch must be enabled for each configuration). Click on the On unexpected disconnect field and select Disable Network Access from the drop-down menu.
Manually Configure VPN for Mac PPTP, L2TP/IPsec, or IKEv2
macOS comes with a built-in VPN client that supports the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. For reasons discussed in detail in VPN Encryption: The Complete Guide, I always recommend using an OpenVPN app instead. But IKEv2 is also a good option.
The big advantage of PPTP, L2TP/IPsec, and IKEv2 VPN connection is that they can be set up without the need to download a third party VPN app.
Go to System Preferences -> Network. Click the + button and select Interface: VPN in the pop-up dialog box.
Choose a VPN protocol("VPN Type”) and pick a name for the VPN connection (optional).
Fill in server details with the settings provided by your chosen VPN service.
The built-in macOS VPN client does not feature any form of WebRTC leak protection, so if using a vulnerable browser you should disable WebRTC manually. Note that Safari does not use WebRTC and is therefore not vulnerable to WebRTC leaks. It is, however, closed source proprietary software.
How to Test a VPN for Mac
No matter what kind of VPN you use, macOS will display an icon in the notification bar whenever the VPN is connected. This lets you know at-a-glance that you are protected.
Clicking on the icon will usually display additional details and options. For further confirmation the VPN is connected and working correctly, you can run an IP leak test…
Check Mac VPN for IP leaks
Once connected to the VPN (using whatever method), it is a good idea to check for IP leaks.
The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. To call this a failure is an understatement.
For more information about staying secure online in the United Kingdom, take a look at our Best VPN UK guide.
Note that Private-Use - [RFCxxxx] IPs are local IPs only. They cannot be used to identify an individual or device, and so do not constitute an IP leak.