Roadwarrior with Apple macOS & iOS

Using IPsec VPNs with macOS and iOS is very simple to set up in IPFire since Core Update 14X. Settings including certificates can be imported easily into the operating systems by using Apple's configuration profiles.

Create a new Roadwarrior connection

Using Certificates

The connection needs to be set up with a couple of parameters that are supported by macOS and iOS:

  • The IPFire system should have a FQDN which resolves from the public Internet
  • The CA certificate must contain a subjectAlternativeName with the system's FQDN which must be used for IPsec, too

For each device, you will need to create an own connection. In this example, the connection is called MyConnection, the FQDN of my IPFire system is, and my device is called my-iphone.

The connection will give the device access to the subnet and assign a DNS server in that subnet. Using split-horizon DNS is optional and the field can be left empty. If you want your device to pass all traffic through the VPN, you can set the local subnet to

Local ID must be set to the IPFire's FQDN prefixed by an "@" sign. Remote ID must be the system's hostname prefixed by an "@" sign and the hostname must also be added to the certificate as "Subject Alternative Name" prefixed with "DNS:".

Do not forget to set a password to protect the certificate.


Check the box to go to the advanced settings page after you clicked "Save".


Apple devices do not support all ciphers and other algorithms than IPFire does. Only the first selection will be passed in the configuration profile. Supported are as follows:

  • iOS 13: AES-256/192/128-GCM/CBC, SHA512/384/256, MODP-1024 only

Using Pre-Shared-Keys

This version is substantially less secure than using certificates and therefore not recommended, but works too. Make sure you are setting the local and remote IDs.

Import the VPN configuration on your device

After you have created the connection, you can download the Apple configuration profile by clicking the Apple icon next to your new connection and transfer it to your device.

Optionally you can edit the profile with Apple Configurator 2 if you have need for some custom settings.

Import the profile where you will be asked for the password for the private key.


After the profile has been imported, the VPN will connect automatically and will remain established whenever possible.

Edit Page ‐ Yes, you can edit!

Older Revisions • May 28 at 5:47 pm • Michael Tremer