This solution probably applies only to systems that were previously running macOS Server to provide VPN services.
The system I’ve been using to run Indigo for home automation has been stuck on High Sierra, due to the removal of support for the VPN server in the macOS Server application under Mojave. But running an older OS isn’t ideal, for several reasons, so I started searching, again, for a method to provide VPN services under Mojave.
After some brief searching, once again, I found positive reviews for VPN Enabler, a handy, low-cost tool ($15) that provides a GUI for the built-in VPN server in Mojave. The VPN services are still present in later versions of Mojave; Apple simply removed the ability to administer them from the Server application (the Server application doesn’t work at all in the latest versions of Mojave).
After updating the system to Mojave, I purchased and installed VPN Enabler. I reviewed related settings, including those of my router and the OS firewall, and then modified the iOS client settings to match the new settings. Everything was in place.
But it didn’t work. The iOS client was reporting an error that indicated that it was able to reach the remote VPN server, but the VPN server was terminating the connection. I reviewed my router logs and saw that it was detecting the incoming requests, and the port forwarding rules were still correct.
The iOS client messages weren’t very descriptive, so I decided to review the VPN server logs. One way to find them is to go to the Finder and under Go, select “Go to Folder”. Enter “/var/log” and you’ll end up viewing the various log files. The VPN server logs are actually located in “/var/log/ppp” (I’m actually using L2TP, but the logs for those connections are located in the “ppp” directory; in my case the log file was located in /var/log/ppp/vpnd.L2TP.log).
In reviewing the log file, I found messages about my VPN user account and that it was “not authorized for access”.
When I read the instructions for installing VPN Enabler, I noticed that the latest release notes had a comment that if an existing VPN service was detected it would add any new users to the existing VPN group.
Getting ahead for a moment, this was precisely the cause of the problem. My version of VPN Enabler shows that it should have this fix, but in the end it seems that it did not correct it. Perhaps it had something to do with the fact that I had installed it after upgrading my system to Mojave to a point at which the Server application couldn’t be run.
If you think this might be the cause of your problem, here’s how to verify and correct it. Note that in this case I first created the user through VPN Enabler.
Verify whether or not the com.apple.access_vpn group already exists
Via the Terminal, type the following command:
dscacheutil -q group | grep vpn
If it does exist, you should see this output:
Verify whether or not your VPN user account is in the com.apple.access_vpn group
At the Terminal, type the following command (replace username with your VPN username):
id -Gn username
This will output a list of groups the user is a part of, including everyone, staff and some others. If you do not see this user in the com.apple.access_vpn group, that’s likely the problem (but note that this is probably only a problem IF you were already using the built-in VPN server).
Adding your VPN user account to the com.apple.access_vpn group
Use the following command, again replacing username with your VPN user account (this should all be on one line).
sudo dseditgroup -o edit -a username -t user com.apple.access_vpn
Verify the VPN user is now in the com.apple.access_vpn group
This is simply done using the same command from earlier, again at the Terminal:
id -Gn username
If the cause of your problem is the same that I experienced, this should solve your problem.
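The checks above combined into one script, as an added example that is not part of the original post: it counts the “not authorized for access” entries in the VPN log and tests group membership by exact name, then prints the dseditgroup command instead of running it. The function names and the script name vpn_check.sh are made up for illustration, and the log path is the one from this post.

```shell
#!/bin/sh
# Added example: diagnose the "not authorized for access" VPN failure.
VPN_GROUP="com.apple.access_vpn"
VPN_LOG="/var/log/ppp/vpnd.L2TP.log"   # path from the post; yours may differ

# count_denied FILE: number of log lines containing the denial message.
# Prints 0 if the file is missing or unreadable.
count_denied() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c "not authorized for access" "$1" || true
}

# in_vpn_group "GROUP LIST": succeeds only on an exact group-name match,
# so a similarly named group cannot produce a false positive the way a
# plain "grep vpn" over the list could.
in_vpn_group() {
    for g in $1; do
        if [ "$g" = "$VPN_GROUP" ]; then return 0; fi
    done
    return 1
}

# diagnose USER: report membership and print (never run) the fix.
diagnose() {
    user=$1
    memberships=$(id -Gn "$user" 2>/dev/null) || {
        echo "unknown user: $user"
        return 2
    }
    if in_vpn_group "$memberships"; then
        echo "$user is in $VPN_GROUP"
    else
        echo "$user is NOT in $VPN_GROUP; to add the account:"
        echo "  sudo dseditgroup -o edit -a $user -t user $VPN_GROUP"
        return 1
    fi
}

# Runs only when a username is given: sh vpn_check.sh username
if [ $# -ge 1 ]; then
    echo "denied entries in $VPN_LOG: $(count_denied "$VPN_LOG")"
    diagnose "$1"
fi
```

If the denial count keeps rising after the account has been added to the group, the cause is something other than group membership.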