To improve security and performance, we’re removing support for the IKEv2 VPN protocol from our macOS app. If you currently use IKEv2, you’ll need to switch to a modern VPN protocol before the change takes effect.

Apple’s native IKEv2 implementation on macOS has been a source of ongoing security concerns, including traffic leaks that can expose your real IP address. Powerful, sleek, and secure modern VPN protocols — such as WireGuard®(nueva ventana) and our own Stealth protocol — offer better performance and stronger privacy guarantees.

There is no longer a reason for us to continue supporting IKEv2, and we have long since stopped doing so on all our other apps.

What to use instead of IKEv2

Instead of IKEv2, you can use:

  • Smart Protocol (default): Let the app automatically select the best protocol for your network. This is the easiest option, and is enabled by default. Smart Protocol will intelligently switch between protocols and ports as needed.
  • WireGuard: A fast, lightweight, and secure protocol that is now the default on our macOS app. WireGuard offers significantly better performance than IKEv2, with the added benefit of excellent security.
  • Stealth: Our custom obfuscation protocol is based on WireGuard and tunneled over TLS. Stealth is designed to defeat censorship and deep packet inspection in restrictive network environments.
Change VPN protocol on macOS

Learn how to change VPN protocols or select Smart Protocol

Don’t see WireGuard or Stealth as an option?

WireGuard and Stealth require the use of a macOS network extension (called system extensions on older macOS versions). If you don’t see these protocols listed in your Proton VPN app, it likely means the system isn’t enabled. This is a common issue, as macOS blocks third-party system extensions by default as a security measure, and you need to manually allow them.

Learn how to install macOS network extensions

macOS network extensions

Who is affected?

This update affects everyone using the IKEv2 protocol in the Proton VPN macOS app. If you haven’t manually changed VPN protocol, you are most likely already using WireGuard or Smart Protocol and don’t need to do anything.To check your current protocol, open the Proton VPN app and go to SettingsConnection tab → Protocol. If it shows Smart, WireGuard, WireGuard (TCP), or Stealth, you’re all set.

What do you need to do?

  • If your protocol is set to Smart, WireGuard, or Stealth: Nothing. You’re already using a modern protocol.
  • If your protocol is set to IKEv2: Switch to Smart Protocol or WireGuard in Settings → Connection → Protocol.
  • Check your connection profiles: If you have created custom VPN connection profiles, these may still use IKEv2 (even after you’ve updated your default protocol). Go to the Profiles tab, review each profile, and switch any that still use IKEv2 to Smart Protocol or WireGuard.
An IKEv2 VPN profile

When do you need to do it?

We’ll be removing IKEv2 support from our servers starting April 2026. The entire process won’t happen overnight (final support will end in February 2027), but it will become increasing likely that your IKEv2 connection will fail  April 2026 onward.

Why are we making this change?

In addition to the security concerns about Apple’s IKEv2 implementation, and the fact that modern WireGuard-based protocols offer much better performance than IKEv2, maintaining support for IKEv2 has negative consequences for all our users.

IKEv2 operates on well-known, fixed ports (UDP 500 and 4500) that are trivially easy to scan for. Countries that censor the internet (such as China, Russia, and Myanmar) actively probe these ports to detect and flag the IP addresses of our VPN servers.

Once flagged, these IP addresses are added to commercial databases (“blacklists”) used by websites, streaming services, and other online platforms to block access or serve CAPTCHAs to anyone connecting from those addresses.

This affects everyone in Proton VPN community who uses these servers, not just those using IKEv2. By closing these ports, we make our servers significantly harder to fingerprint and reduce the likelihood of our IP addresses being flagged. The result is a better browsing experience for everyone.

Removing IKEv2 from our macOS app allows us to:

  • Improve your security: Apple’s IKEv2 implementation has known vulnerabilities that are outside our control to fix. By moving to protocols fully managed by us, we can protect your privacy better.
  • Reduce complexity: Supporting fewer protocols means a leaner, more reliable app with fewer potential points of failure.
  • Accelerate development: A simpler codebase lets us ship new features and improvements faster.
  • Deliver better performance: WireGuard and Stealth are modern protocols built from the ground up to be fast and efficient, offering noticeably better speeds and lower battery drain than IKEv2.

A better, faster VPN experience

WireGuard is faster, more battery-efficient, and reconnects more quickly than IKEv2 — especially when switching between Wi-Fi and mobile networks. Combined with Smart Protocol’s automatic network probing, you’ll get the best possible connection without having to think about protocol selection at all.

If you connect to Proton VPN from a censored environment, Stealth provides robust obfuscation capabilities that IKEv2 simply does not. This change will result in a better VPN experience for all our macOS community members.