
Proton VPN macOS manual IKEv2 VPN setup

Note: We have an official Proton VPN app for macOS that provides the easiest way to connect to our servers and allows you to benefit from many of Proton VPN’s advanced features. For example:

Get Proton VPN for macOS

You can also connect to Proton VPN servers manually using the following VPN protocols:

  • OpenVPN (using TunnelBlick)
  • WireGuard (using any “vanilla” WireGuard client, including the official open-source app)
  • IKEv2 (using the built-in macOS VPN client)

In this guide, we show you how to manually configure devices running Mac OS X 10.11 (El Capitan) or newer to connect to our servers using the IKEv2 protocol. Please note that connecting in this way means you will not benefit from the advanced features available through the official Proton VPN macOS app.

macOS manual IKEv2 VPN setup for Proton VPN

1. Import the Proton VPN IKEv2 certificate.

Click here to download the certificate, and open it in Finder. This will open the Keychain Access app, and you will be asked to verify that you wish to import the certificate into your Keychain.

2. Trust IKEv2 connections using the certificate.

In Keychain Access, find the Proton VPN Root CA → right-click → Get info. (The same certificate will appear in both the login and System Roots keychains. You can edit either instance.)

Get info for the Proton VPN certificate

3. Trust IKEv2 when using the certificate.

Using the dropdown menu next to IP Security (IPsec), select Always Trust. You do not need to trust this certificate for any other purpose. Be sure to close the window when you’re done (x), at which point you will be asked to verify the changes using your password or biometrics. 

Trust IP Security (IPsec)

4. Go to System Preferences → Network → +.

Add new network

5. Create a new network interface.

Select:

  • Interface: VPN
  • VPN Type: IKEv2
  • Service name: Choose any name for the VPN connection that makes sense to you

Set up an IKEv2 VPN interface

6. Enter VPN server details.

Enter the name of the VPN server you would like to connect to into both the Server Address and Remote ID fields. Click Authentication Settings… when you’re done.

Enter server settings

To find the names of our VPN servers, log in to account.protonvpn.com using your browser and go to Downloads → OpenVPN Configuration files → select the server you would like to connect to, and in the Actions column next to it, click the dropdown icon to see the server name.

Clicking on the server name will save it to your clipboard for easy pasting into the macOS Settings menu. 

Proton VPN server names

7. Ensure authentication by Username is selected (it is by default), and enter your IKEv2 login details. Click OK when you’re done.

Enter IKEv2 login details

 

These IKEv2 login details are not the same as your regular Proton VPN login details. To find your IKEv2 login details, log in to account.protonvpn.com and go to Account → OpenVPN / IKEv2 username.

 

IKEv2 and OpenVPN login details

8. Back on the main Network Settings screen, click Apply to finish setting up the new VPN connection and Connect to establish a VPN connection to our server.

Apply and Connect

You are now connected to Proton VPN using IKEv2!

Connected
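
The settings entered in steps 4 to 7 can also be written as a macOS configuration profile (.mobileconfig). The following is an added example, not Proton VPN's own configuration: the function name, the `example.*` payload identifiers and the empty Local ID are assumptions, and the IKE and Child SA parameters are left at the client defaults because this guide does not state them.

```python
import plistlib
import uuid


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_ikev2_profile(server_name, ikev2_username, service_name, root_ca_der=None):
    """Return .mobileconfig bytes mirroring steps 4-7 (plus the CA from step 1)."""
    if not server_name or any(c.isspace() for c in server_name):
        raise ValueError("server_name must be a single hostname")
    if not ikev2_username:
        raise ValueError("ikev2_username is required")
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.manual-ikev2.vpn",  # hypothetical identifier
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": service_name,
        "UserDefinedName": service_name,      # step 5: Service name
        "VPNType": "IKEv2",                   # step 5: VPN Type
        "IKEv2": {
            "RemoteAddress": server_name,     # step 6: Server Address
            "RemoteIdentifier": server_name,  # step 6: Remote ID, same value
            "LocalIdentifier": "",            # assumption: the guide sets no Local ID
            "AuthenticationMethod": "None",   # no shared secret or client certificate
            "ExtendedAuthEnabled": 1,         # step 7: authenticate by username
            "AuthName": ikev2_username,
            # AuthPassword is left out so the secret is not stored in the file.
        },
    }
    payloads = [vpn]
    if root_ca_der is not None:
        payloads.insert(0, {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.manual-ikev2.ca",  # hypothetical identifier
            "PayloadUUID": _new_uuid(),
            "PayloadContent": root_ca_der,    # step 1: downloaded CA certificate, DER bytes
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.manual-ikev2",         # hypothetical identifier
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": service_name,
        "PayloadContent": payloads,
    })
```

Call it with the server name from step 6 and the IKEv2 username from step 7, then write the returned bytes to a file ending in .mobileconfig. Treat the file as sensitive, since it still contains the IKEv2 username.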

Related articles:
Proton VPN macOS OpenVPN setup
Proton VPN iOS IKEv2 manual setup

7 comments

  1. Jos

    Would it be possible to generate a .mobileconfig file for macOS / iOS users?
    Or publish the exact VPN configuration details (like IKEv2 & Child Security Association Parameters, Certificate details, Connection details such as Perfect Forward Secrecy etc.)?

  2. ProtonVPN Team

    Hello Jos, we will send out the config to your email you provided here. :)

  3. PacketPusher

    Just wanted to post this because it was not found in any documentation anywhere on the site. Due to the setup with pfSense and using strict firewall configurations; egress traffic is filtered (i.e., outbound traffic), you must open the outbound ports below for Proton App which uses IKEv2:

    IP Protocol Type= UDP,
    UDP Port Number= 500 <- Used by IKEv2

    IP Protocol Type= UDP,
    UDP Port Number= 4500 <- Used by IKEv2

  4. aras

    I need to connect with an IP address instead of a hostname on IKEv2. Can you change your config server to provide this option?

  5. ProtonVPN Team

    Hey Aras, shoot us an e-mail via https://protonvpn.com/support-form if you need server IP addresses. Also, you can ping the server hostname, which is listed in the OpenVPN Config file, though it might not be the most convenient way to get IPs. We are planning to list hostnames on our website in the near future as well.

  6. Bob

    It would be nice if you said it only works for paid servers.

  7. ProtonVPN Team

    Hey Bob, this method for free servers requires a server IP address. For example ping us-free-01.protonvpn.com and use the IP address you will get instead of the hostname.

Comments are closed.


For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com



You can also Tweet to us:
@ProtonVPN