• If you haven't already, you can download VPN Tracker using this link.
• After the download has completed, launch the app and click the "Login" button in the top left-hand corner of the app home page.
• Enter your equinux ID and password in the space provided. Hint: This is the login you first created when purchasing VPN Tracker in our online store.

Are you a World Connect User?

You will need to download VPN tracker World Connect. You can do so using this link. VPN Tracker World Connect must be installed using the App Store. Once you've installed the app on your device, sign in with your equinux ID and password.

Parallels

Go to "Preferences" > "Network" in Parallels and change the DHCP ranges for Shared and/or Host-Only Networking so they no longer conflict with your VPN's remote network.

VMware Fusion

A PDF with instructions can be downloaded from the VMware community forums:

• VMware Fusion 3.x
• VMware Fusion 1.x/2.x

By default, traffic to the remote network cannot be sent through the VPN tunnel if it is using the same network as the local network.

Resolving a Network Conflict using Traffic Control

You can use Traffic Control and VPN Tracker will send non-essential local network traffic over the VPN.

Activate Traffic Control:
> Go to Advanced > Traffic Control
> Check "Force traffic over the VPN if remote networks conflict with local networks"

Note that you will never be able to reach the following addresses over VPN: The IP address of your local router, your DHCP server, and your DNS server(s). If you need to reach those IPs over VPN, you will have to resolve the network conflict instead of using Traffic Control. The same applies for any IPs that you need to reach locally and over VPN.

Resolving a Network Conflict Manually

You have two basic options for resolving a conflict:

1. Change the local network to use a different network address. In most situations, this will entail changing the LAN settings on the local router (including DHCP settings if DHCP is used).
2. Change the remote network to use a different network address. With most setups, this entails changing the LAN on the VPN gateway (including DHCP settings if DHCP is used), and changing the IPs used by devices on the VPN gateway's LAN (or triggering a DHCP refresh, if DHCP is used). If the LAN is used in the VPN settings (such as for policies or firewall rules), these will need to be changed as well. Finally, change the remote network in VPN Tracker to match the new settings

If you decide to change the remote network, it makes sense to choose a private network that less commonly used. According to our informal statistics, conflicts are least likely using these networks:

• Subnets of 172.16.0.0/12
• Subnets of 192.168.0.0/16, excluding 192.168.0.0/24, 192.168.1.0/24 and 192.168.168.0/24

If these are not an option, use a subnet of 10.0.0.0/8, excluding 10.0.0.0/24, 10.0.1.0/24, 10.1.0.0/24, 10.1.1.0/24. However, since wireless network operators sometimes choose to use the entire 10.0.0.0/8 network, the first two options are preferred.

If you have a more sophisticated VPN gateway, in particular a SonicWALL, you may be able to set up an alternative remote network on the VPN gateway that is mapped 1:1 through Network Address Translation (NAT) onto the actual network. Users can then connect to this network instead if they have a conflict of networks. We have a guide available that describes this approach for SonicWALL devices.

If the conflict is caused by virtual network interfaces (e.g. Parallels, VMware), see here for more information.

Some kinds of software may cause issues with VPN Tracker:

1. Personal Firewalls / Desktop Firewalls
2. Protection Software (e.g Virus Scanners, Malware Protection)
3. Other VPN Clients / VPN Software (for example NCP Client)

Personal Firewalls usually ask the user, if an app should be allowed to send network traffic. It’s important to grant VPN Tracker full network access. If you have already added rules for VPN Tracker, please whitelist VPN Tracker.

Protection Software often sees VPN traffic as a potential source of threat, as it isn’t able to analyze that traffic because of its very strong encryption. Please ensure VPN Tracker is ignored by any protection software running on your Mac and allow VPN traffic to pass through.

Other VPN clients should not be a problem, if they are designed to co-exist with othe VPN apps. Unfortunately, not all other clients are and some capture all VPN traffic as soon as they are installed, even if the app is not running.
In these situations, you may need to uninstall the VPN client - we also suggest asking the vendor to improve its “cooperation” with other VPN apps.

Here are some common examples of the types of apps mentioned above. If you are uncertain whether any of these applications may be installed on your system, try the following:

• Open the app “Terminal”
• Copy and paste the following command: systemextensionsctl list

You’ll get a list of all system extensions installed on your system. Just compare that list with the identifiers in parenthesis below:

• Little Snitch
  (at.obdev.littlesnitch.networkextension)
   
• TripMode
  (ch.tripmode.TripMode.FilterExtension, com.alix-sarl.TripMode.FilterExtension)
   
• Sophos Anti Virus
  (com.sophos.endpoint.networkextension, com.sophos.endpoint.scanextension)
   
• Symantec Endpoint Protection / Norton AntiVirus
  (com.symantec.mes.systemextension)
   
• Kaspersky Internet/Total Security
  (com.kaspersky.kav.systemextension, com.kaspersky.kav.networkextension)
   
• Intego Mac Internet Security
  (com.intego.netbarrier.extension, com.intego.virusbarrier.extension)
   
• Fortinet FortiClient
  (com.fortinet.forticlient.macos.systemextension, com.fortinet.forticlient.macos.networkextension)
   
• Cisco Advanced Malware Protection (AMP) / Cisco Secure Endpoint
  (com.cisco.amp.endpointsecurity.extension, com.cisco.amp.networkextension)
   
• eset Security Products
  (com.eset.endpointsecurity.systemextension, com.eset.networkextension)
   

SonicWALL Simple Client Provisioning with VPN Tracker is available with all SonicWALLs running SonicOS 4.0 or newer and all editions of VPN Tracker.

If you are still using VPN Tracker 6 or earlier, Professional or Player Edition is required.

Beta versions are soon to be released versions of VPN Tracker 365. We like to release beta versions to allow users to give us feedback on new features we've been developing before we roll them out to the general public. If you would like to become part of our beta testing program, you will need to activate access to early release versions in the app.

Open the VPN Tracker 365 app and go to "VPN Tracker 365" > "Preferences"
Next to "Update", check the box "Get early access to Pre-Release versions"
From the drop down menu, select "Beta versions"

Tip: Next to "Update" you can also check "Automatically check for updates". This way, VPN Tracker 365 will inform you whenever a new beta version is available for testing. Are you an experienced IT admin wanting to take things one step further? Check out our Nightly builds... If you run into issues on a beta version and want to get back to an older build, you can always find our latest official release on the version history page. Please also note that you can deactivate beta testing at any time by unchecking the box in your app preferences.

Such a setup is called “Host to Everywhere” in VPN Tracker. All non-local traffic will be sent through the VPN. For this setup to work, it must be properly configured in VPN Tracker and on the VPN gateway:

1. The Network Topology must be set to “Host to Everywhere” in VPN Tracker
2. The VPN gateway must accept an incoming VPN connection with a 0.0.0.0/0 (= everywhere) endpoint

Once these are configured, it should already be possible to establish the VPN connection. However, it is very likely that Internet access will not yet work. For Internet access to work, several more things need to be configured on the VPN gateway:

1. The VPN gateway must route VPN traffic not destined for its local networks out on the Internet
2. This traffic must be subject to Network Address Translation (NAT) in order for replies to reach the VPN gateway
3. In many cases, a suitable remote DNS setup is necessary for DNS resolution to continue to work

Note that not alll VPN gateways can be configured for Host to Everywhere connections. Most devices designed for small office or home networks (e.g. devices by NETGEAR or Linksys) are not capable of dealing with Host to Everywhere connections.

VPN Tracker supports industry standard OpenVPN, IPsec (IKEv1 + IKEv2), L2TP, PPTP, SSL, SSTP, and WireGuard® protocols. This means that it will work with almost all devices supporting these types of VPN connections.

A list of tested devices is available on our website

What if my device is not on this list?

There are hundreds of VPN devices available on the market, and we'd love to offer device profiles for all of them. Unfortunately, it is impossible to test all devices. If your gateway is not in the list, it will probably still work with VPN Tracker.

Tip: Try out one of our custom protocol profiles to test your VPN connection free in VPN Tracker on Mac, iPhone or iPad.

VPN Tracker may prompt you for different passwords depending on the action you're performing. This guide explains what each prompt means and which password you should enter.

1. Your Mac Password

When is it needed?
– Installing VPN Tracker
– Approving system extensions

Why?
macOS requires your administrator password to authorize changes on your system.

Where do I find it?
This is your local Mac password – the one you use to log in when your Mac starts up.

2. Your equinux ID (VPN Tracker Account)

When is it needed?
– Logging into the VPN Tracker app (Mac or iOS)
– Accessing your account at my.vpntracker.com

Why?
This is your personal VPN Tracker account, giving you access to your plan, team, connections, and device settings.

Where do I find it?
This password is usually saved in your Keychain or Passwords app under “id.equinux.com”.

3. Pre-Shared Key (PSK) / Shared Secret

When is it needed?
– When setting up or connecting to a VPN connection

Why?
Some VPNs use a PSK to authenticate users. This key must match what’s configured on the VPN gateway.

Tip for Teams: Admins can share pre-configured VPN connections via TeamCloud to avoid PSK confusion.

Where do I find it?
This is usually set by your company’s VPN admin and stored in the connection. You typically don’t need to know it yourself.

4. Your Company Login (XAUTH Credentials)

When is it needed?
– When connecting to a company VPN

Why?
You may need to enter your company login (often the same credentials you use at work) to authenticate with the VPN.

Where do I find it?
You should have received it from your IT team — and hopefully not written it on a Post-it under your keyboard.

Especially so-called "clean up tools" that also scan for malware can report false-positives. If you suspect VPN Tracker 365 or Mail Designer 365 to be infected, we recommend to upload your copy of the app to www.virustotal.com which is a free service that scans your uploaded files using several reputable virus scanners. If any of the virus scanners on this site flags the app, please contact us.

How can I verify that my copy of VPN Tracker 365 or Mail Designer has not been modified?

All our apps are properly code-signed by Apple, so macOS can verify that the app has not been tampered with. You can check the integrity by opening Terminal.app and entering the following command:

spctl --assess "/Applications/VPN Tracker 365.app"

Please note that double quotes around the path are required because the path contains spaces. If your copy is in a different location, please replace "/Applications/VPN Tracker 365.app" with the proper path to the app. The output may look like this:

/Applications/VPN Tracker 365.app: accepted
    source=Notarized Developer ID

If the app has been modified, an error message like this is printed:

Mail Designer 365.app: invalid signature (code or signature have been modified)

Please contact us if your copy of VPN Tracker 365 or Mail Designer 365 has an invalid signature.

How can I verify that my copy of VPN Tracker 365 or Mail Designer 365 was signed by equinux?

All our apps are properly code-signed by Apple, so macOS can verify that the app has not been tampered with. You can review this signature by opening Terminal.app and entering the following command:

  codesign -d -vv "/Applications/VPN Tracker 365.app" 

Please note that double quotes around the path are required because the path contains spaces. If your copy is in a different location, please replace "/Applications/VPN Tracker 365.app" with the proper path to the app. The output may look like this:

Executable=/Applications/VPN Tracker 365.app/Contents/MacOS/VPN Tracker 365
    Identifier=com.vpntracker.365mac
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=81953 flags=0x10000(runtime) hashes=2550+7 location=embedded
    Signature size=9071
    Authority=Developer ID Application: equinux AG (MJMRT6WJ8S)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=1. Jun 2021 at 17:22:51
    Info.plist entries=42
    TeamIdentifier=MJMRT6WJ8S
    Runtime Version=11.1.0
    Sealed Resources version=2 rules=13 files=684
    Internal requirements count=1 size=216

The important parts to look out for here are the lines starting with "Authority": They list the chain of trust. The last entry must always be "Apple Root CA", the entry above must either be "Developer ID Certification Authority" or "Apple Worldwide Developer Relations Certification Authority" for App Store versions. The first entry must either be "Developer ID Application: equinux AG" (VPN Tracker 365), "Developer ID Application: Tower One GmbH" (Mail Designer 365 non-App Store), or "Apple Mac OS Application Signing" (Mail Designer 365 App Store). Again, if you see a different entry, please contact us.

Current Firmware (Fireware XTM)

WatchGuard Firebox X Edge e-Series devices with Fireware XTM (Fireware 11) are fully supported in current versions of VPN Tracker. For details please see our configuration guide.

Older Firmware

Devices running an older firmware may often work using the following setup. Please note however that we can't guarantee that this setup will work in all cases.

Start by creating a new user on the Firebox Edge and then configure MUVPN support for this user.

In VPN Tracker, use a "Custom Connection" device profile as the basis for your new connection.

Map the WatchGuard settings to your VPN Tracker configuration as shown in the table below:

Watchguard	VPN Tracker
Account Name	Local Identifier
Shared Key	Preshared Key
Virtual IP Address	Local Address
Authentication Algorithm	Phase 1 and Phase 2 Hash/Authentication Algorithms
Encryption Algorithm	Phase 1 and Phase 2 Encryption Algorithms
Key expiration in hours	Phase 1 and Phase 2 Lifetime

The following settings are independent of your specific MUVPN configuration:

• Local Identifier Type: Email (even if it is a name and not an email address)
• Exchange Mode: Aggressive
• Phase 1 Diffie-Hellman Group: Group 2 (1024 bit)
• Perfect Forward Secrecy (PFS): off

Finally make sure the that VPN Tracker's "Network" setting is set to "Host to Network", and the correct Remote Network (i.e. the network that you want connect to through the VPN) is used (e.g. 192.168.1.0/255.255.255.0).

Please check if it is possible to open the address https://my.vpntracker.com in Safari. This problem tends to occur if our website is blocked through a firewall or another content filter.

Luckily, this is an incorrect report. The XCSSET malware is a trojan that replicates project files via Xcode; it targets mostly developers. To get it, you would need to download an infected Xcode project and build it. It creates fake apps and also downloads and installs payload (adware and similar things). So it does not infect existing apps. An interesting property of XCSSET is that it's mostly implemented in AppleScript. The generated fake apps contain a folder "Contents/Resources/Scripts" in which those AppleScript files reside. You can right-click on VPN Tracker 365 or Mail Designer 365 in Finder, then click on "Show Package Contents" to check whether this Scripts folder or any AppleScript files (*.scpt) can be found; VPN Tracker 365 and Mail Designer 365 do not contain AppleScript files.

VPN Tracker is licensed per user. That means each person using VPN Tracker needs their own license.

To prevent security issues, account sign-ins are checked by an automatic system. There are multiple possible causes that can trigger an account lock:

• Sharing one account with other people
• The account is being used as a "generic" account (e.g. "Lab computer 1"), instead of being personalized for one person

To fix a locked account being shared with other people

• Go to my.vpntracker.com
• Sign in with your equinux ID
• Go to "My Subscriptions" and choose "Add plans…"
• Add additional licenses for each person that needs VPN access and complete your order
• Once you have the correct number of licenses for your team, assign the new licenses to your co-workers – check out our Team Setup Guide for step-by-step instructions

Once you have completed these steps, please contact our support team and include your equinux ID and order confirmation number. A team member will review your details and will be able to lift the restrictions on your account.

For any other questions, please reach out to our Account Security Team.

A Technical Support Report contains your VPN Tracker settings and relevant network and system settings that our technical support team needs to be able to assist you quickly. Confidential data (e.g passwords, pre-shared keys, private keys) are not included in a Technical Support Report (TSR).

How to create a Technical Support Report on a Mac:

‣ Click on your VPN connection in VPN Tracker 365.
‣ In the bottom right corner under the "Status" tab, you will see the TSR button.
‣ Click the button to generate the report and follow the instructions to send to our support team.

How to create a Technical Support Report on an iPhone/iPad:

‣ Tap on the connection. The connection card appears.
‣ Tap on “Feedback”
‣ Provide a short description of the connection problem
‣ Tap on Send

If you have an issue connecting to the VPN in the first place, please make a connection attempt right before creating the Technical Support Report, then create the Technical Support Report as soon as the connection attempt has failed.

If you can connect to the VPN, but something is not working right after the connection has been established, please establish the VPN connection, then create the Technical Support Report while the VPN is connected.

You can either email the report directly to our support team from VPN Tracker 365, or save it to email later or from a different computer, or to upload it using the contact form on our website:

Whenever possible, also include screenshots of the VPN setup on your VPN gateway.

New Mac? No problem. The latest version of VPN Tracker for Mac offers full support for Macs with M2 chips, as well as compatibility with the latest macOS versions, including macOS 15 Sequoia. Download the latest version here.

The PPTP protocol consists of two components: one using TCP transport (also used for websites) and another using GRE transport. The latter often causes issues.

If your internet provider or router does not fully support GRE, VPN Tracker can initiate the TCP part but fails to receive a response when the GRE connection starts.

To check if your network supports PPTP connections, use the VPN Tracker Connection Checker. If the result does not indicate a successful connection, verify your internet setup.

Some routers require “PPTP Passthrough” to be enabled for GRE to function correctly. Check your router’s manual for instructions.

The main reason why the lifetime of IPSec tunnels is limited is security. The longer a tunnel is alive, the more time an attacker has for an attack and the more data is encrypted with the same session key, which reduces the effort for attackers to find the key. The IKE Phase 1 tunnel is only used to ensure a secure connection between VPN client and VPN gateway, comparable to a TLS connection (i.e. HTTPS instead of HTTP). Only IKE messages are exchanged via the Phase 1 tunnel, which are used to keep the Phase 1 connection alive and to negotiate Phase 2 tunnels if necessary. The Phase 1 tunnel has no influence on the VPN speed, only on the initial connection setup, so there is never any reason why you should not always work with the strongest protection in Phase 1, that both sides can support. Since very little data is ever sent through the Phase 1 tunnel, there is no reason not to choose a very long lifetime. The Phase 2 tunnels are used to encrypt the actual data traffic, so the settings here directly influence the overhead, latency and speed of the VPN connection and must be weighed against the security. Also, large amounts of data are encrypted via the Phase 2 tunnels, so you should not set their lifetime too high. If possible, it is always recommended to use Perfect Forward Secrecy (PFS) in Phase 2, which slows down the Phase 2 connection setup a bit, but completely decouples Phase 2 cryptographically from Phase 1, since an independent session key is negotiated and not derived from the session key of Phase 1. The lifetimes of the two phases are basically independent of each other. A Phase 2 tunnel may continue to exist, even if the Phase 1 tunnel over that it was negotiated no longer exists. Thus, Phase 1 may have a shorter lifetime than Phase 2. VPN Tracker always negotiates new tunnels in time before the lifetime expires, so that the connection is normally never interrupted. With Phase 2, the tunnels are seamlessly connected, meaning that not a single data packet is lost during the exchange. This is why even with a very short lifetime of just a few minutes, the impression of an uninterrupted connection is created. Frequent changes of Phase 2 tunnels only lead to a little more data traffic and a little more computing work on both sides of the connection.

Important Notes

The lifetime of the tunnels is explicitly not negotiated. The standard allows that a tunnel has different lifetimes on both sides of the connection. The side, where the lifetime expires first, determines the further procedure. Only if VPN Tracker is that side, it can determine what happens next, otherwise VPN Tracker can only react passively. The latter will always result in a short interruption or even a complete loss of the connection in case of Phase 1. For Phase 2, it depends on whether the other side wants to actively negotiate new Phase 2 tunnels or only deletes the existing ones; the latter also leads to a short-term connection loss. It's always best to set VPN Tracker to the same lifetime as the other side, because VPN Tracker will always try to intervene in time to avoid a connection loss. Since there are also IKE/IPSec implementations that delete all Phase 2 tunnels as soon as the corresponding Phase 1 tunnel is deleted, it's always a good idea to select Phase 1 on devices to match the maximum VPN session time expected.

Configuration guides for configuring VPN Tracker with Cisco devices are available here.

Configuration guides for Cisco Small Business (Linksys) devices are available here.

Import of Cisco IPsec VPN Client Configuration Files (.pcf)

Cisco VPN Client configuration files that use group password authentication can be imported into VPN Tracker:

‣ "File" > "Import 3rd Party Configuration" > "Cisco .pcf"

VPN Tracker 365 TeamCloud has been designed from the ground up to offer highly secure cloud storage for your team's VPN connections.

TeamCloud - Key Security Architecture

• Built using end-to-end encryption - our servers have no access to your connection data
• Securely encrypted with user-specific encryption keys for additional security
• Encryption runs locally in your browser

Managing connections on the web

my.vpntracker uses sophisticated WebAssembly technology to securely decrypt and encrypt your sensitive connection details locally within your browser - without sending any unencrypted data through the VPN Tracker servers. This allows Team Managers to edit connection files and add additional Team Members to TeamCloud on the web, without needing a Mac or VPN Tracker 365 running locally.