Frequently Asked Questions

Since 2019, Firefox have been rolling out DNS over HTTPS (DoH) by default in several countries, including the USA, Canada, Russia and Ukraine.

What does this mean?

When DoH is enabled, it bypasses your DNS server and instead, domains you enter into your browser are sent via a DoH-compatible DNS server using an encrypted HTTPS connection.

This is intended as a security measure to prevent others (e.g. your ISP) from seeing the websites you are trying to access. However, if you're using a DNS server provided by your VPN gateway, it allows DNS queries to run outside the VPN tunnel. Moreover, if the VPN specifies a DNS server that resolves internal host names, these are either not resolved at all or resolved incorrectly when DoH is enabled.

How to disable DNS over HTTPS in Firefox

To ensure all your DNS queries run via your VPN's DNS, you will need to disable DoH in Firefox. To do so, open your Firefox browser, go to Firefox > Preferences > Network Settings and deselect the checkbox by "Enable DNS over HTTPS":


Click OK to save your changes.

In some circumstances, VPN Tracker may not be able to store your account login credentials in your Keychain.

To fix this issue, please try the following:

• Quit VPN Tracker
• Open Keychain Access from Applications > Utilities
• Select your login keychain
• Choose File > Lock Keychain “login”
• Then choose File > Unlock Keychain “login”

On newer macOS releases, you may not see the option to lock/unlock your Keychain. In that case, please enter the following command via the Terminal:

security lock-keychain ~/Library/Keychains/login.keychain

Once it has been locked, you can then unlock your Keychain again:

security lock-keychain ~/Library/Keychains/login.keychain

(You will need to enter your macOS login password to confirm).

Now re-open VPN Tracker and try signing in again.

If the problem still pops up, try this:

• Quit VPN Tracker
• Go back to Keychain Access
• In the search box enter “VPN Tracker User Auth”
• Delete the VPN Tracker User Auth Token entry

Now re-open VPN Tracker and try signing in again.

Last resort: Reset your keychain

If none of the tips above work, macOS has an option to reset your Keychain. Note that this should only be tried as a last resort, as it completely resets your login Keychain:

• Open Keychain Access
• Go to Keychain > Preferences
• Choose "Reset Default Keychains…"

Afterwards, open VPN Tracker 365 and try signing in again.

If there are any further issues, please contact our support team and include the application logs from this location:
/Library/Application Support/VPN Tracker 365/var/log.

By itself, the IPsec protocol does not support usernames. If you were given a username from your network administrator for connecting to your corporate VPN solution, there are generally two possibilities:

• Your corporate VPN solution uses the term "username" for "identifiers". Please try to use your username as the "Local Identifier" in VPN Tracker.
• Your corporate VPN solution is using Extended Authentication (XAUTH). You can enable XAUTH in VPN Tracker. The software will then prompt for your username and password when the connection is being established.

Don't worry – it happens to all of us!

Just head on over to our login retrieval page, enter your equinux ID or email address and we'll send you your details.

Recently changed your e-mail address? Send us a message!

The main reason why the lifetime of IPSec tunnels is limited is security. The longer a tunnel is alive, the more time an attacker has for an attack and the more data is encrypted with the same session key, which reduces the effort for attackers to find the key.

The IKE Phase 1 tunnel is only used to ensure a secure connection between VPN client and VPN gateway, comparable to a TLS connection (i.e. HTTPS instead of HTTP). Only IKE messages are exchanged via the Phase 1 tunnel, which are used to keep the Phase 1 connection alive and to negotiate Phase 2 tunnels if necessary. The Phase 1 tunnel has no influence on the VPN speed, only on the initial connection setup, so there is never any reason why you should not always work with the strongest protection in Phase 1, that both sides can support. Since very little data is ever sent through the Phase 1 tunnel, there is no reason not to choose a very long lifetime.

The Phase 2 tunnels are used to encrypt the actual data traffic, so the settings here directly influence the overhead, latency and speed of the VPN connection and must be weighed against the security. Also, large amounts of data are encrypted via the Phase 2 tunnels, so you should not set their lifetime too high. If possible, it is always recommended to use Perfect Forward Secrecy (PFS) in Phase 2, which slows down the Phase 2 connection setup a bit, but completely decouples Phase 2 cryptographically from Phase 1, since an independent session key is negotiated and not derived from the session key of Phase 1.

The lifetimes of the two phases are basically independent of each other. A Phase 2 tunnel may continue to exist, even if the Phase 1 tunnel over that it was negotiated no longer exists. Thus, Phase 1 may have a shorter lifetime than Phase 2. VPN Tracker always negotiates new tunnels in time before the lifetime expires, so that the connection is normally never interrupted. With Phase 2, the tunnels are seamlessly connected, meaning that not a single data packet is lost during the exchange. This is why even with a very short lifetime of just a few minutes, the impression of an uninterrupted connection is created. Frequent changes of Phase 2 tunnels only lead to a little more data traffic and a little more computing work on both sides of the connection.

Important Notes

The lifetime of the tunnels is explicitly not negotiated. The standard allows that a tunnel has different lifetimes on both sides of the connection. The side, where the lifetime expires first, determines the further procedure. Only if VPN Tracker is that side, it can determine what happens next, otherwise VPN Tracker can only react passively. The latter will always result in a short interruption or even a complete loss of the connection in case of Phase 1. For Phase 2, it depends on whether the other side wants to actively negotiate new Phase 2 tunnels or only deletes the existing ones; the latter also leads to a short-term connection loss.

It's always best to set VPN Tracker to the same lifetime as the other side, because VPN Tracker will always try to intervene in time to avoid a connection loss.

Since there are also IKE/IPSec implementations that delete all Phase 2 tunnels as soon as the corresponding Phase 1 tunnel is deleted, it's always a good idea to select Phase 1 on devices to match the maximum VPN session time expected.

A couple of years ago, a team of security experts released a paper describing an attack that can break an IKEv1 Aggressive Mode Pre-Shared Key connection using an attack that would not equally have been possible with an IKEv1 Main Mode Pre-Shared Key connection, leading to the incorrect assumption that Aggressive Mode is inherently insecure. This claim, however, is not backed up by objective facts. What most people don't know, part of that attack was the ability to guess the Pre-Shared Key (PSK) using a brute force attack and such a brute force attack can only be successful if the PSK is weak. A PSK is also just a password and as with every password, choosing a weak password always leads to poor security. As long as your PSK is at least 14 characters long (the longer the better), consists out of lower case letters, upper case letters and digits, and was randomly generated, so it's impossible to somehow guess it, and as long as your Phase 1 hash algorithm is at least SHA1 (or better, we recommend SHA-256 if possible), there's absolutely no reason to consider IKEv1 Aggressive Mode with Pre-Shared Key as less secure than IKEv1 Main Mode with Pre-Shared Key. If you want to be even more secure, switch to certificate based authentication instead of PSK if possible as then the attack is not possible at all.

Technical background:

The Pre-Shared Key (PSK) is not a password used for encryption of any data, it's used for authentication, just when you log in to a website using a username and a password. During Phase 1, both sides must prove to each other to know the PSK. This cannot be done by just sending it to the other side, as if the other side didn't know it before, it will know it after receiving it. Instead both sides calculate a number (a hash digest) out of data they exchanged so far (data that will be different every time you start a new connection, which ensures the calculated value will be as well) and the PSK. Only this digest is send to other side. The other side can now verify that digest by performing the same calculations and comparing the result with the digest received. If both are equal, the sender must have used the same PSK in the calculation, which proves knowledge of the PSK. Then the receiver also calculates such a digest, using a slightly different formula as before, leading to an entirely different result, and sends it back in reply to also prove its knowledge.

The differences between Main Mode and Aggressive Mode is simply that in Main Mode the digest is exchanged encrypted because the session key exchange already negotiated a session encryption key when the digest is exchanged, whereas in Aggressive Mode it is exchanged unencrypted as part of the key exchange that will lead to a session key. By snooping the connection establishment of an Aggressive Mode connection, the attackers were able to get the digest as well as all values required to calculate that digest, except for the PSK itself. Please note that this alone doesn't mean the connection is broken already, it only means that the attackers now have enough data to start guessing the PSK using a brute force or dictionary attack. Only if the PSK is too weak to withstand those attacks and the attackers are able to correctly guess it, the connection will be broken. That's why a good, secure PSK is essential.

The same attack is in fact also possible with a Main Mode PSK connection, it just requires some extra work. For a Main Mode connection it's not enough to just snoop the traffic, the attackers would need to perform a so called Man-in-the-Middle (MitM) attack, allowing them to capture and manipulate all traffic exchanged. By performing a MitM attack, attackers can break the key exchange and thus will be able to decrypt all the exchanged packets. Doing so will not make it possible to break into your VPN, they still need to know the PSK for that, otherwise they cannot successfully authenticate to the other side and then Phase 1 will never complete, but that way they can get all the information required to start guessing on the PSK, just as in case of a an Aggressive Mode connection. And if an attacker is already able to snoop on your VPN traffic (which is required to attack Aggressive Mode), it's very likely that attacker is equally possible to perform a MitM attack and in that case using Main Mode will not offer you any additional protection.

A PSK out of 11 random alphanumeric characters offers an entropy of approx. 64 bits, that's 2^64 possible values. Modern high end graphics adapter (as of 2015) can calculate in the order of 1 billion SHA-256 hashes a second. On average one has to try 50% of all possible values to find a match, wich would be about 292 years. Yet if the attackers have an array of 100 such graphics adapters, it would "only" be around 3 years. If the PSK is 14 characters, the entropy is about 80 bits and you are already at 19,154,798 years. Now even having 10,000 graphics adapters would help a lot. Also one must consider the costs of such an attack, which is not so much the cost of buying all these graphics adapters, rather their power consumption when all these graphics adapters run at maximum current 24 hours a day and that for years, decades, or even centuries. The power costs will be billions of dollar and all that to just break one single PSK connection in the entire world. And whenever you change the PSK, an attacker must start all over, so if you change the PSK regularly, let's say once a year, an attacker has at most one year to find it; that's very ambitious, even for a weak PSK.

VPN Tracker for Mac fully supports all the latest macOS versions, including macOS Sequoia

Starting from macOS 11, Apple have made some key changes to the macOS security architecture. VPN Tracker for Mac offers full support for all the latest macOS versions. This includes support for: IPsec VPN, IKEv2 (Beta), OpenVPN, L2TP VPN, PPTP VPN, SonicWall SSL VPN, Fortinet SSL VPN, Windows SSTP VPN, Cisco AnyConnect VPN and WireGuard® VPN.

Tip: Sign up for VPN Tracker Insider Updates to get Beta releases as soon as they are available.

WireGuard® is a registered trademark of Jason A. Donenefeld.

Symptom

As soon as you connect your VPN tunnel, Skype is not able to make calls any longer, however calls started prior to connecting the VPN continue to work.

Solution

Make sure the field Local Address is not empty. If it is, fill in a private IP address. A private IP address has the following form:

• 192.168.x.x
• 10.x.x.x
• 172.y.x.x

x: A number of the range 0 to 255.
y: A number of the range 16 to 31.

Only rule: It must not be an IP address from a remote network on the other side of the VPN tunnel (must not partially match an entry of the field "Remote Networks"), as choosing such an address will make the tunnel stop working (it will connect, but you cannot really reach anything over it).

Alternate Solutions

If the solution above does not fix your issues, make sure that

• DNS resolution still works once the VPN tunnel is up.
   
• Public Internet servers are still reachable once the VPN tunnel is up.
   
• In case of a Host to Everywhere connection, make sure the VPN gateway does not block any network traffic that is crucial for Skype to work.
   

Explanation

VPN Tracker creates a virtual tunnel interface for every VPN tunnel. Like any network interface, this virtual tunnel interface requires an IP address to be functional as an IP network interface. If your VPN gateway assigns you an IP address, the assigned address is applied to the tunnel interface. If not, the address you put into Local Address will be used. If you leave local address empty, the IP address of your primary network interface will be used.

In the last case, your system ends up with two interfaces with identical IP addresses. This is allowed and usually not a problem, unless a software does “stupid things”, like querying the network interface for a given IP address and then ignoring the order of precedence of the returned results.

Sie können mit VPN Tracker 365 Ihre VPN Verbindung so konfigurieren, dass nur Verbindungen ihr Ihr Netzwerk darüber geht. Normales Surfen im Web nutzt dann Ihre ganze normale Internetverbindung.

Sie können mit unserer VPN Wizard App für FritzBox eine neue Verbindung entsprechend konfigurieren.



Ihre neue VPN Verbindung für Fritzbox können es mit der kostenlosen VPN Tracker 365 Demo testen:
http://www.vpntracker.com/de/download.html#vpnt365

With both SMB (Windows File Sharing) and AFP (Apple File Sharing), low latency connections are key to achieving good performance. This is of course assuming that you already have a connection with reasonable bandwidth in between the two VPN endpoints (this can be easily verified by transferring a larger file through HTTP or FTP).

Using SSL VPN? Switch to IPSec

In comparison to SSL VPN, IPSec is able to offer much faster connection speeds as it runs on the network layer – level 3 of the OSI – meaning it’s much closer to the physical hardware. This will give you a faster VPN performance.

Learn more in this blog post.

Finder Settings

If you are using the Finder and the issue is mostly with listing folders (but not so much when actually copying files), try turning off icons/icon previews in the Finder's View Options (Cmd-J).

Reducing Latency

If you experience performance issues both when listing folders and when transferring files, your aim should be to reduce latency. Some ways to reduce latency include:

• Avoid high-latency Internet uplinks (e.g. satellite, some types of wireless providers, line aggregation, ...).
• When using a DSL line, see with your ISP if you can get "fast path" enabled (= interleaving turned off). ISPs sometimes market this as an option for online gaming, but it's also very helpful for AFP/SMB or connecting to some types of database backends.
• Make sure VPN traffic is appropriately prioritized in order not to be slowed down by someone else using the same Internet connection.

To measure latency between the two endpoints of the VPN, use ping to a host on the other end of the connection (or, when pinging from the client end, ping the VPN gateway). For your convenience, VPN Tracker has a ping utility built right in, it can be found in the Tools menu.

To measure latency of each endpoint's individual uplink, it's often helpful to do a ping the local router (to make sure there are no unnecessary latencies introduced in the local network) and the ISP's first router (to get an idea if enabling fast path or switching ISPs may be a suitable measure to decrease latency).

If you cannot reduce latency any further:

If you are in a situation where you cannot reduce latency any further (or where the base latency from the distance between the two endpoints itself is so large local measures won't make much difference), consider switching to a file transfer protocol that is less vulnerable to latency, e.g. WebDAV or FTP, or use measures such as reducing the number of files and folders in a hierarchy to increase performance.

To establish a VPN connection to a certain location (such as your office), you will need a VPN gateway at that location. This gateway could be a hardware VPN gateway device (see our compatibility page for compatible devices and setup guides).

The VPN gateway needs to be connected to the Internet (e.g. to a DSL modem or similar), preferably with a static IP address or it should be capable of using a service like DynDNS.org to map its dynamic IP to a hostname. Configuration is easiest if the VPN gateway is also the router (default gateway) of its network. If the VPN gateway is not the router of its network, a suitable routing setup may be necessary for traffic over the VPN to be routed correctly.

Configuration details can be found in the configuration guides for specific devices.

To connect to a WireGuard® VPN server - e.g. in order to remotely connect to your home network -, you need a VPN client app. VPN Tracker supports WireGuard® VPN connections on Mac, iPhone and iPad!

To get connected, follow these 3 steps:

1. Open VPN Tracker and add a new WireGuard® connection
2. Upload your WireGuard® configuration file or scan your QR code
3. Save your connection to your account using secure end-to-end encryption

You can now connect to your WireGuard® VPN server on Mac, iPhone or iPad.

→ More information on connecting to WireGuard® VPN in VPN Tracker

WireGuard® is a registered trademark of Jason A. Donenfeld.

Migrating an existing Windows PPTP VPN connection to a Mac may sound daunting, but with VPN Tracker 365 the process is quick and easy. By the end, you will be able to connect your Mac to your PPTP VPN connection and continue working as normal.

Here's how it works:

Find your PPTP VPN connection settings in the Control Panel of your Windows PC
Start VPN Tracker 365 on your Mac and click the "+" to create a new PPTP connection
Copy the connection settings from the first step into the configuration window
Finally, start up your PPTP connection to test

You can now use your Windows PPTP VPN connection on your Mac, thanks to VPN Tracker 365. If you require a more detailed walkthrough, please check out this step-by-step PDF guide: Migrating a Windows PPTP VPN Configuration

Find out more about PPTP VPN under macOS Big Sur

If you need to force quit your software for any reason (e.g. your screen has frozen or the app is not responding) please do one of the following:

• If the app you want to quit is in your dock, hold the "Option" (⌥) key and right-click on the app icon, then, select "Force Quit" from the menu.
• You can also hold down "Option" (⌥) + "Cmd" (⌘) + "Esc" which will trigger a window with a list of apps you have running. To force quit one or more of these apps, simply select it from the list and click the "Force Quit" button.

If you see this error: "LCP timeout" or "LCP: timeout sending Config-Requests", here are two things to check:
1. To use PPTP behind a NAT router, your router must support "PPTP Passthrough" and this option also needs to be enabled.

Please ensure that your router supports "PPTP Passthrough" and please ensure it is also enabled. Check your router's manual. If your router has no support for it, you may have to replace it if you require to use PPTP.

2. Please also check if your ISP is running "DS Lite" connection to you. With "DS Lite", users only get private IP addresses that are network address translated at the provider and this is usually incompatible with PPTP. You require a public IPv4 address or switch to a different VPN protocol. Call your ISP and ask for "a public IPv4 address".

Setting up Shortcuts to your most important services in VPN Tracker 365 is easy and will drastically improve your workflow.

To get started, go to "File" > "New" > "VPN Shortcuts"

Open the Shortcuts Dock by clicking on the arrow to reveal all available Shortcuts in VPN Tracker 365. Then, drag out the icon for the application or service you would like to configure (e.g. internal website).



Now configure your Shortcut by filling in all the requested information as prompted by VPN Tracker 365. If you are unsure of any details, your network admin or a member of our support team will be able to help you get set up.



Continue this process until you have built up a collection of Shortcuts for all your most-used external services. Then, exit the editing mode by clicking again on the arrow at the bottom of the window to close the Shortcuts Dock:



To test your Shortcut, simply click on the icon. This should launch your VPN connection and instantly start up your service.

Want to see Shortcuts in action? This 2 minute video tutorial shows you how to set up VPN Shortcuts in VPN Tracker 365:

Importing a pre-existing VPN connection from your Mac to use in VPN Tracker 365 is straightforward.

Open the VPN Tracker 365 app, then go to File > Import > System VPN Connections.



VPN Tracker will scan your Mac for VPN connections that are compatible with VPN Tracker 365. You can then select and import the connections you want.
Please note that only compatible connections can be imported.

For a certificate to be available in the "Local Certificate" list, it must be present in the Mac OS X Keychain with its corresponding private key.

You can easily check this in the Keychain Access application: If a certificate is listed under "My Certificates" (and not just "Certificates"), its private key is available and you will be able to select it in VPN Tracker as the "Local Certificate".

Important note for CheckPoint VPN users:

The Mac OS X Keychain Access application currently does not understand how to read private keys from some CheckPoint generated certificates.

To properly import the certificate into the Mac OS X Keychain, first convert it using the openssl command line tool:

1. Open a Terminal ("Applications" > "Utilities" > "Terminal")
   
   
2. Convert the certificate to PEM format:

     openssl pkcs12 -in /Users/joe/Desktop/MyCheckPointCert.p12 -out /tmp/out.pem
   

   Replace /Users/joe/Desktop/MyCheckPointCert.p12 with the path to the actual certificate that you want to convert.

   You will first be asked for the password that the certificate is encrypted with. If you do not know it, please ask the administrator who has created your certificate for you. You will then be asked twice for the password that will be used to protect the exported PEM file. You can use the same password that the original certificte was encrypted with. Note that no characters will appear on screen while you type in your passwords. Simply type the password and press the return key.

3. Convert the PEM file back to PKCS#12 (.p12) format:

     openssl pkcs12 -in /tmp/out.pem -export -out ~/Desktop/MyFixedCheckPointCert.p12
   

   Replace /Users/joe/Desktop/MyFixedCheckPointCert.p12 with the path where you want the fixed certificate to be stored.

   You will first be asked for the password that you have just used for exporting to the PEM file, and then for a password to protect the fixed .p12 file with. You can again use the same password for everything.

Now double-click your fixed certificate file to import it into the Mac OS X keychain.

If you're running FortiOS 3, please make sure you are running at least MR6 patch 2. Previous firmware releases have an issue that will cause the device to respond incorrectly to VPN Tracker's attempts to use XAUTH in combination with an Aggressive Mode based connection.

Some kinds of software may cause issues with VPN Tracker:

1. Personal Firewalls / Desktop Firewalls
2. Protection Software (e.g Virus Scanners, Malware Protection)
3. Other VPN Clients / VPN Software (for example NCP Client)

Personal Firewalls usually ask the user, if an app should be allowed to send network traffic. It’s important to grant VPN Tracker full network access. If you have already added rules for VPN Tracker, please whitelist VPN Tracker.

Protection Software often sees VPN traffic as a potential source of threat, as it isn’t able to analyze that traffic because of its very strong encryption. Please ensure VPN Tracker is ignored by any protection software running on your Mac and allow VPN traffic to pass through.

Other VPN clients should not be a problem, if they are designed to co-exist with othe VPN apps. Unfortunately, not all other clients are and some capture all VPN traffic as soon as they are installed, even if the app is not running.
In these situations, you may need to uninstall the VPN client - we also suggest asking the vendor to improve its “cooperation” with other VPN apps.

Here are some common examples of the types of apps mentioned above. If you are uncertain whether any of these applications may be installed on your system, try the following:

• Open the app “Terminal”
• Copy and paste the following command: kextstat | grep -v com.apple

You’ll get a list of all kernel extensions that are not from Apple. Just compare that list with the identifiers in parenthesis below:

• Little Snitch
  (at.obdev.nke.LittleSnitch)
   
• TripMode
  (ch.tripmode.TripModeNKE)
   
• Sophos Anti Virus
  (com.sophos.kext.oas, com.sophos.nke.swi)
   
• Symantec Endpoint Protection / Norton AntiVirus
  (com.symantec.kext.SymAPComm, com.symantec.kext.internetSecurity, com.symantec.kext.ips, com.symantec.kext.ndcengine, com.symantec.SymXIPS)
   
• Kaspersky Internet/Total Security
  (com.kaspersky.nke ,com.kaspersky.kext.kimul, com.kaspersky.kext.klif, com.kaspersky.kext.mark)
   
• Intego Mac Internet Security
  (com.intego.netbarrier.kext.network, com.intego.virusbarrier.kext.realtime, com.intego.netbarrier.kext.process, com.intego.netbarrier.kext.monitor)
   
• Fortinet FortiClient
  (com.fortinet.fct.kext.avkern2, com.fortinet.fct.kext.fctapnke)
   
• Cisco Advanced Malware Protection (AMP)
  (com.cisco.amp.nke, com.cisco.amp.fileop)
   
• TUN/TAP based VPN Clients
  (net.sf.tuntaposx.tap, net.sf.tuntaposx.tun)
   
• eset Security Products
  (com.eset.kext.esets-kac, com.eset.kext.esets-mac und com.eset.kext.esets-pfw)
   

Recently, root certificates for "Let's Encrypt" expired. Apple has decided not to update root certificates for OS X versions older than macOS 10.12. This means that when apps or Safari on your Mac access websites using Let's Encrypt root certificates, they will not load correctly.

Note: this is a general OS X issue that you will want to address to ensure you can access all websites and services.

This issue also affects the secure communication between VPN Tracker and the my.vpntracker.com account service.

How to fix this issue

1. Download the latest VPN Tracker version for your system:
• Mac OS X 10.9 or 10.10: VPN Tracker 365 20.0.1
• Mac OS X 10.11: Get the latest VPN Tracker 365 version


2. Install the root certificate fix
• Visit our certificate fix page
• Download the fix
• Open the profile in System Preferences and choose "Install"


3. Re-launch VPN Tracker and sign in again

If you are still experiencing the same problem, please try this:

• Open Safari
• Go to Preferences > Privacy > Manage website data
• Search for 'equinux' and 'vpntracker' and choose 'Remove all'

VPN Tracker 9 & VPN Tracker 10

Older VPN Tracker versions may also have issues due to certifcates as described above. As these versions are end-of-life, we can no longer offer support for them. The steps above should also apply to these versions. For support and to use VPN Tracker on the latest macOS versions, please switch to a new VPN Tracker plan.

The XAUTH password is generally your company login. It is NOT your equinux ID. Your XAUTH is stored on your VPN gateway or on some remote server your VPN gateway asks for authentication (LDAP server, RADIUS server, Active Directory Server, etc.). If you do not know it, or need to reset it, ask your System Admin for help on this.

VPN Tracker or equinux have nothing to do with this password. Your VPN gateway just tells VPN Tracker "Ask the user for a username and a password and tell me what the user has entered" and that is what VPN Tracker does and in respond to the information the gateway replies "Sorry, but that is not valid username-password-combination, I can't let you in, bye".
In VPN Tracker you can just click on the blue label next to the XAUTH setting and the XAUTH dialog will appear; just overwrite the existing values with new values.
See page 16 in our manual

If you use a dynamic DNS service (e.g. DynDNS, NoIP, DynU, FreeDNS) and your VPN gateway is not responding, please check that your DynDNS service has updated with your current IP address.

If it is not up-to-date, please check the dynamic DNS configuration on your VPN gateway.

There is a known bug in the Watchguard firmware that is causing a lot of trouble. Currently, we still do not know why VPN Tracker is triggering this bug, as the Windows client seems to not trigger it. We talked with Watchguard, but even they could not tell us what we are doing wrong. Basically the tunnel dies internally in the Watchguard (it's still shown as open and established, but traffic arriving over this tunnel is rejected as if the tunnel was closed).

If you are using a Branch Office VPN at the moment, try switching to a MUVPN if possible. MUVPN works with VPN Tracker as well and usually yields for better results.

Please refer to the following description.

VPN Tracker Pro is a great asset if you are a consultant, a system or network administrator, or are working with multiple VPN connections:

• Export VPN connections for yourself and other users.
• Scan the remote network for services or to assist users.
• Connect to multiple VPNs at the same time.
• Manage a large number of VPNs using search, a condensed layout, and connection groups.
• Configure your Mac as a router to provide the entire network with a VPN tunnel using Network to Network connections.

In order to get OpenVPN connections from Ubiquiti Unifi to work correctly with VPN Tracker, the following change must be made to the config file before importing it into VPN Tracker:

- Download the OpenVPN configuration file from the Unifi console.
- Open the configuration file with a text editor.
- Identify this line:
Cipher AES-256-CBC
- Change the line to:
AES-256-GCM
- Save the file.
- Import the file into VPN Tracker

Setting up an OpenVPN connection to your NETGEAR Nighthawk device on Mac, iPhone or iPad is easy with VPN Tracker. VPN Tracker has a device profile specifically set up to work with the NETGEAR Nighthawk range, which means configuration is super straightforward.

With the help of this configuration guide, you'll be up and running with your NETGEAR Nighthawk in no time.

Importing your Windows SSTP connection into VPN Tracker 365 to use on your Mac? VPN Tracker 365 supports all the custom configuration options you need to use your VPN flexibly.

Don't want to run all your traffic through the VPN? You can configure the connection to "Host to Network" to only send network-relevant traffic through the VPN.

Once you have selected "Host to network", you can connect and VPN Tracker 365 will automatically set a route to just send data for the network behind your VPN and route all other traffic (i.e. personal traffic) separately through your normal internet connection.



Note, this will give you the same behaviour as unchecking the "use default gateway on remote network" option on Windows.

Current Firmware (Fireware XTM)

WatchGuard Firebox X Edge e-Series devices with Fireware XTM (Fireware 11) are fully supported in current versions of VPN Tracker. For details please see our configuration guide.

Older Firmware

Devices running an older firmware may often work using the following setup. Please note however that we can't guarantee that this setup will work in all cases.

Start by creating a new user on the Firebox Edge and then configure MUVPN support for this user.

In VPN Tracker, use a "Custom Connection" device profile as the basis for your new connection.

Map the WatchGuard settings to your VPN Tracker configuration as shown in the table below:

Watchguard	VPN Tracker
Account Name	Local Identifier
Shared Key	Preshared Key
Virtual IP Address	Local Address
Authentication Algorithm	Phase 1 and Phase 2 Hash/Authentication Algorithms
Encryption Algorithm	Phase 1 and Phase 2 Encryption Algorithms
Key expiration in hours	Phase 1 and Phase 2 Lifetime

The following settings are independent of your specific MUVPN configuration:

• Local Identifier Type: Email (even if it is a name and not an email address)
• Exchange Mode: Aggressive
• Phase 1 Diffie-Hellman Group: Group 2 (1024 bit)
• Perfect Forward Secrecy (PFS): off

Finally make sure the that VPN Tracker's "Network" setting is set to "Host to Network", and the correct Remote Network (i.e. the network that you want connect to through the VPN) is used (e.g. 192.168.1.0/255.255.255.0).