User profile for user: berglöwe123
berglöwe123 Author
User level: Level 1
6 points

When does MacOS delete VPN connections?

Hi community, apparently MacOS stores data about VPN connections in /Library/Preferences/SystemConfiguration/preferences.plist. I use a VPN App called "WireGuard" and when I create a connection in it, an entry to the plist file is added and the secret keys are stored in the key chain (kind: wg-quick(8) config).


WireGuard stores a base64 coded "PasswordReference" in the mentioned plist file that when it starts (TunnelsManager.swift) will be attempted to be matched against the keychain entry's "Account" value.


If WireGuard can't match either side, the now "orphan" entry will be removed with log message:

"Removing orphaned tunnel with non-verifying keychain entry [Account]".


Now, the issue is that this apparently happens to not just me (read lots of reports elsewhere without any solution).


It would be nice to know in which cases MacOS removes entries from preferences.plist or rewrites them in an incompatible way so that the WireGuard app removes the remaining configuration from the key chain.


Thanks in advance for your support.

MacBook Pro 16″, macOS 14.7

Posted on Jul 26, 2025 2:52 PM

Reply
4 replies
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
143,099 points

Jul 31, 2025 10:34 AM in response to berglöwe123

As for some options…



Try the built-in VPN, and see if that works well enough for your needs:

VPN overview for Apple device deployment - Apple Support


Another semi-related configuration option potentially useful here is a VPN client connecting into a VPN server running on the remote gateway firewall box, where I control that box. That’s easier than managing a VPN pass-through.




As for the WireGuard issue…



That’s not going to get solved around here.


According to the following source code (yellow-ish highlight added), it’s apparently WireGuard reporting the cited error:

https://git.zx2c4.com/wireguard-apple/commit/?id=adcbd17ebeedaf6fa8106c8835ebf43667170878




I’d suspect the issue is with the Keychain implementation and upgrade details, and not the plist; that the plist is secondary to whatever WireGuard issue, or Apple Keychain issue, or Apple Keychain upgrade issue, is arising.


I’m not going to rummage the WireGuard code path leading up to that WireGuard diagnostic to review what and how it is doing what it does, nor the details of the WireGuard use of Keychain, nor whatever might happen with Apple macOS updates and Keychain.




As for one potential future…



Apple has been migrating away from the current file-based Keychain implementation to the data protection Keychain, so I’d expect somebody working on WireGuard will be revisiting this source code eventually anyway. If they haven’t already migrated.


Related: On Mac Keychains | Apple Developer Forums


Per Apple: ”The file-based keychain is on the road to deprecation. It’s not officially deprecated, but some of the APIs surrounding it are. For example, SecKeychainCreate was deprecated in the macOS 12 SDK. Moreover, new features, like iCloud Keychain, require the data protection keychain.”


Reply
User profile for user: leroydouglas
leroydouglas
Community+ 2025
User level: Level 10
197,742 points

Jul 31, 2025 8:36 AM in response to berglöwe123

berglöwe123 wrote:

Hi community, apparently MacOS stores data about VPN connections in /Library/Preferences/SystemConfiguration/preferences.plist. I use a VPN App called "WireGuard"


It would be nice to know in which cases MacOS removes entries from preferences.plist or rewrites them in an incompatible way so that the WireGuard app removes the remaining configuration from the key chain.

Thanks in advance for your support.


see—Remove a VPN configuration...

Set up a VPN connection on Mac - Apple Support

Set up a VPN connection on Mac - Apple Support



Maybe this is not an issue...


A true VPN tunnel, for example between you and your job or a Bank server would be of value, otherwise might be time to re-think the usage.


If your work mandates the use of a point to point VPN— contact your work IT network admin, and verify if they block or not access to the Internet which is common practice on a work network.


see: Public VPN's are anything but private or safe

https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

https://www.eccu.edu/blog/cybersecurity/5-reasons-why-you-should-not-use-free-vpns/

https://krebsonsecurity.com/2024/05/is-your-computer-part-of-the-largest-botnet-ever/

https://www.pcmag.com/news/the-feds-have-some-advice-for-highly-targeted-individuals-dont-use-a-vpn


*ref: Help with Firewall Settings macOS 15.5 - Apple Community

ref: Route Incoming https traffic from other p… - Apple Community




Reply
User profile for user: berglöwe123
berglöwe123 Author
User level: Level 1
6 points

Jul 31, 2025 8:57 AM in response to leroydouglas

Hi Leroy,

the aim is to establish VPN connections between machines I control. These might be IoT-Devices, Routers, VPS or Web Spaces, ...

Thanks for the warnings about the VPN from commercials.

I specifically asked for when MacOS removes WireGuard-managed configuration from the MacOS System Configuration. I can't use a protocol that is supported out-of-the-box by MacOS. Most of them need hardware acceleration on the other side, which might be of a problem in case of some IoT devices.

Thanks.

Reply
User profile for user: leroydouglas
leroydouglas
Community+ 2025
User level: Level 10
197,742 points

Jul 31, 2025 9:30 AM in response to berglöwe123

berglöwe123 wrote:

Hi Leroy,
the aim is to establish VPN connections between machines I control. These might be IoT-Devices, Routers, VPS or Web Spaces, ...
Thanks for the warnings about the VPN from commercials.

I specifically asked for when MacOS removes WireGuard-managed configuration from the MacOS System Configuration.

I can't use a protocol that is supported out-of-the-box by MacOS. Most of them need hardware acceleration on the other side, which might be of a problem in case of some IoT devices.
Thanks.


I am of little help here.


Possibly a google search would be your friend...or wireguard support


ex. https://serversideup.net/blog/how-to-configure-a-wireguard-macos-client/


ref: https://www.wireguard.com/ support: team@wireguard.com



further—


Call Customer Support  (800) MYAPPLE (800–692–7753)


or on line  https://getsupport.apple.com/


Outside the USA—Contact Apple for support and service by phone

See a list of Apple phone numbers around the world.

Contact Apple Support - Apple Support 




Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

When does MacOS delete VPN connections?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up