Skip to main content

SecureLinkVPN for macOS

SecureLinkVPN is a native macOS application that provides secure VPN connectivity to the SecureLink SD-WAN platform. It supports both WireGuard and IKEv2 protocols and runs as a menu bar application.

Requirements

  • macOS 13 (Ventura) or later
  • Apple Silicon (M1–M4) or Intel
  • Network access to your SecureLink orchestrator

Installation

  1. Download SecureLinkVPN from your organization's distribution channel
  2. Open the .dmg and drag SecureLinkVPN to Applications
  3. Launch the app — it appears in the menu bar (top-right of the screen)
note

On first launch, macOS will ask you to allow the VPN configuration. Click Allow in the system dialog. This is required for both WireGuard and IKEv2 protocols.

Initial Setup

1. Connect to Your Orchestrator

On first launch, you'll see the Setup screen:

  • Orchestrator URL — Enter the URL provided by your administrator (e.g., https://api.securelink.example.com)
  • Organization Code — Enter your tenant code (e.g., NET-LNK)

The app contacts the orchestrator's discovery endpoint to automatically configure API and authentication URLs.

2. Sign In

Enter your SecureLink credentials (username and password). Authentication is handled through your organization's identity provider (Keycloak SSO). After successful sign-in, the app exchanges your credentials for a session token.

3. Register Your Device

After signing in, you'll see a Register Device prompt:

  • The app generates a unique device fingerprint
  • Click Register Device to register with the orchestrator
  • The server assigns you a VPN configuration (tunnel IP, endpoint, encryption keys or certificates)

Registration is one-time per device. Your configuration is securely stored in the macOS Keychain.

Connecting

Click the SecureLinkVPN icon in the menu bar, then click Connect.

The connection process:

  1. App loads your VPN configuration from the Keychain
  2. Establishes an encrypted tunnel to your assigned edge
  3. Menu bar icon changes to indicate connected status
  4. Traffic flows through the VPN according to your routing policy

To disconnect, click the menu bar icon and click Disconnect.

Protocol Support

SecureLinkVPN supports two VPN protocols. The protocol is determined during device registration based on your edge's App VPN configuration:

WireGuard

  • High-performance, lightweight protocol
  • Uses Curve25519 key exchange and ChaCha20-Poly1305 encryption
  • Client generates a keypair; public key is registered with the edge
  • IP pool: 10.10.0.0/16

IKEv2

  • Standards-based IPSec protocol
  • Uses certificate-based authentication (PKCS#12 bundle provided by the server)
  • Native macOS support — no third-party framework needed
  • IP pool: 10.11.0.0/16
Switching Protocols

If your administrator changes the edge's App VPN protocol (e.g., from WireGuard to IKEv2), the app detects this on the next connection and prompts you to re-register your device to receive the updated configuration.

SecureLinkVPN runs as a menu bar application with no dock icon. The menu bar icon reflects connection state:

Icon StateMeaning
Shield (outline)Disconnected
Shield (filled, green)Connected
Shield (rotating)Connecting
Shield with warningDegraded (stale handshake)

The menu shows:

  • Connection status with live metrics (bytes sent / received)
  • Connect / Disconnect toggle
  • Open Dashboard — opens the main app window with detailed metrics
  • Quit — closes the app

Metrics Dashboard

Click Open Dashboard from the menu bar to see detailed connection information:

MetricDescription
Sent / ReceivedTotal bytes transferred (e.g., "1.5 MB")
Connection DurationTime connected (e.g., "1h 23m")
Assigned IPYour VPN tunnel IP address
EndpointEdge server address and port
Last HandshakeTime since last successful handshake (e.g., "32 seconds ago")
HealthGreen circle (healthy) or orange circle (degraded)

Connection Health

The app monitors connection health continuously:

  • Healthy — Handshake within the last 3 minutes
  • Degraded — Handshake older than 3 minutes (may indicate network issues)
  • Reconnecting — Auto-reconnect in progress with exponential backoff (2s → 32s, max 5 attempts)

Auto-reconnect only activates if the connection was previously established and you didn't manually disconnect. If you clicked Disconnect, the app respects your intent and does not reconnect automatically.

Settings

Click Settings in the dashboard to view or override:

  • API URL, Keycloak URL, Realm, and Client ID
  • Tenant code, ID, and name
  • Device name and ID

These are auto-configured during setup. Manual override is only needed for troubleshooting or connecting to alternate environments.

Troubleshooting

VPN won't connect

  • Verify network connectivity to the orchestrator and edge
  • Check that the edge is online in the SecureLink management UI
  • Ensure your device registration is active (not revoked)
  • Try disconnecting and reconnecting

Degraded connection

  • The app shows a degraded state when the last handshake is older than 3 minutes
  • Check for network changes (WiFi to Ethernet, network switching)
  • Disconnect and reconnect to force a fresh handshake

"Re-registration required"

  • Your administrator changed the App VPN protocol on the edge
  • Click the re-register prompt to get new VPN configuration

IKEv2 connection issues with dual NICs

  • If your Mac has both WiFi and Ethernet on the same subnet, IKEv2 may route through the wrong interface
  • Disconnect the unused network adapter to resolve