1. Tunnelblick All Traffic Through Vpn Login
  2. Tunnelblick All Traffic Through Vpn Service

On This Page
Starting Tunnelblick
Quitting Tunnelblick
Automatically Starting Tunnelblick Upon Login
Normal Tunnelblick Operation
The 'VPN Details' Window
Configurations
Appearance
Preferences
Utilities
Info
Keyboard Shortcuts
Using More than One VPN Configuration
Connecting to More than One VPN Simultaneously
Command-Line Interface

Starting Tunnelblick

To launch Tunnelblick, double-click Tunnelblick in the Applications folder.

Tunnelblick will automatically be launched the next time you log in if you do not quit Tunnelblick before you log out, shut down, or restart your computer.

Tunnelblick requires few computer resources when no VPN is connected, so most people leave it running all the time.

Quitting Tunnelblick

To quit Tunnelblick, click on the Tunnelblick icon in the menu bar at the top of your screen, then click 'Quit Tunnelblick'. You can also quit Tunnelblick by typing Command-Q when a Tunnelblick window is at the front of the display.

  • When you quit Tunnelblick, all open connections will be closed except those for configurations which are set to automatically connect 'when the computer starts'.

Automatically Starting Tunnelblick Upon Login

Tunnelblick is a menu bar item, not an application. If Tunnelblick is running when you log out, shut down, or restart your computer, Tunnelblick will automatically launch the next time you log in. If you do not want Tunnelblick to launch automatically the next time you log in, quit Tunnelblick before you log out, shut down, or restart.

Tunnelblick will also be launched automatically if any VPNs are active when you log in.

(Don't confuse the automatic launch of Tunnelblick upon login with the 'automatically connect on launch' option, which causes a connection to be established whenever Tunnelblick is launched.)

Normal Tunnelblick Operation

Once Tunnelblick has been launched, you control it from the Tunnelblick icon in the menu bar at the top of your screen. The Tunnelblick icon is usually placed near the Spotlight icon.

When no VPN connection is active, the icon is dim:

When a VPN is connected, the icon is dark:

If you click on the icon, you'll see a drop down menu similar to the following:

There will be a 'Connect' menu item for each available VPN configuration; configurations in subfolders appear on submenus. Click on a 'Connect' item to establish the corresponding VPN connection. While the connection is being established, a dash will appear in the menu item and the Tunnelblick icon will darken and lighten repeatedly.

Depending on your setup, you may be asked for a passphrase and/or username/password. You can save your passphrase, username, or password in Apple's Keychain by checking the appropriate checkbox.

The connection will be active until you disconnect it or log out.

Putting your computer to sleep will close the connection; when the computer wakes up Tunnelblick will attempt to reestablish the connection. (This behavior may be modified using Tunnelblick's 'Advanced' settings window.)

Use 'Disconnect' from the drop-down menu to close the VPN connection.

Use 'Quit' to close all open connections, quit the program, and prevent Tunnelblick from starting itself at your next login.

Note: Tunnelblick will not automatically disconnect a configuration that is set up to automatically connect 'when the computer starts'. The connection will remain open until your computer shuts down or you specifically disconnect it.

The 'VPN Details' Window

When the Tunnelblick menu is displayed, if you click on 'VPN Details' a window similar to the following will appear:

This window has five panels: Configurations, Appearance, Preferences, Utilities, and Info. Select a panel by clicking on its button in the toolbar at the top of the window. The 'Configurations' panel is shown above.

Configurations

The Configurations panel has an entry for each configuration on the left side. Tabs with the log and settings for the configuration selected on the left side are displayed on the right side. You may adjust the relative sizes of the left and right side by dragging the small dot between the two sides.

Note: The username and password of a computer administrator are required for most changes to configurations.

At the bottom of the list of configurations on the left side of the window there are three small buttons:

  • The '+' button guides you through the process of adding a new configuration.

  • The '-' button deletes the selected configuration.

  • The 'gear' button pops down a list of other actions to take using the selected configuration:

'Connect' and 'Disconnect' buttons connect or disconnect the configuration selected on the left side of the window. Another button allows you to copy diagnostic info to the Clipboard so you may paste it into an email or other document to get help troubleshooting a problem, and a help button displays detailed help.

The 'Log' tab (shown above) displays the log for the configuration.

The 'Settings' tab (shown above) allows you to see and modify several settings for the configuration.

'Connect' specifies when the configuration should be connected:

  • 'Manually' specifies that you will connect the configuration manually.
  • 'When Tunnelblick launches' specifies that the configuration is to be connected when Tunnelblick is launched.
  • 'When computer starts' specifies that the configuration is to be connected when the computer starts. You can only choose 'When computer starts' for shared configurations or 'Deployed' configurations.

'Set DNS/WINS' specifies how to handle DNS and WINS settings when the VPN is active:

  • 'Set nameserver' is the default. It causes scripts to be run before a connection is opened and after the connection is closed. The scripts set up DNS and WINS as required by the VPN and restore DNS and WINS information when the VPN is disconnected.
  • 'Do not set nameserver' does not change DNS or WINS settings;
  • 'Set nameserver (3.1)' manipulates DNS settings the way that Tunnelblick 3.1 does;
  • 'Set nameserver (3.0b10)' manipulates DNS settings the way that Tunnelblick 3.0b10 does; and
  • 'Set nameserver (alternate 1)' manipulates DNS settings in a different way that is more compatible with some configurations.

'Monitor network settings' causes network settings to be monitored for changes. It is available only when 'Set nameserver' or 'Set nameserver (3.1)' is selected. When a change is detected, the connection will be disconnected and reconnected. Other actions and actions for changes to specific network settings can be specified on the 'While Connected' tab of the 'Advanced' settings window.

'Route all IPv4 traffic through the VPN' causes Tunnelblick to start OpenVPN with the '--redirect-gateway def1' option.

'Disable IPv6 (tun only)' disables IPv6 on all network interfaces while the configuration is connected.

'Check if the apparent public IP address changed after connecting' checks the IP address before and after connecting. This can be used to detect some DNS problems.

'Reset the primary interface after disconnecting' will restore network connectivity after disconnecting from some configurations which are badly written.

Additional settings may be examined and modified by clicking the 'Advanced' button.
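
To confirm what 'Route all IPv4 traffic through the VPN' did, look at the routing table: with def1, OpenVPN leaves the existing default route in place and adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, through the tunnel. The shell function below is an added example, not part of the Tunnelblick documentation; the sample routing table (addresses, interface names) is constructed and the function name def1_status is hypothetical.

```shell
#!/bin/sh
# Added example: classify an IPv4 routing table (macOS `netstat -rn -f inet`
# layout) by whether the two def1 half-routes point at a tunnel interface.

# Constructed sample: en0 is the LAN, utun1 is the OpenVPN tunnel.
SAMPLE_ROUTES='Destination        Gateway            Flags        Netif Expire
0/1                10.8.0.5           UGSc         utun1
default            192.168.0.1        UGSc           en0
10.8.0.5           10.8.0.6           UH           utun1
128.0/1            10.8.0.5           UGSc         utun1
192.168.0          link#4             UCS            en0
203.0.113.10/32    192.168.0.1        UGSc           en0'

# Reads a routing table on stdin and prints one of:
#   full:<if>          both halves of the IPv4 address space go to <if>
#   partial:<lo>,<hi>  only one half, or the halves use different interfaces
#   default-only:<if>  no def1 routes; traffic follows the default route on <if>
def1_status() {
    awk '
        # Interface name: first field from column 4 on shaped like en0 or utun1
        # (skips the Refs/Use counters that older netstat versions print).
        function netif(   i) {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[a-z]+[0-9]+$/) return $i
            return "?"
        }
        $1 == "0/1"     || $1 == "0.0.0.0/1"   { lo = netif() }
        $1 == "128.0/1" || $1 == "128.0.0.0/1" { hi = netif() }
        $1 == "default" && dflt == ""           { dflt = netif() }
        END {
            if (lo != "" && lo == hi)      print "full:" lo
            else if (lo != "" || hi != "") print "partial:" lo "," hi
            else                           print "default-only:" dflt
        }'
}

printf '%s\n' "$SAMPLE_ROUTES" | def1_status
# On a Mac, check the live table with:  netstat -rn -f inet | def1_status
```

A 'full' result covers IPv4 only; IPv6 routes are separate, which is what the 'Disable IPv6 (tun only)' setting addresses.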

Appearance

The 'Appearance' panel of the 'VPN Details' window allows you to modify Tunnelblick's appearance:

Preferences

The 'Preferences' panel of the 'VPN Details' window allows you to modify Tunnelblick's behavior, check for updates, and reset disabled warnings:

Utilities

The 'Utilities' panel of the 'VPN Details' window has buttons to perform several tasks related to Tunnelblick or OpenVPN:

Info

The 'Info' panel of the 'VPN Details' window displays information about the Tunnelblick program and the people who have contributed to it:

(Note: the credits scroll to reveal additional contributors; not all contributors are displayed in the above screenshot.)

Keyboard Shortcuts

You may use the standard keyboard shortcuts in the 'VPN Details' window:

Shortcut     Action
Command-C    Copy
Command-X    Cut
Command-V    Paste
Command-A    Select all the text in the log
Command-M    Minimize the window to the dock
Command-W    Close the window
Command-Q    Quit Tunnelblick

Using More than One VPN Configuration

You can have any number of configurations installed; each of the configurations will be available in the drop-down menu and in the 'Details' window.

Connecting to More than One VPN Simultaneously

Tunnelblick can maintain multiple simultaneous open connections to different VPNs.

However, this is for experts only:

  • If you use 'Set nameserver' (which uses standard scripts to save/change/restore DNS/WINS data) with one or more connections, your DNS settings may not be saved and restored properly and DNS might or might not work. It depends on which DNS settings you want to use and the order in which connections are opened and closed. Connections may close and be reopened because of communications errors over which you have no control, which can cause unpredictable results. Not recommended.
  • If you don't use 'Set nameserver', and your customized configuration files are suitably written to work together with custom scripts, things can work. But if you don't handle the DNS and routing settings properly, lots of things could go wrong. So this isn't recommended either unless you really know what you're doing and have a NEED to connect to multiple VPNs simultaneously.
  • VPN administrators might not be happy that you are connecting their networks together. Most VPN client software limits you to a single connection, probably for that reason.

Command-Line Interface

Tunnelblick has support for AppleScript, allowing you to list configurations and connect or disconnect them via AppleScript or the command line.

Tunnelblick All Traffic Through Vpn Login

On This Page
It's complicated!
I used a different program and uninstalled it, but with Tunnelblick all I can see are my old configurations!
How can you tell if OpenVPN connected to a server?
If OpenVPN is not connected to the server
OpenVPN Connects, but you can't surf the Internet
A connection is established, but drops out or is restarted after a few seconds or minutes, or DNS stops working after a few minutes
An error message says to see details in the Console Log
An error message says 'write to TUN/TAP : Input/output error (code=5)'
An error message says 'You have tried to connect using a configuration file that is the same as the sample configuration file installed by Tunnelblick'
An OpenVPN log entry says 'potential route subnet conflict'
An OpenVPN log entry says 'Cannot allocate TUN/TAP dev dynamically'
An error message says 'Tunnelblick was not able to load a device driver (kext) that is needed to connect..'
An OpenVPN log entry says 'Tunnelblick: openvpnstart status #247: Error: Unable to load tun and tap kexts. Status = 71'
An OpenVPN log entry says 'Tunnelblick: openvpnstart status #247: Error: Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. Status = 71'
An OpenVPN log entry says 'Note: unable to redirect default gateway -- Cannot read current default gateway from system'
An OpenVPN log entry says 'Cannot load certificate file XXX.crt: error: 02001002:system library:fopen:No such file or directory: error: 20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines'
An OpenVPN log entry says 'TLS Error: Auth Username/Password was not provided by peer'
An OpenVPN log entry says 'script failed: could not execute external program'
Cannot Empty the Trash
I am repeatedly asked for my password or token value (Tunnelblick 3.6.9beta02 or higher)

It's complicated!

Tunnelblick is an interface for OpenVPN. Most problems people think they have with Tunnelblick are really problems they are having with OpenVPN, so what follows is a mix of information about Tunnelblick and OpenVPN.

OpenVPN is such a powerful tool with so many options, and computer configurations are so varied, that it is difficult to have an exhaustive guide to troubleshooting problems. Tunnelblick is designed to deal easily with the most common setups, so if it doesn't apply to your situation, or doesn't help, ask the Tunnelblick Discussion Group or the OpenVPN users mailing list for help.

I used a different program and uninstalled it, but with Tunnelblick all I can see are my old configurations!

The different program (for example, Urban Shield) uses a customized version of Tunnelblick that makes backups of their configurations and restores them when Tunnelblick starts up, and also hides all other configurations. To solve this problem:

  1. Rename the /Library/Application Support/Tunnelblick folder to be named Tunnelblick.old. (This will hide the backup, so Tunnelblick doesn't see it and doesn't restore it.)
  2. Reinstall Tunnelblick from the .dmg (disk image)

How can you tell if OpenVPN connected to a server?

  1. Click on the Tunnelblick icon at the top of the display.
  2. See what appears in the drop-down list for the configuration you are trying to troubleshoot:
    • If the entry shows Connect xyz, configuration xyz is not connected and Tunnelblick is not trying to connect
    • If the entry shows √ Disconnect xyz, configuration xyz is connected
    • If the entry shows - Connect xyz, Tunnelblick is trying to connect configuration xyz

If OpenVPN is not connected to the server

If OpenVPN can't connect to the server and Tunnelblick hasn't popped up a window explaining why, there should be one or more error messages in the OpenVPN log to indicate what the problem is. To see the OpenVPN log, click on the Tunnelblick icon, click on 'VPN Details', click on the large 'Configurations' button at the top of the window, click on the name of the configuration you are troubleshooting on the left side of the window, and then click on the 'Log' tab on the right side. The OpenVPN log is the large area of black text on a white background. (It contains messages from Tunnelblick in addition to the messages from OpenVPN.)

Look at lines near the end of the log for an error message.

OpenVPN Connects, but you can't surf the Internet

See Connects OK, But..

A connection is established, but drops out or is restarted after a few seconds or minutes, or DNS stops working after a few minutes

This can have several causes:

  • Another computer on your network is attempting to connect to the VPN using the same credentials.
  • You don't have 'Monitor connection' checked. When DHCP is renewed, the change is ignored (because 'Monitor connection' isn't checked) and the VPN-supplied DNS server is replaced with the DHCP-supplied server. Often a DHCP-supplied server will only respond to queries which originate within that network. Since the DNS queries originate from the VPN, which is outside of that network, the queries will not be answered. Put a check next to 'Monitor network'.

An error message says to see details in the Console Log

See The Console Log for instructions on viewing the Console Log.

An error message says 'write to TUN/TAP : Input/output error (code=5)'

OpenVPN may display a series of these messages when using a TAP connection. Although a few such messages are normal, if they continue to be displayed for more than a few seconds and the connection is never established, try to connect with DNS/WINS set to 'Set nameserver (alternate 1)'.

An error message says 'You have tried to connect using a configuration file that is the same as the sample configuration file installed by Tunnelblick'

This means that you have tried to connect to a VPN without setting up a configuration file. Consult your network administrator or your VPN service provider to obtain configuration and other files or the information you need to modify the sample file. For more information, see Getting VPN Service.

An OpenVPN log entry says 'potential route subnet conflict'

This means that the remote network you are creating a VPN to has IP addresses that are also in your local LAN.

One way to fix this is to include a 'redirect-gateway local' option in the OpenVPN configuration file and un-check Tunnelblick's 'Route all IPv4 traffic through the VPN'. (All traffic will still be routed through the VPN because of the 'redirect-gateway' option.)

Another way to fix this is to change the addresses of your local LAN. You do this by changing your router's configuration. For some routers you specify the first three numbers of the LAN (e.g. 192.168.77); in other routers you specify the address of the router itself (e.g. 192.168.77.1).

After changing the LAN address, you should restart all computers (and other network devices including network printers), so they start using addresses in the new address range.

Example:
WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

This means that both the remote network and your local network are using the 192.168.1.* range of IP addresses. So change your local network to use, for example, 192.168.5.* or 192.168.23.*. If you get the same warning message, try another address range.
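
Before renumbering the LAN, a candidate range can be tested against the remote range named in the warning. The script below is an added example, not part of the Tunnelblick documentation; it goes slightly beyond the /24 case in the text by handling any pair of netmasks, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: test a candidate LAN range against the remote VPN range
# reported in an OpenVPN "potential route subnet conflict" warning.

# The warning line quoted in the text above.
WARNING='WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]'

# Dotted quad -> integer, so addresses and masks can be ANDed.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when net1/mask1 and net2/mask2 share any address.
# Two such ranges overlap exactly when they agree under the shorter mask,
# which for contiguous netmasks is mask1 AND mask2.
subnets_overlap() {
    n1=$(ip_to_int "$1"); m1=$(ip_to_int "$2")
    n2=$(ip_to_int "$3"); m2=$(ip_to_int "$4")
    m=$(( m1 & m2 ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Prints "net mask" of the remote VPN named in a warning line.
remote_from_warning() {
    printf '%s\n' "$1" |
        sed -n 's/.*remote VPN \[\([0-9.]*\)\/\([0-9.]*\)\].*/\1 \2/p'
}

# Prints "conflict" or "ok" for candidate LAN $1/$2 against warning line $3.
check_new_lan() {
    set -- "$1" "$2" $(remote_from_warning "$3")
    [ $# -eq 4 ] || { echo unparsed; return 1; }
    if subnets_overlap "$1" "$2" "$3" "$4"; then echo conflict; else echo ok; fi
}

check_new_lan 192.168.1.0 255.255.255.0 "$WARNING"   # the current LAN
check_new_lan 192.168.5.0 255.255.255.0 "$WARNING"   # the suggested change
```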

An OpenVPN log entry says 'Cannot allocate TUN/TAP dev dynamically'

This error indicates a problem with the Tun and/or Tap system extensions.

  • It can be caused by the following sequence in the configuration file:
    dev-type tun
    dev abcdefg
    and a workaround is to replace both lines with the single line
    dev tun
    (substitute 'tap' for 'tun' in the above if this is a Tap configuration.)
  • It can be caused by extra Tun or Tap system extensions being loaded. See the following entry.

An error message says 'Tunnelblick was not able to load a device driver (kext) that is needed to connect..'

An OpenVPN log entry says 'Tunnelblick: openvpnstart status #247: Error: Unable to load tun and tap kexts. Status = 71'

An OpenVPN log entry says 'Tunnelblick: openvpnstart status #247: Error: Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. Status = 71'

Please see Errors Loading System Extensions.

An OpenVPN log entry says 'Note: unable to redirect default gateway -- Cannot read current default gateway from system'

There is a problem (in macOS and/or OpenVPN) which causes OpenVPN to be unable to read the default gateway when you try to connect OpenVPN through an existing PPP connection; here is a workaround:

Create a ppp start-up script /etc/ppp/ip-up and add the following:

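#!/bin/sh
# Runs when the PPP link comes up: point the default route at the PPP peer.
PATH=/sbin:/usr/sbin/:/usr/bin:/bin
# The peer address is the 4th field of the IPv4 line (inet <local> --> <peer>);
# 'inet ' with a trailing space skips any inet6 line on the interface.
gw=`ifconfig ppp0 | grep 'inet ' | awk '{ print $4 }'`
route change default $gw -ifscope ppp0

Save the script and make it executable by running chmod a+x /etc/ppp/ip-up.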

Please note that the above script was made for interface ppp0. If for any reason you have more/other, make the changes accordingly.

An OpenVPN log entry says 'Cannot load certificate file XXX.crt: error: 02001002:system library:fopen:No such file or directory: error: 20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines'

Your certificate file (XXX.crt) was not found. Usually the file should be in the same folder as the OpenVPN configuration file, not in a subfolder. For example, if the configuration file has a line such as
cert abcde.crt
or
ca abcde.crt
then the file abcde.crt should be in the same folder as the configuration. If the configuration file has a line such as
cert xyz/abcde.crt
or
ca xyz/abcde.crt
then the file abcde.crt should be in the xyz subfolder of the folder with the configuration.

An OpenVPN log entry says 'TLS Error: Auth Username/Password was not provided by peer'

Your client configuration file should include an 'auth-user-pass' option.

An OpenVPN log entry says 'script failed: could not execute external program'

An up or down script contains an error. Common causes:

  • The use of a script file with Windows line breaks (CR-LF) instead of Unix/Mac line breaks (LF).
  • The use of a script file that does not have execute permission for root.
  • The use of a script file with syntax errors.
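
The three causes above can be checked from Terminal before reconnecting. The function below is an added example, not part of the Tunnelblick documentation; its name is hypothetical, the demo file is constructed, and it assumes the script is written for /bin/sh.

```shell
#!/bin/sh
# Added example: check an OpenVPN up/down script for the three causes
# listed above. Prints "ok" or a space-separated list of problems.

check_vpn_script() {
    script=$1
    problems=""
    cr=$(printf '\r')

    [ -f "$script" ] || { echo "missing"; return 1; }

    # 1. Windows line breaks: any carriage return in the file.
    if grep -q "$cr" "$script"; then
        problems="${problems:+$problems }crlf"
    fi

    # 2. Execute permission: root can only run a file that has at least
    #    one execute bit set, so look for one in the mode string.
    mode=$(ls -ld "$script" | cut -c2-10)
    case $mode in
        *[xst]*) ;;
        *) problems="${problems:+$problems }no-exec" ;;
    esac

    # 3. Syntax: parse without executing (-n). Carriage returns are
    #    stripped first so a CR-LF file is not reported twice.
    if ! tr -d '\r' < "$script" | sh -n 2>/dev/null; then
        problems="${problems:+$problems }syntax"
    fi

    echo "${problems:-ok}"
    [ -z "$problems" ]
}

# Constructed demo: a script saved with CR-LF endings and mode 644.
demo=$(mktemp)
printf '#!/bin/sh\r\necho "tunnel up"\r\n' > "$demo"
chmod 644 "$demo"
check_vpn_script "$demo" || true
rm -f "$demo"
```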

Cannot Empty the Trash

If you dragged an old copy of Tunnelblick to the Trash and now cannot empty the Trash because Finder complains that something is 'in use' (probably something named Sparkle.framework), try the following:

Launch Terminal (in /Applications/Utilities).

Copy/paste the following into Terminal:

You will be asked for your password. Type it in (it will not show up as you type it) then press the 'enter/return' key on the keyboard.

Quit Terminal, then try to empty the Trash.

I am repeatedly asked for my password or token value (Tunnelblick 3.6.9beta02 or higher)

For some OpenVPN setups that use 'small block' ciphers and username/password authentication or two-factor authentication (2FA), this can be very annoying because the user will be asked to authenticate each time 64 MB has been transferred through the VPN.

There are several ways to avoid the problem:

  • Use a cipher which is not a 'small block' cipher. (This must be done on both OpenVPN client and OpenVPN server.)
  • Use OpenVPN 2.4 or higher and enable cipher negotiation. This must be done on both the server and client.
  • For username/password authentication, have Tunnelblick save the username and password in the Keychain.
  • For 2FA, do not use --auth-nocache, and use the --auth-token option in the client-connect and auth-user-pass-verify scripts on the server side to ask for 2FA once per session only.

More information is available at OpenVPN and SWEET32.

Tunnelblick All Traffic Through Vpn Service

Feb 12, 2016

If this is not checked, all IPv4 traffic may still be sent through the VPN because the OpenVPN configuration file may contain the option, or the option may be 'pushed' from the VPN server. Tunnelblick doesn't provide a way to override a pushed '--redirect-gateway' because that option is often used for security purposes and should not be overridden.

I want to make sure that the traffic is going through the VPN and not through the normal internet connection. The gateway IP for my network is 192.168.0.1 and the gateway for OpenVPN is 10.8.0.1. I have done a traceroute and it shows that the websites that don't work access 192.168.0.1 and not 10.8.0.1.