Huntload222

Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

On This Page
Background
How to Load Tunnelblick's System Extensions
The Long-Term Problem
How to tell if you have a 'tap' VPN or a 'tun' VPN
When will this happen?
How to modify a 'tun' VPN so it will continue to work
If macOS still complains
Always load tun or always load tap
Disabling SIP
Old versions of Tunnelblick will not help
What Apple announced
What is Tunnelblick doing about it?

Background

To connect to a VPN, Tunnelblick needs to use a special kind of device driver:

• For a Tun VPN, macOS includes a built-in 'utun' device driver which can be
  used so that Tunnelblick's Tun system extension does not need to be loaded.
  Most OpenVPN configuration files will automatically use the 'utun' driver, but
  some include options that require Tunnelblick to use its own Tun system
  extension. Those configuration files should be modified so that the built-in
  macOS 'utun' device driver can be used. (For simple instructions to make such
  modifications, see Errors Loading System Extensions.)

• For a Tap VPN, Tunnelblick's Tap system extension must be loaded because
  macOS does not have a built-in Tap device driver.

Apple has made it more and more difficult to load system extensions with each
new version of macOS. They have also announced that in 'a future version' of
macOS, you will not be able to use system extensions at all.

How to Load Tunnelblick's System Extensions

If you are using any version of macOS up to and including macOS Sierra,
Tunneblick automatically loads and unloads its system extensions; you do not
need to do anything.

If you are using macOS High Sierra, Mojave, or Catalina, you need to

1. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
2. Open System Preferences >> Security & Privacy;
3. Give permission to load system extensions signed by 'Jonathan Bullard';
4. Close System Preferences; and
5. If you are using macOS Catalina**, restart your computer.

If you are using macOS Big Sur on an Intel Mac, you need to:

1. Restart your computer in Recovery mode;
2. Open /Applications/Utilities/Terminal;
3. Execute 'csrutil disable' command in Terminal;
4. Restart your computer normally;
5. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
6. Open System Preferences >> Security & Privacy;
7. Give permission to load system extensions signed by 'Jonathan Bullard';
8. Close System Preferences;
9. Restart your computer normally;
10. Restart your computer in Recovery mode;
11. Open /Applications/Utilities/Terminal;
12. Execute 'csrutil enable' command in Terminal; and
13. Restart your computer normally.

If you are using macOS Big Sur on an Apple Silicon Mac, you need to use the latest beta version of Tunnelblick. See Tunnelblick and Apple Silicon for details.

The Long-Term Problem

Apple has announced changes to macOS which affect many users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

What this means is:

• If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult your VPN service provider or OpenVPN experts and support for help with doing this.

• On macOS Big Sur 11.0.1 you may be able to allow 'tap' VPNs to continue to work by disabling SIP.

• On macOS Big Sur 11.1.0 disabling SIP is not necessary.

• If you have a 'tun' VPN, your configurations may continue to work in future version of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a 'dev-node' option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a 'dev-node' option, you will need to remove that option so the configuration continues to work (see below).

How to tell if you have a 'tap' VPN or a 'tun' VPN

First, click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.

Then, examine the title of the 'VPN Details' window. If it includes:

• '- UTUN -': you have a 'tun' VPN but it does not require a system extension. You don't need to do anything.
• '- TUN -': you have a 'tun' VPN which requires a system extension. See below for instructions for modifying the OpenVPN configuration file so the system extension is not required.
• '- TAP -': you have a 'tap' VPN which requires a system extension. Contact your VPN service provider for help.

When will this happen?

Apple does not announce its intentions in advance, so there may not be any prior notice of this change. It may appear in a version of macOS Big Sur, or may appear in a later version of macOS.

For updated information about macOS Big Sur, see Tunnelblick on macOS Big Sur.

How to modify a 'tun' VPN so it will continue to work

You need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file:

1. Click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.
2. Click on the little 'gear' icon at the bottom of the list of configurations. If you can click 'Make Configuration Private…', do so and have a computer administrator authorize the change. (If you can't click it, don't : )
3. Click on the little 'gear' icon and click on 'Edit OpenVPN Configuration File…'. The configuration file will open in Apple's 'TextEdit' editor.
4. Find a line that starts with 'dev-node tun'. If you find one, delete the line. If you dont find one, skip the next step.
5. Look for a line that starts 'dev tun' or 'dev-type tun'. If neither one exists in the file, add a new line that says 'dev tun'.
6. Quit TextEdit, saving the changes if asked.
7. If you previously made the configuration private, make it shared by clicking the little 'gear' icon, clicking 'Make Configuration Shared', and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.

If macOS still complains

Always load tun or always load tap

If you have a 'tun' VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS Catalina still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to 'Load tun driver automatically' and 'Load tap driver automatically'. These settings are found on the 'Connecting & Disconnecting' tab of the 'Advanced' settings window. Recent versions of Tunnelblick will automatically disable loading of 'tun' and 'tap' system extensions on versions of macOS that do not allow Tunnelblick to load them.

Disabling SIP

System Integrity Protection ('SIP') is a feature of macOS which helps keep your computer safe (see About System Integrity Protection on your Mac).

Although it is not recommended because it makes your computer less safe, if you are using macOS Big Sur 11.0.1, disabling SIP may allow your computer to connect a 'tap' VPN. See Configuring System Integrity Protection for instructions to disable SIP.

It has been reported that on macOS Big Sur 11.1.0 disabling SIP is no longer necessary. This has not been verified by the Tunnelblick developers.

Old versions of Tunnelblick will not help

This situation is caused by changes in macOS, not a change in Tunnelblick, so older versions of Tunnelblick will not help. All Macs running OS X 7.5 or later should use the latest stable or beta version of Tunnelblick. See Deprecated Downloads for a version of Tunnelblick that should be used on earlier versions of OS X and on all PowerPC Macs.

What Apple announced

Apple has announced that 'future OS releases will no longer load system extensions that use deprecated KPIs by default'. Tunnelblick includes, and for some configurations loads one of two such extensions:

• 'tap' configurations always require the use of one system extension.
• 'tun' configurations may require the use of the other system extension but can easily be modified so no system extension is required.

It isn't clear what Apple means by the phrase 'by default'. It may mean that Apple will provide a mechanism for users to allow loading of system extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS Catalina does not indicate such a mechanism will be provided.

Early versions of macOS Big Sur may allow system extensions to be loaded if SIP is disabled, see Tunnelblick on macOS Big Sur.

On macOS Big Sur 11.1.0 disabling SIP is no longer necessary.

What is Tunnelblick doing about it?

In the short term:

• macOS Catalina loads Tunnelblick's system extensions (which are signed by 'Jonathan Bullard'), but the user must interactively allow this in the Security and Privacy window of System Preferences.

• macOS Big Sur 11.0.1 refuses to load Tunnelblick's existing, notarized system extensions unless SIP is disabled. It isn't known if this behavior will be present in future versions of Big Sur; 11.1.0 does not require SIP to be disabled. Apple's suggested workaround, using an 'installer package', cannot be easily integrated into the Tunnelblick installation process. It is possible that someone else will develop an installer which can load Tunnelblick's system extensions and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to link to the installer or installers on the Downloads page.)

• Versions of Tunnelblick that are running on macOS Big Sur may disable loading of system extensions. You may override this; see Tunnelblick on macOS Big Sur for details.

• Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to include it in Tunnelblick.)

In the longer term:

At some point in the future when Tunnelblick no longer supports versions of macOS that can load system extensions, system extension loading and unloading will probably be removed from Tunnelblick. Historically, Tunnelblick has supported several years of macOS releases. As of June 2020 Tunnelblick supports OS X and macOS versions as far back as 10.7.5, which was released in 2012, so it is anticipated that the removal will not take place until the mid- to late-2020s.

Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

Tunnelblick may try to load a system extension to control the VPN tunnel. (Note: Apple previously used the terms 'kext' and 'kernel extension' but now uses the term 'system extension'.)

Note: If you are using a 'tun' VPN, you can avoid needing to load a system extension by doing the following:

1. Make sure your OpenVPN configuration file does not include a 'dev-node tun' option;
2. Make sure your OpenVPN configuration file does include a 'dev tun' option; and
3. Make sure you have not selected 'Always load Tun driver' in the 'Connecting & Disconnecting' tab of Tunnelblick's 'Advanced' settings window.

The 'dev-node tun' option causes OpenVPN to use a 'tun' device, which requires a system extension to be loaded. If a 'dev-node tun' option is not present and a 'dev tun' option is present, OpenVPN will use the 'utun' device which is built into macOS and does not require a system extension to be loaded.

Also, see Edit or Examine an OpenVPN Configuration File.

(If you are using a 'tap' VPN, Tunnelblick must load a system extension for your VPN to operate.)

If you see a message similar to one of the following:

Tunnelblick was not able to load a device driver (kext) that is needed to connect...

Tunnelblick was not able to load a system extension that is needed to connect...

There are two possible causes for this message:

(1) Your version of macOS did not allow the system extension to load or you did not give permission for the system extension to load:

• If you are using an Apple Silicon Mac, see Tunnelblick and Apple Silicon.
• If you are using macOS Big Sur, see Tunnelblick on macOS Big Sur.
• If you are using macOS Catalina, see Tunnelblick on macOS Catalina.
• If you are using macOS High Sierra or Mojave, see Tunnelblick on macOS High Sierra and macOS Mojave.

(2) There may be incompatible system extensions already loaded. Recent versions of Tunnelblick try to be 'good citizens' by loading system extensions only when needed, and unloading them when they are no longer needed. However, some other VPN clients (CiscoAnyConnect SSL VPN, for example) load their own, incompatible system extensions when the computer is started and leave them loaded, whether or not a VPN connection is in use. (Some non-VPN software also loads incompatible system extensions — for example, Pogoplug loads a 'com.pogoplug.xcetun' tun system extension which interferes with Tunnelblick's tun system extension. 'Security' programs also may load incompatible system extensions.)

To find out if an incompatible system extension is causing the problem, use the kextstat | grep -v com.apple command in a Terminal window. It will list all of the non-Apple system extensions that are loaded. Usually the tun and/or tap system extensions show up at or near the end of the list. Common tun/taps are:

• net.tunnelblick.tun and net.tunnelblick.tap: These are the system extensions used by current versions of Tunnelblick. When needed, the appropriate one (tun or tap) is loaded when a connection is requested, and unloaded when it is disconnected. Since macOS 10.6.8, 'tun' connections do not need to have a system extension loaded unless they include a 'dev-node tun' OpenVPN option. Tunnelblick uses customized versions of the system extensions from tuntaposx, modified to have a Tunnelblick bundle ID and version. Which version Tunnelblick uses depends on the version of macOS being used.
• foo.tun and foo.tap: These are system extensions for obsolete Cisco and Tunnelblick VPN clients (and some others), loaded when a very old version of Tunnelblick is launched (and unloaded when the computer restarts). If Tunnelblick detects them, it will offer to unload them before connecting.
• com.cisco.cscotun: This is Cisco AnyConnect SSL VPN system extension. Cisco's installer causes it to be loaded when the computer starts.
• com.viscosityvpn.Viscosity.tun and com.viscosityvpn.Viscosity.tap: These are system extensions used by the Viscosity VPN client.
• com.pogoplug.xcetun: This system extension is associated with Pogoplug.
• anchorfree.tun: This system extension is associated withHotSpot Shield VPN.
• net.sf.tuntaposx.tap and net.sf.tuntaposx.tun: These are from tuntaposx.
  But any non-Apple system extension with 'tun' or 'tap' in its name is likely to be causing the problem, and system extensions with other names might be causing the problem.

To unload system extensions and allow Tunnelblick to load its own system extensions, use the kextunload Terminal command to unload each loaded tun and tap system extension individually. For example, to unload com.viscosityvpn.Viscosity.tun, type the following:

sudo kextunload -b com.viscosityvpn.Viscosity.tun

(The 'sudo' is necessary because this command modifies the loading of a device driver. You will be asked for your administrator password, which will not appear (even as asterisks) when you type it.)

If you find that restarting your computer reloads the system extension you might need to find where it is being loaded from. Common locations are

• /Users/your username/Library/LaunchDaemons
• /Users/your username/Library/LaunchAgents
• /Library/LaunchDaemons
• /Library/LaunchAgents
• /System/Library/LaunchDaemons
• /System/Library/LaunchAgents

There are user-contributed scripts on the Downloads page that will automatically unload the Cisco system extension when Tunnelblick makes a connection, and reload the Cisco system extension when the connection is disconnected.