Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

On This Page
The Tunnelblick Application
OpenVPN, Drivers, and Standard Scripts
Log Files
Key and Certificate Files
Configuration Files
Custom Scripts
LaunchDaemons
Preferences
One More Thing

The Tunnelblick Application

The Tunnelblick application, Tunnelblick.app, must be stored directly in /Applications on the startup volume for security reasons. Thus it cannot be used from network drives or internal or external drives including thumb or flash drives, CD/DVD drives, etc. unless they are being used as the startup volume. Running Tunnelblick from from anywhere except /Applications on the startup volume will result in an offer to install Tunnelblick in /Applications on the startup volume.

OpenVPN, Drivers, and Standard Scripts

The OpenVPN program, openvpn-down-root.so, the 'tun' and 'tap' kext driver files, and standard client up/down scripts are included with, and contained within, Tunnelblick.app.

Log Files

Log files are stored in /Library/Application Support/Tunnelblick/Logs. (Early versions of Tunnelblick stored them in /tmp/tunnelblick). The log files for a configuration are created or deleted and recreated each time the connection is made. There are two log files for each configuration, an OpenVPN log file and a scripts log file. The contents of the files are merged in the display in Tunnelblick's 'VPN Details' window.

Key and Certificate Files

These may be stored anywhere, but typically they are stored in the same folder as the configuration (.ovpn or .conf) file. Key and certificate files associated with a Tunnelblick VPN Configuration (.tblk) are stored inside the configuration itself.

Key and certificate files usually have an extension of .cer, .crt, .der, .key, .p12, .p7b, .p7c, .pem, or .pfx.

Configuration Files

There are two types of configuration files:

Tunnelblick VPN Connection files (.tblk files), which include within them one OpenVPN configuration file and all key, certificate, and script files used by the configuration; and
OpenVPN configuration files (.ovpn and .conf files). Keys, certificates, and scripts associated with a configuration file are often stored as separate files, but may be included within the configuration file itself.

Note: Configurations should always be installed by dropping them on the Tunnelblick icon in the menu bar. If you just move or copy them they may not work properly.

There are five places configuration files may be stored:

Private configurations, including both types of files, are stored in '~/Library/Application Support/Tunnelblick/Configurations'. Since these files are all located in the user's Library folder, they must be set up separately for each user. (Note that the '~' in the path indicates the user's home folder; thus the folder is actually located somewhere such as /Users/username/Library/Application Support/Tunnelblick/Configurations. Do not confuse this Library folder with the /Library folder located at the root of the filesystem.)
Shared configurations, which can only be Tunnelblick VPN Connection files, are stored in /Library/Application Support/Tunnelblick/Shared. Shared configurations do not need to be set up for each user. (In fact, that's the whole point of sharing them!)
Deployed configurations, including both types of files, are stored within the Contents/Resources folder of Tunnelblick.app itself. They do not need to be set up for each user, and are accessible to all users of the computer with access to the application. (To access the internal contents of Tunnelblick.app in the Finder, Control-click Tunnelblick.app in the Applications folder and click 'Show Package Contents”.)
'Shadow' copies of configuration files (if they exist) are located in /Library/Application Support Tunnelblick/Users/username. See 'useShadowConfigurationFiles' in Preferences for details. Shadow copies are created and maintained by Tunnelblick.
Backup copies of Deployed configurations are stored in subfolders of /Library/Application Support/Tunnelblick/Backup. These configurations will be restored if a version of Tunnelblick which is not a Deployed version is installed, making it into a Deployed version.

Note: Prior to Tunnelblick version 3.0b24, private configuration files were stored in ~/Library/openvpn. Version 3.0b24 and later versions automatically move that folder to its new location, and replace it with a symbolic link to the new location.

Custom Scripts

There are two types of custom scripts that can be run at certain points in the connect/disconnect process:

Scripts supported by OpenVPN: Scripts referred to in the OpenVPN configuration file may be included in a Tunnelblick VPN configuration; use filenames without any path information to refer to them in the OpenVPN configuration file.
Scripts supported by Tunnelblick: Tunnelblick VPN Configurations ('.tblk's) can contain custom scripts that will be run automatically at other points in the connect/disconnect process.

These scripts should be located in a Tunnelblick VPN Configurations without any folder structure, and references to them should not contain any path information.

For more information, see Using Scripts.

LaunchDaemons

Durring installation, Tunnelblick sets up a 'daemon' to perform privileged operations such as starting OpenVPN as root. The daemon has a .plist file named net.tunnelblick.tunnelblick.tunnelblickd.plist in /Library/LaunchDaemons.

If a configuration is set to connect when the computer starts, it has a .plist file located in /Library/LaunchDaemons. These .plist files are all named starting with 'net.tunnelblick.startup.'

Preferences

A user's Tunnelblick preferences are contained in ~/Library/Preferences/net.tunnelblick.tunnelblick.plist.

Note: In Tunnelblick 3.2beta10 and earlier, preferences are stored in ~/Library/Preferences/com.openvpn.tunnelblick.plist.

Deployed versions of Tunnelblick may contain a 'forced-preferences.plist' file within the Tunnelblick application itself. They are used to override the user's normal preferences; see Deploying Tunnelblick for details.

Tunnelblick VPN Configurations may also include preference defaults, which are used to initialize the user's preferences (which may then be changed by the user).

One More Thing

Under certain circumstances, Tunnelblick replaces the configuration folder that very old versions of Tunnelblick use,
~/Library/openvpn
with a symbolic link to the new location of the folder,
~/Library/Application Support/Tunnelblick/Configurations

Mac Os X El Capitan Download
Tunnelblick 3.8

Setup NordVPN with TunnelBlick. Note: you can connect to obfuscated servers using TunnelBlick by downloading the configuration files for our obfuscated servers here. The Tunnelblick application is one of the alternative ways to connect to NordVPN servers on your Mac. This is a good option for those who prefer a manual connection and like tinkering with open-source software. General Data Protection Regulation Information - Tunnelblick Free open source OpenVPN VPN client server software GUI for Mac OS X. Includes OpenVPN, OpenSSL, easy-rsa, and drivers.

Mac Os X El Capitan Download

Tunnelblick 3.8

Discussion Group
Read Before You Post

The following is the current status of issues that have been seen using the latest stable version of Tunnelblick on the latest version of macOS Catalina.

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

NEW macOS REQUIREMENT: Restarting the computer is required by macOS Catalina before connecting some configurations for the first time.

If a configuration requires a 'tun' or 'tap' system extension, the first time Tunnelblick asks macOS to load the appropriate system extension, macOS will tell the user that they must give permission to load system extensions signed by 'Jonathan Bullard' in System Preferences : Security & Privacy : General. If the user gives such permission by clicking 'Allow', macOS must restart the computer before the permission will be honored. After the permission has been given and the computer has been restarted, you may then connect all VPN configurations normally.

This only needs to be done one time. Once permission to load system extensions signed by 'Jonathan Bullard' has been granted and the computer has been restarted, no further action is needed. Tunnelblick will be able to load 'tun' and 'tap' system extensions for any configuration without user interaction, and that ability will persist after computer restarts, 'safe boots', and updates to Tunnelblick.

Note: If you are using a 'tun' VPN, you can avoid needing to load the 'tun' system extension. See the note at the start of Errors Loading Kexts (Device Drivers).

WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.

Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients). Bugdom mac os 9 download.

To fix this problem:

Verify with your VPN service provider that no information is leaked if IPv6 traffic is allowed. If you cannot confirm that, you should not proceed and you will not be able to use Sidecar when your VPN is connected.
Launch Tunnelblick.
Click the Tunnelblick icon in the menu bar and then click 'VPN Details'.
Click on the large 'Configurations' button at the top of the window.
Select the configuration(s) you wish to modify.
Remove the check from 'Disable IPv6 unless the server is accessed via IPv6'.

(This page was updated 2020-07-12.)

tumblr.update-tist.download

Tunnelblick Mac Os X Download