Administrator Authorization to Install Tunnelblick and Configurations

Why authorization by an administrator is needed to install Tunnelblick

Authorization by a computer administrator is required to install Tunnelblick because macOS requires elevated privileges to make changes to the network configuration. Some parts of Tunnelblick need to make changes to the network configuration to connect and disconnect VPNs, so those parts require elevated privileges. Those parts of Tunnelblick are run as root so macOS will allow the changes. To set up these parts of Tunnelblick to run as root, Tunnelblick needs authorization from a computer administrator.

Why authorization by an administrator may be needed to install configurations

The parts of Tunnelblick that run as root include OpenVPN, and OpenVPN can run scripts specified by the configuration. These scripts also run as root, so if a standard user (a non-administrator user) is able to modify the configuration, they could set up the configuration to run scripts as root.

Tunnelblick prevents this by requiring, by default, authorization by a computer administrator to make changes to the configuration that could cause scripts to be run.

Tunnelblick includes the ability to allow standard users to install or make changes to "safe" configurations (configurations which do not run scripts, or which only run scripts as the user) without a computer administrator's authorization. That ability is disabled by default, and is controlled by the "Require administrator authorization to install all configurations" checkbox. If it is unchecked, "safe" configurations can be installed or modified by a standard user; only "unsafe" configurations (those which run scripts) will require computer administrator authorization to be installed or modified. A computer administrator's authorization is required to change the checkbox.
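
A rough pre-install review check for the risk described above, as an added example (not Tunnelblick's code, and not how Tunnelblick itself decides whether a configuration is "safe"): it lists the directives in an OpenVPN configuration that run a script or load a plugin. The directive list is taken from the OpenVPN manual; the function names and the sample configuration are constructed for illustration.

```python
import re

# OpenVPN options that execute a script or load a plugin (per the OpenVPN manual).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

def script_directives(config_text):
    """Return (line_no, directive, argument) for each directive that runs code.

    Files pulled in through the `config` directive are not followed.
    """
    findings = []
    inline_tag = None  # name of an open inline block such as <ca> ... </ca>
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if inline_tag:  # skip embedded key/certificate material
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-")  # the leading "--" is optional in config files
        if name in SCRIPT_DIRECTIVES:
            findings.append((line_no, name, parts[1] if len(parts) > 1 else ""))
    return findings

def needs_admin_review(config_text):
    """True if the configuration contains any directive that runs code."""
    return bool(script_directives(config_text))

# Constructed sample configuration (hypothetical host and script paths).
SAMPLE = """\
# constructed sample configuration
client
remote vpn.example.com 1194
<ca>
(certificate data omitted)
</ca>
;down /commented/out.sh
up /etc/openvpn/fix-dns.sh
--route-up "/usr/local/bin/notify.sh arg"
"""
```

Calling `script_directives(SAMPLE)` reports the `up` and `route-up` lines and ignores the commented-out `down` line and the inline `<ca>` block.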

How Tunnelblick obtains authorization

Tunnelblick does not ask for a computer administrator's password -- macOS does

When Tunnelblick requires authorization from a computer administrator, it asks macOS for that authorization. macOS presents the user with a window asking for the password (or, if the user is not an administrator, an administrator name and password). If the password is correct and for a computer administrator, macOS gives Tunnelblick an authorization token, and Tunnelblick uses that token to perform privileged operations. Tunnelblick itself does not have access to the password.

Why Touch ID cannot be used for authorization by Tunnelblick

Tunnelblick uses a macOS authorization mechanism that does not support Touch ID. (As described above, this mechanism is used so that Tunnelblick does not have access to passwords.)

Tunnelblick's "admin mode" allows changes to be made for five minutes without further authorization

Tunnelblick has an "admin mode" which, after obtaining authorization by a computer administrator, allows any changes that would usually require such authorization to be made for five minutes without further authorization. The limit of five minutes is imposed by macOS and cannot be changed by Tunnelblick.

To enter admin mode, click the "Admin mode" button at the top of the "VPN Details" window. After obtaining authorization from a computer administrator, the button will display the time remaining in "admin mode". Click the button again to cancel admin mode. If not cancelled manually, admin mode will be cancelled automatically five minutes after it started.