tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes

Discussion Group
  Read Before You Post

Tunnelblick on macOS Big Sur

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

If you have an M1 Mac, also see Tunnelblick and Apple Silicon.

If you are using macOS Big Sur, you should use the latest beta version of Tunnelblick. You should allow Tunnelblick to automatically check for updates on the "Preferences" panel of Tunnelblick's "VPN Details" window. Be sure to put a check in "Check for updates to beta versions".

The following is the current status of issues that have been seen using Tunnelblick on macOS Big Sur.

To report an issue, please follow the instructions at Tunnelblick Issues.

FIX PLANNED: Tunnelblick's Tun and Tap system extensions do not load.

If your configuration requires a Tun or Tap system extension, connecting to your VPN will fail if an appropriate system extension is not loaded.

  • If you are using a Tun VPN, you can — and should — modify your OpenVPN configuration file so it will work without the "Tun" system extension. See Errors Loading System Extensions for instructions.
  • If you are using a Tap VPN, your configuration requires a Tap system extension.

A future version of macOS will not allow the use of Tunnelblick's system extensions. See The Future of Tun and Tap VPNs on macOS.

On Intel Macs, Tunnelblick's system extensions can be used after doing the following (the process may be simplified in a future version of Tunnelblick):

  1. Use Kext-Droplet-Big-Sur to install and load Tunnelblick's system extensions. (Tunnelblick's system extensions are located in /Applications/Tunnelblick.app/Contents/Resources and are named tap-notarized.kext and tun-notarized.kext.)
  2. Tell Tunnelblick not to disable loading of Tun and Tap system extensions (see below); and
  3. Set Tunnelblick to "Never load Tun driver" and "Never load Tap driver" (in the "Advanced" settings window).

You will also need to tell macOS that it should allow sytem extensions signed by "Jonathan Bullard", see Tunnelblick on macOS High Sierra and macOS Mojave.

On Apple Silicon Macs, macOS does not allow Tunnelblick to use its system extensions because they are not built for ARM processors. The developers plan to release a version of Tunnelblick which will enable the use of Tap configurations.

We're looking for volunteers to test new M1-compatible (we hope) system extensions (kexts) on M1 Macs. For this round of testing, you need to be comfortable using the command line and use Kext-Droplet-Big-Sur to load the kexts, which involves three restarts of your computer, then try them out in Tunnelblick 3.8.5beta02. Email developers@tunnelblick.net to get a link to download the new kexts. Please let us know which M1 Mac you have and what version of macOS Big Sur you will be using (for example, "11.0.1", "11.1", or "11.2 beta").

FEATURE: Tunnelblick disables loading of Tun and Tap system extensions.

When running on macOS Big Sur 11.0.1 or later, Tunnelblick forces the settings on Tunnelblick's "Advanced" settings window to "never load" system extensions. (The developers plan to release a version of Tunnelblick which will be "smarter" about this.) You can override that behavior and allow the settings to act normally by executing the following command in Terminal:

     defaults write net.tunnelblick.tunnelblick bigSurCanLoadKexts -bool yes

The override can be removed by executing:

     defaults delete net.tunnelblick.tunnelblick bigSurCanLoadKexts

WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.

(This issue is not specific to Big Sur. It is present in all versions of Sidecar.)

Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients).

To fix this problem:

  1. Verify with your VPN service provider that no information is leaked if IPv6 traffic is allowed. If you cannot confirm that, you should not proceed and you will not be able to use Sidecar when your VPN is connected.
  2. Launch Tunnelblick.
  3. Click the Tunnelblick icon in the menu bar and then click "VPN Details".
  4. Click on the large "Configurations" button at the top of the window.
  5. Select the configuration(s) you wish to modify.
  6. Remove the check from "Disable IPv6 unless the server is accessed via IPv6".
  Deutsch     Français     中文(简体)     Русский     Español     日本語     …