tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes

Discussion Group
  Read Before You Post

Tunnelblick on macOS Big Sur

If you are using macOS 11 Big Sur, you should use the latest beta version of Tunnelblick. You should enable Tunnelblick to automatically check for updates to the latest beta version (on the "Preferences" panel of Tunnelblick's "VPN Details" window). You can also download the latest beta from Tunnelblick Downloads.

The following is the current status of issues that have been seen using the latest beta version of Tunnelblick on beta and release versions of macOS Big Sur.

To report an issue, please follow the instructions at Tunnelblick Issues. Please include the build number of macOS Big Sur under which the problem occurs. To get the build number, click on the small Apple icon at the top left corner of the screen and then click "About This Mac". A window will appear with information about your computer. The build number is the string of numbers and letters that appears in parentheses after "Version 11". You may need to click on "Version 11" to see the build number.

Tunnelblick's Tun and Tap system extensions do not load.

If your configuration requires a "tun" or "tap" system extension, connecting to your VPN will fail if an appropriate system extension is not loaded.

macOS Big Sur 11.0 Developer Beta 10 (20A5323l) does not allow Tunnelblick to load its "tun" or "tap" system extensions. Apple says that as a workaround "during development" you can temporarily disable System Integrity Protection to allow these system extensions to load when logged in as an Admin user. This workaround may not work in the first release version of Big Sur — see The Future of Tun and Tap VPNs on macOS.

Note: If you are using a "tun" VPN, you can modify your OpenVPN configuration file so it will work without the "tun" system extension. See the note at the start of Errors Loading Kexts (Device Drivers).

Tunnelblick disables loading of Tun and Tap system extensions.

When running on Big Sur, Tunnelblick Beta 3.8.4beta01 and higher force the settings on Tunnelblick's "Advanced" settings window to "never load" system extensions. You can override that behavior and allow the settings to act normally, which is useful if you have disabled SIP and/or your version of Big Sur allows Tunnelblick to load the system extensions. You can override the behavior by executing the following command in Terminal:

     defaults write net.tunnelblick.tunnelblick bigSurCanLoadKexts -bool yes

The override can be removed by executing:

     defaults delete net.tunnelblick.tunnelblick bigSurCanLoadKexts

FIXED IN Tunnelblick 3.8.3beta03: Tunnelblick refuses to run.

Tunnelblick versions earlier than 3.8.3beta03 refuse to run on macOS Big Sur 11.0 Developer Beta 3 (20A5323l), complaining that the ""/tmp" folder is not secure. Tunnelblick 3.8.3beta03 includes a fix for this problem.

WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.

(This issue is not specific to Big Sur. It is present in all versions of Sidecar.)

Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients).

To fix this problem:

  1. Verify with your VPN service provider that no information is leaked if IPv6 traffic is allowed. If you cannot confirm that, you should not proceed and you will not be able to use Sidecar when your VPN is connected.
  2. Launch Tunnelblick.
  3. Click the Tunnelblick icon in the menu bar and then click "VPN Details".
  4. Click on the large "Configurations" button at the top of the window.
  5. Select the configuration(s) you wish to modify.
  6. Remove the check from "Disable IPv6 unless the server is accessed via IPv6".

(This page was updated 2020-07-16.)

  Deutsch     Français     中文(简体)     Русский     Español     日本語     …