Tunnelblick on macOS Catalina
Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.
If you are using macOS Catalina, you should use the latest version of Tunnelblick. You should allow Tunnelblick to automatically check for updates on the "Preferences" panel of Tunnelblick's "VPN Details" window.
The following is the current status of issues that have been seen using the latest stable version of Tunnelblick on the latest version of macOS Catalina.
To report an issue, please follow the instructions at Tunnelblick Issues.
NEW macOS REQUIREMENT: Restarting the computer is required by macOS Catalina before connecting some configurations for the first time.
If a configuration requires a Tun or Tap system extension, the first time Tunnelblick asks macOS to load the appropriate system extension, macOS will tell the user that they must give permission to load system extensions signed by "Jonathan Bullard" in System Preferences : Security & Privacy : General. If the user gives such permission by clicking "Allow", macOS must restart the computer before the permission will be honored. After the permission has been given and the computer has been restarted, you may then connect all VPN configurations normally.
This only needs to be done one time. Once permission to load system extensions signed by "Jonathan Bullard" has been granted and the computer has been restarted, no further action is needed. Tunnelblick will be able to load Tun and Tap system extensions for any configuration without user interaction, and that ability will persist after computer restarts, "safe boots", and updates to Tunnelblick.
If your VPN requires the Tun system extension, you can – and should – modify your OpenVPN configuration file so the system extension will not be required.
WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default settings for a configuration.
Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients").
To fix this problem: