tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

Tunnelblick and macOS Catalina

The following is the current status of issues that have been seen using the latest stable version of Tunnelblick on the latest version of macOS Catalina.


NEW macOS REQUIREMENT: Restarting the computer is required by macOS Catalina before connecting some configurations for the first time.

If a configuration requires a "tun" or "tap" system extension, the first time Tunnelblick asks macOS to load the appropriate system extension, macOS will tell the user that they must give permission to load system extensions signed by "Jonathan Bullard" in System Preferences : Security & Privacy : General. If the user give such permission by clicking "Allow", macOS must restart the computer before the permission will be honored. After the permission has been given and the computer has been restarted, you may then connect all VPN configurations normally.

This only needs to be done one time. Once permission to load system extensions signed by "Jonathan Bullard" has been granted and the computer restarted, no further action is needed. Tunnelblick will be able to load "tun" and "tap" system extensions for any configuration without user interaction, and that ability will persist after computer restarts, "safe boots", and updates to Tunnelblick.

Note: If you are using a "tun" VPN, you can avoid needing to load the "tun" system extension. See the note at the start of Errors Loading Kexts (Device Drivers).


WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.

Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients).

To fix this problem:

  1. Verify with your VPN service provider that no information is leaked if IPv6 traffic is allowed. If you cannot confirm that, you should not proceed and you will not be able to use Sidecar when your VPN is connected.
  2. Launch Tunnelblick.
  3. Click the Tunnelblick icon in the menu bar and then click "VPN Details".
  4. Click on the large "Configurations" button at the top of the window.
  5. Select the configuration(s) you wish to modify.
  6. Remove the check from "Disable IPv6 unless the server is accessed via IPv6".

FIXED: Catalina refuses to open a downloaded Tunnelblick disk image, saying it is "from an unidentified developer".

This problem was fixed in Catalina beta 3.

This was a bug in Catalina beta 2.

Workaround: Open the disk image by Control-clicking it and selecting "Open". You'll again be told it is from an unidentified developer, but you can click the "Open" button to open the disk image. Once the disk image has been opened, you can double-click the Tunnelblick icon to install Tunnelblick without further warnings.


FIXED: "Installation or repair took too long or failed" appears when trying to install Tunnelblick.

This problem was fixed in Tunnelblick 3.8.0beta04. It was reported as Issue #559.


FIXED: "System Requirements Not Met: the tmp system folder (/tmp) is not secure" appears each time Tunnelblick is launched.

This problem was fixed in Tunnelblick 3.8.0beta03. It was reported as Issue 554.


(This page was updated 2019-11-03.)

  Deutsch     Français     中文(简体)     Русский     Español     日本語     …