Tunnelblick: free software for OpenVPN on macOS

Connect Manually vs. when Computer Starts vs. when Tunnelblick Launches

Tunnelblick can be set up to connect a VPN manually, when the computer starts, or when Tunnelblick launches.

In most situations, the most appropriate choice is "Manually" or "Connect when Tunnelblick launches".

Connect Manually means that you must click a "Connect" button or menu item to connect to the VPN.

Connect when computer starts and Connect when Tunnelblick launches seem similar, and on a computer set up to log in a user automatically when it starts up they behave similarly, but they actually do two different things:

  • Connect when computer starts connects the VPN when the computer starts, whether or not a user will be logged in. It is usually used for VPN servers, not clients. Because there is no one logged in, Tunnelblick will not be launched or running – only OpenVPN will be running. That means that certain features are not available, such as checking that the IP address changes when connected.

  • Connect when Tunnelblick launches connects the VPN when the Tunnelblick program launches (starts) – and that can only happen when someone is logged in. You can launch Tunnelblick manually, but under certain circumstances Tunnelblick will launch itself when you log in. For example, if you leave Tunnelblick running (with or without being connected to a VPN) when you log out, Tunnelblick will be launched when you log back in. That's what most users do.


  1. Connect when computer starts is only available for "Shared" configurations. It is not available for "Private" configurations.

  2. Connect when computer starts is only available for configurations that do not include the OpenVPN auth-user-pass option without parameters and do not have credentials saved in the Keychain. That's because there is nobody logged in when the computer starts, so no user can be asked for the credentials and no user's Keychain is available to access stored credentials. If your VPN requires a username/password, you can put them in a file. See the VPN Username/Password section of Using Tunnelblick as a VPN Server for details of how to set this up.

  3. Although Connect when computer starts may seem to be a way to ensure that all network traffic goes through the VPN, it doesn't really do that. That's because the process of making the VPN connection itself requires an Internet connection, and that connection is available to other programs running on your computer. So traffic to the Internet can "leak" outside of the VPN for seconds or tens of seconds until the VPN is actually connected. The only way to avoid such leaks is to set up a firewall such as pf to allow traffic only to/from the VPN server(s).
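
A minimal pf ruleset of the kind note 3 describes, as an added example (it is not from the Tunnelblick project). The interface names, server address (a documentation-range placeholder), protocol and port are assumptions to replace with your own values, and the DHCP rules are an addition so the computer can still obtain an address on the local network.

```pf
# Constructed example values: replace every macro with your own.
ext_if     = "en0"            # physical interface (assumption)
vpn_if     = "utun0"          # tunnel interface OpenVPN creates (assumption; the number can differ)
vpn_server = "203.0.113.10"   # placeholder from the documentation range, not a real server
vpn_proto  = "udp"            # must match "proto" in the OpenVPN configuration
vpn_port   = "1194"           # must match the port in the "remote" line

set block-policy drop
set skip on lo0               # leave loopback unfiltered

# Default: nothing enters or leaves, IPv4 or IPv6.
block all

# DHCP, so the physical interface can get an address before the VPN starts.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68

# The only other traffic allowed on the physical interface: OpenVPN to the server.
# Replies are admitted by the state this rule creates.
pass out quick on $ext_if inet proto $vpn_proto from any to $vpn_server port $vpn_port

# Everything else must use the tunnel.
pass quick on $vpn_if all
```

Because DNS is blocked until the tunnel is up, the `remote` line in the OpenVPN configuration must give the server's IP address rather than a hostname. `pfctl -n -f <file>` parses the ruleset without loading it.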