Frequently Asked Questions
On This Page
What is Tunnelblick?
VPNs are primarily used two ways, or sometimes both ways simultaneously: - To securely connect a computer to the Internet, even though it may be connecting through an untrusted network (a wireless network at a hotel or airport, for example); and - To securely connect a computer to a company's internal network or some part of it (a branch office, for example).
Please see Privacy and Security for important information before you use Tunnelblick to attempt to make yourself anonymous on the Internet.
In addition to Tunnelblick, you need access to a VPN server. Your company may provide one, or you can obtain VPN service from any of several VPN service providers, or you can use another one of your computers or a router to act as a VPN server. See Getting VPN Service for details.
It runs on macOS or OS X only -- it does not run on Windows, Linux, or iOS (iPhone, iPad, etc.). It comes as a ready-to-use application with all necessary binaries and drivers (including OpenVPN and Tun and Tap system extensions) included. No additional installation is necessary — just add your configuration and encryption information.
Tunnelblick is free software made available under the GNU General Public License, version 2 and may be distributed only in accordance with the terms of that license.
Where is the documentation?
The Tunnelblick disk image includes a link to the Tunnelblick Documentation. There is also help available in Tunnelblick's windows by clicking on the question-mark ("?") button and by hovering the pointer over most buttons and checkboxes.
What versions of macOS does Tunnelblick work on?
Modern versions of Tunnelblick run as 64-bit programs on Intel or Apple Silicon processors.
An older version of Tunnelblick works on OS X 10.4 through 10.10. That version is a Universal 32-bit application, so it runs as an application in 32-bit mode on both Intel and PowerPC Macs under 32-bit and 64-bit kernels. It includes 32/64-bit versions of tun.kext and tap.kext. Tiger, Leopard, and Snow Leopard's 32-bit kernel use the 32-bit tun/tap, and Snow Leopard's 64-bit kernel, and Lion and higher, use the 64-bit tun/tap.
What else do I need?
You need a VPN server to connect to. It could be a server at your company or at a VPN service provider, or it could be a VPN that you have set up yourself at home. See Getting VPN Service for details.
What else you need depends on your situation:
How do I know the VPN is working?
Tunnelblick indicates that the VPN is connected by showing the "open" tunnel in your menu bar (usually near the Spotlight icon).
But whether all IPv4 traffic will be directed through the VPN depends on the OpenVPN options when the VPN was established. If the "redirect-gateways" option appears in the OpenVPN configuration file or in options pushed by the server and accepted by the client, or Tunnelblick's "Route all IPv4 traffic through the VPN" is checked, then all IPv4 traffic should go through the VPN.
An easy way to check if web traffic is going through the VPN is to put enable "Check if the apparent public IP address changed after connecting" for the configuration. If the IP address doesn't change, then check "Route all IPv4 traffic through the VPN". Both of these checkboxes are on the "Settings" tab of Tunnelblick's "VPN Details" window. (Be sure to select all configurations that you want to change before making a change.)
What if the Internet doesn't work after I make a connection?
How do I verify a download?
See Verifying downloads.
Where can I get old versions of Tunnelblick?
Binaries for all available modern versions of Tunnelblick are available on the Downloads page.
Binaries for all available older versions of Tunnelblick are available on the Deprecated Downloads page.
What is a "deployed" version of Tunnelblick?
A "deployed" version of Tunnelblick is a customized version of the program, which includes everything you need to connect to a VPN: the program itself, configuration file(s), and key and certificate files for encryption.
If you download Tunnelblick from this website, it is not a deployed version. You must also have configuration, key, and certificate files, which should be provided to you by your company or your VPN service provider.
See Deploying Tunnelblick for detailed information about deployed versions of Tunnelblick.
How do I install Tunnelblick?
Download the latest disk image. Double-click it and a window will open with the Tunnelblick icon and the words "Double-click to begin". Control-click the Tunnelblick icon and click "Open" to begin installation. Reinstalls, upgrades, and downgrades will be recognized and the old version of the program is moved to the Trash before installing the new version.
I have installed Tunnelblick - Now what?
Start Tunnelblick by double-clicking it in Applications. It will step you through the process of setting up configuration files. When Tunnelblick is running, it will display the Tunnelblick icon in the status bar at the top of the screen on the right. Usually, the icon is located immediately between the time display and the Spotlight icon. Click on the Tunnelblick icon to reveal the Tunnelblick menu, then click on a configuration to connect using it, or click on "VPN Details" for a window with details for each configuration.
How do I uninstall Tunnelblick?
How do I revert to an earlier version of Tunnelblick?
Just install the earlier version.
How do I update Tunnelblick?
Each time Tunnelblick is launched, it checks for updates automatically (if that was specified when Tunnelblick was installed) and displays a notice that an update is available. (It also checks every week if it is running for more than a week.)
If automatic checking for updates is not enabled, there are three ways to update Tunnelblick manually:
Whichever method you chose, you will need an administrator username/password the first time a new copy of Tunnelblick is run. All configurations and preferences will be used by the new version (even if it is a "deployed" version).
Why does Tunnelblick need root privileges?
Tunnelblick needs root privileges the first time it is run for two reasons:
OpenVPN needs root privileges because it needs to modify network settings when configuring network devices, changing routes, and adding and removing nameservers. Because we don't want you to enter your computer administrator password every time you start a VPN connection, Tunnelblick comes with the "openvpnstart" setuid root binary that allows you to do exactly one thing: start a VPN connection with super user rights.
Tunnelblick also needs root privileges to secure configuration files. The first time a configuration is used, or if it has been modified, Tunnelblick asks for an administrator username/password so it can change the file's ownership to root before making a connection using that configuration file.
Why does Tunnelblick change the ownership of the configuration files to root?
This is a security issue. OpenVPN configuration files allow you to specify up/down scripts which will be executed with root privileges every time a VPN connection is started or stopped. If the configuration files were owned by the local user, anyone could execute arbitrary code as root by inserting an 'up' directive to the configuration file and pointing it to a (malicious) shell script. Therefore, when a configuration file is first used, Tunnelblick asks for a computer administrator's username and password and uses them to change the ownership of the configuration file to root, so it is protected against unnoticed and possibly malicious changes. If new configuration files are added, Tunnelblick will ask for a computer administrator's authorization to change the ownership of the new file to root before the first use of each new configuration file.
Why are routes not restored when closing my VPN connection?
You are probably using the 'user' or 'group' directive in your OpenVPN client configuration file. If you use it, the OpenVPN process will drop privileges after startup which is additional security measure. However, OpenVPN needs root privileges for restoring the route back to their original state. In short: don't use it.
Tunnelblick contains the "openvpn-down-root.so" plugin for OpenVPN. Together with a per-configuration preference, this allows the use of 'user' and 'group' but it does not allow OpenVPN to restore the routes. See Using Tunnelblick for details on how to do this.
Why are some checkboxes or buttons dimmed and disabled?
Under certain circumstances, checkboxes or buttons may be disabled and will appear dimmed — nothing happens when you click on them. Buttons and checkboxes are disabled when they cannot be used. Examples (from the VPN Details window): - "Monitor connection" is disabled unless "Set nameserver" is selected, because "Set nameserver" is required in order to monitor the connection. - "Share configuration" is disabled when the configuration is not a Tunnelblick VPN Configuration because only Tunnelblick VPN Configurations may be shared. - "Disconnect" is disabled when a configuration is not connected, and "Connect" is disabled when it is already connected. - "when computer starts" is disabled unless a configuration is shared or Deployed, because only shared or Deployed configurations may be automatically connected when the computer starts. - "when Tunnelblick launches" and "when computer starts" are disabled unless "automatically connect" is checked, because they areonly have meaning when it is checked. - "automatically connect", "Set nameserver", "Monitor connection", "Share configuration", and "Make configuration private" are disabled when "when computer starts" is selected. This is because you cannot directly modify them without administrator approval. To modify them, select "when Tunnelblick launches" (which will require an administrator username and password), change the settings to be the way you want, then select "when computer starts" (which will again require administrator approval).
Why are some checkboxes or buttons missing?
What versions of OpenVPN does Tunnelblick include?
Tunnelblick contains multiple versions of OpenVPN. You can select the version of OpenVPN and the encryption software (OpenSSL or LibreSSL) to use on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window.
Where can I go if my question is not answered here?