Tunnelblick and macOS High Sierra (10.13)

Recent versions of Tunnelblick work on macOS High Sierra.

The following are known problems as of 2017-10-06:

#1 "Tunnelblick was unable to start OpenVPN to connect VPN. For details, see the log in the VPN Details… window" when trying to connect. If the log shows a series of errors followed by "Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. Status = 27" you may have encountered a new security feature in 10.13 ("Secure Kernel Extension Loading") which restricts the loading of kexts (system extensions).

In some situations when you try to connect to a VPN, High Sierra blocks Tunnelblick from loading a system extension. macOS pops up a window that looks like this:

Screenshot of window with title 'System Extension Blocked' saying 'A program tried to load new system extension(s) signed by (blocked-by-red area). If you want to enable these extensions, go to the Security & Privacy System Preferences pane.'

(Tunnelblick's kexts are signed by "Jonathan K. Bullard", so that's what would appear in the blocked-by-red area of the window.)

The user then has 30 minutes to allow the new system extension to be loaded. As the window notes, that can be done on the "Security & Privacy" pane of "System Preferences". (The window doesn't say it, but it can only be done on the "General" tab of that pane.) Here is a screenshot:

Screenshot of the 'General' tab of the Security & Privacy System Preferences pane with a section reading 'system software from developer (blocked-by-red area) was blocked from loading' and an 'allow' button.

(The "System software developer" in the blocked-by-red area will be "Jonathan K. Bullard".)

If the user doesn't grant approval within 30 minutes, the approval cannot ever be granted, the system extension is permanently barred from being loaded by macOS, and the user can never connect to the VPN.

If you are using a "tun" VPN, you can avoid needing to load a system extension by making sure your configuration file does not include a "dev-type tun" option (it should include a "dev tun" option). The "dev-type tun" option causes OpenVPN to use a "tun" device, which requires a kext to be loaded. If a "dev-type tun" option is not present, OpenVPN will use a "utun" device which is built into macOS 10.6.8 and higher and does not require a kext to be loaded.

If you are using a "tap" VPN, you cannot avoid needing to load a system extension.
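The following shell function is an added example, not part of Tunnelblick or its documentation. It reads an OpenVPN configuration file and reports whether, under the rules described above, connecting would require a kext to be loaded. The function name `kext_needed` and its output labels are hypothetical.

```shell
#!/bin/sh
# Classify an OpenVPN configuration by the device it asks for on macOS,
# using the rules stated above (added example; names are hypothetical):
#   "dev-type tun"                     -> tun device, tun kext required
#   "dev tap*" or "dev-type tap"       -> tap device, tap kext required
#   "dev tun" with no "dev-type"       -> built-in utun, no kext required
# Prints one of: tap-kext, tun-kext, none, unknown
kext_needed() {
    awk '
        # Skip blank lines and comment lines ("#" or ";" start a comment).
        /^[ \t]*([#;]|$)/ { next }
        {
            sub(/\r$/, "")               # tolerate CRLF line endings
            opt = $1; val = $2
            sub(/^--/, "", opt)          # tolerate "--dev" style spelling
            if (opt == "dev")      dev = val
            if (opt == "dev-type") devtype = val
        }
        END {
            # An explicit dev-type takes precedence over the dev name.
            if (devtype == "tap" || (devtype == "" && dev ~ /^tap/))
                print "tap-kext"
            else if (devtype == "tun")
                print "tun-kext"
            else if (dev ~ /^tun/ || dev ~ /^utun/)
                print "none"
            else
                print "unknown"
        }
    ' "$1"
}

# Report on every configuration file given on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(kext_needed "$f")"
done
```

A result of `none` means the configuration will use the built-in utun device, so the "System Extension Blocked" prompt should not be triggered by that configuration.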

Possible workaround: It is possible (but has not been confirmed yet) that the problem can be solved by installing a different version of Tunnelblick (the stable version instead of the beta version, or vice-versa, see Stable vs. Beta Releases). The different version may cause macOS to pop up the window warning about the system extension being blocked, and start a 30-minute window for it to be allowed. For updates, or to report if this worked for you or didn't work for you, please see Can't connect to VPN on High Sierra in the Tunnelblick Discussion Group.

If you are currently using the stable release, you can just "update" to the beta release:

  1. Launch Tunnelblick
  2. Click on the Tunnelblick icon in the menu bar and click "VPN Details…". A new window will appear.
  3. Click on the large "Preferences" button at the top of the new window.
  4. Put a check in the "Check for updates to beta versions" checkbox.
  5. Click the "Check Now" button.
  6. You will be guided through the process of updating to the beta version.

If you are currently using the beta version, you must download the stable version and install it (by double-clicking, as usual). Installing the stable version over the beta or vice versa will preserve your configurations and preferences; the program is "smart enough" to recognize that it is doing an upgrade or downgrade. You can download stable and beta versions from the Tunnelblick Downloads page.

#2 Tunnelblick is unable to connect and the log in the VPN Details… window mentions problems with a certificate. According to this post, you need to set the configuration to use a version of OpenVPN with OpenSSL, not a version with LibreSSL.

You can choose which version of OpenVPN/SSL to use on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window. By default, Tunnelblick uses a version of OpenVPN with OpenSSL.

Tip: If you select multiple configurations in the list on the left side using the Shift or Command keys, then when you change a setting the change will be applied to all of the selected configurations.

#3 "Temporary directory (--tmp-dir) fails" problems when trying to connect have been reported in GitHub Issue #380.

This problem appears to only affect early beta versions of macOS 10.13. Some of the messages posted on the Issue suggest that disabling System Integrity Protection solves the problem but that is dangerous, difficult, unnecessary, and can cause other problems. A better solution, if the problem affects you, is detailed in that Issue: add a "--tmp-dir" option in the OpenVPN configuration file.
