Tunnelblick and macOS High Sierra (10.13)
Recent versions of Tunnelblick work on macOS High Sierra.
The following are known problems as of 2017-10-06:
In some situations when you try to connect to a VPN, High Sierra blocks Tunnelblick from loading a system extension. macOS pops up a window that looks like this:
(Tunnelblick's kexts are signed by "Jonathan K. Bullard", so that's what would appear in the blocked-by-red area of the window.)
The user then has 30 minutes to allow the new system extension to be loaded. As the window notes, that can be done on the "Security & Privacy" pane of "System Preferences". (The window doesn't say it, but it can only be done on the "General" tab of that pane.) Here is a screenshot:
(The "System software developer" in the blocked-by-red area will be "Jonathan K. Bullard".)
If the user doesn't grant approval within 30 minutes, the approval cannot ever be granted, the system extension is permanently barred form being loaded by macOS, and the user can never connect to the VPN.
If you are using a "tun" VPN, you can avoid needing to load a system extension by making sure your configuration file does not include a "dev-type tun" option (it should include a "dev tun" option). The "dev-type tun" option causes OpenVPN to use a "tun" device, which requires a kext to be loaded. If a "dev-type tun" option is not present, OpenVPN will use a "utun" device which is built into macOS 10.6.8 and higher and does not require a kext to be loaded.
If you are using a "tap" VPN, you cannot avoid needing to load a system extension.
Possible workaround: It is possible (but has not been confirmed yet) that the problem can be solved by installing a different version of Tunnelblick (the stable version instead of the beta version, or vice-versa, see Stable vs. Beta Releases). The different version may cause macOS to pop up the window warning about the system extension being blocked, and start a 30-minute window for it to be allowed. For updates, or to report if this worked for you or didn't work for you, please see Can't connect to VPN on High Sierra in the Tunnelblick Discussion Group.
If you are currently using the stable release, you can just "update" to the beta release:
If you are currently using the beta version, you must download the stable version and install it (by double-clicking, as usual). Installing the stable version over the beta or vice versa will preserve your configurations and preferences; the program is "smart enough" to recognize that it is doing an upgrade or downgrade. You can download stable and beta versions from the Tunnelblick Downloads page.
You can choose which version of OpenVPN/SSL on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window. By default, Tunnelblick uses a version of OpenVPN with OpenSSL.
Tip: If you select multiple configurations in the list on the left side using the Shift or Command keys, then when you change a setting the change will be applied to all of the selected configurations.
This problem appears to only affect early beta versions of macOS 10.13. Some of the messages posted on the Issue suggest that disabling System Integrity Protection solves the problem but that is dangerous, difficult, unnecessary, and can cause other problems. A better solution, if the problem affects you, is detailed in that Issue: add a "--tmp-dir" option in the OpenVPN configuration file.