tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…

Highlighted Articles
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes

Discussion Group
  Read Before You Post

Detecting IP Address Changes

The "apparent public IP address" is the address that is used on the (public) Internet as a computer's "return address".

Tunnelblick can check that the computer's "apparent public IP address" (APIPA) changes after connecting to a VPN, which is what most users want to happen. Some users want to use a VPN only for communication with a specific server or servers – such as an educational institution's library servers or an organization's intranet servers – and want all other Internet traffic to be sent normally, outside of the VPN. They don't want their APIPA to change.

This feature can be enabled or disabled using a checkbox on the "Preferences" panel of Tunnelblick's "VPN Details" window.

If the IP Address Does Not Change

If the computer's APIPA does not change, it may be due to an error or omission in the OpenVPN configuration. By default, OpenVPN only sends traffic through the VPN that is destined for the VPN. Normal traffic to websites, for example, is not sent through the VPN. That can be changed, to send all traffic through the VPN, by including a "--redirect-gateway" option in the OpenVPN configuration file, or by the OpenVPN server "pushing" the "--redirect-gateway" option to your computer.

If the OpenVPN configuration file (and the options pushed to the computer by the OpenVPN server) do not include the "--redirect-gateway" option, Tunnelblick will supply the "--redirect-gateway def1" version of the option if you select the configuration and check the "Route all traffic through the VPN" checkbox on Tunnelblick's "VPN Details" window.

Technical Details

Tunnelblick detects the change by determining the computer's APIPA before connecting and comparing it with the APIPA five seconds after the connection succeeded.

Tunnelblick determines the APIPA by sending a "GET" request to "https://tunnelblick.net/ipinfo". That web page returns a webpage that consists of three strings separated by commas: the APIPA, port to which the reply was directed, and the IP address of the tunnelblick.net webserver itself.

Five seconds after a successful connection, Tunnelblick sends another identical "GET" request. If there is a response and the APIPA has not changed, the user is notified by a pop-up alert window.

If there is no answer within 30 seconds, it is assumed that either DNS is not working or access to the Internet in general is impaired. To determine which, Tunnelblick sends a "GET" request using the IP address of the tunnelblick.net webserver that was returned by the pre-connection "GET" request. If that request succeeds, it means that DNS was not able to resolve the "tunnelblick.net" name, so there is a DNS problem. If that request fails, it means that the computer is unable to access the tunnelblick.net server directly, which usually indicates a problem reaching the Internet in general -- a routing problem.

Note that there could be other reasons that the tunnelblick.net webpage is not available. There could be a problem with the tunnelblick.net server, or there could be a firewall that blocks access to that server.


The URL that Tunnelblick uses for the "GET" request is contained in the "IPCheckURL" entry in Tunnelblick.app's Info.plist. It can be overridden by a forced preference (from a Deployed version of Tunnelblick) named "IPCheckURL". For security reasons, it must be a forced preference.