Errors Loading Kexts (Device Drivers)
Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.
Tunnelblick may try to load a kext to control the VPN tunnel.
Note: If you are using a "tun" VPN, you can avoid needing to load a kext by doing the following:
The "dev-node tun" option causes OpenVPN to use a "tun" device, which requires a kext to be loaded. If a "dev-node tun" option is not present and a "dev tun" option is present, OpenVPN will use the "utun" device which is built into macOS and does not require a kext to be loaded.
If you are using a "tap" VPN, Tunnelblick must load a kext for your VPN to operate.
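The device rules above can be checked against a configuration file before connecting. The following is an added example, not part of Tunnelblick or of the original page: the function name kext_need and its output labels (tap-kext, tun-kext, utun, unknown) are made up for illustration, and the sample configuration is constructed. A "dev" value such as "tun3" with no "dev-node tun" is reported as unknown because the text above does not cover that case.

```shell
#!/bin/sh
# Added example: classify an OpenVPN configuration by the device rules above.
# Prints one of the hypothetical labels: tap-kext, tun-kext, utun, unknown.
kext_need() {
    # $1 = path to an OpenVPN configuration file
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }              # skip whole-line comments
        {
            sub(/[ \t]+[#;].*$/, "")        # drop trailing comments
            if (NF >= 2) gsub(/"/, "", $2)  # dev-node "tun" -> tun
            if ($1 == "dev")      dev  = $2 # a later line overrides an earlier one
            if ($1 == "dev-node") node = $2
        }
        END {
            if (dev ~ /^tap/)       print "tap-kext"  # tap always needs a kext
            else if (node == "tun") print "tun-kext"  # "dev-node tun" forces the kext
            else if (dev == "tun")  print "utun"      # built into macOS, no kext
            else                    print "unknown"   # not covered by the rules above
        }
    ' "$1"
}

# Constructed sample configuration (not from the page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun            # on its own this would select utun...
dev-node tun       ; ...but this option selects the kext-backed tun device
remote vpn.example.com 1194
EOF
echo "sample config: $(kext_need "$sample")"
rm -f "$sample"
```

A result of tun-kext means that removing the "dev-node tun" line is what lets the connection use utun instead.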
If you see the following:
Tunnelblick was not able to load a device driver (kext) that is needed to connect...
There are three possible reasons:
(1) If you are using macOS Mojave 10.14.5 Beta 2 and Tunnelblick 3.7.9beta05, Tunnelblick will not be able to load kexts. See Problems Loading Kexts on macOS 10.14.5;
(2) If you are using macOS High Sierra or higher, you may not have allowed Tunnelblick to load the kext. See Errors Loading Kexts (Device Drivers) on macOS High Sierra (10.13) and higher;
(3) There may be incompatible kexts already loaded. Recent versions of Tunnelblick try to be "good citizens" by loading kexts only when needed, and unloading them when they are no longer needed. However, some other VPN clients (Cisco AnyConnect SSL VPN, for example) load their own, incompatible kexts when the computer is started and leave them loaded, whether or not a VPN connection is in use. (Some non-VPN software also loads incompatible kexts — for example, Pogoplug loads a "com.pogoplug.xcetun" tun kext which interferes with Tunnelblick's tun kext. "Security" programs may also load incompatible kexts.)
To find out if an incompatible kext is causing the problem, use the
To unload kexts and allow Tunnelblick to load its own kexts, use the
(The "sudo" is necessary because this command modifies the loading of a device driver. You will be asked for your administrator password, which will not appear (even as asterisks) when you type it.)
If you find that restarting your computer reloads the kext, you might need to find where it is being loaded from. Common locations are
There are user-contributed scripts on the Downloads page that will automatically unload the Cisco kext when Tunnelblick makes a connection, and reload the Cisco kext when the connection is disconnected.