Errors Loading System Extensions

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

Tunnelblick may try to load a system extension to control the VPN tunnel. (Note: Apple previously used the terms "kext" and "kernel extension" but now uses the term "system extension".)

If your VPN requires the Tun system extension, you can – and should – modify your OpenVPN configuration file so the system extension will not be required.

If you are using a Tap VPN, Tunnelblick must load a system extension for your VPN to operate.

Errors Messages When Loading System Extensions

If you see a message similar to one of the following:

Tunnelblick was not able to load a device driver (kext) that is needed to connect...

Tunnelblick was not able to load a system extension that is needed to connect...

There are two possible causes for this message:

(1) Your version of macOS did not allow the system extension to load or you did not give permission for the system extension to load:

• If you are using macOS Monterey or higher, see Tunnelblick on macOS Monterey and higher.
• If you are using macOS Big Sur, see Tunnelblick on macOS Big Sur.
• If you are using macOS Catalina, see Tunnelblick on macOS Catalina.
• If you are using macOS High Sierra or Mojave, see Tunnelblick on macOS High Sierra and macOS Mojave.

(2) There may be incompatible system extensions already loaded. Recent versions of Tunnelblick try to be "good citizens" by loading system extensions only when needed, and unloading them when they are no longer needed. However, some other VPN clients (CiscoAnyConnect SSL VPN, for example) load their own, incompatible system extensions when the computer is started and leave them loaded, whether or not a VPN connection is in use. (Some non-VPN software also loads incompatible system extensions — for example, Pogoplug loads a "com.pogoplug.xcetun" Tun system extension which interferes with Tunnelblick's Tun system extension. "Security" programs also may load incompatible system extensions.)

To find out if an incompatible system extension is causing the problem, use the kextstat | grep -v com.apple command in a Terminal window. It will list all of the non-Apple system extensions that are loaded. Usually the Tun and/or tap system extensions show up at or near the end of the list. Common Tun/Tap system extensions are:

• net.tunnelblick.tun and net.tunnelblick.tap: These are the system extensions used by current versions of Tunnelblick. When needed, the appropriate one (Tun or Tap) is loaded when a connection is requested, and unloaded when it is disconnected. Since macOS 10.6.8, Tun connections do not need to have a system extension loaded unless they include a "dev-node tun" OpenVPN option. Tunnelblick uses customized versions of the system extensions from tuntaposx, modified to have a Tunnelblick bundle ID and version. Which version Tunnelblick uses depends on the version of macOS being used.
• foo.tun and foo.tap: These are system extensions for obsolete Cisco and Tunnelblick VPN clients (and some others), loaded when a very old version of Tunnelblick is launched (and unloaded when the computer restarts). If Tunnelblick detects them, it will offer to unload them before connecting.
• com.cisco.cscotun: This is Cisco AnyConnect SSL VPN system extension. Cisco's installer causes it to be loaded when the computer starts.
• com.viscosityvpn.Viscosity.tun and com.viscosityvpn.Viscosity.tap: These are system extensions used by the Viscosity VPN client.
• com.pogoplug.xcetun: This system extension is associated with Pogoplug.
• anchorfree.tun: This system extension is associated withHotSpot Shield VPN.
• net.sf.tuntaposx.tap and net.sf.tuntaposx.tun: These are from tuntaposx. But any non-Apple system extension with "tun" or "tap" in its name is likely to be causing the problem, and system extensions with other names might be causing the problem.

To unload system extensions and allow Tunnelblick to load its own system extensions, use the kextunload Terminal command to unload each loaded Tun and Tap system extension individually. For example, to unload com.viscosityvpn.Viscosity.tun, type the following:

sudo kextunload -b com.viscosityvpn.Viscosity.tun

(The "sudo" is necessary because this command modifies the loading of a device driver. You will be asked for your administrator password, which will not appear (even as asterisks) when you type it.)

If you find that restarting your computer reloads the system extension you might need to find where it is being loaded from. Common locations are

• /Users/your username/Library/LaunchDaemons
• /Users/your username/Library/LaunchAgents
• /Library/LaunchDaemons
• /Library/LaunchAgents
• /System/Library/LaunchDaemons
• /System/Library/LaunchAgents

There are user-contributed scripts on the Downloads page that will automatically unload the Cisco system extension when Tunnelblick makes a connection, and reload the Cisco system extension when the connection is disconnected.