tunnelblick icon Tunnelblick free software for OpenVPN on OS X and macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes

Discussion Group
  Read Before You Post

Errors Loading Kexts (Device Drivers) on macOS High Sierra (10.13) and higher

If you see the following on macOS High Sierra and higher:

Tunnelblick was not able to load a device driver (kext) that is needed to connect...

there are two likely reasons:

(1) You may have encountered a new security feature in High Sierra and higher which restricts the loading of kexts (system extensions).

In some situations when you try to connect to a VPN, High Sierra and higher blocks Tunnelblick from loading a system extension. macOS pops up a window that looks like this:

Screenshot of window with title 'System Extension Blocked' saying 'A program tried to load new system extension(s) signed by (blocked-by-red area). If you want to enable these extensions, go to the Security & Privacy System Preferences pane.'

(Tunnelblick's kexts are signed by "Jonathan K. Bullard", so that's what would appear in the blocked-by-red area of the window.)

The user then has 30 minutes to allow the new system extension to be loaded. As the window notes, that can be done on the "Security & Privacy" pane of "System Preferences". (The window doesn't say it, but it can only be done on the "General" tab of that pane.) Here is a screenshot:

Screenshot of the 'General' tab of the Security & Privacy System Preferences pane with a section reading 'system software from developer (blocked-by-red area) was blocked from loading' and an 'allow' button.'

(The "System software developer" in the blocked-by-red area will be "Jonathan K. Bullard" for Tunnelblick kexts.)

If the user doesn't grant approval within 30 minutes, the ability to approve the kext disappears and will only reappear after trying to connect the VPN again. When that happens, the original window does not appear (it is only shown once) but the ability to approve the kext reappears for 30 more minutes.

If you are using a "tun" VPN, you can avoid needing to load a system extension by making sure your configuration file does not include a "dev-type tun" option (it should include a "dev tun" option). The "dev-type tun" option causes OpenVPN to use a "tun" device, which requires a kext to be loaded. If a "dev-type tun" option is not present, OpenVPN will use a "utun" device which is built into macOS 10.6.8 and higher and does not require a kext to be loaded.

If you are using a "tap" VPN, you cannot avoid needing to load a system extension.

(2) If you are not running on macOS Sierra or higher, or if you approved the loading of the kext on High Sierra, please see Errors Loading Kexts (Device Drivers).

  Deutsch     Français     中文(简体)     Русский     Español     日本語     …