Using Tunnelblick as a VPN Server

Note: Although Tunnelblick can be used to control an OpenVPN server, it is most useful when there will be only one type of user of the server. There are programs specifically written for controlling OpenVPN servers which allow you to control individual users of the server and contain many server-specific functions that are not included in Tunnelblick.

All versions of Tunnelblick allow the use of OpenVPN as a server:

  • An OpenVPN server (or client) can be started when the computer starts and keep running until the computer shuts down.
  • Tunnelblick may be used to start or stop the OpenVPN server (or client) to edit the configuration file.

To start OpenVPN (either a client or server) when the computer starts:

  1. Share the configuration (or make it Deployed).
  2. Once a configuration is shared, set it to connect "When computer starts". The next time the computer is started, the configuration will be connected even before anyone logs in. You can also connect the configuration using Tunnelblick without restarting the computer.

Whenever you quit Tunnelblick (or you log out, which causes Tunnelblick to quit), Tunnelblick will leave "when computer starts" configurations connected, but close all other configurations that are connected.

VPN Username/Password

If an OpenVPN configuration requires a username/password, usually it includes "auth-user-pass" without a parameter, which directs OpenVPN to ask Tunnelblick for a username and password. Tunnelblick then either asks the user for them using a dialog box, or retrieves them from the currently-logged-in-user's Keychain (if the user had previously asked Tunnelblick to save them in the Keychain).

That doesn't work for "when computer starts" configurations because no user is logged in. There's no way to display a dialog, and there is no Keychain available.

However, you can change the OpenVPN configuration file so it will work. Change "auth-user-pass" to "auth-user-pass abc.key", and include a plain-text "abc.key" file which contains the username on the first line and the password on the second line. In that situation OpenVPN obtains the username and password directly from the file, which works even if no user is logged in.

Put the "abc.key" file and the modified OpenVPN configuration file in a folder along with any other files that are needed for the configuration. Rename the folder to be XXX.tblk (where XXX is the name you want for the VPN) and then drag/drop it onto the Tunnelblick icon in the menu bar to install it. Tunnelblick copies the folder and secures the abc.key file in its copy, so you should then securely delete the original folder so that the username/password cannot be accessed by others.

(You can choose any name for the "abc" part, but to ensure that the file is not visible to other users, it must have an extension of ".key".)
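
The packaging steps above as a shell function, added here as an illustration and not taken from Tunnelblick itself. The names make_tblk and demo, the office.ovpn sample and its credentials are constructed; the function reads the username and password from standard input and refuses a configuration that has no bare "auth-user-pass" line.

```shell
#!/bin/sh
# Added example (not Tunnelblick code). Usage:
#   make_tblk <config file> <VPN name> <output directory>
# The username (line 1) and password (line 2) are read from stdin so they
# never appear in the process list or in shell history.
make_tblk() {
    src=$1; name=$2; outdir=$3
    keyfile=abc.key   # any base name works; the extension must be ".key"
    tblk="$outdir/$name.tblk"

    [ -f "$src" ] || { echo "no such configuration: $src" >&2; return 1; }
    [ ! -e "$tblk" ] || { echo "already exists: $tblk" >&2; return 1; }
    # Only a bare "auth-user-pass" (no parameter) is rewritten; refuse
    # anything else rather than guess at the author's intent.
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]*$' "$src" ||
        { echo "no bare auth-user-pass line in $src" >&2; return 1; }

    IFS= read -r user || true
    IFS= read -r pass || true
    [ -n "$user" ] && [ -n "$pass" ] ||
        { echo "stdin must supply a username line, then a password line" >&2; return 1; }

    (
        umask 077     # staging copy is readable by the current user only
        mkdir -p "$tblk" &&
        printf '%s\n%s\n' "$user" "$pass" > "$tblk/$keyfile" &&
        sed -E "s/^([[:space:]]*auth-user-pass)[[:space:]]*\$/\\1 $keyfile/" \
            "$src" > "$tblk/$(basename "$src")"
    ) || return 1
    printf '%s\n' "$tblk"   # path of the folder to drop onto Tunnelblick
}

# Constructed sample run: a minimal client configuration and made-up
# credentials, written to a fresh temporary directory.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/tblk.XXXXXX") || return 1
    printf 'client\nremote vpn.example.com 1194\nauth-user-pass\n' \
        > "$d/office.ovpn"
    printf 'alice\nnot-a-real-password\n' |
        make_tblk "$d/office.ovpn" Office "$d"
}

if [ "$#" -eq 3 ]; then make_tblk "$@"; fi
```

The printed path is the staging folder; once Tunnelblick has installed its own copy, that folder is the one to delete securely.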

Tip: To edit the configuration file, the configuration must first be disconnected and made private. Then, after editing, make the configuration shared and connect it so that it will be secured.