tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

The Future of Tun and Tap VPNs on macOS

On This Page
        Background
        The Long-Term Problem
        When will this happen?
        How to tell if a VPN requires a Tun or Tap System Extension
        How to modify a Tun VPN so it will not require the Tun system extension
        If macOS still complains
        Always load tun or always load tap
        Old versions of Tunnelblick will not help
        What Apple announced
        The Origin of Tunnelblick's Tun and Tap system extensions
        What is Tunnelblick doing about it?

Background

To connect to a VPN, Tunnelblick needs to use a special kind of device driver:

  • For a Tun VPN, macOS includes a built-in "utun" device driver which can be used so that Tunnelblick's Tun system extension does not need to be loaded. Most OpenVPN configuration files will automatically use the "utun" driver, but some include options that require Tunnelblick to use its own Tun system extension. Those configuration files should be modified so that the built-in macOS "utun" device driver can be used. (For simple instructions to make such modifications, see Errors Loading System Extensions.)

  • For a Tap VPN, Tunnelblick's Tap system extension must be loaded because macOS does not have a built-in Tap device driver.

Apple has made it more and more difficult to load system extensions with each new version of macOS. They have also announced that in "a future version" of macOS, you will not be able to use system extensions at all.

The Long-Term Problem

Apple has announced changes to macOS which affect many users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

window showing the title 'Legacy System Extension' and the text 'existing software on your system loaded a system extension signed by Jonathan Bullard which will be incompatible with a future version of macOS. Contact the developer for support.'

What this means is:

  • If you have a Tap VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable Tap VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) You may be able to convert your Tap VPN to a Tun VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult your VPN service provider or OpenVPN experts and support for help with doing this.

  • If you have a Tun VPN, your configurations may continue to work in future version of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a "dev-node" option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a "dev-node" option, you will need to remove that option so the configuration continues to work (see below).

When will this happen?

Apple does not announce its intentions in advance, so there may not be any prior notice of this change. It could appear at any time, but in the past similar changes were often included in the last point release before a new version of macOS.

On older versions of macOS or OS X, Tunnelblick loaded and unloaded Tun and Tap system extensions without any user interaction – it was done automatically, as needed.

However, that cannot be done on recent versions of macOS and with each new version of macOS Apple has made it more difficult to use the system extensions at all. Although the initial setup to use the system extensions needs only be done one time, it is becoming more and more burdensome:

  • High Sierra required that the user specifically allow Tunnelblick's Tun and Tap system extensions in System Preferences.
  • Catalina added the requirement that the computer be restarted before using system extensions for the first time.
  • Big Sur added the requirement that the user separately install the system extensions before connecting a VPN.
  • On an Apple Silicon Mac, three computer restarts are required: to restart into macOS Recovery to change the security policy, to restart normally to install the system extensions, and to restart normally again to load the system extensions.

How to tell if a VPN requires a Tun or Tap System Extension

Tunnelblick will warn you if one or more of your VPNs requires a Tun or Tap system extension, but you will not see this warning if you clicked "do not warn me about this again". You can "Reset Disabled Warnings" (on the "Preferences" panel of Tunnelblick's "VPN Details" window) and then quit and relaunch Tunnelblick to be warned about the problem, or you can do the following for each of your VPN configurations:

  1. Click to select the configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon at the bottom of the list, then click "Edit OpenVPN Configuration File" or "Examine OpenVPN Configuration File".
  3. Look in the new window for lines that begin with "dev":

  • If a line begins with "dev tap" the VPN requires a Tap system extension.

  • If a line begins with "dev-node tun", the VPN requires a Tun system extension, but you can modify the OepnVPN configuration file so the Tun system extension is not required; see below.

  • Otherwise, the VPN does not require a Tun or Tap system extension.

How to modify a Tun VPN so it will not require the Tun system extension

First, make sure the VPN does not have "Always load Tun driver" selected in the "Advanced" settings window.

Then, you need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file and make sure a "dev tun" option exists:

  1. Click to select a configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon at the bottom of the list of configurations. If you can click "Make Configuration Private…", do so and have a computer administrator authorize the change. (If you can't click it, don't : )
  3. Click on the little "gear" icon and click on "Edit OpenVPN Configuration File…". The configuration file will open in Apple's "TextEdit" editor.
  4. Find a line that starts with "dev-node tun". If you find one, delete the line. If you dont find one, skip the next step.
  5. Look for a line that starts "dev tun" or "dev-type tun". If neither one exists in the file, add a new line that says "dev tun".
  6. Quit TextEdit, saving the changes if asked.
  7. If you previously made the configuration private, make it shared by clicking the little "gear" icon, clicking "Make Configuration Shared", and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.

If macOS still complains

Always load tun or always load tap

If you have a Tun VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to "Load tun driver automatically" and "Load tap driver automatically". These settings are found on the "Connecting & Disconnecting" tab of the "Advanced" settings window. Recent versions of Tunnelblick will automatically disable loading of "tun" and "tap" system extensions on versions of macOS that do not allow Tunnelblick to load them.

Old versions of Tunnelblick will not help

This situation is caused by changes in macOS, not a change in Tunnelblick, so older versions of Tunnelblick will not help. All Macs running OS X 10.10 or later should use the latest stable or beta version of Tunnelblick. See Deprecated Downloads for a version of Tunnelblick that should be used on earlier versions of OS X and on all PowerPC Macs.

What Apple announced

Apple has announced that "future OS releases will no longer load system extensions that use deprecated KPIs by default". Tunnelblick's Tun and Tap system extensions use some of the deprecated KPIs.

  • Tap configurations always require the use of one system extension.
  • Tun configurations may require the use of the other system extension but can easily be modified so no system extension is required.

It isn't clear what Apple means by the phrase "by default". It may mean that Apple will provide a mechanism for users to allow loading of system extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS does not indicate such a mechanism will be provided.

The Origin of Tunnelblick's Tun and Tap system extensions

Tunnelblick uses customized versions of the Tun and Tap system extensions from tuntaposx that were written by Mattias Nissler. tuntaposx has not been actively maintained for several years and the extensions are not notarized, so they cannot be used on recent versions of macOS. The changes made to tuntaposx for Tunnelblick primarily identify the system extensions as parts of Tunnelblick and allow them to be built with modern versions of Xcode and for Apple Silicon. Tunnelblick's Tun and Tap system extensions are signed and notarized to allow them to be used on recent versions of macOS.

What is Tunnelblick doing about it?

In the short term:

Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. If it does happen, we expect to include it in Tunnelblick.

In the longer term:

We expect it to continue to support Tun configurations using "utun" indefinitely.

However, at some point in the future when Tunnelblick no longer supports versions of macOS that can load system extensions, system extension loading and unloading will probably be removed from Tunnelblick and Tunnelblick will no longer support Tap configurations. Historically, Tunnelblick has supported several years of macOS releases. As of February 2022 Tunnelblick supports OS X and macOS versions as far back as 10.10, which was released in 2014, so it is anticipated that the removal will not take place until the mid- to late-2020s.