tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

The Future of Tun and Tap VPNs on macOS

On This Page
        The Problem
        How to tell if you have a 'tap' VPN or a 'tun' VPN
        When will this happen?
        How to modify a 'tun' VPN so it will continue to work
        If macOS Catalina still complains
        Always load tun or always load tap
        Disabling SIP
        Old versions of Tunnelblick will not help
        What Apple announced
        What is Tunnelblick doing about it?

For the latest information about Tun and Tap VPNs on macOS Big Sur, see Tunnelblick and macOS Big Sur.

The Problem

Apple has announced changes to macOS which affect many users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

window showing the title 'Legacy System Extension' and the text 'existing software on your system loaded a system extension signed by Jonathan Bullard which will be incompatible with a future version of macOS. Contact the developer for support.'

What this means is:

  • If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) On macOS Big Sur you may be able to allow 'tap' VPNs to continue to work by disabling SIP. You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult OpenVPN experts and support for help with doing this.

  • If you have a 'tun' VPN, your configurations may continue to work in future version of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a "dev-node" option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a "dev-node" option, you will need to remove that option so the configuration continues to work (see below).

How to tell if you have a 'tap' VPN or a 'tun' VPN

  1. Click to select a configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon at the bottom of the list of configurations and click on either "Examine OpenVPN Configuration file…" or "Edit OpenVPN Configuration File…". The configuration file will open in a window or in Apple's "TextEdit" editor.
  3. Find a line that starts with "dev tun", "dev-type tun", or "dev-node tun". If you find one, you have a 'tun' VPN.
  4. Find a line that starts with "dev tap", "dev-type tap", or "dev-node tap". If you find one, you have a 'tap' VPN.

If you can't find a line that starts with any of the above, ask for help from the Tunnelblick Discussion Group.

When will this happen?

Apple does not announce its intentions in advance, so there may not be any prior notice of this change.

Our best guess based on similar situations in the past is that the earliest Apple will make this change is in the last version of macOS Catalina, which is expected to be released in July or August of 2020. However, it is also possible that Apple will make the change earlier or later, and it is possible that Tunnelblick's VPNs will continue to work for some period of time even after Apple makes the change.

For updated information about macOS Big Sur, see Tunnelblick on macOS Big Sur.

How to modify a 'tun' VPN so it will continue to work

You need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file:

  1. Click to select a configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon at the bottom of the list of configurations. If you can click "Make Configuration Private…", do so and have a computer administrator authorize the change. (If you can't click it, don't : )
  3. Click on the little "gear" icon and click on "Edit OpenVPN Configuration File…". The configuration file will open in Apple's "TextEdit" editor.
  4. Find a line that starts with "dev-node tun". If you find one, delete the line. If you dont find one, skip the next step.
  5. Look for a line that starts "dev tun" or "dev-type tun". If neither one exists in the file, add a new line that says "dev tun".
  6. Quit TextEdit, saving the changes if asked.
  7. If you previously made the configuration private, make it shared by clicking the little "gear" icon, clicking "Make Configuration Shared", and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.

If macOS Catalina still complains

Always load tun or always load tap

If you have a 'tun' VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS Catalina still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to "Load tun driver automatically" and "Load tap driver automatically". These settings are found on the "Connecting & Disconnecting" tab of the "Advanced" settings window. Tunnelblick 3.8.3beta03 and later will automatically disable loading of "tun" and "tap" system extensions on versions of macOS that do not allow Tunnelblick to load them.

Disabling SIP

System Integrity Protection ("SIP") is a feature of macOS which helps keep your computer safe (see About System Integrity Protection on your Mac).

Although it is not recommended because it makes your computer less safe, if you are using macOS Big Sur or later disabling SIP may allow your computer to connect a 'tap' VPN. See Configuring System Integrity Protection for instructions to disable SIP.

Old versions of Tunnelblick will not help

This situation is caused by a change in macOS, not a change in Tunnelblick, so older versions of Tunnelblick will not help. All Macs running OS X 7.5 or later should use the latest stable or beta version of Tunnelblick. See Deprecated Downloads for a version of Tunnelblick that should be used on earlier versions of OS X and on all PowerPC Macs.

What Apple announced

Apple has announced that "future OS releases will no longer load system extensions that use deprecated KPIs by default". Tunnelblick includes, and for some configurations loads one of two such extensions:

  • 'tap' configurations always require the use of one system extension.
  • 'tun' configurations may require the use of the other system extension but can easily be modified so no system extension is required.

It isn't clear what Apple means by the phrase "by default". It may mean that Apple will provide a mechanism for users to allow loading of system extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS Catalina does not indicate such a mechanism will be provided.

Beta versions of macOS Big Sur may allow system extensions to be loaded if SIP is disabled. See Tunnelblick on macOS Big Sur for an additional step that you need to take when using Tunnelblick 3.8.4beta01 and lower.

What is Tunnelblick doing about it?

In the short term:

  • macOS Catalina 10.15.5 loads Tunnelblick's system extensions. Although system extensions signed by "Jonathan Bullard" must be interactively allowed by the user in the Security and Privacy window of System Preferences, macOS guides the user through the process.

  • macOS Big Sur 11.0 Developer Beta 3 (20A5323l) refuses to load Tunnelblick's existing, notarized system extensions unless SIP is disabled. It isn't known if this behavior will be present in future beta versions of Big Sur or in the final version of Big Sur. Apple's suggested workaround, using an "installer package", cannot be easily integrated into the Tunnelblick installation process. It is possible that someone else will develop an installer which can load Tunnelblick's system extensions and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to link to the installer or installers on the Downloads page.)

  • Versions of Tunnelblick that are running on macOS Big Sur may disable loading of system extensions. You may override this; see Tunnelblick on macOS Big Sur for details.

  • Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to include it in Tunnelblick.)

In the longer term:

At some point in the future when Tunnelblick no longer supports versions of macOS that can load system extensions, system extension loading and unloading will probably be removed from Tunnelblick. Historically, Tunnelblick has supported several years of macOS releases. As of June 2020 Tunnelblick supports OS X and macOS versions as far back as 10.7.5, which was released in 2012, so it is anticipated that the removal will not take place until the mid- to late-2020s.

  Deutsch     Français     中文(简体)     Русский     Español     日本語     …