The Future of Tun and Tap VPNs on macOS

The Problem

Apple has announced changes to macOS which affect most users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

window showing the title 'Legacy System Extension' and the text 'existing software on your system loaded a system extension signed by Jonathan Bullard which will be incompatible with a future version of macOS. Contact the developer for support.'

What this means is:

  • If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult OpenVPN experts and support for help with doing this.

  • If you have a 'tun' VPN, your configurations may continue to work in future versions of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a "dev-node" option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a "dev-node" option, you will need to remove that option so the configuration continues to work (see below).

How to tell if you have a 'tap' VPN or a 'tun' VPN

  1. Click to select a configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon and click on either "Examine OpenVPN Configuration file…" or "Edit OpenVPN Configuration File…". The configuration file will open in a window or in Apple's "TextEdit" editor.
  3. Find a line that starts with "dev tun", "dev-type tun", or "dev-node tun". If you find one, you have a 'tun' VPN.
  4. Find a line that starts with "dev tap", "dev-type tap", or "dev-node tap". If you find one, you have a 'tap' VPN.

If you can't find a line that starts with any of the above, ask for help from the Tunnelblick Discussion Group.

When will this happen?

Our best guess based on similar situations is that the earliest Apple will make this change is in the last version of macOS Catalina, which is expected to be released in June or July of 2020. However, it is also possible that Apple will make the change earlier, and it is possible that Tunnelblick's VPNs will continue to work for some period of time even after Apple makes the change.

How to modify a 'tun' VPN so it will continue to work

You need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file:

  1. Click to select a configuration in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click on the little "gear" icon at the bottom of the list. If you can click "Make Configuration Private…", do so and have a computer administrator authorize the change. (If you can't click it, don't. :)
  3. Click on the little "gear" icon and click on "Edit OpenVPN Configuration File…". The configuration file will open in Apple's "TextEdit" editor.
  4. Find a line that starts with "dev-node tun". If you find one, delete the line. If you don't find one, skip the next step.
  5. Look for a line that starts "dev tun" or "dev-type tun". If neither one exists in the file, add a new line that says "dev tun".
  6. Quit TextEdit, saving the changes if asked.
  7. If you previously made the configuration private, make it shared by clicking the little "gear" icon, clicking "Make Configuration Shared", and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.
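
The checks in "How to tell if you have a 'tap' VPN or a 'tun' VPN" and steps 4 and 5 above can also be run over a copy of the configuration text. This is an added example, not part of Tunnelblick; the function names and the sample configuration are constructed for illustration.

```python
import re

# "dev", "dev-type" or "dev-node" at the start of a line, then its value.
# Comment lines (starting with '#' or ';') do not match.
DEV_LINE = re.compile(r"^\s*(dev|dev-type|dev-node)\s+(\S+)", re.IGNORECASE)

def _dev_options(config_text):
    """Yield (line, option, kind) per line; option/kind are None for other lines."""
    for line in config_text.splitlines():
        m = DEV_LINE.match(line)
        value = m.group(2).lower() if m else ""
        kind = "tun" if value.startswith("tun") else "tap" if value.startswith("tap") else None
        yield line, (m.group(1).lower() if m else None), kind

def classify(config_text):
    """Return (kind, has_dev_node); kind is 'tun', 'tap', or None if unclear."""
    found = [(opt, kind) for _, opt, kind in _dev_options(config_text) if opt]
    kinds = {kind for _, kind in found if kind}
    has_dev_node = any(opt == "dev-node" for opt, _ in found)
    return (kinds.pop() if len(kinds) == 1 else None), has_dev_node

def remove_dev_node(config_text):
    """Steps 4 and 5: delete 'dev-node tun' lines, then ensure 'dev tun' is present."""
    kind, _ = classify(config_text)
    if kind != "tun":
        raise ValueError("not clearly a 'tun' configuration; leave it unchanged")
    kept, removed, still_tun = [], False, False
    for line, opt, line_kind in _dev_options(config_text):
        if opt == "dev-node" and line_kind == "tun":
            removed = True
            continue
        still_tun = still_tun or (opt in ("dev", "dev-type") and line_kind == "tun")
        kept.append(line)
    if not removed:
        return config_text  # nothing to delete, so step 5 is skipped
    if not still_tun:
        kept.append("dev tun")
    return "\n".join(kept) + "\n"

# Constructed sample configuration (vpn.example.com is a placeholder host).
SAMPLE = """\
client
dev-node tun
proto udp
remote vpn.example.com 1194
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(remove_dev_node(SAMPLE), end="")
```

A 'tap' configuration, or one with no recognizable "dev" line, raises an error instead of being rewritten.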

Always load tun or always load tap

If macOS Catalina still complains

If you have a 'tun' VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS Catalina still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to "Load tun driver automatically" and "Load tap driver automatically". These settings are found on the "Connecting & Disconnecting" tab of the "Advanced" settings window.

What Apple announced

Apple has announced that "future OS releases will no longer load kernel extensions that use deprecated KPIs by default". Tunnelblick includes, and for some configurations uses, two such extensions:

  • 'tap' configurations always require the use of one kernel extension.
  • 'tun' configurations may require the use of the other kernel extension but can easily be modified so no kernel extension is required.

It isn't clear what Apple means by the phrase "by default". It may mean that Apple will provide a mechanism for users to allow loading of kernel extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS Catalina does not indicate such a mechanism will be provided.

What is Tunnelblick doing about it?

Nothing is planned. Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the kernel extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to include it in Tunnelblick.)
