OpenVPN vs Tunnelblick




This article explains what Tunnelblick is, when you need it, and how to install and uninstall it. It also includes a list of VPN providers that allow Tunnelblick connections.

If you are running macOS, you have probably heard people talking about Tunnelblick and how it can be used to set up a VPN connection. Below you will find all you need to know about Tunnelblick in order to make the most of it.

What is Tunnelblick?

Tunnelblick is an open source macOS application that provides secure access to an OpenVPN server. For those of you who don’t know, OpenVPN implements VPN techniques for creating secure point-to-point or site-to-site connections. The server running OpenVPN securely connects the Mac machine to the Internet, bypassing restrictions and censorship.

Tunnelblick is free and comes with an easy-to-use graphical user interface for controlling OpenVPN client and/or server connections. All necessary binaries and drivers, including OpenVPN and tun/tap drivers, are installed and configured by the Tunnelblick VPN package.

What you need to run Tunnelblick

Tunnelblick runs on OS X 10.4 through 10.9.

It is important to understand that it does not provide VPN by itself. It only helps a Mac OS computer to connect to a VPN server.

Thus, you need access to a VPN server with OpenVPN software installed. The OpenVPN server can be:

  • Provided by your company (if you are using it for business purposes). In that case you need to get the connection configuration from the network administrator (OpenVPN configuration files: .ovpn / .conf with the appropriate certificate and key files, or a Tunnelblick VPN Configuration: .tblk file).
  • A server provided by a VPN service (see the list of recommended VPN providers below).
  • A more advanced option is to connect to another computer that you have access to, or to a router that acts as a VPN server. You may consider ZeroShell or Untangle to configure the computer you want to access, or OpenVPN on DD-WRT to configure your router.


VPN services that support Tunnelblick

Regarding VPN service providers, you need to know that not all of them allow their users to connect to their servers using Tunnelblick. Many of them rely on their own Mac VPN clients or on Viscosity instead.

You may find below a list with several good VPN providers that allow Tunnelblick VPN connections.

VPN Provider | Tunnelblick | Own Mac VPN Client | Viscosity
AirVPN | Yes | Yes
ExpressVPN | Yes | Yes | Yes
HideMyAss | Yes | Yes
ibVPN | Yes | Yes
IPVanish | Yes | Yes (OSX 10.6.8+)
Private Internet Access | Yes | Yes (10.6+) | Yes
PureVPN | Yes | Yes
StrongVPN | Yes | Yes
VyprVPN | Yes | Yes

How to install it

Before starting the installation you need to get the config files from the VPN service provider or from the network administrator (in case you want to connect to the company network). Save them on your Mac OS computer.

Next, here is a quick start guide:

  1. Download the software GUI for Mac OS.
  2. Install it following the onscreen instructions.
  3. Launch it.
  4. Add configuration files by clicking on ‘I have configuration files’.
  5. Select ‘OpenVPN Configuration(s)’.
  6. Next, select ‘Open Private Configurations Folder’.
  7. Select ‘Done’.
  8. A new window with the folder ‘Configurations’ will appear.
  9. Now you need the OpenVPN configuration files. Extract the entire contents into the ‘Configurations’ folder. Close the window when done.
  10. Launch it from ‘Applications’.
  11. Click on the icon on the taskbar.
  12. Select a VPN location you would like to connect to and it will prompt you for your VPN username and password.
  13. Connect to the VPN server.

More detailed tutorials (including screenshots) may be found on the VPN providers setup pages: HideMyAss, ibVPN, VyprVPN, Private Internet Access, StrongVPN.

How to uninstall it

When you no longer need to use it to connect to a VPN server, follow these steps:

  1. Drag the program from your ‘Applications’ folder to your Trash.
  2. Click your hard disk icon on your desktop (or open your Finder).
  3. Click on ‘Library’ -> ‘Application Support’, and ‘Delete’/Trash the Tunnelblick folder if it exists.
  4. Click on ‘Library’ -> ‘Preferences’, and ‘Delete’/Trash the “com.tunnelblick.Tunnelblick.plist” file if it exists.
  5. Empty your Trash.
  6. Restart your Mac computer.

Can you run Tunnelblick on iPad and iPhone?

No, it is for macOS only. But you may connect from your iPad or iPhone to an OpenVPN server using applications like OpenVPN Connect.

Tunnelblick for Windows

The app is only available on Mac computers and there is no Windows version. OpenVPN provides an easy-to-use Windows application for connecting to VPN servers running OpenVPN.

Is it vulnerable to the OpenSSL Heartbleed attack?

Several versions of Tunnelblick include a version of the OpenSSL library that is vulnerable to the Heartbleed attack:

  • All 3.4 versions before 3.4beta22 (build 3789)
  • All 3.3 versions before 3.3.2 (build 3518.3792)

If you are running one of these versions you need to update to the latest version!

Tunnelblick vs Viscosity

Viscosity is a paid alternative to Tunnelblick and it provides a rich user interface for creating, editing, and controlling VPN connections. Basically, it performs the same job, but it looks nicer. Plus, Viscosity is available for both Mac and Windows, unlike Tunnelblick that only runs on Mac computers.

Moreover, Viscosity can run AppleScript or Batch/VBS scripts before connecting/on connect/on disconnect per tunnel.

If you plan to go with Viscosity, however, take into account that significantly fewer VPN providers accept Viscosity connections.

The subscription costs $9 and includes email support and free updates for all future 1.x versions.

Conclusion

Tunnelblick is an excellent solution for creating VPN connections on your Mac computers and securing your Internet traffic. It is simple to install and to use, even for those who are not computer freaks. It does not provide VPN by itself; it only helps the Mac to connect to an OpenVPN server. There are plenty of VPN providers that accept such connections (check the list provided in the article). You may consider Viscosity as an alternative to Tunnelblick if you need detailed traffic statistics, enterprise support or script control. Enjoy!

Background

To connect to a VPN, Tunnelblick needs to use a special kind of device driver:

  • For a Tun VPN, macOS includes a built-in 'utun' device driver which can be
    used so that Tunnelblick's Tun system extension does not need to be loaded.
    Most OpenVPN configuration files will automatically use the 'utun' driver, but
    some include options that require Tunnelblick to use its own Tun system
    extension. Those configuration files should be modified so that the built-in
    macOS 'utun' device driver can be used. (For simple instructions to make such
    modifications, see Errors Loading System Extensions.)

  • For a Tap VPN, Tunnelblick's Tap system extension must be loaded because
    macOS does not have a built-in Tap device driver.

Apple has made it more and more difficult to load system extensions with each
new version of macOS. They have also announced that in 'a future version' of
macOS, you will not be able to use system extensions at all.

How to Load Tunnelblick's System Extensions

If you are using any version of macOS up to and including macOS Sierra,
Tunnelblick automatically loads and unloads its system extensions; you do not
need to do anything.

If you are using macOS High Sierra, Mojave, or Catalina, you need to:

  1. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
  2. Open System Preferences >> Security & Privacy;
  3. Give permission to load system extensions signed by 'Jonathan Bullard';
  4. Close System Preferences; and
  5. If you are using macOS Catalina, restart your computer.

If you are using macOS Big Sur on an Intel Mac, you need to:

  1. Restart your computer in Recovery mode;
  2. Open /Applications/Utilities/Terminal;
  3. Execute 'csrutil disable' command in Terminal;
  4. Restart your computer normally;
  5. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
  6. Open System Preferences >> Security & Privacy;
  7. Give permission to load system extensions signed by 'Jonathan Bullard';
  8. Close System Preferences;
  9. Restart your computer normally;
  10. Restart your computer in Recovery mode;
  11. Open /Applications/Utilities/Terminal;
  12. Execute 'csrutil enable' command in Terminal; and
  13. Restart your computer normally.

If you are using macOS Big Sur on an Apple Silicon Mac, you need to use the latest beta version of Tunnelblick. See Tunnelblick and Apple Silicon for details.

The Long-Term Problem

Apple has announced changes to macOS which affect many users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

What this means is:

  • If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult your VPN service provider or OpenVPN experts and support for help with doing this.

  • On macOS Big Sur 11.0.1 you may be able to allow 'tap' VPNs to continue to work by disabling SIP.

  • On macOS Big Sur 11.1.0 disabling SIP is not necessary.

  • If you have a 'tun' VPN, your configurations may continue to work in future versions of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a 'dev-node' option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a 'dev-node' option, you will need to remove that option so the configuration continues to work (see below).

How to tell if you have a 'tap' VPN or a 'tun' VPN

First, click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.

Then, examine the title of the 'VPN Details' window. If it includes:

  • '- UTUN -': you have a 'tun' VPN but it does not require a system extension. You don't need to do anything.
  • '- TUN -': you have a 'tun' VPN which requires a system extension. See below for instructions for modifying the OpenVPN configuration file so the system extension is not required.
  • '- TAP -': you have a 'tap' VPN which requires a system extension. Contact your VPN service provider for help.

When will this happen?

Apple does not announce its intentions in advance, so there may not be any prior notice of this change. It may appear in a version of macOS Big Sur, or may appear in a later version of macOS.

For updated information about macOS Big Sur, see Tunnelblick on macOS Big Sur.

How to modify a 'tun' VPN so it will continue to work

You need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file:

  1. Click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.
  2. Click on the little 'gear' icon at the bottom of the list of configurations. If you can click 'Make Configuration Private…', do so and have a computer administrator authorize the change. (If you can't click it, don't : )
  3. Click on the little 'gear' icon and click on 'Edit OpenVPN Configuration File…'. The configuration file will open in Apple's 'TextEdit' editor.
  4. Find a line that starts with 'dev-node tun'. If you find one, delete the line. If you don't find one, skip the next step.
  5. Look for a line that starts 'dev tun' or 'dev-type tun'. If neither one exists in the file, add a new line that says 'dev tun'.
  6. Quit TextEdit, saving the changes if asked.
  7. If you previously made the configuration private, make it shared by clicking the little 'gear' icon, clicking 'Make Configuration Shared', and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.
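The check and the edit described in the two sections above can be scripted for a folder of configuration files. This is an added example, not Tunnelblick's own code: the function names and the sample configuration are constructed, and the UTUN/TUN/TAP labels are inferred from the rules stated on this page ('dev-node' forces the Tun system extension, 'tap' always needs one).

```python
import re

# Constructed sample configuration; host name and option values are made up.
SAMPLE = """\
client
dev-node tun0
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
dev-node-lookalike-inside-inline-block
-----END CERTIFICATE-----
</ca>
"""

def directives(text):
    """Yield (line_index, option, args) for options outside inline <tag> blocks."""
    block = None
    for i, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if block:                           # inside <ca>, <key>, ...: skip payload
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            block = m.group(1)
        elif line and line[0] not in "#;":  # '#' and ';' start comments
            parts = line.split()
            yield i, parts[0], parts[1:]

def classify(text):
    """Return 'TAP', 'TUN' (needs the Tun extension) or 'UTUN' (built-in driver)."""
    opts = {name: args for _, name, args in directives(text)}
    kind = (opts.get("dev-type") or opts.get("dev") or opts.get("dev-node") or [""])[0]
    if kind.startswith("tap"):
        return "TAP"
    return "TUN" if "dev-node" in opts else "UTUN"

def make_utun_compatible(text):
    """Apply steps 4 and 5: drop 'dev-node', ensure a 'dev tun' line is present."""
    if classify(text) == "TAP":
        raise ValueError("tap configuration: needs server-side changes, not this edit")
    found = list(directives(text))
    drop = {i for i, name, _ in found if name == "dev-node"}
    has_dev = any(name in ("dev", "dev-type") and args and args[0].startswith("tun")
                  for _, name, args in found)
    kept = [l for i, l in enumerate(text.splitlines()) if i not in drop]
    if not has_dev:
        kept.insert(0, "dev tun")           # option order does not matter to OpenVPN
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print(classify(SAMPLE), "->", classify(make_utun_compatible(SAMPLE)))
```

Run it against a copy of the configuration file; installing the edited file in Tunnelblick still goes through the administrator authorization described above.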

If macOS still complains

Always load tun or always load tap

If you have a 'tun' VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS Catalina still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to 'Load tun driver automatically' and 'Load tap driver automatically'. These settings are found on the 'Connecting & Disconnecting' tab of the 'Advanced' settings window. Recent versions of Tunnelblick will automatically disable loading of 'tun' and 'tap' system extensions on versions of macOS that do not allow Tunnelblick to load them.

Disabling SIP

System Integrity Protection ('SIP') is a feature of macOS which helps keep your computer safe (see About System Integrity Protection on your Mac).

Although it is not recommended because it makes your computer less safe, if you are using macOS Big Sur 11.0.1, disabling SIP may allow your computer to connect a 'tap' VPN. See Configuring System Integrity Protection for instructions to disable SIP.

It has been reported that on macOS Big Sur 11.1.0 disabling SIP is no longer necessary. This has not been verified by the Tunnelblick developers.

Old versions of Tunnelblick will not help

This situation is caused by changes in macOS, not a change in Tunnelblick, so older versions of Tunnelblick will not help. All Macs running OS X 10.7.5 or later should use the latest stable or beta version of Tunnelblick. See Deprecated Downloads for a version of Tunnelblick that should be used on earlier versions of OS X and on all PowerPC Macs.

What Apple announced

Apple has announced that 'future OS releases will no longer load system extensions that use deprecated KPIs by default'. Tunnelblick includes, and for some configurations loads, one of two such extensions:

  • 'tap' configurations always require the use of one system extension.
  • 'tun' configurations may require the use of the other system extension but can easily be modified so no system extension is required.

It isn't clear what Apple means by the phrase 'by default'. It may mean that Apple will provide a mechanism for users to allow loading of system extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS Catalina does not indicate such a mechanism will be provided.

Early versions of macOS Big Sur may allow system extensions to be loaded if SIP is disabled, see Tunnelblick on macOS Big Sur.

On macOS Big Sur 11.1.0 disabling SIP is no longer necessary.

What is Tunnelblick doing about it?

In the short term:

  • macOS Catalina loads Tunnelblick's system extensions (which are signed by 'Jonathan Bullard'), but the user must interactively allow this in the Security and Privacy window of System Preferences.

  • macOS Big Sur 11.0.1 refuses to load Tunnelblick's existing, notarized system extensions unless SIP is disabled. It isn't known if this behavior will be present in future versions of Big Sur; 11.1.0 does not require SIP to be disabled. Apple's suggested workaround, using an 'installer package', cannot be easily integrated into the Tunnelblick installation process. It is possible that someone else will develop an installer which can load Tunnelblick's system extensions and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to link to the installer or installers on the Downloads page.)

  • Versions of Tunnelblick that are running on macOS Big Sur may disable loading of system extensions. You may override this; see Tunnelblick on macOS Big Sur for details.

  • Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to include it in Tunnelblick.)

In the longer term:

At some point in the future when Tunnelblick no longer supports versions of macOS that can load system extensions, system extension loading and unloading will probably be removed from Tunnelblick. Historically, Tunnelblick has supported several years of macOS releases. As of June 2020 Tunnelblick supports OS X and macOS versions as far back as 10.7.5, which was released in 2012, so it is anticipated that the removal will not take place until the mid- to late-2020s.




