Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

On This Page
Background
How to Load Tunnelblick's System Extensions
The Long-Term Problem
How to tell if you have a 'tap' VPN or a 'tun' VPN
When will this happen?
How to modify a 'tun' VPN so it will continue to work
If macOS still complains
Always load tun or always load tap
Disabling SIP
Old versions of Tunnelblick will not help
What Apple announced
What is Tunnelblick doing about it?

Background

To connect to a VPN, Tunnelblick needs to use a special kind of device driver:

• For a Tun VPN, macOS includes a built-in 'utun' device driver which can be
  used so that Tunnelblick's Tun system extension does not need to be loaded.
  Most OpenVPN configuration files will automatically use the 'utun' driver, but
  some include options that require Tunnelblick to use its own Tun system
  extension. Those configuration files should be modified so that the built-in
  macOS 'utun' device driver can be used. (For simple instructions to make such
  modifications, see Errors Loading System Extensions.)

• For a Tap VPN, Tunnelblick's Tap system extension must be loaded because
  macOS does not have a built-in Tap device driver.

Apple has made it more and more difficult to load system extensions with each
new version of macOS. They have also announced that in 'a future version' of
macOS, you will not be able to use system extensions at all.

How to Load Tunnelblick's System Extensions

If you are using any version of macOS up to and including macOS Sierra,
Tunneblick automatically loads and unloads its system extensions; you do not
need to do anything.

If you are using macOS High Sierra, Mojave, or Catalina, you need to

1. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
2. Open System Preferences >> Security & Privacy;
3. Give permission to load system extensions signed by 'Jonathan Bullard';
4. Close System Preferences; and
5. If you are using macOS Catalina**, restart your computer.

If you are using macOS Big Sur on an Intel Mac, you need to:

1. Restart your computer in Recovery mode;
2. Open /Applications/Utilities/Terminal;
3. Execute 'csrutil disable' command in Terminal;
4. Restart your computer normally;
5. Attempt to connect the configuration so Tunnelblick attempts to use the system extension;
6. Open System Preferences >> Security & Privacy;
7. Give permission to load system extensions signed by 'Jonathan Bullard';
8. Close System Preferences;
9. Restart your computer normally;
10. Restart your computer in Recovery mode;
11. Open /Applications/Utilities/Terminal;
12. Execute 'csrutil enable' command in Terminal; and
13. Restart your computer normally.

If you are using macOS Big Sur on an Apple Silicon Mac, you need to use the latest beta version of Tunnelblick. See Tunnelblick and Apple Silicon for details.

The Long-Term Problem

Apple has announced changes to macOS which affect many users of Tunnelblick.

You might see a warning from Tunnelblick about this change, or you might see the following warning when connecting your VPN:

What this means is:

• If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult your VPN service provider or OpenVPN experts and support for help with doing this.

• On macOS Big Sur 11.0.1 you may be able to allow 'tap' VPNs to continue to work by disabling SIP.

• On macOS Big Sur 11.1.0 disabling SIP is not necessary.

• If you have a 'tun' VPN, your configurations may continue to work in future version of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a 'dev-node' option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a 'dev-node' option, you will need to remove that option so the configuration continues to work (see below).

How to tell if you have a 'tap' VPN or a 'tun' VPN

First, click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.

Then, examine the title of the 'VPN Details' window. If it includes:

• '- UTUN -': you have a 'tun' VPN but it does not require a system extension. You don't need to do anything.
• '- TUN -': you have a 'tun' VPN which requires a system extension. See below for instructions for modifying the OpenVPN configuration file so the system extension is not required.
• '- TAP -': you have a 'tap' VPN which requires a system extension. Contact your VPN service provider for help.

When will this happen?

Apple does not announce its intentions in advance, so there may not be any prior notice of this change. It may appear in a version of macOS Big Sur, or may appear in a later version of macOS.

For updated information about macOS Big Sur, see Tunnelblick on macOS Big Sur.

How to modify a 'tun' VPN so it will continue to work

You need to remove the dev-node option if it exists in the VPN's OpenVPN configuration file:

1. Click to select a configuration in the left side of the 'Configurations' panel of Tunnelblick's 'VPN Details' window.
2. Click on the little 'gear' icon at the bottom of the list of configurations. If you can click 'Make Configuration Private…', do so and have a computer administrator authorize the change. (If you can't click it, don't : )
3. Click on the little 'gear' icon and click on 'Edit OpenVPN Configuration File…'. The configuration file will open in Apple's 'TextEdit' editor.
4. Find a line that starts with 'dev-node tun'. If you find one, delete the line. If you dont find one, skip the next step.
5. Look for a line that starts 'dev tun' or 'dev-type tun'. If neither one exists in the file, add a new line that says 'dev tun'.
6. Quit TextEdit, saving the changes if asked.
7. If you previously made the configuration private, make it shared by clicking the little 'gear' icon, clicking 'Make Configuration Shared', and having the change authorized by a computer administrator.

If you made changes to the file and did not change it from shared to private and back to shared, the next time you connect the configuration you will be asked to have a computer administrator authorize the changes.

If macOS still complains

Always load tun or always load tap

If you have a 'tun' VPN which does not need to be modified, or has been modified as described above, and Tunnelblick or macOS Catalina still complains, then you have changed a Tunnelblick setting and should restore it to the default setting. All configurations should be set to 'Load tun driver automatically' and 'Load tap driver automatically'. These settings are found on the 'Connecting & Disconnecting' tab of the 'Advanced' settings window. Recent versions of Tunnelblick will automatically disable loading of 'tun' and 'tap' system extensions on versions of macOS that do not allow Tunnelblick to load them.

Disabling SIP

System Integrity Protection ('SIP') is a feature of macOS which helps keep your computer safe (see About System Integrity Protection on your Mac).

Although it is not recommended because it makes your computer less safe, if you are using macOS Big Sur 11.0.1, disabling SIP may allow your computer to connect a 'tap' VPN. See Configuring System Integrity Protection for instructions to disable SIP.

It has been reported that on macOS Big Sur 11.1.0 disabling SIP is no longer necessary. This has not been verified by the Tunnelblick developers.

Old versions of Tunnelblick will not help

This situation is caused by changes in macOS, not a change in Tunnelblick, so older versions of Tunnelblick will not help. All Macs running OS X 7.5 or later should use the latest stable or beta version of Tunnelblick. See Deprecated Downloads for a version of Tunnelblick that should be used on earlier versions of OS X and on all PowerPC Macs.

What Apple announced

Apple has announced that 'future OS releases will no longer load system extensions that use deprecated KPIs by default'. Tunnelblick includes, and for some configurations loads one of two such extensions:

• 'tap' configurations always require the use of one system extension.
• 'tun' configurations may require the use of the other system extension but can easily be modified so no system extension is required.

It isn't clear what Apple means by the phrase 'by default'. It may mean that Apple will provide a mechanism for users to allow loading of system extensions that use deprecated KPIs. However, Apple's practice has been to make such mechanisms very difficult to use, and the warning in macOS Catalina does not indicate such a mechanism will be provided.

Early versions of macOS Big Sur may allow system extensions to be loaded if SIP is disabled, see Tunnelblick on macOS Big Sur.

On macOS Big Sur 11.1.0 disabling SIP is no longer necessary.

What is Tunnelblick doing about it?

In the short term:

• macOS Catalina loads Tunnelblick's system extensions (which are signed by 'Jonathan Bullard'), but the user must interactively allow this in the Security and Privacy window of System Preferences.

• macOS Big Sur 11.0.1 refuses to load Tunnelblick's existing, notarized system extensions unless SIP is disabled. It isn't known if this behavior will be present in future versions of Big Sur; 11.1.0 does not require SIP to be disabled. Apple's suggested workaround, using an 'installer package', cannot be easily integrated into the Tunnelblick installation process. It is possible that someone else will develop an installer which can load Tunnelblick's system extensions and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to link to the installer or installers on the Downloads page.)

• Versions of Tunnelblick that are running on macOS Big Sur may disable loading of system extensions. You may override this; see Tunnelblick on macOS Big Sur for details.

• Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. It is possible that someone else will develop such an alternative method and make it publicly available, but there is no way to know if or when that will happen. (If it does happen, we expect to include it in Tunnelblick.)

In the longer term:

At some point in the future when Tunnelblick no longer supports versions of macOS that can load system extensions, system extension loading and unloading will probably be removed from Tunnelblick. Historically, Tunnelblick has supported several years of macOS releases. As of June 2020 Tunnelblick supports OS X and macOS versions as far back as 10.7.5, which was released in 2012, so it is anticipated that the removal will not take place until the mid- to late-2020s.