Frequently Asked Questions
VPNs are primarily used in two ways, or sometimes both ways simultaneously:
In addition to Tunnelblick, you need access to a VPN server. Your company may provide one, or you can obtain VPN service from any of several VPN service providers, or you can use another one of your computers or a router to act as a VPN server. See Getting VPN Service for details.
It runs on OS X Tiger (10.4), Leopard (10.5), and Snow Leopard (10.6). It comes as a ready-to-use Universal application with all necessary binaries and drivers (including OpenVPN and tun/tap) included. No additional installation is necessary -- just add your configuration and encryption information.
Tunnelblick is free software licensed under the GNU General Public License (GPL) Version 2.
The Tunnelblick disk image includes a link to the Tunnelblick Documentation. There is also help available in Tunnelblick's main window, the VPN Details… window.
Does Tunnelblick work on Snow Leopard? Leopard? Tiger? Lion? Mountain Lion? Panther? Intel? PowerPC?
Yes. Tunnelblick is a Universal 32-bit application, so it runs as an application in 32-bit mode on both Intel and PowerPC Macs under Tiger, Leopard, Snow Leopard, Lion, and Mountain Lion, under 32-bit and 64-bit kernels. It includes 32/64-bit versions of tun.kext and tap.kext. Tiger, Leopard, and Snow Leopard's 32-bit kernel use the 32-bit tun/tap, and Snow Leopard's 64-bit kernel, Lion, and Mountain Lion use the 64-bit tun/tap.
Mountain Lion works best with Tunnelblick 3.3beta36 and up, but can be run on 3.3beta21 and, with some setups, on 3.2.8.
Panther requires a very old version, Tunnelblick 2.0.1.
You need a VPN server to connect to. It could be a server at your company or at a VPN service provider, or it could be a VPN that you have set up yourself at home. See Getting VPN Service for details.
What else you need depends on your situation:
Tunnelblick indicates that the VPN is connected by showing the "open" tunnel in your menu bar (usually near the Spotlight icon).
But whether all traffic will be directed through the VPN depends on the settings in the OpenVPN configuration file. If the "redirect-gateway def1" option appears, then all traffic should go through the VPN.
An easy way to check if web traffic is going through the VPN is to go to http://whatismyipaddress.com -- it should give the IP address of the OpenVPN server, not the address of your (OpenVPN client) computer. If it doesn't, then add the "redirect-gateway def1" option to your OpenVPN configuration file.
To get the "SHA-1" checksum of a file, use the following command in Terminal:
/usr/bin/openssl sha1 path-to-the-file
/usr/bin/openssl sha1 /Users/johnsmith/Downloads/Tunnelblick_3.0.dmg
All available versions of Tunnelblick are available on the Downloads page.
A "deployed" version of Tunnelblick is a customized version of the program, which includes everything you need to connect to a VPN: the program itself, configuration file(s), and key and certificate files for encryption.
If you download Tunnelblick from this website, it is not a deployed version. You must also have configuration, key, and certificate files, which should be provided to you by your company or your VPN service provider.
See Deploying Tunnelblick for detailed information about deployed versions of Tunnelblick.
Download the latest disk image. Double-click it and a window will open with the Tunnelblick icon and the words "Double-click to begin". Double-click the Tunnelblick icon and you will be guided through the process of copying Tunnelblick to your Applications folder. Reinstalls, upgrades, and downgrades will be recognized and the old version of the program is moved to the Trash before installing the new version.
Start Tunnelblick by double-clicking it in Applications. It will step you through the process of setting up configuration files. When Tunnelblick is running, it will display the Tunnelblick icon in the status bar at the top of the screen on the right. Usually, the icon is located immediately between the time display and the Spotlight icon. Click on the Tunnelblick icon to reveal the Tunnelblick menu, then click on a configuration to connect using it, or click on "VPN Details…" for a window with details for each configuration.
For Tunnelblick 3.1beta18 (2010-010-16) and later, download the disk image with the version you wish to install (all available versions are on the Downloads Page). Double-click it and a window will open with the Tunnelblick icon and the words "Double-click to begin". Double-click the Tunnelblick icon and you will be guided through the process. Reinstalls, upgrades, and downgrades will be recognized and the old version of the program is moved to the Trash before installing the new version.
For earlier versions of Tunnelblick, you'll have to drag your existing version (usually found in /Applications) to the Trash and then drag and drop the version on the disk image to /Applications.
Each time Tunnelblick is launched, it checks for updates automatically (if that was specified when Tunnelblick was installed) and displays a notice that an update is available. (It also checks every week if it is running for more than a week.)
(Note: Due to a bug in older versions of Tunnelblick, update notices are sometimes not visible. For versions of Tunnelblick earlier than 3.0b16, the user must display the "VPN Details…" window and click in that window for the popup window to appear. For versions of Tunnelblick earlier than 3.0b24, the user must display the "VPN Details…" window for the popup window to appear. For version 3.0b24 and later, update notices will be visible without any user action.)
If automatic checking for updates is not enabled, there are three ways to update Tunnelblick manually:
Whichever method you choose, you will need an administrator username/password the first time a new copy of Tunnelblick is run. All configurations and preferences will be used by the new version (even if it is a "deployed" version).
Tunnelblick needs root privileges the first time it is run for two reasons:
OpenVPN needs root privileges because it needs to modify network settings when configuring network devices, changing routes, and adding and removing nameservers. Because we don't want you to enter your computer administrator password every time you start a VPN connection, Tunnelblick comes with the "openvpnstart" setuid root binary that allows you to do exactly one thing: start a VPN connection with super user rights.
Tunnelblick also needs root privileges to secure configuration files. If a configuration file is not owned by root, Tunnelblick asks for an administrator username/password so it can change the file's ownership to root before making a connection using that configuration file.
This is a security issue. OpenVPN configuration files allow you to specify up/down scripts which will be executed with root privileges every time a VPN connection is started or stopped. If the configuration files were owned by the local user, anyone could execute arbitrary code as root by inserting an 'up' directive into the configuration file and pointing it to a (malicious) shell script. Therefore, when a configuration file is first used, Tunnelblick asks for a computer administrator's username and password and uses them to change the ownership of the configuration file to root, so it is protected against unnoticed and possibly malicious changes. If new configuration files are added, Tunnelblick will ask for a computer administrator's username and password to change the ownership of the new file to root before the first use of each new configuration file.
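The ownership check described above, as an added example (not Tunnelblick's own code): a shell audit that lists the lines in an OpenVPN configuration that run external programs and reports whether the file is root-owned and not writable by group or others. The function names, the sample configuration and the directive list (standard OpenVPN options, not exhaustive) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Tunnelblick code). Directive names are standard OpenVPN
# options that run an external program or load a plugin; list not exhaustive.
SCRIPT_DIRECTIVES='up|down|route-up|route-pre-down|ipchange|tls-verify|auth-user-pass-verify|client-connect|client-disconnect|learn-address|plugin'

# Print (with line numbers) each active line that runs external code.
# Comment lines (# or ;) never match because the directive must come first.
list_script_directives() {
    grep -nE "^[[:space:]]*(--)?(${SCRIPT_DIRECTIVES})([[:space:]]|\$)" "$1"
}

# Succeed only if the file is owned by root (uid 0) and is not writable by
# group or others, so an unprivileged user cannot edit it.
config_is_protected() {
    [ -f "$1" ] || return 2
    [ -n "$(find "$1" -prune -user 0 ! -perm -020 ! -perm -002)" ]
}

# Report on one configuration; exit status 0 means "protected".
audit_config() {
    if list_script_directives "$1"; then
        echo "note: the lines above run programs as root on connect/disconnect"
    fi
    if config_is_protected "$1"; then
        echo "ok: $1 is root-owned and not group/world-writable"
    else
        echo "WARNING: $1 can be modified without administrator rights"
        return 1
    fi
}

# Constructed sample configuration (hostname and script path are made up).
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.com 1194
# up /tmp/commented-out.sh
up /etc/openvpn/update-resolv-conf
redirect-gateway def1
EOF
}

sample=$(mktemp /tmp/ovpn-audit.XXXXXX)
write_sample_config "$sample"
audit_config "$sample" || true   # a freshly created user file is reported
rm -f "$sample"
```

The check covers the file itself only; a configuration stored in a directory that other users can write to can still be replaced.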
You are probably using the 'user' or 'group' directive in your OpenVPN client configuration file. If you use it, the OpenVPN process will drop privileges after startup, which is an additional security measure. However, OpenVPN needs root privileges to restore the routes to their original state. In short: don't use it.
As of version 3.0b22, Tunnelblick contains the "openvpn-down-root.so" plugin for OpenVPN. Together with a per-configuration preference, this allows the use of 'user' and 'group'. See Using Tunnelblick for details on how to do this.
Under certain circumstances, checkboxes or buttons may be disabled and will appear dimmed -- nothing happens when you click on them. Buttons and checkboxes are disabled when they cannot be used. Examples (from the VPN Details… window):
You can check the version of OpenVPN included in your copy of Tunnelblick by starting Tunnelblick, then selecting "Options…" from the Tunnelblick menu, then selecting "About…".