cPkgs - tunnelblick - Tunnelblick VPN Configurations Details - OpenVPN GUI for Mac OS X

Tunnelblick Discussion Group

Download Tunnelblick

News

Getting Started with Tunnelblick

Welcome to Tunnelblick
What is Tunnelblick?
What else you need
Getting VPN Service
How you can help
FAQ

Installation, Setup, and Usage

Installing 3.1 & 3.2
Uninstalling 3.1 & 3.2
Using Tunnelblick 3.1
Using Tunnelblick 3.2
Setting up Tunnelblick
Configuring OpenVPN
Tunnelblick as a VPN Server

Installing and Using Tunnelblick 3.0

Troubleshooting

Known Issues
Common Problems
Connects OK, But...
The Tunnelblick Log
The Console Log
How to get help

Releases

Stable Releases
Beta Releases
Release notes

Customized Versions

Distributing Tunnelblick
"Deployed" versions
".tblk" Details
Using Scripts
Icon Animation
Deployed vs. Tunnelblick VPN Configurations
Localizing Tunnelblick

For Developers

Building from Source
Modifying the disk image
Localizing Tunnelblick
Making Translations
Translation Status

Reference

FAQTunnelblickGoogleCodePage
Thanks
Known Issues
Release notes
AppleScript Support
Getting VPN Service
System requirements
Preferences 3.3
Preferences 3.2
Preferences 3.1
Preferences 3.0
Tunnelblick VPN Configurations
File Locations
Digital Signatures
Translation Status

What's New in 3.1
What's New in 3.2

Details About 3.0
Details About 3.1
Details About 3.2

cPkgs

Tunnelblick VPN Configurations Details

Updated Dec 6, 2011 by jkbull...@gmail.com

Introduction
Creation and Modification
File References in the OpenVPN Configuration File
Installation
Format
Info.plist
Preferences
Up/Down Shell Scripts
Tunnelblick Shell Scripts
Automatic Installation
CFBundleIdentifier Conflicts
Name Conflicts During Installation
Name Conflicts After Installation

Introduction

A Tunnelblick VPN Configuration (a "Configuration") is a folder with an extension of .tblk that contains information about one or more VPN configurations.

Configurations provide a convenient way to distribute VPN configurations separate from the Tunnelblick application itself.
Configurations may be installed to be private to a single user or shared by all users of the computer.
Configurations may be automatically installed when Tunnelblick is installed by including them in the Tunnelblick disk image.
Configurations may be set up to connect when the computer starts, and persist through logins and logouts.
Configurations may contain identification and version information to assist in version control.
Configurations may contain scripts that are run at particular points in the connection process.
Installing a Configuration "secures" it by setting ownership and permissions on its contents.
Installing a Configuration requires a computer administrator username/password (as does Tunnelblick installation).
A Configuration installed as private will be "shadow copied" to the boot drive if it is on a volume which cannot be secured (e.g., a network volume or a volume on an external drive) or if the "Use Shadow Copies" preference is set.
The configuration file of a Configuration that is private may be edited. The configuration file of a Configuration that is shared may only be examined.

Tunnelblick VPN Configurations are available in Tunnelblick 3.1 and up.

Configurations must be installed before they can be used. Install a Configuration by double-clicking it. (Tunnelblick must have been installed before the Configuration is double-clicked.)

Creation and Modification

Tunnelblick VPN Configurations are easily created and modified. See Creating and Installing a Tunnelblick VPN Configuration and Modifying a Tunnelblick VPN Configuration.

File References in the OpenVPN Configuration File

Within the OpenVPN configuration file itself, refer to other files, such as key or certificate files, without using a path or path prefix -- just use the name of the file.

Example: Refer to the "xyz.key" file in the OpenVPN configuration file as "key xyz.key", not "key abc/xyz.key".

Installation

Installation of a Configuration can be done manually by double-clicking it or by dragging it to a Tunnelblick icon in Finder. (A Configuration cannot be dragged to the Tunnelblick icon in the Status Bar.) Installation can also be done automatically when Tunnelblick is installed from a disk image or certain other other volumes (see Automatic Installation).

When a Configuration is installed, it's contents are copied and arranged in a specific way and the copy is secured by setting ownership and permissions on the copy's contents.

An installed Configuration may be shared or private. Configurations to be shared are copied to /Library/Application Support/Tunnelblick/Shared, and Configurations to be kept private are copied to ~/Library/Application Support/Tunnelblick/Configurations.

Format

Tunnelblick Configurations are folders with an extension of ".tblk". The extension causes OS X to treat the folder as a "package" -- in most cases it is treated as if it were a single file. To look at the contents of a package (i.e. inside what was the folder), control-click or right-click the package and select "Show Package Contents".

Configurations may be nested one level deep. That is, a Configuration may contain within it other Configurations. When such a Configuration is installed, it installs all of the Configurations within it. The Configurations within it may not include Configurations, however -- only one level of included Configurations is allowed.

The contents of a Tunnelblick VPN Configuration are arranged as follows after installation (files should not be arranged this way prior to installation: before installation all files should all just be at the top level of the .tblk, and the configuration file may have any name):

    sample.tblk/
        Contents/
            (Optional) Info.plist
            Resources/
                config.ovpn, containing OpenVPN configuration information
                (Optional) up/down shell scripts
                (Optional) Tunnelblick shell scripts
                (Optional, deprecated shell scripts) up.sh, down.sh, nomonitor.up.sh, and/or nomonitor.down.sh
                (Optional) key, certificate, and/or other shell script files

The name of the Configuration (without ".tblk") is used as the display name of the configuration unless it conflicts with an existing name (see Name Conflicts During Installation).

Info.plist

Info.plist is optional. If it exists, it must be an OS X property list file, with keys from the following table. The only mandatory key is TBPackageVersion; all others are optional.

Key	Description	Default	Examples
CFBundleIdentifier (case-insensitive)	A string that uniquely identifies the configuration and the individual or organization distributing the Configuration.	(None)	com.example.tbconfigs.config27a
CFBundleVersion	A string representing the version number that is used to determine later/earlier versions of the Configuration (see CFBundleIdentifier Conflicts). The string must consist of a major version number, optionally followed by a decimal point and a minor version number, optionally followed by a decimal point and a bugfix version number	(None)	1.16.4
CFBundleShortVersionString	A string to display as the version (in Get Info, for example)	(None)	1.6 Test 3
TBPackageVersion (required)	A string with the Configuration version number	1	The string "1" (without the quotation marks)
TBReplaceIdentical	A string specifying whether to install the Configuration over a Configuration with the same CFBundleIdentifier. Must be "yes", "no", "ask", or "force" (without the quotation marks)	ask	yes
TBSharePackage	A string specifying whether to install the Configuration as shared or private, or to ask the user. Must be "shared", "private", or "ask" (without the quotation marks)	ask	ask
TBPreference	See Preferences		TBPreferenceuseDNS

Preferences

A Configuration's Info.plist may also optionally contain entries (strings, numbers, and booleans) with keys that start with "TBPreference". The entries are preferences for the configuration. If not already present (with any value), each entry will be copied to the user's regular preferences each time Tunnelblick loads the Configuration (when Tunnelblick is launched or the Configuration is installed). When the entries are copied, "TBPreference" is replaced with the display name of the Configuration. Note that the "autoConnect" option triggers a connection when Tunnelblick is started, so a configuration with "TBPreferenceautoConnect" is not connected automatically when it is installed, but is connected automatically the next time Tunnelblick is launched.

In a Deployed version of Tunnelblick, the forced-preferences in Deploy will override any Configuration-specified preferences.

Up/Down Shell Scripts

If the Configuration contains up.tunnelblick.sh, down.tunnelblick.sh, up.sh, down.sh, nomonitor.up.sh, and/or nomonitor.down.sh, those shell scripts will be used instead of Tunnelblick's standard scripts, or scripts in Deploy, when connecting with the Configuration and "Set nameserver" is selected for the Configuration's configuration.

For backward compatibility, scripts other than up.tunnelblick.sh and down.tunnelblick.sh will be used if they exist.

In a Deployed version of Tunnelblick, a Configuration's up/down scripts will override the corresponding scripts in Deploy.

Tunnelblick Shell Scripts

If the Configuration includes pre-connect.sh, post-tun-tap-load.sh, connected.sh, reconnecting.sh, post-disconnect.sh scripts, they will be executed (as root) at the corresponding point in the connection process. This allows manipulation of kexts and/or the network configuration and user notification of events. (If the scripts load special kexts, you can use the "-doNotLoadTapKext" and "-doNotLoadTunKext" preferences to cause Tunnelblick to not try to load its own kexts.) post-tun-tap-load.sh, connected.sh, and reconnecting.sh are available in Tunnelblick 3.2beta02 and later only. See Using Scripts for more details.

Automatic Installation

When Tunnelblick itself is installed by double-clicking Tunnelblick.app on a disk image or other volume from which it cannot be used, all Configurations in the "auto-install" and ".auto-install" folders that are in the same folder that contains the Tunnelblick.app being installed are installed (subject to CFBundleIdentifier Conflicts and Name Conflicts During Installation).

CFBundleIdentifier Conflicts

On automatic or manual installation of a Configuration, if a Configuration with an identical CFBundleIdentifier is already installed:

If the new Configuration's "TBReplaceIdentical" is "no", the Configuration will not be installed.
If the new Configuration's "TBReplaceIdentical" is "yes", the existing Configuration will be replaced without notifying the user if it has an equal or higher "CFBundleVersion" than the existing installed Configuration. If it has a lower "CFBundleVersion", the Configuration will not be installed.
If the new Configuration's "TBReplaceIdentical" is "force", the existing Configuration will be replaced without notifying the user.
If the new Configuration's "TBReplaceIdentical" is "ask", the existing Configuration will be replaced only after getting the user's consent.

When an existing Configuration is replaced, the new copy takes the display name of the existing version, regardless of the name of the new Configuration. Thus, the new version will inherit the existing version's preferences and Keychain items.

Name Conflicts During Installation

If the display name of a Configuration is the same as the name of an existing .ovpn or .conf file or an existing Configuration that has a different CFBundleIdentifier, the user will be asked to rename the Configuration or cancel the installation.

Name Conflicts After Installation

Configurations are displayed from

Tunnelblick.app/Contents/Resources/Deploy
/Library/Application Support/Tunnelblick/Shared/*.tblk
/Library/Application Support/Tunnelblick/Shared/*.ovpn and *.conf
~/Library/Application Support/Tunnelblick/Configurations/*.tblk`
~/Library/Application Support/Tunnelblick/Configurations/*.ovpn and *.conf

in that order. If a display name matches an earlier display name, the later configuration will be ignored and only the earlier display name will be displayed, making only the earlier configuration available.