Tunnelblick on macOS Big Sur
If you are using macOS 11 Big Sur, you should use the latest version of Tunnelblick. You should enable Tunnelblick to automatically check for updates (on the "Preferences" panel of Tunnelblick's "VPN Details" window). You can also download the latest version from Tunnelblick Downloads.
The following is the current status of issues that have been seen using the latest version of Tunnelblick on macOS Big Sur.
To report an issue, please follow the instructions at Tunnelblick Issues.
CAN'T FIX: Tunnelblick's Tun and Tap system extensions do not load.
If your configuration requires a Tun or Tap system extension, connecting to your VPN will fail if an appropriate system extension is not loaded.
macOS Big Sur 11.0.1 does not allow Tunnelblick to load its Tun or Tap system extensions. Apple says that as a workaround "during development" one can temporarily disable System Integrity Protection to allow these system extensions to load when logged in as an Admin user. This workaround may not work in a future version or update of Big Sur — see The Future of Tun and Tap VPNs on macOS.
Note: If you are using a Tun VPN, you can modify your OpenVPN configuration file so it will work without the "Tun" system extension. See The Future of Tun and Tap VPNs on macOS.
FEATURE: Tunnelblick disables loading of Tun and Tap system extensions.
This is actually, really, truly a feature, not a bug!
When running on macOS Big Sur, Tunnelblick forces the settings on Tunnelblick's "Advanced" settings window to "never load" system extensions. You can override that behavior and allow the settings to act normally, which is useful if you have disabled SIP and/or your version of Big Sur allows Tunnelblick to load the system extensions. You can override the behavior by executing the following command in Terminal:
defaults write net.tunnelblick.tunnelblick bigSurCanLoadKexts -bool yes
The override can be removed by executing:
defaults delete net.tunnelblick.tunnelblick bigSurCanLoadKexts
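An added example, not part of the Tunnelblick documentation: a shell check that combines the override key above with the output of `csrutil status` and reports which combination a Mac is in, so a machine still running with SIP disabled can be spotted. The function name and the result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the Tun/Tap override state described above.
# The function name and result labels are hypothetical, chosen for this example.

DOMAIN=net.tunnelblick.tunnelblick
KEY=bigSurCanLoadKexts

# classify_kext_state OVERRIDE SIP_LINE
#   OVERRIDE: output of `defaults read $DOMAIN $KEY` ("1", "0", or "" if unset)
#   SIP_LINE: output of `csrutil status`
classify_kext_state() {
    case $2 in
        *"status: enabled"*)  sip=enabled ;;
        *"status: disabled"*) sip=disabled ;;
        *)                    sip=unknown ;;   # e.g. a custom SIP configuration
    esac
    case $1 in
        1) override=set ;;
        *) override=unset ;;
    esac
    case $override/$sip in
        # Tunnelblick forces "never load"; SIP is intact.
        unset/enabled)  echo "default" ;;
        # Override set while SIP is on: loading depends on the Big Sur version.
        set/enabled)    echo "override-only" ;;
        # The workaround from this page is in effect: SIP is off.
        set/disabled)   echo "workaround-active" ;;
        # SIP is off although the Tunnelblick override is not set.
        unset/disabled) echo "sip-disabled-no-override" ;;
        *)              echo "check-manually" ;;
    esac
}

# On macOS, feed the function the live values; elsewhere this is skipped.
if [ "$(uname -s)" = "Darwin" ]; then
    live_override=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null || true)
    live_sip=$(csrutil status 2>/dev/null || true)
    echo "Tunnelblick kext state: $(classify_kext_state "$live_override" "$live_sip")"
fi
```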
WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.
(This issue is not specific to Big Sur. It is present in all versions of Sidecar.)
Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients).
To fix this problem:
(This page was updated 2020-07-16.)