tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

Frequently Asked Questions

On This Page
    What is Tunnelblick?
    Where is the documentation?
    What versions of macOS does Tunnelblick work on?
    What else do I need?
    How do I know the VPN is working?
    What if the Internet doesn't work after I make a connection?
    How do I verify a download?
    Where can I get old versions of Tunnelblick?
    What is a "deployed" version of Tunnelblick?
    How do I install Tunnelblick?
    I have installed Tunnelblick - Now what?
    How do I uninstall Tunnelblick?
    How do I revert to an earlier version of Tunnelblick?
    How do I update Tunnelblick?
    Why does Tunnelblick need root privileges?
    Why does Tunnelblick change the ownership of the configuration files to root?
    Why are routes not restored when closing my VPN connection?
    Why are some checkboxes or buttons dimmed and disabled?
    Why are some checkboxes or buttons missing?
    What versions of OpenVPN does Tunnelblick include?
    Where can I go if my question is not answered here?

What is Tunnelblick?

  • Explanation 1: Tunnelblick is a program that can be used to securely connect a Mac running macOS or OS X to a remote network or the Internet, bypassing untrusted networks, censorship, and eavesdropping. It does this by creating a "Virtual Private Network", or "VPN" to a VPN server using a program named "OpenVPN", which is included within the Tunnelblick application. When you connect through a VPN, your computer sends all network traffic through a "tunnel" to the VPN server, which then passes on your network traffic to a local network or the Internet. It is as if you were connecting to the network or Internet through the VPN server instead of your computer. All traffic between your computer and the VPN server is encrypted.

VPNs are primarily used two ways, or sometimes both ways simultaneously: - To securely connect a computer to the Internet, even though it may be connecting through an untrusted network (a wireless network at a hotel or airport, for example); and - To securely connect a computer to a company's internal network or some part of it (a branch office, for example).

Please see Privacy and Security for important information before you use Tunnelblick to attempt to make yourself anonymous on the Internet.

In addition to Tunnelblick, you need access to a VPN server. Your company may provide one, or you can obtain VPN service from any of several VPN service providers, or you can use another one of your computers or a router to act as a VPN server. See Getting VPN Service for details.

  • Explanation 2: Tunnelblick is a ready-to-use Graphic User Interface (GUI) for OpenVPN on macOS or OS X. It provides easy-to-use control of OpenVPN server and/or client connections.

It runs on macOS or OS X only -- it does not run on Windows, Linux, or iOS (iPhone, iPad, etc.). It comes as a ready-to-use application with all necessary binaries and drivers (including OpenVPN and Tun and Tap system extensions) included. No additional installation is necessary — just add your configuration and encryption information.

Tunnelblick is free software made available under the GNU General Public License, version 2 and may be distributed only in accordance with the terms of that license.

Where is the documentation?

The Tunnelblick disk image includes a link to the Tunnelblick Documentation. There is also help available in Tunnelblick's windows by clicking on the question-mark ("?") button and by hovering the pointer over most buttons and checkboxes.

What versions of macOS does Tunnelblick work on?

Modern versions of Tunnelblick run as 64-bit programs on Intel or Apple Silicon processors.

An older version of Tunnelblick works on OS X 10.4 through 10.10. That version is a Universal 32-bit application, so it runs as an application in 32-bit mode on both Intel and PowerPC Macs under 32-bit and 64-bit kernels. It includes 32/64-bit versions of tun.kext and tap.kext. Tiger, Leopard, and Snow Leopard's 32-bit kernel use the 32-bit tun/tap, and Snow Leopard's 64-bit kernel, and Lion and higher, use the 64-bit tun/tap.

What else do I need?

You need a VPN server to connect to. It could be a server at your company or at a VPN service provider, or it could be a VPN that you have set up yourself at home. See Getting VPN Service for details.

What else you need depends on your situation:

  • If you have a "deployed" version of Tunnelblick (usually from a company or VPN service provider), you may not need anything else — everything is usually included in the customized version of the Tunnelblick application that is distributed.
  • Otherwise, you need either a "configuration file" or enough information about the VPN to edit the sample configuration file that Tunnelblick will offer to install. You will probably also need certificate and key files for encryption. Your company or VPN service provider should provide them.

How do I know the VPN is working?

Tunnelblick indicates that the VPN is connected by showing the "open" tunnel in your menu bar (usually near the Spotlight icon).

close up view showing bold Tunnelblick icon in status bar

But whether all IPv4 traffic will be directed through the VPN depends on the OpenVPN options when the VPN was established. If the "redirect-gateways" option appears in the OpenVPN configuration file or in options pushed by the server and accepted by the client, or Tunnelblick's "Route all IPv4 traffic through the VPN" is checked, then all IPv4 traffic should go through the VPN.

An easy way to check if web traffic is going through the VPN is to put enable "Check if the apparent public IP address changed after connecting" for the configuration. If the IP address doesn't change, then check "Route all IPv4 traffic through the VPN". Both of these checkboxes are on the "Settings" tab of Tunnelblick's "VPN Details" window. (Be sure to select all configurations that you want to change before making a change.)

What if the Internet doesn't work after I make a connection?

See Connects to the VPN, but doesn't work.

How do I verify a download?

See Verifying downloads.

Where can I get old versions of Tunnelblick?

Binaries for all available modern versions of Tunnelblick are available on the Downloads page.

Binaries for all available older versions of Tunnelblick are available on the Deprecated Downloads page.

You can build Tunnelblick from the source code on Tunnelblick's GitHub site. See Source.

What is a "deployed" version of Tunnelblick?

A "deployed" version of Tunnelblick is a customized version of the program, which includes everything you need to connect to a VPN: the program itself, configuration file(s), and key and certificate files for encryption.

If you download Tunnelblick from this website, it is not a deployed version. You must also have configuration, key, and certificate files, which should be provided to you by your company or your VPN service provider.

See Deploying Tunnelblick for detailed information about deployed versions of Tunnelblick.

How do I install Tunnelblick?

Download the latest disk image. Double-click it and a window will open with the Tunnelblick icon and the words "Double-click to begin". Control-click the Tunnelblick icon and click "Open" to begin installation. Reinstalls, upgrades, and downgrades will be recognized and the old version of the program is moved to the Trash before installing the new version.

I have installed Tunnelblick - Now what?

Start Tunnelblick by double-clicking it in Applications. It will step you through the process of setting up configuration files. When Tunnelblick is running, it will display the Tunnelblick icon in the status bar at the top of the screen on the right. Usually, the icon is located immediately between the time display and the Spotlight icon. Click on the Tunnelblick icon to reveal the Tunnelblick menu, then click on a configuration to connect using it, or click on "VPN Details" for a window with details for each configuration.

How do I uninstall Tunnelblick?

See Uninstalling Tunnelblick.

How do I revert to an earlier version of Tunnelblick?

Just install the earlier version.

How do I update Tunnelblick?

Each time Tunnelblick is launched, it checks for updates automatically (if that was specified when Tunnelblick was installed) and displays a notice that an update is available. (It also checks every week if it is running for more than a week.)

If automatic checking for updates is not enabled, there are three ways to update Tunnelblick manually:

Whichever method you chose, you will need an administrator username/password the first time a new copy of Tunnelblick is run. All configurations and preferences will be used by the new version (even if it is a "deployed" version).

  • You can update to the latest version of Tunnelblick by clicking "Check for Updates Now" in the "Preferences" panel of Tunnelblick's "VPN Details" window". If an update is available, you will be guided through the update process. If you install an update, your old version will be moved to the Trash.

  • If you don't see an "Options..." menu selection, you are using a very old version of Tunnelblick. You'll need to download the version you wish to use (stable or beta) and follow the "How do I install Tunnelblick?" instructions above.

Why does Tunnelblick need root privileges?

Tunnelblick needs root privileges the first time it is run for two reasons:

  1. It modifies ownership and privileges on parts of the Tunnelblick application itself to make it secure; and
  2. It installs a system "daemon" so it can start OpenVPN as root and perform other operations which require root access, such as loading Tun and Tap system extensions.

OpenVPN needs root privileges because it needs to modify network settings when configuring network devices, changing routes, and adding and removing nameservers. Because we don't want you to enter your computer administrator password every time you start a VPN connection, Tunnelblick comes with the "openvpnstart" setuid root binary that allows you to do exactly one thing: start a VPN connection with super user rights.

Tunnelblick also needs root privileges to secure configuration files. The first time a configuration is used, or if it has been modified, Tunnelblick asks for an administrator username/password so it can change the file's ownership to root before making a connection using that configuration file.

Why does Tunnelblick change the ownership of the configuration files to root?

This is a security issue. OpenVPN configuration files allow you to specify up/down scripts which will be executed with root privileges every time a VPN connection is started or stopped. If the configuration files were owned by the local user, anyone could execute arbitrary code as root by inserting an 'up' directive to the configuration file and pointing it to a (malicious) shell script. Therefore, when a configuration file is first used, Tunnelblick asks for a computer administrator's username and password and uses them to change the ownership of the configuration file to root, so it is protected against unnoticed and possibly malicious changes. If new configuration files are added, Tunnelblick will ask for a computer administrator's authorization to change the ownership of the new file to root before the first use of each new configuration file.

Why are routes not restored when closing my VPN connection?

You are probably using the 'user' or 'group' directive in your OpenVPN client configuration file. If you use it, the OpenVPN process will drop privileges after startup which is additional security measure. However, OpenVPN needs root privileges for restoring the route back to their original state. In short: don't use it.

Tunnelblick contains the "openvpn-down-root.so" plugin for OpenVPN. Together with a per-configuration preference, this allows the use of 'user' and 'group' but it does not allow OpenVPN to restore the routes. See Using Tunnelblick for details on how to do this.

Why are some checkboxes or buttons dimmed and disabled?

Under certain circumstances, checkboxes or buttons may be disabled and will appear dimmed — nothing happens when you click on them. Buttons and checkboxes are disabled when they cannot be used. Examples (from the VPN Details window): - "Monitor connection" is disabled unless "Set nameserver" is selected, because "Set nameserver" is required in order to monitor the connection. - "Share configuration" is disabled when the configuration is not a Tunnelblick VPN Configuration because only Tunnelblick VPN Configurations may be shared. - "Disconnect" is disabled when a configuration is not connected, and "Connect" is disabled when it is already connected. - "when computer starts" is disabled unless a configuration is shared or Deployed, because only shared or Deployed configurations may be automatically connected when the computer starts. - "when Tunnelblick launches" and "when computer starts" are disabled unless "automatically connect" is checked, because they areonly have meaning when it is checked. - "automatically connect", "Set nameserver", "Monitor connection", "Share configuration", and "Make configuration private" are disabled when "when computer starts" is selected. This is because you cannot directly modify them without administrator approval. To modify them, select "when Tunnelblick launches" (which will require an administrator username and password), change the settings to be the way you want, then select "when computer starts" (which will again require administrator approval).

Why are some checkboxes or buttons missing?

  • You are using an older version of Tunnelblick which doesn't implement that checkbox or button; or
  • You are using a "deployed" version of Tunnelblick, and the deployer has specified that that checkbox or button should not be available; or
  • The button has a different label because it is being used for different purpose. Examples:
    • There is one button which displays "Edit configuration" or "Examine configuration", depending on whether you can edit (modify) the configuration, or only examine it. To edit a configuration, you must have write permissions on the folder which contains the configuration, and must be able to write to the configuration file. Non-administrator users of "Deployed" versions of Tunnelblick may be prevented from editing configurations by the deployer. Shared configurations may not be edited directly — make the configuration private, edit it, and then share it to have this effect.
    • There is one button which displays either "Make configuration private" or "Share configuration". If the configuration is already being shared, it shows "Make configuration private". Otherwise, the button shows "Share configuration". Note that if the configuration is part of a "Deployed" version of Tunnelblick, or is not a Tunnelblick VPN Configuration, the button will be disabled (dimmed) because it cannot be shared.

What versions of OpenVPN does Tunnelblick include?

Tunnelblick contains multiple versions of OpenVPN. You can select the version of OpenVPN and the encryption software (OpenSSL or LibreSSL) to use on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window.

Where can I go if my question is not answered here?

Take a look at the documents available in the Tunnelblick documentation and at the OpenVPN FAQ. If you don't find an answer, try the Tunnelblick Discussion Group.