The Tunnelblick Application
The Tunnelblick application, Tunnelblick.app, must be stored directly in /Applications on the startup volume for security reasons. Thus it cannot be used from network drives or internal or external drives including thumb or flash drives, CD/DVD drives, etc. unless they are being used as the startup volume. Running Tunnelblick from from anywhere except /Applications on the startup volume will result in an offer to install Tunnelblick in /Applications on the startup volume.
OpenVPN, Drivers, and Standard Scripts
The OpenVPN program, openvpn-down-root.so, the Tun and Tap system extension files, and standard client up/down scripts are included with, and contained within, Tunnelblick.app.
Log files are stored in /Library/Application Support/Tunnelblick/Logs. (Early versions of Tunnelblick stored them in /tmp/tunnelblick). The log files for a configuration are created or deleted and recreated each time the connection is made. There are two log files for each configuration, an OpenVPN log file and a scripts log file. The contents of the files are merged in the display in Tunnelblick's "VPN Details" window.
Key and Certificate Files
These may be stored anywhere, but typically they are stored in the same folder as the configuration (.ovpn or .conf) file. Key and certificate files associated with a Tunnelblick VPN Configuration (.tblk) are stored inside the configuration itself.
Key and certificate files usually have an extension of .cer, .crt, .der, .key, .p12, .p7b, .p7c, .pem, or .pfx.
There are two types of configuration files:
Note: Configurations should always be installed by dropping them on the Tunnelblick icon in the menu bar. If you just move or copy them they may not work properly.
There are five places configuration files may be stored:
Note: Prior to Tunnelblick version 3.0b24, private configuration files were stored in ~/Library/openvpn. Version 3.0b24 and later versions automatically move that folder to its new location, and replace it with a symbolic link to the new location.
There are two types of custom scripts that can be run at certain points in the connect/disconnect process:
These scripts should be located in a Tunnelblick VPN Configurations without any folder structure, and references to them should not contain any path information.
For more information, see Using Scripts.
Durring installation, Tunnelblick sets up a "daemon" to perform privileged operations such as starting OpenVPN as root. The daemon has a .plist file named net.tunnelblick.tunnelblick.tunnelblickd.plist in /Library/LaunchDaemons.
If a configuration is set to connect when the computer starts, it has a .plist file located in /Library/LaunchDaemons. These .plist files are all named starting with "net.tunnelblick.startup."
A user's Tunnelblick preferences are contained in
Note: In Tunnelblick 3.2beta10 and earlier, preferences are stored in
Deployed versions of Tunnelblick may contain a "forced-preferences.plist" file within the Tunnelblick application itself. They are used to override the user's normal preferences; see Deploying Tunnelblick for details.
Tunnelblick VPN Configurations may also include preference defaults, which are used to initialize the user's preferences (which may then be changed by the user).
One More Thing
Under certain circumstances, Tunnelblick replaces the configuration folder that very old versions of Tunnelblick use,