Errors Loading Kexts (Device Drivers)
Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.
Tunnelblick may try to load a kext to control the VPN tunnel.
Note: If you are using a "tun" VPN, you can avoid needing to load a kext by doing the following:
- Make sure your OpenVPN configuration file does not include a "dev-node tun" option;
- Make sure your OpenVPN configuration file does include a "dev tun" option; and
- Make sure you have not selected "Always load Tun driver" in the "Connecting & Disconnecting" tab of Tunnelblick's "Advanced" settings window.
The "dev-node tun" option causes OpenVPN to use a "tun" device, which requires a kext to be loaded. If a "dev-node tun" option is not present and a "dev tun" option is present, OpenVPN will use the "utun" device, which is built into macOS and does not require a kext to be loaded.
If you are using a "tap" VPN, Tunnelblick must load a kext for your VPN to operate.
If you see the following:
Tunnelblick was not able to load a device driver (kext) that is needed to connect...
There are two possible reasons:
(1) Your version of macOS did not allow the kext to load or you did not give permission for the kext to load:
(2) There may be incompatible kexts already loaded. Recent versions of Tunnelblick try to be "good citizens" by loading kexts only when needed, and unloading them when they are no longer needed. However, some other VPN clients (Cisco AnyConnect SSL VPN, for example) load their own, incompatible kexts when the computer is started and leave them loaded, whether or not a VPN connection is in use. (Some non-VPN software also loads incompatible kexts — for example, Pogoplug loads a "com.pogoplug.xcetun" tun kext which interferes with Tunnelblick's tun kext. "Security" programs also may load incompatible kexts.)
To find out if an incompatible kext is causing the problem, use the following command in a Terminal window:
kextstat | grep -v com.apple
It will list all of the non-Apple kexts that are loaded. Usually the tun and/or tap kexts show up at or near the end of the list. Common tun/taps are:
- net.tunnelblick.tun and net.tunnelblick.tap: These are the kexts used by current versions of Tunnelblick. When needed, the appropriate one (tun or tap) is loaded when a connection is requested, and unloaded when it is disconnected. Since macOS 10.6.8, "tun" connections do not need to have a kext loaded unless they include a "dev-node tun" OpenVPN option. Tunnelblick uses customized versions of the kexts from tuntaposx, modified to have a Tunnelblick bundle ID and version. Which version Tunnelblick uses depends on the version of macOS being used.
- foo.tun and foo.tap: These are kexts for obsolete Cisco and Tunnelblick VPN clients (and some others), loaded when a very old version of Tunnelblick is launched (and unloaded when the computer restarts). If Tunnelblick detects them, it will offer to unload them before connecting.
- com.cisco.cscotun: This is the Cisco AnyConnect SSL VPN kext. Cisco's installer causes it to be loaded when the computer starts.
- com.viscosityvpn.Viscosity.tun and com.viscosityvpn.Viscosity.tap: These are kexts used by the Viscosity VPN client.
- com.pogoplug.xcetun: This kext is associated with Pogoplug.
- anchorfree.tun: This kext is associated with HotSpot Shield VPN.
- net.sf.tuntaposx.tap and net.sf.tuntaposx.tun: These are from tuntaposx.
But any non-Apple kext with "tun" or "tap" in its name is likely to be causing the problem, and kexts with other names might be causing the problem.
To unload kexts and allow Tunnelblick to load its own kexts, use the kextunload Terminal command to unload each loaded tun and tap kext individually. For example, to unload com.viscosityvpn.Viscosity.tun, type the following:
sudo kextunload -b com.viscosityvpn.Viscosity.tun
(The "sudo" is necessary because this command modifies the loading of a device driver. You will be asked for your administrator password, which will not appear (even as asterisks) when you type it.)
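The check and unload steps above can be combined into one pass over the kextstat listing. The script below is an added example, not part of Tunnelblick: it prints a kextunload command for each non-Apple kext whose bundle ID contains "tun" or "tap", and unloads nothing itself. The function names, the sample listing, and the choice to skip Tunnelblick's own net.tunnelblick kexts are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of Tunnelblick. It only prints commands for review.

# Constructed sample in kextstat's column layout (addresses, versions, UUIDs made up).
sample_kextstat() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  120 0xffffff7f80a00000 0x9000     0x9000     com.apple.kpi.bsd (19.6.0) 00000000-0000-0000-0000-000000000001 <>
    2   11 0xffffff7f80a10000 0x3000     0x3000     com.apple.kpi.libkern (19.6.0) 00000000-0000-0000-0000-000000000002 <>
  150    0 0xffffff7f83a00000 0x6000     0x6000     com.cisco.cscotun (1.0) 00000000-0000-0000-0000-000000000003 <5 4 1>
  151    0 0xffffff7f83a10000 0x6000     0x6000     org.example.usbhelper (2.1) 00000000-0000-0000-0000-000000000004 <5 4 1>
  152    0 0xffffff7f83a20000 0x6000     0x6000     net.tunnelblick.tap (1.0) 00000000-0000-0000-0000-000000000005 <5 4 1>
  153    0 0xffffff7f83a30000 0x6000     0x6000     com.viscosityvpn.Viscosity.tun (1.0) 00000000-0000-0000-0000-000000000006 <5 4 1>
  154    0 0xffffff7f83a40000 0x6000     0x6000     com.pogoplug.xcetun (1.0) 00000000-0000-0000-0000-000000000007 <5 4 1>
EOF
}

# Read kextstat output on stdin and print the bundle IDs of candidate
# conflicting kexts: not Apple's, not Tunnelblick's own, "tun" or "tap" in the ID.
find_tuntap_kexts() {
    awk '$1 ~ /^[0-9]+$/ {            # data rows start with a numeric index
        id = $6                       # sixth column is the bundle ID
        if (id ~ /^com\.apple\./ || id ~ /^net\.tunnelblick\./) next
        if (id ~ /tun|tap/) print id
    }'
}

# Turn each candidate into the kextunload command shown above.
suggest_unload() {
    find_tuntap_kexts | while IFS= read -r id; do
        printf 'sudo kextunload -b %s\n' "$id"
    done
}

# Use the live listing where kextstat exists; otherwise show the sample.
if command -v kextstat >/dev/null 2>&1; then
    kextstat | suggest_unload
else
    sample_kextstat | suggest_unload
fi
```

A match on "tun" or "tap" is only a hint, so check each printed bundle ID against the list above before running its command.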
If you find that restarting your computer reloads the kext, you might need to find where it is being loaded from. Common locations are:
- /Users/your username/Library/LaunchDaemons
- /Users/your username/Library/LaunchAgents
There are user-contributed scripts on the Downloads page that will automatically unload the Cisco kext when Tunnelblick makes a connection, and reload the Cisco kext when the connection is disconnected.