
Tunnelblick 4


Problems Connecting with Tunnelblick 4

Tunnelblick 4 changes the version of OpenVPN/OpenSSL that is used by default, so you may not be able to connect with that default version. In addition, it does not include some old versions of OpenVPN/OpenSSL that are included in Tunnelblick 3, which may mean that you cannot use Tunnelblick 4 until your VPN has been updated to use newer versions of OpenVPN/OpenSSL.

If you can't connect with the default version of OpenVPN/OpenSSL, try connecting using each of the other, different versions of OpenVPN/OpenSSL in Tunnelblick 4. You can select a version from the "OpenVPN version" button on the "Configurations" panel of Tunnelblick's "VPN Details" window. Be sure to select the configuration or configurations you wish to connect in the list on the left before selecting a version of OpenVPN/OpenSSL to try.

If you can connect only with one or more of the other versions

  • Your VPN setup relies on insecure algorithms or programs. Future versions of Tunnelblick will not include these algorithms and programs. Contact your VPN service provider and have them update the VPN to be compatible with OpenVPN 2.6, which is the current version of OpenVPN, and OpenSSL 3.0, which is the Long Term Support version of OpenSSL.

As a temporary workaround until that's done, you can continue to use earlier versions of OpenVPN with OpenSSL 1.1.1w, or you can try adding the "providers legacy default" option to the OpenVPN configuration file, which may in some circumstances allow OpenSSL 3.0 to use insecure algorithms. (See Edit or Examine an OpenVPN Configuration File.)

  • If you are asked for a passphrase when using Tunnelblick 4's default version of OpenVPN/OpenSSL, but you are not asked for a passphrase when using OpenVPN 2.6.9 - OpenSSL 1.1.1w, please see our Issue about this problem. A critical tip was provided by Andrew:

"It's worth noting that this error (OpenSSL unsupported RC2-40-CBC) and the repeated passphrase prompts can occur even when the server and all of the certs/keys use proper ciphers, but the PKCS#12 bundle containing the certs & keys uses legacy ciphers. This behavior also occurs with GUI frontends on other platforms, including the Windows OpenVPN GUI and the GNOME Network Manager plugin. And on all of these, you have no indication what the real problem is until you check the log...

"Notably, the default .p12 output of all OpenSSL versions except OpenSSL 3 (OpenSSL <= 1.1, LibreSSL, etc.) uses legacy ciphers RC2-40/3DES/SHA1 which OpenSSL 3 refuses to load without the -legacy option [which OpenVPN sends to OpenSSL 3 if the OpenVPN "providers legacy default" option is specified]. It is possible to generate an OpenSSL 3-compliant .p12 bundle on OpenSSL 1.1 with the appropriate options; I submitted such a patch to EasyRSA. (It's been merged but not yet included in any release.)

"This was the case in my setup and after I created a new .p12 file with the same contents but using AES-256/SHA256 it now works with OpenVPN 2.6 + OpenSSL 3.

"A workaround is to extract the certs & keys and use the appropriate separate config file options (ca, cert, key instead of p12). But as you say, it's really up to the server administrator to supply clients with compatible credentials."
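The PKCS#12 problem described in the quote above, as an added example that is not part of the Tunnelblick page or project: a POSIX shell script (openssl CLI 1.1.1 or 3.x assumed on PATH; all file names and the password are placeholders) that reports whether a .p12 uses the legacy RC2-40/3DES/SHA1 algorithms, builds a bundle from PEM files with AES-256/SHA256, and splits a bundle into the separate ca/cert/key files. The same check also flags a bundle that produces the RC2-40-CBC error shown later on this page.

```shell
#!/bin/sh
# Added example, not Tunnelblick's or OpenVPN's own code. Needs only the openssl
# CLI (1.1.1 or 3.x) on PATH; file names and the password are placeholders.

# Print "legacy" if bundle $1 (password $2) uses the RC2-40 / 3DES / SHA-1
# algorithms OpenSSL 3 refuses without its legacy provider, else "modern".
# openssl writes -info to stderr, so both streams are captured; an OpenSSL 3 that
# cannot read the file fails with "RC2-40-CBC ... unsupported", caught the same way.
p12_algorithms() {
    info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 || true)
    if printf '%s\n' "$info" | grep -Eq 'RC2|TripleDES|MAC: *sha1'; then
        echo legacy
    else
        echo modern
    fi
}

# Build a bundle that OpenSSL 3 loads without "providers legacy default":
# PBES2/AES-256-CBC for key and certs, HMAC-SHA256 for the integrity MAC.
# $1 key PEM, $2 client cert PEM, $3 CA PEM, $4 password, $5 output .p12
pem_to_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -passout "pass:$4" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -out "$5"
}

# The other workaround from the quote: split $1 into $3.key, $3.crt and $3.ca
# for the OpenVPN "key", "cert" and "ca" options. A legacy bundle on OpenSSL 3
# needs -legacy, so that is retried when the plain attempt fails.
p12_to_pem() {
    for extra in "" "-legacy"; do
        openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3.key" $extra 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.crt" $extra 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3.ca" $extra 2>/dev/null &&
        return 0
    done
    return 1
}

# Round trip on constructed throwaway keys in a temp dir; returns 0 on success.
demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    for n in client ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.crt" \
            -subj "/CN=demo-$n" -days 1 2>/dev/null || return 1
    done
    pem_to_p12 client.key client.crt ca.crt secret client.p12 || return 1
    [ "$(p12_algorithms client.p12 secret)" = modern ] || return 1
    p12_to_pem client.p12 secret out || return 1
    grep -q 'BEGIN CERTIFICATE' out.crt && grep -q 'PRIVATE KEY' out.key
}
demo && echo "PKCS#12 round trip OK: modern bundle built, checked and split"
```

Run `p12_algorithms client.p12 PASSWORD` on a bundle you were given; "legacy" means it will fail under OpenVPN 2.6 with OpenSSL 3 unless it is re-exported or split as above.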

If you cannot connect with any of the versions of OpenVPN/OpenSSL in Tunnelblick 4, please post a report on the Tunnelblick Discussion Group by following the instructions at Before You Post About a Problem, then try Tunnelblick 3.8.8b, which can be found on our Deprecated Downloads page.


Major Changes in Tunnelblick 4

  • Adds support for client-pending-auth with WEB_AUTH.

  • Adds commands to install private and shared configurations from the command line. See Installing and Deleting VPN Configurations.

  • Changes the versions of OpenVPN/OpenSSL that were included in Tunnelblick 3.

  • Changes the default version of OpenVPN/OpenSSL used for connecting.

  • Includes several other improvements and fixes many problems.


Tunnelblick 4 changes the versions of OpenVPN/SSL that were included in Tunnelblick 3:

  • LibreSSL 2.7.1 has been removed.

  • OpenSSL 3.0 has been added. It is the current version of OpenSSL.

  • OpenVPN 2.3 has been removed. It was last updated more than six years ago and is no longer supported by OpenVPN. (It had been included in Tunnelblick to allow connections to VPN servers on old hardware.)

  • OpenVPN 2.6 has been added. It is the current version of OpenVPN.

OpenVPN 2.4 and 2.5 are still included for compatibility with older VPN servers, but will be removed in future versions of Tunnelblick. If your VPN requires them, it should be updated to be compatible with the current version, 2.6.

  • OpenVPN 2.4 is no longer supported by OpenVPN.
  • OpenVPN 2.5 will be supported by OpenVPN until 2024-07-01.

The default version of OpenVPN/SSL has changed

The default version of OpenVPN/SSL has changed from OpenVPN 2.5 with OpenSSL 1.1.v to OpenVPN 2.6 with OpenSSL 3.0.

The newer, default version of OpenSSL can cause problems if the VPN setup is very old and relies on insecure algorithms.

The most common symptom is that the VPN doesn't connect and the status switches back and forth between "Authorizing" and "Waiting for server response".

If that happens, examine the log. If you see the following error messages:

 OpenSSL: error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported

or

 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0)

or similar error messages from OpenSSL, try changing the version of OpenVPN/SSL to OpenVPN 2.6.9 - OpenSSL 1.1.1w.

If that works and the VPN connects, contact whoever gave you your VPN configurations. The configurations use out-of-date encryption, hash, or signature algorithms that are no longer secure and are not supported by modern versions of OpenSSL.

At some point Tunnelblick will no longer include OpenSSL 1.1.1w. It is no longer supported by OpenSSL, and does not receive security updates, so you should get your configurations set up to be compatible with newer versions.

If that does not work and the VPN does not connect with OpenVPN 2.6.9 - OpenSSL 1.1.1w, try OpenVPN 2.5.9 and 2.4.12. If it connects with one of them, contact whoever gave you your VPN configurations. The configurations require an out-of-date version of OpenSSL and should be updated.

At some point Tunnelblick will no longer include OpenVPN 2.5.9 and 2.4.12. 2.4.12 is no longer supported by OpenVPN, and 2.5.9 will only be supported until 2024-07-01. Your VPN setup should be updated to be compatible with the current version, 2.6.

If no combination of OpenVPN/OpenSSL works, please post a report on the Tunnelblick Discussion Group by following the instructions at Before You Post About a Problem, then try Tunnelblick 3.8.8b, which can be found on our Deprecated Downloads page.

The newer, default version of OpenVPN can cause problems if the VPN setup is very old.

If the VPN does not connect with OpenVPN 2.6.9 - OpenSSL 3.0.13 or OpenVPN 2.6.9 - OpenSSL 1.1.1w, try OpenVPN 2.5.9 and 2.4.12. If it connects with one of them, contact whoever gave you your VPN configurations. The configurations require an out-of-date version of OpenVPN and should be updated as soon as possible.

At some point Tunnelblick will no longer include OpenVPN 2.5.9 and 2.4.12. 2.4.12 is no longer supported by OpenVPN, and 2.5.9 will only be supported until 2024-07-01. Your VPN setup should be updated to be compatible with the current version, 2.6.

If no version of OpenVPN works, please post a report on the Tunnelblick Discussion Group by following the instructions at Before You Post About a Problem, then try Tunnelblick 3.8.8b, which can be found on our Deprecated Downloads page.

If the VPN does not connect with any version of OpenVPN/OpenSSL, see