tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

OpenVPN User and Group OpenVPN Options

OpenVPN's "user" and "group" options cause OpenVPN to drop its "root" (system administrator) privileges after setting up the VPN. Otherwise, OpenVPN continues to run as root until the VPN is disconnected and OpenVPN quits.

This is done so that if OpenVPN is successfully attacked the damage the attacker can do is limited because it is running without root privileges.

However, this can cause two problems if (as is usual) the VPN setup changes routing or DNS or other network settings:

  • The "down" script that Tunnelblick typically uses to restore the pre-VPN network settings (other than routing changes) when the VPN is disconnected will not function properly because it is not running as root. The VPN will not be disconnected correctly and network settings will be left in an inconsistent state. There is an easy fix for this and Tunnelblick offers to use it automatically. When the fix (to use the "openvpn-down-root.so" plugin) is used, OpenVPN will not be running as root but the "down" script will run as root and be able to restore the pre-VPN network settings.

  • OpenVPN will not be able to undo the routing changes it made while setting up the VPN because it is no longer running as root when it disconnects and macOS requires a program changing routes to be running as root. Tunnelblick cannot detect this problem before it happens, but when does happen, Tunnelblick may display a warning. The only current solution to this problem is to remove the "user" and "group" options from the OpenVPN configuration file.

If either of these problems happen, OpenVPN may not be able to reconnect the VPN. Reconnects are a normal part of the operation of the VPN and are expected to happen in many situations, including:

  • When network problems cause a "ping restart" because the OpenVPN server did not respond for a specified time.
  • When Dynamic challenge/response (see Multi-factor Authentication) is being used. It requires a reconnect as part of its normal operation.
  • When certain encryption setups are used. They require periodic reconnects to maintain security.