Using Other OpenVPN Binaries
On This Page
How to use your own OpenVPN binary in Tunnelblick
How to use versions of OpenVPN/OpenSSL from newer or older versions of Tunnelblick in your version of Tunnelblick
Although the Tunnelblick application includes several OpenVPN binaries, Tunnelblick also has the ability to use OpenVPN binaries that are not included in Tunnelblick or were included in older or newer versions of Tunnelblick.
Note that the binaries must contain executable code for the processor on which you are running Tunnelblick. For example, old binaries with only Intel code will not run on Apple Silicon Macs (even under Rosetta).
How to use your own OpenVPN binary in Tunnelblick
1) You need an OpenVPN binary. If your configurations use the "down-root" plugin, you need a binary of that, too.
The files must have exactly the following names: "openvpn" and "openvpn-down-root.so".
2) Create a folder named "Openvpn" on your Desktop or some other convenient place.
3) In that folder, create a subfolder named "openvpn-VVV-NNN-SSS", where
- VVV is the version of OpenVPN (such as "2.4.8", or "2.5_git_57623b4")
- NNN is the name of the SSL library built into OpenVPN ("openssl", "libressl", "mbedtls", or "boringssl")
- SSS is the version of the SSL library (such as "1.0.2u" or "1.1.1d")
Note that:
- The subfolder name should not contain hyphen characters ("-") other than the three hyphens separating the versions and names.
- The subfolder name should not contain spaces, but underscore characters ("_") will be shown as spaces when Tunnelblick displays the OpenVPN version.
- SSL library names will be shown "nicely" when Tunnelblick displays them.
- Additional text may be added at the end of the subfolder name to describe it more fully.
So "openvpn-2.5_git_57623b4-openssl-1.0.2u_Without_scramble_patch" will be displayed as "OpenVPN 2.5 git 57623b4 OpenSSL 1.0.2u Without scramble patch"
4) Move or copy your "openvpn" binary into the subfolder (and the "openvpn-down-root.so" binary, if needed).
5) Create similarly-named subfolders for each OpenVPN binary you wish to use and copy the binaries into them.
6) Optional:
- Set ownership of the "Openvpn" folder and all of its contents to root:wheel.
- Set permissions of the "Openvpn" folder and its subfolders to 0755.
- Set permissions on each "openvpn" binary to 0755.
- Set permissions on each "openvpn-down-root.so" binary to 0744.
7) Move or copy the "Openvpn" folder to /Library/Application Support/Tunnelblick. (You will be asked by Finder for a computer administrator's authorization.)
8) Quit Tunnelblick (if it is running) and launch it. If you did not set the ownership and permissions in step 6 above (or you set them incorrectly), Tunnelblick will ask for administrator authorization to secure Tunnelblick and will then set the ownership and permissions for you.
You're done! You can specify which OpenVPN/SSL combination to use for each configuration in the "Settings" tab of Tunnelblick's "VPN Details" window. Note that changes made there are applied to all of the configurations selected on the left side of the window.
How to use versions of OpenVPN/OpenSSL from newer or older versions of Tunnelblick in your version of Tunnelblick
Below is a script which automates copying OpenVPN binaries from a copy of Tunnelblick into /Library/Application Support/Tunnelblick/Openvpn so they can be used in the version of Tunnelblick you are using.
Note that older versions of OpenVPN/OpenSSL probably contain serious security vulnerabilities!
#!/bin/bash
#
# copy-openvpn-binaries-from-Tunnelblick.sh
#
# Copyright 2025 by Jonathan K. Bullard. All rights reserved.
#
# Script to copy OpenVPN binaries from Tunnelblick.app into /Library/Application Support/Tunnelblick/Openvpn.
# Tunnelblick will use them starting the next time it is launched.
#
# Does not copy OpenVPN binaries that are already available to Tunnelblick.
#
# Returns a staus of 0 if there were no errors, or 1 if an error occurred.
#
# Usage:
#
# copy-openvpn-binaries-from-Tunnelblick.sh PATH
#
# 'PATH' is the path to the Tunnelblick.app that contains
# the copies of OpenVPN that you wish to add to Tunnelblick.
function show_usage() {
echo "Usage:"
echo ""
echo " copy-openvpn-binaries-from-Tunnelblick.sh PATH"
echo ""
echo " 'PATH' is the path to the Tunnelblick.app that contains"
echo " the copies of OpenVPN that you wish to add to Tunnelblick."
}
SOURCE_OPENVPN_PATH="$1/Contents/Resources/openvpn"
TUNNELBLICK_OPENVPN_PATH="/Applications/Tunnelblick.app/Contents/Resources/openvpn"
LIBRARY_OPENVPN_PATH="/Library/Application Support/Tunnelblick/Openvpn"
#
# Make sure a path was specified and it contains a folder of OpenVPN binaries
#
if [ -z "$1" ] \
|| [ ! -d "$SOURCE_OPENVPN_PATH" ] ; then
show_usage
exit 0
fi
#
# Create a list of names of the folders containing the binaries in
# in /Applications/Tunnelblick.app.
#
declare -a VERSION_NAMES_IN_APP
for full_path in "$TUNNELBLICK_OPENVPN_PATH"/* ; do
name="$( basename "$full_path" )"
# DON'T include the "default" symlink!
if [ "$name" != "default" ] ; then
VERSION_NAMES_IN_APP+=("$name")
fi
done
#
# Create a list of names of the folders containing the binaries in
# in /Library/Application Support/Tunnelblick/Openvpn.
#
declare -a VERSION_NAMES_IN_L_AS_T_O
if [ -d "$LIBRARY_OPENVPN_PATH" ] ; then
for full_path in "$LIBRARY_OPENVPN_PATH"/* ; do
name="$( basename "$full_path" )"
VERSION_NAMES_IN_L_AS_T_O+=("$name")
done
fi
#
# Create a list of paths of the folders containing the binaries to copy.
# Don't include binaries that are already installed in /Applications/Tunnelblick.app
# or /Library/Application Support/Tunnelblick/Openvpn.
declare -a CONTAINER_PATHS
for full_path in "$SOURCE_OPENVPN_PATH"/* ; do
name="$( basename "$full_path" )"
# DON'T include the "default" symlink!
if [ "$name" != "default" ] ; then
# DON'T include if already in VERSION_NAMES_IN_APP
not_found=true
for i in "${VERSION_NAMES_IN_APP[@]}" ; do
if [ "$i" == "$name" ] ; then
not_found=false
fi
done
if $not_found ; then
# DON'T include if already in VERSION_NAMES_IN_L_AS_T_O
not_found=true
for i in "${VERSION_NAMES_IN_L_AS_T_O[@]}" ; do
if [ "$i" == "$name" ] ; then
not_found=false
fi
done
if $not_found ; then
CONTAINER_PATHS+=("$full_path")
echo "Will add $name"
fi
fi
fi
done
#
# If there aren't any binaries to copy, announce that and exit success
#
if [ ${#CONTAINER_PATHS[@]} == "0" ] ; then
echo "All versions of OpenVPN in $1 are already available in Tunnelblick."
exit 0
fi
echo "If asked, please enter your macOS login password. It is needed to make secure copies of OpenVPN."
#
# Create /Library/Application Support/Tunnelblick/Openvpn if it doesn't already exist.
# Enforce ownership and permissions of root:wheel and 0755.
#
if [ ! -d "$LIBRARY_OPENVPN_PATH" ] ; then
sudo mkdir "$LIBRARY_OPENVPN_PATH"
if [ $? -ne 0 ] ; then
echo "Failed: mkdir \"$LIBRARY_OPENVPN_PATH\""
exit 1
fi
fi
if [ "$( stat -f "%Su" "$LIBRARY_OPENVPN_PATH" )" != "root" ] \
|| [ "$( stat -f "%Sg" "$LIBRARY_OPENVPN_PATH" )" != "wheel" ]; then
sudo chown 0:0 "$LIBRARY_OPENVPN_PATH"
if [ $? -ne 0 ] ; then
echo "Failed: sudo chown 0:0 \"$LIBRARY_OPENVPN_PATH\""
exit 1
fi
fi
if [ "$(stat -f "%p" "$LIBRARY_OPENVPN_PATH" )" != "40755" ] ; then
sudo chmod 0755 "$LIBRARY_OPENVPN_PATH"
if [ $? -ne 0 ] ; then
echo "Failed: sudo chmod 0755 \"$LIBRARY_OPENVPN_PATH\""
exit 1
fi
fi
#
# Copy the folders containing OpenVPN binaries
#
for full_path in "${CONTAINER_PATHS[@]}" ; do
sudo cp -pR "$full_path" "$LIBRARY_OPENVPN_PATH"
done
#
# Set ownership of everything in /Library/Application Support/Tunnelblick/Openvpn.
# Permmissions should be correct because the -p option was used in the 'sudo cp' command above
#
sudo chown -R 0:0 "$LIBRARY_OPENVPN_PATH"
if [ $? -ne 0 ] ; then
echo "Failed: sudo chown -R 0:0 \"$LIBRARY_OPENVPN_PATH\""
exit 1
fi
|
