Highlighted Articles
Installing Tunnelblick
Uninstalling Tunnelblick
Installing Configurations
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

Getting Started
Quick Start Guide
Welcome to Tunnelblick
What is Tunnelblick?
What else you need
Getting VPN Service
Tunnelblick and Apple Silicon
How You Can Help
FAQ

Downloading and Installing
Downloading and Installing Tunnelblick
Installing System Extensions
Problems Installing Tunnelblick
Stable vs. Beta
Downloading and Installing Configurations
Standard Users Installing or Replacing Configurations
Uninstalling Tunnelblick

Setup and Use
Setup
The Future of Tun and Tap VPNs on macOS
Configuring OpenVPN
Connect Manually vs. when Computer Starts vs. when Tunnelblick Launches
Tunnelblick as a VPN Server
Multi-factor and Two-factor Authentication
Tunnelblick Launching at Login
Managing a Large Number of Configurations
Tunnelblick's Kill Switch
Changing Multiple Settings at Once
Edit or Examine an OpenVPN Configuration File
Exporting and Importing Tunnelblick Setups
Using Tunnelblick
Create a Private OpenVPN Service with AWS Client VPN Endpoint [github.com]

Privacy and Security
Privacy and Security
GDPR Information
XARA Vulnerabilities

Reference
News
FAQ
Tunnelblick Country of Origin Information
Known Issues
Tunnelblick VPN Configurations
'.tblk' Details
Using Scripts
AppleScript Support
Tunnelblick openvpn_xorpatch
Getting VPN Service
Updating Tunnelblick Manually
System requirements
File Locations
Digital Signatures
Generating an HMAC Signature
IP Address Changes
OpenVPN User and Group Options
OpenVPN and OpenSSL Versions Included in Tunnelblick
Preferences
Selecting a Language
Release Notes

Troubleshooting
Tunnelblick on macOS Big Sur
Tunnelblick on macOS Catalina
Tunnelblick on macOS High Sierra and Mojave
Known Issues
Common Problems
Connects OK, But...
Errors Loading System Extensions
Tunnelblick Launches at Startup (Login)
VPN Details Windows Appears at Startup (Login)
System Folder Not Secure
IP Address Changes
OpenVPN User and Group Options
The Tunnelblick Log
The Console Log

Distributing Tunnelblick
Distributing Tunnelblick
VPN Service Provider Tips
Automatic Installation
Old Updatable Configurations
New Simpler Updatable Configurations

Customized Versions
'Deployed' versions
Converting a Deployed Version
Rebranding Tunnelblick
Building from Source
Signing the Application
Modifying the Disk Image
Icon Animation
Custom OpenVPN Binaries

Localization & Translation
Localizing Tunnelblick
Using Crowdin
Other Localization
Translation Notes
Translating HTML
Testing RTL Translations
Translation Status

Vulnerability FAQs
2015-07-10 Vulnerability FAQ
2015-06-11 Vulnerability FAQ
2015-03-19 Vulnerability FAQ
2015-01-08 Vulnerability FAQ
2014-12-01 Vulnerability FAQ
2014-10-01 Vulnerability FAQ
2014-06-11 Vulnerability FAQ
2014-04-08 Vulnerability FAQ
2012-09-12 Vulnerability FAQ

Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

Tunnelblick may try to load a system extension to control the VPN tunnel. (Note: Apple previously used the terms 'kext' and 'kernel extension' but now uses the term 'system extension'.)

Note: If you are using a 'tun' VPN, you can avoid needing to load a system extension by doing the following:

1. Make sure your OpenVPN configuration file does not include a 'dev-node tun' option;
2. Make sure your OpenVPN configuration file does include a 'dev tun' option; and
3. Make sure you have not selected 'Always load Tun driver' in the 'Connecting & Disconnecting' tab of Tunnelblick's 'Advanced' settings window.

The 'dev-node tun' option causes OpenVPN to use a 'tun' device, which requires a system extension to be loaded. If a 'dev-node tun' option is not present and a 'dev tun' option is present, OpenVPN will use the 'utun' device which is built into macOS and does not require a system extension to be loaded.

Also, see Edit or Examine an OpenVPN Configuration File.

(If you are using a 'tap' VPN, Tunnelblick must load a system extension for your VPN to operate.)

If you see a message similar to one of the following:

Tunnelblick was not able to load a device driver (kext) that is needed to connect...

Tunnelblick was not able to load a system extension that is needed to connect...

There are two possible causes for this message:

(1) Your version of macOS did not allow the system extension to load or you did not give permission for the system extension to load:

• If you are using an Apple Silicon Mac, see Tunnelblick and Apple Silicon.
• If you are using macOS Big Sur, see Tunnelblick on macOS Big Sur.
• If you are using macOS Catalina, see Tunnelblick on macOS Catalina.
• If you are using macOS High Sierra or Mojave, see Tunnelblick on macOS High Sierra and macOS Mojave.

(2) There may be incompatible system extensions already loaded. Recent versions of Tunnelblick try to be 'good citizens' by loading system extensions only when needed, and unloading them when they are no longer needed. However, some other VPN clients (CiscoAnyConnect SSL VPN, for example) load their own, incompatible system extensions when the computer is started and leave them loaded, whether or not a VPN connection is in use. (Some non-VPN software also loads incompatible system extensions — for example, Pogoplug loads a 'com.pogoplug.xcetun' tun system extension which interferes with Tunnelblick's tun system extension. 'Security' programs also may load incompatible system extensions.)

To find out if an incompatible system extension is causing the problem, use the kextstat | grep -v com.apple command in a Terminal window. It will list all of the non-Apple system extensions that are loaded. Usually the tun and/or tap system extensions show up at or near the end of the list. Common tun/taps are:

• net.tunnelblick.tun and net.tunnelblick.tap: These are the system extensions used by current versions of Tunnelblick. When needed, the appropriate one (tun or tap) is loaded when a connection is requested, and unloaded when it is disconnected. Since macOS 10.6.8, 'tun' connections do not need to have a system extension loaded unless they include a 'dev-node tun' OpenVPN option. Tunnelblick uses customized versions of the system extensions from tuntaposx, modified to have a Tunnelblick bundle ID and version. Which version Tunnelblick uses depends on the version of macOS being used.
• foo.tun and foo.tap: These are system extensions for obsolete Cisco and Tunnelblick VPN clients (and some others), loaded when a very old version of Tunnelblick is launched (and unloaded when the computer restarts). If Tunnelblick detects them, it will offer to unload them before connecting.
• com.cisco.cscotun: This is Cisco AnyConnect SSL VPN system extension. Cisco's installer causes it to be loaded when the computer starts.
• com.viscosityvpn.Viscosity.tun and com.viscosityvpn.Viscosity.tap: These are system extensions used by the Viscosity VPN client.
• com.pogoplug.xcetun: This system extension is associated with Pogoplug.
• anchorfree.tun: This system extension is associated withHotSpot Shield VPN.
• net.sf.tuntaposx.tap and net.sf.tuntaposx.tun: These are from tuntaposx.
  But any non-Apple system extension with 'tun' or 'tap' in its name is likely to be causing the problem, and system extensions with other names might be causing the problem.

To unload system extensions and allow Tunnelblick to load its own system extensions, use the kextunload Terminal command to unload each loaded tun and tap system extension individually. For example, to unload com.viscosityvpn.Viscosity.tun, type the following:

sudo kextunload -b com.viscosityvpn.Viscosity.tun

(The 'sudo' is necessary because this command modifies the loading of a device driver. You will be asked for your administrator password, which will not appear (even as asterisks) when you type it.)

If you find that restarting your computer reloads the system extension you might need to find where it is being loaded from. Common locations are

• /Users/your username/Library/LaunchDaemons
• /Users/your username/Library/LaunchAgents
• /Library/LaunchDaemons
• /Library/LaunchAgents
• /System/Library/LaunchDaemons
• /System/Library/LaunchAgents

There are user-contributed scripts on the Downloads page that will automatically unload the Cisco system extension when Tunnelblick makes a connection, and reload the Cisco system extension when the connection is disconnected.