Warning: unknown OpenVPN processes when switching user

[mlev...@gmail.com]

    I have Tunnelblick installed on an Apple OS 10.8.5 system. I see the following behavior. Tunnelblick connections are off (not connected), but it's running (icon in menubar). I switch user, and right away switch back (without doing anything with Tunneblick). I then see the attached window with the Warning: Unknown OpenVPN processes message. What does this mean?

[Tunnelblick developer]

Thanks for your report. I'm sorry you're having this problem.

All of the following assumes you do not have other software that starts processes named "openvpn" (another VPN client, for example). If you do, then what you are seeing is correct, and only you can decide if the other OpenVPN process should be terminated.

========

The window means that there is a process named "openvpn" that is not recognized by Tunnelblick as being a process that it created to connect to a VPN. That doesn't necessarily mean that the process wasn't created by Tunnelblick -- it is more likely that Tunnelblick lost track of a process that it created. That would be troubling and probably indicates a bug in Tunnelblick.

I think the symptom that you see (the window about unknown OpenVPN processes) is showing up because of an earlier problem -- one that existed before you switched users. That problem was that although there was a process named "openvpn" (and thus a VPN connection), the Tunnelblick icon was indicating that there was NOT a VPN connection.

That could be caused by some unanticipated interaction between fast user switching, logging in, and the settings for when configurations are set to connect. And it could have to do with a problem with the configuration that causes it to not disconnect properly under some circumstances.

Please check that all configurations are set to connect "Manually", and not "When computer starts" or "when Tunnelblick launches", and indicate whether you have ever used these non-Manually settings.

Then please run the following test:

1. Make sure all Tunnelblick configurations are set to connect "manually".
2. Quit Tunnelblick and then launch it again.
3. Wait two minutes without doing anything. (To give Tunnelblick time to check for processes named "openvpn"; the two minutes is to make sure Tunnelblick gives up checking for them.
4. Switch to another user and then immediately switch back.

and report back.

[mlev...@gmail.com]

It looks to me like, when the user switches and logs on another user, the login process runs another copy of Tunnelblick (for the new user, as one of the applications that start up when users first log in), which is noticed by the first one and it complains.  All my configurations are set to connect "Manually". What I see is that simply switching user doesn't cause this window. What causes it is running Tunnelblick from the other user's account. When I switch to an account for the first time, it runs Tunnelblick and that causes the first instance from the first account to complain. Subsequent switching, or quitting it from either one of the accounts, makes the message go away.

Btw I would love to make it so that one user is *always* on the VPN, and the other user is not.  Better yet (don't know if this is possible), would be to have Tunnelblick VPN active for one user, and the other user could have no VPN or run a Cisco VPN client. Is it possible to have them play nicely like that and keep separated "per user"?

[Tunnelblick developer]

"Separation by user" isn't really possible in the general case because of the way that VPNs work: they intercept traffic going to the Internet and send it in a different way (usually encrypted to a VPN server on the Internet). At the point that the VPN software intercepts the traffic, it isn't clear what user originated the traffic, so the VPN software can't decide to which VPN the traffic should be sent. And some traffic is originated by special users such as root, so there is the question of where that traffic should be directed.

(Remember that even if you have "switched" from user A to user B, user A's programs are still running.)

That said, it is possible to have one user use a "split VPN" (that is, only some of the user's traffic goes through a VPN) while a different user's traffic traffic would go through a different VPN. Note that either user would be able to use the other's VPN, too (because at the point the VPN decision is made, the software doesn't know which user originated the request. Currently that must be done with custom scripts because Tunnelblick does not support different DNS servers for each VPN.

[Tunnelblick developer]

It is possible that this problem is fixed in Tunnelblick 3.6.9beta02, released 2016-11-04.

On Sunday, October 30, 2016 at 12:13:03 PM UTC-4, <> wrote:

[Michael Levin]

Is not working for me. I let it update to the latest beta, and it still gave the same error, but now won't actually run in the other user account!