The output from openvpnstart is just wrong. The copies of OpenVPN that Tunnelblick uses are in /Applications/Tunnelblick.app/Contents/Resources/openvpn, not /Library/Application Support/Tunnelblick/bin/openvpn. I have just committed a fix to the source code to reflect this.
You should be able to replace an existing copy of OpenVPN inside of Tunnelblick.app with your own version. It will make the signature invalid and that has some effects, but you might be able to live with them, depending on how you use Tunnelblick. If you use the down-root plugin, it probably should be replaced, too. Replacing the binary with a symlink may not work, though, because that may be seen as a "symlink attack" and rejected.
openvpnstart runs as root to perform its functions (not directly; it uses the tunnelblickd daemon to do that in effect). It is critical that a user not be allowed to invoke arbitrary programs when Tunnelblick is invoking OpenVPN. So it isn't as simple as adding an option to have openvpnstart accept an arbitrary path because that would allow a non-privileged user to execute arbitrary code as root.
We could put a symlink in /Library/Application Support/Tunnelblick that would point to the version of OpenVPN to use, and invoke openvpnstart with a flag or other indication to use that symlink. But then what if you want several different versions of OpenVPN? It starts to get messy.
I would much rather have Tunnelblick itself include versions of OpenVPN that use the LibreSSL libraries, perhaps replacing the existing OpenSSL versions or perhaps adding the LibreSSL versions in addition to the existing OpenSSL versions.
I would welcome a GitHub PR to do build OpenVPN with LibreSSL, as long as it
- Adds an option or options (in Tunnelblick's "third_party/Makefile-common) that is/are easily controlled, so that we could build versions of OpenVPN with OpenSSL, or LibreSSL, or both; and
- The building is done in the same manner as the OpenSSL is build now (Tunnelblick source includes a .tar.gz of OpenSSL, and optionally patches it before building it).
A naming convention would need to be established to differentiate OpenVPN with LibreSSL from OpenVPN with OpenSSL, and the GUI would have to be extended so that is shown in a user-friendly manner, but that's easy. It should work to suffix LibreSSL versions with "-L" and thus have "openvpn-2.3.4-L" for OpenVPN 2.3.4 built with the LibreSSL library. (At some point that could then be extended to have an mbedSSL version using a "-M" suffix.)
That would be a great project for someone to do; it doesn't require any familiarity with Tunnelblick itself, just the third-party build process. (I'd be happy to do the GUI part; in fact I might add that the next time I am working on that part of the Tunnelblick source, in the hopes that the rest would be done someday.)
We could put a symlink in /Library/Application Support/Tunnelblick that would point to the version of OpenVPN to use, and invoke openvpnstart with a flag or other indication to use that symlink. But then what if you want several different versions of OpenVPN? It starts to get messy.Agreed that gets messy. How about enumerating all files and symlinks in /Library/Application Support/Tunnelblick/openvpn with execute bits set and present them in the UI list? That entire directory structure is owned by 'root:wheel' on install so there would be no worry of unprivileged users redirecting symlinks, adding scripts or otherwise executable code.
I would much rather have Tunnelblick itself include versions of OpenVPN that use the LibreSSL libraries, perhaps replacing the existing OpenSSL versions or perhaps adding the LibreSSL versions in addition to the existing OpenSSL versions.Agreed... my feature request is really just an option to expand functionality ahead of mainstream adoption... but it is a handy option :) Pushing the ovpn builds back into your bundle and code signing is more appropriate.
I would welcome a GitHub PR to do build OpenVPN with LibreSSL, as long as it
- Adds an option or options (in Tunnelblick's "third_party/Makefile-common) that is/are easily controlled, so that we could build versions of OpenVPN with OpenSSL, or LibreSSL, or both; and
- The building is done in the same manner as the OpenSSL is build now (Tunnelblick source includes a .tar.gz of OpenSSL, and optionally patches it before building it).
Sure I have some time, I could look into this. I'm not a dev though, just an aspiring one, so please be patient with me and feel free to enlighten me on the right and wrong way.
A naming convention would need to be established to differentiate OpenVPN with LibreSSL from OpenVPN with OpenSSL, and the GUI would have to be extended so that is shown in a user-friendly manner, but that's easy. It should work to suffix LibreSSL versions with "-L" and thus have "openvpn-2.3.4-L" for OpenVPN 2.3.4 built with the LibreSSL library. (At some point that could then be extended to have an mbedSSL version using a "-M" suffix.)and -B for BoringSSL.
I would much rather have Tunnelblick itself include versions of OpenVPN that use the LibreSSL libraries, perhaps replacing the existing OpenSSL versions or perhaps adding the LibreSSL versions in addition to the existing OpenSSL versions.
...
I would welcome a GitHub PR to do build OpenVPN with LibreSSL, as long as it
- Adds an option or options (in Tunnelblick's "third_party/Makefile-common) that is/are easily controlled, so that we could build versions of OpenVPN with OpenSSL, or LibreSSL, or both; and
- The building is done in the same manner as the OpenSSL is build now (Tunnelblick source includes a .tar.gz of OpenSSL, and optionally patches it before building it)
A naming convention would need to be established to differentiate OpenVPN with LibreSSL from OpenVPN with OpenSSL, and the GUI would have to be extended so that is shown in a user-friendly manner, but that's easy. It should work to suffix LibreSSL versions with "-L" and thus have "openvpn-2.3.4-L" for OpenVPN 2.3.4 built with the LibreSSL library. (At some point that could then be extended to have an mbedSSL version using a "-M" suffix.)and -B for BoringSSL.