Can I remove/add configs via command line?


linjie nie

Nov 14, 2015, 7:06:09 AM
to tunnelblick-discuss
Hi all - 

My vpn configs need to be replaced frequently, so I want to remove all of them and to add some by command line. 
Please advise.

Jason.

jkbull...gmail.com

Nov 14, 2015, 8:48:04 AM
to tunnelblick-discuss
If Tunnelblick is not currently running, you can use the command line as follows:

open -a /Applications/Tunnelblick.app --args  path-to-configuration1   path-to-configuration2   path-to-configuration3...

For example:

open -a /Applications/Tunnelblick.app --args ~/Desktop/config.tblk ~/Desktop/another-configuration.tblk  
 
which will launch Tunnelblick and install two configurations. (The "-a" is used to ensure that the proper copy of Tunnelblick is launched; OS X sometimes launches other, incorrect copies if this is not used.)

This simulates dragging the configurations onto the Tunnelblick.app icon in a Finder window showing "/Applications".

The normal user interaction will be performed, including (for a new configuration) asking if it should be installed as a private or a shared configuration unless the configuration includes an Info.plist which specifies that the configuration should be private or shared. It will also always ask for an administrator's username/password to install or replace a configuration.

Note: To delete a configuration, you can include an entry in the configuration's Info.plist to uninstall the configuration. (In other words, you "install" a configuration with a special flag that tells Tunnelblick that the configuration should be uninstalled instead of installed. See the "TBUninstall" entry in Info.plist for details.)

When I tried this with Tunnelblick already running, it didn't work. Instead, it just displayed the VPN Details window. That's a bug, and I will try to fix it in the source code later today or tomorrow; I will post a note to this discussion if and when I have done that. If I am able to fix the problem, the fix will be included in the next beta release which is due sometime in the next few days.

You can play around with this before I fix that problem by exiting Tunnelblick before you run the above command. You can exit Tunnelblick easily with the Terminal command

osascript -e 'quit app "Tunnelblick"'

which does not return until Tunnelblick has actually quit (which can take several seconds if Tunnelblick has to close a VPN before quitting). (If Tunnelblick is not running when you execute that command, it returns quickly, so it does no harm to always do it just before the "open" command.)

The only way to replace a configuration without causing the username/password dialog to be shown would be to replace the configuration in the locations Tunnelblick uses for installed configurations. However, the configuration would need to be in its after-installation format (see Format), and would have to have the proper ownership and permissions on the .tblk and all of its contents, and would need to have a "shadow" copy created (with the proper ownership and permissions). That all is very complex, and would need to be done partly as the user and partly as root (using sudo or equivalent). In addition, I am about to make changes to Tunnelblick that will cause some configurations that have been replaced this way to behave incorrectly until the next time Tunnelblick is launched. I will think about a way around that problem and report back to this discussion if and when I come up with a solution.

jkbull...gmail.com

Nov 14, 2015, 3:40:02 PM
to tunnelblick-discuss, niel...@gmail.com
I have found a way to do it from the command line:

osascript -e 'tell application "Finder" to open file ((path to desktop folder as text) & "AB.tblk") using ((path to applications folder as text) & "Tunnelblick.app")'

(all on one line) starts the installation process for AB.tblk on the Desktop.

I fooled around a while trying to get this to work specifying a path such as "/something/something/AB.tblk" but couldn't get it to work – I don't have the necessary AppleScript skills. I assume somebody can figure that out because it is purely an AppleScript syntax issue.

Since this is an easy way to get it to work, I won't be putting a high priority on fixing the "Displays the VPN Details window instead of installing the .tblk" bug.

linjie nie

Nov 15, 2015, 10:01:02 PM
to tunnelblick-discuss, niel...@gmail.com
Thank you very much for the reply.
I have tried to follow this advice.
And I found the most difficult part is to remove all configs (I am sure they are all out of date). I know I should remove them all, but I don't know exactly what I should remove; I don't know the names (or IDs).
I have tried to store copies of the ovpn files somewhere when they are imported to Tunnelblick, and to use these files to uninstall the configs. But this solution is not error-tolerant. An external store is hard to keep consistent with Tunnelblick.
Any thoughts?


On Sunday, November 15, 2015 at 4:40:02 AM UTC+8, jkbull...gmail.com wrote:

jkbull...gmail.com

Nov 16, 2015, 4:33:35 PM
to tunnelblick-discuss, niel...@gmail.com
You can remove a configuration by installing it with a special flag. The flag is a "TBUninstall" entry in an Info.plist file which can be included in a .tblk that is being installed. See the Info.plist section on the .tblk Details page. If you do it any other way, it will leave all the settings for the configuration in Tunnelblick's Info.plist file, and the old settings will be used if you reinstall the configuration (or install something different with the same name, which Tunnelblick will consider to be a reinstall).

So you could do that from the command line the same as installing a configuration. But you'd need to know the names of the configurations.

In a few days, a new beta version of Tunnelblick will allow you to remove (uninstall) multiple configurations at one time by selecting them in the list on the left of the VPN Details window (using the shift or command keys as is standard in OS X) and then clicking the "gear" icon and "Remove Configurations".

You can get the names of "shared" configurations by listing
/Library/Application Support/Tunnelblick/Shared

You can get the names of "private" configurations by listing
/Users/USERNAME/Library/Application Support/Tunnelblick/Configurations

Note that folder names inside /Shared or /Configurations are used in the name of the configuration, so the name of the configuration at
/Users/USERNAME/Library/Application Support/Tunnelblick/Configurations/foo/bar/bee.tblk
is
foo/bar/bee.tblk
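
The naming rule described above, as an added example that is not part of the original post: `list_configs`, `list_all`, `SHARED_ROOT` and `PRIVATE_ROOT` are names chosen here, and `$HOME` stands in for /Users/USERNAME.

```shell
#!/bin/sh
# Added example (not Tunnelblick's own code): print the names of installed
# configurations as the post describes them, i.e. relative to the
# Shared or Configurations folder, including any enclosing folder names.
set -eu

# Assumption: both roots can be overridden, e.g. to inspect another user's folder.
SHARED_ROOT="${SHARED_ROOT:-/Library/Application Support/Tunnelblick/Shared}"
PRIVATE_ROOT="${PRIVATE_ROOT:-$HOME/Library/Application Support/Tunnelblick/Configurations}"

# list_configs ROOT: one configuration name per line, e.g. foo/bar/bee.tblk
list_configs() {
    [ -d "$1" ] || return 0          # a missing folder means no configurations
    (
        cd "$1"
        # A .tblk is itself a folder; -prune keeps find from descending into
        # it, so nothing stored inside a configuration is reported as a name.
        find . -name '*.tblk' -prune -print | sed 's|^\./||' | LC_ALL=C sort
    )
}

# list_all: shared and private names, each line tagged with its kind.
list_all() {
    list_configs "$SHARED_ROOT"  | sed 's/^/shared  /'
    list_configs "$PRIVATE_ROOT" | sed 's/^/private /'
}

# Run as "sh thisfile list" to print everything.
[ "${1:-}" != list ] || list_all
```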

Brian Call

Aug 26, 2016, 1:02:58 AM
to tunnelblick-discuss
Is there any way to install configurations (or Tunnelblick.app for that matter) as root to suppress user dialogs? I would love to fully automate the deployment of Tunnelblick using Puppet, but I don't see any documented method that would allow this. Any ideas? Requiring the user to authenticate if the configuration is marked as 'shared' in the Info.plist seems unnecessary, but maybe I'm missing something.

Thanks.

-Brian

Tunnelblick developer

Aug 26, 2016, 5:07:21 AM
to tunnelblick-discuss
Tunnelblick does not provide a way to install configurations as root to suppress the authentication dialogs.

All configurations have at least some parts owned by root:wheel (for security reasons), so installing configurations requires authentication.

Most of the work of installing a configuration is done by the non-privileged part of Tunnelblick. However, most of the complicated part of installing a configuration is the "management" part (processing the configuration's Info.plist) and error checking, so you could do it in a limited manner by manipulating files and, optionally, OS X "user defaults" (preferences).

Here's a way to create a "shared" configuration as root via the command line. ("Private" configurations are more complicated because there are actually two copies of each one, one owned by the user and one owned by root:wheel):

1. Create a "Tunnelblick VPN Configuration", which in its simplest form is a file or files inside three folders:

NAME_OF_CONFIG.tblk_temp/
    Contents/
        Resources/
            config.ovpn
            OPTIONAL_OTHER_FILE(S)_FOR_THE_CONFIGURATION
 
 a. Note the ".tblk_temp" extension; that will be changed as the last step of the installation.
 b. config.ovpn references to key/cert/other files should have just the name of the file, without any path.
 c. Files must have extensions "known" to Tunnelblick; for example ".key", ".cert", ".sh", ".pem", etc. 

2. Copy the configuration to /Library/Application Support/Tunnelblick/Shared

3. Set ownership and permissions of /Library/Application Support/Tunnelblick/Shared/NAME_OF_CONFIG.tblk_temp and all of its subfolders and files to match that of some existing shared configuration that was installed by Tunnelblick.
a. Everything is owned by root:wheel. 
b. Different types of files have different permissions, but all ".ovpn" files have the same permissions, all ".key" files have the same permissions, etc.

4. Use the "defaults" command to change the default settings for the configuration as needed. Prefix each preference with the name of the configuration. For example, set the "autoConnect" preference of the "XYZ.tblk_temp" configuration with 

defaults write net.tunnelblick.tunnelblick XYZautoConnect -bool 1

a. This must be done as the user (or must specify the user's net.tunnelblick.tunnelblick domain if root).

5. Rename
/Library/Application Support/Tunnelblick/Shared/NAME_OF_CONFIG.tblk_temp
to
/Library/Application Support/Tunnelblick/Shared/NAME_OF_CONFIG.tblk
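
The five steps above as one script, added here as an example and not part of the original post or of Tunnelblick. `install_shared_config`, `mode_of`, `SHARED_DIR` and `OWNER` are names chosen for this sketch, and the reference .tblk is assumed to be a shared configuration that Tunnelblick itself installed.

```shell
#!/bin/sh
# Added example (not Tunnelblick's own code): stage a "shared" configuration
# following the five steps above. Run as root on the Mac.
set -eu

# Assumption: both values are overridable so the logic can be dry-run elsewhere.
SHARED_DIR="${SHARED_DIR:-/Library/Application Support/Tunnelblick/Shared}"
OWNER="${OWNER:-root:wheel}"

# Octal mode of a path: GNU stat first, then the BSD stat shipped with OS X.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_shared_config SRC_DIR NAME REFERENCE_TBLK
#   SRC_DIR         folder holding config.ovpn and its key/cert files
#   REFERENCE_TBLK  a shared configuration that Tunnelblick itself installed
install_shared_config() {
    src=$1; tmp="$SHARED_DIR/$2.tblk_temp"; ref=$3
    [ -f "$src/config.ovpn" ] || { echo "no config.ovpn in $src" >&2; return 1; }

    # Steps 1-2: build the three-folder layout under the temporary extension.
    mkdir -p "$tmp/Contents/Resources"
    cp "$src"/* "$tmp/Contents/Resources/"

    # Step 3: each file takes the mode of a reference file with the same
    # extension; a file with no counterpart stops the install.
    for f in "$tmp/Contents/Resources"/*; do
        like=$(find "$ref" -type f -name "*.${f##*.}" | head -n 1)
        if [ -z "$like" ]; then
            echo "no reference file with extension .${f##*.}; aborting" >&2
            rm -rf "$tmp"
            return 1
        fi
        chmod "$(mode_of "$like")" "$f"
    done
    for d in "" /Contents /Contents/Resources; do
        chmod "$(mode_of "$ref$d")" "$tmp$d"
    done
    chown -R "$OWNER" "$tmp"

    # Step 4 (the per-user "defaults write" call) is left to the caller.
    # Step 5: the rename comes last, so a half-built folder never ends in ".tblk".
    mv "$tmp" "$SHARED_DIR/$2.tblk"
}

# Run only when called with the three arguments.
[ "$#" -ne 3 ] || install_shared_config "$@"
```

Copying modes from a configuration that Tunnelblick installed avoids hard-coding permission values that the post does not state.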

Brian Call

Aug 29, 2016, 7:52:08 PM
to tunnelblick-discuss
Thanks for this post, it's helped me out a lot.