loading tap extension on BigSur

916 views
Skip to first unread message

Самойлов Олег Дмитриевич

unread,
Dec 16, 2020, 5:50:41 AM12/16/20
to tunnelbli...@googlegroups.com, Кузьмичев Сергей Николаевич
He all.

According to
https://tunnelblick.net/cBigSur.html

> CAN'T FIX: Tunnelblick's Tun and Tap system extensions do not load.
>
> If your configuration requires a Tun or Tap system extension, connecting to your VPN will fail if an appropriate system extension is not loaded.
>
> macOS Big Sur 11.0.1 does not allow Tunnelblick to load its Tun or Tap system extensions. Apple says that as a workaround "during development" one can temporarily disable System Integrity Protection to allow these system extensions to load when logged in as an Admin user. This workaround may not work in a future version or update of Big Sur — see The Future of Tun and Tap VPNs on macOS.
>
> Note: If you are using a Tun VPN, you can modify your OpenVPN configuration file so it will work without the "Tun" system extension. See The Future of Tun and Tap VPNs on macOS.
>
> FEATURE: Tunnelblick disables loading of Tun and Tap system extensions.
>
> This is actually, really, truly a feature, not a bug!
>
> When running on macOS Big Sur, Tunnelblick forces the settings on Tunnelblick's "Advanced" settings window to "never load" system extensions. You can override that behavior and allow the settings to act normally, which is useful if you have disabled SIP and/or your version of Big Sur allows Tunnelblick to load the system extensions. You can override the behavior by executing the following command in Terminal:
>
> defaults write net.tunnelblick.tunnelblick bigSurCanLoadKexts -bool yes

I has the latest stable version of tunnelblick 3.8.4a.

As I can understand due to BigSur 11.0.1 prevent to load a tap device when SIP is turned on you force to disable UI option for loading such device.
But this is not true by now. I has BigSur 11.1 (updated yesterday), SIP (
prof $ csrutil status
System Integrity Protection status: enabled.
) and after manually enabling "defaults write net.tunnelblick.tunnelblick bigSurCanLoadKexts -bool yes" the device was loaded

225 0 0xffffff7fa236e000 0x6000 0x6000 net.tunnelblick.tun (5300.3) 64C5EF5F-74D9-300D-BE27-724B8A88EFB9 <8 6 5 1>
226 0 0xffffff7fa2367000 0x6000 0x6000 net.tunnelblick.tap (5300.3) 7CADB84E-01B1-3CD4-8FE3-CA4D2BE6C67E <8 6 5 1>

So, IMHO, disabling the devices in the UI was wrong decision, it is working finely. I suppose "Apple says that as a workaround during development" already done in the BigSur 11.1. So, please, return this option back. :)


--
С уважением,
Самойлов Олег
Ведущий разработчик отдела развития инфраструктуры, ООО «ЦНС»

https://www.domclick.ru

Tunnelblick developer

unread,
Dec 16, 2020, 6:23:01 AM12/16/20
to tunnelblick-discuss
Thank you very much for your report. We will update the documentation and and the Tunnelblick program.
Message has been deleted
Message has been deleted

Jithen Singh

unread,
Dec 20, 2020, 1:54:09 PM12/20/20
to tunnelblick-discuss
Does anyone know of a workaround to the tun tap drivers on an M1? I can pull them from Tunnelblick and installed using something like KextDroplet but Tunnelblick wont find them.

Keep seeing - 

Failed to load 'tap-notarized.kext'; status = -603947007|
Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. (It was not loaded even though the system said it was loaded.)


On Monday, December 21, 2020 at 12:21:34 AM UTC+13 Jithen Singh wrote:
Just saw the posting about TAP not working on Apple Silicon Macs. :(.

Tunnelblick developer

unread,
Dec 20, 2020, 2:10:16 PM12/20/20
to tunnelblick-discuss
@Jithen - Actually, it isn't that Tunnelblick isn't finding the kext. Tunnelblick is trying, and failing, to load the kext itself.

Try setting "Never load Tap driver" on the "Connecting & Disconnecting" tab of the "Advanced" settings page. (After loading the kext with KextDroplet.) That will prevent Tunnelblick from trying to load them.

Jithen Singh

unread,
Dec 20, 2020, 2:40:28 PM12/20/20
to tunnelblick-discuss
Yup - I did think of that as an option. Problem is that I need TAP for my work VPN.

If I set to never load, connection starts then - 
2020-12-21 08:37:43.156616 Cannot allocate TUN/TAP dev dynamically

Jithen Singh

unread,
Dec 20, 2020, 3:07:02 PM12/20/20
to tunnelblick-discuss
Looks like a definate nogo until we have a tap.kext or tun.kext complied in arm64e - 

Executing: /usr/bin/kmutil load -p /Library/Extensions/tap.kext

Error Domain=KMErrorDomain Code=71 "Incompatible architecture: Binary is for x86_64, but needed arch arm64e

Incompatible architecture: Binary is for x86_64, but needed arch arm64e" UserInfo={NSLocalizedDescription=Incompatible architecture: Binary is for x86_64, but needed arch arm64e

Incompatible architecture: Binary is for x86_64, but needed arch arm64e}

Tunnelblick developer

unread,
Jan 4, 2021, 3:33:34 PMJan 4
to tunnelblick-discuss
We're looking for volunteers to test new M1-compatible (we hope) kexts on M1 Macs.

The process of installing the kexts is not pleasant. For this testing, use Kext-Droplet-Big-Sur to load the kexts, which involves three restarts of your computer, then try it out in Tunnelblick 3.8.5beta02.

Email devel...@tunnelblick.net to get a link to download the new kexts. Please let us know which M1 Mac you have and what version of macOS Big Sur you will be using (for example, "11.0.1", "11.1", or "11.2 beta").

Reply all
Reply to author
Forward
0 new messages