Tunnelblick Chooses Outdated OpenVPN Version

Bryan Jones

Feb 15, 2023, 1:41:30 AM
to tunnelblick-discuss
I have told Tunnelblick 3.8.8 (build 5775) running on macOS Ventura 13.2.1 to connect using OpenVPN 2.5.8, which is the only version available in the UI:

Screenshot 2023-02-14 at 22.32.03.png

But when I try to connect, the log reveals that Tunnelblick is using an older version of OpenVPN (2.3.18) and the connection is failing because that older version doesn't support some of the options in the config:

Screenshot 2023-02-14 at 22.31.44.png

If I open the Tunnelblick.app package, navigate into /Contents/Resources/openvpn/ and delete all other OpenVPN versions *except* 2.5.8, Tunnelblick then chooses the correct version and the connection proceeds correctly. However, this produces a "this binary has been tampered with" warning because the code signature is now invalid.

What in the world is going on? How do I get Tunnelblick to use the version of OpenVPN that I've selected in the UI? 

I have done all the usual things: nuked /Library/Application Support/Tunnelblick, ~/Library/Application Support/Tunnelblick, the app's plist file, the cache in ~/Library/caches, etc. Nothing has helped. 

Tunnelblick developer

Feb 15, 2023, 9:40:59 AM
to tunnelblick-discuss
Are you running on Intel or Apple Silicon? If Apple Silicon, do you have Rosetta 2 installed?

Bryan Jones

Feb 15, 2023, 1:33:05 PM
to tunnelblick-discuss
Interesting. This *is* a brand new Mac and I haven't been prompted to install Rosetta 2 yet because I don't have any non-ARM apps left. Tunnelblick still requires Rosetta? macOS never presented the standard prompt to install Rosetta when I launched Tunnelblick. And it seems odd that deleting the other OpenVPN versions from the application bundle resolves the issue—why would Rosetta make the difference between Tunnelblick using OpenVPN 2.5.8 and 2.3.18?

Tunnelblick developer

Feb 15, 2023, 2:57:20 PM
to tunnelblick-discuss
Tunnelblick doesn't require Rosetta to run, but when Tunnelblick launches, it checks to see if the various versions of OpenVPN that it includes can be run on the processor (Intel or Apple Silicon). The check stalls when run on an Apple Silicon system without Rosetta 2 installed. Because the check stalls, Tunnelblick doesn't finish populating the drop-down list of OpenVPN versions that are available.

Do you have to remove everything except 2.5.8 to prevent the problem, or is it sufficient to remove 2.3.18 OpenSSL v1.0.2u? That's the only binary which is Intel-only – the others all run on either Intel or Apple Silicon. If that's the situation, I know what is causing the problem and will be able to fix it in the next beta version of Tunnelblick.
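
An added example, not part of the original thread and not Tunnelblick's own code: a read-only way to see which binaries in an app bundle are Intel-only (and so run on Apple Silicon only through Rosetta 2) by parsing Mach-O headers, instead of deleting files from the bundle and invalidating its code signature. The function names and the two constructed sample headers are assumptions for illustration; pass a bundle path on the command line to scan it.

```python
import os
import struct
import sys

# CPU types from <mach/machine.h>; magics from <mach-o/loader.h> and <mach-o/fat.h>.
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}
THIN_MAGICS = {b"\xfe\xed\xfa\xce": ">", b"\xce\xfa\xed\xfe": "<",
               b"\xfe\xed\xfa\xcf": ">", b"\xcf\xfa\xed\xfe": "<"}
FAT_ENTRY_SIZE = {b"\xca\xfe\xba\xbe": 20, b"\xca\xfe\xba\xbf": 32}
# Constructed sample headers (not taken from any real binary).
SAMPLE_INTEL_ONLY = b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + bytes(24)
SAMPLE_UNIVERSAL = struct.pack(">12I", 0xCAFEBABE, 2, 0x01000007, 3, 16384, 4096, 14,
                               0x0100000C, 0, 32768, 4096, 14)

def macho_archs(data):
    """Return architecture names found in a Mach-O header, or [] if not Mach-O."""
    magic = data[:4]
    if magic in THIN_MAGICS and len(data) >= 8:
        (cputype,) = struct.unpack_from(THIN_MAGICS[magic] + "I", data, 4)
        return [CPU_NAMES.get(cputype, hex(cputype))]
    if magic in FAT_ENTRY_SIZE and len(data) >= 8:
        count, size = struct.unpack_from(">I", data, 4)[0], FAT_ENTRY_SIZE[magic]
        # Java class files share 0xcafebabe; reject implausible or truncated tables.
        if count == 0 or count > 32 or len(data) < 8 + count * size:
            return []
        types = [struct.unpack_from(">I", data, 8 + i * size)[0] for i in range(count)]
        return [CPU_NAMES.get(t, hex(t)) for t in types]
    return []

def needs_rosetta(archs):
    """True for a Mach-O with no arm64 slice: Apple Silicon runs it only via Rosetta 2."""
    return bool(archs) and "arm64" not in archs

def scan_bundle(root):
    """Map each Mach-O file under root to its architectures, modifying nothing."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    archs = macho_archs(fh.read(4096))
                if archs:
                    found[path] = archs
    return found

if __name__ == "__main__" and len(sys.argv) > 1:
    for path, archs in sorted(scan_bundle(sys.argv[1]).items()):
        print("ROSETTA" if needs_rosetta(archs) else "native ", ",".join(archs), path)
```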

Bryan Jones

Feb 15, 2023, 3:33:31 PM
to tunnelblick-discuss
Confirmed: it is sufficient to remove just 2.3.18 OpenSSL v1.0.2u from the application bundle. Deleting that resolves the connection issue AND I now see a variety of options in the OpenVPN dropdown menu within the UI.

I'm glad you have a fix in mind. In 2023, it's no longer safe to assume that a user will already have Rosetta 2 installed by the time they install Tunnelblick—we're three years into the Apple Silicon transition, most apps are native, and users who install Tunnelblick on a new Mac are going to run into this same issue without the technical expertise to diagnose it.

Thanks for the help!

Tunnelblick developer

Feb 15, 2023, 3:59:50 PM
to tunnelblick-discuss
Thank you for helping find the bug! I've fixed it in the source code and the fix will be included in the next beta version of Tunnelblick.

Bryan Jones

Feb 18, 2023, 1:27:53 AM
to tunnelblick-discuss
Just to confirm, version 3.8.8a (5776) does indeed resolve this problem. I updated to it just now and everything works without removing anything from the application bundle. Thanks!