Is there a way to add configuration (.ovpn) files without the need of root?


Tobias Füllmich

Jul 2, 2025, 3:37:58 PM
to tunnelblick-discuss
Installed with:

DMG_PATH="/tmp/file/$ProductName$/$InstallFile$"
hdiutil attach "$DMG_PATH" -nobrowse -mountpoint "/tmp/file/$ProductName$_dmg"
ls -la "/tmp/file/$ProductName$_dmg"
"/tmp/file/$ProductName$_dmg/Tunnelblick.app/Contents/Resources/installer" 259
hdiutil detach -force "/tmp/file/$ProductName$_dmg"

I also changed:
/Library/Application Support/Tunnelblick/forced-preferences.plist

to:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowNonAdminSafeConfigurationReplacement</key>
    <true/>
</dict>
</plist>

Which allows me to add the file but I can't connect because of the following error in the console log:

'/Users/test/Library/Application Support/Tunnelblick/Configurations/file.tblk/Contents/Resources/config.ovpn' is missing.

The file exists but only root can read the file. I also changed the owner of the file and was able to verify that the file permission was the problem.

I know there are commands for adding a private profile in https://tunnelblick.net/cInstallFromCommandLine.html

But what is the key "allowNonAdminSafeConfigurationReplacement" even for when you need the permissions to use the ovpn file?

Tunnelblick Developer

Jul 2, 2025, 4:00:12 PM
to tunnelblick-discuss
How exactly did you "add the file" and what file are you talking about?

Tobias Füllmich

Jul 2, 2025, 4:34:13 PM
to tunnelblick-discuss
With "Which allows me to add the file ..." I meant an .ovpn file. It didn't matter how I added it; drag and drop or clicking on the file did the same.

Steps to reproduce:
  1. Install with "/tmp/file/$ProductName$_dmg/Tunnelblick.app/Contents/Resources/installer" 259
  2. Set the key allowNonAdminSafeConfigurationReplacement to true
  3. Import .ovpn file in Tunnelblick
  4. Try to connect with imported ovpn file -> doesn't work ("/Users/test/Library/Application Support/Tunnelblick/Configurations/file.tblk/Contents/Resources/config.ovpn" owner is "root")
  5. Restart Tunnelblick
  6. Get prompted for credentials of an account with admin privilege, type them in -> on cancel Tunnelblick doesn't start
  7. Try to connect with imported ovpn file -> does work ("/Users/test/Library/Application Support/Tunnelblick/Configurations/file.tblk/Contents/Resources/config.ovpn" owner is "test")

Tobias Füllmich

Jul 3, 2025, 10:11:33 AM
to tunnelblick-discuss

And how would I do this? Because whenever I try I get:
Unbenannt.png

And when I save ("sichern") the file, I need root permissions.

Why am I even able to import an .ovpn file after changing the key? When I should only be able to replace the file.

Tunnelblick Developer wrote on Thursday, July 3, 2025 at 13:09:24 UTC+2:
You need to be root to install or replace Tunnelblick or to install configurations.

You can replace safe configurations without being root if allowNonAdminSafeConfigurationReplacement is set. (Note the word "Replacement".)



Tobias Füllmich

Jul 3, 2025, 10:18:21 AM
to tunnelblick-discuss
I even get specifically this prompt:

221.png

 on drag and dropping the same file.

Tobias Füllmich

Jul 3, 2025, 10:46:08 AM
to tunnelblick-discuss
It seems like my options are:
  • Giving all users sudo just because of Tunnelblick -> don't want to, due to security concerns
  • Typing in admin creds every time someone needs to import an ovpn file -> people will riot
  • Creating a LaunchDaemon that executes at boot and finds and imports the files as root
  • Just installing OpenVPN Connect. On that note, Tunnelblick is the only major OpenVPN client that doesn't allow importing .ovpn files as a normal user (OpenVPN GUI also allows it)

Tunnelblick Developer

Jul 3, 2025, 12:11:32 PM
to tunnelblick-discuss

My earlier comment that standard users cannot install safe configurations was incorrect. They are able to do that.


If you need your users to be able to install configurations that are not safe, then Tunnelblick is not for you. (And you are enabling them to execute programs as root.)


But… I think the problems you've seen will only happen if Tunnelblick is not relaunched after the forced-preferences.plist file is created or modified and/or if it does not have the correct ownership and permissions. That's a bug which will be fixed in the next beta version of Tunnelblick.


Until then, your script should do the following:

  1. Install Tunnelblick with sudo path-to-Tunnelblick.app/Contents/Resources/installer 259
  2. Quit Tunnelblick with killall Tunnelblick
  3. Store the .plist file with sudo cp path-to-forced-preferences.plist /Library/Application\ Support/Tunnelblick/forced-preferences.plist
  4. Set ownership of the .plist file with sudo chown 0:0 /Library/Application\ Support/Tunnelblick/forced-preferences.plist
  5. Set permissions of the .plist file with sudo chmod 644 /Library/Application\ Support/Tunnelblick/forced-preferences.plist

The user should be then able to install and/or update safe configurations without entering admin credentials.


If that doesn't work, please provide the script you use and the output when the script is executed.
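
Added example, not part of the thread and not Tunnelblick code: a Python check that a deployment script could run after steps 3 to 5 above to confirm that forced-preferences.plist has ownership 0:0, mode 644 and the key set to true. `audit_private_config` is a hypothetical helper for the symptom reported earlier in the thread (config.ovpn owned by root instead of the user).

```python
import os
import plistlib
import stat

FORCED_PREFS = "/Library/Application Support/Tunnelblick/forced-preferences.plist"
KEY = "allowNonAdminSafeConfigurationReplacement"


def audit_forced_preferences(path=FORCED_PREFS, uid=0, gid=0):
    """Return a list of problems; an empty list means steps 3-5 took effect."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    problems = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(f"owner is {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o644:
        problems.append(f"mode is {mode:03o}, expected 644")
    try:
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)
    except Exception as exc:  # unreadable or malformed plist
        return problems + [f"cannot parse plist: {exc}"]
    if not isinstance(prefs, dict) or prefs.get(KEY) is not True:
        problems.append(f"{KEY} is not <true/>")
    return problems


def audit_private_config(ovpn_path, user_uid):
    """Hypothetical helper: flag a private config.ovpn not owned by the user."""
    try:
        st = os.stat(ovpn_path)
    except FileNotFoundError:
        return [f"{ovpn_path} does not exist"]
    if st.st_uid != user_uid:
        return [f"{ovpn_path} is owned by uid {st.st_uid}, not uid {user_uid}"]
    return []


if __name__ == "__main__":
    # Run on the Mac after the install script; prints one line per finding.
    for line in audit_forced_preferences() or ["forced-preferences.plist OK"]:
        print(line)
```
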

Tobias Füllmich

Jul 3, 2025, 7:59:20 PM
to tunnelblick-discuss
Here is me executing the commands:
console.png

Yes I'm using the beta, I tried both 6300 and 6310. 

This is the prompt after importing the .ovpn file:
3.png

Prompt after me trying to connect afterwards:

4.png

The import would not be possible if the plist wasn't considered by Tunnelblick.

Console.app output at that time:

standard 16:22:33.227466+0200 tunnelblickd Status = 252 from tunnelblick-helper command 'compareShadowCopy config'
standard 16:22:33.286174+0200 Tunnelblick tunnelblickd status from compareShadowCopy: 252 tunnelblickd stderr: 'Shadow configuration does not exist: /Library/Application Support/Tunnelblick/Users/test/config.tblk '
standard 16:22:33.291016+0200 Tunnelblick Converting/Installing /Users/test/Library/Application Support/Tunnelblick/Configurations/config.tblk/Contents/Resources/config.ovpn: File '/Users/test/Library/Application Support/Tunnelblick/Configurations/config.tblk/Contents/Resources/config.ovpn' is missing.
standard 16:22:33.291099+0200 Tunnelblick commandOptionsStatusForOpenvpnConfigurationAtPath:forTblk: returned 'error occurred' for /Users/test/Library/Application Support/Tunnelblick/Configurations/config.tblk/Contents/Resources/config.ovpn
standard 16:22:33.291156+0200 Tunnelblick error status 0 returned from commandOptionsInConfigurationsAtPaths:
standard 16:22:33.312113+0200 runningboardd Invalidating assertion 176-141-2423 (target:[app<application.net.tunnelblick.tunnelblick.631577.631844(503)>:1768]) from originator [osservice<com.apple.coreservices.launchservicesd>:141]
standard 16:22:33.419209+0200 runningboardd [app<application.net.tunnelblick.tunnelblick.631577.631844(503)>:1768] Ignoring jetsam update because this process is not memory-managed

After restarting Tunnelblick I get prompted with:

5.png

I also restarted the mac the first time but it doesn't seem to work. Please tell me if you need further Information.

Tobias Füllmich

Jul 3, 2025, 8:07:05 PM
to tunnelblick-discuss
Ohh, I just saw I made a mistake on changing the permissions on the plist file, but again I don't think that is the problem.

Tobias Füllmich

Jul 3, 2025, 8:37:47 PM
to tunnelblick-discuss
Just in case, I tried it; nothing changed though. The console log was the same and the prompts were the same.

Tunnelblick Developer

Jul 3, 2025, 8:38:41 PM
to tunnelblick-discuss
So the Tunnelblick install worked, and the .plist file is OK, because Tunnelblick tried to install the configuration without requesting admin credentials.

Did you try to install the configuration as a private configuration, or as a shared configuration?

Tobias Füllmich

Jul 4, 2025, 2:18:47 AM
to tunnelblick-discuss
Private, and you can see it in the Console.app: it wouldn't try to access "/Users/test/Library/..." because it wouldn't be saved in the user profile.

Also, you are not able to import shared without root access. I am able to import the config, just not able to connect afterwards.

Tunnelblick Developer

Jul 4, 2025, 7:06:49 AM
to tunnelblick-discuss
OK, I have found three bugs: one causes a failure of the install, a second causes a failure to warn about the failure to install except in an obscure log entry, and a third causes a failure to properly recover from the failure of the install (it does not delete a partially-installed but unusable configuration).

This will all be fixed in the next beta release, which should be published within the next few days.

Thanks for reporting this problem and for your work helping to solve it.

Tobias Füllmich

Jul 4, 2025, 8:01:31 AM
to tunnelblick-discuss
I'm looking forward to it and will test it as soon as it is available. As of now it doesn't sound like the problem I have because it also happens on a freshly installed mac but I hope it resolves it.