Tunnelblick uninstall script

[franco]

Hi, just a quick question,

is it safe to use the uninstall script located in the App-bundle as a standalone uninstall script or is there something I need to pay attention to?

I'm trying to:

1. Save configuration files not belonging to our company to the users Desktop or in a shared directory (depending where they are installed)

2. Completely uninstall Tunnelblick and its components/configurations from the machine

3. Deploy the current stable release of Tunnelblick to the machine including the current company profile and suppress warnings about IP not changed / DNS not changed

On a test machine everything is working beautifully (tested with the uninstall script from the website) but before I scope our 900+ computers I just want to make sure.

[Tunnelblick developer]

I'm not sure what you mean by "tested with the uninstall script from the website". I suggest you copy the script from the current stable version of Tunnelblick. The tunnelblick-uninstaller.sh" script hasn't changed since 2020-12-02 (commit c3d672).

It should be OK to use the "tunnelblick-uninstaller.sh" script as long as you invoke it in a way similar to the way it is invoked by "tunnelblick-uninstaller.applescript", which in turn is invoked by MenuController's "uninstall" method.

Here are some comments/suggestions. (Some are probably obvious and I mean no disrespect in providing them).

• Make sure no instances of Tunnelblick are running – processes named "Tunnelblick".
• Wait for the "tunnelblickd" to quit if it is running (it times out, I think after 30 seconds of no activity).
• Make sure no instances of OpenVPN are running – processes named "openvpn".
• Run the script as root and provide all three arguments as specified in lines 427-429 of the script.
• Run a script you provide (from the latest stable Tunnelblick, as noted above) -- don't not use the script that is in whatever possibly old version of Tunnelblick on the machine that the uninstall is being performed on.
• Be sure to test it on a machine running Big Sur, which has the most stringent security requirements, and/or on a beta of macOS Monterey if any of the machines might be running it.

Installing the current company profile and suppressing warnings about IP or DNS not changing is separate from uninstalling, but I gather you know how to do that.

[franco]

Thank you for your answer and your suggestions.

With "tested with the uninstall script from the website" I meant that I extracted the .sh from the Tunnelblick Uninstaller 1.12 from the website (which is from 2018 and outdated). I'll use the new one now.

• The check if some processes related to Tunnelblick/openvpn are still open is in place (with a grace period of 1minute. Never seen anything above 34 seconds) and if something goes wrong the script terminates with a warning for the user.
• The helper script which invokes the uninstall script when all checks are passed and all configs are saved is run as root, as is the uninstall script itself  (the whole process is managed by Jamf)
  
• I'll test it again on 10.14 & 10.15, x64 & arm and with a selected few machines in the wild before pulling the trigger for the whole company

The only other thing I'm scratching my head at is:

After a successful install and as last step, I'm opening Tunnelblick as the currently logged in user and she/he has to authenticate with admin credentials to change ownership/permissions to the Tunnelblick app. Is it possible to chmod them from a script? This I still can't get to work. Luckily every employee is an admin, only a few laptops have standard accounts...

Tank you very much.

[Tunnelblick developer]

The easiest way to install Tunnelblick from a script is to invoke the binary "installer" program in Tunnelblick.app/Contents/Resources/installer. When invoked as root with the proper arguments it will copy Tunnelblick.app from wherever it is into /Applications and set up the ownership and permissions so that the user doesn't need to do anything. I think you may also need to use installer to replace (or install) tunnelblickd but don't recall offhand.

The installer can also be used to install configurations, but they must be in the form of a bundle (with a Contents folder, etc.). When you install a configuration with Tunnelblick, it creates a proper bundle and then invokes the installer to install that bundle.

Take a look at this discussion. It's old, so you might want to look at the Tunnelblick source code to confirm the bitmask settings (which could very well have changed). You can find the definitions starting about line 430 in tunnelblick/defines.h.

[franco]

Perfect, thanks for your time and pointing me to that thread. That will help me tremendously putting together the final bits.