Auto-skip Tunnelblick prompts

[Will Kuo]

Hi team,

There are some prompts that need to manually click "ok" to skip when executing the Tunnelblick script. e.g. allow Java to access Tunnelblick, allow terminal to access Tunnelblick, allow simultaneously connection (as the attachment "connect_prompt.png"). I would like to know whether there is any approach to auto-skip this kind of prompts? Thanks.

[Tunnelblick developer]

As far as I know, Tunnelblick cannot affect macOS prompts such as those asking permission for Java or Terminal to access Tunnelblick. That's a security feature of macOS.

But skipping Tunnelblick prompts so the prompt is never shown even one time can be done for any prompt that has a "Do not warn about this again" checkbox.

You'll have to dig into the Tunnelblick preferences to do that. Showing a prompt is skipped if a preference corresponding to the prompt is set to "true". (Note that some of the preferences are per-configuration preferences -- that is, there is a separate preference for each configuration.)

For a list of all such preferences, you can look in the Tunnelblick source code. The defines.h file contains two lists; one for non-configuration-dependent preferences, one for per-configuration preferences. That file changes, of course, as new preferences are added or made obsolete and other changes are made.

To set a preference "true" you can use this command:

     defaults write net.tunnelblick.tunnelblick NAME -bool yes

to un-do that, you can use this command:

     defaults delete net.tunnelblick.tunnelblick NAME

For per-configuration preferences, NAME is the name of the configuration followed by a hyphen followed by the name of the preference, e.g. VPN_NAME-PREFERENCE_NAME.

[Will Kuo]

Hi team,

Thanks for your guidance. Now we find another prompts (public IP address was not different) as the attachment:
=========

This computer's apparent public IP address was not different after connecting to XXXXX. It's still XXXXX
This may mean that your VPN is not configured correctly.

=========

I cannot find the related program preferences in the official site:

- https://tunnelblick.net/cPreferences.html

Is there any approach to auto-skip this prompt? Thanks.

[Tunnelblick developer]

As I wrote earlier, the webpage you linked to just shows some of the most common preferences:

For a list of all such preferences, you can look in the Tunnelblick source code. The defines.h file contains two lists; one for non-configuration-dependent preferences, one for per-configuration preferences. That file changes, of course, as new preferences are added or made obsolete and other changes are made.

The one you want for this one is "skipWarningThatIPAddressDidNotChangeAfterConnection".

[Will Kuo]

Hi team,

Thanks for your quick reply and guidance. Now we face another pop-up "Replace one configuration" (as the attachment) when running some tests.  The version is the latest beta version (Tunnelblick 5.0.1beta01).

Check the source code defines.h,  and find one possible setting "allowNonAdminSafeConfigurationReplacement", is it the right setting for our scenario.

• https://github.com/Tunnelblick/Tunnelblick/blob/master/tunnelblick/defines.h#L698

Please help to take a look when you have time, thanks.

[Tunnelblick developer]

No. That prompt doesn't have a skip checkbox, so it can't be skipped; it also requires a computer admin's authorization.

There are ways around both of those restrictions, however. Please read Tunnelblick's documentation, especially the "Distributing Tunnelblick" section.

[Will Kuo]

Hi team,

I think one possible workaround to avoid the pop-up "Replace one configuration" is deleting the configuration after the e2e test. Based on the Section "Deleting configurations from the Command Line" in doc: 

• https://tunnelblick.net/cInstallConfigs.html

We can delete "Office" configuration by the command: 

• sudo /Applications/Tunnelblick.app/Contents/Resources/installer 0x2001 ~/Library/Application\ Support/Tunnelblick/Configurations/Office.tblk

However, it requires password to execute "sudo" command, and doesn't meet our use case.

Can we delete the configuration by Apple script? Or are there any approach we can avoid the pop-up "Replace one configuration"? 

By the way, I find the pop-up "Replace one configuration" doesn't occur in the previous pre-beta version: 5.0.0beta02-TEST-3 (build 6013), but occurs in the latest beta version:  5.0.1beta01 (build 6020)

Not sure whether the "Replace one configuration" pop-up is a new feature or a bug?

Thanks for help.

[Tunnelblick developer]

Please see Administrator Authorization to Install Tunnelblick and Configurations, Standard Users Installing or Replacing Configurations, and AppleScript Support.

The "Replace one configuration" pop-up is an old feature. We don't support test builds, they're just for testing specific features, so I don't plan to investigate why the warning didn't appear in Tunnelblick 5.0.0beta02-TEST-3 (build 6013).

[Will Kuo]

Hi team,

Based on the doc:
- https://tunnelblick.net/cNonAdminInstalls.html

A standard user will be allowed to install a new configuration if 

- (A) the checkbox is not checked, 

- (B) the configuration is being installed as a private configuration, and 

- (C) the configuration does not contain any OpenVPN commands or scripts, references to such commands or scripts, or Tunnelblick VPN Configuration scripts that run as root.

I believe that we already meet the criteria (A)(B).

However, we use random available port (for OpenVPN) for the same configuration name (replacement), it doesn't meet the criteria (C). Is this idea right?

Thanks for help.

[Tunnelblick developer]

I don't know what you mean by "we use random available port (for OpenVPN) for the same configuration name (replacement)".

Just try it.