How to Disable Encryption (SECLEVEL) in Tunnelblick

Joni Gaucho

Jun 25, 2024, 8:26:36 AM
to tunnelblick-discuss

Hi,

I am looking for help on how to disable encryption in Tunnelblick. I have already found a command on the internet: cipher "DEFAULT:@SECLEVEL=0", but I am not sure how to implement it correctly. Could you please provide me with detailed instructions on how to use this command to disable encryption?

Thank you in advance!

Tunnelblick developer

Jun 25, 2024, 9:26:37 AM
to tunnelblick-discuss
I assume you mean disable the encryption of data going through the VPN.

First: Why?

Second: What is "SECLEVEL"?

Third: You will need to disable encryption of the VPN traffic both on your computer and on the OpenVPN server. If you don't control the OpenVPN server, you probably won't be able to disable encryption.

Now, to answer your question (sort of): Tunnelblick doesn't do the encryption, OpenVPN does. Tunnelblick is basically a program to easily control OpenVPN. OpenVPN encrypts (or doesn't encrypt) the data going through the VPN based on the options in the OpenVPN configuration file and the options passed by the OpenVPN server. You should consult OpenVPN experts/forums; you can find some links at Tunnelblick Support.

Joni Gaucho

Jul 4, 2024, 5:36:35 AM
to tunnelblick-discuss
Thank you for your response. I don't want to disable the encryption, I just want to set it to a lower level.
Here, I am referring to an error message I received from Tunnelblick.
[Attached image: Unbenannt (1).png]

Tunnelblick developer

Jul 4, 2024, 8:41:40 AM
to tunnelblick-discuss
Same answer given before:

Now, to answer your question (sort of): Tunnelblick doesn't do the encryption, OpenVPN does. Tunnelblick is basically a program to easily control OpenVPN. OpenVPN encrypts (or doesn't encrypt) the data going through the VPN based on the options in the OpenVPN configuration file and the options passed by the OpenVPN server. You should consult OpenVPN experts/forums; you can find some links at Tunnelblick Support.

Joni Gaucho

Jul 4, 2024, 9:38:50 AM
to tunnelblick-discuss

Sorry I'm still a bit confused about what I should ask in the OpenVPN Forum. 

With an older version of Tunnelblick (3.8.8a) this wasn't an issue. So I would assume something changed on the Tunnelblick side of things. And also, the earlier mentioned switch "Seclevel=0" is from an OpenVPN Forum where this issue was discussed.

The solution is to add that to your OpenVPN config file, which Tunnelblick doesn't have, does it? 

So I wouldn't know where I can change these sorts of settings.

Tunnelblick developer

Jul 4, 2024, 9:53:59 AM
to tunnelblick-discuss
OK, I think I understand: you updated Tunnelblick and now you can't connect because of a "CA signature digest algorithm too weak" error and you're trying to fix that.

Please read Tunnelblick 4, and see if that helps. If it doesn't, it has a link to instructions about editing your OpenVPN configuration file.

Note that Tunnelblick includes OpenVPN [1], so
  • Newer versions of Tunnelblick include newer versions of OpenVPN, and
  • Tunnelblick configurations do include OpenVPN configurations.
[1] Actually, Tunnelblick includes one or more versions of OpenVPN linked to one or more versions of OpenSSL. OpenVPN creates the VPN, OpenSSL does encryption-related work for OpenVPN.
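
The "CA signature digest algorithm too weak" error discussed above concerns the digest used to sign a certificate, so one check is to read the signature algorithm of every certificate in the configuration. This is an added example, not part of the thread and not Tunnelblick or OpenVPN code; it assumes MD5 and SHA-1 are the digests to flag, and `SAMPLE_OVPN` is built from constructed DER skeletons, not real certificates.

```python
import base64
import re

RSA = bytes.fromhex("2a864886f70d0101")  # DER OID prefix 1.2.840.113549.1.1
SIG_ALGS = {  # DER-encoded signature-algorithm OID -> name
    RSA + b"\x04": "md5WithRSAEncryption",
    RSA + b"\x05": "sha1WithRSAEncryption",
    RSA + b"\x0b": "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}
WEAK = ("md5", "sha1")  # digests flagged here (assumed policy)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_sig_alg(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return der[oid_start:oid_end]

def audit_config(text):
    """Return [(index, algorithm, is_weak)] for each PEM certificate in text."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(text)):
        oid = cert_sig_alg(base64.b64decode(m.group(1)))
        name = SIG_ALGS.get(oid, "unknown OID " + oid.hex())
        out.append((i, name, any(w in name.lower() for w in WEAK)))
    return out

def skeleton_pem(oid):
    """Constructed DER skeleton (empty tbsCertificate, dummy signature), not a real certificate."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\x00"
    b64 = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_OVPN = ("client\n<ca>\n" + skeleton_pem(RSA + b"\x05") + "</ca>\n"
               "<cert>\n" + skeleton_pem(RSA + b"\x0b") + "</cert>\n")
```

Calling `audit_config` on the text of a real `.ovpn` file or CA bundle lists each certificate in file order; a flagged CA or client certificate is a candidate for reissuing with a SHA-256 signature.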

Joni Gaucho

Jul 17, 2024, 7:53:05 AM
to tunnelblick-discuss

Would it be possible to deploy the OpenVPN version settings of Tunnelblick via Intune? 
Additionally, the checkbox for changes to configurations needs to be adjusted as well.

It would greatly streamline the process and ensure consistency across our devices.  

Tunnelblick developer

Jul 17, 2024, 9:03:22 AM
to tunnelblick-discuss
Almost all settings are determined by Tunnelblick's macOS "preferences". See Preferences.