Tunnelblick on M1 Macs

Tunnelblick developer

unread,

Feb 5, 2021, 2:29:15 PM2/5/21

to tunnelblick-discuss

A new version of Tunnelblick is being tested by a small number of people. This discussion is for them to provide feedback and communicate with each other.

If you have an M1 Mac and would like to join in the testing and this dicussion, please email devel...@tunnelblick.net.

Tunnelblick 3.8.5beta03 (build 5623), currently being tested :

Runs natively on M1 Macs. (The application itself and OpenVPN.)
Includes the ability to install and uninstall the kexts via a button on Tunnelblick's "Utilities" panel, so you don't need to use Kext-Droplet-Big-Sur.
Fixes all known problems with the original kexts that were tested.

Here are the known limitations and problems:

Changing security settings in Recovery mode is still needed to allow kexts not supplied by Apple. We can't do anything about that, but it is something that only needs to be done once.
The version of OpenVPN 2.3.18 which includes OpenSSL 1.0 is not available (because it cannot yet be built for the M1's ARM architecture). There are no plans to fix this: these are very old versions of both programs and OpenVPN 2.3.18 which includes LibreSSL provides the same functionality.
macOS seems to always load both the tun and tap kexts even if Tunnelblick only asks for one to be loaded. This may not be able to be fixed. (We might be able to load both, then unload the one we don't want, but that's of limited utility and probably not that useful, so we currently have no plans to fix this.)
Tunnelblick is not currently able to "unload" the kexts, so once it has loaded them, they will stay loaded until a reboot or until you remove them by hand with "sudo kextunload -b net.tunnelblick.tap" and "sudo kextunload -b net.tunnelblick.tun". We do plan to fix this if possible.
The kexts cannot be uninstalled unless they are unloaded. Tunnelblick will (for now) react to this failure by telling the use to restart macOS. This will be fixed "automatically" if we can fix the problem unloading kexts. Until then, you can unload the kexts manually before uninstalling as described above.
In the drop-down list used to select a version of OpenVPN to be used, the list is not sorted correctly. This we will definitely fix!

Tunnelblick developer

unread,

Feb 5, 2021, 2:49:39 PM2/5/21

to tunnelblick-discuss

Everyone's feedback on a new document, Installing System Extensions, would also be appreciated.

Jean Jacques de Jong

unread,

Feb 6, 2021, 7:48:17 AM2/6/21

to tunnelblick-discuss

Works flawlessly on my Mac Mini M1 with macOS 11.2

Tunnelblick developer

unread,

Feb 6, 2021, 7:59:23 AM2/6/21

to tunnelblick-discuss

An additional problem has been found:

The "Advanced" button has disappeared! (From the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" page.)

Fixing this is simple: make the window taller! Just drag the bottom border of the window down until you see the "Advanced" button".

What's happened is that macOS Big Sur has made the contents of part of the window taller, so they don't all fit, and the "Advanced" button is hidden. That will be fixed.

Mike Nash

unread,

Feb 6, 2021, 9:20:18 AM2/6/21

to tunnelblick-discuss

Works perfectly for me on M1 and also tested with 11.3 beta

Matheus Reis

unread,

Feb 8, 2021, 4:47:43 PM2/8/21

to tunnelblick-discuss

Hello everyone!

I've tried to allow and restart my Mac after doing the recommended process and still doesn't connect.

Here is my connection details.

Using MacBook Pro m1 on macOS BigSur 11.2 (20D64)

2021-02-08 17:58:25.565498 *Tunnelblick: macOS 11.2 (20D64); Tunnelblick 3.8.5beta03 (build 5623); prior version 3.8.5beta02 (build 5620)

2021-02-08 17:58:25.867418 *Tunnelblick: Attempting connection with mateus.reis-client using shadow copy; Set nameserver = 769; monitoring connection

2021-02-08 17:58:25.867680 *Tunnelblick: openvpnstart start mateus.reis-client.tblk 56150 769 0 1 0 34652530 -ptADGNWradsgnw 2.3.18-libressl-2.7.1

2021-02-08 17:58:25.898592 *Tunnelblick: openvpnstart starting OpenVPN

2021-02-08 17:58:45.978460 *Tunnelblick:

Could not start OpenVPN (openvpnstart returned with status #247)

Contents of the openvpnstart log:

openvpnstart log:

Failed to load the tap kext; status = -603946981

Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. (It was not loaded even though the system said it was loaded.)

Tunnelblick developer

unread,

Feb 8, 2021, 4:50:18 PM2/8/21

to tunnelblick-discuss

Matheus, you may be being hit by a macOS bug that is supposedly fixed in 11.3. Please try to uninstall the kexts (on Tunnelblick's Utilities panel) and then install them again (on the same panel).

Luther Wakefield

unread,

Feb 9, 2021, 11:19:42 AM2/9/21

to tunnelbli...@googlegroups.com

I am in a loop on every restart that it tells me that I need to Allow under Security & Privacy that the System Software from developer “Jonathan Bullard” has been updated. Once I restart, it takes me right back to needing to Allow.

Luther Wakefield

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tunnelblick-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tunnelblick-discuss/0813cc10-2078-4c57-b2d5-0e1a50a2cc10n%40googlegroups.com.

Tunnelblick developer

unread,

Feb 9, 2021, 11:31:19 AM2/9/21

to tunnelblick-discuss

Sorry you're having this problem, Luther. Apparently it's cause by a macOS bug that may be fixed in 11.3.

One other person had a similar problem, and another. Here is his description of how he fixed it (used successfully by one other person):

The issue was the stale (previous) records/approvals for the kexts. Could be because the previous ones or the ones that currently ship with TB are for x86 were loaded previously.

So what I had to do was manually remove these records from the KextPolicy db. See the post here - https://stackoverflow.com/questions/47810161/macos-high-sierra-kext-loading-are-there-any-ways-to-cancel-user-approval/51684219#51684219

After opening the db - I was able to run a select and find your team_id. Reboot into recovery and run the commands to remove the stale (previous) records/approvals. Rerun a select to check they have been removed and infact any other tap/tun ones were gone.
Note that

You don't need to do "After opening the db - I was able to run a select and find your team_id". The Tunnelblick team_id is Z2SG5H3HC8
When done, use the "Install system extensions" button in the new version of Tunnelblick.

Agustin Diaz

unread,

Feb 9, 2021, 5:28:58 PM2/9/21

to tunnelblick-discuss

Hello.

I am receiving the following error messages when trying to connect.

2021-02-09 14:14:19.072404 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
2021-02-09 14:14:19.072424 ERROR: Failed to apply push options
2021-02-09 14:14:19.072444 Failed to open tun/tap interface
2021-02-09 14:14:19.072925 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2021-02-09 14:14:19.073128 MANAGEMENT: >STATE:1612908859,RECONNECTING,process-push-msg-failed,,,,,
2021-02-09 14:14:19.074825 MANAGEMENT: CMD 'hold release'
2021-02-09 14:14:19.074946 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-02-09 14:14:19.074975 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

I am using the MacBook Pro M1 Big Sur 11.2.1.

Thanks.