Tunnelblick 3.5.25 not connecting starting 2 months ago


xxVOXxx

Oct 2, 2023, 4:02:51 AM
to tunnelblick-discuss
I've been successfully connecting to ExpressVPN for a long time on OSX 10.8 using TB 3.5.25 and recently it has stopped working.  I can still connect using a newer MacOS version with a newer version of Tunnelblick 3.8.7a.  Disclaimer I know little about how any of this works but after ExpressVPN's official app dropped support for older OS's I had to search for solutions and started using TB and honestly I like using it better than the app so I'd like to keep it working.  Customer service over there is little help they are repeating lines off a script and shuffling from agent to agent with no traceability and limited product knowledge so I'm on my own here...

It looks like the newer version of TB uses newer OpenVPN versions 2.5.4 & 2.4.11 and the older one uses 2.4.4 and 2.3.18.  It feels like that could be the problem but I don't know how to fix it on the older version. 

The error I get when using 2.3.18 is
2023-10-02 03:56:42 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-10-02 03:56:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-10-02 03:56:42 MANAGEMENT: Client disconnected
2023-10-02 03:56:42 Cipher algorithm 'AES-256-GCM' not found
2023-10-02 03:56:42 Exiting due to fatal error

The error on 2.4.4 is
2023-10-02 03:58:06 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-10-02 03:58:06 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-10-02 03:58:06 MANAGEMENT: Client disconnected
2023-10-02 03:58:06 Cipher AES-256-GCM not supported
2023-10-02 03:58:06 Exiting due to fatal error

I was told that they use  OpenVPN 2.4.4 and Cipher AES-256-GCM, but 2.4.4 won't connect on TB 3.5.25.  What am I missing?  Any help would be appreciated.

Tunnelblick developer

Oct 2, 2023, 8:33:28 AM
to tunnelblick-discuss
Please post the diagnostic info obtained by following the instructions at Read Before You Post.

xxVOXxx

Oct 2, 2023, 7:47:58 PM
to tunnelblick-discuss
Thanks for the reply!  No problem, the info I posted before was actually from the same log as outlined in RBYP, but here is the full log as requested:


*Tunnelblick: OS X 10.8.5; Tunnelblick 3.5.25 (build 4270.5160); Admin user

Configuration XVPN - I New York

"Sanitized" condensed configuration file for /Users/*****/Library/Application Support/Tunnelblick/Configurations/XVPN - I New York.tblk:

dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>
<ca>
[Security-related line(s) omitted]
</ca>


================================================================================

"Sanitized" full configuration file

dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-newyork-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

<cert>
 [Security-related line(s) omitted]
</cert>
<key>
 [Security-related line(s) omitted]
</key>
<tls-auth>
 [Security-related line(s) omitted]
</tls-auth>
<ca>
 [Security-related line(s) omitted]
</ca>



================================================================================

There are no unusual files in XVPN - I New York.tblk

================================================================================

Configuration preferences:

-routeAllTrafficThroughVpn = 0
-keychainHasPrivateKey = 0
-keychainHasUsernameAndPassword = 0
-keychainHasUsername = 0
-openvpnVersion = 2.4.4
-lastConnectionSucceeded = 0

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

skipWarningAboutInvalidSignature = 1
placeIconInStandardPositionInStatusBar = 0
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.5.25 (build 4270.5160)"
)
lastLaunchTime = 717982865.493162
doNotShowSplashScreen = 1
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
installationUID (not shown)
keyboardShortcutIndex = 1
namedCredentialsThatAllConfigurationsUse = Common
updateCheckAutomatically = 0
updateSendProfileInfo = 0
NSWindow Frame ConnectingWindow = 605 519 389 187 0 0 1600 878
detailsWindowFrameVersion = 4270.5160
detailsWindowFrame = {{204, 225}, {900, 468}}
detailsWindowLeftFrame = {{0, 0}, {183, 350}}
leftNavSelectedDisplayName = XVPN - I New York
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 0
SUFeedURL = https://www.tunnelblick.net/appcast-s.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 0
SULastCheckTime = 2023-10-01 15:04:13 +0000
SULastProfileSubmissionDate = 2023-10-01 14:48:46 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2023-10-02 19:41:15 *Tunnelblick: OS X 10.8.5; Tunnelblick 3.5.25 (build 4270.5160)
2023-10-02 19:41:15 *Tunnelblick: Attempting connection with XVPN - I New York using shadow copy; Set nameserver = 1; monitoring connection
2023-10-02 19:41:15 *Tunnelblick: openvpnstart start XVPN\ -\ I\ New\ York.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.4.4
2023-10-02 19:41:17 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-S*****-SLibrary-SApplication Support-STunnelblick-SConfigurations-SXVPN -- I New York.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_16688.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/*****/XVPN - I New York.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/*****/XVPN - I New York.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/*****/XVPN - I New York.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          /Library/Application Support/Tunnelblick/dbclaljcnioiafhgcamjgbkhiadbemecdekejmnb.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

2023-10-02 19:41:15 *Tunnelblick: openvpnstart starting OpenVPN
2023-10-02 19:41:16 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] built on Sep 29 2018
2023-10-02 19:41:16 library versions: OpenSSL 0.9.8zg 14 July 2015, LZO 2.08
2023-10-02 19:41:16 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2023-10-02 19:41:16 Need hold release from management interface, waiting...
2023-10-02 19:41:17 *Tunnelblick: Established communication with OpenVPN
2023-10-02 19:41:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2023-10-02 19:41:17 MANAGEMENT: CMD 'pid'
2023-10-02 19:41:17 MANAGEMENT: CMD 'state on'
2023-10-02 19:41:17 MANAGEMENT: CMD 'state'
2023-10-02 19:41:17 MANAGEMENT: CMD 'bytecount 1'
2023-10-02 19:41:17 MANAGEMENT: CMD 'hold release'
2023-10-02 19:41:17 *Tunnelblick: Obtained VPN username and password from the Keychain
2023-10-02 19:41:17 MANAGEMENT: CMD 'username "Auth" "mnk5iofi8r1owy457vvhwzeu"'
2023-10-02 19:41:17 MANAGEMENT: CMD 'password [...]'
2023-10-02 19:41:17 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-10-02 19:41:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-10-02 19:41:17 MANAGEMENT: Client disconnected
2023-10-02 19:41:17 Cipher AES-256-GCM not supported
2023-10-02 19:41:17 Exiting due to fatal error
2023-10-02 19:41:19 *Tunnelblick: No 'post-disconnect.sh' script to execute
2023-10-02 19:41:19 *Tunnelblick: Expected disconnection occurred.

================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether 40:6c:8f:bd:be:51
inet 192.168.200.100 netmask 0xffffff00 broadcast 192.168.200.255
media: autoselect (1000baseT <full-duplex>)
status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether 40:6c:8f:bd:bb:cc
media: autoselect (<unknown type>)
status: inactive
en2: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether a8:96:8a:f2:3a:8f
media: autoselect (<unknown type>)
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether 0a:96:8a:f2:3a:8f
media: autoselect
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 70:cd:60:ff:fe:9c:d1:12
media: autoselect <full-duplex>
status: inactive
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:50:56:c0:00:01
inet 172.16.151.1 netmask 0xffffff00 broadcast 172.16.151.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:50:56:c0:00:08
inet 172.16.165.1 netmask 0xffffff00 broadcast 172.16.165.255

================================================================================

Console Log:

2023-10-02 19:41:04 Tunnelblick[658] Set program update feedURL to https://www.tunnelblick.net/appcast-s.rss
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-02 19:41:15 tunnelblickd[674] Status = 0 from tunnelblick-helper command 'compareShadowCopy XVPN - I New York'
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-02 19:41:15 tunnelblickd[674] Status = 0 from tunnelblick-helper command 'printSanitizedConfigurationFile XVPN - I New York.tblk 0'
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-02 19:41:15 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-02 19:41:16 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...
2023-10-02 19:41:16 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...
2023-10-02 19:41:16 tunnelblickd[674] Status = 0 from tunnelblick-helper command 'start XVPN - I New York.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.4.4'
2023-10-02 19:41:17 Tunnelblick[658] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'username'
2023-10-02 19:41:17 Tunnelblick[658] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'password'
2023-10-02 19:41:18 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-02 19:41:18 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-02 19:41:19 tunnelblickd[674] Status = 0 from tunnelblick-helper command 'postDisconnect XVPN - I New York.tblk 1'
2023-10-02 19:41:21 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-02 19:41:21 Tunnelblick[658] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-02 19:41:22 tunnelblickd[674] Status = 0 from tunnelblick-helper command 'printSanitizedConfigurationFile XVPN - I New York.tblk 0'

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
   53    0 0xffffff7f808e1000 0x47000    0x47000    at.obdev.nke.LittleSnitch (4098) <5 4 3 1>
  109    0 0xffffff7f825ce000 0x7000     0x7000     expressvpn.tun (1.0) <7 5 4 1>
  110    0 0xffffff7f808cd000 0x3000     0x3000     com.paceap.kext.pacesupport.snowleopard (5.9.1) <7 5 4 3 1>
  114    1 0xffffff7f825d5000 0x12000    0x12000    com.vmware.kext.vmci (90.4.18) <10 5 4 3 1>
  115    0 0xffffff7f825e7000 0x10000    0x10000    com.vmware.kext.vsockets (90.4.23) <114 7 5 4 3 1>
  116    0 0xffffff7f825f7000 0xa000     0xa000     com.vmware.kext.vmnet (0104.03.86) <5 4 3 1>
  117    0 0xffffff7f82601000 0xd000     0xd000     com.vmware.kext.vmx86 (0104.03.86) <7 5 4 3 1>
  118    0 0xffffff7f8260e000 0x6000     0x6000     com.vmware.kext.vmioplug.10.1.24 (10.1.24) <32 5 4 3 1>

Tunnelblick developer

Oct 2, 2023, 9:14:48 PM
to tunnelblick-discuss
The problem is that the version of OpenSSL you are using (0.9.8zg) does not support the encryption that ExpressVPN uses (AES-256-GCM).

I don't know if OpenSSL 1.0.2p supports it, but it's worth trying, so try OpenVPN 2.4.4 with OpenSSL 1.0.2p. (Tunnelblick "VPN Details" >> Configurations panel >> Settings tab.)

After connecting, make sure OpenSSL 1.0.2p was used: In the log, look for:

                library versions: OpenSSL 0.9.8zg 14 July 2015, LZO 2.08

but with OpenSSL 1.0.2p instead of 0.9.8zg.

There may be a Tunnelblick bug that causes 0.9.8zg to be used instead of 1.0.2p even when 1.0.2p is chosen. It is possible that the bug was fixed in Tunnelblick 3.5.26, which you can download from Tunnelblick's Deprecated Downloads page.
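
The log check described in the reply above, as an added example that is not part of the original post and is not Tunnelblick code. The function names are hypothetical, and the 1.0.1 threshold (the first OpenSSL series whose EVP interface includes AES-GCM) is a fact about OpenSSL that the thread itself does not state.

```shell
#!/bin/sh
# Added example: report which OpenSSL an OpenVPN log says was loaded, and
# whether that library can provide the cipher the configuration requests.
# Real use: audit "$(cat config.ovpn)" "$(cat openvpn.log)" 1.0.2p

# Print the OpenSSL version from the last "library versions:" line on stdin.
loaded_openssl() {
    sed -n 's/.*library versions: OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | tail -n 1
}

# Print the argument of the last "cipher" directive in a config on stdin.
config_cipher() {
    awk '$1 == "cipher" { c = $2 } END { print c }'
}

# Succeed if OpenSSL version $1 is 1.0.1 or later (assumed GCM threshold).
# Letter suffixes such as "8zg" or "2p" are ignored for the comparison.
openssl_has_gcm() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '{
        patch = $3; sub(/[a-z]+$/, "", patch)
        exit !(($1 * 10000 + $2 * 100 + patch) >= 10001)
    }'
}

# audit CONFIG_TEXT LOG_TEXT [EXPECTED_VERSION]
# Prints one verdict line; returns 0 only for "OK".
audit() {
    cipher=$(printf '%s\n' "$1" | config_cipher)
    loaded=$(printf '%s\n' "$2" | loaded_openssl)
    expected=${3:-}

    if [ -z "$loaded" ]; then
        echo "UNKNOWN: no 'library versions:' line in log"
        return 2
    fi
    case $cipher in
        *-GCM)
            if ! openssl_has_gcm "$loaded"; then
                echo "UNSUPPORTED: $cipher needs OpenSSL 1.0.1+, log shows $loaded"
                return 1
            fi ;;
    esac
    if [ -n "$expected" ] && [ "$loaded" != "$expected" ]; then
        echo "MISMATCH: selected OpenSSL $expected, log shows $loaded"
        return 1
    fi
    echo "OK: $cipher with OpenSSL $loaded"
}

# Sample inputs. CONFIG and LOG_POSTED reuse lines posted in this thread;
# LOG_CONSTRUCTED is a constructed "after" case, not output from the thread.
CONFIG='cipher AES-256-GCM
auth SHA512'
LOG_POSTED='2023-10-02 19:41:16 library versions: OpenSSL 0.9.8zg 14 July 2015, LZO 2.08
2023-10-02 19:41:17 Cipher AES-256-GCM not supported'
LOG_CONSTRUCTED='2023-10-02 19:41:16 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.08'

audit "$CONFIG" "$LOG_POSTED" 1.0.2p || true
audit "$CONFIG" "$LOG_CONSTRUCTED" 1.0.2p || true
```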


xxVOXxx

Oct 3, 2023, 4:43:25 PM
to tunnelblick-discuss
That sounds like it could be the culprit.  I checked the Settings tab and in that version there is no option to select the OpenSSL version that I can see, here is a screenshot
Screen Shot 2023-10-03 at 4.18.59 PM.png
I successfully updated to 3.5.26, but it was still saying Cipher AES-256-GCM not supported in the Log.  I'll include the full log below here.  The OpenSSL version it's saying in the log is OpenSSL 0.9.8zg 14 July 2015.  10.8.5 Mountain Lion's last update was around that year.  Is it possible Tunnelblick is using whatever is on the OS instead of a specific SSL version in the OpenVPN version included in the Tunnelblick.app bundle?  In newer versions of Tunnelblick I noticed the OpenVPN versions look like this: "openvpn-2.5.9-openssl-1.1.1v" where in 3.5.26 they look like this "openvpn-2.4.4" which seems to not specify that it includes SSL if I'm not mistaken here.  If this is the case, can I just somehow update the SSL version in OSX 10.8 wherever it is trying to use it from?  If not, could OpenVPN versions that are included in newer Tunnelblick app bundles be transferred backwards to older versions of the app?  I did try this already but it throws an error that TB was tampered with and then the app refuses to load until I remove it so if it's possible I was doing it wrong.  Here is the full log from 3.5.26:


*Tunnelblick: OS X 10.8.5; Tunnelblick 3.5.26 (build 4270.5161); prior version 3.5.25 (build 4270.5160); Admin user
placeIconInStandardPositionInStatusBar = 0
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.5.26 (build 4270.5161)",
    "3.5.25 (build 4270.5160)"
)
lastLaunchTime = 718057305.6928231

doNotShowSplashScreen = 1
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
installationUID (not shown)
keyboardShortcutIndex = 1
namedCredentialsThatAllConfigurationsUse = Common
updateCheckAutomatically = 0
updateSendProfileInfo = 0
NSWindow Frame ConnectingWindow = 605 519 389 187 0 0 1600 878
detailsWindowFrameVersion = 4270.5160
detailsWindowFrame = {{231, 179}, {896, 468}}
detailsWindowLeftFrame = {{0, 0}, {175, 350}}

leftNavSelectedDisplayName = XVPN - I New York
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 0
SUFeedURL = https://www.tunnelblick.net/appcast-s.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 0
SULastCheckTime = 2023-10-01 15:04:13 +0000
SULastProfileSubmissionDate = 2023-10-01 14:48:46 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2023-10-03 16:25:52 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] built on Jun 27 2023
2023-10-03 16:25:52 library versions: OpenSSL 0.9.8zg 14 July 2015, LZO 2.10
2023-10-03 16:25:52 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2023-10-03 16:25:52 Need hold release from management interface, waiting...
2023-10-03 16:25:52 *Tunnelblick: openvpnstart starting OpenVPN
2023-10-03 16:25:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2023-10-03 16:25:53 MANAGEMENT: CMD 'pid'
2023-10-03 16:25:53 MANAGEMENT: CMD 'state on'
2023-10-03 16:25:53 MANAGEMENT: CMD 'state'
2023-10-03 16:25:53 MANAGEMENT: CMD 'bytecount 1'
2023-10-03 16:25:53 *Tunnelblick: Established communication with OpenVPN
2023-10-03 16:25:53 MANAGEMENT: CMD 'hold release'
2023-10-03 16:25:53 *Tunnelblick: Obtained VPN username and password from the Keychain
2023-10-03 16:25:53 MANAGEMENT: CMD 'username "Auth" "mnk5iofi8r1owy457vvhwzeu"'
2023-10-03 16:25:53 MANAGEMENT: CMD 'password [...]'
2023-10-03 16:25:53 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-10-03 16:25:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-10-03 16:25:53 MANAGEMENT: Client disconnected
2023-10-03 16:25:53 Cipher AES-256-GCM not supported
2023-10-03 16:25:53 Exiting due to fatal error
2023-10-03 16:25:55 *Tunnelblick: No 'post-disconnect.sh' script to execute
2023-10-03 16:25:55 *Tunnelblick: Expected disconnection occurred.
2023-10-03 16:18:30 Tunnelblick[678] Set program update feedURL to https://www.tunnelblick.net/appcast-s.rss
2023-10-03 16:21:28 Tunnelblick[775] Tunnelblick cannot run when it is on /Volumes because the volume has the MNT_NOSUID statfs flag set.
2023-10-03 16:21:33 coreservicesd[45] Application App:"Tunnelblick" [ 0x0/0x3b03b]  @ 0x0x7fcafbe30cc0 tried to be brought forward, but isn't in fPermittedFrontASNs ( ( ASN:0x0-0x45045:) ), so denying.
2023-10-03 16:21:33 WindowServer[117] [cps/setfront] Failed setting the front application to Tunnelblick, psn 0x0-0x3b03b, securitySessionID=0x186a4, err=-13066
2023-10-03 16:21:38 Tunnelblick[678] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2023-10-03 16:21:39 Tunnelblick[678] Finished shutting down Tunnelblick; allowing termination
2023-10-03 16:21:40 Tunnelblick[775] Beginning installation or repair
2023-10-03 16:21:40 authexec[785] executing /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/installer
2023-10-03 16:21:41 Tunnelblick[775] Installation or repair succeeded; Log:
2023-10-03 16:21:44 Tunnelblick[775] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2023-10-03 16:21:44 Tunnelblick[775] Finished shutting down Tunnelblick; allowing termination
2023-10-03 16:21:45 Tunnelblick[791] Set program update feedURL to https://www.tunnelblick.net/appcast-s.rss
2023-10-03 16:22:04 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:22:04 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:22:05 tunnelblickd[803] Status = 0 from tunnelblick-helper command 'compareShadowCopy XVPN - I New York'
2023-10-03 16:22:05 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:22:05 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:22:05 tunnelblickd[803] Status = 0 from tunnelblick-helper command 'printSanitizedConfigurationFile XVPN - I New York.tblk 0'
2023-10-03 16:22:05 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:22:05 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:22:05 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...
2023-10-03 16:22:06 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...
2023-10-03 16:22:06 tunnelblickd[803] Status = 0 from tunnelblick-helper command 'start XVPN - I New York.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.4.4'
2023-10-03 16:22:07 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'username'
2023-10-03 16:22:07 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'password'
2023-10-03 16:22:08 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:22:08 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:22:08 tunnelblickd[803] Status = 0 from tunnelblick-helper command 'postDisconnect XVPN - I New York.tblk 1'
2023-10-03 16:22:37 Tunnelblick[791] currentIPInfo(Name): IP address info could not be fetched within 536870912.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7be4c50 {NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0x9081ed0 "An SSL error has occurred and a secure connection to the server cannot be made."}'; the response was '(null)'
2023-10-03 16:25:37 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:37 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:37 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'compareShadowCopy XVPN - I New York'
2023-10-03 16:25:37 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:38 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:38 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...
2023-10-03 16:25:38 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...
2023-10-03 16:25:38 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'start XVPN - I New York.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.18'
2023-10-03 16:25:39 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'username'
2023-10-03 16:25:39 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'password'
2023-10-03 16:25:40 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:41 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:41 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'postDisconnect XVPN - I New York.tblk 1'
2023-10-03 16:25:51 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:52 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:52 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'compareShadowCopy XVPN - I New York'
2023-10-03 16:25:52 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:52 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:52 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...
2023-10-03 16:25:52 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...
2023-10-03 16:25:52 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'start XVPN - I New York.tblk 1338 1 0 1 0 16688 -ptADGNWradsgnw 2.4.4'
2023-10-03 16:25:53 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'username'
2023-10-03 16:25:53 Tunnelblick[791] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Group-Common' account = 'password'
2023-10-03 16:25:55 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:25:55 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:25:55 tunnelblickd[882] Status = 0 from tunnelblick-helper command 'postDisconnect XVPN - I New York.tblk 1'
2023-10-03 16:26:10 Tunnelblick[791] currentIPInfo(Name): IP address info could not be fetched within 536870912.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0xa3bb5d0 {NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0x12152570 "An SSL error has occurred and a secure connection to the server cannot be made."}'; the response was '(null)'
2023-10-03 16:26:24 Tunnelblick[791] currentIPInfo(Name): IP address info could not be fetched within 536870912.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7bc7400 {NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0xa3b8800 "An SSL error has occurred and a secure connection to the server cannot be made."}'; the response was '(null)'
2023-10-03 16:26:54 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2023-10-03 16:26:54 Tunnelblick[791] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2023-10-03 16:26:54 tunnelblickd[906] Status = 0 from tunnelblick-helper command 'printSanitizedConfigurationFile XVPN - I New York.tblk 0'


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
  109    0 0xffffff7f825ce000 0x7000     0x7000     expressvpn.tun (1.0) <7 5 4 1>
  110    0 0xffffff7f808cd000 0x3000     0x3000     com.paceap.kext.pacesupport.snowleopard (5.9.1) <7 5 4 3 1>
  114    1 0xffffff7f825d5000 0x12000    0x12000    com.vmware.kext.vmci (90.4.18) <10 5 4 3 1>
  115    0 0xffffff7f825e7000 0x10000    0x10000    com.vmware.kext.vsockets (90.4.23) <114 7 5 4 3 1>
  116    0 0xffffff7f825f7000 0xa000     0xa000     com.vmware.kext.vmnet (0104.03.86) <5 4 3 1>
  117    0 0xffffff7f82601000 0xd000     0xd000     com.vmware.kext.vmx86 (0104.03.86) <7 5 4 3 1>
  118    0 0xffffff7f8260e000 0x6000     0x6000     com.vmware.kext.vmioplug.10.1.24 (10.1.24) <32 5 4 3 1>

Tunnelblick developer

Oct 3, 2023, 6:10:40 PM
to tunnelblick-discuss
On Tuesday, October 3, 2023 at 4:43:25 PM UTC-4 xxVOXxx wrote:
Is it possible Tunnelblick is using whatever is on the OS instead of a specific SSL version in the OpenVPN version included in the Tunnelblick.app bundle?

Yes that's exactly what's happening.

 
In newer versions of Tunnelblick I noticed the OpenVPN versions look like this: "openvpn-2.5.9-openssl-1.1.1v" where in 3.5.26 they look like this "openvpn-2.4.4" which seems to not specify that it includes SSL if I'm not mistaken here.

It's built with a newer version of OpenSSL but for some reason is not using it and is instead using the version included in the OS. 

We used to build only one version of OpenSSL, so we didn't indicate that in the list shown to the user, but recent versions of Tunnelblick can include multiple versions of OpenVPN built with different versions of OpenSSL, so we include that in the list.


If this is the case, can I just somehow update the SSL version in OSX 10.8 wherever it is trying to use it from?

Yes, that would probably work, and it is probably your best option. You probably can find out where it comes from by using the 'which' command – i.e., which openssl

 
If not, could OpenVPN versions that are included in newer Tunnelblick app bundles be transferred backwards to older versions of the app?  I did try this already but it throws an error that TB was tampered with and then the app refuses to load until I remove it so if it's possible I was doing it wrong.

My understanding is that because the more recent versions of OpenVPN/OpenSSL are "fat" binaries (with both x86 and arm architectures) they don't work on old versions of macOS. Or it could be that they specify that they must run on a newer version of macOS. You could play around with them, but as I wrote above, you're probably better off replacing the old version of OpenSSL.

As to the app refusing to run if it has been tampered with, you should be given the option to continue anyway, but that may only be available in newer versions of Tunnelblick. You can try the following command, to reset the preference (if there is one):  defaults delete net.tunnelblick.tunnelblick skipWarningAboutInvalidSignature

xxVOXxx

Oct 4, 2023, 10:47:26 PM
to tunnelblick-discuss
Ok after doing some digging with your suggestion I found if I used the "openssl version -a" command in Terminal it gave me all this info:

OpenSSL 0.9.8zg 14 July 2015
built on: Jul 20 2015
platform: darwin64-x86_64-llvm
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(idx)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
OPENSSLDIR: "/System/Library/OpenSSL"

I searched pretty hard about how to upgrade OpenSSL but there seems to be no basic layman end user way to upgrade it like a pkg/dmg file and some comments are saying it could mess up other components of OSX trying to replace the file in /usr/bin.  This is all pretty over my head.  Is there a simplified and safe way that you know of to upgrade the OpenSSL for older Macs?  I'm comfortable using Terminal but have no clue about Homebrew or compiling and don't want to mess anything up but I'm willing to work to get it done.  Thank you again for the help on trying to solve this, it's very appreciated and any users on 10.6-10.9 will most likely need to do the same to keep using OpenVPN/Tunnelblick.

Tunnelblick developer

Oct 4, 2023, 11:13:38 PM
to tunnelblick-discuss
Sorry, but I don't know anything about building the OpenSSL command.

We only use the libraries, but maybe the command is built and then discarded. Building the old versions of Tunnelblick is done on a computer I don't have access to at the moment, but I will check within the next few days and see if that's the case, and reply when I know. If it is built, you could probably use it without having to build it yourself. However, as you noted, it's possible that replacing /usr/bin/openssl will cause problems for other programs.

xxVOXxx

Nov 1, 2023, 9:00:04 PM
to tunnelblick-discuss
Hi, just following up from 10/4/23.  Were you able to find anything out regarding this?  Thanks so much

Tunnelblick developer

Nov 5, 2023, 5:32:45 AM
to tunnelblick-discuss
I've been able to create the openssl 1.0.2p command but am unable to digitally sign it properly.

To get a copy, email devel...@tunnelblick.net and I'll send it to you.

xxVOXxx

May 9, 2025, 3:57:05 AM
to tunnelblick-discuss
UPDATE 2025:
When using Express VPN OpenVPN configurations, I am now finally able to connect again using 3.5.25 & 3.5.26 on Mac OSX 10.8.5.  This should apply to 10.4-10.9 systems that this version covers also but I have not tested it on any of those.

In order to do this, edit the configuration file of your choice (.ovpn) with TextEdit, or add the configuration to Tunnelblick first then edit it from there.  Look in the config file for "AES-256-GCM" and change it to "AES-256-CBC" and save the file.  You should now be able to connect without errors.  If anyone has feedback on this please let me know.

Tunnelblick Developer

May 9, 2025, 7:40:40 AM
to tunnelblick-discuss
Thank you!

xxVOXxx

Aug 8, 2025, 12:48:10 AM
to tunnelblick-discuss
ANOTHER UPDATE AUGUST 2025:

ExpressVPN is not working again for me under OSX 10.8.5 running Tunnelblick 3.5.26.  Seems like a short lived workaround...  However, I tried using a different service, AirVPN, and they let you configure your own custom .ovpn profiles very specifically so I gave it a shot and after a ton of trial and error it works!  If you are currently running a machine on OSX 10.6.8 Snow Leopard through OS X 10.9 Mavericks and Tunnelblick 3.5.25/3.5.26 here's what you have to do:

  • Go to https://airvpn.org and grab a plan (3 day trial is only a few bucks to see if it works).  If you don't like this VPN just look for another one that provides access to profiles that still support OpenVPN 2.3.18.
  • If using AirVPN, sign in and go to https://airvpn.org/generator/ to generate your own custom VPN profiles for different locations.
  • Select ADVANCED to open up the side panel.
  • In the OpenVPN Profile dropdown box select 2.4.  If you choose 2.5 it will not work.
  • The default top selections are going to be OpenVPN UDP or TCP with the specs TLS-CRYPT, TLS1.2.  You do NOT want this. Instead:
  • Scroll down to OpenVPN UDP or TCP with the specs of TLS-AUTH, FOR 2.3 and toggle the switch next to the one you want based on description.  I'm using the default UDP/443 profile.
  • Now choose your server/s.  Either pick a continent, country, or city and flip the switch next to it and click GENERATE.
  • Download the .ovpn file/s and load them up into Tunnelblick.  Set OpenVPN to 2.3.18 and connect!  These profiles require no account credentials as they're built into the profiles for you.

For the record I know little about how this all works and why ExpressVPN's profiles stopped connecting for me this year, but it seems that it has something to do with them forcing a different type of security with the "auth SHA512" line that doesn't work with OpenVPN 2.3.18 or 2.4.4 on older systems, even though their profiles still use "</tls-auth>" instead of "<tls-crypt>" which I see does not work with the AirVPN profiles (when TLS-CRYPT, TLS1.2 specs are selected).

The AirVPN configuration profiles when set the way I outlined above use "cipher AES-256-CBC" instead of "cipher AES-256-GCM" and "key-direction 1" instead of "auth SHA512" and that still seems to play nice with Tunnelblick 3.5.26 for now.  If someone else understands exactly why this works, feel free to jump in and explain and maybe that will help us figure out how we can keep this functioning on older OSX versions for the foreseeable future. Cheers all.
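
Both workarounds reported in this thread (changing "cipher AES-256-GCM" to "cipher AES-256-CBC", and generating a TLS-AUTH profile instead of a TLS-CRYPT one) remove directives that OpenVPN 2.3.x does not support. The script below is an added example, not part of any post in the thread and not Tunnelblick or OpenVPN code, that lists such directives in a profile before you try to connect. The function names and the sample profile are constructed, and the minimum versions are assumptions taken from the OpenVPN 2.4 and 2.5 release notes.

```shell
#!/bin/sh
# Added example (not from the thread): list .ovpn directives that need a newer
# OpenVPN than the 2.3.x build selected in Tunnelblick 3.5.x.

# Read a profile on stdin; print "LINE: directive (needs OpenVPN >= X)".
# Assumed minimums: AEAD (GCM) data ciphers, tls-crypt, ncp-ciphers and
# compress arrived in OpenVPN 2.4; tls-crypt-v2 and data-ciphers in 2.5.
ovpn_findings() {
    awk '
    { sub(/\r$/, "") }                  # tolerate CRLF line endings
    /^[ \t]*[#;]/ { next }              # skip comment lines
    {
        d = $1
        sub(/^</, "", d); sub(/>$/, "", d)   # inline block "<tls-crypt>" -> "tls-crypt"
        need = ""
        if (d == "cipher" && toupper($2) ~ /-GCM$/) { need = "2.4"; d = d " " $2 }
        else if (d == "tls-crypt" || d == "ncp-ciphers" || d == "compress") need = "2.4"
        else if (d == "tls-crypt-v2" || d == "data-ciphers") need = "2.5"
        if (need != "") printf "%d: %s (needs OpenVPN >= %s)\n", NR, d, need
    }'
}

# True (exit 0) when the profile file at $1 has no such directives.
ovpn_ok_for_23() {
    [ -z "$(ovpn_findings < "$1")" ]
}

# Constructed sample profile; the host name and key block are placeholders.
sample_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.invalid 443 udp
# cipher AES-128-GCM
cipher AES-256-GCM
ns-cert-type server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

sample_profile | ovpn_findings
```

To check a real profile, run `ovpn_findings < yourprofile.ovpn`; an empty result only means none of the listed directives is present, not that the server will accept the connection.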