Duplicate connection as script


Gianluca Fadda

Sep 24, 2025, 7:00:19 AM (8 days ago) Sep 24
to tunnelblick-discuss
Good morning,

As Tunnelblick shares few functionalities to facilitate ovpn file management, I've found out that Duplicate connection does the following actions:

1. Creates one copy of the .tlbk file where inside there is the config.ovpn file.
2. But also (most important) it clones the three Keychain applications password (username, password, privateKey).

Once you click Connect to the cloned connection from the Tunnelblick app, the usual username and password, privateKey second prompt is not asked as also the Keychain items are cloned.

Does anybody know how to perform the same action using bash or Applescript or if there is one way to inspect in terms of coding/script what exactly happens in Duplicate connection? I managed to clone the connection and create the three cloned items with the security command, but it always asks for the same items.

Thanks!


Tunnelblick Developer

Sep 24, 2025, 9:54:40 AM (8 days ago) Sep 24
to tunnelblick-discuss
Tunnelblick doesn't use the existence of an item in the Keychain to determine whether or not to ask for the username/password/private key. Instead, it uses a "preference" (macOS "default") that tells it an item is saved. (I made that poor design decision years ago. It has never changed because it works and there is always something more urgent to work on. Fixing it to test directly if an item was present in the Keychain would be a good project for a pull request.)

So, if items (username, password, private key) are saved in the Keychain, "Duplicate connection" also creates a preference (macOS "default") indicating that for each item. It is a per-connection preference:

If you create the preferences appropriately, the prompt will not appear.

The preferences are named
  • -keychainHasUsername
  • -keychainHasUsernameAndPassword
  • -keychainHasPrivateKey
The configuration name must be prepended to the preference name. For a configuration named FOO, the preference name would be "FOO-keychainHasUsernameAndPassword".

You can set these preferences using the macOS "defaults" command.

For the example above, if the username is saved in the Keychain but the password is not:
     defaults write net.tunnelblick.tunnelblick "FOO-keychainHasUsername" -bool yes

If both the username and password are saved in the Keychain:
     defaults write net.tunnelblick.tunnelblick "FOO-keychainHasUsernameAndPassword" -bool yes

If the private key is saved in the Keychain:
     defaults write net.tunnelblick.tunnelblick "FOO-keychainHasPrivateKey" -bool yes

Note that if Tunnelblick is running and you add a configuration outside of Tunnelblick (which is what you are doing when you create a duplicate configuration yourself), you need to tell Tunnelblick you have added the configuration. You can do that with the following command:

     osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "added or removed configurations" -e "end tell"

Gianluca Fadda

Sep 25, 2025, 3:31:04 AM (7 days ago) Sep 25
to tunnelblick-discuss
Hi,

Thanks a lot for the clarification! The commands work successfully. The last thing I would ask is if in some way there is one mechanism also to prevent this, instead of putting the MacOS password three times (one for the username, one for the password and the third one for the Private Key).
[attachment: Screenshot 2025-09-25 at 09.22.53.png]

Tunnelblick Developer

Sep 25, 2025, 4:53:11 AM (7 days ago) Sep 25
to tunnelblick-discuss
Sorry, I forgot about that! (But there is a way around that problem.)

macOS remembers the program that stored a Keychain item, and only allows that program to access the item. If a different program attempts to access the item, macOS shows the dialog you posted to get permission for the different program to access the item.

Usually, Tunnelblick itself stores the item, so users never see that dialog. (If a different program is signed by the same "signing identity" as the program that stored the item, it isn't considered to be different, so a new version of Tunnelblick is allowed to access the item without the dialog because we sign all versions of Tunnelblick with the same signing identity.)

So (sorry for not remembering this earlier): instead of having your program store the Keychain items (and set the preferences I wrote about earlier), you should be able to get around this restriction by using Tunnelblick's AppleScript commands to store the username, password, and/or private key. For example:

     osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save username \"NAME\" for  \"CONFIG\" -e "end tell"

where NAME is the username and CONFIG is the configuration name.

The other commands are "save password" and "save passphrase" (to save the private key).

That way Tunnelblick itself sets the Keychain items, so it will have permission to access them and avoid the "Tunnelblick wants to access key…" dialog. It also sets the preferences appropriately to take care of the original problem (always asking for the username/password/private key).
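A script that reproduces the two hidden steps of "Duplicate connection" as the developer describes them in the two replies above: mirroring the per-connection keychainHas* flags onto the new configuration name, then storing credentials through Tunnelblick's own AppleScript verbs so that Tunnelblick, not the script, is the owner of the Keychain items. This is an added example, not Tunnelblick's code; the preference domain, key names and verbs come from the replies, while TB_DEFAULTS and TB_OSASCRIPT are hypothetical overrides that let the functions be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not Tunnelblick's own code. Assumes the preference domain,
# the three "<config>-keychainHas*" keys and the "save <verb>" AppleScript
# commands named in the thread (it names "save passphrase" and later
# "save passkey" for the private key; the verb is passed through as given).
TB_DOMAIN="net.tunnelblick.tunnelblick"
TB_APP="/Applications/Tunnelblick.app"
TB_KEYS="keychainHasUsername keychainHasUsernameAndPassword keychainHasPrivateKey"

# Per-connection preference name, e.g. FOO-keychainHasUsernameAndPassword.
tb_pref_name() { printf '%s-%s\n' "$1" "$2"; }

# Prints 1 if the flag is set for the config, 0 if it is unset or missing.
# TB_DEFAULTS is a hypothetical stand-in for the macOS `defaults` tool (tests).
tb_pref_is_set() {
  v=$("${TB_DEFAULTS:-defaults}" read "$TB_DOMAIN" "$(tb_pref_name "$1" "$2")" 2>/dev/null) || v=0
  [ "$v" = 1 ] && echo 1 || echo 0
}

# Mirror onto DST exactly the flags SRC has set; prints each preference written.
# The flag, not the Keychain item, is what suppresses the credential prompt.
tb_copy_flags() {
  src=$1; dst=$2
  for key in $TB_KEYS; do
    if [ "$(tb_pref_is_set "$src" "$key")" = 1 ]; then
      "${TB_DEFAULTS:-defaults}" write "$TB_DOMAIN" "$(tb_pref_name "$dst" "$key")" -bool yes
      tb_pref_name "$dst" "$key"
    fi
  done
}

# Store a credential via Tunnelblick itself: tb_save <verb> <value> <config>.
# Tunnelblick then owns the Keychain item, so no "wants to access" dialog later.
# Prints Tunnelblick's reply, which should be "true". The value must not
# contain a double quote, since it is embedded in an AppleScript string literal.
tb_save() {
  "${TB_OSASCRIPT:-osascript}" -e "tell application \"$TB_APP\"" \
    -e "save $1 \"$2\" for \"$3\"" -e "end tell"
}

# Tell a running Tunnelblick that a configuration was added outside the app.
tb_notify_added() {
  "${TB_OSASCRIPT:-osascript}" -e "tell application \"$TB_APP\"" \
    -e "added or removed configurations" -e "end tell"
}
```

A credential passed on an osascript command line is visible in the process list for as long as the command runs, so in an MDM-deployed script prefer reading it from a file with restricted permissions over embedding it in the script body.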

Gianluca Fadda

Sep 26, 2025, 11:56:01 AM (6 days ago) Sep 26
to tunnelblick-discuss
Hello, 

Despite using osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save username \"NAME\" for  \"CONFIG\" -e "end tell"

The prompt below continues to appear when copying the new version of the VPN connection:

[attachment: Screenshot 2025-09-25 at 09.22.53.png]

But this is not a big deal, as I just need to put Always Allow with my Mac password three times.

Is there by the way one osascript single script that mimics:
- Duplicate
- Rename?

I would like to script it, if feasible. Especially because using Duplicate inside Tunnelblick also clones the three Keychain items.

Please let me know, thanks a lot!

Tunnelblick Developer

Sep 26, 2025, 5:15:04 PM (5 days ago) Sep 26
to tunnelblick-discuss
(1) I don't get that prompt with Tunnelblick 8.0 (build 6300) on macOS Sequoia 15.6.1. If you do, that may be a bug that we should fix.

What version of Tunnelblick and macOS are you using? Was it downloaded from the official Tunnelblick site (https://tunnelblick.net)?

Did you add the password, too, and if needed, the passkey (private key)? Or just the username?

After running the osascript commands, please post the output from:

     defaults read net.tunnelblick.tunnelblick | grep keychainHas

(Replace your configuration name with "XYZ").

and make sure the Keychain actually includes the username and password.

(2) We don't have AppleScript commands to duplicate or rename configurations because those operations require authorization by a computer administrator.

Tunnelblick Developer

Sep 26, 2025, 10:02:12 PM (5 days ago) Sep 26
to tunnelblick-discuss
There was an error in the command I wrote earlier, a missing double-quote character after the \"CONFIG\" :

osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save username \"NAME\" for  \"CONFIG\"" -e "end tell"

I assume you fixed that; otherwise Terminal would have complained about the missing quote.

Gianluca Fadda

Sep 29, 2025, 5:31:43 AM (3 days ago) Sep 29
to tunnelblick-discuss
Hi,

At the end your script was not incorrect because the missing quote comes before "tell application".

    "john.doe.v2-keychainHasUsernameAndPassword" = 1;

    "john.doe.v2-keychainHasPrivateKey" = 1;

I found out that despite the results being like this, if you launch one script from one MDM (like JAMF or NinjaOne) and get = 1, every MDM for some reason (probably MacOS security policies) returns back:
[attachment: Screenshot 2025-09-25 at 09.22.53.png]

So if you launch from your Mac, the popup above will not do anything:

     defaults write net.tunnelblick.tunnelblick "john.doe.v2-keychainHasUsernameAndPassword" -bool yes
     defaults write net.tunnelblick.tunnelblick "john.doe.v2-keychainHasUsername" -bool yes

But if you launch from one MDM, it will in some cases get what you want to do:

    "john.doe.v2-keychainHasUsernameAndPassword" = 1;

    "john.doe.v2-keychainHasPrivateKey" = 1;

But the popup still appears. So some internal mechanism interferes between Tunnelblick and the MacOS if you launch the commands by MDM.

Tunnelblick Developer

Sep 29, 2025, 10:13:24 AM (3 days ago) Sep 29
to tunnelblick-discuss

(1) If the following command is run in Terminal while logged in as the user using Tunnelblick 8.0 (build 6300) on macOS Sequoia 15.6.1:

     osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save username \"NAME\" for  \"CONFIG\"" -e "end tell"

this popup appears:
[attachment: Screenshot 2025-09-29 at 09.19.27.png]
If you click "Allow", the following two commands will run without that popup appearing:

     osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save password \"NAME\" for  \"CONFIG\"" -e "end tell"
     osascript -e "tell application \"/Applications/Tunnelblick.app\"" -e "save passkey  \"NAME\" for  \"CONFIG\"" -e "end tell"

And, after those three commands have been executed, the popup asking for access to the "Tunnelblick-auth…" key does not appear.

Does that work the same for you?

Notes:
  1. If at some point you have clicked the "Don't Allow" button, you can change that setting in System Settings >> Privacy & Security >> Automation >> Terminal >> Tunnelblick.
  2. The output in Terminal for each of the three commands should be "true", indicating that the command executed properly. If the output is "false" or an error message the command did not execute properly. (For example, if the CONFIG configuration does not exist, the output will be "false".)
===========

(2) I don't know how to get MDM or Jamf to avoid the "Terminal wants access…" popup but a quick search turned up the following, from https://stackoverflow.com/questions/65665161/running-apple-script-from-bash:

      "Since you're using an MDM, such as Jamf, you should be able to create a Privacy Preferences Policy Control (PPPC) configuration profile and deploy it to the Mac prior to running the script."

(I think you'd want to set the PPPC so that Terminal (or MDM/Jamf?) has access to control Tunnelblick.)
