I only need tap, not the whole VPN setup


Galen Tackett

Aug 3, 2021, 5:20:48 PM
to tunnelblick-discuss
I have MacOS Mojave 10.14.6.

I want to set up a virtual bridge on this Mac and judging from the instructions for the application I need to connect, a VM called simh, I need to provide it a tap device to connect to the virtual bridge.

I only need a tap driver on this Mac to connect to the virtual bridge. I don't need a complete VPN setup.

I used to have tuntaposx installed, so I removed its kexts and LaunchDaemon files.

Then I installed tunnelblick but that alone didn't create a /dev/tap0.

Can I simply get tunnelblick to create tap0 for me? I can set the ifconfig parameters myself, although if tunnelblick can do that for me, that would also be okay.

Thanks!

Galen

Tunnelblick developer

Aug 3, 2021, 6:48:25 PM
to tunnelblick-discuss
Tunnelblick loads and unloads its kexts dynamically as it connects and disconnects VPNs, so it won't create a tap0 for you to use unless you can use "simh" while a VPN is connected.

However, you can load and unload Tunnelblick's kexts using a command included in Tunnelblick. Tunnelblick's kexts are signed and notarized, so they can be used on all recent versions of macOS.

You don't need to be running Tunnelblick to load a kext, but you need to have installed Tunnelblick (once). Installing Tunnelblick will install its "daemon" (tunnelblickd), which allows non-privileged users to perform certain privileged operations.

After installing Tunnelblick, you can load a tap kext with the following command in Terminal (or a script):

/Applications/Tunnelblick.app/Contents/Resources/openvpnstart loadKexts 2

(The "2" is a bitmask consisting of a "1" in bit 1, which indicates a tap kext should be loaded.)

The command to unload a tap kext is similar:

/Applications/Tunnelblick.app/Contents/Resources/openvpnstart unloadKexts 2

Notes:
  • These commands load and unload tap0...tap15.
  • The unload command always tries to unload "foo.tap", which will fail; you can simply ignore that error.
  • The "openvpnstart" command is used to interface with tunnelblickd.
  • Recent versions of macOS require additional user input the first time a kext is loaded; see Tunnelblick on macOS High Sierra and macOS Mojave, Tunnelblick on macOS Catalina, or Tunnelblick on macOS Big Sur.
  • To load or unload Tunnelblick's tun kext, replace the "2" in the commands with a "1". Note that there are no known circumstances when this needs to be done; the macOS "utun" device driver included in macOS 10.6.8 and higher should be used instead.
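
A wrapper around the two commands from the reply above, added here as an example (not code from Tunnelblick or from either poster). It assumes the device nodes show up as /dev/tap0 through /dev/tap15 and that openvpnstart exits non-zero when loading fails; `count_tap_nodes`, `load_tap`, `unload_tap`, `OPENVPNSTART` and `DEV_DIR` are names made up for the example.

```shell
#!/bin/sh
# Added example, not part of Tunnelblick. The defaults are the paths from the
# reply above; OPENVPNSTART and DEV_DIR (hypothetical names) can be overridden
# so the logic can be exercised on a machine without Tunnelblick.
OPENVPNSTART="${OPENVPNSTART:-/Applications/Tunnelblick.app/Contents/Resources/openvpnstart}"
DEV_DIR="${DEV_DIR:-/dev}"
TAP_MASK=2   # bit 1 set = tap kext, per the reply; "1" would select the tun kext

# Print how many of tap0..tap15 exist under DEV_DIR.
count_tap_nodes() {
    n=0
    i=0
    while [ "$i" -le 15 ]; do
        if [ -e "$DEV_DIR/tap$i" ]; then n=$((n + 1)); fi
        i=$((i + 1))
    done
    echo "$n"
}

# Load the tap kext, then confirm that device nodes really appeared.
# Returns 1 if the command failed (assumption: it exits non-zero on failure)
# or if no node exists afterwards, e.g. while the kext still awaits the
# first-time approval macOS asks for.
load_tap() {
    "$OPENVPNSTART" loadKexts "$TAP_MASK" || return 1
    [ "$(count_tap_nodes)" -gt 0 ]
}

# Unload the tap kext. The reply notes that the command always also tries to
# unload "foo.tap" and that this error can be ignored, so the exit status is
# not trusted; success means no tap node is left. Nodes remaining means the
# kext did not unload.
unload_tap() {
    "$OPENVPNSTART" unloadKexts "$TAP_MASK" >/dev/null 2>&1 || true
    [ "$(count_tap_nodes)" -eq 0 ]
}

# Command-line use: "load" before starting the VM, "unload" afterwards.
case "${1:-}" in
    load)   load_tap ;;
    unload) unload_tap ;;
esac
```

Unloading the kext when the VM is finished keeps third-party kernel code loaded only for as long as it is needed.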

Galen Tackett

Aug 4, 2021, 9:30:21 PM
to tunnelblick-discuss
Thanks!

I’m looking forward to trying this out when I can get back to my system, but it’s along the lines of what I expected to learn here, so I've no doubt it will do the trick.

Galen Tackett

Aug 23, 2021, 5:25:26 PM
to tunnelblick-discuss
I now have my simh VM connecting its simulated ethernet "eth0" to tap0.

I notice that the MAC address that gets assigned to tap0 is random. I assume that's being assigned by the kext each time it creates tap0.

Is there any way to control the MAC address that gets used, like designating a pool or range of addresses for tap devices, or specifying that tap device number "n" always should use a MAC address?

Tunnelblick developer

Aug 23, 2021, 8:10:22 PM
to tunnelblick-discuss
There isn't a way to set it in advance, but there may be a way to dynamically change it (an "ioctl", maybe?). Although tuntaposx (which is the source of Tunnelblick's tun and tap kexts) is no longer maintained, you might try asking on their mailing list; see the tuntaposx home page.

Die Google

Nov 3, 2022, 4:55:16 AM
to tunnelblick-discuss
Pardon my ignorance, and my apologies for resurrecting an old thread, but isn't the tap device supposed to be visible in System Preferences -> Network? I entered this command (which completed successfully), but there isn't a new interface in the GUI (which I think is necessary if I want to use an IP on that interface as the router). 

Tunnelblick developer

Nov 3, 2022, 6:41:00 AM
to tunnelblick-discuss
TUN and TAP devices do not appear in System Preferences >> Network.

There are three parts to getting a TAP or TUN device ready for use:
  1. On macOS Big Sur and higher, you must install the kext.
  2. You must load the kext.
  3. You must create the specific device or devices (tap0, tap1, etc.) and then destroy it when you are finished using it.
#1 is initiated by Tunnelblick automatically (if necessary). The user must then manually approve the installation, which is a complex process. See Installing System Extensions for details.

#2 is done by Tunnelblick automatically (if necessary) each time a VPN is connected. You can load the kext with the openvpnstart command described earlier.

#3 is done by OpenVPN. The source code for OpenVPN is publicly available. You can read the code to find out how it creates/destroys the tun and tap device.

Die Google

Nov 5, 2022, 6:06:03 AM
to tunnelblick-discuss
I've also been trying to get Monterey to route to the gateway on a virtual network and using route add doesn't work like it does in Mojave. Other machines on the network have no problem using the router, and I can ping to the router. tcpdump confirms that the router receives pings but no attempt to route.

Die Google

Nov 5, 2022, 1:38:05 PM
to tunnelblick-discuss
I attempted to create the Network Service by editing /Library/Preferences/SystemConfiguration/preferences.plist to no avail.

Dead Ballo

Nov 5, 2022, 3:13:40 PM
to tunnelbli...@googlegroups.com
I managed to create the Network Service for my virtual network by editing:

/Library/Preferences/SystemConfiguration/preferences.plist

Unfortunately, the settings which worked in Mojave do not work in Monterey. Now the routing table is created automatically (and looks identical to how I set them manually), but it still won't route. The only curious difference is

route get 8.8.8.8

takes a lot longer now for whatever reason. Same result, however. 
