How does Tunnelblick know whether to look in the keychain for credentials?

Skip to first unread message

Aug 28, 2016, 2:35:41 PM8/28/16
to tunnelblick-discuss
I have a large (~100) number of configurations which I am trying to migrate from one Mac to another.  I made a copy of the keychain file from the old Mac, and loaded it on the new Mac, and copied all the Tunnelblick items into my login keychain on the new Mac.  On the new Mac, I am allowing Tunnelblick (version 3.6.5) to install the VPN config files (I am not trying to manually copy them from the old Mac).

When I try to connect, it doesn't get the credentials from the keychain, it asks me to manually enter the user name and password, which I would have to do for a hundred different configurations.  Once I have manually entered and stored the credentials, I see the following in the connection log:

2016-08-28 11:40:14 *Tunnelblick: Established communication with OpenVPN
2016-08-28 11:40:14 *Tunnelblick: Obtained VPN username and password from the Keychain
2016-08-28 11:40:14 OpenVPN 2.3.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jul 18 2016

However, before I have re-entered the password for a configuration, the connection log looks like this (if I choose to cancel instead of typing in the login info):

2016-08-28 11:37:24 *Tunnelblick: Established communication with OpenVPN
2016-08-28 11:37:24 OpenVPN 2.3.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jul 18 2016
2016-08-28 11:37:24 library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
2016-08-28 11:37:24 MANAGEMENT: TCP Socket listening on [AF_INET]
2016-08-28 11:37:24 Need hold release from management interface, waiting...
2016-08-28 11:37:24 MANAGEMENT: Client connected from [AF_INET]
2016-08-28 11:37:24 MANAGEMENT: CMD 'pid'
2016-08-28 11:37:24 MANAGEMENT: CMD 'state on'
2016-08-28 11:37:24 MANAGEMENT: CMD 'state'
2016-08-28 11:37:24 MANAGEMENT: CMD 'bytecount 1'
2016-08-28 11:37:24 MANAGEMENT: CMD 'hold release'
2016-08-28 11:37:24 *Tunnelblick: openvpnstart starting OpenVPN
2016-08-28 11:37:29 *Tunnelblick: Disconnecting; user cancelled authorization

What I can't tell from the second log entry is whether Tunnelblick tried to get the credentials from the keychain and failed (ie, I did something wrong migrating my keys), or whether it didn't even try looking in the keychain at all, because it thinks this is a new configuration for which I have not previously stored credentials.  There isn't anything I see in the log that says anything about interacting with the keychain.

Does anybody know if Tunnelblick automatically looks in the keychain all the time, or does there have to be some flag set for each configuration that tells it to look in the keychain... and if there is flag that has to be set, can I do it manually so I don't have to re-enter my credentials a hundred times?


Tunnelblick developer

Aug 28, 2016, 6:01:41 PM8/28/16
to tunnelblick-discuss,
If all of your configurations have the same username and password ("credentials"), you can save yourself a lot of trouble by telling that to Tunnelblick on the "VPN Credentials" tab of the "Advanced" settings window. Just put a check in "All configurations use Common credentials.

If groups of your configurations have the same username/password (for example, ten configs with one username/password, five with another, and fourteen with another) you can create named credentials (type the name in the box and click the  "Add Credentials" button) and tell Tunnelblick that particular configs use the credentials with that name (click on the drop-down list that by default says "This configuration has its own separate credentials", and select the name. You can add as many names as you want, and any number of configurations can use any particular named credentials.

If you really have 100 configs with 100 different usernames and passwords, you could tell Tunnelblick that the username (only) for configuration "XYZ" is saved in the Keychain using the following command typed into Terminal (all on one line):

defaults  write  net.tunnelblick.tunnelblick  XYZ-keychainHasUsername  -bool  YES

Similarly, if the Keychain contains both the username and the password:
defaults  write  net.tunnelblick.tunnelblick  XYZ-
keychainHasUsernameAndPassword  -bool  YES
and if the Keychain has the private key (passphrase):
defaults  write  net.tunnelblick.tunnelblick  XYZ-keychainHasPrivateKey  -bool  YES
(These commands set "preferences" for Tunnelblick. They are used is because under certain circumstances Tunnelblick cannot find out if the Keychain has a particular item without triggering a user interaction. By tracking with a preference, Tunnelblick avoids that interaction. It is something left over from earlier versions of OS X, and at some point Tunnelblick may be able to check the Keychain directly and these preferences will no longer be used.)

As an alternative, you could copy the preference file from the old computer to the new computer. The file is located at


That will set up the preferences the way they were on the old computer.

Aug 28, 2016, 9:32:13 PM8/28/16
to tunnelblick-discuss
There are a mix of credential types; in the future I may take advantage of the shared group credentials but in this case copying the plist was faster and worked fine, with the added benefit of keeping some of the other changes I had made to some of the default settings so I didn't have to go back and change those manually.  Thanks for the fast reply.  Also, I'd like to give a shout out to whoever decided to introduce adminstrator mode in the recent versions.  That also saves a lot of password typing.  :-)

Tunnelblick developer

Aug 28, 2016, 11:28:45 PM8/28/16
to tunnelblick-discuss,
I'm glad copying the .plist worked well for you.

Important note for everyone/anyone about changing settings: When changing settings for configurations, the changes are applied to all configurations selected on the left side of the Configurations tab of the VPN Details window. That's true both for changes made in the VPN Details window and changes made in the Advanced window. Use the usual OS X (now macOS) methods to select multiple items: , Command-A to select all, or the Command key and the Shift key while clicking to select multiple items.
Reply all
Reply to author
0 new messages