Tunnelblick For Mac Config

Download the zip file and extract it in a folder. The TunnelBlick configuration files have an extension of .tblk. To run TunnelBlick to provide OpenVPN access in Split Tunnel mode, double-click on CECS.tblk. To run TunnelBlick to provide OpenVPN access in Full Tunnel mode, double-click on CECSFullTunnel.tblk. Your configuration should look like this.

Tunnelblick For Mac Configuration

  • Tunnelblick VPN Connection files (.tblk files), which include within them one OpenVPN configuration file and all key, certificate, and script files used by the configuration; and OpenVPN configuration files (.ovpn and .conf files).
  • FEATURES DESCRIBED ON THIS PAGE ARE AVAILABLE ONLY IN TUNNELBLICK 3.8.2beta03 AND HIGHER. A single Tunnelblick VPN Configuration can be easily updated.
  • Tunnelblick is a Graphic User Interface (GUI) for OpenVPN on macOS. It includes everything you need to run an OpenVPN client or server except OpenVPN configuration and encryption information. The Tunnelblick project does not supply OpenVPN configuration and encryption information.

On This Page
Introduction
Creation and Modification
Installation
Automatic Installation
Nested Configurations
Format
Info.plist
Preferences
Up/Down Scripts
Tunnelblick Scripts
CFBundleIdentifier Conflicts
Name Conflicts During Installation
Name Conflicts After Installation
Example Script to Create .tblks with IP Address Checking Disabled

Introduction

A Tunnelblick VPN Configuration (a 'Configuration') is a folder with an extension of .tblk that contains information about one or more VPN configurations.

  • Configurations provide a convenient way to distribute VPN configurations separately from the Tunnelblick application itself.
  • Configurations may be installed to be private to a single user or shared by all users of the computer.
  • Configurations may be automatically installed when Tunnelblick is installed.
  • Configurations may contain identification and version information to assist in version control.
  • Configurations may contain scripts that are run at particular points in the connection process.
  • Installing a Configuration requires a computer administrator username/password (as does Tunnelblick installation).
  • The configuration file of a Configuration that is private may be edited. The configuration file of a Configuration that is shared may only be examined.

Configurations are available in Tunnelblick 3.1 and up. Some features of Configurations described in this document may only be available on Tunnelblick 3.4beta30 and higher.

Configurations must be installed before they can be used. Install a Configuration by dragging it to the Tunnelblick icon in the menu bar. (The Tunnelblick application must have been installed before the Configuration is installed.)

Creation and Modification

See Creating and Installing a Tunnelblick VPN Configuration and Modifying a Tunnelblick VPN Configuration.

Installation

A Configuration is installed by dropping it on the Tunnelblick icon in the menu bar. A configuration can be installed automatically when Tunnelblick is installed from a disk image or a folder expanded from a .zip file (see Automatic Installation).

If there is only one OpenVPN configuration file inside a .tblk, a single Configuration will be installed and will have the name of the .tblk — the name of the configuration file will be ignored.

If there is more than one OpenVPN configuration file inside a .tblk, a Configuration will be installed for each configuration file, and will have the name of the configuration file.

When a Configuration is installed, its contents are copied and arranged in a special way and the copy is secured by setting the ownership and permissions on the copy's contents.

Unless specified otherwise in an Info.plist, when a Configuration is installed the user will be asked whether the Configuration is to be shared or private (for only that user). Configurations to be shared are copied to /Library/Application Support/Tunnelblick/Shared; Configurations to be kept private are copied to ~/Library/Application Support/Tunnelblick/Configurations.

Automatic Installation

When Tunnelblick is installed by Control-clicking a Tunnelblick.app that is not in /Applications and clicking 'Open', all .tblk Configurations in the 'auto-install' and '.auto-install' folders that are in the same folder that contains the Tunnelblick.app being installed are installed (subject to CFBundleIdentifier Conflicts and Name Conflicts During Installation).

The 'auto-install' and '.auto-install' folders can also contain a file named 'preferences.plist'. It may contain a 'set-only-if-not-present' key and/or a 'always-set' key. The value for each key should be a dictionary containing preferences to be set under the specified conditions.

Thus, one can construct a disk image (or a .zipped folder) which contains Tunnelblick.app and an 'auto-install' folder containing configurations and preferences to be installed along with Tunnelblick.

Nested Configurations

'Nested' Configurations make it easy to distribute many configurations in a single file.

Configurations may be nested one level deep. That is, a Configuration may contain within it other Configurations (and may also contain OpenVPN configuration files that are not in a Configuration). When such a Configuration is installed, everything within it is installed. The Configurations within a Configuration may not themselves include Configurations, however — only one level of included Configurations is allowed.

If configurations are in subfolders, the structure of the subfolders will be replicated when the configurations are installed.

Format

Tunnelblick Configurations are folders with an extension of '.tblk'. The extension causes macOS to treat the folder as a 'package' — in most cases it is treated as if it were a single file. To look at the contents of a package (i.e. inside what was the folder), Control-click the package and select 'Show Package Contents'.

Before installation, a Tunnelblick VPN Configuration can contain files and folders including:

  • An Info.plist file (see Info.plist).
  • One or more 'nested' Tunnelblick VPN Configurations.
  • One or more OpenVPN configurations (files with .ovpn or .conf extensions).
  • One or more key, certificate, or script files.

After installation, the contents of a Tunnelblick VPN Configuration are arranged as follows. Before installation all files can be arranged this way, or all files can be at the top level of the .tblk (that is, without the 'Contents/Resources' structure).

Info.plist

Info.plist is optional. If it exists, it must be a macOS property list file, with keys from the following table. The only mandatory key is TBPackageVersion; all others are optional.

| Key | Description | Default | Examples |
|---|---|---|---|
| CFBundleIdentifier (case-insensitive) | A string that uniquely identifies the configuration and the individual or organization distributing the Configuration. | (None) | com.example.tbconfigs.config27a |
| CFBundleVersion | A string representing the version number that is used to determine later/earlier versions of the Configuration (see CFBundleIdentifier Conflicts). The string must consist of a major version number, optionally followed by a decimal point and a minor version number, optionally followed by a decimal point and a bugfix version number. | (None) | 1.16.4 |
| CFBundleShortVersionString | A string to display as the version (in Get Info, for example). | (None) | 1.6 Test 3 |
| TBMinimumTunnelblickVersion | The minimum version of Tunnelblick with which the configuration should be installed. (Available in Tunnelblick 3.7.6beta03+.) | (None) | 3.7.4a, 3.7.5, 3.7.6beta01 |
| TBMaximumTunnelblickVersion | The maximum version of Tunnelblick with which the configuration should be installed. (Available in Tunnelblick 3.7.6beta03+.) | (None) | 3.7.4a, 3.7.5, 3.7.6beta01 |
| TBPackageVersion (required) | A string with the Configuration version number. | 1 | The string '1' (without the quotation marks) |
| TBReplaceIdentical | A string specifying whether to install the Configuration over a Configuration with the same CFBundleIdentifier. Must be 'yes', 'no', 'ask', or 'force' (without the quotation marks). | ask | yes |
| TBSharePackage | A string specifying whether to install the Configuration as shared or private, or to ask the user. Must be 'shared', 'private', or 'ask' (without the quotation marks). | ask | ask |
| TBKeepExistingFilesList | An array of filenames. Used for a configuration that is replacing an existing configuration. Each array entry is the filename (without path information) of a file that is not in the configuration being installed and which should be left as it is in the existing configuration that is being replaced. A single * character in the filename will match any number of any characters in the name. | (None) | client.key, client*.key, client.* |
| TBPreference | See Preferences. | | TBPreferenceuseDNS |
| TBAlwaysSetPreference | See Preferences. | | TBAlwaysSetPreferenceuseDNS |
| TBUninstall | If present (with any value), the .tblk will be uninstalled. | | |

Preferences

A Configuration's Info.plist may also optionally contain entries (strings, numbers, and booleans) with keys that start with 'TBPreference' or 'TBAlwaysSetPreference'. The entries are preferences for the configuration. Each entry will be copied to the user's regular preferences each time Tunnelblick loads or uses the Configuration (when Tunnelblick is launched or the Configuration is installed or connected). 'TBPreference' items are copied only if the preference is not already set, so they are for initial settings that a user is allowed to override. 'TBAlwaysSetPreference' items are always copied, so the user is, in effect, not allowed to override them. When the entries are copied, 'TBPreference' or 'TBAlwaysSetPreference' is replaced with the display name of the Configuration. Note that the 'autoConnect' option triggers a connection when Tunnelblick is started, so a configuration with 'TBPreferenceautoConnect' is not connected automatically when it is installed, but is connected automatically the next time Tunnelblick is launched. Note: 'TBAlwaysSetPreference' is only available in Tunnelblick 3.3beta10 and later.

In a Deployed version of Tunnelblick, the forced-preferences in Deploy will override any Configuration-specified preferences.

Up/Down Scripts

If the Configuration contains up.tunnelblick.sh, down.tunnelblick.sh, up.sh, down.sh, nomonitor.up.sh, and/or nomonitor.down.sh, those scripts will be used instead of Tunnelblick's standard scripts, or scripts in Deploy, when connecting with the Configuration and 'Set nameserver' is selected for the Configuration's configuration.

For backward compatibility, scripts other than up.tunnelblick.sh and down.tunnelblick.sh will be used if they exist.

In a Deployed version of Tunnelblick, a Configuration's up/down scripts will override the corresponding scripts in Deploy.

Tunnelblick Scripts

If the Configuration includes pre-connect.sh, post-tun-tap-load.sh, connected.sh, reconnecting.sh, post-disconnect.sh scripts, they will be executed (as root) at the corresponding point in the connection process. This allows manipulation of kexts and/or the network configuration and user notification of events. (If the scripts load special kexts, you can use the '-doNotLoadTapKext' and '-doNotLoadTunKext' preferences to cause Tunnelblick to not try to load its own kexts.) post-tun-tap-load.sh, connected.sh, and reconnecting.sh are available in Tunnelblick 3.2beta02 and later only. See Using Scripts for more details.
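
A pre-install check for the points above, as an added example (not Tunnelblick's own code): it walks a .tblk folder and reports the scripts this page says run as root, replaced up/down scripts, Info.plist keys that act without asking the user, and nesting deeper than one level. The severity labels, the function names and the sample package are assumptions of this example.

```python
import plistlib
import tempfile
from pathlib import Path

# Script names listed on this page (Tunnelblick Scripts, Up/Down Scripts).
ROOT_SCRIPTS = {"pre-connect.sh", "post-tun-tap-load.sh", "connected.sh",
                "reconnecting.sh", "post-disconnect.sh"}
UPDOWN_SCRIPTS = {"up.tunnelblick.sh", "down.tunnelblick.sh", "up.sh",
                  "down.sh", "nomonitor.up.sh", "nomonitor.down.sh"}


def audit_plist(path, rel):
    """Flag Info.plist entries that act without asking the user."""
    try:
        with open(path, "rb") as fh:
            info = plistlib.load(fh)
        if not isinstance(info, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # malformed or unexpected property list
        return [("error", f"{rel}: unusable property list ({exc})")]
    out = []
    if "TBPackageVersion" not in info:
        out.append(("error", f"{rel}: mandatory TBPackageVersion is missing"))
    replace = info.get("TBReplaceIdentical", "ask")
    if replace not in ("yes", "no", "ask", "force"):
        out.append(("error", f"{rel}: invalid TBReplaceIdentical {replace!r}"))
    elif replace in ("yes", "force"):
        out.append(("high", f"{rel}: TBReplaceIdentical={replace} can replace an "
                            "installed Configuration without notifying the user"))
    for key in sorted(info):
        if key.startswith("TBAlwaysSetPreference"):
            out.append(("high", f"{rel}: {key}={info[key]!r} is copied on every "
                                "load, so the user cannot override it"))
        elif key.startswith("TBPreference"):
            out.append(("info", f"{rel}: {key}={info[key]!r} is an initial setting"))
    return out


def audit_tblk(tblk):
    """Return (severity, message) findings for a .tblk folder and its contents."""
    tblk = Path(tblk)
    findings = []
    for path in sorted(tblk.rglob("*")):
        rel = path.relative_to(tblk)
        # Count enclosing nested .tblk folders; only one level is allowed.
        depth = sum(part.endswith(".tblk") for part in rel.parts)
        if path.is_dir():
            if depth > 1 and path.name.endswith(".tblk"):
                findings.append(("error", f"{rel}: nested more than one level deep"))
            continue
        if path.name == "Info.plist":
            findings += audit_plist(path, rel)
        elif path.name in ROOT_SCRIPTS:
            findings.append(("high", f"{rel}: executed as root during connection"))
        elif path.name in UPDOWN_SCRIPTS:
            findings.append(("medium", f"{rel}: replaces a standard up/down script"))
        elif path.suffix == ".sh":
            findings.append(("info", f"{rel}: additional script file"))
    return findings


def build_sample(root):
    """Constructed sample: outer Office.tblk holding one nested Configuration."""
    inner = Path(root) / "Office.tblk" / "branch.tblk"
    inner.mkdir(parents=True)
    (inner / "branch.ovpn").write_text("client\nremote vpn.example.com 1194\n")
    (inner / "connected.sh").write_text("#!/bin/bash\nexit 0\n")
    with open(inner / "Info.plist", "wb") as fh:
        plistlib.dump({"TBPackageVersion": "1", "CFBundleVersion": "1.16.4",
                       "CFBundleIdentifier": "com.example.tbconfigs.config27a",
                       "TBReplaceIdentical": "force",
                       "TBAlwaysSetPreferenceautoConnect": True}, fh)
    return inner.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for severity, message in audit_tblk(build_sample(tmp)):
            print(f"[{severity}] {message}")
```

Run it against a .tblk received from someone else before dragging the package onto the Tunnelblick icon; anything marked high deserves a read of the script or key in question.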

CFBundleIdentifier Conflicts

On automatic or manual installation of a Configuration, if a Configuration with an identical CFBundleIdentifier is already installed:

  • If the new Configuration's 'TBReplaceIdentical' is 'no', the Configuration will not be installed.
  • If the new Configuration's 'TBReplaceIdentical' is 'yes', the existing Configuration will be replaced without notifying the user if it has an equal or higher 'CFBundleVersion' than the existing installed Configuration. If it has a lower 'CFBundleVersion', the Configuration will not be installed.
  • If the new Configuration's 'TBReplaceIdentical' is 'force', the existing Configuration will be replaced without notifying the user.
  • If the new Configuration's 'TBReplaceIdentical' is 'ask', the existing Configuration will be replaced only after getting the user's consent.

When an existing Configuration is replaced, the new copy takes the display name of the existing version, regardless of the name of the new Configuration. Thus, the new version will inherit the existing version's preferences and Keychain items.
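
The replacement rules above as a small decision function, added here as an example and not taken from Tunnelblick's source. Comparing CFBundleVersion component by component as integers, and rejecting a missing or malformed version when TBReplaceIdentical is 'yes', are assumptions of this example, as are the function names and the constructed sample dictionaries.

```python
import re

# major, optional .minor, optional .bugfix (the format the Info.plist table requires)
VERSION_RE = re.compile(r"([0-9]+)(?:\.([0-9]+))?(?:\.([0-9]+))?")


def parse_version(text):
    """'1', '1.16' or '1.16.4' -> (major, minor, bugfix); anything else is rejected."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a valid CFBundleVersion: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def resolve_conflict(new, installed):
    """Decide what happens when `new` is installed while `installed` exists.

    Both arguments are Info.plist dictionaries.
    Returns 'install', 'replace', 'skip' or 'ask'.
    """
    # CFBundleIdentifier is case-insensitive.
    new_id = new.get("CFBundleIdentifier", "").lower()
    old_id = installed.get("CFBundleIdentifier", "").lower()
    if not new_id or new_id != old_id:
        return "install"  # no identifier conflict; name conflicts are separate
    mode = new.get("TBReplaceIdentical", "ask")
    if mode == "no":
        return "skip"
    if mode == "force":
        return "replace"  # replaced regardless of version, so downgrades pass
    if mode == "yes":
        newer_or_equal = (parse_version(new.get("CFBundleVersion", ""))
                          >= parse_version(installed.get("CFBundleVersion", "")))
        return "replace" if newer_or_equal else "skip"
    if mode == "ask":
        return "ask"
    raise ValueError(f"invalid TBReplaceIdentical: {mode!r}")


if __name__ == "__main__":
    # Constructed sample data.
    installed = {"CFBundleIdentifier": "com.example.tbconfigs.config27a",
                 "CFBundleVersion": "1.16.4"}
    for mode in ("no", "yes", "force", "ask"):
        older = {"CFBundleIdentifier": "com.example.tbconfigs.config27a",
                 "CFBundleVersion": "1.9", "TBReplaceIdentical": mode}
        print(mode, "->", resolve_conflict(older, installed))
```

Note that 1.9 is older than 1.16.4 under numeric comparison even though it sorts later as a string, and that only 'force' lets the older package replace the installed one silently.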

Name Conflicts During Installation

If the display name of a Configuration is the same as the name of an existing .ovpn or .conf file or an existing Configuration that has a different CFBundleIdentifier, the user will be asked to rename the Configuration or cancel the installation.

Name Conflicts After Installation

Configurations are displayed from

  • Tunnelblick.app/Contents/Resources/Deploy
  • /Library/Application Support/Tunnelblick/Shared/*.tblk
  • /Library/Application Support/Tunnelblick/Shared/*.ovpn and *.conf
  • ~/Library/Application Support/Tunnelblick/Configurations/*.tblk
  • ~/Library/Application Support/Tunnelblick/Configurations/*.ovpn and *.conf

in that order. If a display name matches an earlier display name, the later configuration will be ignored and only the earlier display name will be displayed, making only the earlier configuration available.

Example Script to Create .tblks with IP Address Checking Disabled

Below is a bash script that creates .tblks from OpenVPN configuration files. Each .tblk includes an Info.plist that disables IP address checking. (The script can be modified to set different preferences for the configuration so IP address checking is enabled, or to enable or disable some other feature.)

The .tblks can be installed (as usual) by dragging/dropping them onto the Tunnelblick icon in the menu bar. They may be dragged/dropped individually or as a group.

Or the .tblks can be copied into a folder, and the folder renamed with an extension of .tblk. That (outer) .tblk can be compressed and sent to users as a single .zip file. After decompressing the .zip file, users could then drag/drop the (outer) .tblk onto the Tunnelblick icon in the menu bar to install all of the configurations at once.

(To create a subfolder structure to group configurations together, arrange the inner .tblks in folders as desired before renaming the outer folder to have a .tblk extension.)

Note: the script looks long and complicated, but almost all of it deals with the command line arguments. The part of the script that actually creates the .tblk is the three commands near the end, which create the .tblk, copy the OpenVPN file, and create the Info.plist.

'no_ipa_check.sh':

Tunnelblick Mac Configuration Files

On This Page
Setting Up and Installing Configurations
Converting OpenVPN Configurations to Tunnelblick VPN Configurations
Creating and Installing a Tunnelblick VPN Configuration
Modifying a Tunnelblick VPN Configuration
Files Contained in a Tunnelblick VPN Configuration
The 'Set Nameserver' Check Box and DNS & WINS Settings
The OpenVPN --user and --group options and openvpn-down-root.so

Stop if you have a 'Deployed' version of Tunnelblick. It comes already set up; you do not need to do anything more. Just start using it and enjoy!

Stop if you have purchased VPN service from a VPN service provider. They should provide you with configuration files and instructions on how to use them with Tunnelblick.

Stop if you have VPN service from a corporate or other network provided by your employer. Your network manager or IT department should provide you with configuration files and instructions on how to use them with Tunnelblick.

Stop if you want details about the structure of a Tunnelblick VPN Configuration; see '.tblk' Details.

Otherwise, continue!

Setting Up and Installing Configurations

First, install Tunnelblick and launch it so it is running.

It is not enough to install Tunnelblick: you also need to tell Tunnelblick how to connect to a VPN.

You tell Tunnelblick how to connect to a VPN with a configuration file.

If you already have configuration files you can install them by dragging and dropping them onto the Tunnelblick icon in the menu bar.

After installing your configurations, continue with 'Set Nameserver' Check Box and DNS & WINS Settings, below.

If you don't have configuration files or you want more information about them continue reading.

Tunnelblick can use two types of configuration files:

  • Tunnelblick VPN Configurations. A Tunnelblick VPN Configuration contains all of the information Tunnelblick needs to connect to one or more VPNs. A Tunnelblick VPN Configuration contains one or more OpenVPN configuration files, and may contain key, certificate, and script files. Everything needed is contained within the Tunnelblick VPN Configuration. Tunnelblick VPN Configurations may also contain other information, including information about default preferences for the configuration and identification and version information for the configuration itself that make managing widespread distribution easier. For details, see Tunnelblick VPN Configurations Details.

  • OpenVPN configuration files. These are plain text files with extensions of .ovpn or .conf. These files usually contain only the configuration information; keys and certificates may be held in separate files. When installed, they are converted to Tunnelblick VPN Configurations. For more information about setting up Tunnelblick using OpenVPN configuration files, see Configuring OpenVPN.

Converting OpenVPN Configurations to Tunnelblick VPN Configurations

You can drag and drop OpenVPN configurations onto the Tunnelblick icon in the menu bar and they will be installed as Tunnelblick VPN Configurations.

Creating and Installing a Tunnelblick VPN Configuration

To create a Tunnelblick VPN Configuration:

  1. Create a folder anywhere (on your Desktop works well);
  2. If you have only one OpenVPN configuration file, name the folder with the name you want the configuration known by in Tunnelblick. (Otherwise, each configuration will be known in Tunnelblick by the name of the OpenVPN configuration file that it is based on);
  3. Copy all the files related to the configuration(s) into the folder (see Files Contained in a Tunnelblick VPN Configuration, below);
  4. Add an extension of '.tblk' at the end of the folder name. When you do this the icon for the folder will change to an icon for a Tunnelblick VPN Configuration.
  5. Drag and drop the folder's new icon onto the Tunnelblick icon in the menu bar to install it.

When you install, you will be asked if you want each configuration to be private or shared. A private configuration may only be used when you are logged onto the computer. A shared configuration may be used by anyone who is logged into the computer. If the name you have given conflicts with the name of an existing installed configuration, you will be given the opportunity to change the name.

The process of installation will copy the .tblk to a special location on your computer (see File Locations) and make changes to it so it can be used securely. You can then delete the original .tblk you created, or move it somewhere convenient as a backup, or copy or move it to another computer and install it on that computer.

That's it! You are done. The configuration(s) will be available immediately in Tunnelblick.

Modifying a Tunnelblick VPN Configuration

You can modify a Tunnelblick VPN Configuration two ways:

  • If you want to change the contents of an installed OpenVPN configuration file that is installed as a Private configuration, you should select the configuration in Tunnelblick's VPN Details window, then click the 'gear' button at the bottom of the list and select 'Edit OpenVPN Configuration File..'. That will open the installed OpenVPN configuration file in TextEdit. Changes take effect as soon as the file is saved in TextEdit. Note that this does not modify your original .tblk; it modifies the installed copy only.

  • You can't change the contents of an installed OpenVPN configuration file that is installed as a Shared configuration. (You can convert it to be a Private configuration, edit it, and then change it back to be Shared.)

  • If you want to make other changes (to the key/certificate files, for example), you'll have to
  1. Modify your original .tblk to include the changes (rename it to not end in '.tblk', then make the changes, then rename it to end in '.tblk' again);
  2. Drag and drop the modified .tblk onto the Tunnelblick icon in the menu bar to install it.

Files Contained in a Tunnelblick VPN Configuration

The files that should be contained in a Tunnelblick VPN Configuration (the 'files related to the connection' above) should all be 'plain text' files:

  • One or more OpenVPN configuration files (.ovpn or .conf files).
  • Any certificate or key files for the configurations (.key, .crt, .pem, .cer, .der, .p12, .p7b, .p7c, and .pfx files); and
  • Any script files for the configurations. Script files must have a .sh extension so that Tunnelblick can secure them and use them properly.

The 'Set Nameserver' Check Box and DNS & WINS Settings

If you are using DHCP, wish to use DNS and WINS servers at the far end of the tunnel when connected, and the VPN server you are connecting to 'pushes' DNS and WINS settings to your client, select 'Set nameserver'. (This is the situation for most users.)

If you are using DHCP, wish to use your original DNS and WINS servers when connected, and the VPN server you are connecting to does not 'push' DNS or WINS settings to your client, select 'Do not set nameserver'.

If you are using manual settings, different versions of macOS behave differently. This is due to a change in network behavior in Snow Leopard and is beyond the scope of this project to fix.

If you're using Leopard (OS X 10.5) or Tiger (OS X 10.4), then it is possible to use the VPN-server-supplied DNS and WINS settings in addition to your manual settings by selecting 'Set nameserver'. However, your manual settings will always take precedence over any VPN server-supplied settings. If 'Do not set nameserver' is selected, you will continue to use only your manually-configured settings and any VPN server-supplied settings will be ignored. 'Take precedence' means that the manual DNS server will be used for all DNS queries unless it fails to answer, in which case the VPN server-supplied DNS server will be used.

If you are using Snow Leopard (OS X 10.6) or later, then your usual DNS and WINS settings will always be used, and no aggregation of configurations will be performed.

  • If you set your DNS servers manually, then regardless of the state of 'Set nameserver', your manual DNS servers, Search Domains, and WINS servers will always be the only ones used unless you set the configuration to 'Allow changes to manually-set network settings'.

  • Each of these settings is independent of the others: if 'Set nameserver' is selected, those settings not configured manually will be replaced by the settings obtained from the VPN server. If 'Do not set nameserver' is selected, then as with Leopard/Tiger, no DNS/WINS settings will be applied unless you set the configuration to 'Allow changes to manually-set network settings'.

If your situation is not described above (e.g., if you use manual DNS settings and wish to use DNS servers at the far end of a tunnel when connected, or you wish to use the macOS ability to use different nameservers for different domains), you must create your own up/down scripts and select 'Set nameserver'.

The OpenVPN --user and --group options and openvpn-down-root.so

When using 'Set nameserver' or your own down script for OpenVPN, it is usually necessary to avoid using the OpenVPN 'user' and 'group' options in the configuration file. These options cause OpenVPN to drop root privileges and take the privileges of the specified user and group (usually, 'nobody'). If this is done, then the down script that handles restarting connections when there is a transient problem fails, because it is run without root privileges. OpenVPN usually fails, too, if your configuration performs any routing (most configurations do).

However, Tunnelblick includes the 'openvpn-down-root.so' plugin for OpenVPN. When this plugin is activated, OpenVPN still drops root privileges and runs as the specified user:group after a connection is made, but runs the down script as root:wheel, so reconnecting after transient network problems can work if OpenVPN does not need to restore any routes.

When you connect with a configuration that includes the 'user' and/or 'group' options in the configuration file, Tunnelblick will ask if you wish to use the openvpn-down-root plugin. Answer 'yes' and Tunnelblick will use the plugin each time it makes a connection. OpenVPN will still be unable to make route changes after the initial connection; they have to be made in your own customized scripts.
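
A check for the situation this section describes, as an added example that is not part of Tunnelblick: it scans an OpenVPN configuration for the 'user' and 'group' options and for routing directives, skipping comments and inline blocks. The function names, the set of routing options checked and the sample configuration are assumptions of this example; routes pushed by the server are not visible in the file and are not detected.

```python
import re

INLINE_TAG = re.compile(r"^<([A-Za-z0-9_-]+)>$")
# Routing directives looked for in the file itself (assumed set for this example).
ROUTING = {"route", "route-ipv6", "redirect-gateway"}

# Constructed sample configuration.
SAMPLE = """\
client
dev tun
remote vpn.example.com 1194
# user root   <- commented out, must be ignored
user nobody
group nobody
route 10.8.0.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
user Zm9v (constructed filler inside an inline block, not a directive)
-----END CERTIFICATE-----
</ca>
"""


def directives(text):
    """Yield (name, args) per directive; comments and inline blocks are skipped."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = INLINE_TAG.match(line)
        if tag:
            inline = tag.group(1)
            continue
        name, *args = line.split()
        yield name.lstrip("-"), args  # accept 'user' and '--user' alike


def check_privilege_drop(text):
    """Report whether the configuration drops root and what that affects."""
    user = group = None
    routes, notes = [], []
    for name, args in directives(text):
        if name == "user" and args:
            user = args[0]
        elif name == "group" and args:
            group = args[0]
        elif name in ROUTING:
            routes.append(" ".join([name, *args]))
    drops = user is not None or group is not None
    if drops:
        notes.append("OpenVPN drops root after connecting; without the "
                     "openvpn-down-root plugin the down script runs unprivileged")
        if routes:
            notes.append("route changes after the initial connection will fail; "
                         "make them in your own scripts")
    return {"drops_privileges": drops, "user": user, "group": group,
            "routes": routes, "notes": notes}


if __name__ == "__main__":
    result = check_privilege_drop(SAMPLE)
    print(result["user"], result["group"], result["routes"])
    for note in result["notes"]:
        print("-", note)
```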