Can I use OpenVPN w/ plain Mac OS X (not Tunnelblick)?

Question

Level 1

0 points

Can I use OpenVPN w/ plain Mac OS X (not Tunnelblick)?

I have an OpenVPN server, and would like to configure my MBA as an OpenVPN client. I see that the Mac OS X (Mountain Lion) supports VPN, and in particular supports L2TP/IPSec. I believe this is what OpenVPN uses (or can be configured to use) - so is there a way to avoid using Tunnelblick (the open source client generally suggested for Mac OS X)? I'd prefer to have less rather than more third-party software involved.

If I can configure Mountain Lion as an OpenVPN client, please point me to a link for documentation (searches haven't been successful so far) or include the proper settings.

If it is not possible, just out of curiosity, I'd apprecate an explanation of why not?

Thanks.

MacBook Air, OS X Mountain Lion (10.8.4)

Posted on Mar 17, 2014 2:58 PM

Reply

Answer 1

Nov 21, 2017 12:31 PM in response to Linc Davis

Linc,

So fast forwarding three+ years is this still true or does MacOS now support OpenVPN natively?

Reply

Answer 2

Linc Davis

Level 10

209,739 points

Mar 17, 2014 4:18 PM in response to ags000

OpenVPN works via a completely different mechanism than L2TP/IPSec, and requires a kernel extension that is not included in OS X. If you don't like "Tunnelblick," there's a commercial client called "Viscosity."

Reply

Answer 3

jkbull

Level 1

86 points

Mar 17, 2014 8:12 PM in response to ags000

Linc Davis is correct. The kernel extension (kext) that is needed is either a "tun" or a "tap" kext, depending on which type of VPN you are creating (it is something specified in the OpenVPN configuration file, and must be the same on the server and the client).

The kexts used by Tunnelblick [1] are from the tuntaposx project [2]. Tunnelblick includes several versions of each of the tun and tap kexts (one for OS X 10.4 and 10.5, one for 10.6 - 10.8, and one for 10.9) and loads/unloads the appropriate version dynamically as the VPN is created/destroyed.

Tunnelblick also includes binaries of two versions of OpenVPN with the latest version of the OpenSSL [3] library imbedded in each. If you use a version of OpenVPN that does not imbed OpenSSL, OpenVPN will use the command-line version of OpenSSL included in your version of OS X. That is almost always an old version and will not include some high-key-length ciphers, which means they wiil be unavailable.

If you use Tunnelblick, that's all you need -- it contains everything you need. If you want to "do it yourself", you'll need OpenVPN and either a tun or a tap kext (or both, depending on your configurations), and you may want a newer version of OpenVPN.

Viscosity [4] also includes the necessary kexts and I believe it also imbeds an OpenSSL library in its OpenVPN binary. Viscosity has a version for Windows, too.

1. https://tunnelblick.net

2. http://tuntaposx.sourceforge.net

3. https://www.openssl.org

4. http://www.sparklabs.com/viscosity

Reply

Answer 4

Jul 13, 2014 12:40 AM in response to ags000

Hello!

You can use the original OpenVPN Connect app original from your Openvpn server, just maintain the control key pressed when install the app and this will avoid the third party restriction because it is not developed to Apple App Store.

It worked fine for me

Good Luck

Reply