VPN - Built-In or Tunnelblick?

I'm using the native, built-in OS X (El Capitan) VPN client and it works. It's L2TP, which is okay, but Open VPN is better. My question is whether Open VPN is enough better to warrant moving to Tunnelblick, the open source VPN client. Thanks.

MacBook Pro with Retina display, OS X El Capitan (10.11.1)

Posted on Dec 7, 2015 6:19 PM

17 replies

Dec 8, 2015 7:22 PM in response to Linc Davis

Linc Davis wrote:


I believe that "Tunnelblick" depends on kernel extensions, which I avoid, but as it's free, you don't risk anything by testing it yourself. Just make sure you know how to remove it if it causes problems. That goes for all third-party software.


Tunnelblick normally only uses a kernel extension (which is built into Tunnelblick) for "tap" connections. For "tun" connections, Tunnelblick uses the "utun" driver (built into OS X since 10.6.8) unless the OpenVPN configuration specifies that a "tun" connection should be used, which is possible but exceedingly rare.


Most VPN service providers supply "tun" connections, so usually Tunnelblick does not use any of its kernel extensions.


In any case, Tunnelblick never installs kernel extensions; it dynamically loads them only while they are needed (when a VPN is connected) and unloads them when they are no longer needed (i.e. when the VPN is disconnected).

Dec 8, 2015 7:56 PM in response to jfromhelotes

jfromhelotes wrote:


To rephrase - the native OS X client works, but is limited to L2TP. Is it worth trying Tunnelblick in order to get Open VPN?


An Internet search for l2tp vs openvpn will yield lots of results -- take a look yourself. The consensus seems to be that OpenVPN is better than L2TP/IPSec (L2TP by itself does no encryption but often when people talk about "L2TP" they mean "L2TP/IPSec").


Is a better VPN worth an hour of your time to try it out? Only you can decide that.


Thanks. Uninstall looks pretty involved, so I'll stay native/L2TP for now. It looks as if it's more involved than "which is better?"


The instructions for uninstalling Tunnelblick are complicated because they deal with several unusual situations.


If you installed Tunnelblick normally, to uninstall it all you do is the following:


  1. Download the latest uninstaller from the Tunnelblick downloads page.
  2. Launch the uninstaller by double-clicking its icon.
  3. Follow the prompts.


The best place for help with Tunnelblick is the Tunnelblick Discussion Group.

Dec 8, 2015 8:45 PM in response to jkbull

Thanks, I did try it, primarily because L2TP/IPSec is potentially compromised. I did say "potentially."


OpenVPN installed easily enough, but the config file supplied by my VPN service would not load, so it was useless, at least for now. It also uninstalled easily, given that I installed normally.


OTOH, I'm doing nothing NSA would care about and native L2TP/IPSec is good enough for Starbucks and motels. Irritating, though.


When I get the energy to research and write my own config files I'll try it again. I have no hope the VPN service help desk will be able to figure this out by themselves.


ETA: The discussion group jkbull cited had had a recent citation of the same problem: https://stackoverflow.com/questions/32976160/unable-to-add-a-config-file-to-tunnelblick

They suggest clicking that they DO NOT have config files, then replacing the sample one with the one I've been supplied by my VPN service, while others suggest that installing the beta version will fix the issue. I wonder what the underlying problem actually is...

Dec 9, 2015 4:29 AM in response to jfromhelotes

jfromhelotes wrote:


OpenVPN installed easily enough, but the config file supplied by my VPN service would not load, so it was useless, at least for now. It also uninstalled easily, given that I installed normally.


When I get the energy to research and write my own config files I'll try it again. I have no hope the VPN service help desk will be able to figure this out by themselves.


ETA: The discussion group jkbull cited had had a recent citation of the same problem: https://stackoverflow.com/questions/32976160/unable-to-add-a-config-file-to-tunnelblick

They suggest clicking that they DO NOT have config files, then replacing the sample one with the one I've been supplied by my VPN service, while others suggest that installing the beta version will fix the issue. I wonder what the underlying problem actually is...


Tunnelblick's latest beta version fixes the problem for most users:


One problem was that Tunnelblick would ignore double-clicks until the user closed Tunnelblick's "how to add a configuration" window. That problem was fixed more than a year ago; the current stable version of Tunnelblick includes the fix.


The second problem was usually caused by a change in the way that Finder responds to double-clicks. There used to be an order to the programs that Finder would use when you double-click a file: first, any currently-running application that accepted the file, then any application in /Applications that accepted the file, then others. In El Capitan, Finder picks a program to use seemingly at random. If you installed Tunnelblick and left the disk image mounted, Finder would sometimes launch the copy of Tunnelblick on that volume instead of using the currently-running copy of the Application. That would cause Finder to display the "this is something downloaded from the Internet, do you want to open it?" dialog. If you clicked "yes", that copy of Tunnelblick would offer to install itself in "Applications", which the user had just done!


Tunnelblick 3.6beta09 fixed that second problem last September by ejecting the Tunnelblick volume after an install (which also saves the user from having to do it manually).


But there are other reasons that Tunnelblick may fail to respond to double-clicks and Tunnelblick can't do anything about them:

  • The OS X "Launch Services" database may be corrupt. This is the database of programs that respond to double-clicks, and what kind of files they accept.
  • Another program may have told OS X to respond to double-clicks for the type of file the user is double-clicking. That program may then get launched instead of Tunnelblick and it may ignore the double-click. On El Capitan the new "random choice" of what program to open when you double-click a file that I described earlier means that even if Tunnelblick is running it may not be the program that Finder picks to accept the double-click, so Finder may launch some other program, and that program may ignore the double-click.

For any problem having to do with double-clicks not working, the easiest solution is to use drag-and-drop instead of a double-click: drag the configuration file and drop it onto the Tunnelblick icon in a Finder window showing the contents of the "Applications" folder. Note that (A) the configuration file must have an extension of ".ovpn", ".conf", or ".tblk", and (B) the extension may or may not be visible, depending on Finder preferences.


As a side note: Tunnelblick betas are actually pretty stable, as noted on Tunnelblick's Stable vs. Beta page. The stable version usually only gets security fixes, so it usually has problems that have been fixed in a beta version (e.g., the problem described above). Tens of thousands of people use the beta version, so problems in it tend to get fixed quickly.

Dec 9, 2015 8:07 AM in response to jfromhelotes

All right, I'm now hooked up with Open VPN through a VPN service.


For posterity, here's what worked:

1. The beta version: Tunnelblick_3.6beta16_build_4461.dmg

2. Obtained VPN service's config files, replaced ".zip" with ".tblk" and drag/dropped that file onto Tunnelblick in Applications from a finder window - nothing.

3. Quit Tunnelblick and drag/dropped file onto Tunnelblick in Applications from a finder window - nothing.

4. Quit Tunnelblick and expanded .zip file into a folder, then added ".tblk" extension to the folder, then drag/dropped folder/file onto Tunnelblick in Applications from a finder window - nothing.

5. Tried it again: Quit Tunnelblick and expanded .zip file into a folder, then added ".tblk" extension to the folder, then drag/dropped folder/file onto Tunnelblick in Applications from a finder window and it installed! (I didn't expand it twice, I just dropped it twice, but for clarity wanted to ensure it was clear that it was an expanded folder with .tblk extension.)


There's one minor glitch, which doesn't affect function, I believe, but is curious. Cursor over the tunnel icon brings up two boxes: first, the one I chose to connect to, Texas, along with connection data. Second, it also brings up a box below Texas for Australia, which shows as disconnected, but which I can't get rid of. The "x" closes it and Texas, but Australia's right back there the next time I cursor over the icon. Australia, BTW, was the first of the config files the install program offered me, along with a choice for "all." I suspect it assumes I'll want Australia plus whatever else I choose to open. It doesn't appear to alter function yet, but it is an appearance thing.


Thanks.


ETA: After a couple of restarts, I do find some functional problems.

1. Though I chose to add username and password to keychain, it requires me to manually add them each time.

2. Tunnelblick Connect on both "When Tunnelblick launches" and "Manually" starts anyway, pending password.

3. Tunnelblick tries to connect both to the Australia (see above) and my default, Texas, at the same time. I'll remove the Australia config and see if that works.

Dec 9, 2015 8:21 AM in response to jfromhelotes

Thanks for your input. If Private Internet Access had given you proper instructions I don't think you would have had any of these problems.


1. You can't drag/drop a ".zip" onto Tunnelblick because Tunnelblick doesn't understand ".zip" files. (For the same reason it doesn't understand a ".docx" Microsoft Word file or Microsoft Word doesn't understand ".tblk" files.)


2. Renaming a ".zip" to be a ".tblk", or just adding ".tblk" to the end of a filename doesn't help because it doesn't change what the file is (it is still a ".zip" file, for example, no matter what its name says it is). (This is the same as changing the name of a ".docx" file to ".xlsx" -- that doesn't change it from a Microsoft Word file to a Microsoft Excel file.)


So, as you found, you first must "expand" the ".zip" file by double-clicking it.


In your case, the ".zip" expanded into a folder (because Private Internet Access created it to do that).


3. You can't "install" a folder of configurations into Tunnelblick (just like you can't double-click a folder of ".docx" files and expect Microsoft Word to open the files).


But as you saw, you can rename the folder by adding ".tblk" to the end of the name -- then Tunnelblick will allow you to install it.


Or you can open the folder in Finder, use Edit | Select All to select all of the configuration files in the folder, and then drag all of them to the Tunnelblick icon in a Finder window showing "Applications".


------


As to the second "status" window: "it's a feature, not a bug" : ) Tunnelblick shows the status window for all configurations that you have tried to connect to since launching Tunnelblick so you can reconnect to them easily. If you quit Tunnelblick and then relaunch it, you should only see a status window for the last configuration that you used.
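The point made in the reply above (a file is a ZIP because of its content, not its name, and it has to be expanded into a folder whose name ends in ".tblk") can be scripted. This is an added example, not part of the original post and not Tunnelblick's own code; the function names, the sample bundle and its file names are constructed for illustration. It goes one step beyond the post by refusing archive entries whose paths would land outside the new folder.

```python
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Extensions the thread lists for single configuration files.
CONFIG_EXTS = {".ovpn", ".conf"}

def build_tblk(archive, dest_dir):
    """Expand a ZIP of configurations into '<name>.tblk' under dest_dir.
    The archive is recognised by content, not by its file name.
    Returns (tblk_path, config_names, rejected_names)."""
    archive = Path(archive)
    if not zipfile.is_zipfile(archive):
        raise ValueError(f"{archive.name}: content is not a ZIP archive")
    tblk = Path(dest_dir) / (archive.stem + ".tblk")
    configs, rejected = [], []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            rel = PurePosixPath(info.filename)
            if info.is_dir():
                continue
            # Refuse entries that would be written outside the .tblk folder.
            if rel.is_absolute() or ".." in rel.parts:
                rejected.append(info.filename)
                continue
            target = tblk.joinpath(*rel.parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))  # also keeps certs the configs reference
            if rel.suffix.lower() in CONFIG_EXTS:
                configs.append(rel.name)
    if not configs:
        raise ValueError(f"{archive.name}: no .ovpn or .conf file inside")
    return tblk, sorted(configs), rejected

def make_sample_zip(folder, name="provider.zip"):
    """Constructed sample bundle; file names and contents are made up."""
    path = Path(folder) / name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Texas.ovpn", "client\ndev tun\n")
        zf.writestr("Australia.ovpn", "client\ndev tun\n")
        zf.writestr("ca.crt", "constructed placeholder\n")
        zf.writestr("../outside.ovpn", "client\n")
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        renamed = make_sample_zip(tmp).rename(Path(tmp) / "provider.tblk")
        print("renamed file is still a ZIP:", zipfile.is_zipfile(renamed))
        print(build_tblk(make_sample_zip(tmp), Path(tmp) / "out"))
```
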

Dec 9, 2015 8:58 AM in response to jfromhelotes

Tunnelblick does what you tell it to do.


If what you mean is that Tunnelblick tries to connect both configurations as soon as you launch it (without you doing anything else), I suspect that you have set both configurations to connect "when Tunnelblick launches" instead of "manually". So both of them try to connect when you launch Tunnelblick.


See the "Settings" tab of the "VPN Details" window, and note that the settings apply to the configuration(s) that are selected in the list on the left of the window.

Dec 9, 2015 9:38 AM in response to jkbull

That seems backwards, or else I'm misunderstanding it.


If I want OpenVPN to connect automatically, it will auto connect to both the one I want (Texas, this time) and the one I recently connected to (the "Feature," not a bug) at the same time. If I want to connect to only one, I need to set it to "Manually." It seems the feature really might be considered a bug, since I can't use "When Tunnelblick launches" if I'm using different servers, which I frequently do.
