Tunnelblick Was Not Able To Load A System Extension



Tunnelblick will be able to load 'tun' and 'tap' system extensions for any configuration without user interaction, and that ability will persist after computer restarts, 'safe boots', and updates to Tunnelblick. Note: If you are using a 'tun' VPN, you can avoid needing to load the 'tun' system extension. Double Click the Tunnelblick dmg from your downloads folder to mount the image. Double Click on the Tunnelblick icon to install. If you get a notice that 'Tunnelblick is an Application downloaded from the Internet' Click Open to confirm that you want to Open it.

  1. Proctorio Minimum System Requirements. Proctorio offers a flexible service, which may include recording of video, audio, and screen activity or none of the above. The system requirements are dependent on the exam settings. Test takers are encouraged to use a practice exam to test their systems prior to taking an exam.
  2. Group under the name 'Tunnelblick-Not-load-tuntap.app.zip'. If this works for you, I could make this controlled by a preference, or perhaps 'see' that the Cisco kexts are loaded and go on from there. If it doesn't work (i.e., if OpenVPN can't work with the Cisco kexts), I don't think there's much more Tunnelblick can do.

Highlighted Articles
News
Installing Tunnelblick
Uninstalling Tunnelblick
Setting up Configurations
Using Tunnelblick
Getting VPN Service
Common Problems
Configuring OpenVPN
Release Notes
Thanks
FAQ

Discussion Group
Read Before You Post

Important: See The Future of Tun and Tap VPNs on macOS for information about changes to future versions of macOS.

If you have an M1 Mac, also see Tunnelblick and Apple Silicon.

If you are using macOS Big Sur, you should use the latest beta version of Tunnelblick. You should allow Tunnelblick to automatically check for updates on the 'Preferences' panel of Tunnelblick's 'VPN Details' window. Be sure to put a check in 'Check for updates to beta versions'.

The following is the current status of issues that have been seen using Tunnelblick on macOS Big Sur.

To report an issue, please follow the instructions at Tunnelblick Issues.

FIXED in Tunnelblick 3.8.5beta03: Tunnelblick's Tun and Tap system extensions do not load.

If your configuration requires a Tun or Tap system extension, connecting to your VPN will fail if an appropriate system extension is not installed.

  • If you are using a Tun VPN, you can — and should — modify your OpenVPN configuration file so it will work without the 'Tun' system extension. See Errors Loading System Extensions for instructions.
  • If you are using a Tap VPN, your configuration requires a Tap system extension.

A future version of macOS will not allow the use of Tunnelblick's system extensions. See The Future of Tun and Tap VPNs on macOS.

See Installing System Extensions for detailed instructions on installing Tunnelblick's system extensions.

FIXED in Tunnelblick 3.8.5beta03: Tunnelblick disables loading of Tun and Tap system extensions.

When running on macOS Big Sur 11.0.1 or later, some versions of Tunnelblick force the settings on Tunnelblick's 'Advanced' settings window to 'never load' system extensions.

WON'T FIX: Sidecar does not work when a VPN is connected using Tunnelblick's default for a configuration.

(This issue is not specific to Big Sur. It is present in all versions of Sidecar.)

Sidecar does not work if IPv6 is disabled. By default, Tunnelblick disables IPv6 while a VPN is connected. This is done to prevent information leaks in common VPN setups (see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients).

To fix this problem:

  1. Verify with your VPN service provider that no information is leaked if IPv6 traffic is allowed. If you cannot confirm that, you should not proceed and you will not be able to use Sidecar when your VPN is connected.
  2. Launch Tunnelblick.
  3. Click the Tunnelblick icon in the menu bar and then click 'VPN Details'.
  4. Click on the large 'Configurations' button at the top of the window.
  5. Select the configuration(s) you wish to modify.
  6. Remove the check from 'Disable IPv6 unless the server is accessed via IPv6'.
Skip to content

No DNS resolution when importing tunnelblick configuration

Got a problem with Viscosity or need help? Ask here!
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Hi,
I have been a long-time user of tunnelblick, but have just purchased Viscosity for it's advanced feature set. My problem is that when I imported the tunnelblick configuration files, which have specific DNS server entries in them, and start Viscosity, I can connect to my VPN provider, but have no DNS resolution.
I have tried deleting and re-importing the configurations, with no success with DNS resolution.
The DNS server entries show up in Viscosity for the VPN server I want to connect to and the box is ticked in 'Preferences', 'Networking' 'Enable DNS Support'. I get no DNS resolution either way; ticked not ticked, also even though the VPN server pushes a DNS server address as it is connecting.
The 'Apply DNS settings simultaneously' in the 'Advanced' tab of 'Preferences' doesn't make any difference either ticked or unticked.
I couldn't find any other post that had this issue, so I hope someone will have some suggestions for anything else I could try or what I might be doing wrong. Please advise if any other information would help resolve the issue.
Thanks in advance and Best Regards,
jz
Extension
Posts:2065
Joined: Thu Sep 04, 2008 9:27 pm
Hi jz,
Would you be able to post a copy of your OpenVPN log? It should allow us to figure out what is going on.
http://www.thesparklabs.com/support/vie ... envpn_log/
Cheers,
James
James Bekkema
Viscosity Developer
Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Hi James,
Thanks for the quick reply. I've attached the OpenVPN log, although there's not much in it compared to the logs that tunnelblick produces. Hopefully it'll tell you more than I'm seeing in it. I do notice that in the pffirewall.log there is one entry that doesn't show up in the OpenVPN log, which is related to DNS:
viscosity_foreign_option_3=dhcp-option DNS 10.5.0.1
The address there is the VPN providers DNS server.
I've posted both logs, thanks again for your help,
jz
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Hi, I added the logs as attached files, but don't see the attachments in my last post, so here they are pasted into this post instead.
OpenVPN:
Jul 05 14:02:33: Viscosity 1.3.5 (1051)
Jul 05 14:02:33: Checking reachability status of connection...
Jul 05 14:02:33: Connection is reachable. Starting connection attempt.
Jul 05 14:02:36: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Jul 05 14:02:36: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 05 14:02:36: LZO compression initialized
Jul 05 14:02:36: Attempting to establish TCP connection with X.X.X.X:443 [nonblock]
Jul 05 14:02:39: TCP connection established with X.X.X.X:443
Jul 05 14:02:39: TCPv4_CLIENT link local: [undef]
Jul 05 14:02:39: TCPv4_CLIENT link remote: X.X.X.X:443
Jul 05 14:02:55: [server] Peer Connection Initiated with X.X.X.X:443
Jul 05 14:02:58: TUN/TAP device /dev/tun0 opened
Jul 05 14:02:58: /sbin/ifconfig tun0 delete
Jul 05 14:02:58: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Jul 05 14:02:58: /sbin/ifconfig tun0 10.5.0.138 10.5.0.137 mtu 1500 netmask 255.255.255.255 up
Jul 05 14:02:58: Initialization Sequence Completed
pffirewall:
Jul 5 14:02:21 constellation Viscosity[6116]: Loading Viscosity's Tap driver
Jul 5 14:02:21 constellation Viscosity[6116]: Loading Viscosity's Tun driver
Jul 5 14:02:21 constellation kernel[0]: Viscosity tap kernel extension initialized
Jul 5 14:02:21 constellation kernel[0]: http://www.thesparklabs.com/viscosity
Jul 5 14:02:21 constellation kernel[0]: Tun/tap extensions by Mattias Nissler <[email protected]>
Jul 5 14:02:21 constellation kernel[0]: Viscosity tun kernel extension initialized
Jul 5 14:02:21 constellation kernel[0]: http://www.thesparklabs.com/viscosity
Jul 5 14:02:21 constellation kernel[0]: Tun/tap extensions by Mattias Nissler <[email protected]>
Jul 5 14:02:35 constellation openvpn[6139]: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Jul 5 14:02:36 constellation openvpn[6140]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 5 14:02:36 constellation openvpn[6140]: LZO compression initialized
Jul 5 14:02:36 constellation openvpn[6140]: Attempting to establish TCP connection with X.X.X.X:443 [nonblock]
Jul 5 14:02:39 constellation openvpn[6140]: TCP connection established with X.X.X.X:443
Jul 5 14:02:39 constellation openvpn[6140]: TCPv4_CLIENT link local: [undef]
Jul 5 14:02:39 constellation openvpn[6140]: TCPv4_CLIENT link remote: X.X.X.X:443
Jul 5 14:02:55 constellation openvpn[6140]: [server] Peer Connection Initiated with X.X.X.X:443
Jul 5 14:02:58 constellation openvpn[6140]: viscosity_foreign_option_3=dhcp-option DNS 10.5.0.1
Jul 5 14:02:58 constellation openvpn[6140]: TUN/TAP device /dev/tun0 opened
Jul 5 14:02:58 constellation openvpn[6140]: /sbin/ifconfig tun0 delete
Jul 5 14:02:58 constellation openvpn[6140]: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Jul 5 14:02:58 constellation openvpn[6140]: /sbin/ifconfig tun0 10.5.0.138 10.5.0.137 mtu 1500 netmask 255.255.255.255 up
Jul 5 14:02:58 constellation kernel[0]: Failed to add membership to all-hosts multicast address on interface tun0
Jul 5 14:02:58 constellation openvpn[6140]: Initialization Sequence Completed
Regards,
jz
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Hi,
I've figured this out myself, but Thanks again for the help.
It seems Viscosity requires there to be a DNS entry in the System Preferences, Network, < applicable connection>, Advanced, DNS tab. This is something that tunnelblick does not require, and I had nothing in there.
After adding a DNS server address to the OSX System Preferences, all is working fine.
I also checked with my favorite packet analyzer and all traffic is being routed though the VPN connection, and also checked with dnsleaktest.com and no leaks either, so that works for me.
Best regards, and sorry I didn't figure that out before I posted this.
jz
Posts:2065
Joined: Thu Sep 04, 2008 9:27 pm
Hi jz,
Glad to hear you solved the issue. I imagine you shouldn't need to set a manual DNS entry with the latest 1.4 beta version, as it contains a number of DNS improvements. You're welcome to give it a try at:
http://www.thesparklabs.com/forum/viewt ... p=134#p134
Cheers,
James
James Bekkema
Viscosity Developer
Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Thank you James, I'll give the beta version a test run and report my findings.
Best Regards, and Thanks also for a great product at an excellent price.
jz
Posts:1
Joined: Sat Jul 21, 2012 8:51 pm
This also happens for me with the beta; 1.4b11 under 10.8. It only happens when the server pushes more than one DNS address and adding static DNS servers to the system Network prefpane seems to fix it. I didn't import anything from tunnelblick.

Tunnelblick Was Not Able To Load A System Extension That Is Needed To Connect To Openvpn

Posts:2065
Joined: Thu Sep 04, 2008 9:27 pm

Tunnelblick Was Not Able To Load A System Extension Cable

Hi Guys,
The latest beta (1.4b12) now includes a fix for this. Please give it a try and let us know if you run into any issues with it:
http://www.thesparklabs.com/forum/viewt ... p=134#p134
Cheers,
James
James Bekkema
Viscosity Developer
Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
Posts:6
Joined: Thu Jul 05, 2012 7:06 pm
Hi James, Thanks for the update.
I have tested the latest beta today, and it works perfectly.
No DNS or Search Domain entries in system prefs.
In Viscosity/Preferences/Advanced/DNS; Apply DNS Simultaneously - unchecked.
For each specific server listed in Viscosity/Connections/ the box for 'Enable DNS support' on the Networking tab checked, with the 'DNS servers' and 'Domains' fields blank.
Viscosity is now picking up the DNS server form the VPN service, and no errors in the logs.
Thanks again, and Best Regards,
jz
  • 1
Return to “Viscosity Support (Mac Version)”