CGarvey.ie

7 OpenVPN on an Intel based Apple MacBook or MacBook Pro

Dec 22nd, 2006   3:52 am

If you’re a casual OpenVPN user, you’ll probably use a GUI to manage your connections when acting as a “Road Warrior”. If you’re a PowerBook / PPC-based Apple user, then Tunnelblick to the rescue.

I use an IPCop firewall with the Zerina plugin, which wraps the OpenVPN management in an (relatively) easy to use GUI within IPCop. So create your Road Warrior users, assign a password, and the new GUI will let you download cert and OpenVPN .conf file to hand to your Road Warrior user (don’t email the freakin’ thing, if you go to all that trouble to be secure!).

So, all’s well so far. Que the Intel based MacBook and MacBook Pro. I’d previously used the easy installer from Tunnelblick on my G4 PowerBook, and within a minute or 2, I was up and running. Not so with my new MacBook (yes, I paid the extra for the cool black!). So if you’ve read this far, you’re probably keenly aware that it’s not as simple on the Intel-based Macs.

The problem lies not within the Tunnelblick software but, rather, the TUN/TAP devices it ships with. Some kind soul, by the name of Matt Mead has come to the rescue. He’s taken the open source TUN/TAP drivers from Mattias Nissler, and compiled them under Intel/i386 architecture. Read his blog post. Cheers Matt!

What he hasn’t got around to doing just yet is fixing up the installer (that, too, gets shipped with Tunnelblick), so here’s how I manage to get Tunnelblick up and running:

  • Download, and extract, the binaries from Matt’s blog post. If you get stuck here, don’t read on 😉
  • Because the installer is broken, you’ll have to manually extract the kernel extensions, and manually install them
  • First, right-click (or a two-fingered tap on your trackpad if you’ve configured it like so!) on tap_kext.pkg, and choose to “Show Package Contents”. Browse to the Contents folder, and then double click Archive.pax.gz to extract it. It’ll create an Archive folder. In there go in to the Library/Extensions folder (not System/…) and copy the tap.ext file to /Library/Extensions folder on your system. You’ll probably be asked to “Authenticate” yourself.
  • Do the same for tun_kext.pkg (copy tun.ext to /Library/Extensions)
  • Before we manually register them, we need to fix up file permissions. In a Terminal window (as an Administrator, obviously), change ownership by sudo chown -R root:wheel /Library/Extensions/tun.kext /Library/Extensions/tap.kext, and then change permissions by sudo chmod -R go-w /Library/Extensions/tap.kext /Library/Extensions/tun.kext When asked for a password at the command prompt, you simply enter your own login password again (assuming you are an administrator).
  • Now, we’ve to register them (think regsvr32 from Windows). Do so by typing sudo kextload
    /Library/Extensions/tun.kext     and sudo kextload /Library/Extensions/tun.kext in a Terminal window
  • That’s the hard part over! Now we go ahead with the rest of the Tunnelblick install. When you’ve mounted the .dmg Tunnelblick download, you’ll notice a Packages folder. Don’t run the Tunnelblick-Complete.mpkg installer! In the Packages folder, run the startup_item.pkg, the OpenVPN.pkg and the Tunnelblick.pkg installers (because you’ve already manually installed modified versions of the other two installers).
  • One restart later, and you should have a Tunnelblick sitting pretty beside your Sherlock icon now. You’ll still need to copy a working config/certificate file into your ~/Library/openvpn (as per regular Tunnelblick instructions), but at least it now runs!

Hopefully that’ll save you a couple of minutes Googling!

Comments:

Ernie
Jan 30th, 2007   8:40 am

Hi! So, your page is super useful, especially to a newbie like me, but I still have some problems, even with the instructions you pointed out. I seem to get the following error in my console: Options error: You must define TUN/TAP device (--dev) Use --help for more information. But I do have a specific "dev tun" line in my openvpn.conf file. Any advice would be totally appreciated.

Author

cgarvey
Jan 30th, 2007   1:10 pm

I don't know, is the simple answer! Have you rebooted after the install? Are you definitely on an Intel Mac? Do you have tun0 and tap0 in your /dev folder (should do after your 1st reboot since install). Other than attempt another re-install, I'd suggest contacting the author (webpage linked above). Sorry I can't be of more help!
Ernie
Jan 31st, 2007   7:51 pm

No prob. Turns out I had gotten a .conf file and the line breaks converted into ^M's. D'oh.
Richar Scott
Mar 22nd, 2007   1:43 pm

I had a the "You must define TUN/TAP device" problem and found out that it was due to my config file having windows line ends. I edited the config file on my mac and replaced the line ends and all worked! :-)
Richar Scott
Mar 22nd, 2007   1:55 pm

BTW, its funny because the exact same config file that I had an issue with on a Power PC worked fine on an intel powerbook. It needed no modification to work! How strange is that! ;-)
Steve
Mar 31st, 2008   1:34 pm

Hi, Im having a strange problem with tunnelblick, but its not the config files... I set up everything and connected fine, but after I connect, the server I am connected to does not show up in the finder! I cant find it! Its a PC server, does anyone know where I can look for it??? Thanks

Author

cgarvey
Apr 8th, 2008   5:03 pm

Can you ping its IP address? Windows-based machines take a while to appear in Finder (because of how they advertise themselves), but you can make a direct connection to it if you know its IP address. To do so, in the Finder menu choose Go > Connect to Server.., type smb://192.168.1.1/ in the server address (replacing the IP address with your server address, obviously) and click Connect. If you can't ping / still can't connect, then you'd best Google a bit more (it might be a firewall problem, for example).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

css.php