Tunnelblick ovpn client for Mac os High Sierra
This weekend I was playing around with Openvpn to a new site. I use Tunnelblick for this, but this time was the first time after I had upgraded my Mac to High Sierra (10.13.5). Suddenly my vpn connections didn’t want to load anymore.
Tunnelblick threw these errors to me:
1 2 3 4 5 6 7 8 9 10 11 |
Could not start OpenVPN (openvpnstart returned with status #247) Contents of the openvpnstart log: *Tunnelblick: openvpnstart log: Loading tap-signed.kext stderr from kextload: /Applications/Tunnelblick.app/Contents/Resources/tap-signed.kext failed to load - (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8). stderr from kextload: /Applications/Tunnelblick.app/Contents/Resources/tap-signed.kext failed to load - (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8). stderr from kextload: /Applications/Tunnelblick.app/Contents/Resources/tap-signed.kext failed to load - (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8). stderr from kextload: /Applications/Tunnelblick.app/Contents/Resources/tap-signed.kext failed to load - (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8). stderr from kextload: /Applications/Tunnelblick.app/Contents/Resources/tap-signed.kext failed to load - (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8). Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. Status = 71 |
I was running a beta, so first thing was to install the stable release, but the message remained.
This link: https://tunnelblick.net/cKextLoadError.html helped me. In high sierra to use or add modules in your kernel, sometimes it is necessary to give user consent.
These kernel extensions don’t require approval:
- Extensions that were installed before upgrading to macOS High Sierra
- Extensions that are replacing previously approved extensions
- Extensions that are allowed to load without user consent by using the
spctl
command while started up from macOS Recovery - Extensions that are allowed to load via the Kernel Extension Policy
So in my case, I was using Tunnelblick before, so it had to be something else. That meant, that I was in situation (2) “There may be incompatible kexts already loaded”.
To find that out on mac you open a terminal and use this:
1 2 3 4 5 6 7 |
mbp-vanpupi:~ pieter$ kextstat |grep tun 167 0 0xffffff7f80fae000 0x7000 0x7000 net.sf.tuntaposx.tun (1.0) 95DD963D-E23D-3B0F-8DE8-A4D2F6BFA5CC <7 5 4 1> 171 0 0xffffff7f80b1f000 0x7000 0x7000 net.sf.tuntaposx.tap (1.0) 23FDB715-3D0D-3A26-ACBA-E3794C231CB7 <7 5 4 1> mbp-vanpupi:~ pieter$ kextstat |grep tap 167 0 0xffffff7f80fae000 0x7000 0x7000 net.sf.tuntaposx.tun (1.0) 95DD963D-E23D-3B0F-8DE8-A4D2F6BFA5CC <7 5 4 1> 171 0 0xffffff7f80b1f000 0x7000 0x7000 net.sf.tuntaposx.tap (1.0) 23FDB715-3D0D-3A26-ACBA-E3794C231CB7 <7 5 4 1> mbp-vanpupi:~ pieter$ |
Tunnelblick uses customized versions of the kexts from tuntaposx, so this must have been a leftover from previous versions. I like the next sentence on the tunnelblick website so I want to share it with you “Recent versions of Tunnelblick try to be “good citizens” by loading kexts only when needed, and unloading them when they are no longer needed.”.
This means, that I (most likely) don’t need these modules, so I unloaded them:
1 2 3 4 5 6 |
mbp-vanpupi:~ pieter$ sudo kextunload -b net.sf.tuntaposx.tun Password: mbp-vanpupi:~ pieter$ sudo kextunload -b net.sf.tuntaposx.tap mbp-vanpupi:~ pieter$ kextstat |grep tap mbp-vanpupi:~ pieter$ kextstat |grep tun mbp-vanpupi:~ pieter$ |
And there we go. After doing this, the vpn tunnel came up and everything worked as before.
As always, questions, remarks? find me on twitter @vanpupi