How to fix "no tun option in conf file" issue with Tunnelblick client on OS X



  • I ran into an issue connecting to VPN on pfSense using the Tunnelblick client on OS X.  Tunnelblick failed to connect with "Tunnelblick could not find a 'tun' or 'tap' option in the OpenVPN configuration file".  I added a line "dev tun" (without the quotes) to the start of the ovpn file and now it works.

    I'm not sure if this is a Tunnelblick issue, or an OpenVPN client export issue as maybe that line should have been put there automagically, but I"m posting here so hopefully any affected pfSense users will find it.


  • Rebel Alliance Global Moderator

    so what version of pfsense are you running?  what version of export package? What is your vpn server settings?  Which config are you grabbing?  I just grabbed the inline ovpn file that would be used by viscosity or tunnelblick client and sure looks like dev tun is right there

    2.3.2-RELEASE (amd64)
    built on Tue Jul 19 12:44:43 CDT 2016
    FreeBSD 10.3-RELEASE-p5

    openvpn-client-export 1.3.10

    edit: did you grab the ios/android export - it does not contain a dev statement because it only support dev tun and not tap, etc.  So client doesn't need to be told so its missing..




  • did you grab the ios/android export

    This is the main cause of the OP error message, simply choose the "Others" option on the OpenVPN Client Export page when exporting for TunnelBlick and all will be good.


  • Rebel Alliance Global Moderator

    or grab the viscosity one that says for os x mac clients, etc..



  • @johnpoz:

    so what version of pfsense are you running?  what version of export package? What is your vpn server settings?  Which config are you grabbing?  I just grabbed the inline ovpn file that would be used by viscosity or tunnelblick client and sure looks like dev tun is right there

    2.3.2-RELEASE (amd64)
    built on Tue Jul 19 12:44:43 CDT 2016
    FreeBSD 10.3-RELEASE-p5

    openvpn-client-export 1.3.10

    edit: did you grab the ios/android export - it does not contain a dev statement because it only support dev tun and not tap, etc.  So client doesn't need to be told so its missing..

    I'm running:
    pfSense 2.3.2-RELEASE (amd64) and openvpn-client-export v1.3.10.

    I did grab the ios/android export version, as I first tested on my iPhone.  Looking at the list of export options, it isn't obvious which option to select if you want to use the Tunnelblick client on OS X, so I attempted to use the iOS inline export, which had worked great on the iPhone.  It may be useful to append some text to "Tunnelblick - Free client for OS X".  Perhaps it should be "Tunnelblick - Free client for OS X (use Inline Configurations Other)".

    Thanks for the explanation on why I was missing the "dev tun" line.  Obviously it was "user error", rather than a bug in the SW.  But, it may be useful to append some text to "Tunnelblick - Free client for OS X" on the VPN -> OpenVPN -> Client Export page.  Perhaps it should be "Tunnelblick - Free client for OS X (select Inline Configurations 'Other')".

    @johnpoz:

    or grab the viscosity one that says for os x mac clients, etc..

    The way the text on the page is worded, it reads as if the Viscosity one is only for the Viscosity client.  If the Viscosity one is intended to be used with other clients, the text should be changed to state that.

    All this is simple enough once you know what the author of the page really meant, but the user initially only knows what the page actually states, and he assumes that the words were chosen carefully.


  • Rebel Alliance Global Moderator

    While I agree with the statement they could prob add tunnelblick to the wording for which ones are best used for that one.. I don't see how ios/android would be best choice for clearly something that is not ios/android ;)

    But I admit I have had many years experience compared to your typical user.

    So are you using the one listed for viscosity and all is working good?  If so you may want to put request on redmine to get the wording changed.  While many of the developers do read the forums and pick up on stuff here and add it/fix stuff because of threads its always best to put it in redmine so its sure to get attention at some point, etc.

    Glad you got it all sorted.



  • @johnpoz:

    While I agree with the statement they could prob add tunnelblick to the wording for which ones are best used for that one.. I don't see how ios/android would be best choice for clearly something that is not ios/android ;)

    But I admit I have had many years experience compared to your typical user.

    So are you using the one listed for viscosity and all is working good?  If so you may want to put request on redmine to get the wording changed.  While many of the developers do read the forums and pick up on stuff here and add it/fix stuff because of threads its always best to put it in redmine so its sure to get attention at some point, etc.

    Glad you got it all sorted.

    Yes, I tried the Viscosity conf, and it works with Tunnelblick, at least during my very limited initial testing, using a connection to the iPhone to get to the WAN (I was sitting at home).  I'll get a proper test done when away from the house later this week.  I'll put a change request on redmine once I've satisfied myself that the Viscosity conf truly is satisfactory with Tunnelblick.

    Thanks for the help.



  • I just did a line by line compare between the "Viscosity Inline" and the "iOS/android Inline" "Inline Others" export files.

    The only difference is a set of "commented out" directives at the start of the config, specific to Viscosity.
    They are commented out so they shouldn't affect a typical install, but I would suggest the cleaner "iOS/android Inline" "Inline Others" version, just to keep crud out of your configs.

    I agree the wording on the export screen could be handled more clearly, I bump into getting the wrong config on a semi-irregular basis.
    Luckily no harm done, just get the correct config and delete the wrong one.
    OpenVPN is nice that way.


  • Rebel Alliance Global Moderator

    but the ios/android does not list dev tun.. Should it?  I have no issues using this config on my ios devices.  Guess it couldn't hurt but when I export ios/android config while it lists persist tun I do not see any dev statement.



  • but the ios/android does not list dev tun.. Should it?

    Sorry, my bad I meant "Inline -Others" where I originally typed iOS/android
    The iOS/android version is indeed missing the "dev tun" entry as it's not required as you mentioned (and have worked well every time I've needed them)

    Didn't mean to confuse, I edited the previous post.


  • Rebel Alliance Developer Netgate

    The "dev tun" line is left out of the IOS/Android one because the OpenVPN connect app would choke on it. Not sure if it still does, though.