Tunnelblick Advanced Settings Window
Tunnelblick's Advanced Settings Window contains less-used settings for the configuration(s) that are selected in the VPN Details Window.
Most users do not need to change the settings in this window -- Tunnelblick's default settings work best for most situations.
This window has four tabs:
- Connecting & Disconnecting specifies actions to take when connecting or disconnecting from a configuration.
- While Connected specifies actions to take while connected to a configuration.
- VPN Credentials lets the user manage groups of credentials (usernames, passwords, and passphrases) for configurations.
- Sounds lets the user specify sounds to signal a configuration connecting or unexpectedly disconnecting.
Connecting and Disconnecting Tab
Several settings in this tab are controlled by a checkbox:
- Flush DNS cache after connecting or disconnecting: When checked, Tunnelblick will flush the system's DNS cache after connecting and after disconnecting. This allows the system to use the appropriate DNS settings while the VPN connection is active and after it is disconnected. (Due to limitations in the security program Hands Off!, flushing the DNS cache is skipped on macOS 10.7 ("Lion") and higher if Hands Off! is running.)
- Prepend domain name to search domains: This checkbox is only available when the default DNS/WINS setting of 'Set nameserver' is selected. When checked, Tunnelblick will add the domain name to the start of the search domain list if the list has not been specified manually. If the search domain list has been specified manually, then nothing is done. When not checked on macOS 10.4 and 10.5, the domain name is added to the end of the search domains list. When not checked on macOS 10.6 and higher, the domain name replaces the search domains list unless search domains were entered manually, in which case nothing is done.
- Set DNS after routes are set instead of before routes are set: When checked, Tunnelblick will run the standard "up" script using the OpenVPN --route-up option instead of the --up option.
- Enable IPv6 (tap only) determines whether or not Tunnelblick will enable IPv6 on the tap interface while the selected configuration(s) is connected.
- Keep connected determines whether or not Tunnelblick will attempt to connect after an unexpected disconnection.
Two popup menus control whether Tunnelblick loads the tun and/or tap kexts (device drivers). Tunnelblick always unloads kexts when they are no longer needed.
Note that on macOS 10.6.8 and higher, recent versions of OpenVPN may use the system's 'utun' driver. The "Load Tun driver automatically" setting is aware of this behavior and loads the tun driver only if it is needed.
- Load Tun driver automatically. When selected, Tunnelblick will load the tun kext only if it is needed.
- Always load Tun driver. When selected, Tunnelblick will always load the tun kext when connecting the selected configuration(s).
- Never load Tun driver. When selected, Tunnelblick will not load the tun kext when connecting the selected configuration(s).
- Load Tap driver automatically. When selected, Tunnelblick will load the tap kext only if it is needed.
- Always load Tap driver. When selected, Tunnelblick will always load the tap kext when connecting the selected configuration(s).
- Never load Tap driver. When selected, Tunnelblick will not load the tap kext when connecting the selected configuration(s).
Two checkboxes control what Tunnelblick does when the computer goes to sleep:
- Disconnect when computer goes to sleep. When checked, Tunnelblick will disconnect the selected configuration(s) when the computer goes to sleep.
- Reconnect when computer wakes up. When checked, Tunnelblick will reconnect the selected configuration(s) when the computer wakes up if they were connected before the computer went to sleep.
Two checkboxes control what Tunnelblick does when a system "Fast User Switch" occurs:
- Disconnect when user switches out. When checked, Tunnelblick will disconnect the selected configuration(s) when the user is switched out.
- Reconnect when user switches in. When checked, Tunnelblick will reconnect the selected configuration(s) when the user is switched back in if they were connected before the user switched out.
While Connected Tab
This tab contains two checkboxes:
- Run MTU maximum size test after connecting. When checked, an '--mtu-test' option is sent to OpenVPN, causing OpenVPN to run a test to determine the maximum MTU size that the path to the VPN server supports. The test takes about three minutes, and test results are reported in the Tunnelblick log. The results of this test can be used to determine parameters for "--tun-mtu", "--fragment", and "--mssfix" options that can be included in the configuration file. (See the descriptions for these options in the OpenVPN documentation.) If this is not checked, the "--mtu-test" option is not sent to OpenVPN, and no such test is performed.
- Monitor network settings. When checked, Tunnelblick will monitor network settings for changes while the selected configuration(s) are connected and restore settings or restart the VPN if necessary. This may be done to react to DHCP renewals or other network changes. The action that Tunnelblick takes when a particular network setting changes is specified separately for each of two kinds of change:
- When changes to pre-VPN value. These actions are taken when a network setting changes to the value it was before the VPN was established.
- When changes to anything else. These actions are taken when a network setting changes to any other value.
One of three actions may be selected for each change:
- Ignore. The network setting change will be ignored.
- Restore. The network setting will be restored to the value it had after establishing the VPN.
- Restart connection. The network setting change will cause the connection to be restarted.
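The MTU test results described above can be read out of a saved copy of the Tunnelblick log. The following Python code is an added example, not part of Tunnelblick or OpenVPN; the sample log lines are constructed, and the layout of the result line is assumed to be the one OpenVPN prints for '--mtu-test'.

```python
import re

# Constructed sample log text (not from a real session). The result-line
# layout is an assumption based on what OpenVPN prints for --mtu-test.
SAMPLE_LOG = """\
2024-05-01 10:00:05 Initialization Sequence Completed
2024-05-01 10:03:07 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1573,1445]
2024-05-01 10:03:07 NOTE: This connection is unable to accommodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
"""

RESULT_RE = re.compile(
    r"Empirical MTU test completed \[Tried,Actual\]\s+"
    r"local->remote=\[(\d+),(\d+)\]\s+remote->local=\[(\d+),(\d+)\]"
)


def parse_mtu_test(log_text):
    """Return the last MTU test result in the log, or None if there is none."""
    result = None
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            out_tried, out_actual, in_tried, in_actual = map(int, m.groups())
            # Keep only the most recent result; a log may span reconnections.
            result = {
                "local_to_remote": (out_tried, out_actual),
                "remote_to_local": (in_tried, in_actual),
            }
    return result


def summarize(result):
    """Report which direction limits packet size and whether any fell short."""
    if result is None:
        return None  # test not enabled, or it had not finished yet
    direction, (_tried, actual) = min(result.items(), key=lambda kv: kv[1][1])
    return {
        "limiting_direction": direction,
        "largest_packet": actual,
        # True when a direction delivered less than the size that was tried.
        "constrained": any(a < t for t, a in result.values()),
    }


if __name__ == "__main__":
    print(summarize(parse_mtu_test(SAMPLE_LOG)))
```

The smallest "Actual" value is the figure to carry into the OpenVPN documentation when choosing "--tun-mtu", "--fragment", or "--mssfix".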
VPN Credentials Tab
This tab deals with the credentials (username and password or private key) that configurations ask the user for. By default, each configuration uses its own credentials, separate from those of every other configuration. If the user saves the credentials for one configuration in the Keychain, they will need to enter credentials for each of their other configurations (and save them in the Keychain) separately.
This tab contains a checkbox that allows the user to specify that all configurations should share the same credentials -- so the user can enter the credentials once, save them in the Keychain, and they will be used for all configurations.
This tab also contains controls for "named" credentials. If all configurations do not share the same credentials, the user can create named credentials and specify the configurations that use them. For example, if a user has two sets of configurations, one from VPN service provider A, and one from VPN service provider B, the user can create two credential names (for example, "VPN A" and "VPN B"), and then specify that each of the configurations can be assigned to one or the other named credentials. So, for example, ten configurations for VPN service provider A can be set to use the "VPN A" credentials, and twenty-three configurations for VPN service provider B can be set to use "VPN B" credentials. The user then only needs to enter the "VPN A" credentials once and save them to the Keychain, and enter the "VPN B" credentials once and save them to the Keychain, instead of needing to enter the credentials for each of the thirty-two configurations and save each of them to the Keychain.
Sounds Tab
This tab determines the sounds that Tunnelblick plays when the selected configuration connects or unexpectedly disconnects. The "speak" setting speaks the name of the configuration and whether or not it is being connected or unexpectedly disconnected.