Openvpnusers Tun Tap Driver For Mac

The Problem

Type in sudo kextunload -b 'name of tun or tap found in kextstat' (For example, if foo.tun or foo.tap are found, type in sudo kextunload -b foo.tun or sudo kextunload -b foo.tap) This fix will likely be undone if you reboot the computer as the conflicting software will likely reload the kexts again. Generally, tun and tap devices are most commonly used in two distinct application scenarios: The first one is VPN software (such as OpenVPN). In this scenario, the kernel sends its network packets to the tun or tap devices.

You want to run an OpenVPN Client on Mac OS X. Your OpenVPN server will be serving DHCP, as well as pushing down DNS server addresses. You’ve tried connecting, and it just doesn’t seem to work. Perhaps you even see a large number of errors of the type:

write to TUN/TAP : Input/output error (code=5)

The Solution

When you connect via OpenVPN, it is the responsibility of the client to process pushed dhcp-options (including the DNS server rules), and do something useful with them. On a linux system, you could, for example, incorporate these into /etc/resolv.conf. Consult your distro’s openvpn documentation for more information.

However, this does not work on a Mac, because Mac software (even down to ssh and ping) doesn’t use /etc/resolv.conf under OS X 10.4… Oops. The solution? A combination of two tools: ipconfig and scutil. These together can manage 10.4’s new DNS configuration system, and set the tap device to obtain an address via DHCP. The problem is discussed further on nicholas riley’s blog, though his solution, a python script, a) is complicated to install, and b) did not actually work for me once installed, though I didn’t dig deep enough to understand why.

The best solution is to run an “up” script as part of the OpenVPN connection process, which will handle the necessary configuration for you. The script is provided on the Openvpn-users mailing list, by Ben Low.

Here’s how to use it with the excellent OpenVPN client Tunnelblick:

Install Tunnelblick, and create your OpenVPN config. I’ll assume that you know how to do this, or you wouldn’t be here. If not, consult the documentation for OpenVPN.
Download this script (copied from the openvpn-users mailing list). Save it to ~/Library/openvpn, the folder where your Tunnelblick OpenVPN configuration lives.
OpenVPN TAP up-down Script: tap-up-down.sh
Now, make the script executable, by running:
chmod +x ~/Library/openvpn/tap-up-down.sh
Edit your configuration file to include these lines:
up ./tap-up-down.sh
down ./tap-up-down.sh
Changing your configuration file will have disconnected Tunnelblick if it was connected. Tunnelblick will also prompt you again for your administrator password, since security-sensitive files have been modified.
Time to test! Open a Terminal window, and run the command:
scutil –dns
to see the current configuration of DNS resolvers. Then connect to your VPN in Tunnelblick, and run the command again:
scutil –dns
If all goes as planned, you will see your VPN DNS resolver properly included in the configuration. Congratulations!
You should now be able to ping internal hosts by their internal DNS names, e.g.:
ping internal-server

Good luck!

Updated 11/30/2007 to add chmod +x. Thanks Karel!

In computer networking, TUN and TAP are kernelvirtual network devices. Being network devices supported entirely in software, they differ from ordinary network devices which are backed by physical network adapters.

The Universal TUN/TAP Driver originated in 2000 as a merger of the corresponding drivers in Solaris, Linux and BSD.^[1] The driver continues to be maintained as part of the Linux^[2] and FreeBSD^[3]^[4] kernels.

Design[edit]

TUN and TAP in the network stack

Though both are for tunneling purposes, TUN and TAP can't be used together because they transmit and receive packets at different layers of the network stack. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user spacenetwork bridge.^[2]

Packets sent by an operating system via a TUN/TAP device are delivered to a user space program which attaches itself to the device. A user space program may also pass packets into a TUN/TAP device. In this case the TUN/TAP device delivers (or 'injects') these packets to the operating-system network stack thus emulating their reception from an external source.^[2]

Applications[edit]

Virtual private networks

OpenVPN, Ethernet/IP over TCP/UDP; encrypted, compressed
ZeroTier, Ethernet/IP over TCP/UDP; encrypted, compressed, cryptographic addressing scheme
FreeLAN, open-source, free, multi-platform IPv4, IPv6 and peer-to-peer VPN software over UDP/IP.
n2n, an open source Layer 2 over Layer 3 VPN application which uses a peer-to-peer architecture for network membership and routing
Tinc, Ethernet/IPv4/IPv6 over TCP/UDP; encrypted, compressed
VTun, Ethernet/IP/serial/Unix pipe over TCP; encrypted, compressed, traffic-shaping
coLinux, Ethernet/IP over TCP/UDP

Virtual-machine networking