This tutorial guides you on how to install OpenVPN on Mac using Tunnelblick, Viscosity, or the OpenVPN Connect Client.
As the OpenVPN project only offers a Mac client application for their business server (named OpenVPN Access Server), an alternative solution needs to be discovered to be able to connect to an OpenVPN server (Community Edition).
This article briefly explains what OpenVPN is, what are its advantages, what are the differences between the OpenVPN Access Server and the Community Edition server, what is an ovpn file, and how to set up an OpenVPN client on Mac.
How to connect to an OpenVPN server from Mac [Summary]
There are several ways to set up a VPN on Mac. However, if you need to use OpenVPN, depending on the type of VPN server you need to connect to (OpenVPN Access Server or OpenVPN Community Edition server), you have the following options:
- Connect to an OpenVPN Access Server:
- Connect to an OpenVPN Community Edition server:
- Option 1: Install and configure Tunnelblick (free).
- Option 2: Install and configure Viscosity (commercial, but reasonably priced).
- Option 3: If you try to connect to an OpenVPN server offered by a VPN provider you may use its VPN native app (if available).
What is OpenVPN and what are its advantages?
OpenVPN is a VPN protocol that is considered to be a standard and a model for future protocols.
As an open-source project, it was built to overcome the drawbacks of classical VPN protocols (PPTP, L2TP, IPSec) and to provide an easy to use VPN client to connect to OpenVPN servers.
OpenVPN uses either UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) as transmission protocols and the OpenSSL library for encryption.
The OpenVPN client can be set up on Windows, Linux, iOS, Android. However, on macOS, only a client application that is able to connect to an OpenVPN Access Server is provided.
OpenVPN has some important benefits:
- The OpenVPN project is open-source. Thus, it is free and constantly updated.
- OpenVPN is fast (especially on UDP).
- It is considered to be very secure. Its level of security is provided by the 256-bit encryption and high-end ciphers.
- It is stable and reliable.
- OpenVPN fully supports IPv6.
Do you want to learn more about the OpenVPN protocol? Here is a comprehensive article on what OpenVPN is and how you can use it.
OpenVPN Access Server vs OpenVPN Community Edition
It is important to know the difference between the two types of servers that OpenVPN offers:
- OpenVPN Access Server is the commercial version of the OpenVPN server, it is designed for businesses, and it provides a user interface for administration.
- OpenVPN Community Edition (CE) server is the well-known open-source project that is used by many servers all over the World and by many companies to offer reliable VPN connections to their employees and users. Most of the VPN providers use OpenVPN on their servers as the primary connection protocol.
Since the purpose of this article is to explain how to connect an OpenVPN server from Mac, you may find more information on the differences between the Access Server and the Community Edition here.
Why use OpenVPN on Mac and what do you need?
There are several use-cases that require connecting your Mac to an OpenVPN server. Consider, for example, the following circumstances:
- You work from home and you need to connect to a VPN in order to access the company network and resources;
- You are using a VPN service that does not offer a custom-built, native VPN software;
- You are subscribed to a VPN service, but you prefer to connect using a light, open-source OpenVPN Mac client;
- You need to connect to various OpenVPN servers (exposed by your company, by several VPN providers, built by you, etc.) and you prefer to manage them from a single place.
All these scenarios require manually setting up the OpenVPN connections and the access to the .ovpn files that contain the connection settings.
What is an ovpn file?
An ovpn file (OpenVPN file) contains the settings necessary to initiate a connection for an OpenVPN session. It includes OpenVPN commands for the OpenVPN server and certificates or credentials for user authentication.
Here is a template of an ovpn file:
client remote myvpnserver.name auth RSA-SHA512 comp-lzo yes dev tun proto udp nobind auth-nocache script-security 2 persist-key persist-tun user nobody group nogroup <ca> -----BEGIN CERTIFICATE----- # insert content of your ca.crt -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- # insert content of your user.crt -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- # insert content of your user.key -----END PRIVATE KEY----- </key>
Most of the time you will receive the ovpn file from the VPN administrator or from the VPN provider. However, you may create the OpenVPN file yourself and type in the required commands. You may even implement split tunneling on Mac. Of course, this is an advanced approach.
How to use OpenVPN on Mac
Connecting to an OpenVPN server depends on the type of server you want to connect to OpenVPN Access Server or OpenVPN CE server.
On macOS, you may use the OpenVPN Connect Client to connect to the Access Server, but you need to use a third-party VPN client to be able to create VPN connections to an OpenVPN CE server.
Connect using the OpenVPN Connect Client
In case you need to connect to an OpenVPN Access Server simply download and install the OpenVPN Connect Client for Mac. All the information on this OpenVPN client can be found here.
Connect using Tunnelblick
Tunnelblick is an open-source VPN client for Mac that creates secure tunnels to OpenVPN servers. Tunnelblick installs all necessary drivers (TUN/TAP) and binaries and it offers an easy-to-use GUI (graphical user interface) for the connection management.
Tunnelblick runs on OS X 10.4 and higher, including the latest versions: High Sierra, Mojave, Catalina, and Big Sur.
Before you proceed with the installation make sure you have access to the .ovpn file(s). For example, if you have a NordVPN subscription load this page, click on Show available protocols, and download the OpenVPN config file corresponding to the desired location and protocol (UDP or TCP).
To connect to an OpenVPN server from Mac using Tunnelblick you need to:
- Download Tunneblick. It is recommended to choose the Stable version.
- Click on the Tunnelblick image file (.dmg) in your browser or navigate to the Downloads folder.
- Double-click on the Tunnelblick.app icon.
- You will be asked: Tunnelblick is an app downloaded from the Internet. Are you sure you want to open it? Click the Open button.
- In order to have the Tunnelblick installed in the Applications folder, you will be asked to enter your Mac password. Enter it and click OK.
- Next, you will see a notification window: Installation succeeded. Tunnelblick was successfully installed. Do you wish to launch Tunnelblick now? (An administrator username and password will be required so Tunnelblick can be secured.). Click the Launch button.
- To proceed with the setup click on I have configuration files.
- Further, you will see instructions on how to import configuration files:
- Drag and drop the .ovpn file you have prepared, to the Configurations tab on the Tunnelblick.
- Next, select if you want the configuration profile installed for all users, or only for your current user. If you don’t know what to choose, then pick the Only Me option.
- Enter your Mac password again.
- A warning message will show up about the comp-lzo deprecation. You may safely check the Do not warn about this again and click OK.
- Select the configuration and click Connect.
- If the file does not contain a certificate you will need to enter your user credentials (VPN username and password), check the Save in Keychain option, and click OK.
- Hurray, you are now connected to the VPN.
To disconnect from the VPN, click on the Tunnelblick icon in your menu bar and select Disconnect from the drop-down menu.
When you no longer need to use Tunnelblick to connect to a VPN server, you may delete the VPN client from your Mac:
- Disconnect and quit Tunnelblick.
- Download the Tunnelblick Uninstaller.
- Run the Uninstaller and provide the necessary permissions.
- Restart your Mac.
Connect using Viscosity
Viscosity is a paid alternative ($14 for the permanent license) to Tunnelblick with a more user-friendly interface. Additionally, Viscosity is also available on Windows.
To connect to a connect to an OpenVPN server from Mac using Tunnelblick you have to:
- Download Viscosity. It offers a 30-day trial.
- Click on the Viscosity image file (.dmg) in your browser or navigate to the Downloads folder.
- Drag and drop the Viscosity.app to the Applications folder.
- Next, from Finder or the Launchpad start Viscosity.
- You will be asked if you are sure you want to open it. Click Open.
- As it is the first time you run Viscosity it needs to install a helper tool to allow VPN connections to be created. Click the Install button.
- Enter your Mac password and click Install Helper.
- Now, you are ready to set up the first VPN connection with Viscosity.
- If you have Tunnelblick already installed, Viscosity will ask if you want to import VPN configurations from Tunnelblick.
- To add a new connection, click on the Viscosity icon in your menu bar, and select Preferences.
- Further, you may create a completely new connection or import one from a .ovpn file. As you probably have the OpenVPN file ready, click on the “+” button, Import Connection, and From File…
- Select the .ovpn file from your drive, and if it successfully imported you will see the following message:
- To connect to the OpenVPN server, right-click on the connection name and click Connect.
- If the connection requires authentication, you will be asked to enter the OpenVPN username and password. Check the Remember details in my Keychain and click OK.
- Hurray, you are now connected to Open VPN using the Viscosity app.
To disconnect, click on the Viscosity icon in your menu bar and select the name of the active VPN connection from the drop-down menu.
Connect using native VPN client apps
If you simply prefer the OpenVPN protocol (as it is more secure and reliable than the other VPN protocols) to hide your IP address and you don’t have a specific server to connect to, then you may pick a VPN provider that uses Open VPN.
In this case, you need to subscribe to the VPN service, download the custom-built VPN application, choose the OpenVPN protocol (UDP or TCP), select the desired location, and connect. It is the simplest way to use a VPN as you don’t have to perform any manual settings.
Most of the top VPN providers give access to the OpenVPN protocol these days. However, here are the ones that we recommend (as we test them regularly and we consider to offer excellent value): NordVPN, ExpressVPN, CyberGhost, ibVPN.
Accessing an OpenVPN server from Mac depends on the type of OpenVPN server you need to connect to. In the case of the OpenVPN Access Server, the OpenVPN Connect for Mac is available. For OpenVPN Community Edition, you need to use Tunnelblick or Viscosity as explained above.
Additionally, if you are simply interested in a OpenVPN connection you may install a VPN app provided by one of the above-mentioned services and connect with a click.
Don’t you more VPN tips? You are at the right place! Subscribe to our bat-iful newsletter (below)! It would make a Transylvanian baby-bat 🦇happy.
Hello Adrian, just a few corrections & additions,
1. ANY OpenVPN-compatible client should be able to connect to any OpenVPN service or server. OpenVPN Connect can connect to community or third-party servers (but it’s of course most convenient with our Access Server or OpenVPN Cloud-generated profiles.) Likewise Tunnelblick and open source clients can connect to Access Server or OpenVPN Cloud.
2. OpenVPN Cloud is our SAAS offering which is gaining in popularity, because it frees the VPN administrator from having to deal with OS and hardware issues on the server. It also provides built-in high availability features.
3. There are third-party distributions of software for Mac OS which provide the community openvpn(8) software. These include Macports and Homebrew.
4. Mac OS is a complete Unix OS, and fully capable of compiling the community openvpn software from source code, if the user is so inclined.
5. The link on our web site, “Comparing OpenVPN Access Server with OpenVPN Community Edition” datasheet, is outdated. Mostly still correct and relevant, but it made no mention of OpenVPN Cloud.
6. If a third-party OpenVPN provider is distributing their own client software, it is based on the GPL community software. To comply with GPL they must also give you access to their source code. If they do not, you should avoid that service and report the GPL violation to us.
Thank you and best regards from OpenVPN, Inc.