Koozali.org: home of the SME Server

changes to macOS affecting use of openvpn-bridge - tap

warren
« on: August 24, 2020, 01:41:03 PM »
Apple has made an announcement that there will be Deprecated Kernel Extensions and System Extension Alternatives: https://developer.apple.com/support/kernel-extensions/

This will / can have an impact on Mac users using Tunnelblick to connect to SME servers with the OpenVPN Bridge.

Here is the notice from Tunnelblick: https://tunnelblick.net/cTunTapConnections.html

Quote
If you have a 'tap' VPN, a future version of macOS will cause your VPN to stop working. (Apple's announcement to developers is worded differently and may mean that users will be able to use some mechanism to enable 'tap' VPNs to continue to work, but that interpretation is contradicted by the warning shown above. See What Apple announced, below.) On macOS Big Sur you may be able to allow 'tap' VPNs to continue to work by disabling SIP. You may be able to convert your 'tap' VPN to a 'tun' VPN which will work. However, that requires being able to change the OpenVPN configurations on both your computer and on the VPN server, and it may not provide all of the networking facilities that you are currently using. Consult OpenVPN experts and support for help with doing this.

They go on to say that users of VPNs using the tun interface with Tunnelblick should still be able to connect.

Quote
If you have a 'tun' VPN, your configurations may continue to work in future version of macOS without you doing anything, or you might need to make a simple change to the OpenVPN configuration file so that the configuration will continue to work. If your OpenVPN configuration file does not contain a "dev-node" option, you do not need to do anything and the configuration will continue to work. If your OpenVPN configuration file does contain a "dev-node" option, you will need to remove that option so the configuration continues to work (see below).

From my understanding, SME servers running OpenVPN Bridge with Mac clients connecting may well have to install the OpenVPN Routed contrib as well, and set up the Mac users to use the OpenVPN Routed contrib.

OR, install alternative VPN solutions (Libreswan, SoftEther, etc.).

Thoughts ...
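
The checks from the Tunnelblick notice quoted above, as an added example that is not part of the original posts or Tunnelblick's own code: a shell function that reads an OpenVPN client config and reports whether it is a tap VPN, a tun VPN with a dev-node option to remove, or a tun VPN that needs no change. The function names, the sample file names and the host vpn.example.org are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify OpenVPN client configs
# against the Tunnelblick notice quoted above.

# Print tap | tun-remove-dev-node | tun-ok | unknown for one config file.
classify_ovpn() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        $1 == "dev"      { dev = $2 }
        $1 == "dev-type" { devtype = $2 }       # wins over the name given to dev
        $1 == "dev-node" { node = 1 }
        END {
            kind = devtype
            if (kind == "" && dev ~ /^tap/) kind = "tap"
            if (kind == "" && dev ~ /^tun/) kind = "tun"
            if (kind == "tap")              print "tap"
            else if (kind == "tun" && node) print "tun-remove-dev-node"
            else if (kind == "tun")         print "tun-ok"
            else                            print "unknown"
        }' "$1"
}

# One report line per config file given as an argument.
audit_ovpn() {
    for f in "$@"; do
        case "$(classify_ovpn "$f")" in
            tap) echo "$f: tap VPN, expected to stop working; plan a move to tun" ;;
            tun-remove-dev-node) echo "$f: tun VPN, remove the dev-node option" ;;
            tun-ok) echo "$f: tun VPN without dev-node, no change needed" ;;
            *) echo "$f: no tun/tap device found, check by hand" ;;
        esac
    done
}

# Constructed sample configs (hypothetical host name and file names).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'client\ndev tap\nremote vpn.example.org 1194\n' > "$tmp/bridge.ovpn"
printf 'client\ndev tun\ndev-node tun0\n' > "$tmp/routed-node.ovpn"
printf '; dev tap\ndev tun\n' > "$tmp/routed.ovpn"
audit_ovpn "$tmp"/*.ovpn
```

Pass `audit_ovpn` the client config files that the Mac users actually load in Tunnelblick to see which connections depend on the bridge.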

ReetP
« Reply #1 on: August 24, 2020, 04:48:53 PM »
Quote
OR, install alternative VPN solutions (Libreswan, SoftEther, etc.).

Thoughts ...

Yup, that's about it.

If Apple decide to remove TAP then you have no other choice really. At least you have some time to plan round it.

As far as I remember TAP is better for bridges so if you want to join two networks together on the same 10.0.0.0/24 network. The OpenVPN Bridge contrib is there to join two SME servers in this mode. Personally I use ipsec/libreswan for net-net anyway.

I have always favoured OpenVPN routed for dial in as I have never wanted to browse network services etc. when I am remote, but clearly YMMV.

I would have to check how it all works in ipsec/l2tpd.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation