Tunnelblick Mac Scripts
I'd like to run a script on my Mac whenever OpenVPN connects. I've checked the config on my Mac and I don't see a place for scripts anywhere. I'm running the most recent Tunnelblick (3.7.0).
Where can I set scripts on Tunnelblick for Mac?
Solution 1:
This answer is a little late, but there are actually hooks within Tunnelblick that you can use simply by putting properly named scripts in certain directories.
The documentation for this is not all that much fun to read (or put into practice), so here's a summary*:
- Create pre-connect.sh, post-tun-tap-load.sh, connected.sh, reconnecting.sh and/or post-disconnect.sh as is your need.
- As root, put these files in /Library/Application Support/Tunnelblick/Shared/<gateway>.tblk/Contents/Resources, where <gateway>.tblk is a directory named after an OpenVPN configuration you've imported into Tunnelblick previously.
- Change ownership and ACLs:
    bash$ sudo chown root:wheel reconnecting.sh
    bash$ sudo chmod 700 reconnecting.sh
*Note that the directories I refer to might be different on your setup--I'm running macOS 10.12.6, and these steps assume you've already imported OpenVPN configurations into Tunnelblick.
Solution 2:
Based on the other (great) answer to this question, I wrote this based on Tunnelblick 3.8.1 build 5400 and macOS Mojave 10.14.6 with a simple example.
- Open terminal.
    sudo -s
- cd "/Users/<user>/Library/Application Support/Tunnelblick/Configurations/<profile>.tblk/Contents/Resources"
  where <user> is your username on Mac and <profile> is a VPN profile configuration you've imported into Tunnelblick. Complete path is something like
  /Users/andrea/Library/Application Support/Tunnelblick/Configurations/vpncorporate.tblk/Contents/Resources
- connected.sh
    nano connected.sh
  Paste the following lines, e.g. if you want to add a routing rule when connected:
    #!/bin/sh
    route add -host 172.16.10.7/32 -gateway 192.168.0.244
  Reference: route man page
- post-disconnect.sh
    nano post-disconnect.sh
  Paste the following lines, e.g. if you want to delete the previously added rule:
    #!/bin/sh
    route delete -host 172.16.10.7/32 -gateway 192.168.0.244
  Reference: route man page
- Set the right permission
    chmod 700 connected.sh
    chmod 700 post-disconnect.sh
  In my case
    -rwx------ 1 root admin 63 23 Ott 11:47 connected.sh
    -rwx------ 1 root admin 66 23 Ott 13:43 post-disconnect.sh
A more useful and complex example of connected.sh and post-disconnect.sh may be the following.
The idea is to get the default gateway and route through it for a specific IP.
- connected.sh
    #!/bin/sh
    # First "default" row of the routing table; column 2 is the gateway.
    DEFAULTGATEWAY="$(netstat -nar | sed -n -e '/^default/p' | head -1 | awk '{print $2}')"
    route add -host 172.16.10.7/32 -gateway "$DEFAULTGATEWAY"
- post-disconnect.sh
    #!/bin/sh
    route delete -host 172.16.10.7/32
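
A check for the ownership and permission step in both answers ("Change ownership and ACLs" and "Set the right permission"), as an added example that is not part of either answer or of Tunnelblick. It reports any hook script in a Resources directory that is a symlink, is not owned by root, or does not have mode 700; the names audit_hooks, OWNER_UID and audit_hooks.sh are made up for this example.

```sh
#!/bin/sh
# Added example: audit Tunnelblick hook scripts in one Resources directory.
# Hook names come from this page; audit_hooks and its arguments are
# hypothetical names made up for this example.
HOOKS="pre-connect.sh post-tun-tap-load.sh connected.sh reconnecting.sh post-disconnect.sh"

# audit_hooks DIR [OWNER_UID]
# Prints one line per hook found; returns the number of hooks that fail.
audit_hooks() {
    dir=$1
    want_uid=${2:-0}    # expect root unless told otherwise
    bad=0
    for name in $HOOKS; do
        f="$dir/$name"
        if [ -L "$f" ]; then
            # A link can point at a file that a non-root user may rewrite.
            echo "FAIL $name: symlink"
            bad=$((bad + 1))
            continue
        fi
        [ -f "$f" ] || continue    # hook not in use
        # ls -ln gives the mode string and numeric owner on macOS and Linux;
        # keep 10 characters of the mode to drop any trailing ACL/xattr mark.
        info=$(ls -ln "$f" | awk '{print substr($1, 1, 10), $3}')
        mode=${info% *}
        uid=${info#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $name: owner uid $uid, expected $want_uid"
            bad=$((bad + 1))
        elif [ "$mode" != "-rwx------" ]; then
            echo "FAIL $name: mode $mode, expected -rwx------ (chmod 700)"
            bad=$((bad + 1))
        else
            echo "OK   $name"
        fi
    done
    return "$bad"
}

# Run as: sh audit_hooks.sh "<path to Contents/Resources>"
if [ "$#" -ge 1 ]; then
    audit_hooks "$@"
    exit
fi
```

The exit status is the number of failing hooks, so 0 means every hook present matches the ownership and mode shown in the answers.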