Running openvpn on Mac OS X has always been a bit cumbersome, on account of the 
lack of native tun/tap devices. A third-party kernel extension exists, but, in 
addition to being a barrier in itself, it can only be installed once, leading 
to a collection of mutually incompatible OS X apps competing to have their 
version installed. Also, it occasionally gets broken by OS X upgrades. It's kind 
of a big hairball of despair.

As it happens, Apple quietly introduced native user tunnels (utun) for their 
own purposes in OS X 10.6. The APIs are public, although not what you would 
call documented. Thanks to some scraps on the wide Internet and a nudge from an 
Apple engineer at WWDC, I've been able to add utun support to openvpn. I have a 
fork on Github with a complete working implementation: 
https://github.com/bbits/openvpn/tree/utun.

What I would love now is to find some more intrepid OS X users to take it for a 
whirl. I've been testing it in the context of the OS X Cloak client without so 
much as a hiccup. Of course, that still leaves plenty of scenarios to test, 
especially covering IPv6 and non-default topologies. Use "--dev tunX 
--dev-impl-osx utun" to switch to the utun implementation.

In terms of the code, the only significant addition is a version of open_tun 
that creates a utun device. This is accomplished through a mystical socket 
incantation rather than opening a character device, but after that it's the 
same deal. Not surprisingly, read/write behavior matches the Free/OpenBSD 
implementations, so that code is the same. The only other addition is a new 
option to activate it; the default behavior is unchanged.

I've been working primarily on 10.8, but I'm also able to build and run on 10.7 
and 10.6, which is as far back as my archive currently goes. The changes will 
definitely break the build on 10.5 and earlier. I don't know what your 
deprecation policy is, but if anyone cares about supporting such old systems, 
I'm sure utun support could be turned into a configure-time option.

Looking forward to feedback and next steps.

Thanks,
Peter
Founder, GetCloak.com
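
The utun open sequence and the shared packet framing that the message describes, as an added C example (not code from Peter's fork or from OpenVPN itself). It uses Apple's public kernel-control API names (PF_SYSTEM, SYSPROTO_CONTROL, CTLIOCGINFO, UTUN_CONTROL_NAME, struct sockaddr_ctl), keeps the Darwin-only part behind #ifdef __APPLE__ so the framing helper builds elsewhere, and the function names utun_open and utun_frame are its own.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <arpa/inet.h>
#ifdef __APPLE__
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <net/if_utun.h>
#endif

/* Open utunN (unit 0 -> utun0; -1 lets the kernel pick a free unit). This is the
 * "socket incantation": a PF_SYSTEM kernel-control socket connected to the
 * com.apple.net.utun_control provider, instead of open() on a /dev/tunN node. */
int utun_open(int unit)
{
#ifdef __APPLE__
    struct ctl_info info; struct sockaddr_ctl sc;
    int fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
    if (fd < 0) return -1;
    memset(&info, 0, sizeof(info));
    strncpy(info.ctl_name, UTUN_CONTROL_NAME, sizeof(info.ctl_name) - 1);
    if (ioctl(fd, CTLIOCGINFO, &info) < 0) { close(fd); return -1; } /* name -> ctl_id */
    memset(&sc, 0, sizeof(sc));
    sc.sc_len = sizeof(sc); sc.sc_family = AF_SYSTEM; sc.ss_sysaddr = AF_SYS_CONTROL;
    sc.sc_id = info.ctl_id;
    sc.sc_unit = unit < 0 ? 0 : (uint32_t)unit + 1; /* utunN is control unit N+1 */
    if (connect(fd, (struct sockaddr *)&sc, sizeof(sc)) < 0) { close(fd); return -1; }
    return fd;
#else
    (void)unit; return -1; /* utun exists only on Darwin */
#endif
}

/* utun prefixes every packet with a 4-byte address family in network byte
 * order, the same header Free/OpenBSD tun uses, which is why the read/write
 * code can be shared. Returns the framed length written to out, or -1. */
int utun_frame(const uint8_t *pkt, size_t len, uint8_t *out, size_t outlen)
{
    uint32_t af;
    if (len == 0 || outlen < len + 4) return -1;
    if ((pkt[0] >> 4) == 4) af = htonl(AF_INET);
    else if ((pkt[0] >> 4) == 6) af = htonl(AF_INET6);
    else return -1; /* not IPv4/IPv6: drop rather than guess a family */
    memcpy(out, &af, 4); memcpy(out + 4, pkt, len);
    return (int)(len + 4);
}
```

A read() from the fd returns frames in the same layout, so stripping the first four bytes and checking ntohl() of them against AF_INET/AF_INET6 is the inverse operation.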
