[VPN] Tunnelblick (macOS) installation and configuration

Preparation: VPN Access & Moja PG Password Validity

Before beginning configuration, ensure the following:

  • You have VPN access (see details here).

  • Your password for the Moja PG portal is valid.


Step-by-Step instructions

Preparation

1. Log in to Moja PG

  • Connect from any network (including a home network).

  • Go to the Moja PG portal and log in using your credentials.

2. Check Password Status

After logging in:

  • You will see the Moja PG homepage.

  • Go to My Account in the top right corner and look for a notification indicating that your password has expired.

    • If the password has expired:
      Go to My Account → Password Change and set a new one.

3. No notification & last password change over 3 months ago?

  • If no expiration notice is displayed, but it has been over 3 months since your last password change,
    it is strongly recommended to change your password anyway.


Step 1: Installing Tunnelblick

To use VPN connections on macOS, you need to install a program called Tunnelblick. This application acts as a VPN client.

Installation Instructions

  1. Go to the Tunnelblick website
    Visit tunnelblick.net/downloads.html.
    In the Release Downloads section, find the link to the Stable version and download the installer file.

  2. Run the downloaded installer
    Launch the file with the .dmg extension.
    In the next window, confirm that you want to open the file.

  3. Enter administrator password if prompted
    macOS may request your computer's administrator password. Enter it to proceed.

  4. Respond to the feature update message
    A message about new functionality may appear. Select Check for changes.

  5. Enable automatic updates
    Click Check Automatically to allow the application to update itself.

  6. Confirm you don't have configuration files
    When asked, click I do not have configuration files to let the app know no VPN settings are yet provided.

  7. Installation complete
    Tunnelblick is now installed on your system.


Step 2: Preparing the Tunnelblick configuration

To allow Tunnelblick to establish VPN connections, you must prepare a configuration consisting of specific files and a dedicated folder. Follow the steps below:

Configuration Instructions

1. Download the configuration file

Choose the appropriate version based on your affiliation with the university:

2. Generate and download your personal certificate

Use the certificate management tool at https://ca.cui.pg.edu.pl/
(Log in using your Moja PG credentials.)

3. Download the PG Root certificate

Download the file pg-ca.pem.

4. Create a configuration folder

On your Desktop, create a new folder and name it, for example, PG_VPN.

5. Rename the configuration file

Go to your Downloads folder and rename the previously downloaded .ovpn file (whether for employee or student) to:

client.ovpn

Note: macOS may automatically add a .txt extension, changing the name to client.ovpn.txt.
If this happens, rename the file back to client.ovpn (removing the .txt).

6. Move the necessary files

Copy the following three files from your Downloads folder to the PG_VPN folder on your Desktop:

  • client.ovpn

  • your personal certificate file (e.g., user_certificate.p12)

  • pg-ca.pem

7. Open the Terminal Application

Launch the Terminal app on your Mac (use Finder if needed to locate it).
A black-and-white text window will appear, allowing you to enter keyboard commands.
The command prompt will look something like this:

Note whether the header of the terminal window says ZSH or BASH

The following steps set Bash as the default shell:

  1. Open Terminal and enter the following command, then press Enter:

    cat /etc/shells

    This will display a list of shells available on your system.

  2. Open Terminal settings

  • Click Terminal in the top menu bar (next to the Apple menu).

  • From the drop-down menu, select Settings.

  3. Change default shell settings

  • Go to the General tab (if not taken there automatically).

  • In the Shells open with section, select Command (complete path) instead of the Default login shell option.

  • Replace the existing path (likely /bin/zsh) with:

/bin/bash
  • Press Enter to confirm. This sets Bash as your default shell.

  4. Switch to bash manually (optional step)

If you're still in Terminal, run the following command and press Enter:

/bin/bash

You should now see the Terminal prompt using the Bash shell.

  5. Restart Terminal

  • Press Cmd + Q to quit Terminal.

  • Reopen Terminal — Bash should now be your default shell.

computer_name:~ account_name$

8. Navigate to the desktop

Open Terminal and enter the following command, then press Enter:

cd Desktop

9. Confirm you’re in the correct directory

The command line prompt should now appear like this:

computer_name:Desktop account_name$

10. Enter the VPN folder

Now enter the folder containing the three necessary files (client.ovpn, user_certificate.p12, pg-ca.pem).
If you followed the naming convention from earlier instructions, enter:

cd PG_VPN

Press Enter.

11. Confirm directory change

The command prompt should now look like this:

computer_name:PG_VPN account_name$

12. Extract the certificate from the .p12 file

In Terminal, type the following command and press Enter:
(Note: The part -nokeys might visually wrap to a new line in Terminal, but enter the whole command on a single line.)

openssl pkcs12 -in user_certificate.p12 -out user_certificate.crt -nodes -nokeys

13. Enter certificate password

When prompted, enter the password used to protect your .p12 certificate file.
Note: Characters will not be visible as you type.
Then press Enter.

14. Password confirmation

If the password is correct, the following message will appear:

MAC verified OK

15. Extract the private key

Now enter the following command and press Enter:
(Again, be sure to enter it all on a single line, even if it appears split visually.)

openssl pkcs12 -in user_certificate.p12 -out user_certificate.key -nodes -nocerts

16. Enter certificate password again

You will be prompted once more to enter the certificate password. Type it in and press Enter.

17. Final confirmation

If successful, you will again see the message:

MAC verified OK

Now, you can close the Terminal window.

If you encounter the message "permission denied", follow these steps:

  1. Type the following command into Terminal and press Enter.
    Note: The last part of the command, -nokeys, may appear on a second line due to visual line wrapping. However, the entire command must be entered on a single line in Terminal:

    sudo openssl pkcs12 -in user_certificate.p12 -out user_certificate.crt -nodes -nokeys

  2. In response, you will be prompted to enter the password protecting your user certificate. Type the password (characters will not be visible as you type) and press Enter.

  3. If the password is correct, the system will display the message:
    MAC verified OK

  4. Then, type the following command into Terminal and press Enter.
    Note: The final part of the command, -nocerts, may also wrap to the next line visually, but you must enter the entire command on a single line:

    sudo openssl pkcs12 -in user_certificate.p12 -out user_certificate.key -nodes -nocerts

  5. Again, you will be prompted to enter the password protecting your user certificate. Type it in (characters will not be visible) and press Enter.

  6. If the password is correct, the system will display the message:
    MAC verified OK

  7. Close the Terminal window.

18. Verify and finalize configuration files

Go to the previously created folder PG_VPN (on the Desktop). Verify that the following files are present in the folder:

  • user_certificate.crt

  • user_certificate.key

  • user_certificate.p12

  • client.ovpn

  • pg-ca.pem
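
An added example, not part of the original instructions: a Bash function that checks the PG_VPN folder after steps 12-17. Because -nodes writes the private key unencrypted, it restricts the key file to its owner, then confirms that the certificate and key belong to the same key pair and that the certificate has not expired. The function names are illustrative; the file names are the ones used on this page.

```shell
# Added example (not from the original page): check the PG_VPN folder after
# steps 12-17. File names follow the page; function names are illustrative.

# Public key (PEM) of the first certificate in a file; fails on unreadable input.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# True only when group and others have no permission bits on the file.
is_private() { [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]; }

# check_bundle DIR: 0 = consistent; 2 = file missing; 3 = key not private;
# 4 = unreadable cert/key; 5 = cert and key differ; 6 = cert expired.
check_bundle() {
    local dir=$1 f crt key cpub kpub
    crt="$dir/user_certificate.crt"
    key="$dir/user_certificate.key"
    for f in client.ovpn pg-ca.pem user_certificate.p12 \
             user_certificate.crt user_certificate.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # -nodes wrote the key unencrypted: file permissions are its only protection.
    # chmod fails if sudo left the files owned by root, which is reported here.
    if ! chmod 600 "$key" "$dir/user_certificate.p12" 2>/dev/null ||
       ! is_private "$key"; then
        echo "cannot restrict access to $key" >&2; return 3
    fi
    cpub=$(cert_pubkey "$crt") || { echo "unreadable certificate" >&2; return 4; }
    kpub=$(key_pubkey "$key") || { echo "unreadable private key" >&2; return 4; }
    # Both files must describe the same key pair.
    [ "$cpub" = "$kpub" ] ||
        { echo "certificate and key do not match" >&2; return 5; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 6; }
    echo "bundle OK"
}
```

Paste the functions into Terminal, then run `check_bundle ~/Desktop/PG_VPN` before renaming the folder in step 19.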

19. Rename folder to .tblk

Exit the folder and return to the Desktop. Right-click on the PG_VPN folder and select Get Info from the menu.
In the Name & Extension section, add the extension .tblk to the folder name — as shown in the illustration.

20. Confirm extension change

In the pop-up window, confirm adding the .tblk extension by clicking Add.

21. Choose installation scope

The system will then ask whether to install the configuration for all users of the computer. Choose the option that best suits your needs.
The typical choice is to save the configuration for your user account only.

22. Enter administrator password

In the next step, macOS may request the Mac administrator password. Enter the password when prompted.

23. Configuration ready

If the entire procedure has been completed correctly, the configuration files are now ready for use.


Establishing a VPN Connection

  1. Ensure that your Apple Mac computer has access to the Internet.

  2. On the Desktop, locate the Tunnelblick icon in the top right corner of the screen.

  3. Right-click on the icon. A menu will appear; select Connect PG_VPN.

  4. If a warning window appears stating that the computer's IP address has not changed after connecting to PG_VPN, confirm the message by clicking OK.

  5. The VPN connection to the PG network should be established within a few moments (approximately 30 seconds).


Disconnecting the VPN Connection

  1. After finishing work with PG's IT systems (requiring the VPN), log out from them.

  2. Next, right-click on the Tunnelblick icon.

  3. From the displayed menu, select Disconnect PG_VPN.

  4. The VPN connection will be closed.


Centrum Usług Informatycznych Politechniki Gdańskiej 2024