Netgate is offering COVID-19 aid for pfSense software users, learn more.

Mac OSX Clients and Installation

OpenVPN Client Options

  1. The commercial Viscosity client. At the time of this writing, it costs $14 USD for a single seat. If OpenVPN is used frequently, Viscosity is well worth the cost.

  2. Tunnelblick, a free option available for download.

  3. The OpenVPN command line client. Most endusers prefer a graphical client, so this option will not be covered.

Both Tunnelblick and Viscosity are easily installed, with no configuration options during installation.

Installing Viscosity

When using the Viscosity client, configuration can be imported using the OpenVPN Client Export pfSense package or it can be configured manually.


It won’t be covered here, but Viscosity provides a GUI configuration tool that can be used to generate the underlying OpenVPN client configuration. The CA and certificates can be imported manually, and all of the parameters can be set manually.

Import Viscosity Bundle From Export Package

  • Download a copy of the Viscosity bundle for the client from the OpenVPN Client Export pfSense package.

  • Locate the saved file, which will end in indicating that it is a compressed archive.

  • Copy this exported bundle to a folder on the enduser’s Mac.

  • Double click this file and it will expand to Viscosity.visc.

  • Double click Viscosity.visc and Viscosity will open and import the connection as shown in Figure Viscosity Import.


    Viscosity Import

  • Delete the Viscosity.visc directory and the .zip archive.

  • Viscosity will be running after import, and may be found as a lock icon in the menu bar at the top of the screen.

Verify Connection Was Imported

  • Click the lock icon added to the menu bar at the top of the screen.

  • Click Preferences to check that the configuration was imported as shown in Figure Viscosity Preferences.


    Viscosity Preferences

  • Check the Connections area to see if the connection imported successfully as shown in Figure Viscosity View Connections.


    Viscosity View Connections

  • Close the Preferences screen.

Connect the VPN

  • Click the lock icon in the menu bar again.

  • Click the name of the VPN connection to connect as shown in Figure Viscosity Connect. After a few seconds, the lock icon in the menu bar will turn green to show it connected successfully.


    Viscosity Connect

Check Connection Details

  • Click the lock icon in the menu bar again.

  • Click Details as shown in Figure Viscosity Menu to see connection information.


    Viscosity Menu

On the first screen (Figure Viscosity Details), the connection status, connected time, the IP assigned to the client, and the IP of the server are all displayed. A bandwidth graph is displayed at the bottom of the screen, showing the throughput in and out of the OpenVPN interface.


Viscosity Details

Clicking the up/down arrow button in the middle of the details screen displays additional network traffic statistics. This shows the traffic sent within the tunnel (TUN/TAP In and Out), as well as the total TCP or UDP traffic sent including the overhead of the tunnel and encryption.


For connections using primarily small packets the overhead is considerable with all VPN solutions.

The stats shown in Figure Viscosity Details: Traffic Statistics are from only a few pings traversing the connection. The traffic sent in bringing up the connection is also counted here, so the initial overhead is higher than what it will be after being connected for some time. Also, the typical VPN traffic will have larger packet sizes than 64 byte pings, making the total overhead and difference between these two numbers considerably less.


Viscosity Details: Traffic Statistics

Clicking on the third icon in the middle of the Details screen shows the OpenVPN log file (Figure Viscosity Details: Logs). If there is any trouble connecting, review the logs here to help determine the problem.


Viscosity Details: Logs

See also

For more information on how to troubleshoot the connection, see Troubleshooting OpenVPN.