VPNs and Location Aware Settings on Mac OS X

Recently, a co-worker was asking about my configuration for connecting to the corporate VPN, and I thought the information might be useful for others as well — I use a combination of Tunnelblick; an OpenVPN client for Mac OS X, Sidekick; an application that changes Mac OS X settings based on your physical location (and/or network SSID, etc.), and a little shell script I wrote to start the VPN, define additional routes, and update my dynamic DNS hostname.


Tunnelblick is a free, open source graphic user interface for OpenVPN on Mac OS X. It installs itself in the menu bar, and provides a quick & easy way to connect and disconnect from one or more configured VPNs. Tunnelblick comes as a ready-to-use application, with all necessary binaries and drivers. To use Tunnelblick, you’ll need access to a VPN server — either a corporate VPN account, for example, or one of the many public VPN servers now available on the internet. The public VPN solutions are practical when you need to use a public WiFi service (airport, coffee shop, etc.) and would like to encrypt your traffic, get around transparent proxies, firewall rules, etc. — or maybe you’d just like to make sure your ISP isn’t tracking your activity.


Sidekick is not free and open source — it’s a $30 application, but well worth the expense if, for example, you travel back & forth from work with your laptop. You define a set of rules — a physical location, a network SSID, etc. — and actions Sidekick will perform when those rules are met. You might have “Home”, “Work”, “Corp VPN”, and “Public VPN” locations. The Home location could change your default printer and start a backup. The Corp VPN could start the appropriate Tunnelblick VPN, run a shell script to change some routes, and open a terminal window to a remote server.

As an example, in the Mac OS X System Preferences you could create a “Public” location, and in Sidekick, you could add a “Public VPN” place, setting it as the default. As it’s actions, you might set your default printer to CUPS-PDF, disable Time Machine, run vpn-public-connect.sh, and vpn-disconnect-all.sh “when leaving location“.

Custom Scripts

The vpn-public-connect.sh script is executed by Sidekick to start the VPN. It uses AppleScript to tell Tunnelblick to connect the VPN, then waits for a gateway host to be defined for the VPN device (either tun or tap), adds or removes custom routes, and updates a dynamic DNS hostname. The nsupdate-ddns.sh script used to update the dynamic DNS has been discussed in an earlier post.

Download the vpn-public-connect.sh script here.

The vpn-disconnect-all.sh script should be executed by Sidekick when leaving location (an optional checkbox when adding the script to Sidekick’s actions). The script simply tells Tunnelblick to close all VPNs, and then updates the dynamic DNS hostname.

download the vpn-disconnect-all.sh script here.