Viscosity, OpenVPN and the "Cannot allocate TUN/TAP dev dynamically" Error.

I like to keep my software up to date, particularly when it's something security related.  So when Spark Labs' Viscocity 1.4.3 told me 1.4.4 was available, I went ahead and let it update.

And thus began my several weeks of not being able to connect to the company VPN.

The Error

I got to looking at the logs and found the message openvpn error message: "Cannot allocate TUN/TAP dev dynamically"

The Path to a Fix

A friend linked me to this help topic on Spark Labs' Support pages: http://www.sparklabs.com/support/error_cannot_allocate_tun_tap/

I tried all their steps for fixing this error twice, to no avail.

Next I started searching the web for why this wasn't working.  I ended up on TunnelBlick's support pages.  TunnelBlick is a free open source GUI interface to openvpn, similar to Viscosity.  I read though all their associated suggestions here: https://code.google.com/p/tunnelblick/wiki/cCommonProblems#An_OpenVPN_log_entry_says_"Cannot_allocate_TUN/TAP_dev_dyna

The suggestion that some other driver could be conflicting with their TUN/TAP driver was interesting, and I checked the output of "kextstat  | grep -v com\.apple" for likely drivers, but found nothing related to vpns.

However, that gave me the idea to search for the .kext tun drivers and try to load them manually.  I located them with "locate tun | grep kext" and then started trying to load the likely ones:

> sudo kextload /Applications/Viscosity.app/Contents/Resources/tuntap/tun.kext
/Applications/Viscosity.app/Contents/Resources/tuntap/tun.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8).

This one seemed like a different error, so I passed it up for the moment.

> sudo kextload /Library/ViscosityHelperTools/tun.kext
/Library/ViscosityHelperTools/tun.kext failed to load - (libkern/kext) validation failure (plist/executable); check the system/kernel logs for errors or try kextutil(8).

This seemed more like the issue I was seeing.  I took it's suggestion and tried kextutil:

> sudo kextutil /Library/ViscosityHelperTools/tun.kext
No kernel file specified, using '/mach_kernel'
/Library/ViscosityHelperTools/tun.kext is invalid; can't resolve dependencies.
/Library/ViscosityHelperTools/tun.kext is invalid; can't resolve dependencies.
/Library/ViscosityHelperTools/tun.kext is invalid; can't resolve dependencies.
Diagnostics for /Library/ViscosityHelperTools/tun.kext:
Validation Failures:
    Kext has a CFBundleExecutable property but the executable can't be found:
        tun

No tun executable?  I checked:

> ls /Library/ViscosityHelperTools/tun.kext/Contents/MacOS
>

Yep, that directory was empty.  I surmise that when I did my update, the drivers in /Library/ViscosityHelperTools didn't get completely installed and since they aren't a part of the application folder, following the Spark Labs instructions did not affect their state.  

The Fix

I removed Viscosity and also removed the corrupted /Library/ViscosityHelperTools folder.  Next, I downloaded and installed a fresh copy of Viscosity.  When I executed Viscosity this time, it prompted me for elevated privileges to install drivers.  Finally, I checked for that previously missing file:

> ls /Library/ViscosityHelperTools/tun.kext/Contents/MacOS
tun
>

Success!  I tried my connection to the company VPN, and it worked perfectly!

Hopefully someone with a similar problem finds this information helpful in fixing it.  (Thanks for the suggestion Jeff!)