My favorite VPN server had maintenance last night and this morning my Mac would no longer connect. The error message told me the username and password were incorrect, but this was not true. After opening Tunnelblick’s log, I quickly found that there were TLS errors – yes, seems the VPN server operator renewed the certificates!
Easy fix, I downloaded the latest certificate and profile by logging into my provider’s WatchGuard VPN website, downloaded the latest profile, cleaned out my previous passwords in Keychain, and logged back in. Note: to log in, I had to use the username “MFA\bcs”, where MFA\ represents the domain for multi factor logins. I’ve got more detailed notes on this, but until people request the details in the comments I’ll stop here. Also, for those just wanting to delete their cached Keychain credentials to start over, check out these instructions, and in my case it was useful to use these to see what domain I had logged into when my credentials and TLS certificate had previously worked.