You can use the MacOS Network settings to connect to most types of VPN (hit "+" and fill in the forms to add a new connection). For free, open-source clients, Tunnelblick is very common.
macOS and iOS don't support OpenVPN with the built-in client. You can use strongSwan-based VPNs (e.g., as would be deployed through Algo) or Cisco, but for OpenVPN you'll need a custom client which, unfortunately, very likely brings along its own .kext.
TunnelBlick comes with a tun/tap kext that is signed. This is not required on systems where Apple already has tun/tap support compiled in (not sure when that started, but it's been a long time)
From the known issues page:
"If you are running on OS X 10.6.8 or higher and using OpenVPN 2.3.4 or higher and using a TUN device, the default Tunnelblick setting to "Load Tun Automatically" (on the "Advanced" settings window) will avoid this problem by not loading the tun kext — OS X's built-in "utun" device will be used instead of a "tun" device."
Is a .kext actually required for a vpn client? My understanding is that TunnelBlick just creates a tun network in user-space. Why would it need to be in the kernel?
NetworkManager is pretty much the default GUI for most distros and DEs, and has built-in support for OpenVPN, PPTP, L2TP, IPsec, SSH, etc... And it also integrates well with the Wifi setup, so you can easily set it up to automatically connect to the VPN when you connect to certain networks.
