MarkusMcNugen / docker-qBittorrentvpn

Docker container which runs a headless qBittorrent client with WebUI and optional OpenVPN
https://hub.docker.com/r/markusmcnugen/qbittorrentvpn/
GNU General Public License v3.0
171 stars 92 forks

Attempting to start openvpn fails as it's unable to create /dev/net/tun #53

Open unclebobuk opened 4 years ago

unclebobuk commented 4 years ago

Hi, attempting to get VPN tunnel up. ovpn config downloaded from provider and added. Container running inside Synology (docker version 18.09.0-0506). When openvpn starts, it fails with the following error.

2020-05-12 09:59:06 | stdout | Tue May 12 09:59:06 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun
2020-05-12 09:59:06 | stdout | Tue May 12 09:59:06 2020 Exiting due to fatal error

I've attempted to make the device file manually and then reboot but it looks as though it's re-created at each reboot and the file disappears. I am guessing it's a permissions issue according to the post I've read here

https://discuss.linuxcontainers.org/t/openvpn-error-cannot-open-tun-tap-dev-dev-net-tun-no-such-file-or-directory-errno-2-solved/1614/4

which can be resolved by adding some config into the container config file.

As I'm using these within a NAS I don't have the environment to pull and build directly, otherwise I'd do some testing.

Anyway thought I'd flag it.

thanks Adam

triksmelb commented 4 years ago

Seeing the same error in the logs...

ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Exiting due to fatal error

Followed the great instructions in setting up the container, even tried running the container with PGID and PUID as 0 (root) and with high privilege for the container but still the same error.

Synology DSM DSM 6.2.2-24922 4 Synology Docker 18.09.0-0513

astocode commented 4 years ago

I also tried to deploy this on a NAS (TerraMaster) and I came across the same issue. Doing some googling, I found that the solution would be to include the "--device=/dev/net/tun" parameter in the docker run command.

However, because I'm running the container from the web management tool, I cannot include this parameter.

Can someone help me on how to include this parameter as an optional variable like "DEVICES" that can take values like "/dev/net/tun" and be appended to the run command?

Montblac commented 4 years ago

@unclebobuk @triksmelb This helped me resolve that issue running it on a Synology NAS. https://ruimarinho.github.io/post/fix-tun-tap-not-available-on-a-synology-nas/

triksmelb commented 4 years ago

@stroskl depending on the container, you will most likely have to edit the environmental settings manually. I did it in a text file, SSH into my NAS, sudo -i and paste the script in there.

I used this guide (had to modify it for NordVPN but the principle is the same).

http://haugene.github.io/docker-transmission-openvpn/synology-nas/

docker run \
  --cap-add=NET_ADMIN \
  --device=/dev/net/tun \
  -d \
  -v /volume1/docker/transmission-openvpn/resolv.conf:/etc/resolv.conf \
  -v /volume1/downloads/transmission/:/data \
  -e "OPENVPN_PROVIDER=NORDVPN" \
  -e "NORDVPN_COUNTRY=AU" \
  -e "NORDVPN_PROTOCOL=TCP" \
  -e "NORDVPN_CATEGORY=P2P" \
  -e "OPENVPN_USERNAME=#######@gmail.com" \
  -e "OPENVPN_PASSWORD=##########" \
  -e "LOCAL_NETWORK=10.0.1.0/24" \
  -e "OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60" \
  -e "PGID=100" \
  -e "PUID=1026" \
  -p 9091:9091 \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  --name "transmission-openvpn-syno" \
  haugene/transmission-openvpn:latest

In my opinion Synology Docker Web UI is great but limited for requirements like this.

ragnarwessels commented 4 years ago

I ran into the same issue on my Synology DS918+ this afternoon.

In my case /dev/net/tun exists. Since it's only accessible to the root user, running the container with "high privilege" (in the Docker UI) solved the problem for me.

Caedendi commented 4 years ago

Thanks. I tried again today, even though I had it running before with high privilege on, and the TUN/TAP device is no longer the issue, but I have another one:

Linux ip -6 addr add failed: external program exited with error status: 2

I have no idea what I'm doing wrong.

I tried adding VPN_USERNAME and VPN_PASSWORD to the environment but that just quickly loops it in starting and crashing. BTW I have a .ovpn file in my config.

EDIT: I solved the issue. The problem was my .ovpn file generated by my VPN provider. I had to select IP layer exit: IPV4 only and connect with IP layer IPV4. My ISP doesn't provide IPv6, so I guess that's why it didn't work, and my bridge shows IPV6 is disabled. The container is now running and I can access the web GUI.

Dinth commented 4 years ago

@Caedendi Please open a new issue.

MYeager1967 commented 3 years ago

I'm getting this issue after moving my NAS to a different VLAN. I'm sure it's something simple, but I'd appreciate if someone were to offer a hand here...

2020-12-14 16:31:05.774150 [info] VPN_ENABLED defined as 'yes'
2020-12-14 16:31:05.870919 [info] OpenVPN config file (ovpn extension) is located at /config/openvpn/my_expressvpn_usa_-_tampa_-_1_udp.ovpn
dos2unix: converting file /config/openvpn/my_expressvpn_usa_-_tampa_-_1_udp.ovpn to Unix format...
2020-12-14 16:31:05.955809 [info] VPN remote line defined as 'usa-tampa-1-ca-version-2.expressnetw.com 1195'
2020-12-14 16:31:06.012969 [info] VPN_REMOTE defined as 'usa-tampa-1-ca-version-2.expressnetw.com'
2020-12-14 16:31:06.068881 [info] VPN_PORT defined as '1195'
2020-12-14 16:31:06.127987 [warn] VPN_PROTOCOL not found in /config/openvpn/my_expressvpn_usa_-_tampa_-_1_udp.ovpn, assuming udp
2020-12-14 16:31:06.184817 [info] VPN_DEVICE_TYPE defined as 'tun0'
2020-12-14 16:31:06.238666 [info] LAN_NETWORK defined as '192.168.10.0/24'
2020-12-14 16:31:06.292417 [info] NAME_SERVERS defined as '8.8.8.8,8.8.4.4'
2020-12-14 16:31:06.346474 [info] VPN_OPTIONS not defined (via -e VPN_OPTIONS)
2020-12-14 16:31:06.402608 [info] Adding 8.8.8.8 to resolv.conf
2020-12-14 16:31:06.457090 [info] Adding 8.8.4.4 to resolv.conf
2020-12-14 16:31:06.508152 [info] PUID not defined. Defaulting to root user
2020-12-14 16:31:06.561781 [info] PGID not defined. Defaulting to root group
2020-12-14 16:31:06.612374 [info] Starting OpenVPN...
Mon Dec 14 16:31:06 2020 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Mon Dec 14 16:31:06 2020 WARNING: file 'credentials.conf' is group or others accessible
Mon Dec 14 16:31:06 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Mon Dec 14 16:31:06 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Mon Dec 14 16:31:06 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Dec 14 16:31:06 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 14 16:31:06 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 14 16:31:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.58.34:1195
Mon Dec 14 16:31:06 2020 Socket Buffers: R=[212992->425984] S=[212992->425984]
Mon Dec 14 16:31:06 2020 UDP link local: (not bound)
Mon Dec 14 16:31:06 2020 UDP link remote: [AF_INET]104.238.58.34:1195
Mon Dec 14 16:31:06 2020 TLS: Initial packet from [AF_INET]104.238.58.34:1195, sid=e4f73799 e3d8a2cb
Mon Dec 14 16:31:06 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec 14 16:31:06 2020 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Mon Dec 14 16:31:06 2020 VERIFY OK: nsCertType=SERVER
Mon Dec 14 16:31:06 2020 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2337-0a, emailAddress=support@expressvpn.com
Mon Dec 14 16:31:06 2020 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2337-0a, emailAddress=support@expressvpn.com
Mon Dec 14 16:31:06 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Dec 14 16:31:06 2020 [Server-2337-0a] Peer Connection Initiated with [AF_INET]104.238.58.34:1195
Mon Dec 14 16:31:07 2020 SENT CONTROL [Server-2337-0a]: 'PUSH_REQUEST' (status=1)
Mon Dec 14 16:31:07 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.134.0.1,comp-lzo no,route 10.134.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.134.1.50 10.134.1.49,peer-id 79,cipher AES-256-GCM'
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: compression parms modified
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: route options modified
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: peer-id set
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: adjusting link_mtu to 1629
Mon Dec 14 16:31:07 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Dec 14 16:31:07 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Dec 14 16:31:07 2020 NCP: overriding user-set keysize with default
Mon Dec 14 16:31:07 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec 14 16:31:07 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec 14 16:31:07 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Mon Dec 14 16:31:07 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Mon Dec 14 16:31:07 2020 Exiting due to fatal error

The command used to kick this off is:

sudo docker run --privileged  --name="qbittorrent-vpn2" -itd -v /volume1/docker/qbittorrent-vpn/config:/config -v /volume1/docker/qbittorrent-vpn/downloads:/downloads -e "VPN_ENABLED=yes" -e "LAN_NETWORK=192.168.10.0/24" -e "NAME_SERVERS=8.8.8.8,8.8.4.4" -p 8080:8080 -p 8999:8999 -p 8999:8999/udp markusmcnugen/qbittorrentvpn

and it's running on a Synology NAS. It was running just beautifully until I moved it to the new address... The new address is 192.168.10.10.

just-simon commented 3 years ago

I found a solution that worked for me in this post by @blacky14 https://github.com/kylemanna/docker-openvpn/issues/39#issuecomment-158498935

One option was to run as privileged, another was:

  1. Grant the NET_ADMIN capability
       • In Docker run --cap-add=NET_ADMIN
       • In Portainer -> Capabilities tab -> turn on NET_ADMIN and;
  2. Add the device
       • In Docker run --device=/dev/net/tun
       • In Portainer -> Runtime & Resources tab -> Devices -> host=/dev/net/tun container=/dev/net/tun

I hope that helps others in this thread!

irobot73 commented 2 years ago

I found a solution that worked for me in this post by @blacky14 kylemanna/docker-openvpn#39 (comment)

One option was to run as privileged, another was:

  1. Grant the NET_ADMIN capability
       • In Docker run --cap-add=NET_ADMIN
       • In Portainer -> Capabilities tab -> turn on NET_ADMIN and;
  2. Add the device
       • In Docker run --device=/dev/net/tun
       • In Portainer -> Runtime & Resources tab -> Devices -> host=/dev/net/tun container=/dev/net/tun

I hope that helps others in this thread!

Docker-compose that finally got running:

...
image: markusmcnugen/qbittorrentvpn
cap_add:
  - NET_ADMIN
devices:
  - /dev/net/tun
environment:...

prizemail0 commented 1 year ago

I have an Asustor NAS and I'm getting the same issue. I cannot correct the issue by adding the suggested lines:

  - NET_ADMIN
devices:
  - /dev/net/tun
environment:

The docker container is created by running the following command:

sudo docker create --name qbittorrentvpn --privileged -v /volume1/Docker/qbittorrentvpn/config:/config -v /volume1/Public:/downloads -e "VPN_ENABLED=yes" -e "VPN_USERNAME=XXX" -e "VPN_PASSWORD=XXX" -e "LAN_NETWORK=192.168.1.0/24" -e "NAME_SERVERS=8.8.8.8,8.8.4.4" -e "PUID=999" -e "PGID=999" -p 8080:8080 -p 8999:8999 -p 8999:8999/udp --cap-add=NET_ADMIN --device=/dev/net/tun markusmcnugen/qbittorrentvpn

Floki-78 commented 1 year ago

For Asustor NAS users on the latest firmware, simply install the VPN Server app via App Central and it will create this directory for you. May also work for Synology users if there is a similar app.

200h commented 12 months ago

Resurrecting this with a resolution I found.

I tried implementing the suggestions above via docker CLI, with no positive outcome. I'm still on DSM 6, BTW (I put off upgrading to DSM 7 long enough). Anyway, I found a post on a site for a different setup (not this repo as I was considering other alternatives), and the method to include TUN in that setup fixed the issue I was having with a vanilla installation per the instructions of this repo.

https://drfrankenstein.co.uk/2022/09/26/qbittorrent-with-gluetun-vpn-in-docker-on-a-synology-nas/

The process requires creating a scheduled task to run at boot with the below code snippet. Since I haven't upgraded to DSM 7, I'm not sure if this will correct the issue. I haven't run this through its paces to understand if the scheduled task will run prior to my docker container spooling up, but for now, this has corrected my problem.

#!/bin/sh -e

insmod /lib/modules/tun.ko

MYeager1967 commented 12 months ago

I forget what I did but this particular container seems to have been abandoned. I'm still using it because it works well and isn't that far out of date on the qbittorrent version. I tried another container based on this one and got a warning for torrenting from my ISP. With this one, I've never had any issues. That said, make sure you bind it to the tun interface.....

On Sat, Sep 9, 2023, 1:58 PM Robert Longo @.***> wrote:

Resurrecting this with a resolution I found.

I tried implementing the suggestions above via docker CLI, with no positive outcome. I'm still on DSM 6, BTW (I put off upgrading to DSM 7 long enough). Anyway, I found a post on a site for a different setup (not this repo as I was considering other alternatives), and the method to include TUN in that setup fixed the issue I was having with a vanilla installation per the instructions of this repo.

https://drfrankenstein.co.uk/2022/09/26/qbittorrent-with-gluetun-vpn-in-docker-on-a-synology-nas/

The process requires creating a scheduled task to run at boot with the below code snippet. Since I haven't upgraded to DSM 7, I'm not sure if this will correct the issue. I haven't run this through its paces to understand if the scheduled task will run prior to my docker container spooling up, but for now, this has corrected my problem.

#!/bin/sh -e

insmod /lib/modules/tun.ko


MYeager1967 commented 12 months ago

I'm running a TUN.sh script that looks like this...


#!/bin/sh

# Create the necessary file structure for /dev/net/tun
if [ ! -c /dev/net/tun ]; then
    if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
    fi
    # Character device with major 10, minor 200
    mknod /dev/net/tun c 10 200
fi

# Load the tun module if not already loaded
if ! lsmod | grep -q '^tun[[:space:]]'; then
    insmod /lib/modules/tun.ko
fi

Running DSM7 on a DS418Play....

tux86 commented 8 months ago

If you are using qBittorrentVPN with Synology DSM 7.x and want to set up a VPN, utilize this Docker Compose template:

version: '3.3'
services:
  qbittorrentvpn:
    image: markusmcnugen/qbittorrentvpn
    container_name: qbittorrentvpn
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - /volume1/docker/qbittorrentvpn:/config
      - /volume2/Downloads/__torrents:/downloads
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Paris
      - WEBUI_PORT_ENV=8080
      - INCOMING_PORT_ENV=8999
      - VPN_ENABLED=yes
      - VPN_USERNAME=xxxxxxxx
      - VPN_PASSWORD=xxxxxxxx
      - LAN_NETWORK=192.168.1.0/24
      - NAME_SERVERS=8.8.8.8,1.1.1.1
    ports:
      - "8080:8080" # Web interface
      - "6881:6881" # BitTorrent port
      - "8999:8999/udp" # BitTorrent port (UDP)
    restart: unless-stopped

# To verify that the VPN is functioning, access the container console and 
# execute the following command to determine the external IP address: curl ipconfig.io
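
The thread mixes two separate causes of the same error: the host has no /dev/net/tun node at all, or the container was not given the device and NET_ADMIN. The following is an added example, not code from the thread or from this project, that checks both and flags --privileged where --cap-add=NET_ADMIN plus --device=/dev/net/tun would do; the function names are made up and the sample command is constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or the project; function names are made up.

# is_tun_node PATH: true only if PATH is a character device with major 10,
# minor 200 (the numbers passed to mknod in the TUN.sh script above).
is_tun_node() {
    [ -c "$1" ] || return 1
    # stat -c '%t:%T' prints major:minor in hex: 10 -> a, 200 -> c8
    [ "$(stat -c '%t:%T' "$1" 2>/dev/null)" = "a:c8" ]
}

# audit_run_args ARGS...: print one finding per line for a docker run/create
# argument list. Returns 0 only when TUN access is granted without --privileged.
audit_run_args() {
    privileged=0 cap=0 dev=0 prev=
    for arg in "$@"; do
        case "$prev $arg" in
            "--cap-add NET_ADMIN") cap=1 ;;
            "--device /dev/net/tun"|"--device /dev/net/tun:"*) dev=1 ;;
        esac
        case "$arg" in
            --privileged|--privileged=true) privileged=1 ;;
            --cap-add=NET_ADMIN) cap=1 ;;
            --device=/dev/net/tun|--device=/dev/net/tun:*) dev=1 ;;
        esac
        prev=$arg
    done
    [ "$privileged" -eq 1 ] && echo "privileged: container gets every capability and host device"
    [ "$cap" -eq 1 ] || echo "missing-cap: add --cap-add=NET_ADMIN"
    [ "$dev" -eq 1 ] || echo "missing-device: add --device=/dev/net/tun"
    [ "$privileged" -eq 0 ] && [ "$cap" -eq 1 ] && [ "$dev" -eq 1 ]
}

# Host side first: no docker flag creates the node if the host lacks it.
if is_tun_node /dev/net/tun; then
    echo "host: /dev/net/tun is present"
else
    echo "host: /dev/net/tun missing; load the tun module or create the node"
fi

# Constructed sample modelled on the --privileged command quoted in the thread.
audit_run_args --privileged -e VPN_ENABLED=yes -p 8080:8080 \
    markusmcnugen/qbittorrentvpn || true
```

Run it on the NAS host itself, passing the same arguments you would give to docker run; the missing-* findings are what the container needs once --privileged is dropped.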