kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

mknod: /dev/net/tun: Operation not permitted #498

Closed besendorf closed 4 years ago

besendorf commented 5 years ago

When I run docker-compose up I get the error:

mknod: /dev/net/tun: Operation not permitted

The tun module is not enabled in my kernel:

alpine:~/openvpn$ docker-compose run --rm openvpn lsmod
Module                  Size  Used by    Not tainted
veth                   20480  0 
xt_nat                 16384 30 
xt_tcpudp              16384 34 
ipt_MASQUERADE         16384 11 
nf_conntrack_netlink    40960  0 
nfnetlink              16384  2 nf_conntrack_netlink
xfrm_user              36864  1 
xfrm_algo              16384  1 xfrm_user
iptable_nat            16384  8 
nf_nat_ipv4            16384  2 ipt_MASQUERADE,iptable_nat
xt_addrtype            16384  2 
iptable_filter         16384  1 
ip_tables              24576  2 iptable_nat,iptable_filter
xt_conntrack           16384  9 
x_tables               36864  7 xt_nat,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,iptable_filter,ip_tables,xt_conntrack
nf_nat                 36864  2 xt_nat,nf_nat_ipv4
nf_conntrack          122880  6 xt_nat,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,xt_conntrack,nf_nat
nf_defrag_ipv6         16384  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_nat,nf_conntrack
crc32c_generic         16384  0 
br_netfilter           20480  0 
bridge                147456  1 br_netfilter
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
overlay                94208  7 
nls_utf8               16384  1 
nls_cp437              20480  1 
vfat                   20480  1 
fat                    65536  1 vfat
ipv6                  413696 117 bridge,[permanent]
af_packet              40960  0 
hid_generic            16384  0 
usbmouse               16384  0 
usbhid                 28672  0 
hid                   106496  2 hid_generic,usbhid
mousedev               20480  0 
psmouse                40960  0 
i2c_core               61440  1 psmouse
e1000                 106496  0 
crct10dif_pclmul       16384  0 
ghash_clmulni_intel    16384  0 
pcbc                   16384  0 
aesni_intel           200704  0 
aes_x86_64             20480  1 aesni_intel
crypto_simd            16384  1 aesni_intel
cryptd                 24576  3 ghash_clmulni_intel,aesni_intel,crypto_simd
glue_helper            16384  1 aesni_intel
evdev                  20480  4 
button                 16384  0 
efivarfs               16384  1 
crc32_pclmul           16384  0 
crc32c_intel           24576  3 
xhci_pci               16384  0 
xhci_hcd              192512  1 xhci_pci
loop                   32768  0 
ext4                  614400  1 
crc16                  16384  1 ext4
mbcache                16384  1 ext4
jbd2                  106496  1 ext4
usb_storage            61440  0 
usbcore               208896  5 usbmouse,usbhid,xhci_pci,xhci_hcd,usb_storage
usb_common             16384  1 usbcore
sd_mod                 45056  4 

I used the docker-compose instructions from: https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md

besendorf commented 5 years ago

I added the tun module on my host. (I didn't know that host and container use the same kernel.) Now it's enabled also in the container, but the error is still the same:

alpine:~/openvpn$ docker-compose up
Creating network "openvpn_default" with the default driver
Creating openvpn ... done
Attaching to openvpn
openvpn    | mknod: /dev/net/tun: Operation not permitted
alpine:~/openvpn$ docker-compose run --rm openvpn lsmod
Creating network "openvpn_default" with the default driver
Module                  Size  Used by    Not tainted
tun                    36864  0 
veth                   20480  0 
xt_nat                 16384 26 
xt_tcpudp              16384 30 
ipt_MASQUERADE         16384 11 
nf_conntrack_netlink    40960  0 
nfnetlink              16384  2 nf_conntrack_netlink
xfrm_user              36864  1 
xfrm_algo              16384  1 xfrm_user
iptable_nat            16384  7 
nf_nat_ipv4            16384  2 ipt_MASQUERADE,iptable_nat
xt_addrtype            16384  2 
iptable_filter         16384  1 
ip_tables              24576  2 iptable_nat,iptable_filter
xt_conntrack           16384  9 
x_tables               36864  7 xt_nat,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,iptable_filter,ip_tables,xt_conntrack
nf_nat                 36864  2 xt_nat,nf_nat_ipv4
nf_conntrack          122880  6 xt_nat,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,xt_conntrack,nf_nat
nf_defrag_ipv6         16384  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_nat,nf_conntrack
crc32c_generic         16384  0 
br_netfilter           20480  0 
bridge                147456  1 br_netfilter
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
overlay                94208  6 
nls_utf8               16384  1 
nls_cp437              20480  1 
vfat                   20480  1 
fat                    65536  1 vfat
ipv6                  413696 101 bridge,[permanent]
af_packet              40960  0 
hid_generic            16384  0 
usbmouse               16384  0 
usbhid                 28672  0 
hid                   106496  2 hid_generic,usbhid
mousedev               20480  0 
psmouse                40960  0 
i2c_core               61440  1 psmouse
e1000                 106496  0 
crct10dif_pclmul       16384  0 
ghash_clmulni_intel    16384  0 
pcbc                   16384  0 
aesni_intel           200704  0 
aes_x86_64             20480  1 aesni_intel
crypto_simd            16384  1 aesni_intel
cryptd                 24576  3 ghash_clmulni_intel,aesni_intel,crypto_simd
glue_helper            16384  1 aesni_intel
evdev                  20480  4 
button                 16384  0 
efivarfs               16384  1 
crc32_pclmul           16384  0 
crc32c_intel           24576  3 
xhci_pci               16384  0 
xhci_hcd              192512  1 xhci_pci
loop                   32768  0 
ext4                  614400  1 
crc16                  16384  1 ext4
mbcache                16384  1 ext4
jbd2                  106496  1 ext4
usb_storage            61440  0 
usbcore               208896  5 usbmouse,usbhid,xhci_pci,xhci_hcd,usb_storage
usb_common             16384  1 usbcore
sd_mod                 45056  4 

However the file does not exist:

alpine:~/openvpn$ docker-compose run --rm openvpn ls -l /dev/net/tun
ls: /dev/net/tun: No such file or directory

Paraidomat commented 4 years ago

My guess is that you need to run docker-compose as root (or with sudo) so you get permission to create /dev/net/tun.

terraisoliert commented 4 years ago

docker run -v $OVPN_DATA:/etc/openvpn -v /dev/net/tun:/dev/net/tun -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

Result:

docker logs competent_davinci
mknod: /dev/net/tun: Operation not permitted

But

docker run -v $OVPN_DATA:/etc/openvpn -v /dev/net/tun:/dev/net/tun -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

works well.

Maybe this helps?

kylemanna commented 4 years ago

Yes, you need to look at cap_add in the docker-compose container to create device nodes within. Alternatively you could run it as privileged, but I wouldn't recommend giving it more privilege than needed.

kylemanna commented 4 years ago

Reference: https://docs.docker.com/compose/compose-file/#cap_add-cap_drop

mmh0000 commented 3 years ago

Just an FYI, if running this image on RHEL8 with Podman, it is required to add the mknod capability:

podman container run -ti --log-driver=journald --log-opt tag="openvpn" --name openvpn \
  -v '/tank/container-volumes/openvpn:/etc/openvpn' \
  -p 1194:1194/udp \
  --cap-add=net_admin,mknod \
  kylemanna/openvpn:latest

qibinchen commented 3 years ago

I run this on Fedora 34 (Linux wwfhome 5.13.19-200.fc34.x86_64 #1 SMP Sat Sep 18 16:32:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux), with "--cap-add=net_admin,mknod":

$ sudo podman run -v ./openvpn-data/conf:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN,mknod kylemanna/openvpn

Result:

iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

SabaSCP commented 2 years ago

Had a similar problem with iptables and ended up adding the NET_RAW capability to the cap-add. The way I figured it out was to remove the privileged capabilities (sudo podman top -l capeff) one by one, until the command failed again.
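
As an added example (not code from the docker-openvpn project or from any commenter here): a small POSIX shell helper that decodes a CapEff mask, such as the one shown by `podman top -l capeff` or in /proc/<pid>/status, and reports which of the capabilities named in this thread (NET_ADMIN, NET_RAW, MKNOD) are absent, so the missing ones can be added individually instead of running privileged. The sample masks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the docker-openvpn project: decode a CapEff
# hex mask and report which capabilities this image needs but lacks.

# Bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12   # tun/ip/iptables configuration
CAP_NET_RAW=13     # iptables on some hosts (see the comment above)
CAP_MKNOD=27       # the entrypoint's `mknod /dev/net/tun c 10 200`

# has_cap HEXMASK BITNUMBER: succeed if that bit is set in the mask.
# A 64-bit mask fits POSIX shell arithmetic (signed long).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: print, space separated, the needed capabilities
# that are absent from the mask; print nothing when all are present.
missing_caps() {
    mask=$1
    out=""
    for pair in "CAP_NET_ADMIN:$CAP_NET_ADMIN" \
                "CAP_NET_RAW:$CAP_NET_RAW" \
                "CAP_MKNOD:$CAP_MKNOD"; do
        name=${pair%%:*}
        bit=${pair##*:}
        has_cap "$mask" "$bit" || out="$out${out:+ }$name"
    done
    printf '%s' "$out"
}

# running_capeff: the effective capability mask of the current process,
# i.e. what a shell started inside the container actually holds.
running_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (not captured from the hosts in this thread):
# Docker's default set for an unprivileged container: MKNOD and NET_RAW
# are included, NET_ADMIN is not.
DOCKER_DEFAULT_MASK=00000000a80425fb
# The same set with bit 27 (CAP_MKNOD) cleared.
NO_MKNOD_MASK=00000000a00425fb

# Run inside the container to see what to add to cap_add:
#   missing_caps "$(running_capeff)"; echo
```

Running `missing_caps "$DOCKER_DEFAULT_MASK"` reports only CAP_NET_ADMIN, which matches the thread: Docker's defaults already allow the mknod, and NET_ADMIN is the one addition needed there.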

taoeffect commented 1 year ago

On Fedora 37, I could not get this to run no matter what I tried (using docker, not podman).

Am also using docker-compose, have added all capabilities. Tried with docker run too, that didn't work either. Can't run privileged because that requires host network, and I want to use the ports option to bind it to a specific IP and port, and that doesn't allow privileged/host.

Here's the command I tried:

sudo docker run -it --rm --security-opt label=disable \
  -v $(pwd)/vol/openvpn:/etc/openvpn:Z \
  -v $(pwd)/cache/localtime:/etc/localtime:ro \
  --security-opt seccomp=unconfined --cap-add NET_ADMIN \
  --cap-add mknod --cap-add net_raw --cap-add ALL \
  --cap-add chown \
  -p <IP>:<PORT>:1194/tcp openvpn:latest

No matter what I do:

mknod: /dev/net/tun: Operation not permitted

Any suggestions/advice appreciated!

EDIT: with -e DEBUG=1 it spits out a bunch of stuff, ending in:

++ OVPN_PUSH=()
++ declare -x OVPN_PUSH
++ OVPN_ROUTES=(['0']='192.168.254.0/24')
++ declare -x OVPN_ROUTES
++ declare -x OVPN_SERVER=192.168.255.0/24
++ declare -x OVPN_SERVER_URL=tcp://<domain>:443
++ declare -x OVPN_TLS_CIPHER=
+ mkdir -p /dev/net
+ '[' '!' -c /dev/net/tun ']'
+ mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted

I'm using the build from this commit: 1228577d4598762285958ad98724ab37e7b11354

nitwhiz commented 1 year ago

@taoeffect it doesn't work for me, either, but the port needs to be udp: <PORT>:1194/udp, not tcp.

Eraph commented 1 year ago

For anyone else struggling with this on Fedora, I found that adding --privileged to the podman run... command works, as hinted at here.

Beware that this may have unintended consequences.