qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
6.71k stars 331 forks

Bug: TUN device is not available: open /dev/net/tun: operation not permitted #2243

Closed GroteGehaktBal closed 2 months ago

GroteGehaktBal commented 2 months ago

Is this urgent?

Yes

Host OS

Debian Bookworm

CPU arch

x86_64

VPN service provider

PureVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-04-25T10:47:11.146Z (commit c87c0e1)

What's the problem 🤔

It used to work before, but without changing anything, after a reboot it stopped working and gave me this error: creating TUN device file node: file exists

I have read the wiki on this: Wiki. But unfortunately I was unable to fix it. I am using Proxmox and passed the /dev/net/tun device through successfully with the 0666 permissions. I have tried removing the device from the docker compose file and running it in privileged mode.

The kernel module does also seem to be loaded and functioning:

root@proxmox:~# modinfo tun
name:           tun
filename:       (builtin)
alias:          devname:net/tun
alias:          char-major-10-200
license:        GPL
file:           drivers/net/tun
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2024-04-25T10:47:11.146Z (commit c87c0e1)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-04-28T15:05:42+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024-04-28T15:05:42+02:00 INFO [routing] local ethernet link found: eth0
2024-04-28T15:05:42+02:00 INFO [routing] local ipnet found: 172.22.0.0/16
2024-04-28T15:05:42+02:00 INFO [firewall] enabling...
2024-04-28T15:05:42+02:00 INFO [firewall] enabled successfully
2024-04-28T15:05:43+02:00 INFO [storage] merging by most recent 19476 hardcoded servers and 19476 servers read from /gluetun/servers.json
2024-04-28T15:05:43+02:00 INFO Alpine version: 3.18.6
2024-04-28T15:05:43+02:00 INFO OpenVPN 2.5 version: 2.5.8
2024-04-28T15:05:43+02:00 INFO OpenVPN 2.6 version: 2.6.8
2024-04-28T15:05:43+02:00 INFO Unbound version: 1.19.3
2024-04-28T15:05:43+02:00 INFO IPtables version: v1.8.9
2024-04-28T15:05:43+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: purevpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: Netherlands
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 0
|   ├── Process GID: 0
|   └── Timezone: Europe/Amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: purevpn
└── Version settings:
    └── Enabled: yes
2024-04-28T15:05:43+02:00 INFO using existing username root corresponding to user id 0
2024-04-28T15:05:43+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024-04-28T15:05:43+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-04-28T15:05:43+02:00 INFO [firewall] setting allowed subnets...
2024-04-28T15:05:43+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024-04-28T15:05:43+02:00 INFO TUN device is not available: open /dev/net/tun: operation not permitted; creating it...
2024-04-28T15:05:43+02:00 INFO [routing] routing cleanup...
2024-04-28T15:05:43+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024-04-28T15:05:43+02:00 INFO [routing] deleting route for 0.0.0.0/0
2024-04-28T15:05:43+02:00 ERROR creating TUN device file node: file exists
2024-04-28T15:05:43+02:00 INFO Shutdown successful

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    privileged: true
    ports:
      - 6881:6881
      - 6881:6881/udp
      - 8085:8085 # qbittorrent
      - 8989:8989 # Sonarr
      - 9696:9696 # Prowlarr
      - 8686:8686 # lidarr
      - 7878:7878 # Radarr
    volumes:
      - /opt/arr:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=purevpn
      # OpenVPN:
      - OPENVPN_USER="user"
      - OPENVPN_PASSWORD="..."
      - SERVER_COUNTRIES=Netherlands
      # Timezone for accurate log times
      - TZ=Europe/Amsterdam
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h
      - PGID=0
      - PUID=0
    restart: unless-stopped

github-actions[bot] commented 2 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

qdm12 commented 2 months ago

The problem is

TUN device is not available: open /dev/net/tun: operation not permitted; creating it...

So it's an operation not permitted error when attempting to open the /dev/net/tun file. Maybe this: https://github.com/qdm12/gluetun-wiki/blob/main/errors/tun.md#cannot-unix-open-tun-device-file-operation-not-permitted-and-cannot-create-tun-device-file-node-operation-not-permitted

Otherwise, you can try running docker run -it --rm --device /dev/net/tun --privileged alpine:3.19 and try to access /dev/net/tun for example with cat /dev/net/tun to see if it works and debug this?

As a side note, I changed the gluetun behavior a bit in e07966f71e2150c61da809dd39542f691cd89383 so that it only attempts to create the tun device if it doesn't exist. If it already exists and cannot be accessed for some reason, it just terminates and logs the error. That was confusing at least for me reading your logs 😄
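
The manual check suggested in the comment above, written out as a diagnostic script. This is an added example, not part of the thread and not gluetun's code; the function names tun_state and tun_hint and the state labels are made up for illustration. It separates "node does not exist" from "node exists but cannot be opened", which is the distinction the logs in this issue blurred.

```shell
#!/bin/sh
# Added example, not gluetun code. Classifies the state of the TUN device
# node so that "does not exist" and "exists but cannot be opened" are told
# apart before anything tries to create the node.

# tun_state [PATH]  ->  missing | not-char-device | wrong-device-numbers |
#                       ok | open-eperm | open-eacces | no-driver | open-failed
tun_state() {
    dev=${1:-/dev/net/tun}
    [ -e "$dev" ] || { echo missing; return 0; }
    [ -c "$dev" ] || { echo not-char-device; return 0; }
    # TUN is char device major 10, minor 200; stat prints both in hex.
    [ "$(stat -c '%t:%T' "$dev")" = "a:c8" ] || { echo wrong-device-numbers; return 0; }
    # Open read-write in a child shell and keep its error text.
    if err=$(LC_ALL=C sh -c ': <>"$1"' sh "$dev" 2>&1); then
        echo ok; return 0
    fi
    case $err in
        *"Operation not permitted"*) echo open-eperm ;;   # EPERM
        *"Permission denied"*)       echo open-eacces ;;  # EACCES
        *"No such device"*)          echo no-driver ;;    # ENODEV
        *)                           echo open-failed ;;
    esac
}

# Map each state to the layer worth checking next.
tun_hint() {
    case $1 in
        missing)     echo "node absent: pass the device in or create it with mknod /dev/net/tun c 10 200" ;;
        ok)          echo "node opens: TUN is usable" ;;
        open-eperm)  echo "denied despite file mode: check the device cgroup allow list and capabilities" ;;
        open-eacces) echo "file mode or ownership blocks this user" ;;
        no-driver)   echo "node present but the tun driver is not available in the kernel" ;;
        not-char-device|wrong-device-numbers)
                     echo "path is not the TUN character device (expected major 10, minor 200)" ;;
        *)           echo "open failed for another reason" ;;
    esac
}

state=$(tun_state /dev/net/tun)
echo "$state: $(tun_hint "$state")"
```

Run it inside the container (or the LXC guest that hosts Docker); an open-eperm result for root with a 0666 node points at the layer above the container rather than at the file itself.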

GroteGehaktBal commented 2 months ago

Thank you very much for the help. This has successfully resolved my issue. I found out my Proxmox config was not configured correctly. My LXC config had this line: lxc.cgroup.devices.allow: c 10:200 rwm instead of lxc.cgroup2.devices.allow: c 10:200 rwm
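
A check for the misconfiguration described in the comment above, as an added example that is not part of the thread. The function names host_cgroup_version and check_tun_allow and the sample config are constructed for illustration; the script assumes the container config uses either the Proxmox "key: value" or the native LXC "key = value" form and is passed in as a file path.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an LXC/Proxmox container config
# for a rule allowing the TUN char device (major 10, minor 200) under the
# key that matches the host's cgroup version.

# Prints 2 on a unified (cgroup v2) hierarchy, 1 otherwise.
host_cgroup_version() {
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then echo 2; else echo 1; fi
}

# check_tun_allow CONFIG_FILE CGROUP_VERSION  ->  ok | wrong-key | missing
check_tun_allow() {
    if [ "$2" = 2 ]; then
        want=lxc.cgroup2.devices.allow; other=lxc.cgroup.devices.allow
    else
        want=lxc.cgroup.devices.allow; other=lxc.cgroup2.devices.allow
    fi
    awk -v want="$want" -v other="$other" '
        /^[ \t]*#/ { next }                      # skip comments
        {
            sep = match($0, /[:=]/)              # "key: v" (Proxmox) or "key = v" (LXC)
            if (!sep) next
            key = substr($0, 1, sep - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, sep + 1), f, " ")
            # rule shape: <type> <major>:<minor> <access>, wildcards allowed
            if (n < 3 || f[1] != "c") next
            if (f[2] !~ /^(10|\*):(200|\*)$/) next
            if (f[3] !~ /r/ || f[3] !~ /w/) next
            if (key == want) hit = 1
            else if (key == other) stale = 1
        }
        END {
            if (hit) print "ok"
            else if (stale) print "wrong-key"
            else print "missing"
        }' "$1"
}

# Constructed sample reproducing the misconfiguration reported above.
sample=$(mktemp)
printf '%s\n' 'arch: amd64' 'lxc.cgroup.devices.allow: c 10:200 rwm' > "$sample"
echo "host is cgroup v$(host_cgroup_version); sample on v2: $(check_tun_allow "$sample" 2)"
rm -f "$sample"
```

On the host, call check_tun_allow with the container's config file and the output of host_cgroup_version; wrong-key means the allow rule exists but sits under the key for the other cgroup version.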

github-actions[bot] commented 2 months ago

Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.