qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: ERROR cannot Unix Open TUN device file: no such device #700

Closed iceball09 closed 2 years ago

iceball09 commented 3 years ago

Is this urgent?

Yes

Host OS

Raspbian + OMV5

CPU arch

RBI4

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2021-10-29T01:42:30.959Z (commit f398af1)

What's the problem 🤔

2021/11/01 13:21:49 ERROR cannot Unix Open TUN device file: no such device

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2021-10-29T01:42:30.959Z (commit f398af1)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2021/11/01 13:21:49 INFO storage: creating /gluetun/servers.json with 11225 hardcoded servers
2021/11/01 13:21:49 INFO Alpine version: 3.14.2
2021/11/01 13:21:49 INFO OpenVPN 2.4 version: 2.4.11
2021/11/01 13:21:49 INFO OpenVPN 2.5 version: 2.5.2
2021/11/01 13:21:49 INFO Unbound version: 1.13.2
2021/11/01 13:21:49 INFO IPtables version: v1.8.7
2021/11/01 13:21:49 INFO Settings summary below:
|--VPN:
   |--Type: openvpn
   |--OpenVPN:
      |--Version: 2.5
      |--Verbosity level: 1
      |--Network interface: tun0
   |--Nordvpn settings:
      |--Regions: switzerland
      |--OpenVPN selection:
         |--Protocol: udp
|--DNS:
   |--Plaintext address: 1.1.1.1
   |--DNS over TLS:
      |--Unbound:
          |--DNS over TLS providers:
              |--Cloudflare
          |--Listening port: 53
          |--Access control:
              |--Allowed:
                  |--0.0.0.0/0
                  |--::/0
          |--Caching: enabled
          |--IPv4 resolution: enabled
          |--IPv6 resolution: disabled
          |--Verbosity level: 1/5
          |--Verbosity details level: 0/4
          |--Validation log level: 0/2
          |--Username: 
      |--Blacklist:
         |--Blocked categories: malicious
         |--Additional IP networks blocked: 13
      |--Update: every 24h0m0s
|--Firewall:
|--Log:
   |--Level: INFO
|--System:
   |--Process user ID: 1000
   |--Process group ID: 1000
   |--Timezone: NOT SET ⚠️ - it can cause time related issues
|--Health:
   |--Server address: 127.0.0.1:9999
   |--Address to ping: github.com
   |--VPN:
      |--Initial duration: 6s
      |--Addition duration: 5s
|--HTTP control server:
   |--Listening port: 8000
   |--Logging: enabled
|--Public IP getter:
   |--Fetch period: 12h0m0s
   |--IP file: /tmp/gluetun/ip
|--Github version information: enabled
2021/11/01 13:21:49 INFO routing: default route found: interface eth0, gateway 172.24.0.1
2021/11/01 13:21:49 INFO routing: local ethernet link found: eth0
2021/11/01 13:21:49 INFO routing: local ipnet found: 172.24.0.0/16
2021/11/01 13:21:49 INFO routing: default route found: interface eth0, gateway 172.24.0.1
2021/11/01 13:21:49 INFO routing: adding route for 0.0.0.0/0
2021/11/01 13:21:49 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/11/01 13:21:49 INFO routing: default route found: interface eth0, gateway 172.24.0.1
2021/11/01 13:21:49 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2021/11/01 13:21:49 INFO routing cleanup...
2021/11/01 13:21:49 INFO routing: default route found: interface eth0, gateway 172.24.0.1
2021/11/01 13:21:49 INFO routing: deleting route for 0.0.0.0/0
2021/11/01 13:21:49 ERROR cannot Unix Open TUN device file: no such device
2021/11/01 13:21:49 INFO Shutdown successful

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPNSP=nordvpn
      - OPENVPN_USER=xxx
      - OPENVPN_PASSWORD=xxx
      - REGION=Switzerland

qdm12 commented 2 years ago

Hey sorry I completely missed this issue.

Try adding

  devices:
    - /dev/net/tun:/dev/net/tun

to your configuration?

YanisKyr commented 2 years ago

May I hop on this thread and ask about my issue too? The device line suggested in the previous comment wasn't there so I added it, but the issue persists.

I'm running Docker on Synology if that is relevant.

2021/12/05 15:10:41 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
2021/12/05 15:10:41 INFO routing: local ethernet link found: eth0,
2021/12/05 15:10:41 INFO routing: local ipnet found: 172.17.0.0/16,
2021/12/05 15:10:41 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
2021/12/05 15:10:41 INFO routing: adding route for 0.0.0.0/0,
2021/12/05 15:10:41 INFO firewall: firewall disabled, only updating allowed subnets internal list,
2021/12/05 15:10:41 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
---> 2021/12/05 15:10:41 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...,
2021/12/05 15:10:41 INFO routing cleanup...,
2021/12/05 15:10:41 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
2021/12/05 15:10:41 INFO routing: deleting route for 0.0.0.0/0,
2021/12/05 15:10:41 ERROR cannot Unix Open TUN device file: no such device,
2021/12/05 15:10:41 INFO Shutdown successful,

qdm12 commented 2 years ago

@YanisKyr cannot Unix Open TUN device file happens if the previous mknod command failed to create the tun file at /dev/net/tun.

Try on your host to run

docker run -it --rm --cap-add=NET_ADMIN alpine:3.14

ls -alh /dev/net/

mknod -m 8192 /dev/net/tun c 10 200
ls -alh /dev/net/

exit

(8192 is the mode S_IFCHR, c is the device type character device, 10 is the major and 200 is the minor)

What does this log out?

OkanEsen commented 2 years ago

I think this is related, even though I'm using Podman, instead of Docker:

podman run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="..." -e WIREGUARD_ADDRESS="..." -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

Error:

2021/12/17 12:37:50 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2021/12/17 12:37:50 INFO routing: local ethernet link found: tap0
2021/12/17 12:37:50 INFO routing: local ipnet found: 10.0.2.0/24
2021/12/17 12:37:50 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2021/12/17 12:37:50 INFO routing: adding route for 0.0.0.0/0
2021/12/17 12:37:50 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/12/17 12:37:50 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2021/12/17 12:37:50 INFO TUN device is not available: open /dev/net/tun: permission denied; creating it...
2021/12/17 12:37:50 INFO routing cleanup...
2021/12/17 12:37:50 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2021/12/17 12:37:50 INFO routing: deleting route for 0.0.0.0/0
2021/12/17 12:37:50 ERROR cannot create TUN device file node: file exists
2021/12/17 12:37:50 INFO Shutdown successful

Also trying to run mknod as described here https://github.com/qdm12/gluetun/issues/700#issuecomment-993441112 doesn't work as expected:

❯ podman run -it --rm --cap-add=NET_ADMIN alpine:3.14
/ # ls -alh /dev/net
ls: /dev/net: No such file or directory
/ # mkdir /dev/net
/ # mknod -m 8192 /dev/net/tun c 10 200
mknod: /dev/net/tun: Invalid argument
/ # exit

System: Fedora 35 (selinux enabled)

Should I file a new issue or is this possibly related?

Vendetta1985 commented 2 years ago

Hello @OkanEsen,

I have the same problem. Do you have a solution ?

2022/02/13 00:10:40 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2022/02/13 00:10:40 INFO routing: adding route for 0.0.0.0/0
2022/02/13 00:10:40 INFO firewall: setting allowed subnets through firewall...
2022/02/13 00:10:40 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2022/02/13 00:10:40 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022/02/13 00:10:40 INFO routing cleanup...
2022/02/13 00:10:40 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2022/02/13 00:10:40 INFO routing: deleting route for 0.0.0.0/0
2022/02/13 00:10:40 ERROR cannot create TUN device file node: operation not permitted
2022/02/13 00:10:40 INFO Shutdown successful

The path /dev/net/tun does not exist on my host. I think the problem is here.

qdm12 commented 2 years ago

Ok that seems like a problem for several people so let's try to get it fixed :wink:

@OkanEsen it looks like your problem is using the existing /dev/net/tun instead of creating it, but they might be related to each other.

1. Try to create tun from a container

Please try

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
# or with
# podman run -it --rm --cap-add=NET_ADMIN alpine:3.15

mkdir -p /dev/net
mknod /dev/net/tun c 10 200

exit

Does mknod work?

If not try with --privileged when running the alpine container?

2. Create tun from host

If 1. doesn't work, can you try

mkdir -p /dev/net
mknod /dev/net/tun c 10 200

And then run gluetun with --device /dev/net/tun, does it work?

qdm12 commented 2 years ago

You can also try perhaps bind mounting with -v /dev/net/tun:/dev/net/tun if it's there on your host?

OkanEsen commented 2 years ago

First, thanks for helping out! Just tried it on my environment:

ad 1) Didn't work out, unfortunately.

❯ podman run -it --rm --cap-add=NET_ADMIN alpine:3.15
/ # mkdir -p /dev/net
/ # mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted
/ # sudo mknod /dev/net/tun c 10 200
/bin/sh: sudo: not found
/ #

~ took 31s
❯ podman run -it --rm --cap-add=NET_ADMIN --privileged alpine:3.15
Error: invalid config provided: CapAdd and privileged are mutually exclusive options

~
❮ podman run -it --rm --privileged alpine:3.15
/ # mkdir -p /dev/net
/ # mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: File exists
/ #

So I tried to create tun from host but /dev/net/tun was already available on my end, which is used by tailscale so I tried a different name (tun2), though I'm not sure that works. Anyway, I tried to run gluetun with --device /dev/net/tun2 but the error was unfortunately the same:

2022/02/13 22:37:26 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:37:26 INFO routing: local ethernet link found: tap0
2022/02/13 22:37:26 INFO routing: local ipnet found: 10.0.2.0/24
2022/02/13 22:37:26 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:37:26 INFO routing: adding route for 0.0.0.0/0
2022/02/13 22:37:26 INFO firewall: firewall disabled, only updating allowed subnets internal list
2022/02/13 22:37:26 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:37:26 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022/02/13 22:37:26 INFO routing cleanup...
2022/02/13 22:37:26 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:37:26 INFO routing: deleting route for 0.0.0.0/0
2022/02/13 22:37:26 ERROR cannot create TUN device file node: operation not permitted
2022/02/13 22:37:26 INFO Shutdown successful

Seems like gluetun still tries to use /dev/net/tun which I'm not sure is correct.

Full command I used: podman run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun2 -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY=... -e WIREGUARD_ADDRESS=10.64.222.21/32 -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

OkanEsen commented 2 years ago

You can also try perhaps bind mounting with -v /dev/net/tun:/dev/net/tun if it's there on your host?

Sorry, just saw this. :-)

Mounting it doesn't seem to work either:

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2021-12-14T18:21:24.225Z (commit ca82fcb)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022/02/13 22:43:08 INFO storage: creating /gluetun/servers.json with 11120 hardcoded servers
2022/02/13 22:43:08 INFO Alpine version: 3.15.0
2022/02/13 22:43:08 INFO OpenVPN 2.4 version: 2.4.11
2022/02/13 22:43:08 INFO OpenVPN 2.5 version: 2.5.4
2022/02/13 22:43:08 INFO Unbound version: 1.13.2
2022/02/13 22:43:08 INFO IPtables version: v1.8.7
2022/02/13 22:43:08 INFO Settings summary below:
|--VPN:
   |--Type: wireguard
   |--Wireguard:
      |--Network interface: wg0
      |--Private key is set
      |--Addresses: 
         |--10.64.222.21/32
   |--Mullvad settings:
      |--Countries: switzerland, sweden
      |--Wireguard selection:
|--DNS:
   |--Plaintext address: 1.1.1.1
   |--DNS over TLS:
      |--Unbound:
          |--DNS over TLS providers:
              |--Cloudflare
          |--Listening port: 53
          |--Access control:
              |--Allowed:
                  |--0.0.0.0/0
                  |--::/0
          |--Caching: enabled
          |--IPv4 resolution: enabled
          |--IPv6 resolution: disabled
          |--Verbosity level: 1/5
          |--Verbosity details level: 0/4
          |--Validation log level: 0/2
          |--Username: 
      |--Blacklist:
         |--Blocked categories: malicious
         |--Additional IP networks blocked: 13
      |--Update: every 24h0m0s
|--Firewall:
|--Log:
   |--Level: INFO
|--System:
   |--Process user ID: 1000
   |--Process group ID: 1000
   |--Timezone: NOT SET ⚠️ - it can cause time related issues
|--Health:
   |--Server address: 127.0.0.1:9999
   |--Address to ping: github.com
   |--VPN:
      |--Initial duration: 6s
      |--Addition duration: 5s
|--HTTP control server:
   |--Listening port: 8000
   |--Logging: enabled
|--Public IP getter:
   |--Fetch period: 12h0m0s
   |--IP file: /tmp/gluetun/ip
|--Github version information: enabled
2022/02/13 22:43:08 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:43:08 INFO routing: local ethernet link found: tap0
2022/02/13 22:43:08 INFO routing: local ipnet found: 10.0.2.0/24
2022/02/13 22:43:08 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:43:08 INFO routing: adding route for 0.0.0.0/0
2022/02/13 22:43:08 INFO firewall: firewall disabled, only updating allowed subnets internal list
2022/02/13 22:43:08 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:43:08 INFO TUN device is not available: open /dev/net/tun: permission denied; creating it...
2022/02/13 22:43:08 INFO routing cleanup...
2022/02/13 22:43:08 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/13 22:43:08 INFO routing: deleting route for 0.0.0.0/0
2022/02/13 22:43:08 ERROR cannot create TUN device file node: file exists
2022/02/13 22:43:08 INFO Shutdown successful

Full command:

podman run -it --rm --cap-add=NET_ADMIN -v /dev/net/tun2:/dev/net/tun -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="..." -e WIREGUARD_ADDRESS="10.64.222.21/32" -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

qdm12 commented 2 years ago

In your particular case @OkanEsen it looks like gluetun would work with --privileged instead of --cap-add=NET_ADMIN. You could also perhaps try with --cap-add=NET_ADMIN --device /dev/net/tun --security-opt="label=disable" and that may work. If one of these two works, then this is due to podman or SELinux being more restrictive than docker I guess.

For the others, that's also likely a similar problem, but I'll wait for people to test out the commands mentioned above (like --device /dev/net/tun).

Vendetta1985 commented 2 years ago

You can also try perhaps bind mounting with -v /dev/net/tun:/dev/net/tun if it's there on your host?

Hello,

Sorry for my late reply and thank you very much for your help 😃

Adding "--device=/dev/net/tun:/dev/net/tun" solved my problem.

But before I also had to share my host's "tun" resource in my LXC container... Sorry, I forgot to specify that my system was a container under Proxmox 😁

For those who have this case, I added the following to /etc/pve/lxc/numContainer.conf:

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir 0 0
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file 0 0

Thanks again for your help and your quick and efficient feedback 😎

qdm12 commented 2 years ago

Awesome thanks @Vendetta1985

I'll add all the information here in the repo wiki. If any of you stumble on something different please feel free to share your story too.

OkanEsen commented 2 years ago

In your particular case @OkanEsen it looks like gluetun would work with --privileged instead of --cap-add=NET_ADMIN.

Thanks for your help and my late reply. I'm probably too tired right now but things seem to work now. :-)

I tried to run the command with --privileged instead of --cap-add=NET_ADMIN though this didn't seem to change anything in my case.

podman run -it --rm --privileged -v /dev/net/tun2:/dev/net/tun -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="..." -e WIREGUARD_ADDRESS="10.64.222.21/32" -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

I checked the permissions on /dev/net/tun2 and adjusted it from 644 to 666 (same as /dev/net/tun) and then the previous command worked successfully:

2022/02/14 22:22:34 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/14 22:22:34 INFO routing: local ethernet link found: tap0
2022/02/14 22:22:34 INFO routing: local ipnet found: 10.0.2.0/24
2022/02/14 22:22:34 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/14 22:22:34 INFO routing: adding route for 0.0.0.0/0
2022/02/14 22:22:34 INFO firewall: firewall disabled, only updating allowed subnets internal list
2022/02/14 22:22:34 INFO routing: default route found: interface tap0, gateway 10.0.2.2
2022/02/14 22:22:34 INFO firewall: enabling...
2022/02/14 22:22:34 INFO firewall: enabled successfully
2022/02/14 22:22:34 INFO healthcheck: listening on 127.0.0.1:9999
2022/02/14 22:22:34 INFO http server: listening on :8000
2022/02/14 22:22:34 INFO dns over tls: using plaintext DNS at address 1.1.1.1

You could also perhaps try with --cap-add=NET_ADMIN --device /dev/net/tun --security-opt="label=disable" and that may work. If one of these two works, then this is due to podman or SELinux being more restrictive than docker I guess.

I also tried the other command as well and that didn't work initially but changing --cap-add=NET_ADMIN to --privileged worked without adjusting the permission for /dev/net/tun2 from 644 to 666, which is expected:

Didn't work: podman run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun2 --security-opt=label=disable -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY=... -e WIREGUARD_ADDRESS=10.64.222.21/32 -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

Worked: podman run -it --rm --privileged --device /dev/net/tun2 --security-opt=label=disable -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY=... -e WIREGUARD_ADDRESS=10.64.222.21/32 -e COUNTRY=switzerland,sweden qmcgaw/gluetun:latest

If there is anything else I can assist you with, please let me know. Thanks again for your help. :-)

qdm12 commented 2 years ago

So.. I'm adding all this to a Wiki page and there seems to be various problems.

TUN device is not available: open /dev/net/tun: permission denied

@OkanEsen that's for you. A few questions/notes

  1. Does it work with --privileged --device /dev/net/tun --security-opt=label=disable?
  2. Does it work with --privileged --device /dev/net/tun2:/dev/net/tun --security-opt=label=disable?
  3. Does it work with --privileged --device /dev/net/tun2?
  4. Does it work with --privileged --device /dev/net/tun2 --security-opt=label=disable and VPN_TYPE=openvpn?
  5. I'm also confident using /dev/net/tun2 won't work with Wireguard in userspace mode due to some hardcoded constant in the Go Wireguard library unfortunately.

cannot Unix Open TUN device file: operation not permitted and cannot create TUN device file node: operation not permitted

That's @Vendetta1985 problem with LXC containers and I found another discussion here with the same solution, so this is the Way ™️

cannot Unix Open TUN device file: no such device

@YanisKyr @iceball09 I don't think your issue is resolved, is it?

That looks like gluetun runs the mknod command successfully but the /dev/net/tun file is still not accessible somehow... Not sure why. Did adding --device /dev/net/tun solve it?

YanisKyr commented 2 years ago

@qdm12 my issue was resolved, but I have to admit I don't remember what exactly fixed it!

qdm12 commented 2 years ago

@iceball09 is your issue fixed? I'll close this soon and add the information I have in the wiki.

iceball09 commented 2 years ago

Sorry for my late response. Unfortunately I won't be able to check it any time soon -.-

OkanEsen commented 2 years ago

1. Does it work with `--privileged --device /dev/net/tun --security-opt=label=disable`?

Works.

2. Does it work with `--privileged --device /dev/net/tun2:/dev/net/tun --security-opt=label=disable`?

Works.

3. Does it work with `--privileged --device /dev/net/tun2`?

Works.

4. Does it work with `--privileged --device /dev/net/tun2 --security-opt=label=disable` and `VPN_TYPE=openvpn`?

Works.

5. I'm also confident using `/dev/net/tun2` won't work with Wireguard in userspace mode due to some hardcoded constant in the Go Wireguard library unfortunately.

I don't know why but this actually works in my case, as I was using Wireguard exclusively, instead of OpenVPN. The way I am using gluetun right now is with --privileged -v /dev/net/tun2:/dev/net/tun and manually creating /dev/net/tun2 via sudo mknod /dev/net/tun2 c 10 200 and setting the permissions to 666. I think I'm going to run it with --privileged --device /dev/net/tun2 instead, which makes it a little easier to run, instead of running mknod and chmod manually to create /dev/net/tun2. What do you think?

And of course, sorry for my late response. :-)

qdm12 commented 2 years ago

I think I'm going to run it with --privileged --device /dev/net/tun2 instead

Do you mean --privileged --device /dev/net/tun instead? If so, yes definitely use the same existing tun. It's also odd it works with /dev/net/tun2 that I don't understand 😄 How about with only --privileged? It might just be that flag that does the trick? Although it's not ideal, since it gives a lot of permissions to gluetun which is still network-connected all over the place 😄 (well running as root and NET_ADMIN is not so great either I guess)

And of course, sorry for my late response. :-)

No worry at all, not in a hurry here 👍

OkanEsen commented 2 years ago

Do you mean --privileged --device /dev/net/tun instead?

Oh yeah, sorry, I just copy and pasted the stuff around. :-) Funny thing is, I just tried it with /dev/net/tun2 and this worked as well, which is confusing to me, since /dev/net/tun2 isn't even available on my host machine. I went ahead and removed --device /dev/net/tun and just ran it with --privileged and this seems to work too. So I think you're on the money with just running podman --privileged, without the other stuff, for Fedora with selinux anyways.

It might just be that flag that does the trick? Although it's not ideal, since it gives a lot of permissions to gluetun which is still network-connected all over the place smile (well running as root and NET_ADMIN is not so great either I guess)

Yeah, I would've liked it to work with NET_ADMIN but that's fine I guess. The funny thing is, that the error message kind of changed the last time I tried to run podman with NET_ADMIN:

2022/02/20 15:10:50 ERROR failed enabling firewall: cannot enable firewall: cannot set iptables policies: failed iptables command "iptables --policy INPUT DROP": iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)

I think that's not related to this issue though and running podman with sudo instead of --privileged feels like a downgrade so I'm gonna stick with --privileged for now.

Thank you for your support, much appreciated!

qdm12 commented 2 years ago

Thanks to you all, I compiled this in https://github.com/qdm12/gluetun/wiki/TUN-device-errors

@iceball09 feel free to comment back here with your solution whenever you have the time.

Closing the issue for now, thanks!

BillButter commented 2 years ago

I just had cannot Unix Open TUN device file: no such device

Solution was to restart my server.

Bai-Chiang commented 2 years ago

In podman run document https://docs.podman.io/en/latest/markdown/podman-run.1.html#device-host-device-container-device-permissions

In rootless mode, the new device is bind mounted in the container from the host rather than Podman creating it within the container space. Because the bind mount retains its SELinux label on SELinux systems, the container can get permission denied when accessing the mounted device. Modify SELinux settings to allow containers to use all device labels via the following command:

$ sudo setsebool -P container_use_devices=true

Note: if the user only has access rights via a group, accessing the device from inside a rootless container will fail. Use the --group-add keep-groups flag to pass the user’s supplementary group access into the container.

After running the command sudo setsebool -P container_use_devices=true, I could start the container using podman run --cap-add=NET_ADMIN --cap-add=NET_RAW --device=/dev/net/tun ... without --privileged.

Edit:

I also needed to run the command sudo setsebool -P domain_kernel_load_modules=true. Otherwise SELinux will prevent iptables from module_request access on the system labeled kernel_t, which generates the audit message

type=AVC msg=audit(1667656886.757:347): avc: denied { module_request } for pid=3552 comm="iptables-nft" kmod="nft-expr-match" scontext=system_u:system_r:container_t:s0:c674,c768 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

shooln commented 1 year ago

Had a similar issue; I was able to solve it via

--cap-add=NET_ADMIN --cap-add=MKNOD

Of course if you run container privileged then this is a non issue...however other security implications there!

marcw commented 1 year ago

I have struggled with a similar issue for a couple of hours. I managed to fix it by running:

sudo chmod 0666 /dev/net/tun

The 0666 permission seems to be the default on some distributions but might not be for others. You can check for yourself what the default rule on your distribution is by running:

grep -nri '"tun"' /etc/udev/rules.d/ /lib/udev/rules.d/ /run/udev/rules.d /var/run/udev/rules.d

As the kernel’s documentation on Universal TUN/TAP device driver states:

There’s no harm in allowing the device to be accessible by non-root users, since CAP_NET_ADMIN is required for creating network devices or for connecting to network devices which aren’t owned by the user in question. If you want to create persistent devices and give ownership of them to unprivileged users, then you need the /dev/net/tun device to be usable by those users.
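The fixes in this thread (qdm12's mknod /dev/net/tun c 10 200 steps, and marcw's chmod 0666 above) come down to three properties of one device node that a host can verify before the container is started. The script below is an added example written for this thread, not code from the gluetun project; the DeviceInfo type and the function names are its own, while the default path /dev/net/tun, the major:minor 10:200 and the 0666 mode are taken from the comments above.

```python
"""Preflight check for the /dev/net/tun node that gluetun needs.

Added example for this issue thread, not code from the gluetun project.
It checks the three conditions the thread establishes: the node exists,
it is a character device with major 10 / minor 200 (the numbers given
to `mknod /dev/net/tun c 10 200`), and it is mode 0666 (the change
OkanEsen needed on /dev/net/tun2 before a non-privileged container
could open it).  DeviceInfo and the function names are the example's own.
"""
import os
import stat
from dataclasses import dataclass
from typing import List

TUN_MAJOR = 10     # misc device major, from `mknod ... c 10 200` in the thread
TUN_MINOR = 200    # tun minor, same source
TUN_MODE = 0o666   # world read/write, as set by `chmod 0666 /dev/net/tun`


@dataclass(frozen=True)
class DeviceInfo:
    """What the preflight needs to know about one filesystem node."""
    path: str
    exists: bool
    is_char: bool = False
    major: int = 0
    minor: int = 0
    mode: int = 0  # permission bits only (stat.S_IMODE)


def inspect(path: str) -> DeviceInfo:
    """Describe the node at `path` via os.stat; a missing path gives exists=False."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return DeviceInfo(path=path, exists=False)
    return DeviceInfo(
        path=path,
        exists=True,
        is_char=stat.S_ISCHR(st.st_mode),
        major=os.major(st.st_rdev),
        minor=os.minor(st.st_rdev),
        mode=stat.S_IMODE(st.st_mode),
    )


def diagnose(info: DeviceInfo) -> List[str]:
    """Return the problems found; an empty list means the node looks usable.

    Each finding names the fix that resolved that symptom in the thread, so
    the output doubles as a runbook.  A node that passes every check can
    still fail to open with 'no such device' when the host kernel has no
    tun driver loaded (the insmod tun.ko case); stat cannot see that.
    """
    problems: List[str] = []
    if not info.exists:
        problems.append(
            f"{info.path} is missing; create it with: "
            f"mkdir -p {os.path.dirname(info.path)} && "
            f"mknod {info.path} c {TUN_MAJOR} {TUN_MINOR}"
        )
        return problems  # nothing else can be checked
    if not info.is_char:
        problems.append(f"{info.path} exists but is not a character device")
        return problems
    if (info.major, info.minor) != (TUN_MAJOR, TUN_MINOR):
        problems.append(
            f"{info.path} is char device {info.major}:{info.minor}, expected "
            f"{TUN_MAJOR}:{TUN_MINOR}; recreate it with mknod {info.path} c "
            f"{TUN_MAJOR} {TUN_MINOR}"
        )
    if (info.mode & TUN_MODE) != TUN_MODE:
        problems.append(
            f"{info.path} has mode {info.mode:04o}; a non-root process gets "
            f"'permission denied' unless it is 0666 (chmod 0666 {info.path})"
        )
    return problems


def check_path(path: str = "/dev/net/tun") -> List[str]:
    """Inspect a node on this host and diagnose it in one call."""
    return diagnose(inspect(path))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/dev/net/tun"
    for line in check_path(target) or [f"{target}: OK"]:
        print(line)
```

Run it on the host (or inside the LXC guest, in the Proxmox case) before starting the container; a non-empty report reproduces the relevant fix from this thread.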

Kylar514 commented 1 year ago

So I want to add that I ran into this exact same issue on a Synology DS220+, running DSM7.1. At first gluetun had worked perfectly for me, and upon rebooting my NAS, and upgrading my RAM, booting back up gave me this error... The container was unable to boot up, the network was dead, and all subsequent containers were not functional.

For me, the /dev/net directory was missing, and with it the tun file. So running the following commands on the host fixed the issue, with no editing of my docker-compose file.

sudo mkdir -p /dev/net

sudo mknod /dev/net/tun c 10 200

Just make sure to "restart" the container after entering this command.

edit: I just reset my Synology NAS, and had the same issue happen. Seems for some reason Synology keeps deleting it again when I shut down the NAS. I believe it was because both shutdowns were due to power loss, because forcing a reboot of the NAS through the software did not create the same issue.....

note: One might think that this bug is covered in the following link, but the following link did not fix it for me. https://github.com/qdm12/gluetun/wiki/Synology-prerequisites Instead it yielded the following every time I attempted to run it, both prior to and after setting up gluetun.

insmod: ERROR: could not insert module /lib/modules/tun.ko: File exists