# OpenVPN and tun device

## mounty1

Hello, can't get this working.  I've modprobed tun.

```
crw-rw-rw- 1 root root 10, 200 Sep 25 19:44 /dev/net/tun
```

so that is present.  First I tried just relying on the system to create the device:

```
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-09-25 19:54:01 AEST; 921ms ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 973914 ExecStart=/usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf (code=exited, status=1)
 Main PID: 973914 (code=exited, status=1)
   Status: "Pre-connection initialization successful"
      CPU: 17ms

Sep 25 19:54:01 ida openvpn[973914]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:393 ET:0 EL:3 ]
Sep 25 19:54:01 ida openvpn[973914]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysiz>
Sep 25 19:54:01 ida openvpn[973914]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth S>
Sep 25 19:54:01 ida openvpn[973914]: failed to find UID for user ngv\michael
Sep 25 19:54:01 ida openvpn[973914]: Exiting due to fatal error
Sep 25 19:54:01 ida openvpn[973914]: Closing TUN/TAP interface
Sep 25 19:54:01 ida openvpn[973914]: /etc/openvpn/down.sh tun0 1500 1544   init
Sep 25 19:54:01 ida openvpn[973914]: Unknown interface 'tun0': No such device
Sep 25 19:54:01 ida systemd[1]: openvpn-client@NGV.service: Main process exited, code=exited, status=1/n/a
Sep 25 19:54:01 ida systemd[1]: openvpn-client@NGV.service: Failed with result 'exit-code'.
```

so I tried

```
Set 'tun0' persistent and owned by uid 573 gid 100
```

to force creation of the device but that didn't help much:

```
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-09-25 19:58:07 AEST; 737ms ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 974132 ExecStart=/usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf (code=exited, status=1)
 Main PID: 974132 (code=exited, status=1)
   Status: "Pre-connection initialization successful"
      CPU: 10ms

Sep 25 19:58:07 ida openvpn[974132]: Incoming Static Key Encryption: HMAC KEY: 37900e14 f23225e4 7c5d4753 70c64e9c 9a43ab3a
Sep 25 19:58:07 ida openvpn[974132]: Incoming Static Key Encryption: HMAC size=20 block_size=20
Sep 25 19:58:07 ida openvpn[974132]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 44 bytes
Sep 25 19:58:07 ida openvpn[974132]: MTU DYNAMIC mtu=1450, flags=2, 1544 -> 1450
Sep 25 19:58:07 ida openvpn[974132]: GETADDRINFO flags=0x0901 ai_family=0 ai_socktype=2
Sep 25 19:58:07 ida openvpn[974132]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Sep 25 19:58:07 ida openvpn[974132]: ERROR: Cannot ioctl TUNSETIFF tun0: Invalid argument (errno=22)
Sep 25 19:58:07 ida openvpn[974132]: Exiting due to fatal error
Sep 25 19:58:07 ida systemd[1]: openvpn-client@NGV.service: Main process exited, code=exited, status=1/n/a
Sep 25 19:58:07 ida systemd[1]: openvpn-client@NGV.service: Failed with result 'exit-code'.
```

My config looks like this:

```
dev tun0
dev-type tun
remote (redacted) 19209 udp
nobind
persist-tun
persist-key
verb 9
ping 10
ping-restart 60
server-poll-timeout 4
sndbuf 393216
rcvbuf 393216
# auth-user-pass /etc/openvpn/client/NGV/auth
user (redacted)
secret /etc/openvpn/client/NGV/static-key
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
```

The device certainly exists:

```
tun0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 62:9a:0c:57:a9:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

So what is causing the above error?  And am I right in thinking that I shouldn't have to create the device?

----------

## Anon-E-moose

```
$ grep tun /etc/openvpn/openvpn.conf
dev tun
persist-tun
```

from my openvpn.conf

I don't think you should have tun0 in your config file; it will create it from /dev/net/tun directly.

Edit to add: and no, you shouldn't have to or even try to create tun devices.

I don't use systemd so I can't speak to that aspect or whether it affects it.

ETA2: even though I reference tun in the config, this is from the log file

```
 TUN/TAP device tun0 opened
```

----------

## mounty1

tun0 -> tun just changes the error.  I also fixed the 'user' line in my config, and now

```
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-09-25 20:58:13 AEST; 1s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 976537 (openvpn)
   Status: "Pre-connection initialization successful"
      CPU: 12ms
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@NGV.service
           └─976537 /usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf

Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0000 ev=3 arg=0x55c65aa5f7ec
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT Tr|Tw|SR|SW [1/110844]
Sep 25 20:58:13 ida openvpn[976537]: PO_WAIT[0,0] fd=4 rev=0x00000004 rwflags=0x0002 arg=0x55c65aa5fea8
Sep 25 20:58:13 ida openvpn[976537]:  event_wait returned 1
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT status=0x0002
Sep 25 20:58:13 ida openvpn[976537]: UDP WRITE [60] to [AF_INET]139.130.85.54:19209:  DATA 56a418db 7f808965 ab5d34ff 038d2b4f d81be851 0fc1afe7 d4ec0c55 >
Sep 25 20:58:13 ida openvpn[976537]: UDP write returned 60
Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0001 ev=4 arg=0x55c65aa5fea8
Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0001 ev=3 arg=0x55c65aa5f7ec
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT TR|Tw|SR|Sw [1/110844]
```

However:

```
...
tun0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 62:9a:0c:57:a9:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
```

so no IP address.  One thing wrong is that nowhere am I supplying the username and password I've been given.  What am I missing?  If I add the line `auth-user-pass /etc/openvpn/client/NGV/auth` to the config, when I restart the service it complains, `Options error: --auth-user-pass requires --pull`, but if I add the line `pull` to the config, restart complains, `Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.`  And I don't have a CA file etc. so can't go down that route.

BTW, the server is of type PPTP.

----------
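
Added example (not part of any post in this thread, and not OpenVPN's own code): a small Python check for the two option dependencies quoted in the error messages above, plus the rule that a TLS-mode config needs a CA source, which is a simplification for 2.4-era OpenVPN. The sample configs and the host name `vpn.example.net` are constructed, and only whitespace-separated directives are parsed.

```python
# Added example; sample configs are constructed, vpn.example.net is a placeholder.
STATIC_KEY_CFG = """\
dev tun
remote vpn.example.net 19209 udp
nobind
secret /etc/openvpn/client/NGV/static-key
auth-user-pass /etc/openvpn/client/NGV/auth
"""

TLS_CFG = """\
client
dev tun
remote vpn.example.net 19209 udp
ca ca.crt
auth-user-pass /etc/openvpn/openvpn.up
"""

def parse_config(text):
    """Map directive -> args; blank lines and '#'/';' comment lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            opts[name] = args
    return opts

def lint(text):
    """Return findings for the option dependencies OpenVPN enforces at startup."""
    o = parse_config(text)
    pull = "pull" in o or "client" in o  # 'client' implies pull + tls-client
    tls = any(k in o for k in ("tls-client", "tls-server", "client"))
    findings = []
    if "auth-user-pass" in o and not pull:
        findings.append("auth-user-pass requires pull")
    if pull and not tls:
        findings.append("pull requires TLS mode")
    if "secret" in o and (pull or tls or "auth-user-pass" in o):
        findings.append("secret (static key) excludes TLS mode and its user/pass auth")
    if tls and not any(k in o for k in ("ca", "capath", "pkcs12")):
        findings.append("TLS mode without ca/capath/pkcs12")
    return findings

if __name__ == "__main__":
    for label, cfg in (("static key", STATIC_KEY_CFG), ("TLS", TLS_CFG)):
        print(label, "->", lint(cfg) or "no findings")
```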

## Anon-E-moose

For my remote line I just have the ip/name and port number, nothing after, but I use proto udp so that it works.

I don't use sndbuf/rcvbuf.

I modified the openvpn script that was provided by my vpn server; that way I use things they expect: cipher, auth, etc.

I'll post my script anyway, maybe it will help.

```
client
dev tun
proto udp
remote <vpn name> <vpn port #>
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
#auth-user-pass
auth-user-pass /etc/openvpn/openvpn.up
#comp-lzo
compress
verb 1
reneg-sec 0
crl-verify crl.pem
ca ca.crt
#disable occ
# partial network vpn - bittorrent
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.route.down"
route-up "/etc/openvpn/openvpn.route.up"
# full network vpn
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.rte.down"
#route-up "/etc/openvpn/openvpn.rte.up"
route-delay 2
route-noexec
log-append /var/log/openvpn/openvpn.log
user openvpn
group openvpn
```

Edit to add: the ca file should be provided by the server end.

----------

## mounty1

My sysadmin doesn't know Linux but he assures me that a CA file is not required.

----------

## Anon-E-moose

I don't know if it's needed but I do know it would be provided by the server end if used.

https://openvpn.net/community-resources/how-to/ might have more info for you

----------

## mike155

Are you sure that OpenVPN is the right tool? Does your provider recommend OpenVPN? Does he provide a sample configuration file or a howto/tutorial?

----------

## Anon-E-moose

There is pptpclient in the Gentoo repo (although not too sure if it will work for you).

I'm not sure that openvpn will ever work with a pptp server.

Edit to add: https://wiki.archlinux.org/index.php/PPTP_Client

http://pptpclient.sourceforge.net/

----------

