# OpenVPN client doesn't work; no tun device created

## mounty1

Hello, I'm trying to set up an openvpn client on a systemd-based installation but it doesn't work.  The first point is that no tun interface exists.  My configuration is:

```
setenv UV_ID zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
setenv UV_NAME zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
client
dev tun0
dev-type tun
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote zzzzzzzzzzzzzzzzzzzzzzzzzzz 19209 udp
remote-random
nobind
persist-tun
cipher AES-256-CBC
auth SHA512
verb 2
mute 3
push-peer-info
ping 10
ping-restart 60
hand-window 70
server-poll-timeout 4
reneg-sec 2592000
sndbuf 393216
rcvbuf 393216
max-routes 1000
remote-cert-tls server
comp-lzo no
auth-user-pass
key-direction 1
ca /etc/openvpn/client/CS/ca.cert
cert /etc/openvpn/client/CS/client1.crt
key /etc/openvpn/client/CS/client1.key
tls-auth /etc/openvpn/client/CS/ta.key 1
auth-user-pass /etc/openvpn/client/CS/auth
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
```

and when I try:

```
● openvpn-client@CS.service - OpenVPN tunnel for CS
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-05-11 12:38:14 AEST; 2s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 3351 (openvpn)
   Status: "Pre-connection initialization successful"
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@CS.service
           └─3351 /usr/sbin/openvpn --suppress-timestamps --nobind --config CS.conf

May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209

-- Logs begin at Tue 2019-04-30 09:23:00 AEST, end at Sat 2019-05-11 12:38:14 AEST. --
May 11 12:38:08 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:08 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:08 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:08 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:08 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:08 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting
May 11 12:38:12 unesco openvpn[3324]: SIGUSR1[soft,server_poll] received, process restarting
May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:12 unesco openvpn[3324]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:12 unesco openvpn[3324]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: UDP link local: (not bound)
May 11 12:38:12 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:12 unesco openvpn[3324]: event_wait : Interrupted system call (code=4)
May 11 12:38:12 unesco openvpn[3324]: SIGTERM[hard,] received, process exiting
May 11 12:38:12 unesco systemd[1]: Stopping OpenVPN tunnel for CS...
May 11 12:38:12 unesco systemd[1]: openvpn-client@CS.service: Succeeded.
May 11 12:38:12 unesco systemd[1]: Stopped OpenVPN tunnel for CS.
May 11 12:38:14 unesco systemd[1]: Starting OpenVPN tunnel for CS...
May 11 12:38:14 unesco openvpn[3351]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, >
May 11 12:38:14 unesco openvpn[3351]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2019
May 11 12:38:14 unesco openvpn[3351]: library versions: mbed TLS 2.17.0, LZO 2.10
May 11 12:38:14 unesco openvpn[3351]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
May 11 12:38:14 unesco systemd[1]: Started OpenVPN tunnel for CS.
May 11 12:38:14 unesco openvpn[3351]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 11 12:38:14 unesco openvpn[3351]: TCP/UDP: Preserving recently used remote address: [AF_INET]zzz.zzz.zzz.zzz:19209
May 11 12:38:14 unesco openvpn[3351]: UDP link local: (not bound)
May 11 12:38:14 unesco openvpn[3351]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209
```

The kernel has CBC support, and /dev/net/tun exists.  So why is there no tun0 device, and does it matter to getting the client working?

----------

## Anon-E-moose

This is what I see before the tun shows up (IPs omitted):

```
UDP link remote: [AF_INET]
Peer Connection Initiated with [AF_INET]
TUN/TAP device tun0 opened
```

If you don't get the remote link and peer connection the tun won't show.

----------

## szatox

> persist-tun

Doesn't this option require you to create tun device manually before starting your VPN?

> May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting

A firewall blocking your connection?

> May 11 12:38:12 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables

You have some scripts linked in your config, what do they do?

----------
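Added example (not part of any post in this thread): a small Python triage of journal output like the log above. For each openvpn PID it reports how far the client got through the sequence Anon-E-moose lists (UDP link remote, Peer Connection Initiated, TUN/TAP device opened) and whether the poll-timeout and script-security messages szatox quotes appear. The sample lines are constructed from the message formats shown in the thread; the PID 4000 session and its 192.0.2.10 address are made up.

```python
import re

# Milestones in the order the thread shows them; the tun device appears only at the last.
STAGES = [
    ("link_remote", re.compile(r"UDP link remote: \[AF_INET\]")),
    ("peer_connected", re.compile(r"Peer Connection Initiated with \[AF_INET\]")),
    ("tun_opened", re.compile(r"TUN/TAP device \S+ opened")),
]
POLL_TIMEOUT = re.compile(r"Server poll timeout, restarting")
SCRIPT_NOTE = re.compile(r"'--script-security 2' or higher is required")
OPENVPN_LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")

def triage(lines):
    """Per openvpn PID: furthest milestone, poll-timeout count, script-security note."""
    report = {}
    for line in lines:
        m = OPENVPN_LINE.search(line)
        if not m:
            continue  # systemd messages and journal headers
        pid, msg = m.groups()
        entry = report.setdefault(pid, {"stage": None, "rank": -1,
                                        "poll_timeouts": 0, "script_note": False})
        for rank, (name, rx) in enumerate(STAGES):
            if rx.search(msg) and rank > entry["rank"]:
                entry["rank"], entry["stage"] = rank, name
        entry["poll_timeouts"] += bool(POLL_TIMEOUT.search(msg))
        entry["script_note"] |= bool(SCRIPT_NOTE.search(msg))
    return report

def verdict(entry):
    """One-line reading of a triage entry."""
    if entry["stage"] == "tun_opened":
        return "tunnel device opened"
    if entry["poll_timeouts"] and entry["stage"] != "peer_connected":
        return "no server reply before server-poll-timeout; tun never opened"
    return "handshake incomplete in this log; tun not opened"

# Constructed sample: PID 3324 mirrors the failing log; PID 4000 is a made-up healthy run.
SAMPLE = [
    "May 11 12:38:08 unesco openvpn[3324]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables",
    "May 11 12:38:08 unesco openvpn[3324]: UDP link remote: [AF_INET]zzz.zzz.zzz.zzz:19209",
    "May 11 12:38:12 unesco openvpn[3324]: Server poll timeout, restarting",
    "May 11 12:38:12 unesco systemd[1]: Stopped OpenVPN tunnel for CS.",
    "May 11 12:40:00 host openvpn[4000]: UDP link remote: [AF_INET]192.0.2.10:1194",
    "May 11 12:40:01 host openvpn[4000]: Peer Connection Initiated with [AF_INET]192.0.2.10:1194",
    "May 11 12:40:02 host openvpn[4000]: TUN/TAP device tun0 opened",
]
for pid, entry in triage(SAMPLE).items():
    print(pid, entry["stage"], "-", verdict(entry))
```

A `script_note` of `True` alongside `up`/`down` lines in the config means those scripts will not be executed until `script-security` is raised, so any routing or firewall changes they make are not applied.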

## Anon-E-moose

*szatox wrote:*

> > persist-tun
>
> Doesn't this option require you to create tun device manually before starting your VPN?

I have that option, it will create it if it doesn't exist or reuse one if it had been started in the past.

Edit to add:

```
       --persist-tun
              Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
```

----------

## mounty1

Been working with some of the sysops ... apparently I am connecting, but disconnecting after 60 seconds owing to failing to respond to 'pings' (which are not real pings but openvpn keepalive packets).  No tun interface is created.

----------

## Anon-E-moose

My openvpn.conf 

```
$ cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote xxxxxxxxxxxxxxxxxxxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
#auth-user-pass
auth-user-pass /etc/openvpn/openvpn.up
#comp-lzo
compress
verb 1
reneg-sec 0
crl-verify crl.pem
ca ca.crt
#disable occ
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.rte.down"
route-up "/etc/openvpn/openvpn.rte.up"
route-delay 2
route-noexec
log-append /var/log/openvpn/openvpn.log
user openvpn
group openvpn
```

ETA: If you run "verb 4" you'll get lots more info (I use it when troubleshooting, then turn it off)

----------

## Anon-E-moose

I see you use "dev tun0" instead of "dev tun", in that case I'm not sure if it has to exist before you try and use it or not

```
       --dev tunX | tapX | null
              TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
```

I use tun without the number, and I know it's created.

What does "ls -la /dev/net" show?

----------

