SOLVED Openvpn tun interface issues in iocage

Sparx

Contributor
Joined
Apr 18, 2017
Messages
107
+1 on the issue. 11.2 RC. Problem came for me on RC. No issues in the beta releases. Had to avoid autostart and run the devfs rule to get openvpn to start.
 

leafyeh7

Cadet
Joined
Aug 28, 2018
Messages
5
I am seeing the same issue, even with jails that were working just fine and have made no changes. I tried what Leafyah7 suggested (thanks for that) however my openvpn still gets the dynamic tun cannot be created issue. 11.2 is being a pain so far :(

My current solution is:

1. Disable Transmission autostart on boot. 2. Run the devfs command once the system booted. 3. Start Transmission manually.

It seems like they are still working on it.
https://ftp.freenas.org/issues/40872
 

odragon

Dabbler
Joined
Nov 9, 2016
Messages
28
Also having the exact same issue with 11.2RC1. Anyone else open a case about this? Might be worth having more than one instance open to make it more obvious that this is a fairly common problem.
 

Derkades

Dabbler
Joined
Aug 6, 2018
Messages
16
Having exactly the same issue. Adding the pre-init command fixes it for the first boot of the jail/openvpn, but if I restart openvpn (or the jail) it stops working until I reboot the host. In my case it happened when updating from BETA3 to RC1.

For anyone finding this using Google, someone posted a fix here: https://ftp.freenas.org/issues/40872#note-44 (haven't tried it yet)
 

rmccullough

Patron
Joined
May 17, 2018
Messages
269
Any idea when the next RC or release will be? I would rather not run a pull request version of iocage if I can help it. It seems like this is a significant enough issue it would be worth releasing an RC1a to address.
 

Sparx

Contributor
Joined
Apr 18, 2017
Messages
107
Installed RC2. No fix for the issue. And now running "devfs rule -s 4 add path 'tun*' unhide" before starting the jail doesn't resolve the issue. What gives?
Edit: I had missed the previous updates. I ran "iocage set allow_tun=1" with a reboot after. Seems to be working as intended now.
 

rmccullough

Patron
Joined
May 17, 2018
Messages
269
Confirmed here as well with 11.2 RC2, issue seems to be fixed.
 

pbo10

Cadet
Joined
Nov 1, 2018
Messages
6
Could someone just confirm the exact steps that need to be done for this now after updating to 11.2 RC2?

I've removed the previous "devfs rule -s 4 add path 'tun*' unhide" pre init command from startup, I've done "iocage set allow_tun=1 <jail name>" and then rebooted the whole FreeNAS system but when I try to run OpenVPN in the jail I'm still getting:

Sun Nov 18 00:09:00 2018 GDG: problem writing to routing socket
Sun Nov 18 00:09:00 2018 Cannot allocate TUN/TAP dev dynamically
Sun Nov 18 00:09:00 2018 Exiting due to fatal error

I also tried "ifconfig tun0 create" in the jail and that gives me an error as well "ifconfig: SIOCIFCREATE2: Operation not permitted", but it works on the FreeNAS host.

Do I need to recreate the jail from scratch now I'm on 11.2 RC2?
 

rmccullough

Patron
Joined
May 17, 2018
Messages
269
I originally created my OpenVPN jail on 11.2 Beta 1 or 2 (I think it was Beta 2). I did not have to re-create it. It started working again after I upgraded to RC2. While running RC1 I did set allow_tun=1, and after I upgraded to RC2, I was able to start the jail and the service started successfully.

So, unless you created your jail on an older version than 11.2 Beta 2, I don't think you need to do anything else special.

What shows up in your /var/log/messages in the jail when you execute service openvpn start inside of the jail?


 

Baenwort

Explorer
Joined
Feb 19, 2015
Messages
93
Just moved from 11.1-U6 to 11.2-RC2. The fix posted at: https://ftp.freenas.org/issues/40872#note-44 worked for me. I only had to remove the old hack and follow along to step 5. After that my portforward script worked and my IP address was that of my VPN and not the WAN IP.
 

pbo10

Cadet
Joined
Nov 1, 2018
Messages
6
What shows up in your /var/log/messages in the jail when you execute service openvpn start inside of the jail?

I just get that same message, this is the whole log from the jail:

Nov 18 09:03:34 Transmission-VPN openvpn[6436]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 2 2018
Nov 18 09:03:34 Transmission-VPN openvpn[6436]: library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Nov 18 09:03:34 Transmission-VPN openvpn[6437]: TCP/UDP: Preserving recently used remote address: [AF_INET]{IP ADDRESS REMOVED}:1198
Nov 18 09:03:34 Transmission-VPN openvpn[6437]: UDP link local: (not bound)
Nov 18 09:03:34 Transmission-VPN openvpn[6437]: UDP link remote: [AF_INET]{IP ADDRESS REMOVED}:1198
Nov 18 09:03:34 Transmission-VPN openvpn[6437]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 18 09:03:35 Transmission-VPN openvpn[6437]: [a222743srhe38nds9djkcn9a2ns82psj29s16a] Peer Connection Initiated with [AF_INET]{IP ADDRESS REMOVED}:1198
Nov 18 09:03:41 Transmission-VPN openvpn[6437]: GDG: problem writing to routing socket
Nov 18 09:03:41 Transmission-VPN openvpn[6437]: Cannot allocate TUN/TAP dev dynamically
Nov 18 09:03:41 Transmission-VPN openvpn[6437]: Exiting due to fatal error

I've also just now gone through and created the jail from scratch under 11.2 RC2 just in case that was the issue.

So I created the jail, installed and configured OpenVPN, set allow_tun=1 for the jail, rebooted the whole FreeNAS system to be sure, checked using "iocage get allow_tun {jailname}" to make sure it's still set to 1 which it is, then started the jail and I get the error above when starting the service.

I must be missing a step somewhere, but I'm not sure where exactly.
 

pbo10

Cadet
Joined
Nov 1, 2018
Messages
6
I've also done the other part of that guide where they checked the new rule was in place on the jail.

Code:
# Find its associated "devfs" ruleset ID.
$ jls -j <id> devfs_ruleset

# Examine its "devfs" ruleset. You are looking for "path tun* unhide".
$ devfs rule -s <id> show
...
<rule-id> path tun* unhide


and at the bottom of a long list of rules for that jail I see:

4800 path tun* unhide

So as far as I can tell the rules are all set to allow the jail to create the devices, but it still just doesn't seem to have permission to do it.
 

rmccullough

Patron
Joined
May 17, 2018
Messages
269
Very strange. I would open a new ticket on this and attach a debug log. I would also mention the previous issue #, but highlight you are still getting the problem after upgrading to 11.2 RC2.
 

WookieCookie

Dabbler
Joined
Nov 22, 2017
Messages
13
Ran into this same problem the other day and after some searching found this bug report https://ftp.freenas.org/issues/40872#note-44

-TLDR

If you're running 11.2 RC2 this fixed the issue for me.
  1. Remove any existing openvpn support hacks, such as the devfs pre-init command.
  2. Stop all of the jails that are using OpenVPN
    iocage stop <jail-name>

  3. Update your openvpn jail(s) to include the allow_tun=1 setting. FreeNAS should support this via UI eventually, but as of now I'm unaware of a way to do this with UI. This can be done by running:
    iocage set allow_tun=1 <jail-name>

  4. Reboot your NAS, to clear any resident state from previous hack(s).
  5. Start the jail again.
    iocage start <jail-name>
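
The checks compared across the posts above (the allow_tun property, the jail's devfs ruleset, and the OpenVPN log), combined into one triage helper. This is an added example, not part of any post or of the linked bug report; the function names, verdict strings, and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage of the outputs discussed in this thread.
# Function names and verdict strings are hypothetical; sample data is constructed.

# Succeeds if `devfs rule -s <id> show` output (stdin) has "path tun* unhide".
has_tun_unhide() {
    awk '{ for (i = 1; i + 2 <= NF; i++)
             if ($i == "path" && $(i+1) ~ /^tun/ && $(i+2) == "unhide") ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Succeeds if an OpenVPN log (stdin) shows the tun allocation failure.
has_tun_failure() {
    grep -q 'Cannot allocate TUN/TAP dev dynamically'
}

# diagnose ALLOW_TUN RULESET_TEXT LOG_TEXT PREINIT_TEXT -> one-word verdict
diagnose() {
    if printf '%s\n' "$4" | grep -q "devfs rule .*add path .*tun"; then
        echo stale-hack               # steps 1 and 4: remove it, then reboot
    elif [ "$1" != "1" ]; then
        echo set-allow-tun            # step 3: iocage set allow_tun=1 <jail-name>
    elif ! printf '%s\n' "$2" | has_tun_unhide; then
        echo ruleset-missing-tun      # no tun* unhide rule in the jail's ruleset
    elif printf '%s\n' "$3" | has_tun_failure; then
        echo config-ok-still-failing  # settings look right: open a ticket, attach a debug log
    else
        echo ok
    fi
}

# Constructed sample input, modelled on the output quoted in the posts.
SAMPLE_RULES='100 include 1
4800 path tun* unhide'
SAMPLE_LOG='Nov 18 09:03:41 jail openvpn[6437]: Cannot allocate TUN/TAP dev dynamically'

diagnose 1 "$SAMPLE_RULES" "$SAMPLE_LOG" ""
```

On the host, the first two arguments would come from "iocage get allow_tun <jail-name>" and "devfs rule -s <id> show", as used in the posts above.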
 

Robert ikin

Cadet
Joined
May 1, 2015
Messages
9
Has this thing progressed any further? I'm running 11.2 RC2 and have tried the fix above. I have all the right results as far as iocage get allow_tun transmission which is "1", the devfs ruleset returns "4800 path tun* unhide" which looks ok, but I'm still not able to start openvpn with the usual "Cannot allocate TUN/TAP dev dynamically" line (I get the same results as pbo10 when running
Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
). I've installed transmission via the plugin and it all looks good, this tun dev allocation issue though has really put the brakes on.
 

Robert ikin

Cadet
Joined
May 1, 2015
Messages
9
I've got two Freenas platforms running, one running ver 9.3, the other 11.2 RC2. The 9.3 box is running openvpn on transmission, the 11.2 box is having the "tun" issues. I've stopped and started openvpn on both boxes and compared the config logs: on the 9.3 box there is no problem writing to the routing socket and opening a vpn, but the 11.2 box throws up the "GDG: problem writing to routing socket" line and won't start the vpn service. I realise that the jail properties (iocage etc) on the boxes differ, but could there be a problem with the 11.2 box accessing and writing to the routing tables? I've checked the netstats on the 11.2 box and there's only the iocage link up in the transmission jail, so there can't be a clash. I looked back at most of the "tun" issue posts and all have the problem routing socket line in their logs, looks iffy.
 

JTBTek

Dabbler
Joined
Dec 1, 2018
Messages
32
Ran into this same problem the other day and after some searching found this bug report https://ftp.freenas.org/issues/40872#note-44

-TLDR

If you're running 11.2 RC2 this fixed the issue for me.
  1. Remove any existing openvpn support hacks, such as the devfs pre-init command.
  2. Stop all of the jails that are using OpenVPN
    iocage stop <jail-name>

  3. Update your openvpn jail(s) to include the allow_tun=1 setting. FreeNAS should support this via UI eventually, but as of now I'm unaware of a way to do this with UI. This can be done by running:
    iocage set allow_tun=1 <jail-name>

  4. Reboot your NAS, to clear any resident state from previous hack(s).
  5. Start the jail again.
    iocage start <jail-name>

This is the correct fix... I was having the same issue and this fixed it. Wish I would have found this first. I read thru so many bug reports till I found this same answer buried deep in all the replies in the bug report.

NOTE: Any previous workarounds you had tried have to be undone first, otherwise this will not work and you will continue to get the same error.
 

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
I updated to 11.2-RELEASE recently and guess what broke again...Decided to take a look at fixing this issue again.
I tried the above and IT FINALLY WORKS...Thank you all for getting me through this, great community :)

Cheers for finding this WookieCookie - I have marked as solved, this seems to be a real fix at last (just needs that UI checkbox)!
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
I have an openVPN currently set up on my Freenas jail (Transmission). The issue that I'm having is... Tun1 interface can't get an IP address using the command below:

https://myriad.ca/index.php/2018/01/29/set-up-vpn-transmission-on-freenas-11-1/

root@transmission:/ # ifconfig tun1
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=1<PERFORMNUD>
groups: tun


root@transmission:/ # service openvpn restart
Stopping openvpn.
Waiting for PIDS: 6457, 6457.
Starting openvpn.
root@transmission:/ #

root@transmission:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:60:03:aa:47
hwaddr 02:05:d0:00:08:0b
inet 192.168.1.115 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=1<PERFORMNUD>
groups: tun
root@transmission:/ #
 