SOLVED openvpn issues in new jails after 11.1

INCSlayer

Contributor
Joined
Apr 4, 2015
Messages
197
i was trying to setup a iocage jail with openvpn in it but kept running into
"Cannot allocate TUN/TAP dev dynamically"
i tried with VNET on and off behaved the same.
So i went back to the old ui and created a warden jail since i have done that before with openvpn and i actually still have a couple that works fine that was created earlier.
However creating a new jail using identical settings for my previously working jail it faces the same issue
and i have VIMAGE turned on in the warden jail which works fine for my older jail
anyone else with these issues after updateing to 11.1?
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
I have issues aswell in iocage (The New jail system)
It seems also thqt it hoc The Main eth Mac id so you cant have a uniqe Mac address on your network


Sent from my iPhone using Tapatalk
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Make vnet in the iocage The it works


Sent from my iPhone using Tapatalk
 
Joined
Dec 22, 2017
Messages
13
My problem seem to have resolved itself with a reboot. What I noticed was that I could use openvpn with the tap interface. I also figured that I could use openvpn if I create the i-face manually and set the config to the specific device (e.g.: 'dev tun2'). I then rebooted and gave 'dev tun' another try and et voila, openvpn works as it used to be.
 

Pentaflake

Explorer
Joined
Jul 8, 2014
Messages
91
My problem seem to have resolved itself with a reboot. What I noticed was that I could use openvpn with the tap interface. I also figured that I could use openvpn if I create the i-face manually and set the config to the specific device (e.g.: 'dev tun2'). I then rebooted and gave 'dev tun' another try and et voila, openvpn works as it used to be.

Can you provide some clarification on what you did exactly to get it working under iocage? I have tried to replicate your steps manually creating the interface and setting that in the config for openvpn and it still fails. Additionally I couldn't get a tap device to work either. What are you using for your iocage settings for the jail for openvpn?
 
Joined
Dec 22, 2017
Messages
13
Sorry for the slow response. I am by no means a FreeBSD/FreeNAS expert. But let's dive into it:
  • first check that the kernel module is indeed loaded: kldload if_tun
  • then list the current tun devices: ll /dev/tun* (that shouldn't return anything at this point, if devices exist then my best bet is, that either something is already using a tun device or did not cleanup)
  • next check your jail config. I'm not 100% sure, but IMO mount_devfs must be enabled (1). Double check it w/ iocage get mount_devfs <<<jail>>>
  • now start the jail and console into it and run: ifconfig tun create. That should create an interface named tunX. When you configure that specific device in your openvpn config (dev tun0) you shouldn't get the error (Couldn't ... dynamic), you may, however, get some other error message.
  • finally switch back to dev tun and restart the openvpn service and check the logs again. What does it say?
 

Pentaflake

Explorer
Joined
Jul 8, 2014
Messages
91
That is exactly what I had done. When you are creating the jail are you using any other additional settings off the defaults? (mount_devfs is enabled by default). I see still the same "Cannot allocate TUN/TAP dev dynamically" after starting openvpn again after going to back to dev tun.
 
Last edited:

Pentaflake

Explorer
Joined
Jul 8, 2014
Messages
91
Solved it!

iocage can limit the devices that jails can access on the devfs mounted to them as it provides better security. The default that freenas applies to an iocage jail where you don't specify the devfs_ruleset option is ruleset 4 in /etc/defaults/devfs.rules (devfs_ruleset="4" option in iocage). This ruleset prevents the jail and in this case openvpn from accessing the tun device(s) and functioning properly.

This can be resolved in the simplest and shortest way by adding a rule to the default ruleset that is applied to jails to allow access to tun devices. This can be run as a preinit command under tasks in the freenas ui to make sure it is run before the iocage jails start so they can start up fine without any interaction.

Run the following on the FreeNAS host:
devfs rule -s 4 add path 'tun*' unhide

While you could likely make another ruleset for just jails with tun devices above is the simplest way to make it work and keep the security of not having jails have access to things such as raw disks.
 
Last edited:

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
Run the following on the FreeNAS host:
devfs rule -s 4 add path 'tun*' unhide

I've run this on fn host.

Do I need to reboot? Or recreate the jail? Openvpn still cannot create tun.
 

INCSlayer

Contributor
Joined
Apr 4, 2015
Messages
197
i added it as a pre-init command and rebooted and after that my jails could create tun as expected
 

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
It doesn't seem to have worked for me :/

Code:

root@vpngateway:~ # tail /var/log/messages
Dec 30 00:33:06 vpngateway openvpn[16832]: Data Channel MTU parms [ L:1557 D:1300 EF:57 EB:407 ET:0 EL:3 ]
Dec 30 00:33:06 vpngateway openvpn[16832]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 30 00:33:06 vpngateway openvpn[16832]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 30 00:33:06 vpngateway openvpn[16832]: GDG: problem writing to routing socket
Dec 30 00:33:06 vpngateway openvpn[16832]: ROUTE: default_gateway=UNDEF
Dec 30 00:33:06 vpngateway openvpn[16832]: GDG6: remote_host_ipv6=n/a
Dec 30 00:33:06 vpngateway openvpn[16832]: GDG6: problem writing to routing socket
Dec 30 00:33:06 vpngateway openvpn[16832]: ROUTE6: default_gateway=UNDEF
Dec 30 00:33:06 vpngateway openvpn[16832]: Cannot allocate TUN/TAP dev dynamically
Dec 30 00:33:06 vpngateway openvpn[16832]: Exiting due to fatal error


 

INCSlayer

Contributor
Joined
Apr 4, 2015
Messages
197
what are the settings for that jail?
could you include the content of the config.json file for that jail within code tags?
 

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
Yes, here is the config.json file for the jail:

Code:
{
	"CONFIG_VERSION": "9",
	"allow_chflags": "0",
	"allow_mount": "0",
	"allow_mount_devfs": "0",
	"allow_mount_nullfs": "0",
	"allow_mount_procfs": "0",
	"allow_mount_tmpfs": "0",
	"allow_mount_zfs": "0",
	"allow_quotas": "0",
	"allow_raw_sockets": "1",
	"allow_set_hostname": "1",
	"allow_socket_af": "0",
	"allow_sysvipc": "0",
	"available": "readonly",
	"basejail": "no",
	"boot": "off",
	"bpf": "no",
	"children_max": "0",
	"cloned_release": "11.1-RELEASE",
	"comment": "none",
	"compression": "lz4",
	"compressratio": "readonly",
	"coredumpsize": "off",
	"count": "1",
	"cpuset": "off",
	"cputime": "off",
	"datasize": "off",
	"dedup": "off",
	"defaultrouter": "192.168.1.1",
	"defaultrouter6": "none",
	"depends": "none",
	"devfs_ruleset": "4",
	"dhcp": "off",
	"enforce_statfs": "2",
	"exec_clean": "1",
	"exec_fib": "0",
	"exec_jail_user": "root",
	"exec_poststart": "/usr/bin/true",
	"exec_poststop": "/usr/bin/true",
	"exec_prestart": "/usr/bin/true",
	"exec_prestop": "/usr/bin/true",
	"exec_start": "/bin/sh /etc/rc",
	"exec_stop": "/bin/sh /etc/rc.shutdown",
	"exec_system_jail_user": "0",
	"exec_system_user": "root",
	"exec_timeout": "60",
	"host_domainname": "none",
	"host_hostname": "vpngateway",
	"host_hostuuid": "vpngateway",
	"host_time": "yes",
	"hostid": "841a1818-63f1-11e6-9549-9cb6540ca823",
	"interfaces": "vnet0:bridge0",
	"ip4": "new",
	"ip4_addr": "bge0|192.168.1.30/24",
	"ip4_saddrsel": "1",
	"ip6": "new",
	"ip6_addr": "none",
	"ip6_saddrsel": "1",
	"jail_zfs": "off",
	"jail_zfs_dataset": "iocage/jails/vpngateway/data",
	"jail_zfs_mountpoint": "none",
	"last_started": "2017-12-30 00:33:05",
	"login_flags": "-f root",
	"mac_prefix": "02ff60",
	"maxproc": "off",
	"memorylocked": "off",
	"memoryuse": "off",
	"mount_devfs": "1",
	"mount_fdescfs": "1",
	"mount_linprocfs": "0",
	"mount_procfs": "0",
	"mountpoint": "readonly",
	"msgqqueued": "off",
	"msgqsize": "off",
	"nmsgq": "off",
	"notes": "none",
	"nsemop": "off",
	"nshm": "off",
	"nthr": "off",
	"openfiles": "off",
	"origin": "readonly",
	"owner": "root",
	"pcpu": "off",
	"priority": "99",
	"pseudoterminals": "off",
	"quota": "none",
	"release": "11.1-RELEASE-p6",
	"reservation": "none",
	"resolver": "/etc/resolv.conf",
	"rlimits": "off",
	"securelevel": "2",
	"shmsize": "off",
	"stacksize": "off",
	"stop_timeout": "30",
	"swapuse": "off",
	"sync_state": "none",
	"sync_target": "none",
	"sync_tgt_zpool": "none",
	"sysvmsg": "new",
	"sysvsem": "new",
	"sysvshm": "new",
	"template": "no",
	"type": "jail",
	"used": "readonly",
	"vmemoryuse": "off",
	"vnet": "off",
	"vnet0_mac": "none",
	"vnet1_mac": "none",
	"vnet2_mac": "none",
	"vnet3_mac": "none",
	"wallclock": "off"
}


 

INCSlayer

Contributor
Joined
Apr 4, 2015
Messages
197
i also had to change the line
"ip4_addr": "bge0|192.168.1.30/24",
to
"ip4_addr": "vnet0|192.168.1.30/24",

when i was running multiple jails with vnet turned on or none of them would get any interfaces
 

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
Thanks, that did work for me with tun interfaces (although only when manually creating a tun device and specifying that device inside the openvpn.conf), but I can't get it to work with tap trying a bridged solution. Is this possible within FreeNAS?
the /dev/tap* devices don't appear if created, even if ifconfig is showing them.

edit: well, after a reboot it showed up.
 
Last edited:

clusty

Dabbler
Joined
Dec 21, 2017
Messages
25
This is driving me insane. I am having the same problem and rebooting fixes it (no extra config needed).
Anybody knows if there a bug logged for this ?
 

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
the ticket for this bug was https://redmine.ixsystems.com/issues/40872
It is fixed for tun devices in 11.2 (enable the allow_tun option in the GUI) but not for tap devices. If you need a tap device edit
/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py
on the host and around line 700 search for
Code:
    if conf['allow_tun'] == '1':
        devfs_dict['tun*'] = None
        devfs_dict['tap*'] = None     # add this to also enable tap devices

and edit as above
 

Junicast

Patron
Joined
Mar 6, 2015
Messages
206
I'm on 11.2U6 and even though I set allow_tun in the GUI I still get
Code:
Mon Nov 11 21:57:14 2019 Cannot allocate TUN/TAP dev dynamically
Mon Nov 11 21:57:14 2019 Exiting due to fatal error

Code:
iocage get allow_tun myjail
1

I'm using vnet.
 
Top