Openvpn not starting

matt11601

Dabbler
Joined
Jul 17, 2017
Messages
24
FreeNAS version: FreeNAS-11.3-U3
Iocage version: 11.2-RELEASE-p15

Problem: I updated FreeNAS from 11.3-U2 to 11.3-U3 this morning and now my jail does not connect to my PIA VPN. It was working prior to the update. I used the following guide to set up Transmission + PIA VPN: https://www.ixsystems.com/community...g-up-transmission-with-openvpn-and-pia.24566/

I researched the term "Cannot allocate TUN/TAP dev dynamically" but got varying results. Some users reported a bug while others reported issues with their specific jail. Because of the varying root cause, I did not attempt their fixes for fear of messing something up. The only solution I tried was restoring my prior CONFIG file that FreeNAS made me save prior to the U3 update.

I know I'm presenting this as a problem with the update, but I really don't know. The timing seemed to make sense, but there was also an OpenVPN update recently, which could be the issue.

Can anyone offer any help on how to proceed? I copied the logs below (shortened due to character limit in the post).

Thanks,
Matt

Code:
May 20 10:03:28 Media openvpn[38517]: event_wait : Interrupted system call (code=4)
May 20 10:03:28 Media openvpn[38517]: /sbin/ifconfig tun0 destroy
May 20 10:03:28 Media openvpn[38517]: SIGTERM[hard,] received, process exiting
May 20 10:03:33 Media syslogd: exiting on signal 15
May 20 12:12:34 Media syslogd: kernel boot file is /boot/kernel/kernel
May 20 12:12:41 Media transmission-daemon[2803]: UDP Failed to set receive buffer: No buffer space available (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3ef10de6d97d8cf181fdef81cc435d6a84c86000/libtransmission/tr-udp.c:68)
May 20 12:12:41 Media transmission-daemon[2803]: UDP Failed to set receive buffer: requested 4194304, got 42080 (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3ef10de6d97d8cf181fdef81cc435d6a84c86000/libtransmission/tr-udp.c:97)
May 20 12:12:49 Media openvpn[2874]: WARNING: file 'pass.txt' is group or others accessible
May 20 12:12:49 Media openvpn[2874]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  9 2020
May 20 12:12:49 Media openvpn[2874]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
May 20 12:12:49 Media openvpn[2875]: CRL: loaded 1 CRLs from file [[INLINE]]
May 20 12:12:49 Media openvpn[2875]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.12.220.194:1198
May 20 12:12:49 Media openvpn[2875]: UDP link local: (not bound)
May 20 12:12:49 Media openvpn[2875]: UDP link remote: [AF_INET]45.12.220.194:1198
May 20 12:12:49 Media openvpn[2875]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 20 12:12:50 Media openvpn[2875]: [ce92ad16a4527c0d99fe8bd6e9261175] Peer Connection Initiated with [AF_INET]45.12.220.194:1198
May 20 12:12:51 Media openvpn[2875]: Cannot allocate TUN/TAP dev dynamically
May 20 12:12:51 Media openvpn[2875]: Exiting due to fatal error
May 20 12:46:28 Media syslogd: exiting on signal 15
May 20 12:46:31 Media syslogd: kernel boot file is /boot/kernel/kernel
May 20 12:46:32 Media openvpn[13053]: WARNING: file 'pass.txt' is group or others accessible
May 20 12:46:32 Media openvpn[13053]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  9 2020
May 20 12:46:32 Media openvpn[13053]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
May 20 12:46:32 Media openvpn[13054]: CRL: loaded 1 CRLs from file [[INLINE]]
May 20 12:46:33 Media openvpn[13054]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.12.220.180:1198
May 20 12:46:33 Media openvpn[13054]: UDP link local: (not bound)
May 20 12:46:33 Media openvpn[13054]: UDP link remote: [AF_INET]45.12.220.180:1198
May 20 12:46:33 Media openvpn[13054]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 20 12:46:33 Media transmission-daemon[12999]: UDP Failed to set receive buffer: No buffer space available (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3ef10de6d97d8cf181fdef81cc435d6a84c86000/libtransmission/tr-udp.c:68)
May 20 12:46:33 Media transmission-daemon[12999]: UDP Failed to set receive buffer: requested 4194304, got 42080 (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3ef10de6d97d8cf181fdef81cc435d6a84c86000/libtransmission/tr-udp.c:97)
May 20 12:46:33 Media openvpn[13054]: [9f899706e5b76f17e8b7bea9c01fbde6] Peer Connection Initiated with [AF_INET]45.12.220.180:1198
May 20 12:46:34 Media openvpn[13054]: Cannot allocate TUN/TAP dev dynamically
May 20 12:46:34 Media openvpn[13054]: Exiting due to fatal error

 

matt11601

Run this in the main shell

iocage set allow_tun=1 [jailname]

Thanks for replying. Yes, tun is checked. Meaning, in the GUI settings of the jail, "allow_tun" is checked under custom properties.

The output of "iocage set allow_tun=1 [jailname]" is

Code:
allow_tun: 1 -> 1


After running the above command, I restarted the jail from the GUI and openvpn still does not start.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Check the output of ifconfig and see if a tun interface was created. If not, ifconfig tun create.
 

matt11601

ifconfig shows:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:60:94:ba:c9
    hwaddr 02:c5:d2:00:08:0b
    inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair 


Running ifconfig tun create adds the following entry to ifconfig

Code:
tun257: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
    groups: tun
 

NasKar

That was the problem: no tun interface in the jail. I don’t know why it’s not created when creating the jail with that option. Try to start openvpn. If you have a firewall you need to specify tun257.
 

matt11601

Got it. My understanding is openvpn is failing so the tunnel never gets created. Or is it the other way around? Meaning, the tunnel does not get created so openvpn fails.

I can start openvpn with "service openvpn start" but it stops running after ~5 seconds.
 

NasKar

it the other way around? Meaning, the tunnel does not get created so openvpn fails.
Without a tun interface openvpn won’t start. You could post a copy of your openvpn.conf file (redacted).
 

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
I've recently been bitten by this problem as well.

OpenVPN is hard coded to automatically try to open the first 256 tun devices. This mode of operation is indicated to OpenVPN by the "dev tun" line in your config file. If it fails to open any one of these devices, openvpn gives up in the manner you experienced. You have two choices at this point:
1. Reboot to refresh the /dev/tun* devices (I find it hard to believe you have use for 256 tun devices).
2. Edit your openvpn config and replace the "dev tun" with "dev tun257" and restart openvpn in your jail.
 

matt11601

Ahhh I see. Did not know the tunnel needs to be created first. Contents of openvpn are:

Code:
client
dev tun
proto udp
remote ***REDACTED***
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass ***REDACTED***.txt
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
***REDACTED***
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
***REDACTED***
-----END CERTIFICATE-----
</ca>

disable-occ
 

matt11601

I rebooted FreeNAS and logged into my jail immediately. Looks like several tunnels 0-255 are in fact created. The output of ifconfig right after FreeNAS reboot is:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:60:94:ba:c9
    hwaddr 02:c5:d2:00:07:0b
    inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
    groups: tun
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
    groups: tun

***Tunnels 2-254 also created but deleted due to post character limit***

tun255: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
    groups: tun
 

matt11601

Thank you @Jawbone @NasKar @colmconn for your continued help.

As an update for anyone following along and to summarize the previous posts: The tunnel is not created on startup so I manually create one using ifconfig tun create. I confirm the tunnel name with ifconfig then use this tunnel name in openvpn.conf and ipfw rules. I can confirm my IP address changes with curl ifconfig.me. This workaround is currently working and transmission traffic is routed thru my VPN.
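
A consistency check for the workaround summarized above, as an added example that is not part of the original thread: it verifies that the "dev" line in openvpn.conf names a numbered tun interface, that this interface exists in the jail, and that the ipfw rules name the same interface. The file names, sample config, ifconfig text and ipfw rules are constructed, and it assumes the rules name the interface explicitly as "via tunN".

```shell
#!/bin/sh
# Added example: checks that the pinned-tun workaround is consistent.
# Works on captured text so it runs offline; on the jail, feed it the
# output of `ifconfig` and `ipfw list` instead of the constructed samples.

# Names of tun interfaces present in ifconfig output (stdin).
tun_ifaces() { sed -n 's/^\(tun[0-9][0-9]*\):.*/\1/p'; }

# Device named by the "dev" directive of an OpenVPN config (stdin).
conf_dev() { awk '$1 == "dev" { print $2; exit }'; }

# Distinct numbered tun interfaces named after "via" in ipfw rules (stdin).
rule_ifaces() { grep -o 'via tun[0-9][0-9]*' | awk '{ print $2 }' | sort -u; }

# check_pinning CONF IFCONFIG_OUT IPFW_OUT
# 0 = consistent, 1 = dev not pinned, 2 = interface missing, 3 = rules differ
check_pinning() {
    dev=$(conf_dev < "$1")
    case "$dev" in
        tun[0-9]*) ;;
        *) echo "config: dev '$dev' is not a numbered tun"; return 1 ;;
    esac
    tun_ifaces < "$2" | grep -qx "$dev" ||
        { echo "jail: interface $dev does not exist"; return 2; }
    ifs=$(rule_ifaces < "$3")
    [ "$ifs" = "$dev" ] ||
        { echo "ipfw: rules name '${ifs:-no tun}', openvpn uses $dev"; return 3; }
    echo "ok: openvpn.conf, jail and ipfw all use $dev"
}

# Constructed sample inputs (hypothetical, not the poster's real files).
make_samples() {
    printf 'client\ndev tun\nproto udp\n'    > "$1/dynamic.conf"
    printf 'client\ndev tun257\nproto udp\n' > "$1/pinned.conf"
    printf 'lo0: flags=8049<UP,LOOPBACK>\ntun257: flags=8010<POINTOPOINT>\n' > "$1/ifconfig.out"
    printf '00100 allow ip from any to any via lo0\n' > "$1/ipfw.out"
    printf '00200 allow ip from me to any via tun257\n' >> "$1/ipfw.out"
    sed 's/tun257/tun0/' "$1/ipfw.out" > "$1/ipfw_stale.out"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_pinning "$tmp/pinned.conf"  "$tmp/ifconfig.out" "$tmp/ipfw.out"
check_pinning "$tmp/dynamic.conf" "$tmp/ifconfig.out" "$tmp/ipfw.out"
check_pinning "$tmp/pinned.conf"  "$tmp/ifconfig.out" "$tmp/ipfw_stale.out"
rm -rf "$tmp"
```

Because the workaround ties both OpenVPN and the firewall rules to one interface name, the check is worth rerunning whenever the tun device is recreated, for example after a reboot.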
 

NasKar

That’s what I’ve done. Glad it’s working.
 