SOLVED Openvpn tun interface issues in iocage

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
Hi all Im new to freenas, Have recently tried transitioning my quick and easy warden plugins to iocage manual jails. I followed these guides to setup openvpn:

https://www.reddit.com/r/freenas/comments/41fhz3/configuration_guide_for_openvpn_and_ipfw_so_that/
https://forums.freenas.org/index.php?threads/openvpn-issues-in-new-jails-after-11-1.59828/

I have tried many different ways to install openvpn and followed many fixes that are meant to work to fix this error: "Cannot allocate TUN/TAP dev dynamically". I added devfs rule -s 4 add path 'tun*' unhide to preinit to try and fix the issue to no avail. When i looked at the ifconfig the interfaces looked a little odd.

Issues:
  • Openvpn states "Cannot allocate TUN/TAP dev dynamically" no matter what I do and despite the rules fix.
  • On host restart the jail listed 256 tun interfaces (tun0 - tun255).
  • On jail restart a single tun interface named tun256, this tun name increments on each subsequent restart.
  • On host restart the manually created tun0 interface on host is removed.
This seems irregular, I believe these issues are linked somehow, but my knowledge of network interfaces is limited.

Host Restart - Jail ifconfig (end section):
Code:
tun244: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun245: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun246: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun247: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun248: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun249: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun250: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun251: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun252: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun253: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun254: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun
tun255: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun


Jail Restart 1 - Jail ifconfig:
Code:
root@qbittorrent:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
		options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
		inet6 ::1 prefixlen 128
		inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
		inet 127.0.0.1 netmask 0xff000000
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=8<VLAN_MTU>
		ether 02:ff:60:5b:ca:e6
		hwaddr 02:06:d0:00:06:0b
		inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
		nd6 options=1<PERFORMNUD>
		media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
		status: active
		groups: epair
tun256: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun


Jail Restart 2 - Jail ifconfig:
Code:
root@qbittorrent:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
		options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
		inet6 ::1 prefixlen 128
		inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
		inet 127.0.0.1 netmask 0xff000000
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=8<VLAN_MTU>
		ether 02:ff:60:5b:ca:e6
		hwaddr 02:06:d0:00:06:0b
		inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
		nd6 options=1<PERFORMNUD>
		media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
		status: active
		groups: epair
tun257: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
		options=80000<LINKSTATE>
		nd6 options=1<PERFORMNUD>
		groups: tun


Jail Log:
Code:
Aug  3 11:34:49 qbittorrent openvpn[6093]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul  3 2018
Aug  3 11:34:49 qbittorrent openvpn[6093]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Aug  3 11:34:49 qbittorrent openvpn[6094]: LZO compression initializing
Aug  3 11:34:49 qbittorrent openvpn[6094]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug  3 11:34:49 qbittorrent openvpn[6094]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Aug  3 11:34:49 qbittorrent openvpn[6094]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug  3 11:34:49 qbittorrent openvpn[6094]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug  3 11:34:49 qbittorrent openvpn[6094]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.154.120:1198
Aug  3 11:34:49 qbittorrent openvpn[6094]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Aug  3 11:34:49 qbittorrent openvpn[6094]: UDP link local: (not bound)
Aug  3 11:34:49 qbittorrent openvpn[6094]: UDP link remote: [AF_INET]89.238.154.120:1198
Aug  3 11:34:49 qbittorrent openvpn[6094]: TLS: Initial packet from [AF_INET]89.238.154.120:1198, sid=bf11cff3 45e3bd08
Aug  3 11:34:49 qbittorrent openvpn[6094]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Aug  3 11:34:49 qbittorrent openvpn[6094]: VERIFY KU OK
Aug  3 11:34:49 qbittorrent openvpn[6094]: Validating certificate extended key usage
Aug  3 11:34:49 qbittorrent openvpn[6094]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  3 11:34:49 qbittorrent openvpn[6094]: VERIFY EKU OK
Aug  3 11:34:49 qbittorrent openvpn[6094]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=34c4672cd66a088004c427b9803f865e, name=34c4672cd66a088004c427b9803f865e
Aug  3 11:34:49 qbittorrent openvpn[6094]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  3 11:34:49 qbittorrent openvpn[6094]: [34c4672cd66a088004c427b9803f865e] Peer Connection Initiated with [AF_INET]89.238.154.120:1198
Aug  3 11:34:50 qbittorrent openvpn[6094]: SENT CONTROL [34c4672cd66a088004c427b9803f865e]: 'PUSH_REQUEST' (status=1)
Aug  3 11:34:50 qbittorrent openvpn[6094]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.83.10.1,topology net30,ifconfig 10.83.10.6 10.83.10.5,auth-token'
Aug  3 11:34:50 qbittorrent openvpn[6094]: auth-token received, disabling auth-nocache for the authentication token
Aug  3 11:34:50 qbittorrent openvpn[6094]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  3 11:34:50 qbittorrent openvpn[6094]: OPTIONS IMPORT: compression parms modified
Aug  3 11:34:50 qbittorrent openvpn[6094]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  3 11:34:50 qbittorrent openvpn[6094]: OPTIONS IMPORT: route options modified
Aug  3 11:34:50 qbittorrent openvpn[6094]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug  3 11:34:50 qbittorrent openvpn[6094]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:406 ET:0 EL:3 ]
Aug  3 11:34:50 qbittorrent openvpn[6094]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug  3 11:34:50 qbittorrent openvpn[6094]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug  3 11:34:50 qbittorrent openvpn[6094]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug  3 11:34:50 qbittorrent openvpn[6094]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug  3 11:34:50 qbittorrent openvpn[6094]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:5b:ca:e6
Aug  3 11:34:50 qbittorrent openvpn[6094]: Cannot allocate TUN/TAP dev dynamically
Aug  3 11:34:50 qbittorrent openvpn[6094]: Exiting due to fatal error


What have I done wrong?
Do I need to create a tun interface on the host?
 
Last edited:

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
there might be a bug somewhere that leads to the creation of the 256 tun devices, I encountered the same with tap devices and openvpn. however after a restart of the freenas, this did not happen again for me. after a host-restart, the tun devices should "restart" and start counting with 0 again. after that bug it was impossible to get the tun/tap devices to work. so check if the tun device is not bigger tan 255.
second: you don't need to create a tun device on the host just inside the jail (and that should be done automatically by openvpn)
also it seems openvpn creates a tun device, so thats strange it says it cannot allocate it.
you maybe also want to set the verb level to something higher in your *ovpn profile to get a more verbose log.
 

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
Ok thanks for clarifying things.
What do you mean by this 'check if the tun device is not bigger tan 255' ?
I increased the openvpn.conf verb value to 5.
I'm not sure if there's another error log location. I have scanned through this, but apart from the initial warning and the final error I cant see what could be causing the issue, although I'm not sure what to be looking for. This is what the nano /var/log/mesages output looks like:

Code:
Aug  3 15:51:31 qbittorrent openvpn[6056]: WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Aug  3 15:51:31 qbittorrent openvpn[6056]: Current Parameter Settings:
Aug  3 15:51:31 qbittorrent openvpn[6056]:   config = '/usr/local/etc/openvpn/openvpn.conf'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mode = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   show_ciphers = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   show_digests = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   show_engines = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   genkey = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   key_pass_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   show_tls_ciphers = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   connect_retry_max = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]: Connection profiles [0]:
Aug  3 15:51:31 qbittorrent openvpn[6056]:   proto = udp
Aug  3 15:51:31 qbittorrent openvpn[6056]:   local = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   local_port = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote = 'uk-london.privateinternetaccess.com'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_port = '1198'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_float = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   bind_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   bind_local = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   bind_ipv6_only = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   connect_retry_seconds = 5
Aug  3 15:51:31 qbittorrent openvpn[6056]:   connect_timeout = 120
Aug  3 15:51:31 qbittorrent openvpn[6056]:   socks_proxy_server = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   socks_proxy_port = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tun_mtu = 1500
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tun_mtu_defined = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   link_mtu = 1500
Aug  3 15:51:31 qbittorrent openvpn[6056]:   link_mtu_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tun_mtu_extra = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tun_mtu_extra_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mtu_discover_type = -1
Aug  3 15:51:31 qbittorrent openvpn[6056]:   fragment = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mssfix = 1450
Aug  3 15:51:31 qbittorrent openvpn[6056]:   explicit_exit_notification = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]: Connection profiles END
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_random = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ipchange = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   dev = 'tun'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   dev_type = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   dev_node = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   lladdr = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   topology = 1
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_local = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_remote_netmask = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_noexec = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_nowarn = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_local = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_netbits = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_remote = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   shaper = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mtu_test = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mlock = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   keepalive_ping = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   keepalive_timeout = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   inactivity_timeout = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ping_send_timeout = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ping_rec_timeout = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ping_rec_timeout_action = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ping_timer_remote = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remap_sigusr1 = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   persist_tun = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   persist_local_ip = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   persist_remote_ip = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   persist_key = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   passtos = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   resolve_retry_seconds = 1000000000
Aug  3 15:51:31 qbittorrent openvpn[6056]:   resolve_in_advance = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   username = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   groupname = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   chroot_dir = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   cd_dir = '/usr/local/etc/openvpn'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   writepid = '/var/run/openvpn.pid'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   up_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   down_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   down_pre = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   up_restart = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   up_delay = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   daemon = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   inetd = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   log = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   suppress_timestamps = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   machine_readable_output = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   nice = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   verbosity = 5
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mute = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   gremlin = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   status_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   status_file_version = 1
Aug  3 15:51:31 qbittorrent openvpn[6056]:   status_file_update_freq = 60
Aug  3 15:51:31 qbittorrent openvpn[6056]:   occ = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   rcvbuf = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   sndbuf = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   sockflags = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   fast_io = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   comp.alg = 2
Aug  3 15:51:31 qbittorrent openvpn[6056]:   comp.flags = 1
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_default_gateway = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_default_metric = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_noexec = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_delay = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_delay_window = 30
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_delay_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_nopull = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   route_gateway_via_dhcp = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   allow_pull_fqdn = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_addr = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_port = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_user_pass = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_log_history_cache = 250
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_echo_buffer_size = 100
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_write_peer_info_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_client_user = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_client_group = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   management_flags = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   shared_secret_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   key_direction = not set
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ciphername = 'aes-128-cbc'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ncp_enabled = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   authname = 'sha1'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   prng_hash = 'SHA1'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   prng_nonce_secret_len = 16
Aug  3 15:51:31 qbittorrent openvpn[6056]:   keysize = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   engine = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   replay = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   mute_replay_warnings = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   replay_window = 64
Aug  3 15:51:31 qbittorrent openvpn[6056]:   replay_time = 15
Aug  3 15:51:31 qbittorrent openvpn[6056]:   packet_id_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   use_iv = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   test_crypto = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_server = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_client = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   key_method = 2
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ca_file = '/usr/local/etc/openvpn/ca.crt'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ca_path = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   dh_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   cert_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   extra_certs_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   priv_key_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   pkcs12_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   cipher_list = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_cert_profile = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_verify = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_export_cert = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   verify_x509_type = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   verify_x509_name = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   crl_file = '/usr/local/etc/openvpn/crl.pem'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ns_cert_type = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_cert_ku = 65535
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_cert_ku = 0
Aug  3 15:51:31 qbittorrent last message repeated 14 times
Aug  3 15:51:31 qbittorrent openvpn[6056]:   remote_cert_eku = 'TLS Web Server Authentication'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ssl_flags = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_timeout = 2
Aug  3 15:51:31 qbittorrent openvpn[6056]:   renegotiate_bytes = -1
Aug  3 15:51:31 qbittorrent openvpn[6056]:   renegotiate_packets = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   renegotiate_seconds = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   handshake_window = 60
Aug  3 15:51:31 qbittorrent openvpn[6056]:   transition_window = 3600
Aug  3 15:51:31 qbittorrent openvpn[6056]:   single_session = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_peer_info = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_exit = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_auth_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tls_crypt_file = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_network = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_netmask = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_network_ipv6 = ::
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_netbits_ipv6 = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_bridge_ip = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_bridge_netmask = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_bridge_pool_start = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   server_bridge_pool_end = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_start = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_end = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_netmask = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_persist_filename = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_pool_persist_refresh_freq = 600
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_pool_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_pool_base = ::
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ifconfig_ipv6_pool_netbits = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   n_bcast_buf = 256
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tcp_queue_limit = 64
Aug  3 15:51:31 qbittorrent openvpn[6056]:   real_hash_size = 256
Aug  3 15:51:31 qbittorrent openvpn[6056]:   virtual_hash_size = 256
Aug  3 15:51:31 qbittorrent openvpn[6056]:   client_connect_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   learn_address_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   client_disconnect_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   client_config_dir = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   ccd_exclusive = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   tmp_dir = '/tmp'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_local = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_remote_netmask = 0.0.0.0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_ipv6_defined = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_ipv6_local = ::/0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   push_ifconfig_ipv6_remote = ::
Aug  3 15:51:31 qbittorrent openvpn[6056]:   enable_c2c = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   duplicate_cn = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   cf_max = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   cf_per = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   max_clients = 1024
Aug  3 15:51:31 qbittorrent openvpn[6056]:   max_routes_per_client = 256
Aug  3 15:51:31 qbittorrent openvpn[6056]:   auth_user_pass_verify_script = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   auth_user_pass_verify_script_via_file = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   auth_token_generate = DISABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   auth_token_lifetime = 0
Aug  3 15:51:31 qbittorrent openvpn[6056]:   port_share_host = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   port_share_port = '[UNDEF]'
Aug  3 15:51:31 qbittorrent openvpn[6056]:   client = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   pull = ENABLED
Aug  3 15:51:31 qbittorrent openvpn[6056]:   auth_user_pass_file = '/usr/local/etc/openvpn/pass.txt'
Aug  3 15:51:31 qbittorrent openvpn[6056]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul  3 2018
Aug  3 15:51:31 qbittorrent openvpn[6056]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Aug  3 15:51:31 qbittorrent openvpn[6057]: LZO compression initializing
Aug  3 15:51:31 qbittorrent openvpn[6057]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug  3 15:51:31 qbittorrent openvpn[6057]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Aug  3 15:51:31 qbittorrent openvpn[6057]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug  3 15:51:31 qbittorrent openvpn[6057]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug  3 15:51:31 qbittorrent openvpn[6057]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.154.170:1198
Aug  3 15:51:31 qbittorrent openvpn[6057]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Aug  3 15:51:31 qbittorrent openvpn[6057]: UDP link local: (not bound)
Aug  3 15:51:31 qbittorrent openvpn[6057]: UDP link remote: [AF_INET]89.238.154.170:1198
Aug  3 15:51:31 qbittorrent openvpn[6057]: TLS: Initial packet from [AF_INET]89.238.154.170:1198, sid=788075c9 57a2ed15
Aug  3 15:51:31 qbittorrent openvpn[6057]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Aug  3 15:51:31 qbittorrent openvpn[6057]: VERIFY KU OK
Aug  3 15:51:31 qbittorrent openvpn[6057]: Validating certificate extended key usage
Aug  3 15:51:31 qbittorrent openvpn[6057]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  3 15:51:31 qbittorrent openvpn[6057]: VERIFY EKU OK
Aug  3 15:51:31 qbittorrent openvpn[6057]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=85103e266cd284fa574729196f545fd0, name=85103e266cd284fa574729196f545fd0
Aug  3 15:51:31 qbittorrent openvpn[6057]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  3 15:51:31 qbittorrent openvpn[6057]: [85103e266cd284fa574729196f545fd0] Peer Connection Initiated with [AF_INET]89.238.154.170:1198
Aug  3 15:51:32 qbittorrent openvpn[6057]: SENT CONTROL [85103e266cd284fa574729196f545fd0]: 'PUSH_REQUEST' (status=1)
Aug  3 15:51:37 qbittorrent openvpn[6057]: SENT CONTROL [85103e266cd284fa574729196f545fd0]: 'PUSH_REQUEST' (status=1)
Aug  3 15:51:37 qbittorrent openvpn[6057]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.27.10.1,topology net30,ifconfig 10.27.10.6 10.27.10.5,auth-token'
Aug  3 15:51:37 qbittorrent openvpn[6057]: auth-token received, disabling auth-nocache for the authentication token
Aug  3 15:51:37 qbittorrent openvpn[6057]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  3 15:51:37 qbittorrent openvpn[6057]: OPTIONS IMPORT: compression parms modified
Aug  3 15:51:37 qbittorrent openvpn[6057]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  3 15:51:37 qbittorrent openvpn[6057]: OPTIONS IMPORT: route options modified
Aug  3 15:51:37 qbittorrent openvpn[6057]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug  3 15:51:37 qbittorrent openvpn[6057]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:406 ET:0 EL:3 ]
Aug  3 15:51:37 qbittorrent openvpn[6057]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug  3 15:51:37 qbittorrent openvpn[6057]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug  3 15:51:37 qbittorrent openvpn[6057]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug  3 15:51:37 qbittorrent openvpn[6057]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug  3 15:51:37 qbittorrent openvpn[6057]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:5b:ca:e6
Aug  3 15:51:37 qbittorrent openvpn[6057]: Cannot allocate TUN/TAP dev dynamically
Aug  3 15:51:37 qbittorrent openvpn[6057]: Exiting due to fatal error
 
Last edited:

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
Restart your freenas box. Enter jail and see if openvpn still created 256 tun devices. There should be only one named tun0

Edit : Also you are missing a ' when you posted your devfs rule.
 
Last edited:

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
Yeah the 256 tun device problem happens EVERY time I reset host/freenas box, but disappears and leaves me with a single one named 'tun256' device when I reset jail.
Thanks for noticing typo...unfortunately just a forum typo (wish it was that simple to fix).

I'm wondering if this openvpn bug arrises because the iocage jail is using a new 11.2 release. I might try a fresh 11.1 iocage and see if the problem persists.
 
Last edited:

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
You could try creating the tun device manually and change the config file to use that interface ('dev tunX' instead of 'dev tun' in the ovpn config file)
 

alantagne

Cadet
Joined
Aug 6, 2018
Messages
1
I have the same configuration and the very same problem . Followed the same guide. Running Freenas 11.1-U5, iocage jail is running Freenas 11.1-RELEASE.

Did you resolve the problem?
 

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
Still no luck.

I did try creating a 11.1 iocage and 11.0 iocage and installed to no avail, same issue each time.
I believe I did try making a manual tun device, but the following issues make it tricky and completely useless as a long term solution. There are (0-255) tun devices already, this issue causes me to make it named 'tun256', it is then renamed to 'tun257' on jail restart, thus making it inconststant with the config file.

Im away from home at the moment, so cant be specific on the details, but I will double check and create a manual tun when i get back at the weekend. I dont suppose anyone/lopr can post any commands needed to create a manual tun interface incase I screwed it up or left anything out the first time?
 

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
just ifconfig tun create
but maybe try to disable openvpn on startup and start it manually to see whats going on?

also I am posting my jailconfig, maybe I have some settings that I added for other purposes initially but are vital?
Code:
root@host:~ # iocage get all openvpn
CONFIG_VERSION:11
allow_chflags:0
allow_mount:0
allow_mount_devfs:1
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:1
available:readonly
basejail:no
boot:eek:ff
bpf:no
children_max:0
cloned_release:11.1-RELEASE-p6
comment:none
compression:lz4
compressratio:readonly
coredumpsize:eek:ff
count:1
cpuset:eek:ff
cputime:eek:ff
datasize:eek:ff
dedup:eek:ff
defaultrouter:192.168.1.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:eek:ff
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:eek:penvpn
host_hostuuid:eek:penvpn
host_time:yes
hostid:e2900934-1514-11e5-861a-d050995176b8
hostid_strict_check:eek:ff
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|192.168.1.111/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:eek:ff
jail_zfs_dataset:iocage/jails/openvpn/data
jail_zfs_mountpoint:none
last_started:2018-08-02 16:24:42
login_flags:-f root
mac_prefix:02ff60
maxproc:eek:ff
memorylocked:eek:ff
memoryuse:eek:ff
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:eek:ff
msgqsize:eek:ff
nmsgq:eek:ff
notes:none
nsemop:eek:ff
nshm:eek:ff
nthr:eek:ff
openfiles:eek:ff
origin:readonly
owner:root
pcpu:eek:ff
priority:99
pseudoterminals:eek:ff
quota:none
release:11.1-RELEASE-p6
reservation:none
resolver:/etc/resolv.conf
rlimits:eek:ff
securelevel:2
shmsize:eek:ff
stacksize:eek:ff
state:up
stop_timeout:30
swapuse:eek:ff
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:eek:ff
vnet:eek:n
vnet0_mac:02ff60363831,02ff60363832
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_interfaces:none
wallclock:eek:ff
 

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
MANUAL TUN0

I tried again creating a tun interface manually, each time renaming the interface with ifconfig tun256 name tun0 to reset the name.... openvpn seems to ignore it and still get the error. On restart I get a single one with the inceremented number... as if the were still 256 of them and is why I rename it.

MANUAL TUN256

I have since tried making a manual tun device and leaving the default name 'tun256' and renaming the 'openvpn.conf' file to include dev tun256, although I'm not sure this is the right way to specifiy an interface. The message logs now have this:

Code:
Aug 19 09:40:02 qbittorrent openvpn[85022]: TUN/TAP device tun256 exists previously, keep at program end
Aug 19 09:40:02 qbittorrent openvpn[85022]: Cannot open TUN/TAP dev /dev/tun256: No such file or directory (errno=2)
Aug 19 09:40:02 qbittorrent openvpn[85022]: Exiting due to fatal error


This first error log makes me think a manual tun device will never work with openvpn.
I also think the custom tun interface is incorrectly creating a directory, (I believe for drivers) because whenever I customize the 'conf' and add a custom number to identify the tun it returns with the second error.

JAIL CONFIG

I compared the config you provided, it looks almost identical, I changed the few settings that where diferent with no success. There must be something different that we have done, but I'm at a loss....I have no idea where to continue.
 
Last edited:

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
UPDATE
I have been investigating many settings for the jail and then tried a few things and then noticed something that worked briefly, although incredibly sketchy way of getting it to work, and with one major issue, I cannot connect externally to the internet.

1. Restarted Jail - In order to remove 256 tun devices,
2. ifconfig tun256 name tun0 - to rename the automatically generated tun device by openvpn on jail initialization.
3. service openvpn start - Restart openvpn which then successfully uses the correct tun device 'tun0' and initializes.

Code:
Aug 24 12:49:47 qbittorrent openvpn[14705]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul  3 2018
Aug 24 12:49:47 qbittorrent openvpn[14705]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Aug 24 12:49:47 qbittorrent openvpn[14706]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug 24 12:49:47 qbittorrent openvpn[14706]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Aug 24 12:49:47 qbittorrent openvpn[14706]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 24 12:49:47 qbittorrent openvpn[14706]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 24 12:49:47 qbittorrent openvpn[14706]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.154.23:1198
Aug 24 12:49:47 qbittorrent openvpn[14706]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Aug 24 12:49:47 qbittorrent openvpn[14706]: UDP link local: (not bound)
Aug 24 12:49:47 qbittorrent openvpn[14706]: UDP link remote: [AF_INET]89.238.154.23:1198
Aug 24 12:49:47 qbittorrent openvpn[14706]: TLS: Initial packet from [AF_INET]89.238.154.23:1198, sid=48369a80 a84b530e
Aug 24 12:49:47 qbittorrent openvpn[14706]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Aug 24 12:49:47 qbittorrent openvpn[14706]: VERIFY KU OK
Aug 24 12:49:47 qbittorrent openvpn[14706]: Validating certificate extended key usage
Aug 24 12:49:47 qbittorrent openvpn[14706]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 24 12:49:47 qbittorrent openvpn[14706]: VERIFY EKU OK
Aug 24 12:49:47 qbittorrent openvpn[14706]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=ef1e353e4bca0a9ce87a3406c76e390c, name=ef1e353e4bca0a9ce87a3406c76e390c
Aug 24 12:49:47 qbittorrent openvpn[14706]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug 24 12:49:47 qbittorrent openvpn[14706]: [ef1e353e4bca0a9ce87a3406c76e390c] Peer Connection Initiated with [AF_INET]89.238.154.23:1198
Aug 24 12:49:49 qbittorrent openvpn[14706]: SENT CONTROL [ef1e353e4bca0a9ce87a3406c76e390c]: 'PUSH_REQUEST' (status=1)
Aug 24 12:49:49 qbittorrent openvpn[14706]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.35.10.1,topology net30,ifconfig 10.35.10.6 10.35.10.5,auth-token'
Aug 24 12:49:49 qbittorrent openvpn[14706]: auth-token received, disabling auth-nocache for the authentication token
Aug 24 12:49:49 qbittorrent openvpn[14706]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 24 12:49:49 qbittorrent openvpn[14706]: OPTIONS IMPORT: compression parms modified
Aug 24 12:49:49 qbittorrent openvpn[14706]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 24 12:49:49 qbittorrent openvpn[14706]: OPTIONS IMPORT: route options modified
Aug 24 12:49:49 qbittorrent openvpn[14706]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 24 12:49:49 qbittorrent openvpn[14706]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:406 ET:0 EL:3 ]
Aug 24 12:49:49 qbittorrent openvpn[14706]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 24 12:49:49 qbittorrent openvpn[14706]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 24 12:49:49 qbittorrent openvpn[14706]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 24 12:49:49 qbittorrent openvpn[14706]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 24 12:49:49 qbittorrent openvpn[14706]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:5b:ca:e6
Aug 24 12:49:49 qbittorrent openvpn[14706]: TUN/TAP device /dev/tun0 opened
Aug 24 12:49:49 qbittorrent openvpn[14706]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 24 12:49:49 qbittorrent openvpn[14706]: /sbin/ifconfig tun0 10.35.10.6 10.35.10.5 mtu 1500 netmask 255.255.255.255 up
Aug 24 12:49:49 qbittorrent openvpn[14706]: /sbin/route add -net 89.238.154.23 192.168.1.1 255.255.255.255
Aug 24 12:49:49 qbittorrent openvpn[14706]: /sbin/route add -net 0.0.0.0 10.35.10.5 128.0.0.0
Aug 24 12:49:49 qbittorrent openvpn[14706]: /sbin/route add -net 128.0.0.0 10.35.10.5 128.0.0.0
Aug 24 12:49:49 qbittorrent openvpn[14706]: /sbin/route add -net 10.35.10.1 10.35.10.5 255.255.255.255
Aug 24 12:49:49 qbittorrent openvpn[14706]: Initialization Sequence Completed


As soon as a start the service I dont have access to the outside world.

Code:
root@qbittorrent:~ # ping google.com
PING google.com (216.58.210.46): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- google.com ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss



4. service openvpn stop - As soons as I end the service I can access everything again. This also removes the tun interface.

Code:
root@qbittorrent:~ # ping google.com
PING google.com (216.58.204.14): 56 data bytes
64 bytes from 216.58.204.14: icmp_seq=0 ttl=54 time=11.855 ms
64 bytes from 216.58.204.14: icmp_seq=1 ttl=54 time=11.791 ms
64 bytes from 216.58.204.14: icmp_seq=2 ttl=54 time=11.952 ms
64 bytes from 216.58.204.14: icmp_seq=3 ttl=54 time=11.642 ms
64 bytes from 216.58.204.14: icmp_seq=4 ttl=54 time=11.804 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.642/11.809/11.952/0.101 ms


5. service openvpn start - When I start the service again, it seems unable to initilise with a different error, no tun interface is created.

Code:
Aug 24 13:21:21 qbittorrent openvpn[18706]: TUN/TAP device /dev/tun0 opened
Aug 24 13:21:21 qbittorrent openvpn[18706]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 24 13:21:21 qbittorrent openvpn[18706]: /sbin/ifconfig tun0 10.84.10.6 10.84.10.5 mtu 1500 netmask 255.255.255.255 up
Aug 24 13:21:21 qbittorrent openvpn[18706]: FreeBSD ifconfig failed: external program exited with error status: 1
Aug 24 13:21:21 qbittorrent openvpn[18706]: Exiting due to fatal error


This is the only way I prevent a 'Cannot allocate TUN/TAP dev dynamically' error...
Anyone got ideas whats going on?
 
Last edited:

linit

Cadet
Joined
Aug 25, 2018
Messages
9
I am getting a similar issue but after restarting jail I see no tun interfaces and cannot create any
# ifconfig tun256 name tun0
ifconfig: interface tun256 does not exist

I see no tun interfaces with ifconfig and cannot create any new ones without getting the error above.
I was also seeing the same error "Brownz" sees with the dynamic issue when I did have all the 256 tun interfaces before.

I hope more eyes on this will find the issue, this was working for me too in 11.2
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
I never had this problem with FreeNAS 11.2 BETA 2. I just updated to BETA 3 because I needed other bugs fixed, and now I suffer from this one... I tried the pre-init trick but it didn't work. I have the same logs :
Code:
Tue Sep 11 03:08:03 2018 TUN/TAP device tun0 exists previously, keep at program end
Tue Sep 11 03:08:03 2018 Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
Tue Sep 11 03:08:03 2018 Exiting due to fatal error

The tun interface exists both for the host and the jail :
Code:
# ifconfig
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=1<PERFORMNUD>
	groups: tun

Code:
# ll /dev/tun*
crw-------  1 uucp  dialer  0xfa Sep 11 03:01 /dev/tun0

Any more ideas on how to solve this ?
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
Update : By manually creating a tun device from the jail with ifconfig tun create and editing my OpenVPN config to use that newly created interface (e.g. : dev tun4), it works. But it simply doesn't want to use the one that was automatically created beforehand. This trick may be useful to fix the jail(s) after initial boot, but this isn't a long term solution since after every reboot it'll break.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
I'm experiencing the same behaviour. After a reboot + OpenVPN jail autostart ifconfig returns tun0 through tun255. Stopping and restarting the jail ifconfig only lists tun0, but ifconfig tun create then adds a tun257 device to the list.
 

esolma

Cadet
Joined
Sep 17, 2018
Messages
3
Hi guys,

I got exactely yhe same problem :
Code:
Cannot allocate TUN/TAP dev dynamically


I create a tun device manually on the host because on the jail i don't have a permission :
Code:
ifconfig: SIOCIFCREATE2: Operation not permitted


but I got another issue when i try to start vpn :
Code:
Wed Sep 19 16:57:21 2018 TUN/TAP device /dev/tun0 opened
Wed Sep 19 16:57:21 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Wed Sep 19 16:57:21 2018 /sbin/ifconfig tun0 100.120.40.176 100.120.40.1 mtu 1500 netmask 255.255.255.0 up
ifconfig: ioctl SIOCSIFMTU (set mtu): Operation not permitted
Wed Sep 19 16:57:21 2018 FreeBSD ifconfig failed: external program exited with error status: 1
Wed Sep 19 16:57:21 2018 Exiting due to fatal error


I'm missing something ?


Thank you
 

leafyeh7

Cadet
Joined
Aug 28, 2018
Messages
5
I encountered the same issue running version 11.2-BETA3.

The issue has been reported at https://redmine.ixsystems.com/issues/45919, but was closed (set to private) due to "sensitive information".

My temporary solution is to disable 'auto-start' of the transmission jail, reboot freenas (to get rid of tun0-tun255), and then run
Code:
devfs rule -s 4 add path 'tun*' unhide
in shell before starting the transmission jail.

I am relatively new to Freenas and unix-like systems, below are a few simple tests I did with transmission jail auto-start disabled.

Preinit script enabled, freenas reboot, start transmission jail manually >> Fail
Preinit script disabled, run the devfs command after freenas rebooted, start transmission jail manually >> Success
Preinit script enabled, run the devfs command after freenas rebooted, start transmission jail manually >> Success

This leads me to the conclusion that for whatever reasons, the devfs script does not work as intended.

I also tried to sneak in the devfs command in the start_precmd (assuming these are the commands executed before jail start) function under /mnt/iocage/jails/transmission/root/usr/local/etc/rc.d/transmission, but it does not solve the problem.

Maybe some experienced users can show us how to properly run the devfs command before transmission jail start.

Edit:
Can confirm that the preinit devfs is not run properly. Here's what I have when I enabled the preinit script, then use "devfs rule -s 4 show" to see what's under ruleset #4.

100 include 1
200 include 2
300 include 3
400 path zfs unhide


Here's what it looks like after running the devfs command unhiding tun* after system rebooted.

100 include 1
200 include 2
300 include 3
400 path zfs unhide
500 path tun* unhide


Edit 2: wording
 
Last edited:

KenNashua

Explorer
Joined
Feb 24, 2012
Messages
62
I encountered the same issue running version 11.2-BETA3.

Edit:
Can confirm that the preinit devfs is not run properly. Here's what I have when I enabled the preinit script, then use "devfs rule -s 4 show" to see what's under ruleset #4.

100 include 1
200 include 2
300 include 3
400 path zfs unhide

Has anyone figured out a workaround for this?
 

Brownz

Dabbler
Joined
Sep 5, 2017
Messages
23
Well thanks for all the help, I feel stupid not trying this sooner.
Strange I got this issue during 11.2-BETA2 when everyone was fine.
At least manually setting the devfs rules can be used as a workaround untill they fix.
 
Last edited:

linit

Cadet
Joined
Aug 25, 2018
Messages
9
I am seeing the same issue, even with jails that were working just fine and have made no changes. I tried what Leafyah7 suggested (thanks for that) however my openvpn still gets the dynamic tun cannot be created issue. 11.2 is being a pain so far :(
 
Top