You are not logged in.

#1 2020-01-04 12:13:30

gr211
Member
Registered: 2020-01-04
Posts: 5

nm-openvpn ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted

Hello

When the VPN is up using NetworkManager, this happens intermittently

Jan 03 17:42:27 chillblast nm-openvpn[3904559]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jan 03 17:42:27 chillblast NetworkManager[1139]: <info>  [1578073347.7732] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Jan 03 17:42:27 chillblast NetworkManager[1139]: <info>  [1578073347.7790] manager: NetworkManager state is now CONNECTED_SITE
Jan 03 17:42:28 chillblast nm-openvpn[3904559]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Jan 03 17:42:28 chillblast nm-openvpn[3904559]: Exiting due to fatal error
Jan 03 17:42:28 chillblast NetworkManager[1139]: <warn>  [1578073348.7903] vpn-connection[0x55f332138120,9dc7bcac-3e5b-4ba0-aa91-6d7f9143e841,"aaa.com",28:(tun0)]: VPN plugin: failed: connect-failed (1)
Jan 03 17:42:28 chillblast NetworkManager[1139]: <info>  [1578073348.7904] vpn-connection[0x55f332138120,9dc7bcac-3e5b-4ba0-aa91-6d7f9143e841,"aaa.com",28:(tun0)]: VPN plugin: state changed: stopping (5)
Jan 03 17:42:28 chillblast NetworkManager[1139]: <info>  [1578073348.7904] vpn-connection[0x55f332138120,9dc7bcac-3e5b-4ba0-aa91-6d7f9143e841,"aaa.com",28:(tun0)]: VPN plugin: state changed: stopped (6)

This is preventing the ping-restart directive to function as expecting (ie. it does see it's down, but it's powerless to re-created the vpn tunnel).

I found a suggestion to create the tun0 (or whatever name your heart fancies) statically first specifically for the nm-openvpn user, ie:

sudo ip tuntap add tun0 mode tun user nm-openvpn

It's not been up for not too long yet, 24h or so but sure it seems the vpn is staying up. 

I therefore added (locally) a systemd unit to do just that:

cat /usr/lib/systemd/system/nm-openvn@.service 
[Unit]
Description=Creates tun %i interface statically
Requires=network.target
After=network.target

[Service]
Type=oneshot
ExecStart=ip tuntap add %i mode tun user nm-openvpn
ExecStop=ip tuntap delete %i mode tun
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

and then

sudo systemctl start nm-openvn@tun0

and in the VPN NetworkManager settings:

Set virtual device type -> tun -> tun0
Specify exit or restart ping -> ping-restart -> 30

And it appears to be ok.

So the questions are:

  • is someone more expert would have an educated opinion on the security aspects of statically creating tun interfaces (with that in mind this is intended for personal desktop usage).

  • anyone sees anything wrong with the Unit itself ?

  • I'd be more than happy to create an aur pkg for this if someone other than me would find this solution interesting ?

I should also add I did try creating the tun0 interface via https://wiki.archlinux.org/index.php/VP … d-networkd but to no avail.

Last edited by gr211 (2020-01-05 00:04:17)

Offline

#2 2020-01-05 13:04:27

gr211
Member
Registered: 2020-01-04
Posts: 5

Re: nm-openvpn ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted

Correction

Actually creating tun0 via systemd is working, ie

cat /etc/systemd/network/90-tun0.netdev 
[NetDev]
Name=tun0
Kind=tun

[Tun]
Group=nm-openvpn
User=nm-openvpn

And then

sudo systemctl restart systemd-networkd

ip tuntap list
tun0: tun one_queue persist user 976 group 976

Note: one_queue is added with the vpn tunnel coming up

The rest is the same, telling NM to specifically use that tun0 interface in the advance config settings for the VPN connection.

Last edited by gr211 (2020-01-05 13:05:09)

Offline

Board footer

Powered by FluxBB