[SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

Burner · 2024-11-10 13:19:18

Hi,
I am running an OpenVPN server via Docker since some years. It worked so far since yesterday. I did not change the OpenVPN settings or the docker setup. But I think I updated and rebooted the system (pacman -Syu).
Since this I am getting the following message when starting up the docker container:

2024-11-10 13:45:20 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

My docker container is setup via a docker compose file with the following entry:

 openvpn:
    image: martin/openvpn
    restart: always
    cap_add:
     - NET_ADMIN
    ports:
     - "1195:1194/udp"
    volumes:
     - ${LOCAL_OPENVPN}/data:/etc/openvpn
     - ${LOCAL_OPENVPN}/openvpn.conf:/etc/openvpn/openvpn.conf
     - /etc/localtime:/etc/localtime:ro

So far I have found as a solution to restart the machine which did not help. I have checked if the tun module is enabled and loaded in the kernel, via:

lsmod | grep tun

which returns

tun                    69632  0

So I assume everthing is in order, isn't it? As far as I understood the setting cap_add with NET_ADMIN should enable the docker container to get the correct priviliges.

Any suggestions are appreciated, thank you!

Last edited by Burner (2024-11-12 09:24:47)

-thc · 2024-11-10 15:04:51

Burner wrote:

But I think I updated and rebooted the system (pacman -Syu).

Make sure your running kernel matches the version under "/lib/modules" (missing reboot).

cat /proc/version
ls -l /lib/modules

Burner · 2024-11-10 22:01:25

Seems to be matching:

cat /proc/version
Linux version 6.6.60-1-lts (linux-lts@archlinux) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Fri, 08 Nov 2024 16:03:02 +0000

ls -l /lib/modules
drwxr-xr-x 3 root root 4096  9. Nov 22:16 6.6.60-1-lts
drwxr-xr-x 3 root root 4096  2. Nov 18:52 6.11.6-arch1-1

Forgot to tell that I already checked prior via:

uname -a
Linux james 6.6.60-1-lts #1 SMP PREEMPT_DYNAMIC Fri, 08 Nov 2024 16:03:02 +0000 x86_64 GNU/Linux

pacman -Q linux linux-lts
linux 6.11.6.arch1-1
linux-lts 6.6.60-1

gid10t · 2024-11-11 04:56:34

It's a permission issue. Try adding privileged: true to your compose file. Edit below.

 openvpn:
    image: martin/openvpn
    privileged: true
    restart: always
    cap_add:
     - NET_ADMIN
    ports:
     - "1195:1194/udp"
    volumes:
     - ${LOCAL_OPENVPN}/data:/etc/openvpn
     - ${LOCAL_OPENVPN}/openvpn.conf:/etc/openvpn/openvpn.conf
     - /etc/localtime:/etc/localtime:ro

Burner · 2024-11-11 10:10:22

Thanks gid10t, adding "priviliged: true" gets the container running and my VPN working again!

Do you have any idea why this setting is necessary now but was not like a week ago? As I understood this setting will allow my container more than just connect to the TUN module (like access to all my devices, I found in a quick search). I assume this is a potential security risk?

gid10t · 2024-11-11 15:24:14

Burner wrote:

Do you have any idea why this setting is necessary now but was not like a week ago? As I understood this setting will allow my container more than just connect to the TUN module (like access to all my devices, I found in a quick search). I assume this is a potential security risk?

Unsure on what changed but I encountered this very recently after an update as well. After verifying permissions on the docker container and various other troubleshooting, the privileged setting resolved my issue.

Disclaimer:
It does grant the docker container rights outside the scope of what you need in your use case. I would worry about this less as a remote exploit (though still possible) and one more tangible on a shared workstation. If you have a user that doesn't have root access but uses a container with those settings, it could be abused. That being said, always be cautious using compose files you didn't write yourself or from sources you can't verify.

Burner · 2024-11-12 09:23:23

Marking the thread as resolved.

If someone finds this thread and knows what changed to make the privileged setting necessary please leave an explanation.

Thanks!

Asuranceturix · 2024-11-13 16:44:05

There's no need to go that far: it works for me without the privileged setting if I pass the /dev/net/tun device from the host. However, it's a mystery to me as well, because it used to work fine for me too without passing this device, just creating it inside the container with mknod, and now it does not.

Burner · 2024-11-13 22:05:38

Asuranceturix can you post how to pass the tun device into the docker container?

I would like to apply this method to avoid using the privileged setting.

minh2134 · 2024-11-14 07:55:11

Burner wrote:

Asuranceturix can you post how to pass the tun device into the docker container?

I would like to apply this method to avoid using the privileged setting.

Assuming you are using docker compose, add this to your compose.yml:

services:
  your-container:
    ...
    devices:
      - /dev/net/tun
    ...

Arch Linux

#1 2024-11-10 13:19:18

[SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#2 2024-11-10 15:04:51

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#3 2024-11-10 22:01:25

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#4 2024-11-11 04:56:34

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#5 2024-11-11 10:10:22

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#6 2024-11-11 15:24:14

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#7 2024-11-12 09:23:23

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#8 2024-11-13 16:44:05

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#9 2024-11-13 22:05:38

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

#10 2024-11-14 07:55:11

Re: [SOLVED] OpenVPN server (Docker) fails to start up due to TUN error

Board footer