openvpn tun/tap dev problem

I am trying to connect to a VPN using OpenVPN on FreeBSD on a Raspberry Pi.

I run the command:
Code:
$ openvpn vpn_server.ovpn
It prompts for the username and password and looks like it is connecting, but then gives an error (even if I try another vpn_server.ovpn file that I know is working, since I am using it on another computer).
The error:
Code:
Sun Jun 28 21:02:12 2020 us=747373 Cannot allocate TUN/TAP dev dynamically
Sun Jun 28 21:02:12 2020 us=747428 Exiting due to fatal error
I am still a newbie when it comes to FreeBSD, but does this have something to do with the device drivers for tun and tap? How do I fix this problem?

Thanks for any help.
 
By default, OpenVPN runs as root. Here is what I think you should consider as a kluge. I don't use openvpn any more, thus you have to do your own research to find out how to run openvpn as a normal user.

Create a file, to store username and password
vpn_server.dat
Code:
username
password

There's going to be some warning; suppress it by adding --mute-replay-warnings. (Research the origin of this warning on your own time.)
Run openvpn as root/sudo:

sudo openvpn --mute-replay-warnings --config ./vpn_server.ovpn --auth-user-pass ./vpn_server.dat
 
You need to create a cloned interface tun0 and set up an IP address (ifconfig_tun0) in rc.conf. The IP address will act as a gateway when the VPN network exists.
Your devfs.rules needs to contain:
Code:
add path tun0 unhide
add path tun1 unhide
It's important you create a new rule [number] in there.
There are a few other things to consider - pf rules
 
I tried
Code:
# kldload if_tun
but tun was already loaded


then I added
Code:
dev tun0
to the openvpn_server.ovpn file


then
Code:
# ifconfig tun create


This gave a new error:
Code:
Mon Jun 29 14:45:24 2020 us=383329 TUN/TAP device tun0 exists previously, keep at program end
Mon Jun 29 14:45:24 2020 us=383549 Cannot open TUN/TAP dev /dev/tun0: Permission denied (errno=13)
Mon Jun 29 14:45:24 2020 us=383593 Exiting due to fatal error


then ran
Code:
$ sudo openvpn openvpn_server.ovpn


And it finally works!
But I don't want it running under sudo, right? That isn't safe?
How can I make this safer, or does it need to be? Can I just create a new user and make a special group for openvpn etc? I'm still learning FreeBSD so I would like to avoid fiddling with jails and pf for now.
 
It's supposed to run as root. Use service openvpn start.
 
For increased security, deploy it into a jail.

I do plan on doing this eventually. I am about halfway through the book Absolute FreeBSD 3rd Edition, but the stuff about jails is towards the back. Right now I just want to get everything working before I try securing it.
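
The two fatal errors and the "exists previously" notice quoted in this thread can be told apart mechanically. The script below is an added example, not part of any post: the function names, result codes and advice strings are assumptions of the example, and the sample log is copied from the posts above.

```shell
#!/bin/sh
# Triage OpenVPN log lines for the TUN/TAP messages quoted in this thread.
# Reads a log on stdin and prints one "CODE<TAB>detail" line per recognised event.

triage_openvpn_log() {
    while IFS= read -r line; do
        case $line in
        *"Cannot allocate TUN/TAP dev dynamically"*)
            # No "dev tunN" was pinned and none of the device nodes could be opened.
            printf 'NO_DEVICE\tno tun/tap node could be opened; check privileges and that if_tun is loaded\n'
            ;;
        *"Cannot open TUN/TAP dev "*)
            # Extract the device path and the errno from the message text.
            dev=${line#*"Cannot open TUN/TAP dev "}
            dev=${dev%%:*}
            errno=unknown
            case $line in
            *"(errno="*) errno=${line##*"(errno="}; errno=${errno%%")"*} ;;
            esac
            if [ "$errno" = 13 ]; then
                printf 'EACCES\t%s exists but this user may not open it; start openvpn as root\n' "$dev"
            else
                printf 'OPEN_FAILED\t%s errno=%s\n' "$dev" "$errno"
            fi
            ;;
        *"TUN/TAP device "*" exists previously"*)
            # Informational: the interface was created before OpenVPN started.
            dev=${line#*"TUN/TAP device "}
            dev=${dev%% *}
            printf 'PRECREATED\t%s was created before startup and will be left in place\n' "$dev"
            ;;
        esac
    done
}

# Log lines copied from the posts in this thread.
sample_log() {
    cat <<'EOF'
Sun Jun 28 21:02:12 2020 us=747373 Cannot allocate TUN/TAP dev dynamically
Sun Jun 28 21:02:12 2020 us=747428 Exiting due to fatal error
Mon Jun 29 14:45:24 2020 us=383329 TUN/TAP device tun0 exists previously, keep at program end
Mon Jun 29 14:45:24 2020 us=383549 Cannot open TUN/TAP dev /dev/tun0: Permission denied (errno=13)
Mon Jun 29 14:45:24 2020 us=383593 Exiting due to fatal error
EOF
}

sample_log | triage_openvpn_log
```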
 