# openvpn tun/tap dev problem



## LSD (Jun 28, 2020)

I am trying to connect to a VPN using OpenVPN on FreeBSD on a Raspberry Pi.

I run the command:

```
$ openvpn vpn_server.ovpn
```
It prompts for the username and password and looks like it is connecting, but then gives an error (even if I try another vpn_server.ovpn file that I know is working, since I am using it on another computer).

The error:

```
Sun Jun 28 21:02:12 2020 us=747373 Cannot allocate TUN/TAP dev dynamically
Sun Jun 28 21:02:12 2020 us=747428 Exiting due to fatal error
```
I am still a newbie when it comes to FreeBSD, but does this have something to do with the device drivers for tun and tap?  How do I fix this problem?

Thanks for any help.


----------



## a6h (Jun 28, 2020)

By default, OpenVPN runs as root. Here is what I think you should consider as a kluge. I don't use openvpn any more, thus you have to do your own research to find out how to run openvpn as a normal user.

Create a file to store the username and password, `vpn_server.dat`:

```
username
password
```

There's going to be some warning; suppress it by adding `--mute-replay-warnings`. (Research the origin of this warning on your own time.)

Run openvpn as root/sudo:

`sudo openvpn --mute-replay-warnings --config ./vpn_server.ovpn --auth-user-pass ./vpn_server.dat`


----------



## Lamia (Jun 29, 2020)

You need to create a cloned interface tun0 and set up an IP address (ifconfig_tun0) in rc.conf. The IP address will act as a gateway when the VPN network exists.

Your devfs.rules needs to contain:

```
add path tun0 unhide
add path tun1 unhide
```
It's important you create a new rule [number] in there.
There are a few other things to consider - pf rules


----------



## LSD (Jun 29, 2020)

I tried

```
# kldload if_tun
```
but tun was already loaded


then I added

```
dev tun0
```
to the openvpn_server.ovpn file


then

```
# ifconfig tun create
```


This gave a new error:

```
Mon Jun 29 14:45:24 2020 us=383329 TUN/TAP device tun0 exists previously, keep at program end
Mon Jun 29 14:45:24 2020 us=383549 Cannot open TUN/TAP dev /dev/tun0: Permission denied (errno=13)
Mon Jun 29 14:45:24 2020 us=383593 Exiting due to fatal error
```


then ran

```
$ sudo openvpn openvpn_server.ovpn
```


And it finally works!
But I don't want it running under sudo, right?  That isn't safe?
How can I make this safer, or does it need to be?  Can I just create a new user and make a special group for openvpn etc?  I'm still learning FreeBSD so I would like to avoid fiddling with jails and pf for now.


----------
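
As an added example (not part of any post in this thread): a small POSIX sh preflight for the two things discussed so far, the plaintext `vpn_server.dat` credentials file and access to the `/dev/tun0` node. The function names and return codes are this example's own; the two-line file layout is the one shown in a6h's post.

```shell
#!/bin/sh
# Added example, not from the thread. File and device names come from the
# posts; function names and return codes are assumptions of this example.

# check_credfile FILE
#   0 = regular file, owner-only permissions, exactly two non-empty lines
#   1 = group or others have some access to the file
#   2 = missing, or not the two-line username/password layout
check_credfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    # The first 10 characters of ls -l are the type and permission bits.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        -???------) ;;                  # nothing set for group or others
        *) echo "$f: mode $mode, run: chmod 600 $f" >&2; return 1 ;;
    esac
    # Count non-empty lines without printing the secret itself.
    n=$(awk 'NF { n++ } END { print n + 0 }' "$f")
    [ "$n" -eq 2 ] || { echo "$f: expected 2 lines, found $n" >&2; return 2; }
    return 0
}

# check_tun_access NODE
#   0 = node exists and the current user may read and write it
#   1 = node exists but access would be refused (the errno=13 case)
#   2 = node does not exist
check_tun_access() {
    node=$1
    [ -e "$node" ] || { echo "$node: no such device node" >&2; return 2; }
    if [ -r "$node" ] && [ -w "$node" ]; then
        return 0
    fi
    echo "$node: uid $(id -u) lacks read/write access" >&2
    return 1
}

# Run both checks when called as: sh preflight.sh ./vpn_server.dat /dev/tun0
if [ "$#" -eq 2 ]; then
    rc=0
    check_credfile "$1" || rc=1
    check_tun_access "$2" || rc=1
    exit "$rc"
fi
```

Run as the same user that will start openvpn, since `check_tun_access` reports access for the current uid only.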



## SirDice (Jun 29, 2020)

It's supposed to run as root. Use `service openvpn start`.


----------



## Lamia (Jun 29, 2020)

For increased security, deploy it into a jail.


----------



## VladiBG (Jun 29, 2020)

Lamia said:


> For increased security, deploy it into a jail.


For max security turn off the power and remove the power plug.


----------



## Lamia (Jun 29, 2020)

VladiBG said:


> For max security turn off the power and remove the power plug.


And for absolute security, let go of all your electronics and return to the stone age.

Caveman!


----------



## LSD (Jun 29, 2020)

Lamia said:


> For increased security, deploy it into a jail.



I do plan on doing this eventually.  I am about halfway through the book Absolute FreeBSD 3rd Edition, but the stuff about jails is towards the back.  Right now I just want to get everything working before I try securing it.


----------

