# OpenVPN 'Operation not permitted' when destroying tun device



## mumu (Aug 1, 2021)

Hi, I'm seeing this in my openvpn logs. First some info:

OS: FreeBSD 13.0-RELEASE amd64
OpenVPN: 2.5.3 (installed via ports)

Output from the log:


```
2021-08-02 05:30:31 event_wait : Interrupted system call (code=4)
2021-08-02 05:30:33 Closing TUN/TAP interface
2021-08-02 05:30:33 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
2021-08-02 05:30:33 FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
2021-08-02 05:30:33 SIGTERM[hard,] received, process exiting
```

Is this normal?


----------



## fbsd_ (Aug 2, 2021)

Try it with root.
If you don't set a root account while installing FreeBSD, you can install sudo or add the user to the wheel group by going to recovery and mounting the root fs.


----------



## mumu (Aug 2, 2021)

fbsd_ said:


> If you don't set a root account while installing FreeBSD, you can install sudo or add the user to the wheel group by going to recovery and mounting the root fs.


The error I got was when I ran `/usr/local/etc/rc.d/openvpn restart` as user root.


----------



## SirDice (Aug 2, 2021)

Are you running OpenVPN in a jail perhaps?


----------



## mumu (Aug 2, 2021)

SirDice said:


> Are you running OpenVPN in a jail perhaps?


Nope.


----------



## SirDice (Aug 2, 2021)

Can you post your openvpn.conf? (Make sure to remove any identifying addresses or accounts).


----------



## covacat (Aug 2, 2021)

It's probably the expected behaviour if you run it as a non-privileged user; once it does its init stuff it switches to openvpn/nobody/whatever.


----------



## mumu (Aug 2, 2021)

covacat said:


> It's probably the expected behaviour if you run it as a non-privileged user; once it does its init stuff it switches to openvpn/nobody/whatever.


It's probably this. I have it running as `nobody:nobody`.


----------



## jamie (Aug 2, 2021)

Yep, it's expected behaviour.

As you say, it drops privs once the network is configured.

To "Mumu", you can use the "persist-tun" option so that openvpn can recover from a restart caused by SIGUSR1 or a network interruption by never trying to close/open the tunnel.

You can also configure it to not attempt to destroy the interface on exit - that will stop the error message, but it's in itself harmless.

All this info is in "man openvpn".

Personally, I run openvpn entirely from a non-privileged user right from the start, but allow it to use a privileged wrapper to alter the network settings.


----------
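
The situation the thread converges on (OpenVPN started as root, then dropping to `nobody:nobody` through the `user`/`group` directives, so `ifconfig tun0 destroy` at exit fails) can be checked from the config file. The following is an added example, not part of any post in this thread; the function names and the sample config are constructed for illustration, and `persist-key` is checked as a related option the thread does not mention.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config for the privilege-drop case above.
# Function names are hypothetical; the sample config below is constructed.

# Print the first argument of a directive ($2) in config file ($1).
# OpenVPN treats '#' and ';' as comment starts, so strip them first.
conf_value() {
    awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { v = $2 } END { print v }' "$1"
}

# Succeed if directive ($2) appears uncommented in config file ($1).
has_directive() {
    awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { f = 1 } END { exit !f }' "$1"
}

# Report whether the daemon drops root and what that implies at shutdown.
audit_conf() {
    conf=$1
    user=$(conf_value "$conf" user)
    group=$(conf_value "$conf" group)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "no-drop: daemon keeps root; tun destroy at exit should succeed"
        return 0
    fi
    echo "drop: runs as ${user}:${group:-unchanged} after init;" \
         "expect SIOCIFDESTROY 'Operation not permitted' at exit (non-critical)"
    # Without root, a SIGUSR1 restart cannot reopen the tun device...
    has_directive "$conf" persist-tun ||
        echo "warn: persist-tun missing; restart cannot reopen the tun device"
    # ...or re-read key files that only root can read.
    has_directive "$conf" persist-key ||
        echo "warn: persist-key missing; restart cannot re-read protected keys"
    return 0
}

# Constructed sample config, mirroring the nobody:nobody setup in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dev tun
user nobody
group nobody
persist-tun
EOF
audit_conf "$sample"
rm -f "$sample"
```

Run it against a real config by calling `audit_conf /usr/local/etc/openvpn/openvpn.conf`, adjusting the path to wherever the config actually lives.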



## mumu (Aug 3, 2021)

jamie said:


> To "Mumu", you can use the "persist-tun" option so that openvpn can recover from a restart caused by SIGUSR1 or a network interruption by never trying to close/open the tunnel.


Yep I have this already in the server config.



jamie said:


> You can also configure it to not attempt to destroy the interface on exit - that will stop the error message, but it's in itself harmless.


Can't find this in the man page. What's the keyword to search for?


----------

