# ocserv in jail: cannot open /dev/tun



## spmzt (Oct 2, 2022)

Hi,

I installed net/ocserv 1.1.3 on FreeBSD 13.1 in a jail, and I can create a tun interface inside the jail.
The problem is that net/ocserv tries to access /dev/tun inside my jail, and it obviously fails.

Here is my configuration:
/etc/devfs.conf:

```
[devfsrules_jail_overlay=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'vpns*' unhide
```

ezjail variables for vnet and devfs:

```
export jail_overlay_devfs_ruleset="5"
export jail_overlay_vnet_enable="YES"
export jail_overlay_vnet_interface="e0b_overlay"
export jail_overlay_exec_prestart0="/usr/local/sbin/jib addm overlay vtnet0 && /sbin/ifconfig e0a_overlay inet 172.16.1.1/30"
export jail_overlay_exec_poststop0="/usr/local/sbin/jib destroy overlay"
export jail_overlay_parameters="allow.raw_sockets=1"
```

ocserv debug (ip randomized):

```
ocserv 53654 - - sec-mod: initiating session for user 'user' (session: 98dgrj)
ocserv 53446 - - main[user]:172.16.1.1:58219 new user session
ocserv 53446 - - main[user]:172.16.1.1:58219 selected IP: 172.16.1.58
ocserv 53446 - - main[user]:172.16.1.1:58219 assigned IPv4: 172.16.1.58
ocserv 53446 - - main: cannot open /dev/tun; falling back to iteration: No such file or directory
ocserv 53446 - - main: tun.c:731: Can't open tun device: File exists
ocserv 53446 - - main[user]:172.16.1.1:58219 failed authentication attempt for user 'user'
ocserv 53446 - - main[user]:172.16.1.1:58219 sending message 'auth cookie reply' to worker
ocserv 53855 - - worker[user]: 172.16.1.1 received auth reply message (value: 3)
ocserv 53855 - - worker[user]: 172.16.1.1 error receiving cookie authentication reply
ocserv 53855 - - worker[user]: 172.16.1.1 failed cookie authentication attempt
ocserv 53446 - - main[user]:172.16.1.1:58219 worker terminated
ocserv 53446 - - main[user]:172.16.1.1:58219 sending msg sm: session close to sec-mod
ocserv 53654 - - sec-mod: received request sm: session close
ocserv 53654 - - sec-mod: cmd [size=42] sm: session close
ocserv 53446 - - main[user]:172.16.1.1:58219 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv 53654 - - sec-mod: temporarily closing session for user (session: 98Twrj)
ocserv 53446 - - main: tun.c:781: /dev/tun254: Error destroying interface: Device not configured
```

Does anyone have any idea how to put /dev/tun in my jail to make net/ocserv work?

*EDIT 1: add ocserv debug*
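An added example, not part of the thread or of ocserv: a POSIX sh emulation of how devfs(8) walks a ruleset for one device name, so what a jail ruleset like the one above actually exposes can be audited offline. The base include sets are constructed, trimmed stand-ins for /etc/defaults/devfs.rules; ruleset 5 is the one from the post.

```shell
#!/bin/sh
# Added example, not from the thread or ocserv: emulate how devfs(8) evaluates a jail
# ruleset for one device name, to audit offline what a ruleset exposes. Rules apply in
# order, the last matching hide/unhide wins; only the syntax the thread uses is handled,
# and the base rulesets are constructed, trimmed stand-ins, not /etc/defaults/devfs.rules.
RULES=$(cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_unhide_login=3]
add path 'pts/*' unhide
[devfsrules_jail_overlay=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'vpns*' unhide
EOF
)
expand_ruleset() {  # rules of ruleset $1 (name or number), includes expanded in place
    printf '%s\n' "$RULES" | awk -v want="$1" '
        /^\[/ { s = substr($0, 2, length($0) - 2); split(s, kv, "=")
                in_set = (kv[1] == want || kv[2] == want); next }
        in_set && NF { print }' |
    while IFS= read -r line; do
        case $line in
            "add include \$"*) expand_ruleset "${line#*\$}" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}
devfs_visible() {  # print "visible" or "hidden" for device $2 (relative to /dev) under ruleset $1
    state=visible                  # devfs exposes every node until a rule hides it
    while IFS= read -r rule; do
        case $rule in
            "add hide") state=hidden ;;
            "add path "*)
                rest=${rule#add path }                     # e.g.  'tun*' unhide
                glob=${rest% *}; glob=${glob#\'}; glob=${glob%\'}
                case ${rest##* } in unhide) act=visible ;; *) act=hidden ;; esac
                case $2 in $glob) state=$act ;; esac ;;    # unquoted: used as a glob
        esac
    done <<EOF
$(expand_ruleset "$1")
EOF
    printf '%s\n' "$state"
}
for d in tun tun0 vpns0 pts/3 bpf; do printf '%-6s %s\n' "$d" "$(devfs_visible 5 "$d")"; done
```

Feed it the real /etc/defaults/devfs.rules plus your own ruleset file to check every node a jail can see before starting services in it.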


----------



## W.hâ/t (Oct 2, 2022)

I don't know much about that, but don't you need a nat rule? From pf.conf(5):

```
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
```


----------



## spmzt (Oct 2, 2022)

W.hâ/t said:


> I don't know much about that but don't you need a nat rule? from pf.conf(5)
> 
> ```
> nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
> ```


I have. It's definitely not about the firewall. I think it must be related to the devfs or jail configuration itself.


----------



## W.hâ/t (Oct 2, 2022)

spmzt said:


> Can't open tun device: File exists


Destroy the device and restart the server.

Edit:
Or maybe in a config file there is a way to tell net/ocserv to use the existing /dev/tun0. Otherwise you can pretty much delete any configuration regarding this, even the nat rule; ocserv will configure all this automatically.


----------



## spmzt (Oct 2, 2022)

W.hâ/t said:


> Destroy the device and restart the server.
> 
> Edit:
> Or maybe in a config file there is a way to tell net/ocserv to use the existing /dev/tun0. Otherwise you can pretty much delete any configuration regarding this, even the nat rule; ocserv will configure all this automatically.


I created an issue in GitLab for the ocserv project to do so.

ocserv in jail: cannot open /dev/tun (#463) · Issues · OpenConnect VPN projects / ocserv · GitLab
Description of problem: Hi, I installed ocserv 1.1.6 on Freebsd 13.1 in jail. After authentication it will...
gitlab.com


----------

