Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

[T0MuX]

Is there a pinned issue for this?

• I have read the pinned issues and could not find my issue

Is there an existing or similar issue/discussion for this?

• I have searched the existing issues
• I have searched the existing discussions

Is there any comment in the documentation for this?

• I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to a provider?

• I have checked the provider repo for issues
• My issue is NOT related to a provider

Are you using the latest release?

• I am using the latest release

Have you tried using the dev branch latest?

• I have tried using dev branch

Docker run config used

I can't gather the docker command. All I see is dumb-init /etc/openvpn/start.sh, and the environment variables which I list below :

            "Env": [
                "TRANSMISSION_RPC_ENABLED=true",
                "TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true",
                "OPENVPN_CONFIG=seedbox",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "OPENVPN_USERNAME=",
                "OPENVPN_PASSWORD=",
                "OPENVPN_PROVIDER=custom",
                "OPENVPN_OPTS=",
                "GLOBAL_APPLY_PERMISSIONS=true",
                "TRANSMISSION_HOME=/config/transmission-home",
                "TRANSMISSION_RPC_PORT=9091",
                "TRANSMISSION_RPC_USERNAME=t0mux",
                "TRANSMISSION_RPC_PASSWORD=********************",
                "TRANSMISSION_DOWNLOAD_DIR=/mnt/SEED",
                "TRANSMISSION_INCOMPLETE_DIR=/data/incomplete",
                "TRANSMISSION_WATCH_DIR=/data/watch",
                "CREATE_TUN_DEVICE=true",
                "ENABLE_UFW=false",
                "UFW_ALLOW_GW_NET=false",
                "UFW_EXTRA_PORTS=",
                "UFW_DISABLE_IPTABLES_REJECT=false",
                "PUID=",
                "PGID=",
                "PEER_DNS=true",
                "PEER_DNS_PIN_ROUTES=true",
                "DROP_DEFAULT_ROUTE=",
                "WEBPROXY_ENABLED=false",
                "WEBPROXY_PORT=8118",
                "WEBPROXY_USERNAME=",
                "WEBPROXY_PASSWORD=",
                "LOG_TO_STDOUT=false",
                "HEALTH_CHECK_HOST=google.com",
                "SELFHEAL=false",
                "REVISION=07f5a2b9aea5028c9bb75438c1552708e91dde71"
            ],

Current Behavior

The container starts, and then fail at the TUN/TAP opening step

Expected Behavior

I just expect this works normaly :) I mean, this was the case just before this happens (and I actually don't know why). It worked very well just before.

How have you tried to solve the problem?

I tried to force stop the container, and start again.
Tried to stop de Docker package on DSM, and restart.
Checked updates, DSM and packages are all up to date.
Restarted my entire NAS, no change.

Log output

HW/SW Environment

- NAS : Synology DS712+
- OS: DSM 6.2.4
- Docker: 20.10.3

Anything else?

No response

[ryant00000]

I also had this issue, and found that passing through a /dev/net/tun device and setting CREATE_TUN_DEVICE=false at least works around the problem. My setup worked for years at this point, I suspect some docker change is relevant but couldn't find it. Notably, setting cap_add to ALL did not solve the problem.

[sadsephiroth]

I also had this issue today, setting container to Privileged mode worked, but is not an actual solution.

[boxedbiscotti]

Also having the same issue, version 5.3.1, using NordVPN if providers matter in this instance is currently unclear.

[hypevhs]

I'm also affected by this, but my error message is slightly different. I was unable to determine which of the many changes that --privileged applies is what allows access to the /dev/net/tun that the start script creates.

[T0MuX]

I also had this issue, and found that passing through a /dev/net/tun device and setting CREATE_TUN_DEVICE=false at least works around the problem. My setup worked for years at this point, I suspect some docker change is relevant but couldn't find it. Notably, setting cap_add to ALL did not solve the problem.

I tried, but no success :

[T0MuX]

I also had this issue today, setting container to Privileged mode worked, but is not an actual solution.

Mine is already on Priviliged mode :/

[sagefarrenholz]

Seeing the same with NORDVPN

[sagefarrenholz]

I was able to fix by adding

  privileged: true

to my container config in my compose file

[niemtec]

Started happening to me too after pulling latest image.

[realdeeguy]

Same issue. I don't want to run the container in privileged mode, so I manually added the TUN device by including the following in the compose file. Hope this helps.

devices:
  - /dev/net/tun:/dev/net/tun

[T0MuX]

Same issue. I don't want to run the container in privileged mode, so I manually added the TUN device by including the following in the compose file. Hope this helps.

devices:
  - /dev/net/tun:/dev/net/tun

How can I do that on DSM 6.2.4 ? I looked for it, didn't found anything :(

[thewanka]

When I include the following in my docker-compose file:

devices:  
  - /dev/net/tun:/dev/net/tun  

I get the error:

ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

However, if I set privileged: true, the error disappears.

I would prefer to resolve the issue without granting Docker privileged access. If anyone has suggestions, I’d greatly appreciate your help.

[realdeeguy]

When I include the following in my docker-compose file:

devices:  
  - /dev/net/tun:/dev/net/tun  

I get the error:

ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

However, if I set privileged: true, the error disappears.

I would prefer to resolve the issue without granting Docker privileged access. If anyone has suggestions, I’d greatly appreciate your help.

Share your compose file, this should work

[AdamLMark]

devices:
  - /dev/net/tun:/dev/net/tun

Thank you, this worked for me. Here's my entire compose Portainer stack for anyone interested:

version: "3.3"
services:
  transmission-openvpn:
    container_name: transmission-openvpn
    cap_add:
      - NET_ADMIN
    volumes:
      - /docker/transmission-openvpn/config:/config
      - /mnt/data/torrents:/data/torrents
    logging:
      driver: json-file
      options:
        max-size: 10m
    ports:
      - '9091:9091'
    devices:
      - /dev/net/tun:/dev/net/tun
    image: haugene/transmission-openvpn
    env_file:
      - stack.env # Lets you use Portainer's environment variables (file doesn't need to exist)
    restart: unless-stopped

[thewanka]

When I include the following in my docker-compose file:

devices:  
  - /dev/net/tun:/dev/net/tun  

I get the error:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
However, if I set privileged: true, the error disappears.
I would prefer to resolve the issue without granting Docker privileged access. If anyone has suggestions, I’d greatly appreciate your help.

Share your compose file, this should work

I made a mistake and when I corrected my compose it worked. Thanks

devices:
  - /dev/net/tun:/dev/net/tun

[realdeeguy]

Same issue. I don't want to run the container in privileged mode, so I manually added the TUN device by including the following in the compose file. Hope this helps.

devices:
  - /dev/net/tun:/dev/net/tun

How can I do that on DSM 6.2.4 ? I looked for it, didn't found anything :(

I don't use DSM but you should be able to modify the docker compose to add it.

[KnuffigerMaxi]

Ich habe den gleichen Fehler:

starting container with revision: 07f5a2b9aea5028c9bb75438c1552708e91dde71
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Running with VPN_CONFIG_SOURCE auto
CUSTOM provider specified but not using default.ovpn, will try to find a valid config mounted to /etc/openvpn/custom
Starting OpenVPN using config vpngate_92.124.161.186_udp_1809.ovpn
Modifying /etc/openvpn/custom/vpngate_92.124.161.186_udp_1809.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/24 via 172.19.0.1 dev eth0
2024-12-03 21:15:40 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2024-12-03 21:15:40 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2024-12-03 21:15:40 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-12-03 21:15:40 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-12-03 21:15:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-03 21:15:40 TCP/UDP: Preserving recently used remote address: [AF_INET]92.124.161.186:1809
2024-12-03 21:15:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-12-03 21:15:40 UDP link local: (not bound)
2024-12-03 21:15:40 UDP link remote: [AF_INET]92.124.161.186:1809
2024-12-03 21:15:40 TLS: Initial packet from [AF_INET]92.124.161.186:1809, sid=6727c523 2a8463ea
2024-12-03 21:15:40 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2024-12-03 21:15:40 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R11
2024-12-03 21:15:40 VERIFY OK: depth=0, CN=opengw.net
2024-12-03 21:15:40 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-12-03 21:15:40 [opengw.net] Peer Connection Initiated with [AF_INET]92.124.161.186:1809
2024-12-03 21:15:42 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2024-12-03 21:15:42 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.29 10.211.1.30,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.30,redirect-gateway def1'
2024-12-03 21:15:42 OPTIONS IMPORT: timers and/or timeouts modified
2024-12-03 21:15:42 OPTIONS IMPORT: --ifconfig/up options modified
2024-12-03 21:15:42 OPTIONS IMPORT: route options modified
2024-12-03 21:15:42 OPTIONS IMPORT: route-related options modified
2024-12-03 21:15:42 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-12-03 21:15:42 Using peer cipher 'AES-128-CBC'
2024-12-03 21:15:42 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-12-03 21:15:42 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-12-03 21:15:42 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-12-03 21:15:42 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-12-03 21:15:42 net_route_v4_best_gw query: dst 0.0.0.0
2024-12-03 21:15:42 net_route_v4_best_gw result: via 172.19.0.1 dev eth0
2024-12-03 21:15:42 ROUTE_GATEWAY 172.19.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:13:00:02
2024-12-03 21:15:42 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
2024-12-03 21:15:42 Exiting due to fatal error

[mdlaat]

@KnuffigerMaxi I had the same error. Fixed with #2883 (comment)

[j2ali]

I tried both privileged and devices

transmissionvpn:
    cap_add:
      - NET_ADMIN
    container_name: transmissionvpn
    privileged: true
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      LOCAL_NETWORK: 192.168.0.0/16
      OPENVPN_PASSWORD: XX
      OPENVPN_PROVIDER: PIA
      OPENVPN_USERNAME: XX
      PGID: "1000"
      PUID: "1000"
      TRANSMISSION_DOWNLOAD_DIR: /storage/downloads/completed
      TRANSMISSION_HOME: /config
      TRANSMISSION_INCOMPLETE_DIR: /storage/downloads/incomplete
      TRANSMISSION_WATCH_DIR: /storage/downloads/watch
      TZ: America/Toronto
    hostname: DockSTARTer
    image: haugene/transmission-openvpn:latest
    networks:
      default: null
    ports:
      - mode: ingress
        target: 9091
        published: "9091"
        protocol: tcp
    restart: unless-stopped
    ```

[utdrmac]

Just confirming that adding devices: - /dev/net/tun:/dev/net/tun to my compose file made this work again.

[Aginarikar]

Also, for anyone having portainer running, the container can easily be edited/re-created with the workaround like this instead of docker-compose:

[glukose]

Thanks for the tip. I don't have a docker compose for this one, but use a service with this kind of command :

usr/bin/docker run \
        --name transmission-openvpn \
        --cap-add=NET_ADMIN \
        -v /mnt/user/home:/data \
        -v /home/user/config:/config \
        -v /etc/localtime:/etc/localtime:ro \
        -e CREATE_TUN_DEVICE=true \
        -e OPENVPN_PROVIDER=NORDVPN \
        ...

Does someone has the syntax to add devices: - /dev/net/tun:/dev/net/tun to this command line ?

[mdlaat]

Before the last line, add a line:
--device=/dev/net/tun:/dev/net/tun \

[BarrRedKola]

you don't need the mapping inside the container if it is the same path, meaning

devices:
  - /dev/net/tun

is sufficient.

And it indeed solves the issue.

The main issue is probably related to an update of container.io qdm12/gluetun#2606