Help: Failed to read packet from TUN device: read /dev/net/tun: not pollable #2662

Open
juanbretti opened this issue Jan 17, 2025 · 11 comments

@juanbretti

juanbretti commented Jan 17, 2025

Hello,
I am trying to get gluetun working again.
I recently installed https://github.com/cloudflare/cloudflared, and gluetun stopped working.

My system is a Synology NAS running DSM 7.2.2-72806 Update 2.
I am running gluetun and cloudflared, using Docker.

My docker-compose.yml for gluetun is:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    hostname: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 6881:6881
      - 6881:6881/udp
    volumes:
      - /volume1/docker/vpn_torrent/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=xxxxxxxxxxxxxx 
      - WIREGUARD_ADDRESSES=10.5.0.2/32
      - TZ=Europe/Madrid
      - SERVER_COUNTRIES=Spain
      - UPDATER_PERIOD=24h

  service_x:
    image: lscr.io/linuxserver/xxxx
    xxxx

networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: "172.18.0.0/16"
          gateway: "172.18.0.1"

My docker-compose.yml for cloudflared is:

services:
  cloudflare_tunnel:
    container_name: cloudflare_tunnel
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    environment:
      - TUNNEL_TOKEN=xxxxxxxxxxxxxxxx
    command: tunnel --no-autoupdate run
    networks:
      - exposed

networks:
  exposed:
    external: false
    ipam:
      driver: default
      config:
        - subnet: "172.21.0.0/16"
          gateway: "172.21.0.1"

The problem I have is:

2025/01/17 11:38:26	stdout	2025-01-17T11:38:26+01:00 ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
2025/01/17 11:38:26	stdout	2025-01-17T11:38:26+01:00 ERROR [vpn] cannot listen on UAPI socket: no space left on device
2025/01/17 11:38:26	stdout	2025-01-17T11:38:26+01:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2025/01/17 11:38:17	stdout	2025-01-17T11:38:17+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.18.0.2:47043->1.1.1.1:53: write: operation not permitted)
2025/01/17 11:38:11	stdout	2025-01-17T11:38:11+01:00 ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
2025/01/17 11:38:11	stdout	2025-01-17T11:38:11+01:00 ERROR [wireguard] Failed to read packet from TUN device: read /dev/net/tun: not pollable
2025/01/17 11:38:11	stdout	2025-01-17T11:38:11+01:00 ERROR [vpn] cannot listen on UAPI socket: no space left on device

Below, the full log.

Things I tried:

What do I think:

Thanks! Any idea is welcome.

Full log

2025/01/17 11:38:28 stdout 2025-01-17T11:38:28+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025/01/17 11:38:28 stdout 2025-01-17T11:38:28+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025/01/17 11:38:28 stdout 2025-01-17T11:38:28+01:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.18.0.2:48159->1.1.1.1:53: write: operation not permitted)
2025/01/17 11:38:26 stdout 2025-01-17T11:38:26+01:00 ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
2025/01/17 11:38:26 stdout 2025-01-17T11:38:26+01:00 INFO [vpn] retrying in 30s
2025/01/17 11:38:26 stdout 2025-01-17T11:38:26+01:00 ERROR [vpn] cannot listen on UAPI socket: no space left on device
2025/01/17 11:38:26 stdout 2025-01-17T11:38:26+01:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2025/01/17 11:38:26 stdout 2025-01-17T11:38:26+01:00 INFO [firewall] allowing VPN connection...
2025/01/17 11:38:17 stdout 2025-01-17T11:38:17+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025/01/17 11:38:17 stdout 2025-01-17T11:38:17+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025/01/17 11:38:17 stdout 2025-01-17T11:38:17+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.18.0.2:47043->1.1.1.1:53: write: operation not permitted)
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 ERROR [wireguard] Failed to read packet from TUN device: read /dev/net/tun: not pollable
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [vpn] retrying in 15s
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 ERROR [vpn] cannot listen on UAPI socket: no space left on device
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [firewall] allowing VPN connection...
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [http server] http server listening on [::]:8000
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [firewall] setting allowed subnets...
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [routing] adding route for 0.0.0.0/0
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025/01/17 11:38:11 stdout └── Enabled: yes
2025/01/17 11:38:11 stdout └── Version settings:
2025/01/17 11:38:11 stdout | └── Providers to update: nordvpn
2025/01/17 11:38:11 stdout | ├── Minimum ratio: 0.8
2025/01/17 11:38:11 stdout | ├── DNS address: 1.1.1.1:53
2025/01/17 11:38:11 stdout | ├── Update period: 24h0m0s
2025/01/17 11:38:11 stdout ├── Server data updater settings:
2025/01/17 11:38:11 stdout | └── cloudflare
2025/01/17 11:38:11 stdout | ├── ip2location
2025/01/17 11:38:11 stdout | ├── ifconfigco
2025/01/17 11:38:11 stdout | └── Public IP data backup APIs:
2025/01/17 11:38:11 stdout | ├── Public IP data base API: ipinfo
2025/01/17 11:38:11 stdout | ├── IP file path: /tmp/gluetun/ip
2025/01/17 11:38:11 stdout ├── Public IP settings:
2025/01/17 11:38:11 stdout | └── Timezone: europe/madrid
2025/01/17 11:38:11 stdout | ├── Process GID: 1000
2025/01/17 11:38:11 stdout | ├── Process UID: 1000
2025/01/17 11:38:11 stdout ├── OS Alpine settings:
2025/01/17 11:38:11 stdout | └── Filepath: /gluetun/servers.json
2025/01/17 11:38:11 stdout ├── Storage settings:
2025/01/17 11:38:11 stdout | └── Authentication file path: /gluetun/auth/config.toml
2025/01/17 11:38:11 stdout | ├── Logging: yes
2025/01/17 11:38:11 stdout | ├── Listening address: :8000
2025/01/17 11:38:11 stdout ├── Control server settings:
2025/01/17 11:38:11 stdout | └── Enabled: no
2025/01/17 11:38:11 stdout ├── HTTP proxy settings:
2025/01/17 11:38:11 stdout | └── Enabled: no
2025/01/17 11:38:11 stdout ├── Shadowsocks server settings:
2025/01/17 11:38:11 stdout | └── Additional duration: 5s
2025/01/17 11:38:11 stdout | ├── Initial duration: 6s
2025/01/17 11:38:11 stdout | └── VPN wait durations:
2025/01/17 11:38:11 stdout | ├── Read timeout: 500ms
2025/01/17 11:38:11 stdout | ├── Read header timeout: 100ms
2025/01/17 11:38:11 stdout | ├── Duration to wait after success: 5s
2025/01/17 11:38:11 stdout | ├── Target address: cloudflare.com:443
2025/01/17 11:38:11 stdout | ├── Server listening address: 127.0.0.1:9999
2025/01/17 11:38:11 stdout ├── Health settings:
2025/01/17 11:38:11 stdout | └── Log level: info
2025/01/17 11:38:11 stdout ├── Log settings:
2025/01/17 11:38:11 stdout | └── Enabled: yes
2025/01/17 11:38:11 stdout ├── Firewall settings:
2025/01/17 11:38:11 stdout | └── ::ffff:192.168.0.0/112
2025/01/17 11:38:11 stdout | ├── ::ffff:172.16.0.0/108
2025/01/17 11:38:11 stdout | ├── ::ffff:169.254.0.0/112
2025/01/17 11:38:11 stdout | ├── ::ffff:10.0.0.0/104
2025/01/17 11:38:11 stdout | ├── ::ffff:127.0.0.1/104
2025/01/17 11:38:11 stdout | ├── fe80::/10
2025/01/17 11:38:11 stdout | ├── fc00::/7
2025/01/17 11:38:11 stdout | ├── ::1/128
2025/01/17 11:38:11 stdout | ├── 169.254.0.0/16
2025/01/17 11:38:11 stdout | ├── 192.168.0.0/16
2025/01/17 11:38:11 stdout | ├── 172.16.0.0/12
2025/01/17 11:38:11 stdout | ├── 10.0.0.0/8
2025/01/17 11:38:11 stdout | ├── 127.0.0.1/8
2025/01/17 11:38:11 stdout | └── Blocked IP networks:
2025/01/17 11:38:11 stdout | ├── Block surveillance: no
2025/01/17 11:38:11 stdout | ├── Block ads: no
2025/01/17 11:38:11 stdout | ├── Block malicious: yes
2025/01/17 11:38:11 stdout | └── DNS filtering settings:
2025/01/17 11:38:11 stdout | ├── IPv6: no
2025/01/17 11:38:11 stdout | ├── Caching: yes
2025/01/17 11:38:11 stdout | | └── cloudflare
2025/01/17 11:38:11 stdout | ├── Upstream resolvers:
2025/01/17 11:38:11 stdout | ├── Update period: every 24h0m0s
2025/01/17 11:38:11 stdout | ├── Enabled: yes
2025/01/17 11:38:11 stdout | └── DNS over TLS settings:
2025/01/17 11:38:11 stdout | ├── DNS server address to use: 127.0.0.1
2025/01/17 11:38:11 stdout | ├── Keep existing nameserver(s): no
2025/01/17 11:38:11 stdout ├── DNS settings:
2025/01/17 11:38:11 stdout | └── MTU: 1320
2025/01/17 11:38:11 stdout | └── Network interface: tun0
2025/01/17 11:38:11 stdout | | └── ::/0
2025/01/17 11:38:11 stdout | | ├── 0.0.0.0/0
2025/01/17 11:38:11 stdout | ├── Allowed IPs:
2025/01/17 11:38:11 stdout | | └── 10.5.0.2/32
2025/01/17 11:38:11 stdout | ├── Interface addresses:
2025/01/17 11:38:11 stdout | ├── Private key: 5QB...0k=
2025/01/17 11:38:11 stdout | └── Wireguard settings:
2025/01/17 11:38:11 stdout | | └── Wireguard selection settings:
2025/01/17 11:38:11 stdout | | ├── Countries: spain
2025/01/17 11:38:11 stdout | | ├── VPN type: wireguard
2025/01/17 11:38:11 stdout | | └── Server selection settings:
2025/01/17 11:38:11 stdout | | ├── Name: nordvpn
2025/01/17 11:38:11 stdout | ├── VPN provider settings:
2025/01/17 11:38:11 stdout ├── VPN settings:
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO Settings summary:
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO IPtables version: v1.8.10
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO OpenVPN 2.6 version: 2.6.11
2025/01/17 11:38:11 stdout 2025-01-17T11:38:11+01:00 INFO OpenVPN 2.5 version: 2.5.10
2025/01/17 11:38:10 stdout 2025-01-17T11:38:10+01:00 INFO Alpine version: 3.20.3
2025/01/17 11:38:10 stdout 2025-01-17T11:38:10+01:00 INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
2025/01/17 11:38:07 stdout 2025-01-17T11:38:07+01:00 INFO [firewall] enabled successfully
2025/01/17 11:38:07 stdout 2025-01-17T11:38:07+01:00 INFO [firewall] enabling...
2025/01/17 11:38:07 stdout 2025-01-17T11:38:07+01:00 INFO [routing] local ipnet found: 172.18.0.0/16
2025/01/17 11:38:07 stdout 2025-01-17T11:38:07+01:00 INFO [routing] local ethernet link found: eth0
2025/01/17 11:38:07 stdout 2025-01-17T11:38:07+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025/01/17 11:38:07 stdout 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025/01/17 11:38:07 stdout 💻 Email? [email protected]
2025/01/17 11:38:07 stdout 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
2025/01/17 11:38:07 stdout 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
2025/01/17 11:38:07 stdout
2025/01/17 11:38:07 stdout Running version latest built on 2024-12-27T20:18:46.989Z (commit 61b053f)
2025/01/17 11:38:07 stdout
2025/01/17 11:38:07 stdout ========================================
2025/01/17 11:38:07 stdout ========================================
2025/01/17 11:38:07 stdout ======= https://github.com/qdm12 =======
2025/01/17 11:38:07 stdout =========== Made with ❤️ by ============
2025/01/17 11:38:07 stdout ========================================
2025/01/17 11:38:07 stdout =============== gluetun ================
2025/01/17 11:38:07 stdout ========================================
2025/01/17 11:38:07 stdout ========================================

Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@juanbretti
Author

juanbretti commented Jan 19, 2025

I have a Synology NAS, I think I am missing the installation of Wireguard, following: https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/wireguard.md.
But I am not sure why gluetun worked for some days... and later stopped working.

@s3than

s3than commented Jan 20, 2025

There is a recent change to runc which might have been updated

opencontainers/runc#3468

It removed access to /dev/net/tun. An easy way to check is to add /dev/net/tun as a device, and if it starts working again, that's the issue.

@juanbretti
Author

Thank you @s3than for your reply.

I already have the line to add /dev/net/tun in my docker-compose.yml.
I have:

    devices:
      - /dev/net/tun:/dev/net/tun

I tried rebuilding the Docker container with and without that line, and I am still not able to make gluetun work again.

Am I missing something? Thank you for any feedback.

@KindaWrks

What I did back on DSM 6 (and now) was have Task Scheduler run a short CLI script at every boot, running as root. This will make sure you always have the tunnel adapter, even if you have a power outage.

#!/bin/sh -e

insmod /lib/modules/tun.ko

@juanbretti
Author

Thank you @KindaWrks for your reply.

I checked, and I do have the /dev/net/tun already installed on my NAS.

admin@NAS:~$ ls -l /dev/net/tun
crw------- 1 root root 10, 200 Jan 20 13:22 /dev/net/tun

admin@NAS:~$ lsmod | grep tun
tun                    19151  0
tunnel4                 2133  1 sit
ip_tunnel              11433  2 sit,vxlan

admin@NAS:~$ sudo cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

admin@NAS:~$ dmesg | grep tun
[   64.872005] sit: IPv6 over IPv4 tunneling driver
[ 1632.499215] tun: Universal TUN/TAP device driver, 1.6
[ 1632.504879] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>

What could I be missing?
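
The checks run by hand above, collected into one script as an added example; it is not part of the thread or of gluetun, and the function names and return codes are this example's own. It verifies that the node is the character device 10,200 shown in the `ls -l` output, then classifies the error from a bare read using standard Linux errno meanings: on a loaded tun driver a read before any interface is attached fails with "File descriptor in bad state", while "Operation not permitted" or "No such device" point at device rules or a missing module.

```shell
#!/bin/sh
# Added example: triage of a TUN device node before handing it to a container.
# Function names and return codes are assumptions of this example.

# Map the error text of a bare read on the node to a likely cause.
classify_tun_read_error() {
    case "$1" in
        # EBADFD: open worked, no interface attached yet (driver is present)
        *"File descriptor in bad state"*) echo driver-present ;;
        # EPERM: open refused, e.g. by a device cgroup rule
        *"Operation not permitted"*)      echo blocked-by-device-rules ;;
        # EACCES: owner/mode of the node (crw------- root root needs root)
        *"Permission denied"*)            echo file-permissions ;;
        # ENODEV: node exists but no tun driver is registered behind it
        *"No such device"*)               echo module-not-loaded ;;
        *"No such file"*)                 echo node-missing ;;
        *)                                echo unknown ;;
    esac
}

# Returns 0 = char device 10,200; 1 = missing; 2 = not a char device;
# 3 = char device with other major/minor numbers.
check_tun_node() {
    node=${1:-/dev/net/tun}
    [ -e "$node" ] || return 1
    [ -c "$node" ] || return 2
    # stat -c %t/%T print major/minor in hex, so 10,200 is a:c8
    [ "$(stat -c '%t:%T' "$node")" = "a:c8" ] || return 3
    return 0
}

# Node check first, then a one-byte read probe whose error is classified.
tun_report() {
    node=${1:-/dev/net/tun}
    rc=0
    check_tun_node "$node" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "node check failed (code $rc)"
        return "$rc"
    fi
    msg=$(LC_ALL=C dd if="$node" of=/dev/null bs=1 count=1 2>&1) || true
    echo "read probe: $(classify_tun_read_error "$msg")"
}
```

Source the file and call `tun_report` as root on the host, then again inside the container; a different result between the two narrows the problem to what the container runtime passes through.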

@KindaWrks

Well, that is a good question. I could be way off, but perhaps it's not in the kernel or doesn't have the permission to be accessed?
The admittedly lazy way I have it done inserts/loads it into the system at a kernel level, which is really frowned on.

@juanbretti
Author

@KindaWrks may I ask which permissions you have on /dev/net/tun?
Looks like I have:

admin@NAS:~$ ls -l /dev/net/tun
crw------- 1 root root 10, 200 Jan 20 13:22 /dev/net/tun

@KindaWrks

Below is my yml file (info redacted), which doesn't seem much different. I can only offer what happened to work for me. When I first just used my yml it wouldn't work. Though after the bang script was set as a task, it did work from loading it into the kernel upon rebooting. Other than trying the bang script, I don't know what I personally can do, as it leaves me at a loss.

version: "latest"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - TZ=
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h

@tserversbfs

tserversbfs commented Jan 22, 2025

I also seem to be having this issue.
I pulled the latest gluetun tonight. This is a fresh install.
I also have cloudflared installed locally, not in Docker.
Debian 12, on my laptop.

Happy to help in any way I can.

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /root/Public/docker/gluetun:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      # OpenVPN:
      - OPENVPN_USER=${OPENVPN_USER}
      - OPENVPN_PASSWORD=${OPENVPN_PASSWORD}
      # Wireguard:
      # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
      # - WIREGUARD_ADDRESSES=10.64.222.21/32
      # Timezone for accurate log times (tz database names use an underscore)
      - TZ=America/New_York
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=

[healthcheck] program has been unhealthy for 1m1s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.19.0.2:41489->1.1.1.1:53: write: operation not permitted)

@juanbretti
Author

Maybe this thread is related to the bug fix described at #2606.
