
I am going to set up a VPN server on a CentOS 7 VPS, running as a Docker container. However, after installing OpenVPN and configuring it, I see that the service status is failed.

This is my server.conf file:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

And this is what is written in the messages file in /var/log/ after running the command below:

systemctl start openvpn@server.service

Oct  7 08:35:39 systemd: Cannot add dependency job for unit systemd-vconsole-setup.service, ignoring: Unit is masked.
Oct  7 08:35:39 systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 Diffie-Hellman initialized with 2048 bit key
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 ROUTE_GATEWAY ON_LINK IFACE=venet0 HWADDR=00:00:00:00:00:00
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Oct  7 08:35:39 openvpn: Fri Oct  7 08:35:39 2022 Exiting due to fatal error
Oct  7 08:35:39 systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Oct  7 08:35:39 systemd: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
Oct  7 08:35:39 systemd: Unit openvpn@server.service entered failed state.
Oct  7 08:35:39 systemd: openvpn@server.service failed.
Nikita Kipriyanov
Sasan
  • So what's in the log? It should log to syslog, so check `messages` or `syslog` or `daemon` file. Also you can try to start it by hand (not as a service) using `openvpn --config ` and see what it says. – Nikita Kipriyanov Oct 07 '22 at 08:09
  • @NikitaKipriyanov Where can I read its log? Could you please share the path. – Sasan Oct 07 '22 at 08:16
  • I found `openvpn-status.log` file in openvpn folder, but it is empty. – Sasan Oct 07 '22 at 08:22
  • No, that's not a log file, but a status file that you defined. It is empty because it didn't start in the first place. Typically syslog writes its log files to `/var/log/`. – Nikita Kipriyanov Oct 07 '22 at 08:25
  • @NikitaKipriyanov I shared the log after command `systemctl start openvpn@server.service` – Sasan Oct 07 '22 at 08:39
  • `Oct 7 08:35:39 pandora openvpn: Fri Oct 7 08:35:39 2022 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)` What is the system you are running it on? Is it OpenVZ or any other container (Docker, LXC)? If so, you're generally out of luck. This is not something which is typically done within a container. – Nikita Kipriyanov Oct 07 '22 at 08:41
  • @NikitaKipriyanov Yes. A website is running in a Docker container. Do I have no way? – Sasan Oct 07 '22 at 08:44

1 Answer

In the container it is only possible to create and use a tun device if the hosting provider gives your container such a possibility. They need:

  • to load a tuntap driver on the host
  • to give your container a permission to use it

If this requirement is met, you may create a missing device node and use it with OpenVPN or other applications:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

Probably you'll need to create it each time the container boots, in which case it is convenient to create a systemd unit which runs these commands for you and set it up to be required for network:

# /etc/systemd/system/tuntap-dev.service
[Unit]
Description=/dev/net/tun device node
Documentation=https://www.kernel.org/doc/Documentation/networking/tuntap.txt
Requires=sysinit.target
After=sysinit.target
# Skip the unit when the node already exists; mknod fails on an existing path
# and would otherwise put the unit into a failed state on every boot.
ConditionPathExists=!/dev/net/tun

[Service]
Type=oneshot
RemainAfterExit=yes
# systemd 219 (CentOS 7) only accepts absolute paths in ExecStart=.
ExecStart=/usr/bin/mkdir -p /dev/net
# Character device, major 10, minor 200: the fixed numbers of the tun driver.
ExecStart=/usr/bin/mknod /dev/net/tun c 10 200
# 0666 is the same mode udev gives the node on a normal host; opening it is
# harmless without CAP_NET_ADMIN, which is still required to attach an interface.
ExecStart=/usr/bin/chmod 0666 /dev/net/tun

[Install]
WantedBy=network-pre.target

Save this into /etc/systemd/system/tuntap-dev.service and run systemctl enable tuntap-dev.service to start it at boot.

Nikita Kipriyanov
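The answer lists three conditions for running OpenVPN in a container: the host must have the tun driver loaded, the container must be allowed to use it, and the `/dev/net/tun` node must exist. The preflight script below is an added example, not part of the original answer, that checks each of these from inside the container and, with a `--create` flag (my own design), creates the node with the same mknod/chmod commands the answer gives. It assumes Linux with `/proc` and `/sys` mounted and GNU coreutils `stat` (for `-c '%t:%T'`); the `TUN_NODE` variable and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the original answer: preflight checks for the
# container case described above. Assumes Linux (/proc, /sys) and GNU stat.

TUN_NODE=${TUN_NODE:-/dev/net/tun}

# sysfs shows the host kernel's misc devices, so this entry is present only
# when the host has the tun driver built in or loaded as a module.
host_has_tun_driver() {
    [ -e /sys/class/misc/tun ]
}

# Print one of: missing, not-a-char-device, wrong-device-number (X:Y), ok.
# A usable node is a character device with major 10, minor 200, which GNU
# stat prints in hex as "a:c8".
tun_node_status() {
    node=$1
    if [ ! -e "$node" ]; then
        echo missing; return 1
    fi
    if [ ! -c "$node" ]; then
        echo not-a-char-device; return 2
    fi
    devno=$(stat -c '%t:%T' "$node")
    if [ "$devno" != "a:c8" ]; then
        echo "wrong-device-number ($devno)"; return 3
    fi
    echo ok
}

# Test bit $2 of a CapEff hex mask in the format used by /proc/self/status.
# CAP_NET_ADMIN is bit 12: needed for TUNSETIFF, i.e. to attach an interface
# to the node. CAP_MKNOD is bit 27: needed to create the node at all.
has_cap_bit() {
    mask=${1:-0}; bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

current_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Create the node only if it is absent; refuse to replace anything else that
# sits at that path. Returns 0 when the node is usable afterwards.
ensure_tun_node() {
    node=$1
    case $(tun_node_status "$node") in
        ok) return 0 ;;
        missing)
            mkdir -p "$(dirname "$node")" &&
            mknod "$node" c 10 200 &&
            chmod 0666 "$node" ;;    # same mode udev uses on a normal host
        *)
            echo "refusing to touch $node: unexpected object in the way" >&2
            return 1 ;;
    esac
    [ "$(tun_node_status "$node")" = ok ]
}

main() {
    caps=$(current_cap_mask)
    if host_has_tun_driver; then echo "host tun driver: present"
    else echo "host tun driver: not visible (ask the provider to load it)"; fi
    has_cap_bit "$caps" 12 && echo "CAP_NET_ADMIN:   yes" \
        || echo "CAP_NET_ADMIN:   no (openvpn cannot attach a tun interface)"
    has_cap_bit "$caps" 27 && echo "CAP_MKNOD:       yes" \
        || echo "CAP_MKNOD:       no (cannot create the node from inside)"
    echo "$TUN_NODE: $(tun_node_status "$TUN_NODE")"
    if [ "$1" = "--create" ]; then
        ensure_tun_node "$TUN_NODE" && echo "$TUN_NODE is ready"
    fi
}

main "$@"
```

Run it as `sh tun-preflight.sh` to get a report, and as root with `sh tun-preflight.sh --create` to create the node. The capability check matters as much as the node: a container that lacks CAP_NET_ADMIN can open `/dev/net/tun` and still fail at the TUNSETIFF ioctl, which is a different error from the "No such file or directory" in the question's log.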
  • But I am not going to set up a VPN server as a Docker container. The Docker container exists to run my web site. I am going to set up a VPN server independent of Docker. – Sasan Oct 07 '22 at 09:23
  • Then you must run the server not in the container. Your last comment hinted that you are running OpenVPN within a container, and this is what is needed to run it in the container. There'll be no missing `/dev/net/tun` device node if you run it on bare metal or in a VM, since it would appear normally (created by `udev`) in that case. – Nikita Kipriyanov Oct 07 '22 at 09:30
  • I got it. After running `mkdir -p /dev/net`, `mknod /dev/net/tun c 10 200` and `chmod 0666 /dev/net/tun` and restarting OpenVPN, its status changed to `active`. Do I need to create `tuntap-dev.service`? – Sasan Oct 07 '22 at 09:33
  • I'd suggest you restart the container. If it turns out everything was retained, you don't need a service. If the device node disappears, create the service and it will reappear each time, so you don't need to worry about it. – Nikita Kipriyanov Oct 07 '22 at 09:39
  • Thanks a lot Nikita – Sasan Oct 07 '22 at 09:49
  • https://serverfault.com/questions/1112488/why-cant-i-connect-to-the-openvpn-server-from-windows-client-to-centos-vps-even Can you give me some help? – Sasan Oct 07 '22 at 11:57