Name of the tun interface when running openvpn?

Question

I have two OpenVPN client setups, controlled by systemd services openvpn.foo and openvpn.bar. They connect to different VPNs and may or may not be active at any point in time.

I'd like to set up different iptables firewall rules for them. The trouble is that the first OpenVPN process seems to grab the tun0 interface, regardless of whether that turns out to be configuration foo or bar. The problem is I can't attach iptables rules to the interface because I don't know whether it goes with VPN foo or bar at the moment.

Questions:

is there a way to get OpenVPN to always issue the same interface names for a given configuration? I was looking for an option in the config file, but couldn't find one. persist-tun seems insufficient as it does not seem to survive a reboot.
is there a way to determine which interface goes with which configuration after the fact?
given that the IP addresses I'm obtaining aren't entirely predictable either, I can't attach the rules to those either. Can anybody think of a trick where to attach them instead?

Thanks!

score 5 · Accepted Answer · edited Jul 21 '16 at 10:06

5

You can give the tun device name in the .ovpn configuration file:

Edit the file /etc/openvpn/server-vpngw.conf and add such lines:

dev tun3
client-config-dir /etc/openvpn/ccd

Then create the following file /etc/openvpn/ccd/vpn-name and edit it like so:

ifconfig-push 10.8.2.202 10.8.2.201
push "route 172.16.12.0 255.255.255.0"
push "route 10.2.4.0 255.255.255.0"

edited Jul 21 '16 at 10:06

Itai Ganot

10,644
29
93
146

answered Jul 21 '16 at 04:17

Uwe Burger

166
3

Duh. Would be nice if the man page was clear about that. Thanks! – Johannes Ernst Jul 21 '16 at 15:49
what are those ips and where do you get them from? – Mehdi Jul 02 '19 at 20:14

score 4 · Answer 2 · edited Jun 11 '20 at 10:02

4

Another simpler approach would be edit the client, and not the server:

Edit the client configuration file

sudo vim /etc/openvpn/client1.conf

And hardcode desired tun interface name:

dev tun69

Repeat step 1 with the second VPN client configuration file
Restart the service to pick up the changes:

sudo service openvpn restart

edited Jun 11 '20 at 10:02

Community

1

answered Jun 02 '20 at 14:06

Javier

51
3

score 1 · Answer 3 · answered Aug 25 '22 at 15:58

1

is there a way to determine which interface goes with which configuration after the fact?

You could even specify general names:

dev-type tun to specify that it is to be a "tun" device type,
dev myovpn to give it the name "myovpn".

answered Aug 25 '22 at 15:58

Golar Ramblar

131
3

Tested on Linux with OpenVPN 2.4.7. – famzah Mar 22 '23 at 21:35

Name of the tun interface when running openvpn?

3 Answers3

Linked