How to Fix “Cannot open TUN/TAP dev /dev/net/tun” Error in OpenVPN Server Setup on Linux VPS


When setting up OpenVPN on a Linux VPS, one of the most common errors you'll encounter is the TUN/TAP device initialization failure. The error message typically looks like this:

Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Cannot allocate TUN/TAP dev dynamically

Modern VPN solutions like OpenVPN require kernel-level network tunneling support. The error occurs for one of these reasons:

  • The TUN/TAP kernel module isn't loaded
  • Your VPS provider has disabled TUN/TAP support for the instance
  • The /dev/net/tun device file is missing
  • Permissions aren't properly set

Before proceeding with fixes, check if your VPS supports TUN/TAP:

cat /dev/net/tun
# Expected output: File descriptor in bad state
# If you get "No such file or directory", proceed with the fixes below
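
The cat check above separates only two outcomes. The shell functions below, added here as an example and not taken from the original article, tell the causes listed earlier apart by inspecting the device node and the error text returned when it is opened. The function names and the cause labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: diagnose why /dev/net/tun cannot be opened.
# Function names and result labels are illustrative, not OpenVPN's.

# check_tun_node PATH -> missing | not-chardev | wrong-numbers | ok
check_tun_node() {
    ctn_node="${1:-/dev/net/tun}"
    if [ ! -e "$ctn_node" ]; then
        echo "missing"; return 0
    fi
    if [ ! -c "$ctn_node" ]; then
        # e.g. a regular file created by mistake instead of via mknod
        echo "not-chardev"; return 0
    fi
    # stat prints major and minor in hex: 10,200 is "a c8"
    ctn_nums=$(stat -c '%t %T' "$ctn_node" 2>/dev/null)
    if [ "$ctn_nums" != "a c8" ]; then
        echo "wrong-numbers"; return 0
    fi
    echo "ok"
}

# classify_tun_error MESSAGE -> likely cause for the error text seen on open/read
classify_tun_error() {
    case "$1" in
        # The driver answered (module loaded or built into the kernel)
        *"File descriptor in bad state"*) echo "driver-present" ;;
        *"No such file or directory"*)    echo "node-missing" ;;
        # Node exists but no tun driver is behind it
        *"No such device"*)               echo "module-not-loaded" ;;
        # File mode, or a container that is not allowed to use TUN/TAP
        *"Permission denied"*|*"Operation not permitted"*) echo "access-denied" ;;
        *) echo "unknown" ;;
    esac
}

# diagnose_tun [PATH] -> one summary line, e.g. "node=ok open=driver-present"
diagnose_tun() {
    dt_node="${1:-/dev/net/tun}"
    dt_state=$(check_tun_node "$dt_node")
    dt_open="not-tried"
    if [ "$dt_state" = "ok" ]; then
        # LC_ALL=C keeps the error text in English so it can be matched
        dt_msg=$(LC_ALL=C cat "$dt_node" 2>&1 || true)
        dt_open=$(classify_tun_error "$dt_msg")
    fi
    echo "node=$dt_state open=$dt_open"
}
```

Source the file and run diagnose_tun as root. A result of node=ok open=module-not-loaded or open=access-denied on a container VPS means the node exists but the host is not exposing the driver, so creating the node again will not help.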

1. Create the TUN device directory and node

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

2. Load the TUN kernel module

modprobe tun
lsmod | grep tun  # Verify the module is loaded

3. Make the change persistent

Add this to /etc/rc.local (before the exit 0 line if present):

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

4. For OpenVZ VPS (if applicable)

Some OpenVZ providers require special configuration. Add these lines to /etc/vz/vz.conf:

CONFIG_FILE="/proc/vz/vzpriv"
IPTABLES="iptable_filter iptable_mangle"
CAPABILITY="capability:net_admin"

After implementing these changes, test your OpenVPN server:

service openvpn restart
tail -f /var/log/openvpn.log

You should now see successful initialization messages instead of the TUN/TAP error.

If the issue persists, consider:

  • Checking if your VPS provider allows TUN/TAP (some budget providers disable it)
  • Ensuring OpenVPN has the correct permissions (run as root for initial testing)
  • Verifying your OpenVPN configuration file has the correct "dev tun" directive

# Example server.conf snippet
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem

The error occurs because your VPS kernel isn't properly configured for TUN/TAP device support, which OpenVPN requires to create virtual network interfaces. The key log message indicates this clearly:

Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Cannot allocate TUN/TAP dev dynamically

First, verify whether your kernel has the TUN/TAP module loaded:

lsmod | grep tun

If no output appears, you'll need to enable it.

For most modern Linux kernels, run:

modprobe tun

Then verify it loaded successfully:

lsmod | grep tun

The output should list the 'tun' module.

For a permanent solution, create the device node:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Some VPS providers require you to enable TUN/TAP in their control panel:

  • For DigitalOcean: Check "Settings" → "Enable TUN/TAP"
  • For Linode: Check "Configuration Profile" → "TUN/TAP"
  • For AWS EC2: Requires proper instance type and security group rules

After applying the solution, test OpenVPN again:

service openvpn start

Check the status:

service openvpn status

If you're using a container-based VPS (like LXC), you might need additional configuration in your OpenVPN server config:

dev tun
persist-tun
persist-key

Once you get OpenVPN working, consider these security improvements:

# In server.conf
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512

Remember to regenerate your Diffie-Hellman parameters with stronger keys:

openssl dhparam -out /etc/openvpn/dh.pem 4096