Permanent Fix for OpenVPN TUN/TAP Device Error: /dev/net/tun Creation on Debian


When working with OpenVPN on Debian systems (particularly older releases such as Wheezy), you might encounter this persistent error when a client tries to connect:

ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

errno 2 (ENOENT) means the device node itself is absent. On a normal Debian install the kernel creates it through devtmpfs as soon as the tun module loads, and udev sets its mode; the node is missing when the module never loaded, when the udev rule for it is absent (common on minimal installs and in containers), or when /dev is a plain directory that nothing populates. Manual creation works:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

but on a tmpfs or devtmpfs /dev the node is gone again after the next reboot, which is a nuisance for sysadmins and for anyone automating VPN connections.

For Debian-based systems, the fix has to be applied at boot from system configuration. Two things must hold on every boot: the tun driver must be loaded (add "tun" to /etc/modules on Wheezy, or a file under /etc/modules-load.d/ on systemd releases), and the node must exist with the intended mode. The udev approach:

# Create udev rule. NAME= is unnecessary: with devtmpfs the kernel already names the node net/tun,
# and newer udev versions ignore NAME= for device nodes. MODE="0666" would make GROUP= meaningless,
# so use 0660 when access is to be limited to a group (create the group first: groupadd vpn).
echo 'KERNEL=="tun", MODE="0660", GROUP="vpn"' | sudo tee /etc/udev/rules.d/90-tun.rules

# Reload udev rules, then re-trigger the misc subsystem so an already-present node gets the new mode
sudo udevadm control --reload-rules
sudo udevadm trigger --subsystem-match=misc

A udev rule only runs when the kernel registers the tun device, so it cannot help while the module is unloaded; that is why the module entry above is required alongside it.

For modern Debian systems with systemd, a tmpfiles.d configuration can create both the directory and the node. Note that a "d /dev/net" line on its own only creates the directory, not the node the error complains about:

# Create configuration file: type, path, mode, user, group, age, argument (major:minor for type c)
printf 'd /dev/net 0755 root root -\nc /dev/net/tun 0666 root root - 10:200\n' | sudo tee /etc/tmpfiles.d/tun.conf

# Apply changes now (systemd-tmpfiles-setup-dev.service applies them at every boot)
sudo systemd-tmpfiles --create /etc/tmpfiles.d/tun.conf

A static node is enough even before the module is loaded: opening character device 10:200 makes the kernel autoload the tun module through its char-major-10-200 alias, provided module autoloading is enabled.

After implementing either solution, verify the device exists:

ls -l /dev/net/tun

Expected output is a character device with major 10 and minor 200; owner, group and mode follow the rule you chose (root:vpn and group-writable for the udev rule above, root:root 0666 for the tmpfiles entry):

crw-rw---- 1 root vpn 10, 200 May 15 12:34 /dev/net/tun

For Docker containers or LXC environments, the host must already have a working /dev/net/tun (module loaded, node present); then you either:

  1. Pass the device through with --device=/dev/net/tun and grant NET_ADMIN, which OpenVPN needs to configure the interface
  2. Or use privileged mode (not recommended for production: it exposes every host device and capability to the container)

docker run --device=/dev/net/tun --cap-add=NET_ADMIN my-openvpn-image

For deployment scripts, include this check (idempotent, must run as root):

#!/bin/bash
set -e
# Load the driver first; a no-op when tun is built into the kernel
modprobe tun 2>/dev/null || true
if [ ! -c /dev/net/tun ]; then
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun   # root-only; widen only if an unprivileged user must open it
fi
# Refuse to proceed if something else occupies the path (stat prints major:minor in hex; 10:200 is a:c8)
[ "$(stat -c '%t:%T' /dev/net/tun)" = "a:c8" ] || { echo "/dev/net/tun is not char 10:200" >&2; exit 1; }

While the temporary solution of manually creating the device node works, it doesn't survive reboots. Here's why this happens:

The TUN/TAP virtual network device needs kernel support (the tun module) and a device node. Modern Linux creates the node with devtmpfs and sets its mode with udev, but minimal installations, containers and older distributions like Wheezy may lack the rule or never load the module, and a node created by hand in a tmpfs or devtmpfs /dev disappears at boot.

Key components involved:

  • Kernel module: tun.ko (normally autoloaded by the kernel when the node is first opened)
  • Device node: /dev/net/tun (character device, major 10, minor 200)
  • Permissions: 600 root:root is the safest choice when only a root-run OpenVPN needs it; Debian's stock udev rule ships the node as 0666 because creating an interface (TUNSETIFF) still requires CAP_NET_ADMIN, so the node mode is not the real access control

Here are three approaches to make this fix persistent across reboots:

1. Systemd Service (Recommended for modern Debian)

# Create a oneshot unit that runs the same commands as the manual fix before networking comes up
sudo tee /etc/systemd/system/create-tun-device.service <<'EOF'
[Unit]
Description=Create /dev/net/tun for OpenVPN
DefaultDependencies=no
Before=network-pre.target openvpn.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=-/sbin/modprobe tun
ExecStart=/bin/sh -c 'test -c /dev/net/tun || { mkdir -p /dev/net && mknod /dev/net/tun c 10 200; }'
ExecStart=/bin/chmod 600 /dev/net/tun

[Install]
WantedBy=sysinit.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now create-tun-device.service

2. udev Rule (More elegant solution)

The udev rule is the 90-tun.rules file shown earlier. It is the cleanest option when the tun module is loaded at boot (tun listed in /etc/modules), because udev re-applies the mode and group every time the kernel registers the device; it does nothing while the module is absent.

3. Init Script (For older systems without systemd)

# Create an LSB init script that runs early in the S runlevel, after udev
sudo tee /etc/init.d/tun-device <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          tun-device
# Required-Start:    udev
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Create /dev/net/tun for OpenVPN
### END INIT INFO
case "$1" in
  start)
    modprobe tun 2>/dev/null || true
    if [ ! -c /dev/net/tun ]; then
        mkdir -p /dev/net
        mknod /dev/net/tun c 10 200
        chmod 600 /dev/net/tun
    fi
    ;;
  stop|restart|force-reload|status) ;;
  *) echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2; exit 3 ;;
esac
exit 0
EOF
sudo chmod 755 /etc/init.d/tun-device
sudo update-rc.d tun-device defaults

After implementing any of these solutions, verify with:

ls -l /dev/net/tun
cat /dev/net/tun

The first command should show a character device with major 10 and minor 200 and the permissions you configured. The second should fail with "File descriptor in bad state": that is expected and means the node opened and the tun driver answered (a plain read is refused until an interface is attached with TUNSETIFF). Other messages point at a different cause: "No such file or directory" means the node is still missing, "No such device" means the node exists but the tun module is not loaded and could not be autoloaded, and "Permission denied" means the node's mode or group excludes the user running the command.
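To make that distinction mechanical, here is an added diagnostic (not part of the original article) that checks the node is really character device 10:200, opens it and requests a transient interface with TUNSETIFF, then maps the resulting errno to the fix it calls for. It assumes Linux kernel headers and glibc; the path argument and the tun_probe/tun_diagnose names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>
#include <net/if.h>
#include <linux/if_tun.h>

/* Translate the errno from tun_probe() into the remedy discussed in the text.
 * (Hypothetical helper written for this example.) */
const char *tun_diagnose(int err)
{
    switch (err) {
    case 0:      return "ok: tun device usable";
    case ENOENT: return "node missing: create /dev/net/tun (udev rule, tmpfiles entry or mknod)";
    case ENODEV: return "node present but no driver: modprobe tun and list tun in /etc/modules";
    case ENOTTY: return "path is not the tun character device (expected major:minor 10:200)";
    case EACCES: return "node mode/group exclude this user: fix MODE= and GROUP= on the device";
    case EPERM:  return "opened, but TUNSETIFF needs CAP_NET_ADMIN: run as root or grant the capability";
    default:     return strerror(err);
    }
}

/* Returns 0 if a tun interface could be created on `path`, otherwise the errno
 * that stopped it. A stale regular file or the wrong device number yields ENOTTY
 * instead of ENOENT, so "exists" is not confused with "usable". */
int tun_probe(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return errno;                        /* ENOENT: nothing at that path */
    if (!S_ISCHR(st.st_mode) || major(st.st_rdev) != 10 || minor(st.st_rdev) != 200)
        return ENOTTY;                       /* something else sits there */

    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return errno;                        /* ENODEV (no driver) or EACCES (mode) */

    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;     /* ask for a transient tunN interface */
    int rc = 0;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0)
        rc = errno;                          /* EPERM without CAP_NET_ADMIN */
    close(fd);                               /* non-persistent interface vanishes here */
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/net/tun";
    int err = tun_probe(path);
    printf("%s: %s\n", path, tun_diagnose(err));
    return err ? 1 : 0;
}
```

Run it as the user that will run OpenVPN (gcc -o tun_check tun_check.c && ./tun_check); a success from an unprivileged user means the node is wide open and TUNSETIFF was allowed, which is worth noticing in its own right.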

For containerized environments (Docker, LXC), the host needs a working /dev/net/tun first; the container then needs the node plus CAP_NET_ADMIN to configure the interface:

# Docker run requires:
--device /dev/net/tun --cap-add=NET_ADMIN

# LXC requires in container config (cgroup v1 key shown; on cgroup v2 hosts use lxc.cgroup2.devices.allow):
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Remember that kernel module loading can be automated by adding tun to /etc/modules (or to a file under /etc/modules-load.d/ on systemd releases) if it isn't loading automatically. The kernel normally autoloads it on the first open of the node, so the explicit entry matters mainly when a udev rule must see the device early in boot or when module autoloading is disabled.