Common Problems
It’s complicated!
Tunnelblick is an interface for OpenVPN. Most problems people think they have with Tunnelblick are really problems they are having with OpenVPN, so what follows is a mix of information about Tunnelblick and OpenVPN.
OpenVPN is such a powerful tool with so many options, and computer configurations are so varied, that it is difficult to have an exhaustive guide to troubleshooting problems. Tunnelblick is designed to deal easily with the most common setups, so if it doesn’t apply to your situation, or doesn’t help, ask the Tunnelblick Discussion Group or the OpenVPN users mailing list for help.
I used a different program and uninstalled it, but with Tunnelblick all I can see are my old configurations!
The different program (for example, Urban Shield) uses a customized version of Tunnelblick that makes backups of their configurations and restores them when Tunnelblick starts up, and also hides all other configurations. To solve this problem:
- Rename the /Library/Application Support/Tunnelblick folder to be named Tunnelblick.old. (This will hide the backup, so Tunnelblick doesn’t see it and doesn’t restore it.)
- Reinstall Tunnelblick from the .dmg (disk image)
How can you tell if OpenVPN connected to a server?
- Click on the Tunnelblick icon at the top of the display.
- See what appears in the drop-down list for the configuration you are trying to troubleshoot:
- If the entry shows Connect xyz, configuration xyz is not connected and Tunnelblick is not trying to connect
- If the entry shows √ Disconnect xyz, configuration xyz is connected
- If the entry shows — Connect xyz, Tunnelblick is trying to connect configuration xyz
If OpenVPN is not connected to the server
If OpenVPN can’t connect to the server and Tunnelblick hasn’t popped up a window explaining why, there should be one or more error messages in the OpenVPN log to indicate what the problem is. To see the OpenVPN log, click on the Tunnelblick icon, click on «VPN Details», click on the large «Configurations» button at the top of the window, click on the name of the configuration you are troubleshooting on the left side of the window, and then click on the «Log» tab on the right side. The OpenVPN log is the large area of black text on a white background. (It contains messages from Tunnelblick in addition to the messages from OpenVPN.)
Look at lines near the end of the log for an error message.
OpenVPN Connects, but you can’t surf the Internet
A connection is established, but drops out or is restarted after a few seconds or minutes, or DNS stops working after a few minutes
This can have several causes:
- Another computer on your network is attempting to connect to the VPN using the same credentials.
- You don’t have «Monitor connection» checked. When DHCP is renewed, the change is ignored (because «Monitor connection» isn’t checked) and the VPN-supplied DNS server is replaced with the DHCP-supplied server. Often a DHCP-supplied server will only respond to queries which originate within that network. Since the DNS queries originate from the VPN, which is outside of that network, the queries will not be answered. Put a check next to «Monitor network».
An error message says to see details in the Console Log
See The Console Log for instructions on viewing the Console Log.
An error message says «write to TUN/TAP : Input/output error (code=5)»
OpenVPN may display a series of these messages when using a TAP connection. Although a few such messages are normal, if they continue to be displayed for more than a few seconds and the connection is never established, try to connect with DNS/WINS set to «Set nameserver (alternate 1)».
An error message says «You have tried to connect using a configuration file that is the same as the sample configuration file installed by Tunnelblick»
This means that you have tried to connect to a VPN without setting up a configuration file. Consult your network administrator or your VPN service provider to obtain configuration and other files or the information you need to modify the sample file. For more information, see Getting VPN Service.
An OpenVPN log entry says «potential route subnet conflict»
This means that the remote network you are creating a VPN to has IP addresses that are also in your local LAN.
One way to fix this is to include a «redirect-gateway local» option in the OpenVPN configuration file and un-check Tunnelblick’s «Route all IPv4 traffic through the VPN». (All traffic will still be routed through the VPN because of the «redirect-gateway» option.)
Another way to fix this is to change the addresses of your local LAN. You do this by changing your router’s configuration. For some routers you specify the first three numbers of the LAN (e.g. 192.168.77); in other routers you specify the address of the router itself (e.g. 192.168.77.1).
After changing the LAN address, you should restart all computers (and other network devices including network printers), so they start using addresses in the new address range.
Example:
WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
This means that both the remote network and your local network are using the 192.168.1.* range of IP addresses. So change your local network to use, for example, 192.168.5.* or 192.168.23.*. If you get the same warning message, try another address range.
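Identical address ranges are only one form of this conflict: a new LAN range also collides when it contains, or is contained in, the remote network. The following is an added example, not code from Tunnelblick or OpenVPN; it reads the remote network out of the warning line and tests candidate LAN ranges against it. The function names are hypothetical, the candidate ranges are constructed, and netmasks are assumed to be contiguous.

```sh
#!/bin/sh
# Added example, not Tunnelblick or OpenVPN code. Function names are
# hypothetical; netmasks are assumed to be contiguous dotted quads.

# Exit status 0 if the two networks share any address.
# Arguments: net1 mask1 net2 mask2
subnets_overlap() {
    awk -v n1="$1" -v m1="$2" -v n2="$3" -v m2="$4" '
    function num(s,   p) {
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    function size(mask)       { return 4294967296 - num(mask) }
    function first(net, mask) { return num(net) - num(net) % size(mask) }
    function last(net, mask)  { return first(net, mask) + size(mask) - 1 }
    BEGIN {
        # Two ranges intersect when each starts before the other ends.
        exit !(first(n1, m1) <= last(n2, m2) && first(n2, m2) <= last(n1, m1))
    }'
}

# Print "net mask" of the remote VPN named in an OpenVPN warning line.
remote_vpn_net() {
    printf '%s\n' "$1" |
        sed -n 's#.*remote VPN \[\([0-9.]*\)/\([0-9.]*\)].*#\1 \2#p'
}

# Print "conflict" or "free" for a candidate LAN: warning_line net mask
lan_status() {
    remote=$(remote_vpn_net "$1")
    [ -n "$remote" ] || { echo "unparsed"; return 2; }
    # $remote holds two words (net and mask); splitting is intended.
    if subnets_overlap $remote "$2" "$3"; then
        echo "conflict"; return 1
    fi
    echo "free"
}

# The warning line quoted on this page.
WARNING_LINE='WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]'

# Constructed candidates for the new local LAN.
for cand in "192.168.1.0 255.255.255.0" "192.168.5.0 255.255.255.0" \
            "192.168.0.0 255.255.0.0"; do
    set -- $cand
    printf '%s/%s: %s\n' "$1" "$2" "$(lan_status "$WARNING_LINE" "$1" "$2")"
done
```

The third candidate is reported as a conflict even though its address differs, because 192.168.0.0/255.255.0.0 contains the remote 192.168.1.* range.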
An OpenVPN log entry says «Cannot allocate TUN/TAP dev dynamically»
This error indicates a problem with the Tun and/or Tap system extensions.
- It can be caused by the following sequence in the configuration file:
dev-type tun
dev abcdefg
and a workaround is to replace both lines with the single line
dev tun
(substitute «tap» for «tun» in the above if this is a Tap configuration.)
An error message says «Tunnelblick was not able to load a device driver (kext) that is needed to connect.»
An OpenVPN log entry says «Tunnelblick: openvpnstart status #247: Error: Unable to load tun and tap kexts. Status = 71»
An OpenVPN log entry says «Tunnelblick: openvpnstart status #247: Error: Unable to load net.tunnelblick.tun and/or net.tunnelblick.tap kexts in 5 tries. Status = 71»
An OpenVPN log entry says «Note: unable to redirect default gateway -- Cannot read current default gateway from system»
There is a problem (in macOS and/or OpenVPN) which causes OpenVPN to be unable to read the default gateway when you try to connect OpenVPN through an existing PPP connection; here is a workaround:
Create a ppp start-up script /etc/ppp/ip-up and add the following:
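#!/bin/sh
PATH=/sbin:/usr/sbin/:/usr/bin:/bin
# Take the fourth field of the ppp0 "inet" line as the gateway address
gw=`ifconfig ppp0 | grep inet | awk '{ print $4 }'`
# Point the default route at that gateway, scoped to ppp0
route change default $gw -ifscope ppp0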
Save the script and make it executable by running chmod a+x /etc/ppp/ip-up.
Please note that the above script was made for interface ppp0. If for any reason you have more/other, make the changes accordingly.
An OpenVPN log entry says «Cannot load certificate file XXX.crt: error: 02001002:system library:fopen:No such file or directory: error: 20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines»
Your certificate file (XXX.crt) was not found. Usually the file should be in the same folder as the OpenVPN configuration file, not in a subfolder. For example, if the configuration file has a line such as
cert abcde.crt
or
ca abcde.crt
then the file abcde.crt should be in the same folder as the configuration. If the configuration file has a line such as
cert xyz/abcde.crt
or
ca xyz/abcde.crt
then the file abcde.crt should be in the xyz subfolder of the folder with the configuration.
An OpenVPN log entry says «TLS Error: Auth Username/Password was not provided by peer»
Your client configuration file should include an «auth-user-pass» option.
An OpenVPN log entry says «script failed: could not execute external program»
An up or down script contains an error. Common causes:
- The use of a script file with Windows line breaks (CR-LF) instead of Unix/Mac line breaks (LF).
- The use of a script file that does not have execute permission for root.
- The use of a script file with syntax errors.
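The three causes listed above can be checked before connecting. The following is an added example, not code from Tunnelblick or OpenVPN; it reports which of the causes applies to a given up or down script. The helper names are hypothetical, the sample scripts are constructed, and the script under test is assumed to be a POSIX shell script.

```sh
#!/bin/sh
# Added example, not Tunnelblick or OpenVPN code. check_vpn_script and
# make_samples are hypothetical names; the up/down script is assumed to
# be a POSIX shell script.

# Print "ok" or a space-separated list of findings: crlf, noexec, syntax.
check_vpn_script() {
    script=$1
    findings=""
    [ -f "$script" ] || { echo "missing"; return 1; }

    # Cause 1: CR-LF line endings. The kernel reads the shebang as
    # "/bin/sh<CR>", an interpreter that does not exist.
    cr=$(printf '\r')
    if grep -q "${cr}\$" "$script"; then
        findings="$findings crlf"
    fi

    # Cause 2: no execute bit at all. Even root cannot exec such a file,
    # so inspect the mode bits rather than the current user's access.
    perms=$(ls -ld "$script" | cut -c2-10)
    case $perms in
        *[xst]*) ;;
        *) findings="$findings noexec" ;;
    esac

    # Cause 3: syntax errors. Strip CRs first so a CR-LF file is not
    # reported twice; "sh -n" parses without executing anything.
    if ! tr -d '\r' < "$script" | sh -n 2>/dev/null; then
        findings="$findings syntax"
    fi

    if [ -z "$findings" ]; then
        echo "ok"
        return 0
    fi
    echo "${findings# }"
    return 1
}

# Constructed sample scripts: one clean, one per cause.
make_samples() {
    dir=$1
    printf '#!/bin/sh\necho up\n' > "$dir/good.sh"
    printf '#!/bin/sh\r\necho up\r\n' > "$dir/crlf.sh"
    printf '#!/bin/sh\necho up\n' > "$dir/noexec.sh"
    printf '#!/bin/sh\nif true; then\necho up\n' > "$dir/syntax.sh"
    chmod 755 "$dir/good.sh" "$dir/crlf.sh" "$dir/syntax.sh"
    chmod 644 "$dir/noexec.sh"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good crlf noexec syntax; do
    printf '%s: %s\n' "$f.sh" "$(check_vpn_script "$tmp/$f.sh")"
done
rm -rf "$tmp"
```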
Cannot Empty the Trash
If you dragged an old copy of Tunnelblick to the Trash and now cannot empty the Trash because Finder complains that something is «in use» (probably something named Sparkle.framework), try the following:
Launch Terminal (in /Applications/Utilities).
Copy/paste the following into Terminal:
You will be asked for your password. Type it in (it will not show up as you type it) then press the «enter/return» key on the keyboard.
Quit Terminal, then try to empty the Trash.
I am repeatedly asked for my password or token value (Tunnelblick 3.6.9beta02 or higher)
For some OpenVPN setups that use «small block» ciphers and username/password authentication or two-factor authentication (2FA), this can be very annoying because the user will be asked to authenticate each time 64 MB has been transferred through the VPN.
There are several ways to avoid the problem:
- Use a cipher which is not a «small block» cipher. (This must be done on both OpenVPN client and OpenVPN server.)
- Use OpenVPN 2.4 or higher and enable cipher negotiation. This must be done on both the server and client.
- For username/password authentication, have Tunnelblick save the username and password in the Keychain.
- For 2FA, do not use --auth-nocache, and use the --auth-token option in the client-connect and auth-user-pass-verify scripts on the server side to ask for 2FA once per session only.
More information is available at OpenVPN and SWEET32.
Unable to connect: Cannot allocate TUN/TAP dev dynamically
Last updated: August 6, 2020
If you see the following error message in your connection log:
Cannot allocate TUN/TAP dev dynamically
or one of the below screens:
You may be running an old version of ExpressVPN.
To resolve this issue, you will need to update your app. The process is quick and simple. To update:
Open the Welcome Email you received when you signed up for ExpressVPN. Click the link in the email.
Once you’ve clicked the link in the welcome email or logged in to the website, click on Download for Mac. This will start the download for your app.
After you have downloaded the latest version of the app, install ExpressVPN on your machine. Now you can continue to enjoy the Internet with safety and privacy!
SOLVED Openvpn tun interface issues in iocage
Brownz
Junior Member
Hi all, I’m new to freenas and have recently tried transitioning my quick and easy warden plugins to iocage manual jails. I followed these guides to set up openvpn:
I have tried many different ways to install openvpn and followed many fixes that are meant to work to fix this error: «Cannot allocate TUN/TAP dev dynamically». I added devfs rule -s 4 add path ‘tun*’ unhide to preinit to try and fix the issue to no avail. When I looked at the ifconfig the interfaces looked a little odd.
Issues:
- Openvpn states «Cannot allocate TUN/TAP dev dynamically» no matter what I do and despite the rules fix.
- On host restart the jail listed 256 tun interfaces (tun0 — tun255).
- On jail restart a single tun interface named tun256, this tun name increments on each subsequent restart.
- On host restart the manually created tun0 interface on host is removed.
This seems irregular, I believe these issues are linked somehow, but my knowledge of network interfaces is limited.
Host Restart — Jail ifconfig (end section):
Jail Restart 1 — Jail ifconfig:
Jail Restart 2 — Jail ifconfig:
What have I done wrong?
Do I need to create a tun interface on the host?
Member
Brownz
Junior Member
Ok thanks for clarifying things.
What do you mean by this ‘check if the tun device is not bigger tan 255’ ?
I increased the openvpn.conf verb value to 5.
I’m not sure if there’s another error log location. I have scanned through this, but apart from the initial warning and the final error I can’t see what could be causing the issue, although I’m not sure what to be looking for. This is what the nano /var/log/messages output looks like:
Member
Restart your freenas box. Enter jail and see if openvpn still created 256 tun devices. There should be only one named tun0
Edit : Also you are missing a ‘ when you posted your devfs rule.
Brownz
Junior Member
Yeah the 256 tun device problem happens EVERY time I reset host/freenas box, but disappears and leaves me with a single one named ‘tun256’ device when I reset jail.
Thanks for noticing the typo. Unfortunately it was just a forum typo (wish it was that simple to fix).
I’m wondering if this openvpn bug arises because the iocage jail is using a new 11.2 release. I might try a fresh 11.1 iocage and see if the problem persists.
Member
alantagne
Newbie
I have the same configuration and the very same problem. Followed the same guide. Running Freenas 11.1-U5, iocage jail is running Freenas 11.1-RELEASE.
Did you resolve the problem?
Brownz
Junior Member
I did try creating a 11.1 iocage and 11.0 iocage and installed to no avail, same issue each time.
I believe I did try making a manual tun device, but the following issues make it tricky and completely useless as a long term solution. There are (0-255) tun devices already, this issue causes me to make it named ‘tun256’, it is then renamed to ‘tun257’ on jail restart, thus making it inconsistent with the config file.
I’m away from home at the moment, so can’t be specific on the details, but I will double check and create a manual tun when I get back at the weekend. I don’t suppose anyone/lopr can post any commands needed to create a manual tun interface in case I screwed it up or left anything out the first time?
Member
just ifconfig tun create
but maybe try to disable openvpn on startup and start it manually to see what’s going on?
also I am posting my jailconfig, maybe I have some settings that I added for other purposes initially but are vital?
Brownz
Junior Member
I tried again creating a tun interface manually, each time renaming the interface with ifconfig tun256 name tun0 to reset the name. openvpn seems to ignore it and still get the error. On restart I get a single one with the incremented number, as if there were still 256 of them, and that is why I rename it.
I have since tried making a manual tun device and leaving the default name ‘tun256’ and renaming the ‘openvpn.conf’ file to include dev tun256 , although I’m not sure this is the right way to specify an interface. The message logs now have this:
This first error log makes me think a manual tun device will never work with openvpn.
I also think the custom tun interface is incorrectly creating a directory, (I believe for drivers) because whenever I customize the ‘conf’ and add a custom number to identify the tun it returns with the second error.
I compared the config you provided, it looks almost identical, I changed the few settings that were different with no success. There must be something different that we have done, but I’m at a loss. I have no idea where to continue.
Brownz
Junior Member
UPDATE
I have been investigating many settings for the jail and then tried a few things and then noticed something that worked briefly, although incredibly sketchy way of getting it to work, and with one major issue, I cannot connect externally to the internet.
1. Restarted Jail — In order to remove 256 tun devices,
2. ifconfig tun256 name tun0 — to rename the automatically generated tun device by openvpn on jail initialization.
3. service openvpn start — Restart openvpn which then successfully uses the correct tun device ‘tun0’ and initializes.
As soon as I start the service I don’t have access to the outside world.
4. service openvpn stop — As soon as I end the service I can access everything again. This also removes the tun interface.
5. service openvpn start — When I start the service again, it seems unable to initialise with a different error, no tun interface is created.
This is the only way I prevent a ‘Cannot allocate TUN/TAP dev dynamically’ error.
Anyone got ideas what’s going on?
linit
Neophyte
I am getting a similar issue but after restarting jail I see no tun interfaces and cannot create any
# ifconfig tun256 name tun0
ifconfig: interface tun256 does not exist
I see no tun interfaces with ifconfig and cannot create any new ones without getting the error above.
I was also seeing the same error «Brownz» sees with the dynamic issue when I did have all the 256 tun interfaces before.
I hope more eyes on this will find the issue, this was working for me too in 11.2
Scentle5S
Member
Scentle5S
Member
memel.parduin
Member
esolma
Newbie
I got exactly the same problem:
I create a tun device manually on the host because on the jail I don’t have a permission:
but I got another issue when I try to start vpn:
I’m missing something?
leafyeh7
Neophyte
I encountered the same issue running version 11.2-BETA3.
The issue has been reported at https://redmine.ixsystems.com/issues/45919, but was closed (set to private) due to «sensitive information».
My temporary solution is to disable ‘auto-start’ of the transmission jail, reboot freenas (to get rid of tun0-tun255), and then run
in shell before starting the transmission jail.
I am relatively new to Freenas and unix-like systems, below are a few simple tests I did with transmission jail auto-start disabled.
Preinit script enabled, freenas reboot, start transmission jail manually >> Fail
Preinit script disabled, run the devfs command after freenas rebooted, start transmission jail manually >> Success
Preinit script enabled, run the devfs command after freenas rebooted, start transmission jail manually >> Success
This leads me to the conclusion that for whatever reasons, the devfs script does not work as intended.
I also tried to sneak in the devfs command in the start_precmd (assuming these are the commands executed before jail start) function under /mnt/iocage/jails/transmission/root/usr/local/etc/rc.d/transmission, but it does not solve the problem.
Maybe some experienced users can show us how to properly run the devfs command before transmission jail start.
Edit:
Can confirm that the preinit devfs is not run properly. Here’s what I have when I enabled the preinit script, then use «devfs rule -s 4 show» to see what’s under ruleset #4.
100 include 1
200 include 2
300 include 3
400 path zfs unhide
Here’s what it looks like after running the devfs command unhiding tun* after system rebooted.
100 include 1
200 include 2
300 include 3
400 path zfs unhide
500 path tun* unhide