ERROR: Cannot open TUN/TAP dev /dev/net/tun inside systemd-nspawn container

I wish to use a VPN only for some services. To filter traffic, I thought I'd connect the VPN inside a systemd-nspawn container and move all the services which need to pass through the VPN into that container.

Following the blog post Declarative NixOS containers, I created a systemd-nspawn container with private-network.

Within the container, I'm able to access the internet. I get the following error when connecting with openvpn.

Service logs:

Mar 08 14:50:25 nordvpn systemd[1]: Started OpenVPN instance ‘nordvpn’.
Mar 08 14:50:25 nordvpn openvpn[402]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 08 14:50:25 nordvpn openvpn[402]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 08 14:50:25 nordvpn openvpn[402]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.191.202:1194
Mar 08 14:50:25 nordvpn openvpn[402]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 08 14:50:25 nordvpn openvpn[402]: UDP link local: (not bound)
Mar 08 14:50:25 nordvpn openvpn[402]: UDP link remote: [AF_INET]89.238.191.202:1194
Mar 08 14:50:26 nordvpn openvpn[402]: TLS: Initial packet from [AF_INET]89.238.191.202:1194, sid=65b8f6c9 2466dce5
Mar 08 14:50:26 nordvpn openvpn[402]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mar 08 14:50:26 nordvpn openvpn[402]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
Mar 08 14:50:26 nordvpn openvpn[402]: VERIFY KU OK
Mar 08 14:50:26 nordvpn openvpn[402]: Validating certificate extended key usage
Mar 08 14:50:26 nordvpn openvpn[402]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 08 14:50:26 nordvpn openvpn[402]: VERIFY EKU OK
Mar 08 14:50:26 nordvpn openvpn[402]: VERIFY OK: depth=0, CN=uk1875.nordvpn.com
Mar 08 14:50:26 nordvpn openvpn[402]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Mar 08 14:50:26 nordvpn openvpn[402]: [uk1875.nordvpn.com] Peer Connection Initiated with [AF_INET]89.238.191.202:1194
Mar 08 14:50:27 nordvpn openvpn[402]: SENT CONTROL [uk1875.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mar 08 14:50:28 nordvpn openvpn[402]: PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,redir>
Mar 08 14:50:28 nordvpn openvpn[402]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and >
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: explicit notify parm(s) modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: compression parms modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mar 08 14:50:28 nordvpn openvpn[402]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: route options modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: route-related options modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: peer-id set
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: adjusting link_mtu to 1657
Mar 08 14:50:28 nordvpn openvpn[402]: OPTIONS IMPORT: data channel crypto options modified
Mar 08 14:50:28 nordvpn openvpn[402]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 08 14:50:28 nordvpn openvpn[402]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 08 14:50:28 nordvpn openvpn[402]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 08 14:50:28 nordvpn openvpn[402]: net_route_v4_best_gw query: dst 0.0.0.0
Mar 08 14:50:28 nordvpn openvpn[402]: net_route_v4_best_gw result: via 192.168.101.1 dev eth0
Mar 08 14:50:28 nordvpn openvpn[402]: ROUTE_GATEWAY 192.168.101.1
Mar 08 14:50:28 nordvpn openvpn[402]: GDG6: remote_host_ipv6=n/a
Mar 08 14:50:28 nordvpn openvpn[402]: net_route_v6_best_gw query: dst ::
Mar 08 14:50:28 nordvpn openvpn[402]: sitnl_send: rtnl: generic error (-101): Network is unreachable
Mar 08 14:50:28 nordvpn openvpn[402]: ROUTE6: default_gateway=UNDEF
Mar 08 14:50:28 nordvpn openvpn[402]: ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Mar 08 14:50:28 nordvpn openvpn[402]: Exiting due to fatal error

Did you add containers.<name>.enableTun to your configuration?

Thanks aanderse, that was the issue.
Fixed config:

  containers.nordvpn = {
    ephemeral = true;
    autoStart = true;
    privateNetwork = true;
    enableTun = true;   # exposes /dev/net/tun to the container; this was the missing piece
    hostAddress = "192.168.101.1";
    localAddress = "192.168.101.2";
    bindMounts = {
      "/host" = {
        hostPath = "/n/systemd_containers/nordvpn";
      };
    };
    config = { config, pkgs, ... }: {
      environment.etc = {
        "resolv.conf".text = "nameserver 1.1.1.1\n";
      };

      services.openvpn.servers = {
        nordvpn = {
          config = '' config /host/uk1875.nordvpn.com.udp1194.ovpn '';
          authUserPass = {
            username = "<nordvpn_openvpn_username>";
            password = "<nordvpn_openvpn_pass>";
          };
        };
      };
    };
  };