You can skip this troubleshooting chapter unless you notice any issues.
ip_unpriv vs ip-unpriv
There are two similar distinct projects. Standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. They share a lot similarities, but one difference that you might stumble upon. In chapter #VPN Configuration File there is a difference.
- Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
- Standalone VPN-FIREWALL uses ip-unpriv (hyphen)
So make sure you are using the right version of ip unpriv according to the project you are using, VPN-FIREWALL and Whonix TUNNEL_FIREWALL.
50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf
Similar to above...
- Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf ip_unpriv (underscore)
- Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf ip-unpriv (hyphen)
Cannot ioctl TUNSETIFF
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
In openvpn.conf do not use.
Dev tun missmatch
In openvpn.conf do not use.
/run/openvpn/openvpn.status Permission denied
Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied
Do not start openvpn as root. Do not use "sudo openvpn". This would lead to permission issues. Files in /run/openvpn folder owned by root. So they cannot be overwritten by user tunnel.
Debug start in command line.
sudo /usr/sbin/openvpn --rmtun --dev tun0 sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel cd /etc/openvpn/ sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Linux ip link set failed: external program exited with error status: 2
Use ip_unpriv as documented above.
If you are using resolvconf only...
You may need to manually change permissions on two directories if they are not automatically applied. Check to see if changes are necessary by running the following command:
ls -al /run/resolvconf
If the output lists tunnel as having read/write/execute permissions for both /run/resolvconf and /run/resolvconf/interface then you will not need to modify anything. If tunnel is not listed as group for one or both of these directories then you will need to change the permissions, like so:
sudo chown --recursive root:tunnel /run/resolvconf
then you will need to set the permissions bits
sudo chmod --recursive 775 /run/resolvconf
In /run/resolvconf, resolv.conf may or may not be owned by tunnel depending on whether the systemd service has started already or not. There is no need to modify permissions on this file, as its permissions will change when the service starts.
Terminology for Support Requests
Phrases such as "over Tor" are ambiguous. Please do not prevent your own coining of words. That leads to people talking past each other. Please use the same terms that are consistently used in documentation such as.
- How to connect to a VPN before Tor (User -> VPN -> Tor -> Internet)
- How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)
Always refer to the connection scheme, User -> VPN -> Tor -> Internet or User -> Tor -> VPN -> Internet etc.