You can skip this troubleshooting chapter unless any difficulties are encountered.
ip_unpriv vs ip-unpriv
There are two similar, yet distinct projects: standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. Although both are alike, there is one difference that might be encountered. For instance, in chapter #VPN Configuration File:
- Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
- Standalone VPN-FIREWALL uses ip-unpriv (hyphen)
Be sure to use the right version of ip unpriv according to whether the VPN-FIREWALL or Whonix TUNNEL_FIREWALL project is being used.
50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf
Like the example above:
- Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf ip_unpriv (underscore)
- Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf ip-unpriv (hyphen)
Cannot ioctl TUNSETIFF
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
In openvpn.conf do not use.
Dev tun Mismatch
In openvpn.conf do not use.
/run/openvpn/openvpn.status Permission denied
Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied
Do not start OpenVPN as root. Do not use sudo openvpn, because this will lead to permission issues. Files in the /run/openvpn folder are owned by root, so they cannot be overwritten by the user tunnel.
To start debug, run the following commands concurrently.
sudo /usr/sbin/openvpn --rmtun --dev tun0
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Linux ip link set failed: external program exited with error status: 2
Use ip_unpriv as documented above.
This only applies if resolvconf is used.
Permissions on two directories may need to be manually changed if they are not automatically applied. Check if changes are necessary via the following command.
ls -la /run/resolvconf
If the output lists tunnel as having read / write / execute permissions for both /run/resolvconf and /run/resolvconf/interface, then nothing needs modification. If tunnel is not listed as a group for one or both of these directories, then permissions need to be changed. In that case, run.
sudo chown --recursive root:tunnel /run/resolvconf
Then set the necessary permissions.
sudo chmod --recursive 775 /run/resolvconf
In /run/resolvconf, resolv.conf may or may not be owned by tunnel, depending on whether the systemd service has already started. There is no need to modify permissions on this file, as the permissions will change when the service starts.
Terminology for Support Requests
Phrases such as "over Tor" are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:
- How to Connect to a VPN Before Tor (User → VPN → Tor → Internet).
- How to Connect to Tor Before a VPN (User → Tor → VPN → Internet).
- And so on.
Always refer to the connection scheme when requesting support: User → VPN → Tor → Internet or User → Tor → VPN → Internet and so on.