Template:VPN-Firewall/Troubleshooting

You can skip this troubleshooting chapter unless you notice any issues.

ip_unpriv vs ip-unpriv

There are two similar but distinct projects: Standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. They share many similarities, but there is one difference you might stumble upon, in chapter #VPN Configuration File.

  • Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

So make sure you are using the right spelling of ip unpriv for the project you are using, VPN-FIREWALL or Whonix TUNNEL_FIREWALL.

50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf

Similar to the above:

  • Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf with ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf with ip-unpriv (hyphen)

Cannot ioctl TUNSETIFF

ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

In openvpn.conf, do not use:

dev tun

Use:

dev tun0

Dev tun mismatch

In openvpn.conf, do not use:

dev tun

Use:

dev tun0

/run/openvpn/openvpn.status Permission denied

Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied

Do not start openvpn as root, and do not use "sudo openvpn". Doing so leads to permission issues: files in the /run/openvpn folder end up owned by root, so they cannot be overwritten by user tunnel.

debug start

Debug start from the command line:

sudo /usr/sbin/openvpn --rmtun --dev tun0
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
cd /etc/openvpn/
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

Linux ip link set failed

Linux ip link set failed: external program exited with error status: 2

Use ip_unpriv as documented above.

DNS Configuration

If you are using resolvconf only:

You may need to manually change permissions on two directories if they are not applied automatically. Check whether changes are necessary by running the following command:

ls -al /run/resolvconf

If the output lists tunnel as the group with read/write/execute permissions for both /run/resolvconf and /run/resolvconf/interface, then you do not need to modify anything. If tunnel is not listed as the group for one or both of these directories, then you need to change the group ownership, like so:

sudo chown --recursive root:tunnel /run/resolvconf

Then set the permission bits:

sudo chmod --recursive 775 /run/resolvconf

In /run/resolvconf, resolv.conf may or may not be owned by tunnel depending on whether the systemd service has started already or not. There is no need to modify permissions on this file, as its permissions will change when the service starts.
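As an added example (not from the Whonix documentation), the following shell function automates the ls -al inspection above: for each directory it checks that the group owner is tunnel and that the group bits are rwx, and prints the chown or chmod command from this section for any directory that fails. It assumes GNU stat (Linux); the group name and directory list default to the ones named on this page.

```shell
#!/bin/sh
# Added example, not part of the VPN-Firewall project itself.
# Usage: check_resolvconf_perms [GROUP] [DIR...]
# Returns 0 when every directory is group-owned by GROUP with rwx group
# bits, 1 when at least one directory needs fixing (or does not exist).
check_resolvconf_perms() {
    group="${1:-tunnel}"
    if [ "$#" -gt 0 ]; then
        shift
    fi
    # Default to the two directories the documentation tells you to inspect.
    if [ "$#" -eq 0 ]; then
        set -- /run/resolvconf /run/resolvconf/interface
    fi
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING    $dir (is resolvconf running?)"
            rc=1
            continue
        fi
        # GNU stat: %G = group name, %A = symbolic mode such as drwxrwxr-x
        owner_group=$(stat -c '%G' "$dir")
        mode=$(stat -c '%A' "$dir")
        # Characters 5-7 of the symbolic mode are the group's r/w/x bits.
        group_bits=$(printf '%s' "$mode" | cut -c5-7)
        if [ "$owner_group" != "$group" ]; then
            echo "FIX-GROUP  $dir is group $owner_group, expected $group" \
                 "-> sudo chown --recursive root:$group $dir"
            rc=1
        elif [ "$group_bits" != "rwx" ]; then
            echo "FIX-MODE   $dir group bits are $group_bits, expected rwx" \
                 "-> sudo chmod --recursive 775 $dir"
            rc=1
        else
            echo "OK         $dir ($owner_group $mode)"
        fi
    done
    return "$rc"
}
```

Run it with no arguments on the VPN-Firewall machine; a non-zero exit status means one of the two commands above still has to be applied.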

Terminology for Support Requests

Phrases such as "over Tor" are ambiguous. Please avoid coining your own terms; that leads to people talking past each other. Please use the same terms that are consistently used in the documentation, such as:

  • How to connect to a VPN before Tor (User -> VPN -> Tor -> Internet)
  • How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)
  • etc.

Always refer to the connection scheme, for example User -> VPN -> Tor -> Internet or User -> Tor -> VPN -> Internet.