Solved --device /dev/net/tun not working anymore after Docker update 18.09.0-0513

Currently reading
Solved --device /dev/net/tun not working anymore after Docker update 18.09.0-0513

Shadow

Shadow

Media Trophy
777
291
NAS
DS216+II, DS118, DS718+, DS720+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
This morning I decided to update all my NAS'es. Running DSM updates and updating packages
One of the packages to be updated is Docker, going to version 18.09.0-0513 .

After the update, I noticed my NordVPN ( azinchen/nordvpn ) container no longer wants to reboot. After re-creating the container, I get this error message:

Code: 
docker: Error response from daemon: linux runtime spec devices: error gathering device information while adding custom device "/dev/net/tun": no such file or directory.

The command I use to re-create the container is:
docker run -ti --cap-add=NET_ADMIN --device /dev/net/tun --name nordvpn4 --hostname nordvpn4 --restart=always --network physical_network_noproxy --ip 192.168.0.196 --dns 192.168.1.194 \

-e USER=[email protected] -e PASS='****' -e COUNTRY=Switzerland -e RECREATE_VPN_CRON="5 */3 * * *" -e NETWORK='192.168.0.0/24;192.168.1.0/24;192.168.3.0/24' -e RANDOM_TOP=10 -e TECHNOLOGY=OpenVPN -e PROTOCOL=openvpn_udp -e CATEGORY='Standard VPN servers' -e TZ='Europe\Amsterdam' -e OPENVPN_OPTS='--pull-filter ignore "ping-restart" --ping-exit 180' -p 8080:80 -d azinchen/nordvpn
Click to expand...

According to the Docker Hub documentation the " --cap-add=NET_ADMIN --device /dev/net/tun" method is to give the container some extra, but restricted, priviliges to what it needs to run. This ofcourse has the preference then giving it full privileges.

Does anyone know what I can do to find a solution? I could try to start the container with full priviliges, but I'd rather not do that.
Should I open a ticket with Synology to ask why this method has stopped working?
 
Even though, I doubt that I can contribute a solution, i'd like to share some thoughts/details.

Judging be the man pages, I can see why a vpn container requires NET_ADMIN to perform actions that need privilged permissions.
https://www.man7.org/linux/man-pages/man7/capabilities.7.html said:
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options:
SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
Click to expand...

On a DS918+ I can not see either the device /dev/net or the subdevice /dev/net/tun. The --device argument just "passes in" an existing device. If it's not existing, there is nothing to pass-in.

You must have had something like a vpn client installed on the ds that actualy created the /dev/net/tun device for you. Are you sure you just updated the docker package and did nothing else?

Maybee, I am completly mistaken and it gets created magicaly (witch would kind of surprise me), but could someone with working vpn connection check his system if /dev/net/tun exists?
 
Hello,
Sorry i'm french ;)

Download TUN.sh : https://download.gg/en/file-10531520_e405828393a12e7a
Or create :
Code: 
#!/bin/sh

# Create the necessary file structure for /dev/net/tun
if ( [ ! -c /dev/net/tun ] ); then
  if ( [ ! -d /dev/net ] ); then
    mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
  chmod 0755 /dev/net/tun
fi

# Load the tun module if not already loaded
if ( !(lsmod | grep -q "^tun\s") ); then
  insmod /lib/modules/tun.ko
fi

In SSH :
( in example TUN.sh is located to /volume1/folder )
sudo su -

cd /volume1/folder

make executable
chmod 0755 TUN.sh

execute
./TUN.sh

Source : [TUTO] rtorrent/rutorrent au travers d'un VPN OpenVPN
 
one-eyed-king said:
You must have had something like a vpn client installed on the ds that actualy created the /dev/net/tun device for you. Are you sure you just updated the docker package and did nothing else?
Click to expand...

Well I also updated my DSM to 6.2.3-25426 ...

And isn't a VPN client available by default in DSM?

1590930157987.png


one-eyed-king said:
Maybee, I am completly mistaken and it gets created magicaly (witch would kind of surprise me), but could someone with working vpn connection check his system if /dev/net/tun exists?
Click to expand...

Well when I discovered this, I held off updating my other NAS (DS718+) which is also running NordVPN docker containers. Sorry I'm a linux noob. How can I show you the /dev/net/tun, on that NAS?
 
The encoding of the file is not good.
Did you use the downloaded file or copy paste?
 
Rusty said:
I have it on all my NAS regardless of VPN being active or not
Click to expand...

As the device is missing on my system, I was trying to figure out wheter you guys installed something that created it or my installation is just messed up ^^ Though, shadows post about the TUN.sh script makes be thing that it isn't there by default and is created by an installed package or an executed command...
 
one-eyed-king said:
As the device is missing on my system, I was trying to figure out wheter you guys installed something that created it or my installation is just messed up ^^ Though, shadows post about the TUN.sh script makes be thing that it isn't there by default and is created by an installed package or an executed command...
Click to expand...
Well on one nas I have never had a need to use vpn in any shape or form and yet, its there
 
EVOTk said:
The encoding of the file is not good.
Did you use the downloaded file or copy paste?
Click to expand...


one-eyed-king said:
As the device is missing on my system, I was trying to figure out wheter you guys installed something that created it or my installation is just messed up ^^ Though, shadows post about the TUN.sh script makes be thing that it isn't there by default and is created by an installed package or an executed command...
Click to expand...

Funny enough I copy/pasted the contect in Notepad++ and saved it accordingly. So after that I downloaded it based on your replies.

EVOTk said:
Download TUN.sh : https://download.gg/en/file-10531520_e405828393a12e7a
Click to expand...

And now it works! Also my NordVPN docker container is working again. Thank you all!

Now I can start updating my other NAS. :)

one-eyed-king said:
As the device is missing on my system, I was trying to figure out wheter you guys installed something that created it or my installation is just messed up ^^ Though, shadows post about the TUN.sh script makes be thing that it isn't there by default and is created by an installed package or an executed command...
Click to expand...

I wouldn't know what it may be. The containers worked before..
And when setting up my new DS718+ I didn't do anything VPN related except for running the VPN client on vDSM, before moving to NordVPN on Docker..
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Register

Log in

Already have an account? Log in here.

Similar threads

S
Docker and ioBroker - getting ESPhome to work (multihost, device adoption)
Well - I suppose it does work: pi@raspberrypi:~ $ telnet 192.168.178.135 9002 Trying 192.168.178.135...
Replies
10
Views
2,080
sebhoff
S
B
ASP.NET & Synology Diskstation
A few years back I tried "Mono" successfully, it wasn't running in a Docker-container back then though...
Replies
1
Views
3,115
oRBIT
oRBIT

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Register

Trending threads

Back
Top