Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

maximevince · June 19, 2021, 7:27pm

I am creating a custom openvpn client snap,
since I want my Ubuntu Core device to auto-connect to my VPN, wherever it’s located on the planet.

However, designing this snap, I hit the following issue:

OpenVPN is starting with my .ovpn config, and then:

    Sat Jun 19 19:10:48 2021 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
    Sat Jun 19 19:10:48 2021 Exiting due to fatal error

My snap has following plugs:

    plugs:
      - network
      - network-bind
      - network-control
      - firewall-control

I could not find any AppArmor DENIEDs, either.

Any clue if creating a tun device is supported in a snap? And if so, how?

maximevince · June 19, 2021, 8:03pm

I proceeded to add all network-related plugs I could find, and it now works:

    plugs:
      - network
      - network-bind
      - network-control
      - network-manager
      - network-setup-control
      - network-status
      - firewall-control

I have yet to find out which one of these actually did the trick. The snapcraft documentation is really lacking here…

ogra · June 19, 2021, 10:42pm

most likely network-setup-control solved it …
you should use the snappy-debug snap and run it in a second terminal, that might have given the correct hints

maximevince · June 20, 2021, 9:02am

I am still very new to this. It’s a bit hard to find the right tools / logs / output sometimes.
Thanks for the ‘snappy-debug’ hint!

maximevince · June 20, 2021, 12:56pm

I can confirm it was the network-setup-control which was required.

This is now the list of required plugs for my openvpn snap:

      - network
      - network-bind
      - network-control
      - network-setup-control