LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-12-2018, 03:59 AM   #1
banderas20
LQ Newbie
 
Registered: Aug 2018
Posts: 18

Rep: Reputation: Disabled
Question OpenVPN tun0 missing


Hello,

I am following this tutorial to set up a VPN in Debian:

https://www.hugeserver.com/kb/how-to...ubuntu-debian/

when I have the keys and the "server.conf" already configured, I issue "ifconfig", and find out that I have not the necessary "tun0" interface.

¿Why is that so?

Besides, I expected to need 2 physical interfaces: one for the incoming traffic and the second to give VPN access to internal resources. I don't understand why "tun0" solves this issue and how....

Many thanks in advance!
 
Old 08-12-2018, 07:30 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,413

Rep: Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963
Quote:
Originally Posted by banderas20 View Post
Hello,
I am following this tutorial to set up a VPN in Debian:

https://www.hugeserver.com/kb/how-to...ubuntu-debian/
...and you've been following it (and others, apparently) for some time now:
https://www.linuxquestions.org/quest...ca-4175635834/
https://www.linuxquestions.org/quest...ca-4175636000/
https://www.linuxquestions.org/quest...sa-4175635749/
Quote:
when I have the keys and the "server.conf" already configured, I issue "ifconfig", and find out that I have not the necessary "tun0" interface.

¿Why is that so?

Besides, I expected to need 2 physical interfaces: one for the incoming traffic and the second to give VPN access to internal resources. I don't understand why "tun0" solves this issue and how....
Because you have not actually started the openVPN service, which creates the TUNx device. This is the fourth thread you've started about openVPN; the tutorials and guides on the Debian wiki are pretty clear, and even the link you posted in this thread explains the TUN device.
 
Old 08-12-2018, 09:48 AM   #3
banderas20
LQ Newbie
 
Registered: Aug 2018
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
This is the fourth thread you've started about openVPN; the tutorials and guides on the Debian wiki are pretty clear, and even the link you posted in this thread explains the TUN device.
Yes, the fourth. And I am trying to ask different questions in every thread to better understand what I'm doing. I apologize to any user that may be upset by them, and I have marked them as SOLVED.

I didn't know there was a limit on the number of threads. And maybe you understand the tutorials better since you have more than 20K posts. I guess that also means that you have far more experience in Linux than me. Forgive my lack of intelligence.

If you don't want to answer me, or think I'm dumb, no one forces you to reply.

All of your replies have a scent of superiority. Maybe you should read a tutorial on humility.

Thanks for showing me the path, Master.
 
Old 08-12-2018, 01:52 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,413

Rep: Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963
Quote:
Originally Posted by banderas20 View Post
Yes, the fourth. And I am trying to ask different questions in every thread to better understand what I'm doing. I apologize to any user that may be upset by them, and I have marked them as SOLVED.

I didn't know there was a limit on the number of threads.
There is not, but asking questions that differ only SLIGHTLY from one another, then not taking the advice/suggestions offered isn't good.
Quote:
And maybe you understand the tutorials better since you have more than 20K posts. I guess that also means that you have far more experience in Linux than me. Forgive my lack of intelligence. If you don't want to answer me, or think I'm dumb, no one forces you to reply. All of your replies have a scent of superiority. Maybe you should read a tutorial on humility. Thanks for showing me the path, Master.
And maybe you should quit being sarcastic, and follow instructions. When you first asked about using SSL to generate an RSA certificate, you were told "No, don't do that, they're different": https://www.linuxquestions.org/quest...sa-4175635749/

..then you follow it up with:
https://www.linuxquestions.org/quest...ca-4175635834/
https://www.linuxquestions.org/quest...ca-4175636000/

...where you **USE SSL**, despite being told they were different, and ignoring the instructions/tutorials that plainly told you how to use easy-rsa. And here you post a link that says specifically that the TUN device is created when openvpn is started....and ask us where the TUN device is? Sorry, these are all pretty self-explanatory...the how-to link you posted in this thread (if it's actually FOLLOWED), will get you an openVPN server up and running. You just need to follow the steps, and when you're told this, you come back with "scent of superiority" comments???

Either follow the instructions or don't. Your choice.
 
Old 08-12-2018, 02:51 PM   #5
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 164

Rep: Reputation: 29
Quote:
Besides, I expected to need 2 physical interfaces: one for the incoming traffic and the second to give VPN access to internal resources. I don't understand why "tun0" solves this issue and how....
If I got your question right. The number of the physical interfaces really depends on your network design. If you're setting up the OpenVPN server on your router machine, then yes, there should be 2 physical interfaces, one for the incoming internet traffic, the other one is for the local traffic. The virtual tun0 interface should be set up for the above mentioned first physical interface. The virtual interface purpose is to separate the 'foreign' internet traffic from the local VPN traffic coming from your VPN clients over the internet.
 
1 members found this post helpful.
Old 08-12-2018, 03:08 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,413

Rep: Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963
Quote:
Originally Posted by redfox2807 View Post
If I got your question right. The number of the physical interfaces really depends on your network design. If you're setting up the OpenVPN server on your router machine, then yes, there should be 2 physical interfaces, one for the incoming internet traffic, the other one is for the local traffic. The virtual tun0 interface should be set up for the above mentioned first physical interface. The virtual interface purpose is to separate the 'foreign' internet traffic from the local VPN traffic coming from your VPN clients over the internet.
True...but he also says that the TUN device isn't present, indicating the openVPN service hasn't yet been configured/started. The second interface, as you say, is optional, depending on the network topology. But no matter how many physical interfaces there are, if the openVPN service isn't configured/started, they won't be able to connect.
 
Old 08-13-2018, 02:01 AM   #7
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 164

Rep: Reputation: 29
Quote:
Originally Posted by TB0ne View Post
True...but he also says that the TUN device isn't present, indicating the openVPN service hasn't yet been configured/started. The second interface, as you say, is optional, depending on the network topology. But no matter how many physical interfaces there are, if the openVPN service isn't configured/started, they won't be able to connect.
Right, I guess he's trying to setup a VPN server lacking the basic knowledge of networking. So his question was about what the tun0 interface actually was.

Tun0 will be up after (as root):
Code:
systemctl start openvpn
Of course the service should start successfully without any errors
To autostart the service at boot:
Code:
systemctl enable openvpn
 
Old 08-13-2018, 06:56 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,413

Rep: Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963
Quote:
Originally Posted by redfox2807 View Post
Right, I guess he's trying to setup a VPN server lacking the basic knowledge of networking. So his question was about what the tun0 interface actually was. Tun0 will be up after (as root):
Code:
systemctl start openvpn
Of course the service should start successfully without any errors
To autostart the service at boot:
Code:
systemctl enable openvpn
Absolutely. But the OP has been pointed to step-by-step guides in this (and his other) openVPN threads.
 
Old 08-14-2018, 12:54 AM   #9
banderas20
LQ Newbie
 
Registered: Aug 2018
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by redfox2807 View Post
If I got your question right. The number of the physical interfaces really depends on your network design. If you're setting up the OpenVPN server on your router machine, then yes, there should be 2 physical interfaces, one for the incoming internet traffic, the other one is for the local traffic. The virtual tun0 interface should be set up for the above mentioned first physical interface. The virtual interface purpose is to separate the 'foreign' internet traffic from the local VPN traffic coming from your VPN clients over the internet.
That's the point. I didn't understand what was the purpose of the virtual TUN interface. And how it connected to the local traffic without the need for an additional physical interface.

Quote:
Originally Posted by redfox2807
Right, I guess he's trying to setup a VPN server lacking the basic knowledge of networking. So his question was about what the tun0 interface actually was. Tun0 will be up after (as root):
Code:

systemctl start openvpn

Of course the service should start successfully without any errors
To autostart the service at boot:
Code:

systemctl enable openvpn
I have issued "service openvpn restart" on Debian9 VM. ¿Isn't it the same? The command yields no errors, and tun0 still doesn't show up. I'll try to boot the entire machine.

Quote:
Originally Posted by TB0ne
Absolutely. But the OP has been pointed to step-by-step guides in this (and his other) openVPN threads.
As I said, I have restarted the service with no results.

And again. Sorry if I have opened many threads with slightly differences. I don't like to follow the tutorials or advices blindly without knowing what I'm doing. That's why I try to ask whenever I get stuck. I like to understand exactly what I'm doing. Otherwise I won't learn anything.

Thank you both.
 
Old 08-14-2018, 03:31 AM   #10
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 164

Rep: Reputation: 29
Quote:
I have issued "service openvpn restart" on Debian9 VM. ¿Isn't it the same? The command yields no errors, and tun0 still doesn't show up. I'll try to boot the entire machine.
So you have Debian inside a Debian virtual machine and want to setup a VPN server on it?
Then you better explain the details of your network topology as it's not an ordinary VPN installation. Starting from what kind of VM are you using, what type of the network setup are you using for your VM, etc.
What's the output of:
Quote:
journalctl -u openvpn
and
Quote:
ip addr show
What's the contents of your /etc/openvpn/server.conf?


Quote:
I didn't understand what was the purpose of the virtual TUN interface. And how it connected to the local traffic without the need for an additional physical interface.
As I said, you're trying to make a complex setup lacking the basic knowledge. Furthermore, you're increasing the complexity by using a VM with its sophisticated virtualized network realization. I'd suggest you using a physical maching having two physical interfaces first. Something like an old PC with an additional ethernet card installed. Setup it as a router and install an openvpn server over it.

Answering your question, networking supposes different levels of abstraction. If you're not familiar with the OSI model, then read about it. What a tun0 interface (and the whole VPN) REALLY is, it's a security measure and nothing more than that. Physically the packets flow throught the same wires. If we don't take isolated local networks into account, 'local network' is a logical term. If any of your local PCs is connected to the Internet, your local network actually IS a part of the Internet. The packets flow in, the packets flow out. It's just your router that decides which packet is let in/out, which one is not. There's nothing really that prevents you from letting everyone in and everyone out. So every PC having the right gateway and network settings will be able to use your local network. It would be a disaster from a security point of view, but physically its doable. So even without VPN it's the network administrator who has to decide how will the local traffic be separated from the Internet traffic. You have to decide it prior to any of your VPN activities. Yes, I know, with all those tiny user-friendly routers the things are much easier for the end-user nowadays. But we're talking about network administration here, right? Having done with that, you will have 2 differentiated traffics: the local one and the 'foreign' one from/to the Internet. Generally local traffic is for the machines within a restricted area that are physically connected to each other (no matter wired or wireless), whereas the Internet is the connections to/from the distanced machines outside the restricted area mentioned above. Now you want to let some of the distanced machines to be connected to your local network, while still keeping all the rest out. That's where the VPN steps in. It gives you a framework to identify the dinstanced machine and let in only the predefined ones. So that the traffic from those predefined machines is considered local even thought it's flowing thought the wires intended for the foreign one. So now we have both local and foreign traffic flowing though the same wires over the same interface. Still your router needs to differentiate one from the other and apply different firewall rules for each of them. Having assigned all the local one for that interface to a new virtual interface we are able to do it.

Hope that explains a bit.
 
Old 08-14-2018, 06:14 AM   #11
banderas20
LQ Newbie
 
Registered: Aug 2018
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
So you have Debian inside a Debian virtual machine and want to setup a VPN server on it?
Then you better explain the details of your network topology as it's not an ordinary VPN installation. Starting from what kind of VM are you using, what type of the network setup are you using for your VM, etc.
My physical host is a Windows machine with VMWare Workstation installed. Then I've set up a VM with Debian installed and one single NIC with NAT config (It could be bridged). What I was trying to do is first set up the OpenVPN and then create more VMs with different IP ranges simulating the "office LAN" environment. These VMs should be behind the Debian acting as VPN server. Then I would try to access the "office LAN" from the outside. That is: from my physical Windows machine.


Quote:
As I said, you're trying to make a complex setup lacking the basic knowledge. Furthermore, you're increasing the complexity by using a VM with its sophisticated virtualized network realization. I'd suggest you using a physical maching having two physical interfaces first. Something like an old PC with an additional ethernet card installed. Setup it as a router and install an openvpn server over it.
Yes, I know it would be more simple to have a physycal PC. But I have no spare machines.
In the past I built an environment with a first layer of VMs running 2 ESX servers with 6 NICs each. Then, on them, I installed a second layer of guest VMs whose hosts where also VMs.
What I'm trying to say is that I think that scenario was more complex that what I'm trying to do now.

Regarding that I lack the basic knowledge, honestly I think I have some knowledge about networking. I may not know some advanced features, but I think I'm not as newbie as you think....

Anyway, thanks for the explanation and for your help. I will post what you ask as soon as I get home. Maybe I will attach a Visio of what I'm trying to do.

Regards!
 
Old 08-14-2018, 07:41 AM   #12
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,413

Rep: Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963Reputation: 4963
Quote:
Originally Posted by banderas20 View Post
That's the point. I didn't understand what was the purpose of the virtual TUN interface. And how it connected to the local traffic without the need for an additional physical interface.
It's a virtual interface, much like a bond or bridge interface.
Quote:
I have issued "service openvpn restart" on Debian9 VM. ¿Isn't it the same? The command yields no errors, and tun0 still doesn't show up. I'll try to boot the entire machine.
Did you also issue a "service openvpn status" to see if it started? Did you look in the logs to see if there were any errors?? Basic troubleshooting?
Quote:
As I said, I have restarted the service with no results.
Sorry, haven't seen where you said you started things, only where you're asking where TUN0 is. You've not, to this point, mentioned that you issued a service start.
Quote:
And again. Sorry if I have opened many threads with slightly differences. I don't like to follow the tutorials or advices blindly without knowing what I'm doing. That's why I try to ask whenever I get stuck. I like to understand exactly what I'm doing. Otherwise I won't learn anything.
Yes, but as in the case of generating your certificate, you were told specifically that you COULD NOT use openSSL...and promptly ignored that advice. We're happy to answer questions, but when you get answers and ignore them...there's little else we can tell you. Following things up with sarcastic comments also doesn't give people a whole lot of reason to try to help either.
Quote:
Yes, I know it would be more simple to have a physycal PC. But I have no spare machines. In the past I built an environment with a first layer of VMs running 2 ESX servers with 6 NICs each. Then, on them, I installed a second layer of guest VMs whose hosts where also VMs. What I'm trying to say is that I think that scenario was more complex that what I'm trying to do now.
You really only need one VM for this. Set up one Linux system, and follow that how-to guide...it really isn't harder than that. Port 1194 UDP is the default for openVPN, and if this is a test, there's no need to change the default config. Put the IP address of the VM box in there. If this is a testing/learning box, then you can make it easy, and disable the firewalls totally...while this is not best practices, this will let you learn how to address openVPN first, and verify it works, before moving on. From there, once you KNOW openVPN works, you can enable the firewall and learn how to route things and get a better, clearer picture. Doing both at once when you're not familiar with them can be confusing, since you won't know which piece isn't working or is giving you problems.

If you have ANY other system on your network (Windows, Mac, whatever..), you can load a VPN client on it, and test the connection. Doesn't have to be Linux.
 
1 members found this post helpful.
Old 08-14-2018, 08:58 AM   #13
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 164

Rep: Reputation: 29
Quote:
Originally Posted by banderas20 View Post
My physical host is a Windows machine with VMWare Workstation installed. Then I've set up a VM with Debian installed and one single NIC with NAT config (It could be bridged). What I was trying to do is first set up the OpenVPN and then create more VMs with different IP ranges simulating the "office LAN" environment. These VMs should be behind the Debian acting as VPN server. Then I would try to access the "office LAN" from the outside. That is: from my physical Windows machine.
I see two issues here. First, you have to take care that all those VMs are inside a single network and can see each other. Second, your host machine is definitely a part of that network. It can see any of those VMs directly. So testing a client on it is like setting up your server inside a local network. I assume you could use the layered approach you mentioned where layer 1 is the VPN server and layer 2 is the local network, but I don't have experience with that. Anyway I still don't get what's your ultimate goal is. Why do you need all that complexity at all? Why setting up a VPN server in a VM and connecting from the host as a client to it isn't enough? All that office networks simulation stuff has nothing to do with VPN. It's the matter of routing, firewalling, etc.
 
Old 08-14-2018, 01:17 PM   #14
banderas20
LQ Newbie
 
Registered: Aug 2018
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
It's a virtual interface, much like a bond or bridge interface.
I get that. Now. What is its purpose? Why not use 2 physical NICs? One for the external client and another for the LAN side?

"service openvpn status"
Code:
penvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: 
   Active: active (exited) since Tue 2018-08-14 19:59:44 CEST; 3min 23s ago
  Process: 536 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 536 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 19660)
   CGroup: /system.slice/openvpn.service

Aug 14 19:59:44 debian9 systemd[1]: Starting OpenVPN service...
Aug 14 19:59:44 debian9 systemd[1]: Started OpenVPN service.
OK. If I issue "tail /var/log/myvpn/openvpn.log"
Code:
root@debian9:/etc/openvpn# tail /var/log/myvpn/openvpn.log
Options error: --cert fails with '/etc/openvpn/keys/debian9.cert': No such file or directory
Options error: Please correct these errors.
The problem was with the extension. It's not .cert. It's .crt

Now tun0 appears (but I still don't get its purpose, as I kindly ask you in the first lines of this post). No sarcasm. Seriously

Quote:
I see two issues here. First, you have to take care that all those VMs are inside a single network and can see each other. Second, your host machine is definitely a part of that network. It can see any of those VMs directly. So testing a client on it is like setting up your server inside a local network. I assume you could use the layered approach you mentioned where layer 1 is the VPN server and layer 2 is the local network, but I don't have experience with that.
I'll take that into account. Thanks for the advice
Quote:
Anyway I still don't get what's your ultimate goal is. Why do you need all that complexity at all? Why setting up a VPN server in a VM and connecting from the host as a client to it isn't enough? All that office networks simulation stuff has nothing to do with VPN. It's the matter of routing, firewalling, etc.
I think it's the way it works when you want to connect to your office via VPN from home.
I know the rest has to do with routing and firewalling. I'll get to that later. That's why I have made it so complex. I want to cover as many concepts as possible in one machine. It's like a full project. This way I also train in multiple things.

PS: I have checked this howto https://community.openvpn.net/openvp...gingAndRouting, and under "Using routing" ther is a basic drawing of what I want to do. The thing is that I thought OpenVPN would give eth1 clients directly a IP of the range 192.168.0.1/24 via eth0, but I see tun0 is needed between to set iptables config. ¿Is that so?

Thank you both for your support and sorry for the manners. Let's start over again

Last edited by banderas20; 08-15-2018 at 02:53 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Should tun0 ip address match on both client and server (openvpn) snovosel112811 Linux - Newbie 1 01-19-2017 08:10 PM
(OpenVPN) Route one user's traffic into tun0 with iptables Märk Owen Linux - Networking 0 05-20-2015 08:45 PM
iptables + openvpn + eth0 and tun0 shadyabhi Linux - Networking 3 01-18-2011 03:44 AM
iptables question with OpenVPN (tun0 to tun0 filtering) fang0654 Linux - Server 3 09-30-2009 02:17 AM
OpenVPN : need help with understanding tun0 and P-t-P jonaskellens Linux - Networking 3 08-24-2009 01:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration