How to Enable TUN/TAP on Linux VPS
TUN/TAP is enabled by default on every SkySilk VPS!
Once enabled, please see below for information on activating TUN/TAP and enabling specific devices.
Activating the TUN device
When using a VPN, a special network device is used by the system to add a tunnel (TUN) to your virtual network stack.
We have enabled this device by default on all of our VPS offerings, however, you will need to activate it from within your virtual machine by running the following commands as root:
cd /dev mkdir net mknod net/tun c 10 200 chmod 0666 net/tun
Script to Activate TUN at Startup
The above commands will need to be run every time the virtual machine starts, so we can create a convenient script which runs those commands automatically on machine startup.
We will then add this script to the /etc/rc.local directory, which ensures that the script will run once the machine has booted for any reason.
Create the following script in /usr/sbin/tunscript.sh using your favorite text editor (like nano):
#!/bin/bash mkdir /dev/net mknod /dev/net/tun c 10 200 chmod 0666 /dev/net/tun
Make sure that the script is executable:
chmod +x /usr/sbin/tunscript.sh
and add the script to /etc/rc.local so that it looks similar to this: (Note: If /etc/rc.local file does not exist, create the file in the /etc/ directory with the command "touch /etc/rc.local" )
/usr/sbin/tunscript.sh || exit 1 exit 0
The or (||) exit 1 will report a failure if the script failed to run. The exit 0 denotes the end of rc.local, and reports that rc.local has run successfully.
Now the TUN device will be created every time the system boots.
Note: On some Linux distributions you may receive this error when attempting to access the device after enabling TUN/TAP:
tun: Operation not permitted
If that is the case please send us a support ticket with your TUN/TAP enable request, and we will manually enable the device.
Why do I need to do this?
In order to provide a secure virtual environment, user access to system devices is strictly controlled. The devices subsystem of Linux is used to allow or deny access to specified system devices, such as FUSE mounts or hard drives. At an administrative level, this is controlled by adding or removing devices from the Device Whitelist for each user's control group. Furthermore, each VPS has it's own control group, which takes advantage of the Linux kernel's no-nonsense enforcement of permissions to isolate VMs from one another.
The TUN/TAP interface is a system device found in the network stack, and the commands mentioned here create a file which allows your operating system to access that device. While each VPS has it's own private virtual network stack, certain system devices are disabled to prevent exploitation of your neighbors.
Fortunately, the TUN/TAP interface is secure and enabled for all of our VPS offerings, but must be manually activated when needed as a security precaution.
The device is activated by running the mknod command, which creates a special file used by the operating system to communicate with the device. The arguments for this command denote the file, type, major number and minor number.
In this case, we are specifying that the /dev/net/tun file is a c, or character device - which means the system will treat the data in the file as characters, as opposed to blocks for a block device. The major and minor numbers are essentially the address for the device, where 10 is a miscellaneous category, and 200 specifically denotes the /dev/net/tun interface.
For a complete list of devices available, click here.
Can you enable a device on my VPS?
We would be happy to! Please send us a support ticket with your request, and we will review it ASAP.