You can skip this troubleshooting chapter unless any difficulties are encountered.

== ip_unpriv vs ip-unpriv ==

There are two similar, yet distinct projects: standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. Although both are alike, there is one difference that might be encountered. For instance, in the [[#VPN Configuration File|VPN Configuration File]] section:

* Whonix TUNNEL_FIREWALL uses {{Code2|ip'''_'''unpriv}} (underscore)
* Standalone VPN-FIREWALL uses {{Code2|ip'''-'''unpriv}} (hyphen)

Be sure to use the right version of ip unpriv depending on whether VPN-FIREWALL or Whonix TUNNEL_FIREWALL is in use.

== 50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf ==

Like the example above:

* Whonix TUNNEL_FIREWALL uses <code>/usr/lib/tmpfiles.d/50_openvpn_unpriv.conf {{Code2|ip'''_'''unpriv}}</code> (underscore)
* Standalone VPN-FIREWALL uses  <code>/usr/lib/tmpfiles.d/50_openvpn-unpriv.conf {{Code2|ip'''-'''unpriv}}</code> (hyphen)

== Cannot ioctl TUNSETIFF ==

  <i>ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)</i>

In <code>openvpn.conf</code> do not use.

<pre>
dev tun
</pre>

Use.

<pre>
dev tun0
</pre>

== Dev tun Mismatch ==

In <code>openvpn.conf</code> do not use.

<pre>
dev tun
</pre>

Use.

<pre>
dev tun0
</pre>

== /run/openvpn/openvpn.status Permission denied ==

  <i>Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied</i>

To avoid permission issues, do <u>not</u>:
* start OpenVPN as root; or
* use <code>sudo openvpn</code>.

Files in the <code>/run/openvpn</code> folder are owned by root, so they cannot be overwritten by the user <code>tunnel</code>.

== debug start ==

To start debug, run the following commands successively.

{{CodeSelect|code=
sudo /usr/sbin/openvpn --rmtun --dev tun0
}}
{{CodeSelect|code=
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
}}
{{CodeSelect|code=
cd /etc/openvpn/
}}
{{CodeSelect|code=
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
}}

== Linux ip link set failed ==

  <i>Linux ip link set failed: external program exited with error status: 2</i>

Use ip_unpriv as documented above.

== Connectivity Test ==
{{connectivity_test}}

== DNS Configuration ==

This only applies if <code>resolvconf</code> is in use.

Permissions on two directories may need to be manually changed if they are not automatically applied. Check if changes are necessary with the following command.

{{CodeSelect|code=
ls -la /run/resolvconf
}}

If the output lists <code>tunnel</code> as having read / write / execute permissions for both <code>/run/resolvconf</code> and <code>/run/resolvconf/interface</code>, then nothing needs modification. If <code>tunnel</code> is not listed as a group for one or both directories, then permissions need to be changed. In that case, run.

{{CodeSelect|code=
sudo chown --recursive root:tunnel /run/resolvconf
}}

Then set the necessary permissions.

{{CodeSelect|code=
sudo chmod --recursive 775 /run/resolvconf
}}

In <code>/run/resolvconf</code>, <code>resolv.conf</code> may or may not be owned by <code>tunnel</code>, depending on whether the systemd service has already started. There is no need to modify permissions on this file, as the permissions will change when the service starts.

== Terminology for Support Requests ==

{{Tunnel_Terminology}}