Arbitrary tun device name for openvpn?

Hi,

I have made a script which loads every vpn that my vpn provider has, so I can switch between servers easily in my router.

I can maintain 10 concurrent connections and instead of using tun0 to tun9 I would like to use the name of the vpn as the tun device name

example

openvpn.beetvpn_asia_jakarta_5=openvpn
openvpn.beetvpn_asia_jakarta_5.auth='SHA256'
openvpn.beetvpn_asia_jakarta_5.auth_nocache='1'
openvpn.beetvpn_asia_jakarta_5.auth_user_pass='/etc/openvpn/beetvpn.auth'
openvpn.beetvpn_asia_jakarta_5.ca='/etc/openvpn/beetvpn.ca'
openvpn.beetvpn_asia_jakarta_5.cipher='AES-256-GCM'
openvpn.beetvpn_asia_jakarta_5.client='1'
openvpn.beetvpn_asia_jakarta_5.compress='stub-v2'
openvpn.beetvpn_asia_jakarta_5.dev='beetvpn_asia_jakarta_5'
openvpn.beetvpn_asia_jakarta_5.dev_type='tun'
openvpn.beetvpn_asia_jakarta_5.enabled='1'
openvpn.beetvpn_asia_jakarta_5.nobind='1'
openvpn.beetvpn_asia_jakarta_5.persist_key='1'
openvpn.beetvpn_asia_jakarta_5.persist_tun='1'
openvpn.beetvpn_asia_jakarta_5.port='53'
openvpn.beetvpn_asia_jakarta_5.proto='udp'
openvpn.beetvpn_asia_jakarta_5.remote='asia-id5.321inter.net'
openvpn.beetvpn_asia_jakarta_5.tls_cipher='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'
openvpn.beetvpn_asia_jakarta_5.tls_client='1'
openvpn.beetvpn_asia_jakarta_5.tls_crypt='/etc/openvpn/beetvpn.tlscrypt'
openvpn.beetvpn_asia_jakarta_5.verb='3'

This appears to make the connection but then it fails with a tls timeout a while later

Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: TCP/UDP: Preserving recently used remote address: [AF_INET]103.150.61.218:53
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: UDP link local: (not bound)
Thu Oct 17 08:46:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: UDP link remote: [AF_INET]103.150.61.218:53
Thu Oct 17 08:47:57 2024 daemon.err openvpn(beetvpn_asia_jakarta_5)[4860]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 17 08:47:57 2024 daemon.err openvpn(beetvpn_asia_jakarta_5)[4860]: TLS Error: TLS handshake failed
Thu Oct 17 08:47:57 2024 daemon.notice openvpn(beetvpn_asia_jakarta_5)[4860]: SIGUSR1[soft,tls-error] received, process restarting

Tun (whatever) has nothing to do with the tunnel itself.

If the TLS fails, it is the tunnel that has the problem.

tun is the local virtual network to the router in this case.

Not all OSes can deal with device names for OpenVPN which do not start with tun or tap; OpenWRT does work with fancy names :slight_smile:
However I would advise against it as e.g. the PBR package checks for tunX
But you can use things like tunjakarta, or tunusa etc.

As already remarked, your error is not related to the naming of the device
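
Added example (not part of the thread, not code from OpenWrt or PBR): a shell helper that a generator script like the one in the question could use to turn a section name into a device name that keeps the tun prefix recommended above and fits the 15-character limit Linux places on interface names. The function name `tun_devname` and every sample section name except `beetvpn_asia_jakarta_5` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive a tun-prefixed, kernel-safe device name
# from an OpenVPN section name. tun_devname is a hypothetical helper.

IFNAME_MAX=15   # Linux IFNAMSIZ is 16 bytes including the trailing NUL

tun_devname() {
    section=$1
    # Lowercase and keep only letters and digits.
    clean=$(printf '%s' "$section" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    [ -n "$clean" ] || return 1          # nothing usable left

    name="tun$clean"
    if [ "${#name}" -le "$IFNAME_MAX" ]; then
        printf '%s\n' "$name"
        return 0
    fi

    # Too long: keep the last 8 characters (usually city + index) and
    # append 4 hex digits of a checksum of the full section name, so two
    # sections with the same tail are unlikely to get the same device.
    keep=$((IFNAME_MAX - 3 - 4))
    tail_part=$(printf '%s' "$clean" | tail -c "$keep")
    sum=$(printf '%s' "$section" | cksum | cut -d' ' -f1)
    tag=$(printf '%04x' $((sum % 65536)))
    printf 'tun%s%s\n' "$tail_part" "$tag"
}

# Constructed sample section names; only the first one is from the thread.
for s in beetvpn_asia_jakarta_5 beetvpn_usa_1 jakarta; do
    printf '%-26s -> %s\n' "$s" "$(tun_devname "$s")"
done
```

The result can be written to the section's `dev` option while `dev_type` stays `tun`, as in the configuration shown in the question.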

Thank you, I have been doing lots of testing.

I could swear it was working and it broke when I changed the tun device names

But I put it back to tun0 and it still doesn't work.

woopsies !

I will debug this and report later.

BTW, this is part of making a simple proxmox script to make an openwrt LXC container with vpn pre-loaded

Lastly, you mentioned pbr

I did some research and I was going to figure out if pbr was the right solution for me.

My goal will be to create macvlan alias of the LAN interface, one autocreated for each vpn connection, with its own IP provided by my dhcp server.

From what I understand, pbr will deal with enabling NAT between

tun_beetvpn_asia_jakarta_5 and macvlan_beetvpn_asia_jakarta_5

Is that how it works ? Is that the software that will let me do that ?

thanks !

PBR in essence creates routing tables per (OpenVPN) interface and lets you create routing rules to use that specific table
So you can have a specific SSID (or vlan, client, subnet, mac address, etc.) and let that use a specific tunnel
See: https://docs.openwrt.melmac.net/pbr/