sing-box tun error (permission denied) on Slate 7 (GL-BE3600)

Hi everyone!
I have a problem with Slate 7 (GL-BE3600)

After I installed sing-box and related packages I’ve got:

sing-box run -c /etc/sing-box/config.json
FATAL[0000] start service: start inbound/tun[tun-in]: configure tun interface: permission denied

What I installed before:

opkg install kmod-inet-diag kmod-netlink-diag kmod-tun iptables-nft

Part of config:

...
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "domain_strategy": "prefer_ipv4",
      "interface_name": "tun-sb",
      "address": ["100.127.0.1/30", "fd00:127:0:1::1/126"],
      "mtu": 9000,
      "auto_route": true,
      "route_exclude_address": [
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "169.254.0.0/16",
        "fc00::/7",
        "fe80::/10"
      ],
      "iproute2_table_index": 2022,
      "iproute2_rule_index": 9000,
      "auto_redirect": true,
      "auto_redirect_input_mark": "0x2023",
      "auto_redirect_output_mark": "0x2024",
      "stack": "system",
      "endpoint_independent_nat": true,
      "sniff": true,
      "sniff_override_destination": true
    }
  ],
...

I noticed this, but not sure if it's related:

cat /etc/modules.conf 
# examples:
# options mod1 option=val
# blacklist mod2
blacklist iptable_mangle
blacklist ip6table_mangle
blacklist iptable_nat
blacklist ip6table_nat
blacklist iptable_raw
blacklist ip6table_raw
blacklist iptable_filter
blacklist ip6table_filter

Help me please.

Maybe I'm thinking this easy, not much experience with sing-box.

But I have my suspicion Sing-Box uses either a deprecated method to create tun interfaces, and thus fails; you basically want a dummy DSA device with the exact same name and see if the script will continue.

You can do that in luci:

Network > interfaces > devices tab -> click add -> select network device and try to match name.

It can also be a configuration error which prevents the creation of the tun device. IMHO 9000 MTU is a bit high, especially considering not all network equipment and/or ISPs can handle this; try 1500 and subtract 30 each time until 1200 minimum and check if that does something.

It could be an issue with the sanitizing of IPv6 strings; try a very simple config with no IPv6, the less the better.

I just played with copy-paste too much — the problem was I had IPv6 in the config, and since it is disabled on my router, I encountered that error.

Now it works. I created a tun interface and added a default rule with different metrics - all traffic is routed by rules.

Thank you for your response.

2 Likes
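
A preflight check for the failure resolved above, as an added example that is not part of any post in this thread: it lists IPv6 prefixes on tun inbounds and reports whether the Linux host has IPv6 disabled. The sample config is constructed from the one posted above, the function names are hypothetical, and the config file is assumed to be plain JSON.

```python
import ipaddress
import json
import sys
from pathlib import Path

# tun inbound fields from the config in this thread that can hold IPv6 prefixes
FIELDS = ("address", "route_exclude_address")
SYSCTL = Path("/proc/sys/net/ipv6/conf/all/disable_ipv6")  # Linux: "1" = disabled

# Constructed sample: the tun inbound posted above, trimmed to the relevant keys
SAMPLE = {"inbounds": [{
    "type": "tun", "tag": "tun-in",
    "address": ["100.127.0.1/30", "fd00:127:0:1::1/126"],
    "route_exclude_address": ["10.0.0.0/8", "fc00::/7", "fe80::/10"],
}]}

def is_v6(prefix):
    return ipaddress.ip_interface(prefix).version == 6

def as_list(value):
    return [value] if isinstance(value, str) else list(value)  # tolerate a bare string

def host_ipv6_disabled(sysctl=SYSCTL):
    try:
        return sysctl.read_text().strip() == "1"
    except OSError:
        return True  # file missing: no IPv6 support loaded in the kernel

def ipv6_entries(config):
    """(tag, field, prefix) for each IPv6 prefix found on a tun inbound."""
    return [(ib.get("tag", "?"), f, p)
            for ib in config.get("inbounds", []) if ib.get("type") == "tun"
            for f in FIELDS for p in as_list(ib.get(f, [])) if is_v6(p)]

def strip_ipv6(config):
    """Deep copy of config with IPv6 prefixes removed from tun inbounds."""
    cleaned = json.loads(json.dumps(config))
    for ib in cleaned.get("inbounds", []):
        if ib.get("type") == "tun":
            for f in FIELDS:
                if f in ib:
                    ib[f] = [p for p in as_list(ib[f]) if not is_v6(p)]
    return cleaned

if __name__ == "__main__":
    cfg = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE
    hits = ipv6_entries(cfg)
    for tag, field, prefix in hits:
        print(f"{tag}: {field} has IPv6 prefix {prefix}")
    sys.exit(1 if hits and host_ipv6_disabled() else 0)
```

Run it on the router itself (python3 must be installed there) so the sysctl check reflects the device; on a workstation only the prefix listing is meaningful.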