diff --git a/sys/net/if_tuntap.c b/sys/net/if_tuntap.c
--- a/sys/net/if_tuntap.c
+++ b/sys/net/if_tuntap.c
@@ -649,7 +649,7 @@
 			error = cv_wait_sig(&tp->tun_cv, &tp->tun_mtx);
 		else
 			cv_wait(&tp->tun_cv, &tp->tun_mtx);
-		if (error != 0) {
+		if (error != 0 && tp->tun_busy != 0) {
 			tp->tun_flags &= ~TUN_DYING;
 			TUN_UNLOCK(tp);
 			return (error);
@@ -663,8 +663,18 @@
 	TAILQ_REMOVE(&tunhead, tp, tun_list);
 	mtx_unlock(&tunmtx);
 
-	/* destroy_dev will take care of any alias. */
-	destroy_dev(tp->tun_dev);
+	/*
+	 * destroy_dev will take care of any alias.  For transient tunnels,
+	 * we're being called from close(2) so we can't destroy it ourselves
+	 * without deadlocking, but we already know that we can cleanup
+	 * everything else and just continue to prevent it from being reopened.
+	 */
+	if ((tp->tun_flags & TUN_TRANSIENT) != 0) {
+		tp->tun_dev->si_drv1 = tp->tun_dev;
+		destroy_dev_sched(tp->tun_dev);
+	} else {
+		destroy_dev(tp->tun_dev);
+	}
 	seldrain(&tp->tun_rsel);
 	knlist_clear(&tp->tun_rsel.si_note, 0);
 	knlist_destroy(&tp->tun_rsel.si_note);
@@ -1108,6 +1118,16 @@
 	struct tuntap_softc *tp;
 	int error __diagused, tunflags;
 
+	/*
+	 * Transient tunnels do deferred destroy of the tun device but want
+	 * to immediately cleanup state, so they clobber si_drv1 to avoid a
+	 * use-after-free in case someone does happen to open it in the interim.
+	 * We avoid using NULL to be able to distinguish from an uninitialized
+	 * cdev.
+	 */
+	if (dev->si_drv1 == dev)
+		return (ENXIO);
+
 	tunflags = 0;
 	CURVNET_SET(TD_TO_VNET(td));
 	error = tuntap_name2info(dev->si_name, NULL, &tunflags);