How can I let other lxc containers use the OpenVPN (server)-lxc

Apr 27, 2020
Hi,

I have a Turnkey Linux OpenVPN LXC running on the Proxmox 6.3 host. This LXC also connects to a DuckDNS subdomain.
This OpenVPN lxc works fine, several other physical machines (laptops, mobile phones etc) are able to connect to the VPN.

The KVM Virtual machines (Debian / Ubuntu) I'm running are also able to use the VPN service, via ovpn-files and the Network manager.
So now I want my lxc containers to use the same VPN-service (through the OpenVPN lxc) as well.
The lxc containers are all based on Ubuntu 20.04.
Can someone provide a detailed description of what I should do to accomplish this?
- for privileged containers
- for unprivileged containers.

Thanks in advance for your support.
OpenVPN needs tun/tap interfaces. But tun/tap interfaces are prohibited for LXC until you configure them in the LXC config file. There is no web interface to add the options.

Howto: https://vroomtech.io/enable-tuntap-in-a-proxmox-lxc-container/

What works for me is to add at the end of the XXX.conf container file:
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow: c 10:200 rwm

Can't remember where I took this from.

I use Pritunl, it uses OpenVPN inside, and works with no issue and a tiny footprint: 256 of 515M memory used and less than 1G disk used. But I never have more than a couple of connections and my traffic is very low, mostly SSH and web management.

I am not sure if it will work in an unprivileged container - but you may try.
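As an added example (not from the thread or from Proxmox), a small POSIX shell helper that checks a container config for the two lines quoted above and appends whichever is missing, idempotently. On a Proxmox host the config lives at /etc/pve/lxc/CTID.conf; the sample config below is constructed for the demo, and the cgroup key is the v1 key used on PVE 6.x (on PVE 7+ with cgroup v2 the key is lxc.cgroup2.devices.allow).

```shell
#!/bin/sh
# Added example, not the thread's or Proxmox's own code.
# Lines that let OpenVPN in the CT open /dev/net/tun (char device 10:200).
TUN_MOUNT='lxc.mount.entry: /dev/net dev/net none bind,create=dir'
TUN_ALLOW='lxc.cgroup.devices.allow: c 10:200 rwm'   # cgroup v1 key (PVE 6.x)

# has_tun_access CONF -> exit 0 only if both lines are present verbatim.
has_tun_access() {
    grep -qxF "$TUN_MOUNT" "$1" && grep -qxF "$TUN_ALLOW" "$1"
}

# ensure_tun_access CONF -> append only the line(s) that are missing,
# so running it twice never duplicates entries.
ensure_tun_access() {
    conf=$1
    grep -qxF "$TUN_MOUNT" "$conf" || printf '%s\n' "$TUN_MOUNT" >> "$conf"
    grep -qxF "$TUN_ALLOW" "$conf" || printf '%s\n' "$TUN_ALLOW" >> "$conf"
}

# demo_conf -> path to a constructed CT config without tun access
# (stands in for /etc/pve/lxc/CTID.conf on a real host).
demo_conf() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
arch: amd64
cores: 2
hostname: openvpn
memory: 512
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: debian
rootfs: local-lvm:vm-101-disk-0,size=8G
unprivileged: 0
EOF
    echo "$conf"
}
```

After editing a real config, restart the CT and confirm with `pct exec CTID -- ls -l /dev/net/tun` that the device node is visible inside it.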
Hello,

Doesn't work for me for an unprivileged container on PVE 6.3-3. Any idea?

Try privileged. I am not sure it can work in unprivileged mode.
I thought it used to work with unprivileged containers, that was what the bind mount was for: use the tun device node from the host, because unprivileged containers can't create device nodes...
From here I guess that the syntax for bind mounts may have changed, thus the line
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
might not be valid any more? It has no effect; at least, I don't see any /dev/net in my CT. I couldn't figure out how to bind mount the device node (PVE 6.3-3); the doc cited above mentions that but doesn't give the syntax or examples.
I tried
Code:
mp0: /dev/net,mp=/dev/net
but the CT doesn't start.