How to download LXC version of OpenWRT and run it on Proxmox

kavejo

Hi,

I am looking to run an OpenWRT container to provide network access to my VMs.

I have seen on https://us.images.linuxcontainers.org/ that there is a template built for OpenWRT 19.07.
When I run pveam available, the containers at the URL above are not listed but other ones are listed instead.

Looking at https://bugzilla.proxmox.com/show_bug.cgi?id=2044, this seems to have been requested already.
I have just updated the bug informing about the availability of a pre-built template from https://us.images.linuxcontainers.org/images/openwrt/.

Is there any chance to have this container included in the ones Proxmox VE has access to?
Otherwise, is there an easy way to download it from the linuxcontainers.org images repository using pveam?

Thank you.
 
hi,

you can use wget to download the rootfs (rootfs.tar.xz) to your PVE host and use it as a template (however since this isn't officially supported by PVE some things may not work properly)
 
Thank you @oguz,

Would I need to convert the file from tar.xz to tar.gz? Do I need to observe any specific naming convention in the way I rename the file?

Thank you.
 
i think it should work as tar.xz
place it on one of your storages with CT templates (for example local) and use it as the template while running CT creation wizard
 

Thanks for the info. I tried this with the latest Arch Linux and all seems to be working just fine.

I am wondering, are there any changes that the Proxmox team made to the provided archlinux-base template?

Or is it simply an LXC archlinux template from September 2019?
Weirdly enough, the latest Arch Linux template has working networking and the provided one (from Sept. 2019) breaks when updated.

Thanks!
 
Hi All.

I have used an LXC/LXD openwrt 21.02 image from Canonical but I cannot get any Internet on the LAN. The openwrt router has Internet access, I can install packages, and use diagnostic utilities. It might be an issue with openwrt firewall not loading properly as I can access Luci via WAN interface which is normally blocked. Has anyone else come across this? Many thanks.
 
I was following this post to install openwrt in a Proxmox LXC, and I have the same problem. From openwrt I can access the internet, but any VM behind openwrt is not able to ping any machine outside Proxmox.
I noticed that iptables -L does not show any iptables rules, so I updated something in the firewall settings via the LuCI web UI, and the iptables rules seemed to appear. After that I added some NAT rules in the firewall and suddenly everything worked, but after I rebooted openwrt, everything stopped working again. I tried to redo all the work, but had no luck.

Btw, installing openwrt as a VM seems to work well; I just see a constant small CPU usage (1-2%) on the Proxmox dashboard, but inside the openwrt VM the CPU usage is zero, not sure why.
 
Hi. I have used a Snapshot image of OpenWrt and it's working as expected. https://uk.lxd.images.canonical.com/images/openwrt/snapshot/amd64/default/
Download one of the available images, and create your container in the Proxmox shell.
Code:
pct create 301 local:vztmpl/openwrt-20221011-rootfs.tar.xz --rootfs local-lvm:0.256 --ostype unmanaged --hostname openwrt --arch amd64 --cores 1 --memory 256 --swap 0 --unprivileged 1
Now, create a new Linux bridge in Proxmox (e.g. 192.168.3.0/24).
Add 2 new network devices to your new container eth0 (this is the OpenWrt WAN interface, so I connected mine to vmbr0 for Internet access) and eth1 (LAN interface in OpenWrt - connected to new linux bridge vmbr1)
Start your container and from the Proxmox shell connect to it.
Code:
pct enter 301
Update packages, install nano and luci
Code:
opkg update
opkg install nano
opkg install luci-ssl
/etc/init.d/uhttpd restart
Edit the firewall configuration to allow HTTPS traffic from WAN. nano /etc/config/firewall
Add this to end of file and save with Ctrl + X
Code:
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option name 'Allow-WAN-Web'

Get your WAN ip address with ip a | grep eth0 and reboot the container.

Open a browser tab and go to https://ContainerWanIP, log in and change your root password.

Now go to Network -> Interfaces -> Add new interface.

Name: lan
Protocol: Static address
Device: eth1

Click Create Interface. Now add...

IP Address: 192.168.3.1 (or whatever subnet you wish to use)
IPv4 Netmask: 255.255.255.0

Click Firewall Settings tab and select LAN from the dropdown list and on the DHCP server tab, select Setup DHCP server and then click Save.

Now move a VM to vmbr1 and test connectivity. Thank you.
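
The rule in the post above accepts TCP 443 from the whole wan zone, which puts the LuCI login on the WAN side. As an added example (not part of the original post), this script lists every rule in an OpenWrt firewall config that accepts from wan without a `src_ip` restriction; the function names, the second rule and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list firewall rules that ACCEPT
# traffic from the wan zone with no src_ip restriction.

# audit_wan_accept CONFIG_FILE -> one "name<TAB>dest_port" line per finding
audit_wan_accept() {
    awk -v q="'" '
    function emit(   n, p) {
        if (in_rule && o["src"] == "wan" &&
            toupper(o["target"]) == "ACCEPT" && !("src_ip" in o)) {
            n = ("name" in o) ? o["name"] : "(unnamed)"
            p = ("dest_port" in o) ? o["dest_port"] : "any"
            printf "%s\t%s\n", n, p
        }
        split("", o); in_rule = 0     # reset state for the next section
    }
    $1 == "config" { emit(); in_rule = ($2 == "rule"); next }
    in_rule && ($1 == "option" || $1 == "list") {
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)  # keep value only
        sub(/[ \t]+$/, "", v)
        gsub("^[" q "\"]|[" q "\"]$", "", v)                   # strip quotes
        o[$2] = v
    }
    END { emit() }
    ' "$1"
}

# Constructed sample: the rule from the post plus a source-restricted variant.
sample_config() {
    cat <<'EOF'
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option name 'Allow-WAN-Web'

config rule
    option name 'Allow-Admin-Web'
    option src 'wan'
    option src_ip '192.0.2.10'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
EOF
}

f=$(mktemp); sample_config > "$f"; audit_wan_accept "$f"; rm -f "$f"
```

On the router the input would be /etc/config/firewall; stock WAN rules that have no `src_ip` are listed as well, so the output is a review list rather than a list of faults.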
 
OpenWRT 21 does not seem to NAT correctly for some reason. I have the same problem, the LXC can ping a wan address but anything on the lan doesn't make it through. I was also able to get it working just once by fiddling with NAT but then I lost it and can't seem to get it working again.

OpenWRT 22.03 seems to pass traffic in an LXC just fine. In fact, I was able to get openvpn, mwan3, wireguard, even iphone backup working, and more with a week's worth of work. Where I'm stumped at the moment is getting ipset working. This is needed to complete my dynamic (best attempt) split vpn working properly as I have it configured in pfsense today. This appears to be a problem because ipset is not compiled in the latest dnsmasq version: https://forum.openwrt.org/t/dnsmasq-full-ipset-support-removed-in-master/150274/5


Why:
The efficiency potential for this is incredible.

VM: Pfsense/Opnsense Lan -> IP (VM) routing speed (iperf3) is ~ 3 Gbps for me. And that's with many months of trying things (pci pass through, etc). I noticed

LXC: openwrt 21 direct can do ~ 55 Gbps but no routing
LXC: openwrt 22 can route ~ 22 Gbps! And pretty much everything works as expected except ipset

I only need ~1.2 gbps to max out my home internet provider but I'm mainly after the efficiency gains on this. The cpu usage is drastically reduced.

My hardware is Intel(R) Pentium(R) Gold 7505 (quad 2.5 gbps intel nics)
 
@Brandon168 following this post. I have set up a couple 22.03 OpenWRT LXC to see if they might be a more efficient and performant option as my home network router/firewall.

It’s early days, but do you have resources on mwan3 for a dual WAN setup you can point me toward?

I plan to try and replicate my simple WireGuard home network access and adguard home use on Openwrt before any potential switch from OPNsense.

Lastly, how do you update the OpenWRT firmware when run as an LXC with the least and shortest impact on your network? Install new and restore from backup? Maybe I am missing something obvious there.
 
Nice. Please share your findings. I’m excited about getting this all to work.

I pretty much followed this: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

Imho WireGuard with openwrt seems much more straightforward than via pfsense. I know my outbound route is working but I can’t easily test the inbound until this switches over to primary.

Upgrading the “firmware” is an open question of mine as well. I don’t know how to go about this easily. Worst case, I’m thinking backup production, restore to the upgraded lab and see how it goes. Honestly, I’m not excited about this route though.

It’s looking like pfsense will remain my primary for a while longer while a few of these things are ironed out.
 
updated my test OpenWRT LXC from 22.03.4 to 22.03.5 by creating a new container then restoring it from a backup of the 22.03.4 config I made. Can't figure out how to update the already running container.

OpenWrt in LXC containers
 
Hey Vesalius,

Thanks for the link, I'm glad they're temporarily available. I'm going to mirror that site (https://images.linuxcontainers.org/images/) for the time being - if anyone 6mos from now needs a copy, I will do my best to create a large archive and if enough people want it I'll publish to https. Using wget for the mirror so it should be easy enough to create a DMZ web server and host it as an archive with Let's Encrypt.


Tmanok
 
Update for anyone desperate to get their hands on images when they're no longer available, I've used wget to mirror them and then hosted them in one of my personal hypervisor clusters in my DMZ. Let's Encrypt was also used on the webserver for added security:

https://linuxcontainers.mirror.lightyearlabs.ca/

Please let me know if you have any trouble reaching the site, I'll do my best to leave it alone for as long as possible (ideally a couple years) and I may refresh the mirror. Mind you I will of course perform infrastructure maintenance from time to time. For example, there is a brand new OPNSense virtual firewall in front of my DMZ, but I may set it up in HA paired mode in the future. It's worth noting, I do not have a huge bandwidth at the location I'm hosting from, it's a 32U rack full of my equipment but I've rationed out the networking so this archive is limited to 6MB/s. If there is a lot of demand I will try to make some adjustments. Downloading a debian rootfs.tar.xz takes <20 seconds and an Ubuntu desktop .qcow2 (1GB) takes <5 minutes for a single user right now.

Final comment, I've not changed a single file on the webserver at this time, but I may decide to:
  1. Update the initial index.html to indicate to users that the site is an archive.
  2. "Refresh" the mirror if I detect changes on the source (https://images.linuxcontainers.org/images)
  3. Some files may not have been 100% copied across, meaning there is a chance that they were damaged. The archive is 320GB, I have not verified the entire thing in order to quickly setup this archive for public (emergency or reference) access.
If you happen to have any other wastes of disk space- I mean good causes to mirror or archive, let me know and I will consider it. When my bandwidth increases, I am considering the idea of hosting an apt mirror for my region long-term.

Cheers,


Tmanok
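
Both the wget suggestion earlier in the thread and the unverified mirror described above leave the integrity of the downloaded rootfs.tar.xz unchecked. As an added example (not from any poster), this script compares the archive with a SHA256SUMS file before copying it into a CT template directory; it assumes a SHA256SUMS file was fetched from the same image directory, and the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a downloaded rootfs.tar.xz
# against a SHA256SUMS file before it is copied into a CT template directory.

# verify_rootfs SUMS_FILE TARBALL -> 0 match, 1 mismatch, 2 not listed
verify_rootfs() {
    name=$(basename "$2")
    # Lines look like "<hex>  <name>" or "<hex> *<name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# install_template SUMS_FILE TARBALL DEST_DIR DEST_NAME
# Copies only after a successful check, under a descriptive name.
install_template() {
    if verify_rootfs "$1" "$2"; then
        cp "$2" "$3/$4"
    else
        echo "refusing to install $2: checksum check failed" >&2
        return 1
    fi
}

# Constructed sample data: a stand-in file instead of a real image.
make_sample() {
    mkdir -p "$1/dl" "$1/cache"
    printf 'constructed stand-in for a rootfs archive\n' > "$1/dl/rootfs.tar.xz"
    (cd "$1/dl" && sha256sum rootfs.tar.xz > SHA256SUMS)
}

demo() {
    d=$(mktemp -d)
    make_sample "$d"
    install_template "$d/dl/SHA256SUMS" "$d/dl/rootfs.tar.xz" \
        "$d/cache" openwrt-rootfs.tar.xz && echo "intact copy: installed"
    # Simulate a truncated or damaged transfer.
    printf 'x' >> "$d/dl/rootfs.tar.xz"
    install_template "$d/dl/SHA256SUMS" "$d/dl/rootfs.tar.xz" \
        "$d/cache" damaged.tar.xz || echo "damaged copy: rejected"
    rm -rf "$d"
}
demo
# On a PVE host DEST_DIR would be the CT template directory of the chosen
# storage (assumed here: /var/lib/vz/template/cache for "local").
```

A checksum file taken from the same server as the archive catches damaged or incomplete copies; it does not show that the server's content is the original publisher's.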
 