How to download LXC version of OpenWRT and run it on Proxmox

The previous guides are nice, but actually there are just a few steps needed to have a running LXC-openWrt Host.
A bit overspecific.

Download from https://fra1lxdmirror01.do.letsbuildthe.cloud/images/openwrt/23.05/amd64/default/

copy your file in the correct folder.
scp rootfs.tar.xz root@pve2:/var/lib/vz/template/cache/openwrt_23.05_amd64_rootfs.tar.xz

create the container
root@pve2:~# pct create 155 /var/lib/vz/template/cache/openwrt_23.05_amd64_rootfs.tar.xz --arch amd64 --hostname vwrt.homelab.lan --rootfs pve-vm:2 --memory 1024 --cores 1 --description vwrt0-router --ostype unmanaged --unprivileged 1 --features nesting=1

So before we boot up that host, let's add some NICs
1734127431345.png


eth0 or eth0.2 is usually the WAN Port.
eth1 or eth0.1 is usually the LAN/Bridge Port.

so in my case it's veth0(WAN) and veth1(LAN)

change your network settings
root@vwrt:/# vi /etc/config/network
so it looks like:
root@vwrt:/# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'wan'
option ifname 'veth0'
option proto 'dhcp'

config interface 'wan6'
option ifname 'veth0'
option proto 'dhcpv6'

config interface 'lan'
option proto 'static'
option device 'veth1'
option netmask '255.255.255.nn'
option gateway '192.168.nn.nn'
option ipaddr '192.168.nn.nn'

restart your network service and check your ifconfig
root@vwrt:/# /etc/init.d/network restart
root@vwrt:/#
root@vwrt:/# ifconfig

veth1 should be online already.

give your host a ping to check if it is reachable

navigate to https://192.168.nn.nn

1734126764193.png

1734126913767.png


Wishes for Christmas
  • I'd like to see in Proxmox --ostype openwrt
  • and to have openwrt as lxc templates already available for download
 
other network settings also possible

like if you have a single NIC and you can do 802.1q VLANs on your internal switch.

1734129012400.png

root@vwrt:/# vi /etc/config/network
config interface 'wan6'
option proto 'dhcpv6'
option device 'veth0.2'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'

config interface 'lan'
option proto 'static'
option device 'veth0.1'
option netmask '255.255.255.nn'
option gateway '192.168.nn.nn'
option ipaddr '192.168.nn.nn'

config device
option type '8021q'
option ifname 'veth0'
option vid '2'
option name 'veth0.2'

config device
option type '8021q'
option ifname 'veth0'
option vid '1'
option name 'veth0.1'

In the GUI

1734128542311.png


1734128666837.png

1734128811891.png


1734128923101.png
 
I prefer to paste a chunk of text in the proxmox shell and have it work immediately.
In particular, not have to first create,chown,;./run_myscript.sh

I spent too much time trying to do stuff in the GUI. I need it working immediately and with all the needed applications pre-installed and pre-configured, keys uploaded etc.
 
OpenWrt 24.10 got released recently, but I can't seem to find an LXC image for it.

Any ETA on when the builds would get uploaded?
 
Hi all, I've set up an OpenWrt LXC CT router in my PVE.


However, as discussed in this topic, there is some diverging advice with regards to what/if passing additional LXC configs. As I'm not that well versed in LXC, I was wondering if anybody could give some feedback.

youtube config
The first config (from the aforementioned youtube video):
Code:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/ dev/net none bind,create=dir

If I understand it correctly, this allows for tun passthrough. This seems only necessary if you want your virtual OpenWrt CT to connect to a VPN. However, this seems like a bad idea because the container has access to the entire network?

bugzilla config
the second config (from robbert):
Code:
lxc.include: /usr/share/lxc/config/openwrt.common.conf
lxc.cap.drop: sys_admin
lxc.mount.entry: tmp tmp tmpfs rw,nodev,relatime,mode=1777 0 0
This restricts the container's administrative privileges and creates a tmp storage. What also piqued my interest is that there is an openwrt lxc conf, which leads me to the third config

openwrt config
The third (official) config:
Code:
lxc.include = /etc/lxc/default.conf
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = linux64

# find your ids via
# cat  /etc/s*id|grep $USER
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

# lan interface
lxc.net.0.type = veth

# wan interface
lxc.net.1.type = veth
lxc.net.1.link = lxcbr0

# adapt <user> and <vm-name>
lxc.rootfs.path = dir:/home/<user>/.local/share/lxc/<vm-name>/rootfs
Seems a bit overkill for proxmox? Isn't the lxc.idmap done by 'unprivileged=1'? Also, why doesn't this use the /usr/share/lxc/config/openwrt.common.conf?

I also noticed that the openwrt.common.conf uses cgroup instead of cgroup2, so maybe it's old/deprecated?
 
OpenWrt 24.10 build is available now: https://jenkins.linuxcontainers.org/job/image-openwrt/

Has anyone managed to get irqbalance running in an unprivileged openwrt lxc? I am seeing the following messages in logs:

Code:
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 136 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 136 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 137 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 137 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 125 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 125 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 127 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 127 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 123 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 123 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 126 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 126 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 139 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 139 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 128 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 128 affinity is now unmanaged
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: Cannot change IRQ 21 affinity: Permission denied
Mon Feb 10 18:09:17 2025 daemon.warn /usr/sbin/irqbalance: IRQ 21 affinity is now unmanaged

It seems to run fine on privileged lxc.
 
You might have to use the lxc.mount.entry and/or lxc.idmap along with adjusting the permission for the device files on your host.

Here is how I did that for my gpu drivers when I did a kind of passthrough or whatever it is called..

LXC_CONF_FILE="/etc/pve/nodes/proxmox/lxc/$vmid.conf"
echo "lxc.idmap: u 0 100000 65536" >> "$LXC_CONF_FILE"
echo "lxc.idmap: g 0 100000 44" >> "$LXC_CONF_FILE"
echo "lxc.idmap: g 44 44 1" >> "$LXC_CONF_FILE"
echo "lxc.idmap: g 45 100045 65491" >> "$LXC_CONF_FILE"
echo "lxc.mount.entry: /dev/nvidia0 dev/nvidia0 none bind,optional,create=file" >> "$LXC_CONF_FILE"
echo "lxc.mount.entry: /dev/nvidiactl dev/nvidiactl none bind,optional,create=file" >> "$LXC_CONF_FILE"
echo "lxc.mount.entry: /dev/nvidia-uvm dev/nvidia-uvm none bind,optional,create=file" >> "$LXC_CONF_FILE"
echo "lxc.mount.entry: /dev/nvidia-uvm-tools dev/nvidia-uvm-tools none bind,optional,create=file" >> "$LXC_CONF_FILE"

What is irqbalance for? I often see it mentioned but never researched its function. Is it for QoS or SQM stuff?
 
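As an added example (not written by any poster in this thread and not a Proxmox tool), the raw LXC lines discussed in the two posts above can be checked with a small POSIX shell function, hypothetically named audit_lxc_conf, that lists what a container config grants on top of the defaults: device allow rules, host bind mounts, identity idmaps such as g 44 44 1, and dropped capabilities. The sample config is constructed from lines quoted in those posts, and the HIGH/WARN/INFO labels are this example's own.

```shell
#!/bin/sh
# Added example (hypothetical helper): list what a container config grants.
# Accepts Proxmox "key: value" and native LXC "key = value" lines.
audit_lxc_conf() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
    {
      sep = match($0, /[:=]/)                    # first ":" or "=" ends the key
      if (!sep) next
      key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      split(val, f, /[ \t]+/)
    }
    key == "unprivileged" && val == "1" { unpriv = 1 }
    key ~ /^lxc\.cgroup2?\.devices\.allow$/ {
      # char 10:200 is the TUN/TAP node; "a" or a wildcard allows whole classes
      note = (f[1] == "c" && f[2] == "10:200") ? " (/dev/net/tun)" : ""
      lvl = (f[1] == "a" || f[2] ~ /\*/) ? "HIGH" : "WARN"
      printf "%s device %s %s access=%s%s\n", lvl, f[1], f[2], f[3], note
    }
    key == "lxc.mount.entry" && f[1] ~ /^\// && ("," f[4] ",") ~ /,r?bind,/ {
      printf "WARN host-bind %s -> %s\n", f[1], f[2]
    }
    key == "lxc.idmap" && f[2] == f[3] {         # container id == host id
      printf "WARN idmap-passthrough %s %s count=%s\n", f[1], f[2], f[4]
    }
    key == "lxc.cap.drop" { printf "INFO cap-drop %s\n", val }
    END { if (!unpriv) print "HIGH privileged container (no unprivileged: 1)" }
  ' "$1"
}

# Constructed sample, assembled from config lines quoted in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/ dev/net none bind,create=dir
lxc.cap.drop: sys_admin
lxc.mount.entry: tmp tmp tmpfs rw,nodev,relatime,mode=1777 0 0
lxc.idmap: u 0 100000 65536
lxc.idmap: g 44 44 1
EOF
audit_lxc_conf "$sample"
```

On a Proxmox host the function would be pointed at a container's config under /etc/pve; the tmpfs mount and the u 0 100000 65536 mapping produce no finding because neither exposes a host path or a host id.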
Irqbalance improves the performance by switching the load between different CPU cores.

https://openwrt.org/docs/guide-user/services/irqbalance

It is not related to QoS or SQM, which usually works only on single core which I came to know while reading through OpenWrt forums related to QoSmate.

Anyways, I’ll look into your suggestion and see if I can fix the permissions issue of irqbalance.
 
On the openwrt site, there is a oneliner to install OpenWRT. Is this not working?

And regarding upgrade, I really have to import the config again? Is there no “upgrade” way inside openwrt? Sorry for the questions but last time I used openwrt is long ago. I am planning to switch back to openwrt from opnsense due to a lot of QoS issues :/
 
This is my shell to create an OpenWrt container:

Code:
# Make sure you match your architecture
wget https://images.linuxcontainers.org/images/openwrt/24.10/amd64/default/20250213_11:57/rootfs.tar.xz -O /tank-raid1/proxmox/template/cache/openwrt-24.10.tar.xz

# for net, we don't set firewall=1 as openwrt does the routing
# mac must start with 0
pct create 100 /tank-raid1/proxmox/template/cache/openwrt-24.10.tar.xz \
    --arch amd64 \
    --hostname openwrt-router \
    --ostype unmanaged \
    --unprivileged 1 \
    --rootfs local-lvm:1 \
    --net0 name=eth0,bridge=vmbr0 \
    --net1 name=eth1,bridge=vmbr1
 