How to enable tun/tap in a LXC container?

martinmp

New Member
Nov 12, 2013
1
0
1
Palma de Mallorca, Spain
Hi! I need to enable the tun device to run a tinc VPN but I can't create the tun device.
I have tested several solution from internet but all fails.
Any help?

Thanks.
Sorry for my english.
 
Hello @martinmp,

I just did some quick testing. You can make a tap device in the following way:

Set this in your Proxmox LXC config file /etc/pve/lxc/<nnn>.conf (Don't do this directly in /var/lib/lxc/<nnn>/config because it will be overwritten on next start of the container.)
Code:
lxc.cgroup.devices.allow: c 10:200 rwm

Then start your container, enter it's shell and do:
Code:
mkdir /dev/net
mknod /dev/net/tun c 10 200
ip tuntap add mode tap
--show it
ip link

I haven't done any testing yet if it is usable though. So succes.
Maybe here you can find usable scripts:
https://www.stgraber.org/2014/09/26/vpn-in-containers/
 
  • Like
Reactions: Shankar
I did it a little differently.
I made the settings directly in the configuration and did not have to do anything more in the LXC container.

nano /etc/pve/lxc/<nnn>.conf
Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

This then looked like this:
1648906310672.png

I was able to run my Wireguard installer directly.

I took this one, by the way:
Code:
wget git.io/wireguard -O wireguard-install.sh && bash wireguard-install.sh
 
Last edited:
I wanted to post a reply because there wasn't info on the web for MY search and I want to make sure someone else can find it. You always have to ask the RIGHT questions, don't you?

I was/am trying to get tailscale setup on an Ubuntu Server 22.04 - tailscaled.service was failing because /dev/net/tun wasn't present... so I went searching for tailscale, tailscaled.service, /dev/net/tun fails, etc etc etc. The correct question would have been Tailscaled.service fails on a Proxmox LXC container. :P

Last, the solution above that worked for me was adding the TWO lines of text to xxx.conf in the /etc/pve/lxc directory on my PVE system... the two lines were:
```
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
```
Once added to my xxx.conf file, and the lxc container rebooted, /dev/net/tun was present - tailscale installed and went up perfectly.

Hope this helps someone else searching in the future.
 
I wanted to post a reply because there wasn't info on the web for MY search and I want to make sure someone else can find it. You always have to ask the RIGHT questions, don't you?

I was/am trying to get tailscale setup on an Ubuntu Server 22.04 - tailscaled.service was failing because /dev/net/tun wasn't present... so I went searching for tailscale, tailscaled.service, /dev/net/tun fails, etc etc etc. The correct question would have been Tailscaled.service fails on a Proxmox LXC container. :p

Last, the solution above that worked for me was adding the TWO lines of text to xxx.conf in the /etc/pve/lxc directory on my PVE system... the two lines were:
```
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
```
Once added to my xxx.conf file, and the lxc container rebooted, /dev/net/tun was present - tailscale installed and went up perfectly.

Hope this helps someone else searching in the future.
This put me in the right direction but didn't work. I had to make a small change to the first line:

Code:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Reboot container and voila!
 
Last edited:
  • Like
Reactions: rgrfr
@rar1871:
Interesting that this did the trick for you, great to see it helped you out.

If I see it right, you only changed 'cgroup' into 'cgroup2'.
As I'm fairly new to this (and also try to make TUN/TAP working for my OpenVPN server CT), I'd be curious to know why this change worked for you.

What exactly did it affect?

Update:
Found the answer here:
Add the following lines at the end (if you're using PVE < 7.0, change `cgroup2` with `cgroup`)
 
Last edited:
  • Like
Reactions: Phobes and rar1871
@rar1871:
Interesting that this did the trick for you, great to see it helped you out.

If I see it right, you only changed 'cgroup' into 'cgroup2'.
As I'm fairly new to this (and also try to make TUN/TAP working for my OpenVPN server CT), I'd be curious to know why this change worked for you.

What exactly did it affect?

Update:
Found the answer here:
Add the following lines at the end (if you're using PVE < 7.0, change `cgroup2` with `cgroup`)
Thanks for this, I was struggling to get a VPN working and hadn't realized that cgroup was changed to cgroup2 for 7.0 and above!
 
  • Like
Reactions: romayojr
@rar1871:
Interesting that this did the trick for you, great to see it helped you out.

If I see it right, you only changed 'cgroup' into 'cgroup2'.
As I'm fairly new to this (and also try to make TUN/TAP working for my OpenVPN server CT), I'd be curious to know why this change worked for you.

What exactly did it affect?

Update:
Found the answer here:
Add the following lines at the end (if you're using PVE < 7.0, change `cgroup2` with `cgroup`)
The same solution also happens to work when trying to run rootless podman in an LXC (NixOs in my case):
Code:
podman run hello-world
✔ docker.io/library/hello-world:latest
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob c1ec31eb5944 done   |
Copying config d2c94e258d done   |
Writing manifest to image destination
Error: /nix/store/s7fjjj2sydyrilgbl7h0vf7zgzriqw8n-podman-4.7.2/libexec/podman/slirp4netns failed: "open(\"/dev/net/tun\"): No such file or directory\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"
 
Thanks for this, I was struggling to get a VPN working and hadn't realized that cgroup was changed to cgroup2 for 7.0 and above!
this solution also worked for me by changing cgroup to cgroup2. now the tun device is enabled for my lxc container to be able to run gluetun VPN successfully. thanks!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!