Openvpn in container LXC

AndAsh

Member
Jul 16, 2020
Hello, openvpn does not start in an unprivileged lxc container.
The tun interface is connected - these instructions have been added to the container configuration:
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow: c 10:200 rwm
But when starting openvpn, an error is issued:
Code:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Diffie-Hellman initialized with 2048 bit key
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
ROUTE_GATEWAY 197.177.0.254/255.255.255.0 IFACE=eth0 HWADDR=5e:f3:68:01:a0:05
TUN/TAP device tun0 opened
Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
/sbin/ip link set dev tun0 up mtu 1500
openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)
Exiting due to fatal error
Tun is owned by nobody/nogroup
Code:
ls -l /dev/net
итого 0
crw-rw-rw- 1 nobody nogroup 10, 200 июл 16 09:57 tun
Please help me solve this problem.
 
hi,

the /dev/net/tun on the host needs to belong to the unprivileged user inside the container.

so you can run on your PVE host: chown 100000:100000 /dev/net/tun to set the owner correct, and then it shouldn't complain about permissions.
 
Code:
chown 100000: 100000 / dev / net / tun
chown: change owner '/ dev / net / tun': Invalid argument
 
see the command I've written. you have extra spaces
 
It's not about spaces, the directory is mounted from the host and the owner with the rights is set on mount.
Therefore, they cannot be redefined in the container.
How to specify owner and rights when mounting?
 
It's not about spaces, the directory is mounted from the host and the owner with the rights is set on mount.
Therefore, they cannot be redefined in the container.
How to specify owner and rights when mounting?

you need to run the chown command I wrote a couple posts earlier on your PVE host where the container is.

(this is because you're using a bind mount, so the permissions need to be set on the host, where the original directory is.)

you can literally copy paste it and it should work.
 
What's the best way to maintain the device ownership across host boots?
Also, is there some way to make the ownership change every time the container boots?
 
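A host-side preflight for the situation discussed in this thread, added here as an example (it is not from the thread or from Proxmox): it checks that the container config carries the two entries shown above and that /dev/net/tun on the host is owned by the container's root uid:gid. It assumes the default PVE idmap (container root = host uid/gid 100000) and accepts either the cgroup v1 key from the thread or the cgroup v2 form `lxc.cgroup2.devices.allow`.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the PVE host, not inside the container.
# Assumption: default idmap, so container root is host uid/gid 100000.

# Return 0 if the config has both entries the thread shows: the bind mount of
# /dev/net and the device allow rule for char major 10, minor 200 (tun).
lxc_conf_has_tun() {
    conf="$1"
    grep -Eq '^lxc\.mount\.entry:[[:space:]]*/dev/net[[:space:]]+dev/net[[:space:]]+none[[:space:]]+bind' "$conf" || return 1
    grep -Eq '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm' "$conf" || return 1
    return 0
}

# Return 0 if the device node is owned by the expected host uid:gid, else 1.
# Ownership is checked on the host because a bind mount carries host ownership
# into the container, where chown on the node is rejected (as seen in the thread).
tun_owner_ok() {
    dev="$1"; want="$2"
    have=$(stat -c '%u:%g' "$dev") || return 1
    [ "$have" = "$want" ]
}

# Full preflight: prints what is wrong and returns non-zero on any failure.
# Arguments: <lxc config> [device path] [expected uid:gid]
tun_preflight() {
    conf="$1"; dev="${2:-/dev/net/tun}"; want="${3:-100000:100000}"
    rc=0
    lxc_conf_has_tun "$conf" || { echo "missing mount/device entries in $conf"; rc=1; }
    tun_owner_ok "$dev" "$want" || { echo "$dev is not owned by $want (run: chown $want $dev on the host)"; rc=1; }
    return $rc
}
```

Running `tun_preflight /etc/pve/lxc/<ctid>.conf` on the host before starting the container reports both of the failure modes from this thread in one place.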