OpenVPN no longer needs lxc.cgroup.devices.allow and lxc.hook.autodev

[naisanza]

Upon 2 nights and 14 hours of troubleshooting later, it turns out Proxmox 4.4-1/eb2d6f1e no longer needs the following lines of code inside /etc/pve/lxc/<container>.conf

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

With these two lines of code that was needed before, an OpenVPN client could connect to the VPN service, but client traffic would never leave the container (as seen from traffic analysis from the client, firewall, and container)

I don't know why this is, maybe a kernel update, maybe something else. I don't know, but I'm just glad it's back to working again

 

[LnxBil]

Maybe you changed something inside your LXC policies, but it does not work without the setting in vanilla pve-manager/4.4-13/7ea56165:

Jun 10 13:24:58 gateway daemon.err /etc/init.d/openvpn[212]: TUN/TAP support is not available in this kernel

Jun 10 13:24:58 gateway daemon.err /etc/init.d/openvpn[198]: ERROR: openvpn failed to start

(for the test i commented the lxc-stuff out and afterwards back in to ensure that it works again)

 

[naisanza]

Maybe you changed something inside your LXC policies, but it does not work without the setting in vanilla pve-manager/4.4-13/7ea56165:

Unless it changed when the server was turned off for maintenance and back on again. I don't know what changed.

Everything is vanilla on the server with zero system-wide changes, except for the container config in /etc/pve/lxc/<container>.conf

Where can you find the global LXC policies?