PVE 7 OpenVPN (LXC) problem: Cannot open TUN/TAP dev

[stepanov1975]

Just want to share the working configuration.
I wanted to run OpenVPN in Docker container inside LXC and got the following error:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
After some research, I found that adding the following to /etc/pve/lxc/xxx.conf solves the problem:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The LXC also need to be privileged

 

[Moayad]

Hi,

Thank you for sharing!
Did you follow our wiki guide about OpenVPN in LXC and get that error?

 

[stepanov1975]

Hi,

Thank you for sharing!
Did you follow our wiki guide about OpenVPN in LXC and get that error?

No. I didn't find this tutorial

 

[Moayad]

I guess if you followed that guide you will not have an issue. However, thank you again for sharing your solution

 

[AColdDayInJuly]

Just want to share the working configuration.
I wanted to run OpenVPN in Docker container inside LXC and got the following error:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
After some research, I found that adding the following to /etc/pve/lxc/xxx.conf solves the problem:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The LXC also need to be privileged

This VERY much helped me, so thank you. Just need to find a new keyboard after hitting my head on it for two days.

 

[Morphushka]

So what I know for now:

For unprivileged containers:

Wiki page is correct OpenVPN in LXC, it is works well when you install openvpn inside lxc.
If you want to use docker openvpn image, then you get errors:

Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted

or if try to create this device inside image with mknod:

mknod: /dev/net/tun: Operation not permitted

As far as device nodes are files, we can bind tun device from lxc to docker:

-v /dev/net/tun:/dev/net/tun

Also docker container need NET_ADMIN capability for routing and interface configuration ability. Linux capabilities

version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun

Works for me on debian 11 lxc and pve 7.3-6

For privileged containers both variations work:

lxc.mount.entry: /dev/net dev/net none bind,create=dir

or

lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

But privileged lxc is unsafe and I wouldn't recommend give it more privilege then needed.

 

[Dilnane]

So what I know for now:

For unprivileged containers:

Wiki page is correct OpenVPN in LXC, it is works well when you install openvpn inside lxc.
If you want to use docker openvpn image, then you get errors:

Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted

or if try to create this device inside image with mknod:

mknod: /dev/net/tun: Operation not permitted

As far as device nodes are files, we can bind tun device from lxc to docker:

-v /dev/net/tun:/dev/net/tun

Also docker container need NET_ADMIN capability for routing and interface configuration ability. Linux capabilities

version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun

Works for me on debian 11 lxc and pve 7.3-6

For privileged containers both variations work:

lxc.mount.entry: /dev/net dev/net none bind,create=dir

or

lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

But privileged lxc is unsafe and I wouldn't recommend give it more privilege then needed.

Thanks a lot exactly same issue for docker inside LXC, the "-v /dev/net/tun:/dev/net/tun" made it works for me
My Pve version :

root@pve:~# pveversion
pve-manager/7.3-3/c3928077 (running kernel: 5.15.74-1-pve)

My LXC config :

root@pve:~# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 1
features: nesting=1
hostname: my_lxc
memory: 1024
net0: name=eth0,bridge=vmbr10,firewall=1,gw=192.168.X.X,hwaddr=72:74:F8:51:XX:XX,ip=192.168.X.X/24,type=veth
ostype: debian
rootfs: local-lvm:vm-102-disk-0,size=16G
swap: 1024
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside my LXC, my docker version:

root@my_lxc:~# docker --version
Docker version 23.0.3, build 3e7cbfd

My docker image:

root@my_lxc:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

root@VPNproxy:~# uname -a
Linux VPNproxy 5.15.74-1-pve #1 SMP PVE 5.15.74-1 (Mon, 14 Nov 2022 20:17:15 +0100) x86_64 GNU/Linux

my docker run command:

docker run \
        --detach \
        --restart=no \
        --cap-add=NET_ADMIN \
        --volume=/dev/net/tun:/dev/net/tun \
        --publish XXXX:YYYY \
        --tmpfs /etc/xxxxx:exec \
        --name dummy \
        "dummy/dummy:latest"

 

[Smvb64]

Thanks a lot exactly same issue for docker inside LXC, the "-v /dev/net/tun:/dev/net/tun" made it works for me
My Pve version :

root@pve:~# pveversion
pve-manager/7.3-3/c3928077 (running kernel: 5.15.74-1-pve)

My LXC config :

root@pve:~# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 1
features: nesting=1
hostname: my_lxc
memory: 1024
net0: name=eth0,bridge=vmbr10,firewall=1,gw=192.168.X.X,hwaddr=72:74:F8:51:XX:XX,ip=192.168.X.X/24,type=veth
ostype: debian
rootfs: local-lvm:vm-102-disk-0,size=16G
swap: 1024
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside my LXC, my docker version:

root@my_lxc:~# docker --version
Docker version 23.0.3, build 3e7cbfd

My docker image:

root@my_lxc:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

root@VPNproxy:~# uname -a
Linux VPNproxy 5.15.74-1-pve #1 SMP PVE 5.15.74-1 (Mon, 14 Nov 2022 20:17:15 +0100) x86_64 GNU/Linux

my docker run command:

docker run \
        --detach \
        --restart=no \
        --cap-add=NET_ADMIN \
        --volume=/dev/net/tun:/dev/net/tun \
        --publish XXXX:YYYY \
        --tmpfs /etc/xxxxx:exec \
        --name dummy \
        "dummy/dummy:latest"

Hello all,

Apologies for the bump, I am having the exact same issue with an unprivileged LXC trying to get Transmission/openVPN to install on a docker.
I added

-v /dev/net/tun:/dev/net/tun

and followed the steps from the OpenVPN Proxmox tutorial linked on this page but get this error

Starting container with revision: 1103172c3288b7de681e2fb7f1378314f17f66cf
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
rm: cannot remove '/dev/net/tun': Device or resource busy

version: '3.3'
services:
transmission-openvpn:
cap_add:
- NET_ADMIN
volumes:
- /mnt/docker/:/data
- /mnt/docker/:/config
- /dev/net/tun:/dev/net/tun
environment:
- OPENVPN_PROVIDER=PIA
- OPENVPN_CONFIG=
- OPENVPN_USERNAME=
- OPENVPN_PASSWORD=
- LOCAL_NETWORK=192.168.1.0/24
logging:
driver: json-file
options:
max-size: 10m
ports:
- 9091:9091
image: haugene/transmission-openvpn

Any suggestions? I am not sure why it's trying to remove '/dev/net/tun?

 

[Morphushka]

Any suggestions? I am not sure why it's trying to remove '/dev/net/tun?

I think it is image related thing, something like "clearing" step before start. Try this one solution: rm -f tun device breaks startup