PVE 7 OpenVPN (LXC) problem: Cannot open TUN/TAP dev

stepanov1975

Oct 22, 2021
Just want to share the working configuration.
I wanted to run OpenVPN in Docker container inside LXC and got the following error:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
After some research, I found that adding the following to /etc/pve/lxc/xxx.conf solves the problem:

Code:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The LXC also needs to be privileged.
 
I guess if you followed that guide you will not have an issue. However, thank you again for sharing your solution :)
 

This VERY much helped me, so thank you. Just need to find a new keyboard after hitting my head on it for two days.
 
So what I know for now:

For unprivileged containers:

The wiki page OpenVPN in LXC is correct; it works well when you install openvpn inside the lxc.
If you want to use a docker openvpn image, then you get these errors:
Code:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted
or, if you try to create this device inside the image with mknod:
Code:
mknod: /dev/net/tun: Operation not permitted
Since device nodes are files, we can bind the tun device from the lxc into docker:
Code:
-v /dev/net/tun:/dev/net/tun
Also, the docker container needs the NET_ADMIN capability for routing and interface configuration. Linux capabilities
YAML:
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun
Works for me on debian 11 lxc and pve 7.3-6

For privileged containers both variations work:
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
or
Code:
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
But a privileged lxc is unsafe, and I wouldn't recommend giving it more privileges than needed.
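As an added check (example code written for this page, not from the thread or from Proxmox), the following POSIX shell script audits a PVE container config in the /etc/pve/lxc/<vmid>.conf style for the settings the post above describes: whether the container is unprivileged, whether the device cgroup allows char device 10:200, and whether /dev/net/tun is exposed either by the lxc.mount.entry bind of /dev/net or by the lxc.hook.autodev mknod line. The sample config files are constructed inline so the script runs offline; requiring the cgroup allow line alongside either device variant follows the 102.conf posted later in the thread and is an assumption of this check, not something the post states for the privileged case.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Proxmox LXC config
# (/etc/pve/lxc/<vmid>.conf style) for the tun-device settings discussed above.
#
# Verdicts printed on stdout:
#   MISSING-cgroup      no "lxc.cgroup2.devices.allow: c 10:200 ..." line
#   MISSING-device      cgroup allow present, but /dev/net/tun is not exposed
#   OK-unprivileged     everything present and "unprivileged: 1" set
#   OK-privileged-WARN  everything present, but the container is privileged
# Return code: 0 for either OK verdict, 1 for either MISSING verdict.
audit_tun_config() {
    conf="$1"
    unpriv=0; cgroup=0; device=0

    grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$' "$conf" && unpriv=1
    # Accept both the cgroup v1 and the cgroup v2 spelling of the allow line.
    grep -Eq '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+[rwm]+' "$conf" && cgroup=1
    # Either way of exposing the node: bind of /dev/net, or mknod in the autodev hook.
    if grep -Eq '^lxc\.mount\.entry:[[:space:]]*/dev/net[[:space:]]+dev/net[[:space:]]' "$conf" ||
       grep -Eq '^lxc\.hook\.autodev:.*mknod[[:space:]]+(net/tun|/dev/net/tun)[[:space:]]+c[[:space:]]+10[[:space:]]+200' "$conf"; then
        device=1
    fi

    if [ "$cgroup" -ne 1 ]; then echo "MISSING-cgroup"; return 1; fi
    if [ "$device" -ne 1 ]; then echo "MISSING-device"; return 1; fi
    if [ "$unpriv" -eq 1 ]; then echo "OK-unprivileged"; else echo "OK-privileged-WARN"; fi
    return 0
}

# Constructed sample configs (made up for this example) written to a temp dir.
make_sample_configs() {
    SAMPLE_DIR="$(mktemp -d)"
    # Sample 1: unprivileged, bind-mount variant (shape of the 102.conf in the thread).
    cat > "$SAMPLE_DIR/unpriv.conf" <<'EOF'
arch: amd64
features: nesting=1
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
EOF
    # Sample 2: privileged (no "unprivileged: 1"), hook.autodev mknod variant.
    cat > "$SAMPLE_DIR/priv.conf" <<'EOF'
arch: amd64
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
EOF
    # Sample 3: cgroup allow present but the node never exposed (the error case).
    cat > "$SAMPLE_DIR/nodev.conf" <<'EOF'
arch: amd64
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
EOF
}

# Stand-alone demo over the constructed samples.
make_sample_configs
for name in unpriv priv nodev; do
    verdict="$(audit_tun_config "$SAMPLE_DIR/$name.conf" || true)"
    printf '%-12s %s\n' "$name.conf" "$verdict"
done
rm -rf "$SAMPLE_DIR"
```

To audit live containers, call audit_tun_config on each /etc/pve/lxc/*.conf on the host; an OK-privileged-WARN verdict is the case the post above advises against.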
 
Thanks a lot, exactly the same issue for docker inside LXC; the "-v /dev/net/tun:/dev/net/tun" made it work for me :D
My PVE version:
Code:
root@pve:~# pveversion
pve-manager/7.3-3/c3928077 (running kernel: 5.15.74-1-pve)

My LXC config:
Code:
root@pve:~# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 1
features: nesting=1
hostname: my_lxc
memory: 1024
net0: name=eth0,bridge=vmbr10,firewall=1,gw=192.168.X.X,hwaddr=72:74:F8:51:XX:XX,ip=192.168.X.X/24,type=veth
ostype: debian
rootfs: local-lvm:vm-102-disk-0,size=16G
swap: 1024
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside my LXC, my docker version:
Code:
root@my_lxc:~# docker --version
Docker version 23.0.3, build 3e7cbfd

My docker image:
Code:
root@my_lxc:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
Code:
root@VPNproxy:~# uname -a
Linux VPNproxy 5.15.74-1-pve #1 SMP PVE 5.15.74-1 (Mon, 14 Nov 2022 20:17:15 +0100) x86_64 GNU/Linux

My docker run command:
Code:
docker run \
        --detach \
        --restart=no \
        --cap-add=NET_ADMIN \
        --volume=/dev/net/tun:/dev/net/tun \
        --publish XXXX:YYYY \
        --tmpfs /etc/xxxxx:exec \
        --name dummy \
        "dummy/dummy:latest"
 
Hello all,

Apologies for the bump; I am having the exact same issue with an unprivileged LXC trying to get Transmission/openVPN to install on a docker.
I added
Code:
-v /dev/net/tun:/dev/net/tun
and followed the steps from the OpenVPN Proxmox tutorial linked on this page, but get this error:

Code:
Starting container with revision: 1103172c3288b7de681e2fb7f1378314f17f66cf
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
rm: cannot remove '/dev/net/tun': Device or resource busy

YAML:
version: '3.3'
services:
  transmission-openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /mnt/docker/:/data
      - /mnt/docker/:/config
      - /dev/net/tun:/dev/net/tun
    environment:
      - OPENVPN_PROVIDER=PIA
      - OPENVPN_CONFIG=
      - OPENVPN_USERNAME=
      - OPENVPN_PASSWORD=
      - LOCAL_NETWORK=192.168.1.0/24
    logging:
      driver: json-file
      options:
        max-size: 10m
    ports:
      - 9091:9091
    image: haugene/transmission-openvpn
Any suggestions? I am not sure why it's trying to remove '/dev/net/tun'?
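The "Device or resource busy" failure in the post above is what rm reports when the target is a mount point: a node supplied with -v /dev/net/tun:/dev/net/tun is a bind mount inside the container, and unlink(2) on a mount point fails with EBUSY, so an image that tries to remove and recreate the node cannot. The following POSIX shell diagnostic, added here as an example and not taken from the thread or from the haugene image, classifies a path as a mount point or a plain device node by reading /proc/self/mountinfo; the mountinfo lines below are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the haugene image: tell a bind-mounted
# /dev/net/tun (a mount point, which unlink(2) refuses with EBUSY) apart from a
# device node created with mknod (an ordinary file that rm can remove).

# is_mountpoint PATH [MOUNTINFO]
# Field 5 of each /proc/self/mountinfo line is the mount point; succeed if PATH is one.
is_mountpoint() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit !found }' "${2:-/proc/self/mountinfo}"
}

# classify_tun_node PATH [MOUNTINFO]
# Prints "mount-point" when PATH is mounted (rm fails with EBUSY; the node would have
# to be unmounted, not unlinked) and "plain-node" otherwise (rm/mknod would work).
classify_tun_node() {
    if is_mountpoint "$1" "${2:-/proc/self/mountinfo}"; then
        echo "mount-point"
    else
        echo "plain-node"
    fi
}

# Constructed sample of /proc/self/mountinfo as seen from inside a container started
# with -v /dev/net/tun:/dev/net/tun. Fields: id parent maj:min root mountpoint
# options [optional fields] - fstype source superopts. All values are made up.
make_sample_mountinfo() {
    SAMPLE_MI="$(mktemp)"
    cat > "$SAMPLE_MI" <<'EOF'
594 570 0:44 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/x
595 594 0:45 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
608 595 0:6 /net/tun /dev/net/tun rw,nosuid,relatime - devtmpfs udev rw,mode=755
EOF
}

# Stand-alone demo over the constructed sample.
make_sample_mountinfo
for path in /dev/net/tun /dev/net/tap0; do
    printf '%-14s %s\n' "$path" "$(classify_tun_node "$path" "$SAMPLE_MI")"
done
rm -f "$SAMPLE_MI"
```

Inside a running container, call classify_tun_node /dev/net/tun with no second argument to read the live /proc/self/mountinfo; a "mount-point" result explains the rm error without any change to the compose file.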
 