PVE 7 OpenVPN (LXC) problem: Cannot open TUN/TAP dev

stepanov1975

New Member
Oct 22, 2021
7
2
3
48
Just want to share the working configuration.
I wanted to run OpenVPN in Docker container inside LXC and got the following error:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
After some research, I found that adding the following to /etc/pve/lxc/xxx.conf solves the problem:

Code:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The LXC also need to be privileged
 
  • Like
Reactions: gazzaman
I guess if you followed that guide you will not have an issue. However, thank you again for sharing your solution :)
 
Just want to share the working configuration.
I wanted to run OpenVPN in Docker container inside LXC and got the following error:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
After some research, I found that adding the following to /etc/pve/lxc/xxx.conf solves the problem:

Code:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The LXC also need to be privileged

This VERY much helped me, so thank you. Just need to find a new keyboard after hitting my head on it for two days.
 
So what I know for now:

For unprivileged containers:

Wiki page is correct OpenVPN in LXC, it is works well when you install openvpn inside lxc.
If you want to use docker openvpn image, then you get errors:
Code:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted
or if try to create this device inside image with mknod:
Code:
mknod: /dev/net/tun: Operation not permitted
As far as device nodes are files, we can bind tun device from lxc to docker:
Code:
-v /dev/net/tun:/dev/net/tun
Also docker container need NET_ADMIN capability for routing and interface configuration ability. Linux capabilities
YAML:
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun
Works for me on debian 11 lxc and pve 7.3-6

For privileged containers both variations work:
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
or
Code:
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
But privileged lxc is unsafe and I wouldn't recommend give it more privilege then needed.
 
So what I know for now:

For unprivileged containers:

Wiki page is correct OpenVPN in LXC, it is works well when you install openvpn inside lxc.
If you want to use docker openvpn image, then you get errors:
Code:
Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted
or if try to create this device inside image with mknod:
Code:
mknod: /dev/net/tun: Operation not permitted
As far as device nodes are files, we can bind tun device from lxc to docker:
Code:
-v /dev/net/tun:/dev/net/tun
Also docker container need NET_ADMIN capability for routing and interface configuration ability. Linux capabilities
YAML:
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun
Works for me on debian 11 lxc and pve 7.3-6

For privileged containers both variations work:
Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
or
Code:
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
But privileged lxc is unsafe and I wouldn't recommend give it more privilege then needed.
Thanks a lot exactly same issue for docker inside LXC, the "-v /dev/net/tun:/dev/net/tun" made it works for me :D
My Pve version :
Code:
root@pve:~# pveversion
pve-manager/7.3-3/c3928077 (running kernel: 5.15.74-1-pve)

My LXC config :
Code:
root@pve:~# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 1
features: nesting=1
hostname: my_lxc
memory: 1024
net0: name=eth0,bridge=vmbr10,firewall=1,gw=192.168.X.X,hwaddr=72:74:F8:51:XX:XX,ip=192.168.X.X/24,type=veth
ostype: debian
rootfs: local-lvm:vm-102-disk-0,size=16G
swap: 1024
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside my LXC, my docker version:
Code:
root@my_lxc:~# docker --version
Docker version 23.0.3, build 3e7cbfd

My docker image:
Code:
root@my_lxc:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
Code:
root@VPNproxy:~# uname -a
Linux VPNproxy 5.15.74-1-pve #1 SMP PVE 5.15.74-1 (Mon, 14 Nov 2022 20:17:15 +0100) x86_64 GNU/Linux

my docker run command:
Code:
docker run \
        --detach \
        --restart=no \
        --cap-add=NET_ADMIN \
        --volume=/dev/net/tun:/dev/net/tun \
        --publish XXXX:YYYY \
        --tmpfs /etc/xxxxx:exec \
        --name dummy \
        "dummy/dummy:latest"
 
Thanks a lot exactly same issue for docker inside LXC, the "-v /dev/net/tun:/dev/net/tun" made it works for me :D
My Pve version :
Code:
root@pve:~# pveversion
pve-manager/7.3-3/c3928077 (running kernel: 5.15.74-1-pve)

My LXC config :
Code:
root@pve:~# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 1
features: nesting=1
hostname: my_lxc
memory: 1024
net0: name=eth0,bridge=vmbr10,firewall=1,gw=192.168.X.X,hwaddr=72:74:F8:51:XX:XX,ip=192.168.X.X/24,type=veth
ostype: debian
rootfs: local-lvm:vm-102-disk-0,size=16G
swap: 1024
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside my LXC, my docker version:
Code:
root@my_lxc:~# docker --version
Docker version 23.0.3, build 3e7cbfd

My docker image:
Code:
root@my_lxc:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
Code:
root@VPNproxy:~# uname -a
Linux VPNproxy 5.15.74-1-pve #1 SMP PVE 5.15.74-1 (Mon, 14 Nov 2022 20:17:15 +0100) x86_64 GNU/Linux

my docker run command:
Code:
docker run \
        --detach \
        --restart=no \
        --cap-add=NET_ADMIN \
        --volume=/dev/net/tun:/dev/net/tun \
        --publish XXXX:YYYY \
        --tmpfs /etc/xxxxx:exec \
        --name dummy \
        "dummy/dummy:latest"
Hello all,

Apologies for the bump, I am having the exact same issue with an unprivileged LXC trying to get Transmission/openVPN to install on a docker.
I added
-v /dev/net/tun:/dev/net/tun
and followed the steps from the OpenVPN Proxmox tutorial linked on this page but get this error

Starting container with revision: 1103172c3288b7de681e2fb7f1378314f17f66cf
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
rm: cannot remove '/dev/net/tun': Device or resource busy

version: '3.3'
services:
transmission-openvpn:
cap_add:
- NET_ADMIN
volumes:
- /mnt/docker/:/data
- /mnt/docker/:/config
- /dev/net/tun:/dev/net/tun
environment:
- OPENVPN_PROVIDER=PIA
- OPENVPN_CONFIG=
- OPENVPN_USERNAME=
- OPENVPN_PASSWORD=
- LOCAL_NETWORK=192.168.1.0/24
logging:
driver: json-file
options:
max-size: 10m
ports:
- 9091:9091
image: haugene/transmission-openvpn
Any suggestions? I am not sure why it's trying to remove '/dev/net/tun?
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!