17

I am trying to set up an openvpn server inside a lxc guest. However, it seems there is no tun device available in the container.

Starting openvpn inside the container gives me this error:

Tue Sep 18 13:04:18 2012 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Tue Sep 18 13:04:18 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Sep 18 13:04:18 2012 /sbin/ifconfig  10.6.0.1 pointopoint 10.6.0.2 mtu 1500
SIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
Tue Sep 18 13:04:18 2012 Linux ifconfig failed: external program exited with error status: 1
Tue Sep 18 13:04:18 2012 Exiting

In my container's config, I see the following:

#tun
lxc.cgroup.devices.allow = c 10:200 rwm

I'd assume this enabled tun devices for the container, but modprobe tun gives me another error:

FATAL: Could not load /lib/modules/3.2.0-30-generic/modules.dep: No such file or directory

I'm assuming I am missing some permission or something in my container. Can someone tell me what it is?

Lawrence

4 Answers

20

I'm not familiar with lxc, but try the following commands:

# mkdir /dev/net 
# mknod /dev/net/tun c 10 200 
# chmod 666 /dev/net/tun
quanta
7

The answers above don't actually work now with current versions of lxc. Manually creating a character device with mknod has no effect - the device is not visible inside the container. Use of the autodev functionality in lxc is required.

lxc.cgroup.devices.deny = a

lxc.cgroup.devices.allow = c 10:200 rwm

lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The order is important - the deny must be first.

Stuart Cardall
  • Actually, on a Debian 10 unprivileged LXC container and an Ubuntu 19.10 host, the only thing I needed to do is to add `lxc.mount.entry = /dev/net dev/net none bind,create=dir` in the container config file, mentioned in your link and with a similar solution here: https://superuser.com/questions/1202749/how-to-run-openvpn-in-a-lxc-container-inside-debian-host/1205662#1205662 – baptx May 20 '20 at 17:41
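
The ordering rule in the answer above (deny all devices first, then allow the TUN device `c 10:200`) can be checked mechanically before a container is started. This is an added example, not code from any answer on this page: `audit_tun_config` and its verdict words are hypothetical names, the sample config is constructed, and the parser also accepts the `key: value` form and the `lxc.cgroup2` key prefix as an assumption about newer configs.

```shell
#!/bin/sh
# Added example: audit an LXC container config for the TUN device rules.
# audit_tun_config is a hypothetical helper; the sample input is constructed.
#
# Prints one verdict for FILE:
#   ok          deny-all ("a") is listed before the c 10:200 allow rule
#   deny-after  deny-all is listed after the TUN allow rule
#   no-deny     TUN is allowed but this file has no deny-all rule
#   no-tun      no allow rule for character device 10:200
audit_tun_config() {
    awk '
        # Drop comments such as "#tun" before looking at the line.
        { sub(/#.*/, "") }
        # Accept "key = value" and "key: value" for devices.allow / devices.deny.
        match($0, /^[ \t]*lxc\.cgroup2?\.devices\.(allow|deny)[ \t]*[=:][ \t]*/) {
            key = substr($0, 1, RLENGTH)
            val = substr($0, RLENGTH + 1)
            gsub(/[ \t\r]+/, " ", val); sub(/ $/, "", val)
            # Remember the first line number of each rule of interest.
            if (key ~ /deny/  && val == "a" && !deny_line) deny_line = NR
            if (key ~ /allow/ && val ~ /^c 10:200 [rwm]+$/ && !allow_line) allow_line = NR
        }
        END {
            if (!allow_line)                 print "no-tun"
            else if (!deny_line)             print "no-deny"
            else if (deny_line > allow_line) print "deny-after"
            else                             print "ok"
        }
    ' "$1"
}

# Constructed sample: the allow rule is listed before the deny-all rule.
sample=$(mktemp)
printf '%s\n' '#tun' \
    'lxc.cgroup.devices.allow = c 10:200 rwm' \
    'lxc.cgroup.devices.deny = a' > "$sample"
audit_tun_config "$sample"   # prints: deny-after
rm -f "$sample"
```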
3

In addition to quanta's answer, also make sure you have this line in the lxc config:

mknod /dev/net/tun c 10 200

This is the right syntax:

#tun
lxc.cgroup.devices.allow = c 10:200 rwm
Falcon Momot
ApriOri
0

As suggested by our hosting provider EURO-SPACE, these are the steps to enable TUN/TAP on Proxmox LXC containers:

  1. Make sure your container is PRIVILEGED, if not, then make a backup of the container, then restore it and check "Privileged Container".

  2. Shut down the container and edit its configuration file located under /etc/pve/lxc/CTID.conf (CTID is the ID of your container)

  3. Add the following lines at the end of the file:

    lxc.cgroup.devices.allow: c 10:200 rwm

    lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

  4. Save the configuration file and start the container.

  5. Make sure TUN is enabled by running the following command:

    cat /dev/net/tun

This should output the following:

cat: /dev/net/tun: File descriptor in bad state

Now you can run VPN.

Besik