In Proxmox Virtual Environment (PVE), when you want to use VPN applications that require /dev/net/tun inside an LXC container, you need to make sure that the container is allowed to create tun/tap devices. Here’s how you can add /dev/net/tun to a Proxmox LXC container:
- Stop the LXC Container: Before you can add the tun device, you need to stop the container. You can do this from the Proxmox web interface or using the command line:
pct stop <container_id>
Replace <container_id> with the ID of your LXC container.
- Modify the LXC Configuration File: You need to edit the configuration file of the LXC container to allow it to create tun devices. The configuration files are usually located in /etc/pve/lxc/ and named after the container’s ID.
nano /etc/pve/lxc/<container_id>.conf
Add the following lines to allow tun devices:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
The first line allows the container to create character devices with major number 10 and minor number 200, which corresponds to /dev/net/tun. The second line mounts /dev/net/tun from the host to the container. Alternatively, if you prefer using the web interface, you can add these settings via the Resources > Configuration > Options in the container settings.
- Add the TUN module to the LXC Container (if necessary): In some cases, you might need to ensure that the tun module is loaded in the host kernel. This can be done by running the following command on the host:
modprobe tun
To make this persistent across reboots, add tun to the /etc/modules-load.d/modules.conf file.
- Start the LXC Container: Once you’ve made the changes, you can start the container again:
pct start <container_id>
- Verify the Device Inside the Container: After the container is running, enter the container and check if /dev/net/tun exists:
pct enter <container_id>
ls -al /dev/net/tun
You should see the tun device listed. If it’s there, you can proceed with your VPN setup within the container.
Remember to replace <container_id> with the actual ID of your container. These steps require root or appropriate administrative privileges on the Proxmox host.
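
The configuration step above can be scripted so that re-running it never duplicates the lines or appends them into a snapshot section at the end of the file. This is an added example, not part of the original instructions; the function names are hypothetical, and the optional second argument is there for cgroup v2 hosts (Proxmox VE 7 and later), where the key is lxc.cgroup2.devices.allow.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently add the two tun
# lines to a Proxmox LXC config. Function names are hypothetical.

TUN_MOUNT='lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file'
NL='
'

# Print only the live config: everything before the first "[...]" section
# header (snapshot and pending sections follow it in PVE config files).
main_section() {
    awk '/^\[/ { exit } { print }' "$1"
}

# has_line FILE LINE: true if LINE is present, as a whole line, in the live config.
has_line() {
    main_section "$1" | grep -qxF -- "$2"
}

# add_tun_entries FILE [CGROUP_KEY]
# Inserts whichever of the two lines is missing, ahead of any snapshot section.
add_tun_entries() {
    conf=$1
    key=${2:-lxc.cgroup.devices.allow}   # default: the key shown on this page
    missing=
    for line in "$key: c 10:200 rwm" "$TUN_MOUNT"; do
        has_line "$conf" "$line" || missing="${missing}${line}${NL}"
    done
    [ -n "$missing" ] || return 0        # nothing to do: safe to re-run
    tmp=$(mktemp) || return 1
    # Pass the text through the environment so awk does not interpret escapes.
    ADD="$missing" awk '
        /^\[/ && !done { printf "%s", ENVIRON["ADD"]; done = 1 }
        { print }
        END { if (!done) printf "%s", ENVIRON["ADD"] }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the original inode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh add-tun.sh /etc/pve/lxc/<container_id>.conf [CGROUP_KEY]
if [ "$#" -ge 1 ]; then
    add_tun_entries "$@"
fi
```

Run it on the Proxmox host while the container is stopped, then continue with the start and verification steps.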