Exposing /dev/net/tun to Proxmox LXC

In Proxmox Virtual Environment (PVE), when you want to use VPN applications that require /dev/net/tun inside an LXC container, you need to make sure that the container is allowed to create tun/tap devices. Here’s how you can add /dev/net/tun to a Proxmox LXC container:

  1. Stop the LXC Container: Before you can add the tun device, you need to stop the container. You can do this from the Proxmox web interface or using the command line:
    pct stop <container_id>

Replace <container_id> with the ID of your LXC container.

  2. Modify the LXC Configuration File: You need to edit the configuration file of the LXC container to allow it to create tun devices. The configuration files are usually located in /etc/pve/lxc/ and named after the container’s ID.

    nano /etc/pve/lxc/<container_id>.conf

Add the following lines to allow tun devices:

    lxc.cgroup.devices.allow: c 10:200 rwm
    lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

The first line allows the container to create character devices with major number 10 and minor number 200, which corresponds to /dev/net/tun. The second line mounts /dev/net/tun from the host to the container. Alternatively, if you prefer using the web interface, you can add these settings via Resources > Configuration > Options in the container settings.

  3. Load the tun module on the host (if necessary): Containers share the host kernel, so the tun module has to be loaded on the Proxmox host, not inside the container. In some cases you need to load it yourself by running the following command on the host:

    modprobe tun

To make this persistent across reboots, add tun to the /etc/modules-load.d/modules.conf file.

  4. Start the LXC Container: Once you’ve made the changes, you can start the container again:

    pct start <container_id>

  5. Verify the Device Inside the Container: After the container is running, enter the container and check if /dev/net/tun exists:

    pct enter <container_id>
    ls -al /dev/net/tun

You should see the tun device listed. If it’s there, you can proceed with your VPN setup within the container.

Remember to replace <container_id> with the actual ID of your container. These steps require root or appropriate administrative privileges on the Proxmox host.
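
An added example, not part of the original page: a read-only check of the container configuration edited in step 2, useful before restarting the container. It assumes that hosts running cgroup v2 (the default since Proxmox VE 7) use the key lxc.cgroup2.devices.allow in place of the cgroup v1 key shown above, and that snapshot sections starting with a [name] header follow the live settings in the file; audit_tun_conf and live_section are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of an LXC
# config for the two tun lines described above.
# Usage: audit_tun_conf /etc/pve/lxc/<container_id>.conf

# Print only the live settings: PVE appends snapshot/pending sections that
# start with a "[name]" header, and lines inside them do not apply.
live_section() {
    awk '/^\[/ { exit } { print }' "$1"
}

# Print one finding per line; return 0 when the config is as expected.
audit_tun_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    live=$(live_section "$conf")
    rc=0

    # Device rule: cgroup v1 key (as on this page) or the cgroup v2 key
    # (assumption stated in the lead-in).
    if ! printf '%s\n' "$live" | grep -Eq \
        '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+[rwm]+[[:space:]]*$'
    then
        echo "MISSING devices.allow for c 10:200"; rc=1
    fi

    # Bind mount of the host node into the container.
    if ! printf '%s\n' "$live" | grep -Eq \
        '^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+.*bind'
    then
        echo "MISSING mount entry for /dev/net/tun"; rc=1
    fi

    # Least privilege: flag rules wider than the single tun node,
    # such as "a" (all devices) or wildcard major/minor numbers.
    if printf '%s\n' "$live" | grep -Eq \
        '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*(a|[cb][[:space:]]+(\*:|[0-9]+:\*))'
    then
        echo "BROAD devices.allow rule present"; rc=1
    fi
    return $rc
}
```

A return status of 0 with no output means both lines are present in the live section and no wider device rule sits beside them.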