9

I am trying to get OpenVPN running inside an LXD/LXC container, and redirect traffic coming to the container to the VPN.

The purpose is to replace a fully fledged VM that does exactly that (and toy with LXD :-)

I managed to get an IP from my main DHCP server and set up the iptables rules for masquerading / forwarding the traffic, but when I try to launch openvpn, it is blocked by the lack of (access to) the /dev/net/tun device.

I came across this post on ServerFault https://serverfault.com/questions/429461/no-tun-device-in-lxc-guest-for-openvpn, but it does not seem to work with the current version of LXC and/or LXD managing the configuration...

EDIT: I tried using this incantation, but it did not succeed:

lxc config set mycontainer raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm'

EDIT2: I tried `lxc config device add mycontainer tun unix-char path=/dev/net/tun major=10 minor=200`, but on the next stop/start I got

error: Failed configuring device tun: Not implemented

Now I can't even `lxc config device remove mycontainer tun`, as it throws the same Not implemented error. The container seems to be lost...

alci

3 Answers

14

You want:

lxc config device add CONTAINER tun unix-char path=/dev/net/tun
stgraber
    This solved the `ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)` error I've been getting trying to initiate an OpenVPN connection from a container. Mentioning this here in hopes of adding this answer to Google searches on that error. If this also solved @alci 's question, this answer should be accepted. – Jonathan Y. Apr 25 '16 at 07:37
  • I now get `ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)` instead of `ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)` – Jay _silly_evarlast_ Wren Jul 15 '16 at 19:55
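As an added example (not code from the answer above or from LXD itself), here is a small POSIX shell script that wraps the path-only `unix-char` device add with the checks a practitioner wants around it: confirm the host's /dev/net/tun really is a character device 10:200, add the device to the container, restart it, and verify the node from inside. The container name is taken from the first argument (CONTAINER in the usage line is a placeholder, not a name from the page). The `tun_error_hint` helper classifies the two OpenVPN messages quoted in the comments; the reading that errno=2 means the node is absent while errno=1 means the node exists but the container's device cgroup rejects the open is an assumption based on what open(2) returns, not something the answer states.

```shell
#!/bin/sh
# Added example (not code from the original answer or from LXD): wraps the
# path-only "unix-char" device add from the answer above with the checks a
# practitioner wants before and after.  Usage: sh lxd-tun.sh CONTAINER
# (CONTAINER is a placeholder, not a name taken from the page).
set -eu

# The TUN/TAP clone device is misc major 10, minor 200.  GNU stat prints
# %t/%T in hex, so compare against hex values.
TUN_MAJOR_HEX=a
TUN_MINOR_HEX=c8

# tun_stat_ok "<type>|<major-hex>|<minor-hex>"
# Takes the output of `stat -c '%F|%t|%T' /dev/net/tun` and succeeds only
# if it describes a character device 10:200.  Kept free of side effects so
# it can be checked against constructed strings without a real device.
tun_stat_ok() {
    ftype=${1%%|*}
    rest=${1#*|}
    major=${rest%%|*}
    minor=${rest#*|}
    if [ "$ftype" = "character special file" ] &&
       [ "$major" = "$TUN_MAJOR_HEX" ] &&
       [ "$minor" = "$TUN_MINOR_HEX" ]; then
        return 0
    fi
    return 1
}

# tun_error_hint "<openvpn error line>" -> missing-node | denied | other
# Classifies the two OpenVPN messages quoted in the comments above.  The
# reading is an assumption based on what open(2) returns: ENOENT (errno=2)
# means the node is absent inside the container; EPERM (errno=1) means the
# node is there but the container's device cgroup rejects the open.
tun_error_hint() {
    case "$1" in
        *"/dev/net/tun: No such file or directory"*|*"(errno=2)"*)
            echo missing-node ;;
        *"/dev/net/tun: Operation not permitted"*|*"(errno=1)"*)
            echo denied ;;
        *)  echo other ;;
    esac
}

# Make sure the host really has the clone device (load the module if the
# node is absent) and that it carries the expected numbers.
host_tun_ready() {
    [ -c /dev/net/tun ] || modprobe tun
    tun_stat_ok "$(stat -c '%F|%t|%T' /dev/net/tun)"
}

# The form from the answer: no major/minor, LXD takes them from the host
# node at the given path.  Skip if a device named "tun" is already there.
add_tun_device() {
    if lxc config device show "$1" | grep -q '^tun:'; then
        echo "device 'tun' already configured on $1" >&2
        return 0
    fi
    lxc config device add "$1" tun unix-char path=/dev/net/tun
}

# Check from inside the container with the same pure function.
container_tun_ok() {
    tun_stat_ok "$(lxc exec "$1" -- stat -c '%F|%t|%T' /dev/net/tun)"
}

main() {
    host_tun_ready || { echo "host /dev/net/tun missing or not 10:200" >&2; exit 1; }
    add_tun_device "$1"
    # The question reports the device taking effect on stop/start, so
    # restart rather than rely on hot-plug.
    lxc restart "$1"
    if container_tun_ok "$1"; then
        echo "$1: /dev/net/tun is a character device 10:200"
    else
        echo "$1: /dev/net/tun still missing or wrong; inspect 'lxc config device show $1'" >&2
        exit 1
    fi
}

# Only act when given a container name and lxc is installed; the helper
# functions above can be exercised on their own.
if [ -n "${1:-}" ] && command -v lxc >/dev/null 2>&1; then
    main "$1"
fi
```

Run it as `sh lxd-tun.sh CONTAINER` on the LXD host. If OpenVPN still fails afterwards, feed its error line to `tun_error_hint`: `missing-node` points back at the device add, while `denied` means the node is visible but not usable, so look at `lxc config device show CONTAINER` and the container's device rules rather than at the node itself.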
3

I was struggling to do this as well inside an unprivileged container. What I ended up doing was

mknod /path/to/your/container/root/tun c 10 200
chown 100000:100000 /path/to/your/container/root/tun

then inside the container

mkdir /dev/net
ln -s /root/tun /dev/net/tun

This meant I did not have to make any changes to the lxc conf.

Kent
0

You need to make the tun device on the host before you start the container: `sudo mknod /path/to/your/container/dev/net/tun c 10 200`

sмurf
  • Thanks. I created the node. I changed its owner:group to 100000:100000. But I still can't see it from within the container... – alci Jul 20 '15 at 13:03