How to run openvpn in an LXC container inside a Debian host?


Adding

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

in the container's config file bind-mounts the tun char device inside the container, which solves the problem.


Author: omega

Updated on September 18, 2022

Comments

  • omega (over 1 year)

    I am running Debian stretch on my host and I try to configure openvpn inside an Ubuntu xenial LXC guest.

    Because openvpn needs a tun device, I followed guides such as http://heider.io/blog/2013/10/26/openvpn-in-a-lxc-container/ to allow tun device creation inside the container.

    Unfortunately, setting lxc.cgroup.devices.allow = c 10:200 rwm in the container's config file gives me this error:

      lxc-start ERROR    lxc_cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits:1949 - No such file or directory - Error setting devices.allow to c 10:200 rwm for ubuntu
      lxc-start ERROR    lxc_start - start.c:lxc_spawn:1236 - Failed to setup the devices cgroup for container "ubuntu".
      lxc-start ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "ubuntu".
    

    Edit

    I am trying to achieve this in an unprivileged LXC container; here is the full configuration of this container:

    # Distribution configuration
    lxc.include = /usr/share/lxc/config/ubuntu.common.conf
    lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
    lxc.arch = x86_64
    
    # Container specific configuration
    lxc.id_map = u 0 100000 65536
    lxc.id_map = g 0 100000 65536
    lxc.rootfs = /home/myuser/.local/share/lxc/ubuntu/rootfs
    lxc.rootfs.backend = dir
    lxc.utsname = ubuntu
    
    # Network configuration
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = br0
    lxc.network.hwaddr = 00:11:22:aa:bb:cc
    lxc.network.ipv4 = 192.168.1.101/24
    lxc.network.ipv4.gateway = 192.168.1.1
    
    # trying to get /dev/net/tun inside container
    lxc.cgroup.devices.allow = c 10:200 rwm
    

    When I do not set the devices.allow option, in order to be able to start the container, I can see that processes inside the container are in the cgroup /sys/fs/cgroup/devices/user.slice (their PIDs, viewed from outside the container, are actually in the cgroup.procs file of this subdirectory), and from here:

    $ cat devices.list 
    a *:* rwm
    

    but from inside the container

    # mknod /dev/net/tun c 10 200
    mknod: /dev/net/tun: Operation not permitted
    
    • Daniel B (about 7 years)
      You’re probably missing kernel support for “devices” control groups.
    • MariusMatutiae (about 7 years)
      Why exactly do you want to do this in a container? It can be done more easily by setting up a second network namespace, which is the same thing the container does, except there is none of the container overhead.
    • omega (about 7 years)
      @MariusMatutiae: It's for test purposes, I want a fully functional Linux container without having to run a virtual machine.
    • omega (about 7 years)
      @DanielB: How could I check that? What could I do about it?
    • Daniel B (about 7 years)
      So I installed the current Debian from scratch and the option works fine. Please verify that all cgroup filesystems (cpuset, cpu/cpuacct, devices, freezer, net_cls/net_prio, blkio and perf_event) are correctly mounted at /sys/fs/cgroup. If not, there may be an error somewhere in your boot configuration. Are you running systemd? Is your Debian installation old and upgraded?
    • omega (about 7 years)
      @DanielB: Thanks for your time, all these cgroups are correctly mounted though. This is a clean Debian installation, using systemd (4.9.0-2-amd64 #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux).
    • Daniel B (about 7 years)
      Hm. Are you perhaps trying to start the container while logged in to a non-root account? When I run a container (with or without said config option), its cgroup is available at /sys/fs/cgroup/devices/lxc/<name>. devices.allow is there.
    • omega (about 7 years)
      @DanielB I realize I didn't mention it, but I'm running an unprivileged container, thus I start the container while logged in as a non-root account. I do not have a devices cgroup for it, but I do get a freezer, memory and systemd cgroup under /sys/fs/cgroup/freezer/user/ghost/0/lxc/ubuntu, /sys/fs/cgroup/memory/user/ghost/0/lxc/ubuntu, /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-1.scope/lxc/ubuntu
  • baptx (over 5 years)
    Thanks, this worked for me but don't forget to run openvpn as root inside of the container (I forgot to use sudo and thought the problem came from somewhere else).
  • baptx (almost 4 years)
    Note that you have to add this in the container configuration, for example .local/share/lxc/debian/config (replace debian with your container name). I was wondering why it did not work because I added this line in .config/lxc/default.conf instead. By the way, I noticed a configuration like lxc.mount.entry = /dev/net dev/net none bind,create=dir (from wiki.archlinux.org/index.php/…) also works. Is this solution better than lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file from your answer? Creating the file seems not needed.
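The checks below are an added example, not part of the question, answer or comments above: they inspect an LXC config for the tun bind-mount the answer recommends (either the file form or the directory form asked about in the last comment), flag the devices.allow line that the question shows failing in an unprivileged (lxc.id_map) container, and verify that a path really is the tun character device (major 10, minor 200). The sample config files are constructed inline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the tun bind-mount fix
# against an LXC container config (the sample configs below are constructed).

# 0 if the config bind-mounts the tun node (file form from the answer) or the
# whole /dev/net directory (form mentioned in the comments); 1 otherwise.
tun_mount_entry_present() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/net(/tun)?[[:space:]]+dev/net(/tun)?[[:space:]]+none[[:space:]]+[^[:space:]]*bind' "$1"
}

# 0 if the config is unprivileged (lxc.id_map) AND still carries the
# lxc.cgroup.devices.allow line for 10:200, the combination the question shows
# failing because a non-root user has no devices cgroup delegated to it.
unprivileged_devices_allow_conflict() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*lxc\.id_?map' "$1" &&
    grep -Eq '^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200' "$1"
}

# 0 if the path is the tun character device (major 10, minor 200), which is
# what openvpn inside the container expects at /dev/net/tun. stat prints hex: a:c8.
is_tun_device() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T' "$1" 2>/dev/null)" = "a:c8" ]
}

# Constructed sample configs mirroring the question (broken) and the answer (fixed).
CFG_DIR=$(mktemp -d)
cat > "$CFG_DIR/broken.conf" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.cgroup.devices.allow = c 10:200 rwm
EOF
cat > "$CFG_DIR/fixed.conf" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
EOF
cat > "$CFG_DIR/dirform.conf" <<'EOF'
lxc.mount.entry = /dev/net dev/net none bind,create=dir
EOF
for cfg in "$CFG_DIR"/*.conf; do
    if tun_mount_entry_present "$cfg"; then echo "$cfg: tun bind-mount present"
    elif unprivileged_devices_allow_conflict "$cfg"; then echo "$cfg: devices.allow in an unprivileged config; use lxc.mount.entry instead"
    else echo "$cfg: no tun access configured"; fi
done
is_tun_device /dev/net/tun && echo "host /dev/net/tun is the tun device (10:200)"
```

Run it on the host as the user who starts the container; point `tun_mount_entry_present` at the container's own config (e.g. ~/.local/share/lxc/<name>/config), not at ~/.config/lxc/default.conf, which the last comment notes is the wrong file.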