This guide explains the process of setting up an OpenVPN container on an unprivileged Debian container with LXC.
All the commands assume a default PVE installation from the official installer.
If your storage is called differently, please adapt the commands accordingly. (e.g., replace ‘local’ with the name of your storage for holding the templates)
Creating the Container
Firstly you need to download the Debian container template.
# pveam update # pveam available | grep debian-10-standard system debian-10-standard_10.7-1_amd64.tar.gz # pveam download local debian-10-standard_10.7-1_amd64.tar.gz
After the download is finished, create the container:
# pct create 123 local:vztmpl/debian-10-standard_10.7-1_amd64.tar.gz --unprivileged 1 -features nesting=1 --net0 name=eth0,bridge=vmbr0,firewall=1,ip=dhcp,type=veth --storage local-lvm
After container is created, you need to edit the configuration file to add the /dev/net/tun device.
# pct config 123 arch: amd64 hostname: CT123 memory: 512 net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=FE:75:64:2A:A3:58,ip=dhcp,type=veth ostype: debian rootfs: local-lvm:vm-123-disk-0,size=4G features: nesting=1 swap: 512 unprivileged: 1
# nano /etc/pve/lxc/123.conf
Add the following lines at the end (if you’re using PVE
lxc.cgroup2.devices.allow: c 10:200 rwm lxc.mount.entry: /dev/net dev/net none bind,create=dir
Press Ctrl-X and answer “Y” for saving and press Enter.
For your unprivileged container to be able to access the /dev/net/tun from your host, you need to set the owner by running:
# chown 100000:100000 /dev/net/tun
Check the permissions are set correctly:
# ls -l /dev/net/tun crw-rw-rw- 1 100000 100000 10, 200 Dec 22 13:26 /dev/net/tun
Finally start the container:
# pct start 123
If you did everything correctly then the container should start.