Unprivileged LXC containers do not have access to the networking resource
needed for Tailscale to work. This article explains how to give it access.
Among many other uses, LXC containers are often found in Proxmox
virtualization environments.
Instructions
An LXC is a lightweight way to run a virtualized Linux system. An
unprivileged LXC is one where the root user (uid 0) within the container is
mapped to an unprivileged user in the host system, making it possible to
run an LXC more securely.
Tailscale encapsulates its frames in UDP packets and therefore doesn’t
require kernel modules or other privileged operations to form tunnel
connections. However, it does need access to a /dev/tun device which
unprivileged containers usually do not provide.
To bring up Tailscale in an unprivileged container, access to the /dev/tun
device can be enabled in the config for the LXC. For example, using Proxmox 7.0
to host as unprivileged LXC with ID 112, the following lines would be added
to /etc/pve/lxc/112.conf:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
If the LXC is already running it will need to be shut down and started again
for this change to take effect.
Once /dev/tun is available, the Tailscale Linux package can be installed in
the system running within the LXC.
Alternatively, if you don’t want to grant /dev/tun access, you can use
userspace networking mode
which avoids the
need for any administrative access at all.
Use the
cgroup
environment (instead of the Proxmox 7
cgroup2
environment):
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
If you don’t want to enable /dev/tun access, remove the
lxc.mount.entry:
line.
CentOS 7 and Ubuntu 16.x still have no /dev/net/tun in Proxmox 7.0
WireGuard is a registered
trademark of Jason A. Donenfeld.
© 2024 Tailscale Inc. All rights reserved.
Tailscale is a registered trademark of Tailscale Inc.
Privacy
&
Terms