OpenVPN inside LXC container

• 27 May 2024
• lxc,
• proxmox,
• qbittorrent,
• torrent,
• vpn,
• wireguard,
• openvpn

Why not Wireguard #

My little qbittorrent container has been chugging along for a couple years now, happily connected to its VPN over wireguard. It has worked great! ...Until now.

Recently I noticed that it was suddenly struggling to maintain connections. Even extremely active torrents were stalling out completely -- 0 peers connected, 0 seeds connected. Not sure what exactly has changed with how the VPN routes traffic to cause this, but I needed to correct it. No more passive peering for me, time to set up port forwarding the right way.

My VPN provider does offer port forwarding for Wireguard, but only within their little app. I'm not using the app. I have purchased a static IP from them and I connect directly. They only support OpenVPN for port forwarding in this situation.

Why it doesn't work #

Just like with samba/nfs and gpu transcoding, LXC containers need to be privileged in order to access certain kernel modules. OpenVPN creates a new device in /dev/net/tun using kernel module "tun" -- that ain't gonna work in a LXC.

Googling it brings up various methods involving adding lines to your LXC config file in /etc/pve on the Proxmox host and then doing some user masking similar to samba/nfs. I didn't have to do any of that. All I had to do was add /dev/net/tun as a passthrough device in the "Resources" section of the LXC options.

The steps #

Install openvpn in the container

apt install openvpn

Generate config file or download from VPN provider, place file in:

/etc/openvpn/[yourfile].conf

Make a credentials file

nano /etc/openvpn/creds

Use this format:

username
password

Save the file and secure it:

chmod 600 /etc/openvpn/creds

Add the location of your credentials file to your OpenVPN config:

nano /etc/openvpn/[yourfile].conf

Look for "auth-user-pass" and add the path to the creds file:

auth-user-pass /etc/openvpn/creds

Navigate to the container settings in Proxmox.

Select the "Options" tab.

Click Features --> Enable Nesting and Create Device Nodes

Select the "Resources" tab.

Click Add --> Device Passthrough

Device path: /dev/net/tun --> Click Add

Reboot the container. Test the connection:

openvpn --config /etc/openvpn/[yourfile].conf

2024-05-27 23:48:24 TUN/TAP device tun0 opened

Tadaaaaaaa!

Connect automatically #

Make a systemd timer:

nano /etc/systemd/system/openvpn@yourname.service

With these contents (edit the filename):

[Unit]
Description=OpenVPN connection
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/[yourname].conf
Restart=on-failure

[Install]
WantedBy=multi-user.target

Enable and start it:

systemctl daemon-reload
systemctl enable openvpn@yourname
systemctl start openvpn@yourname

Enjoy!

• Previous: Go time
• Next: Opnsense High(er) Availability