OpenVPN in LXC: Difference between revisions
No edit summary |
m (add nesting parameter) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 17: | Line 17: | ||
After the download is finished, create the container: | After the download is finished, create the container: | ||
# pct create 123 local:vztmpl/debian-10-standard_10.7-1_amd64.tar.gz --unprivileged 1 --net0 name=eth0,bridge=vmbr0,firewall=1,ip=dhcp,type=veth --storage local-lvm | # pct create 123 local:vztmpl/debian-10-standard_10.7-1_amd64.tar.gz --unprivileged 1 -features nesting=1 --net0 name=eth0,bridge=vmbr0,firewall=1,ip=dhcp,type=veth --storage local-lvm | ||
After container is created, you need to edit the configuration file to add the /dev/net/tun device. | After container is created, you need to edit the configuration file to add the /dev/net/tun device. | ||
Line 27: | Line 27: | ||
ostype: debian | ostype: debian | ||
rootfs: local-lvm:vm-123-disk-0,size=4G | rootfs: local-lvm:vm-123-disk-0,size=4G | ||
features: nesting=1 | |||
swap: 512 | swap: 512 | ||
unprivileged: 1 | unprivileged: 1 | ||
Line 32: | Line 33: | ||
# nano /etc/pve/lxc/123.conf | # nano /etc/pve/lxc/123.conf | ||
Add the following lines at the end | Add the following lines at the end (if you're using PVE < 7.0, change `cgroup2` with `cgroup`) | ||
lxc. | lxc.cgroup2.devices.allow: c 10:200 rwm | ||
lxc.mount.entry: /dev/net dev/net none bind,create=dir | lxc.mount.entry: /dev/net dev/net none bind,create=dir | ||
Line 92: | Line 93: | ||
Congratulations! You now have an unprivileged Debian container running OpenVPN! | Congratulations! You now have an unprivileged Debian container running OpenVPN! | ||
[[Category: HOWTO]] | If you want to configure networking to make your container accessible from outside, see [[Network Configuration]] | ||
[[Category:HOWTO]] |
Latest revision as of 12:56, 30 August 2021
This guide explains the process of setting up an OpenVPN container on an unprivileged Debian container with LXC.
All the commands assume a default PVE installation from the official installer.
If your storage is called differently, please adapt the commands accordingly. (e.g., replace 'local' with the name of your storage for holding the templates)
Creating the Container
Firstly you need to download the Debian container template.
# pveam update # pveam available | grep debian-10-standard system debian-10-standard_10.7-1_amd64.tar.gz # pveam download local debian-10-standard_10.7-1_amd64.tar.gz
After the download is finished, create the container:
# pct create 123 local:vztmpl/debian-10-standard_10.7-1_amd64.tar.gz --unprivileged 1 -features nesting=1 --net0 name=eth0,bridge=vmbr0,firewall=1,ip=dhcp,type=veth --storage local-lvm
After container is created, you need to edit the configuration file to add the /dev/net/tun device.
# pct config 123 arch: amd64 hostname: CT123 memory: 512 net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=FE:75:64:2A:A3:58,ip=dhcp,type=veth ostype: debian rootfs: local-lvm:vm-123-disk-0,size=4G features: nesting=1 swap: 512 unprivileged: 1
# nano /etc/pve/lxc/123.conf
Add the following lines at the end (if you're using PVE < 7.0, change `cgroup2` with `cgroup`)
lxc.cgroup2.devices.allow: c 10:200 rwm lxc.mount.entry: /dev/net dev/net none bind,create=dir
Press Ctrl-X and answer "Y" for saving and press Enter.
For your unprivileged container to be able to access the /dev/net/tun from your host, you need to set the owner by running:
# chown 100000:100000 /dev/net/tun
Check the permissions are set correctly:
# ls -l /dev/net/tun crw-rw-rw- 1 100000 100000 10, 200 Dec 22 13:26 /dev/net/tun
Finally start the container:
# pct start 123
If you did everything correctly then the container should start.
Using OpenVPN
Enter the container:
# pct enter 123
You should now see the container shell prompt.
root@CT123:~# ls -l /dev/net/tun crw-rw-rw- 1 root root 10, 200 Dec 22 12:26 /dev/net/tun
If you see root:root inside the container and 100000:100000 outside the container, it's correct. (This is because the unprivileged userid 100000 on your host is mapped to 'root' user of the container)
Update packages and install openvpn:
root@CT123:~# apt update root@CT123:~# apt dist-upgrade root@CT123:~# apt install openvpn git
You can use this repository for a basic configuration: https://github.com/Nyr/openvpn-install
root@CT123:~# git clone https://github.com/Nyr/openvpn-install root@CT123:~# cd openvpn-install root@CT123:~# bash openvpn-install.sh
Answer the setup wizard questions according to your setup. At the end you should receive a message like this:
Finished! The client configuration is available in: /root/client.ovpn New clients can be added by running this script again.
If everything worked, then the service should be started and enabled by the setup script.
Verify service is working:
root@CT123:~# systemctl | grep openvpn openvpn-iptables.service loaded active exited openvpn-iptables.service openvpn-server@server.service loaded active running OpenVPN service for server system-openvpn\x2dserver.slice loaded active active system-openvpn\x2dserver.slice root@CT123:~# ps aux | grep vpn nobody 136 0.0 1.3 11780 6844 ? Ss 14:41 0:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Congratulations! You now have an unprivileged Debian container running OpenVPN!
If you want to configure networking to make your container accessible from outside, see Network Configuration