Tailscale in LXC containers

Unprivileged LXC containers do not have access to the networking resource that Tailscale needs in order to work. This article explains how to grant that access.

Among many other uses, LXC containers are often found in Proxmox virtualization environments.

Instructions

An LXC is a lightweight way to run a virtualized Linux system. An unprivileged LXC is one where the root user (uid 0) within the container is mapped to an unprivileged user in the host system, making it possible to run an LXC more securely.

Tailscale encapsulates its frames in UDP packets and therefore doesn’t require kernel modules or other privileged operations to form tunnel connections. However, it does need access to a /dev/net/tun device, which unprivileged containers usually do not provide.

To bring up Tailscale in an unprivileged container, access to the /dev/net/tun device can be enabled in the config for the LXC. For example, using Proxmox to host an unprivileged LXC with ID 112, the following lines would be added to /etc/pve/lxc/112.conf:

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

If the LXC is already running, it will need to be shut down and started again for this change to take effect.

Once /dev/net/tun is available, the Tailscale Linux package can be installed in the guest system running inside the LXC.

Alternatively, if you don’t want to grant /dev/net/tun access, you can use userspace networking mode, which avoids the need for any administrative access at all.

FAQ

I upgraded to Proxmox 7.0 and my LXCs no longer have /dev/net/tun

Proxmox 7.0 switched to a pure cgroup2 environment. Update the device-allow line in the container's config file under /etc/pve/lxc/ to:

lxc.cgroup2.devices.allow: c 10:200 rwm
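The config change from the Instructions section and the cgroup2 variant from this FAQ entry, as an added example that is not part of the original article: a small POSIX shell helper for a Proxmox host that picks the cgroup v1 or v2 syntax, appends the two lines to an LXC config only if they are missing, and offers a check to run inside the container afterwards. The cgroup detection via /sys/fs/cgroup/cgroup.controllers and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumed use on a Proxmox host:
#   ensure_tun_access /etc/pve/lxc/112.conf "$(detect_cgroup_version)"
# then stop and start container 112 so the new lines take effect.

# Print "2" when the host runs a pure cgroup2 hierarchy (Proxmox 7.0+), else "1".
# Assumption: a unified hierarchy exposes /sys/fs/cgroup/cgroup.controllers.
detect_cgroup_version() {
  if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
    echo 2
  else
    echo 1
  fi
}

# Print the two config lines for the given cgroup version ("1" or "2").
# Character device 10:200 is /dev/net/tun; the bind mount exposes it in the guest.
tun_config_lines() {
  case "$1" in
    1) echo "lxc.cgroup.devices.allow: c 10:200 rwm" ;;
    2) echo "lxc.cgroup2.devices.allow: c 10:200 rwm" ;;
    *) echo "unknown cgroup version: $1" >&2; return 1 ;;
  esac
  echo "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"
}

# Append each needed line to the config file only if it is not already present
# (exact whole-line match), so re-running the helper never duplicates lines.
ensure_tun_access() {
  conf="$1"; ver="$2"
  [ -f "$conf" ] || return 1
  lines=$(tun_config_lines "$ver") || return 1
  printf '%s\n' "$lines" | while IFS= read -r line; do
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
  done
}

# Run inside the container after the restart: succeeds only if the character
# device actually arrived, which is what tailscaled needs to create its tunnel.
tun_present() {
  [ -c /dev/net/tun ]
}
```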

CentOS 7 and Ubuntu 16.x still have no /dev/net/tun in Proxmox 7.0

Proxmox has a guide for containers whose systemd is too old to understand cgroup2.


© 2022 Tailscale Inc.
