Published: March 15, 2025
Enabling TAP Devices in Proxmox LXC Containers

In some advanced networking scenarios, such as VPNs or custom virtual network setups, you may need to create TAP or TUN devices within an LXC container. While this is straightforward in full VMs or bare metal, it's a bit trickier in LXC due to its containerized and more isolated nature.

This post walks you through the steps to enable TAP device creation in a Proxmox LXC container.

⚠️ Pre-requisites

  • A running Proxmox VE host
  • An existing LXC container
  • Root access on both host and container

Step 1: Allow the Device Node in the Container

Edit the container's configuration file located at /etc/pve/lxc/<CTID>.conf:

nano /etc/pve/lxc/<CTID>.conf

Add the following lines:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

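The first line grants the container access to the TUN/TAP character device (major 10, minor 200). The second bind-mounts the host's /dev/net directory into the container, creating the mount point if it does not exist.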

Note: Do not edit the config in /var/lib/lxc/<CTID>/config, as it will be overwritten when the container restarts.
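An added example, not part of the original post: a small shell helper that adds the two lines from Step 1 only if they are missing. Proxmox keeps snapshot sections (headers such as [snap1]) below the active settings in the same file, so appending with >> can place the lines inside a snapshot; this helper inserts them before the first section header instead. The function names are hypothetical, and it matches the lines exactly as written above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The two lines from Step 1, matched exactly as written there.
TAP_ALLOW='lxc.cgroup2.devices.allow: c 10:200 rwm'
TAP_MOUNT='lxc.mount.entry: /dev/net dev/net none bind,create=dir'

# Print the active part of a container config: everything before the
# first "[section]" header (snapshots and pending changes live below it).
active_section() {
    awk '/^\[.*\]/ { exit } { print }' "$1"
}

# Return 0 if the exact line $2 is present in the active section of file $1.
has_line() {
    active_section "$1" | grep -Fxq -- "$2"
}

# Add each missing line to the active section of config file $1.
# Lines go just before the first section header, or at the end of the
# file when there is none. Running it twice changes nothing.
ensure_tap_lines() {
    conf=$1
    for line in "$TAP_ALLOW" "$TAP_MOUNT"; do
        if has_line "$conf" "$line"; then
            continue
        fi
        tmp=$(mktemp) || return 1
        if awk -v new="$line" '
                !ins && /^\[.*\]/ { print new; print ""; ins = 1 }
                { print }
                END { if (!ins) print new }
            ' "$conf" > "$tmp"; then
            # cat instead of mv: rewrite the file's contents in place.
            cat "$tmp" > "$conf"
        else
            rm -f "$tmp"
            return 1
        fi
        rm -f "$tmp"
    done
    return 0
}

# Usage: sh this-script.sh /etc/pve/lxc/<CTID>.conf
if [ -n "${1:-}" ]; then
    ensure_tap_lines "$1"
fi
```

Run it on the Proxmox host against the container's config file, then continue with Step 2.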


Step 2: Start the Container

Restart the container from the Proxmox web UI so the new configuration is applied, or, if it is stopped, start it with:

pct start <CTID>

Replace <CTID> with your actual container ID.


Step 3: Create the TAP Device Inside the Container

Enter the container shell:

pct exec <CTID> -- bash

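Inside the container, create the device node (if the bind mount from Step 1 already exposes /dev/net/tun, mknod will report that the file exists and you can go straight to creating the TAP device):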

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Now you can create a TAP device:

ip tuntap add dev tap0 mode tap

Verify it was created:

ip link show tap0

You should see tap0 listed among the network interfaces.


Step 4: What's Next?

You can now use tap0 in various networking setups:

  • Bridge it to your container's main network
  • Use it with OpenVPN, WireGuard, or custom software


Caveats and Tips

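Containers have limited kernel access. If you run into permission issues, make sure the container is privileged, or configure proper security profiles for unprivileged containers. Root in a privileged container is root on the host, so prefer the unprivileged route with a suitable profile where it works.

Use lxc.apparmor.profile to select the AppArmor profile and lxc.cap.drop to manage capabilities if needed.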

Always test network devices carefully, especially in production environments.


Conclusion

Enabling TAP devices in Proxmox LXC containers allows you to simulate real networking interfaces for VPNs and advanced routing. With just a few config changes and device node setups, your container can gain powerful networking abilities.

Happy hacking! 🧪

This text was generated using AI, carefully reviewed.