/dev/net/tun stopped working after Debian upgrade from buster to bullseye: Operation not permitted

Hi, I am running a privileged lxc bullseye container inside a bullseye host.

Use case: I run a proprietary dial up VPN client (barracudavpn, utilizes /dev/net/tun) inside the container and use the container as a gateway to route specific IPv4 destination IPs over a dial-up VPN connection. To rule out problems with this software, I also tried this with openvpn, without success, same results.

This has worked “out-of-the-box” under Debian buster, but has stopped working after an upgrade to Debian bullseye (=buster successor).

The relevant error (e.g. in journal -xe) inside the container is:

(...) barracudavpn[109]: Error opening tunnel device /dev/net/tun: open failed: Operation not permitted

The problem is easily confirmed by:

root@host:~# ls -al /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jan 11 15:59 /dev/net/tun
root@host:~# lxc-attach  -n container
root@container:~# ls -al /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jan 11 14:59 /dev/net/tun
root@container:~# cat /dev/net/tun
cat: /dev/net/tun: Operation not permitted

I iterated through the various solutions I found for the notorious openvpn problem associated with /dev/net/tun, including (but not restricted to):

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0

At the moment I am a little lost - I tried to start the container with “-l DEBUG” but did not see anything helpful - so even a hint on how to debug this deeper would be appreciated.

Thank you.


Maybe triple check that /sys/fs/cgroup/devices indeed has the relevant entry.

I know that Debian has migrated to cgroup2 for their development version, maybe you got that change on your system somehow making lxc.cgroup meaningless?

Hi, thank you very much for that hint - indeed, there was no directory named /sys/fs/cgroup/devices.
So the immediate solution is as easy as changing:

lxc.cgroup.devices.allow = c 10:200 rwm

to

lxc.cgroup2.devices.allow = c 10:200 rwm

At least for me this resolved my problem.
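The two checks discussed in this thread (does /sys/fs/cgroup/devices exist, and which lxc.cgroup key the host's cgroup layout needs) can be scripted so the same mistake is caught before the VPN client fails. The script below is an added example and is not part of the thread or of the LXC project; it assumes the cgroup hierarchy is mounted at /sys/fs/cgroup, that the container config lives at /var/lib/lxc/container/config (or the path given as the first argument), and that the file is saved as tun-cgroup-check.sh.

```shell
#!/bin/sh
# Added example (not from the thread): pick the right LXC device-allow key for
# the host's cgroup layout and emit the /dev/net/tun allow line.
# Assumptions: cgroups are mounted at /sys/fs/cgroup (Debian default) and the
# container config path is /var/lib/lxc/container/config unless given as $1.

# Map the filesystem type mounted on /sys/fs/cgroup to the LXC config key.
#   cgroup2fs -> unified hierarchy (bullseye default): lxc.cgroup2.*
#   tmpfs     -> legacy v1 hierarchy with per-controller dirs: lxc.cgroup.*
lxc_devices_key() {
    case "$1" in
        cgroup2fs) echo "lxc.cgroup2.devices.allow" ;;
        tmpfs)     echo "lxc.cgroup.devices.allow" ;;
        *)         echo "unknown cgroup layout: $1" >&2; return 1 ;;
    esac
}

# Build the complete allow line for the TUN/TAP device (char major 10, minor 200).
tun_allow_line() {
    key=$(lxc_devices_key "$1") || return 1
    echo "$key = c 10:200 rwm"
}

# Detect the live host layout: stat -f %T prints the filesystem type name.
host_cgroup_fstype() {
    stat -f -c %T /sys/fs/cgroup
}

# Return 0 if the config carries a devices.allow line under the key that
# belongs to the OTHER cgroup version, i.e. a line the host will ignore.
has_stale_allow_line() {
    # $1 = fstype of /sys/fs/cgroup, $2 = container config file
    case "$1" in
        cgroup2fs) stale="lxc.cgroup.devices.allow" ;;
        tmpfs)     stale="lxc.cgroup2.devices.allow" ;;
        *)         return 1 ;;
    esac
    grep -q "^[[:space:]]*$stale" "$2"
}

main() {
    cfg="${1:-/var/lib/lxc/container/config}"   # assumed default path
    fstype=$(host_cgroup_fstype)
    echo "host cgroup layout: $fstype"
    if [ -d /sys/fs/cgroup/devices ]; then
        echo "legacy devices controller present at /sys/fs/cgroup/devices"
    else
        echo "no /sys/fs/cgroup/devices: devices are governed by the unified (cgroup2) hierarchy"
    fi
    echo "use this line in $cfg:"
    tun_allow_line "$fstype"
    if [ -f "$cfg" ] && has_stale_allow_line "$fstype" "$cfg"; then
        echo "warning: $cfg has a devices.allow line under the key for the other cgroup version; it will be ignored" >&2
    fi
}

# Run the live check only when executed as a script, not when sourced.
case "$0" in
    */tun-cgroup-check.sh|tun-cgroup-check.sh) main "$@" ;;
esac
```

Run it on the host as root (sh tun-cgroup-check.sh /var/lib/lxc/container/config); a host that has moved to the unified hierarchy reports cgroup2fs and prints the lxc.cgroup2 form, while a hybrid or legacy host reports tmpfs and prints the lxc.cgroup form. The stale-line warning is the check that would have flagged the original config: the lxc.cgroup.devices.allow line is silently meaningless on a cgroup2-only host, so the device node is visible in the container but open() is refused.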

Yep, that’s right.