Openvpn in LXD 4.0

For others reading this in the hope to get info about openvpn:
You can simply install it in a normal unprivileged container (because the tun device is added by default).

Recommendations:

  • set LimitNPROC higher in the systemd service file:
    edit /lib/systemd/system/openvpn@.service: LimitNPROC=50
    (Note: some people comment LimitNPROC out or set it to infinity. I would try setting it higher first, and if you experience problems, you can disable it.)

  • add a firewall like ufw:
    See for example this article in the Arch Linux wiki.

  • use a macvlan device (the container will get its IP address directly from the router, so there is no need for a proxy) or use a proxy device for the port forwarding


Some time ago I started to use openvpn again and I set it up inside an unprivileged container.

The good news is everything seems to be working so far and I would like to write an up-to-date howto for users searching for this, but I have two questions:

  1. What is the status of the LimitNPROC problem (see systemd issue 6011)?
    In the systemd issue it seemed that @brauner and poettering had different opinions about the reason for this problem?

I still get an error stating:
Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
So the problem still seems to exist, though the server is working so far (already tested it for long hours with other persons connected).

Additional Info:

LXD Version: 4.0.0
unprivileged container
OS: Debian Testing amd64 (both host and container)
Kernel: 5.5.0-1-amd64
security.idmap.isolated: “true”
nictype: macvlan

  2. tun device: I found this (slightly) older thread (openvpn-on-lxd-3-0-3), in which @stgraber stated:

Also worth noting that /dev/net/tun is allowed in the default configuration, so no special config is needed for this.

I guess that is still the case?
I ask because many other howtos still show stuff like this:

#config on host:
lxc config set name raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm'
lxc config device add name tun unix-char path=/dev/net/tun
#config in container:

  1. mknod /dev/net/tun c 10 200
  2. install OpenVPN (https://github.com/Nyr/openvpn-install or manual)
  3. edit /lib/systemd/system/openvpn@.service – comment out/remove LimitNPROC=10
  4. systemctl daemon-reload or reboot container

I have to admit that I followed this and wondered why the tun device was already in place :smile:.
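As an added example (not part of the post above, and not LXD's or OpenVPN's own tooling), here is a small POSIX shell helper that covers the three recommendations from the top of the post: checking that /dev/net/tun is really present inside the container before doing any mknod, raising LimitNPROC through a systemd drop-in rather than editing /lib/systemd/system/openvpn@.service in place (so the change survives package upgrades), and printing the proxy-device command for the case where macvlan is not an option. The container name "vpn" and UDP port 1194 are assumed values; nothing here calls lxc or systemctl itself, the functions only print or write the configuration so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: container "vpn",
# OpenVPN on UDP 1194. Functions only render/write config; apply by hand.
set -eu

# Run inside the container: returns 0 if $1 (default /dev/net/tun) is a
# character device, i.e. LXD already provides tun and no mknod is needed.
tun_present() {
    dev="${1:-/dev/net/tun}"
    [ -c "$dev" ]
}

# Render a systemd drop-in that overrides LimitNPROC for openvpn@.service
# ($1 = limit, e.g. 50 or infinity). A drop-in under /etc/systemd/system
# takes precedence over the packaged unit in /lib/systemd/system.
render_limitnproc_dropin() {
    printf '[Service]\nLimitNPROC=%s\n' "$1"
}

# Write the drop-in below root dir $2 (default "/"), so it can be tried
# against a temporary tree first. Prints the path of the written file.
# After writing for real: systemctl daemon-reload && systemctl restart openvpn@server
install_limitnproc_dropin() {
    limit="$1"; root="${2:-/}"
    dir="${root%/}/etc/systemd/system/openvpn@.service.d"
    mkdir -p "$dir"
    render_limitnproc_dropin "$limit" > "$dir/limitnproc.conf"
    echo "$dir/limitnproc.conf"
}

# Print the host-side lxc command that forwards port $2 ($3 = udp|tcp,
# default udp) into container $1 with an LXD proxy device; this is the
# alternative to giving the container its own address via macvlan.
proxy_device_cmd() {
    name="$1"; port="$2"; proto="${3:-udp}"
    printf 'lxc config device add %s openvpn-%s proxy listen=%s:0.0.0.0:%s connect=%s:127.0.0.1:%s\n' \
        "$name" "$proto" "$proto" "$port" "$proto" "$port"
}

# Print the matching ufw rule to open only the OpenVPN port in the container.
ufw_allow_cmd() {
    printf 'ufw allow %s/%s\n' "$1" "${2:-udp}"
}
```

Typical use inside the container: `tun_present || echo "no tun device, check the LXD config"`, then `install_limitnproc_dropin 50` followed by a daemon-reload; on the host, `proxy_device_cmd vpn 1194` prints the command to run if you are not using macvlan.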