OpenVPN on LXD 2.0

Cerberooo · December 23, 2017, 12:58pm

I tried to setup a OpenVPN Server on a LXD alpine-linux container.
So as i understand it correctly the tun/tap device is provided by LXD. But the OpenVPN server have problems to access the device:

TUN/TAP device tap0 opened
Note: Cannot set tx queue length on tap0: Operation not permitted (errno=1)

How can I fix this?

simos · December 23, 2017, 3:02pm

Do you get any other errors?
Reading this post at VPN in containers | Stéphane Graber's website it says

Fri Sep 26 17:48:12 2014 TUN/TAP device tun0 opened
Fri Sep 26 17:48:12 2014 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Fri Sep 26 17:48:12 2014 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Fri Sep 26 17:48:12 2014 /sbin/ip link set dev tun0 up mtu 1500
…

but it then manages to continue.

Cerberooo · December 23, 2017, 4:13pm

The VPN runs on tap mode. When I start the client following error appears:

ERROR: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
Exiting due to fatal error

simos · December 23, 2017, 4:54pm

It looks that you are missing some Linux capability, CAP_NET_ADMIN.
Try to pass it to the container according to https://github.com/lxc/lxd/issues/1982

Cerberooo · December 23, 2017, 5:04pm

Thanks for your help.

Finally it was a client side problem…

simos · December 27, 2017, 9:36am

Nice!

Write a few words about what you did in order to help any future visitor that come here.

John_Doe · February 3, 2018, 1:04pm

As simos wrote… It would be nice with some hints

Cerberooo · May 19, 2018, 11:19am

I run a wrong chown command, so the file rights of the client was wrong.

VTChevalier · July 6, 2018, 1:12am

This is not very descriptive - what properties/where? Did you end up using anything like:
lxc config set container-name raw.lxc=lxc.cap.drop=some-cap

ebahn · September 30, 2018, 10:09pm

I don’t think installing openvpn in a container represents any specific issues. I set up the openvpn container using macvlan, so it get’s its IP address from the router. I have arranged for the router to forward openvpn’s required ports to the openvpn server, and once connected, I can then interact directly with all internal devices (except the lxd host). I installed using the openvpn-access-server (https://openvpn.net/index.php/access-server/overview.html), and it worked ‘out of the box’, but If you install openvpn by hand, it should work the same way.

Jon

bmullan · January 14, 2020, 3:24pm

A couple replies to you asked if you could write up how you finally configured everything to work.

Did you get around to it? If so did you post it somewhere?
thanks

ckruijntjens · October 10, 2022, 8:29am

Hi @ebahn

I have the same thing. Is there a way to set ip up so it can also interact with the lxd host?