Proxmox7 with Openvpn issues Ubuntu 20.04 lxc

hi i have been trying for a few days now and i hit the same dead end no matter which way i try and achieve getting OpenVPN working using PIA as the provider.

I am tried privileged and unprivileged containers covering deb 9/10 ubuntu 18/20 but its always the same issue. i am very new to linux so please keep it simple.

I create the container then edit basically follow

cd /etc/pve/lxc
nano 105.conf
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

but i always get this same error

Sat Jul 17 08:35:10 2021 WARNING: file ‘/etc/openvpn/login.txt’ is group or others accessible
Sat Jul 17 08:35:10 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Sat Jul 17 08:35:10 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Jul 17 08:35:10 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]
Sat Jul 17 08:35:10 2021 UDP link local: (not bound)
Sat Jul 17 08:35:10 2021 UDP link remote: [AF_INET]
Sat Jul 17 08:35:10 2021 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sat Jul 17 08:35:10 2021 [atlanta416] Peer Connection Initiated with [AF_INET]
> Sat Jul 17 08:35:11 2021 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
> Sat Jul 17 08:35:11 2021 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
> Sat Jul 17 08:35:11 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
> Sat Jul 17 08:35:11 2021 Exiting due to fatal error

i can read it enough to see that its fine with the username and password and that it does get an ip from PIA from what i am guessing its the part where it registers the connection inside the container as it cannot get to tun

i have tried everything i can think of and i am aware i should have installed proxmox 6 but everything has worked fine on proxmox7 until this.

my assumption is in debian 11 / bullseye the line to add to the containers conf file is no longer valid ?

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

i have googled the issue but keep hitting the same issue on everything does anyone know how to archive this i am literally banging my head against the wall on this one.

You’ll likely need a matching lxc.cgroup.devices entry for this device, otherwise you get the device node but can’t actually interact with it.

Yeah i added

lxc.cgroup.devices.allow: c 10:200 rwm

still no dice.

the strange thing is i accidentally put all the commands to the pve shell and it works shame it wasnt what i needed.

just means its possible just way beyond my ability sadly

here is what i was trying to do as it seams a waste of 1.2gb running it in a vm

VPN Gateway w/ Kill Switch
Instructions for Ubuntu 20.04 Server

IN the shell of the proxmox host got to

cd /etc/pve/lxc

EDIT THE XXX.conf files and add line the following line at the end

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Install Programs

apt install curl net-tools openvpn openssh-server unzip -y

Download OVPN Config files (Private Internet Access)

cd /etc/openvpn

wget --no-check-certificate


nano /etc/openvpn/

openvpn --config /etc/openvpn/us_atlanta.ovpn --auth-user-pass /etc/openvpn/login.txt

nano /etc/openvpn/login.txt


nano /etc/openvpn/

# Flush
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Block All
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT

# Make sure that you can communicate within your own network
iptables -A INPUT -s -d -j ACCEPT
iptables -A OUTPUT -s -d -j ACCEPT

# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

# allow VPN connection
iptables -I OUTPUT 1 -p udp --destination-port 1198 -m comment --comment "Allow VPN connection" -j ACCEPT

# Block All
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# Log all dropped packages, debug only.

iptables -N logging
iptables -A INPUT -j logging
iptables -A OUTPUT -j logging
iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
iptables -A logging -j DROP

echo "saving"
iptables-save > /etc/iptables.rules
echo "done"
#echo 'openVPN - Rules successfully applied, we start "watch" to verify IPtables in realtime (you can cancel it as usual CTRL + c)'
#sleep 3
#watch -n 0 "sudo iptables -nvL"

Creste the start up script

nano /usr/local/sbin/


bash /etc/openvpn/ &
sleep 5
sh -c “echo 1 > /proc/sys/net/ipv4/ip_forward”
bash /etc/openvpn/

Make script executable

chmod +x /usr/local/sbin/

Create systemd unit file

nano /etc/systemd/system/startup.service




Enable service

systemctl enable startup.service

check that it has been enabled

systemctl status startup.service

systemctl disable startup.service

basically it should have allowed me to connect a torrent CT to it as the gateway with mappings back to the openmedia vault vm

thats another thing i am trying to solve mount the network drives on boot. as it mounts fine manually


just installed OPEN VPN on the PVE host and it works in unprivilaged container on features enable device on the ct options.

VPN basic gateway in 35mb

Thanks for the help