TUN in LXC unprivileged container

VPN in container requires tun/tap device – if you don’t have one you have to create it with mknod command. But, there is the problem – in the LXC (Proxmox) unprivileged container is mknod (as syscall) not allowed, because this would introduce possible security problems (see this article).

Luckily LXC natively provides a way to create required devices using lxc.mount.entry, added in LXC container config file (or in proxmox <VMID>.conf):

To provide tun device:

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Additionaly, to provide fuse device use:

lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file

To provide ppp device use (unfortunately ppp currently requires CAP_NET_ADMIN to work):

lxc.mount.entry = /dev/ppp dev/ppp none bind,create=file