How to Install Tailscale in a Proxmox CE 8.2 LXC Container (AlmaLinux 9)

Published at
11/20/2024
Categories
almalinux
container
howto
lxc
Author
dacog

Context

I recently needed to set up Tailscale in an AlmaLinux 9 LXC container running on my Proxmox 8.2 server. Following the official instructions from Tailscale's RHEL 9 guide and even trying their Linux install script, I ran into some issues. The main problem turned out to be missing TUN device support in the LXC container.

UPDATE: This is actually documented here under unprivileged LXC. Thanks to @echobot on Reddit for the info.

The Initial Problem

After following the installation steps, when I tried to start Tailscale, I got this error:

failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)

Checking the logs with journalctl -u tailscaled -n 50 --no-pager, I found:

is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: modprobe: FATAL: Module tun not found in directory /lib/modules/6.8.8-4-pve

What Didn't Work

My first attempt was to use the older Proxmox method of enabling TUN support by adding:

features: nesting=1,tun=1

to the container configuration. This resulted in:

TASK ERROR: format error tun: property is not defined in schema and the schema does not allow additional properties

This didn't work because Proxmox 8.x handles TUN/TAP support differently than previous versions.

What Actually Worked

1. Configure TUN Support

I had to edit the LXC container configuration on the Proxmox host:

nano /etc/pve/lxc/<container-id>.conf

And add these lines:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

2. Create TUN Device on Host

In my case, my system already had /dev/net/tun. I checked this with ls -l /dev/net/tun.

> ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jul 27 23:02 /dev/net/tun

If your system does not have it, create the TUN device on the Proxmox host:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun

3. Restart Container

pct restart <container-id>

or use the WebUI for that.

4. Install Tailscale

After fixing the TUN support, I could properly install Tailscale in the container (I must say I always could install it, I could just not run it):

# Add Tailscale repository
dnf config-manager --add-repo https://pkgs.tailscale.com/stable/almalinux/9/tailscale.repo

# Install Tailscale
dnf install tailscale

# Start and enable the service
systemctl enable --now tailscaled

# Connect to Tailscale network
tailscale up

Verifying Everything Works

To make sure everything was working correctly, I ran:

# Check service status
systemctl status tailscaled

# Activating Tailscale asks for auth and provides a link. Just follow the instructions.
tailscale up

What is tun anyway?

TUN/TAP provides packet reception and transmission for user space programs. It can be seen as a simple Point-to-Point or Ethernet device, which, instead of receiving packets from physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program. -- https://docs.kernel.org/networking/tuntap.html

TUN, short for "network TUNnel," is a virtual network device that operates at the IP level. It acts like a virtual network card, allowing software to send and receive network packets as if it were a physical network interface. TUN is needed for creating virtual private networks (VPNs) and other network tunneling applications, as it provides a way for programs to interact directly with network traffic at a low level.

In the context of running Tailscale in an LXC container, TUN is required because Tailscale uses it to create its secure network tunnel. LXC containers, by default, don't have access to create these virtual network devices. To run Tailscale successfully, the LXC container needs to be configured to allow the creation and use of TUN devices. This involves modifying the container's configuration to grant it the necessary permissions to access and manipulate TUN devices, enabling Tailscale to establish its encrypted network connections and route traffic securely.
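
As an added example (not part of the original post, and not a Proxmox or Tailscale tool), the script below audits a container config for the two lines from step 1 and flags the tun=1 feature that Proxmox 8.x rejected. The helper name check_tun_conf and the sample config are constructed for illustration; it reads only the live part of the file, because Proxmox keeps snapshot state in later [section] blocks of the same .conf.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC config for the TUN passthrough lines.
# check_tun_conf is a hypothetical helper name, not an existing command.

check_tun_conf() {
    conf=$1; rc=0
    # Only the text before the first "[section]" header is the live config;
    # later sections hold snapshot state. Comment lines are dropped as well.
    active=$(awk '/^\[/{exit} !/^[ \t]*#/{print}' "$conf") || return 2

    if ! printf '%s\n' "$active" | grep -Eq '^lxc\.cgroup2\.devices\.allow[[:space:]]*[:=][[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm'; then
        echo "MISSING: lxc.cgroup2.devices.allow: c 10:200 rwm"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^lxc\.mount\.entry[[:space:]]*[:=][[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+([^[:space:]]+,)?bind'; then
        echo "MISSING: lxc.mount.entry for /dev/net/tun"; rc=1
    fi
    # tun= under features: is the older setting that failed schema validation.
    if printf '%s\n' "$active" | grep -Eq '^features:[[:space:]]*(.*,)?tun='; then
        echo "INVALID: features contains tun= (rejected by the 8.x schema)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: TUN passthrough configured"
    return "$rc"
}

# Constructed sample: the failed tun=1 attempt, with the correct lines present
# only as a comment and inside a snapshot section, so neither may count.
sample=$(mktemp)
cat >"$sample" <<'EOF'
arch: amd64
features: nesting=1,tun=1
hostname: alma9-ts
# lxc.cgroup2.devices.allow: c 10:200 rwm

[before-tailscale]
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
check_tun_conf "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On the Proxmox host it would be called as check_tun_conf /etc/pve/lxc/<container-id>.conf before restarting the container.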
