There can be various issues regarding the TUN device depending on your host environment.
This usually means the tun kernel module is not loaded (or was never built). Loading it on your host with modprobe tun should do the trick; note that modprobe takes the module name, not a path. If you use insmod instead, it needs the full path to the module file, conventionally /lib/modules/$(uname -r)/kernel/drivers/net/tun.ko (possibly with a compression suffix such as .ko.xz or .ko.zst). If the module file does not exist at all, you will have to rebuild your kernel with TUN/TAP support (CONFIG_TUN) enabled, either built in or as a module.
It is still unclear what causes this, but running the container with --device /dev/net/tun will most likely solve it.
This can happen when running LXC containers.
- Find your LXC container number, let's call it 12345.
- OUTDATED: edit /etc/pve/lxc/12345.conf and add (c 10:200 is the character-device major:minor of /dev/net/tun):
  lxc.cgroup2.devices.allow: c 10:200 rwm
  lxc.mount.entry: /dev/net dev/net none bind,create=dir
  lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
- Since Proxmox VE 8.1 you can pass devices through to your LXC container with pct, so you no longer have to rewrite the permissions on your tun device, which is a security risk.
  - To SET the device, run these commands on your Proxmox (pve) host:
    pct set 12345 -dev0 /dev/net/tun
    pct reboot 12345
  - To UNSET the device, run these commands on your Proxmox host:
    pct set 12345 -delete dev0
    pct reboot 12345
- Inside the container, in your run command or docker-compose.yml, use:
  --device /dev/net/tun:/dev/net/tun
  or
  devices:
    - /dev/net/tun:/dev/net/tun
Thanks to @Vendetta1985, source comment
This can happen with podman, usually due to SELinux. Create an SELinux policy module that allows the rootless container to use the /dev/net/tun device.
- Copy the content below to a new file gluetun_policy.te:
  module gluetun_policy 1.0;

  require {
      type tun_tap_device_t;
      type container_file_t;
      type container_t;
      class chr_file { getattr ioctl open read write };
      class sock_file watch;
  }

  # allow rules for the types and classes declared in the require block above
  allow container_t tun_tap_device_t:chr_file { getattr ioctl open read write };
  allow container_t container_file_t:sock_file watch;
- Convert it to a policy module:
  checkmodule -M -m -o gluetun_policy.mod gluetun_policy.te
- Package the policy:
  semodule_package -o gluetun_policy.pp -m gluetun_policy.mod
- Install the policy (as root):
  sudo semodule -i gluetun_policy.pp
Alternatively, generate the policy yourself from the denials SELinux logged:
- Start the container (let it fail), then turn the logged denials into a policy module:
  sudo grep gluetun /var/log/audit/audit.log | audit2allow -M gluetun_policy
  (audit2allow reads the piped denials from stdin here; with -a it would ignore the pipe and read the whole audit log itself.)
- Inspect the generated policy before installing it, and make sure it only grants what gluetun actually needs:
  cat gluetun_policy.te
- Install it with:
  sudo semodule -i gluetun_policy.pp
Another solution is to run the container with --privileged, but this removes most of the container's isolation (all capabilities and access to all host devices), so prefer the targeted policy above.
Thanks to @OkanEsen, source comment
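Before installing a module that audit2allow generated, it is worth checking exactly which denials you are about to allow. The following is an added example, not gluetun project code: tun_avc_summary reduces the AVC lines of an auditd log to "source type, target type, class, permissions", avc_only_tun checks that the denials stay within "container_t may use tun_tap_device_t" (plus the container_file_t sock_file watch the module above also covers), and build_tun_policy wires the page's generate/inspect/install steps together behind that check. The function names are my own; the log format is the standard auditd AVC record.

```shell
#!/bin/sh
# Added example (not gluetun project code): summarize SELinux AVC denials for
# a process before turning them into a policy with audit2allow.

# tun_avc_summary LOGFILE [COMM]: print one unique line per denial for
# process name COMM (default gluetun):  <source type> <target type> <class> <perms>
tun_avc_summary() {
    log="$1"
    comm="${2:-gluetun}"
    awk -v comm="comm=\"$comm\"" '
        /avc: +denied/ && index($0, comm) {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            src = $0      # scontext=user:role:TYPE:level -> TYPE
            sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
            tgt = $0      # tcontext=user:role:TYPE:level -> TYPE
            sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
            cls = $0
            sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
            print src, tgt, cls, perms
        }' "$log" | sort -u
}

# avc_only_tun LOGFILE [COMM]: succeed only if every denial is container_t
# touching the TUN device, or the container_file_t sock_file watch that the
# policy module on this page also grants. Anything else is a reason to stop.
avc_only_tun() {
    tun_avc_summary "$1" "${2:-gluetun}" | awk '
        $1 != "container_t" { bad = 1 }
        $2 != "tun_tap_device_t" && !($2 == "container_file_t" && $3 == "sock_file") { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# build_tun_policy [NAME] [LOGFILE]: the page's generate/inspect/install steps
# guarded by the check above. Needs root and the policycoreutils tools.
build_tun_policy() {
    name="${1:-gluetun_policy}"
    log="${2:-/var/log/audit/audit.log}"
    if ! avc_only_tun "$log"; then
        echo "unexpected denials, not installing:" >&2
        tun_avc_summary "$log" >&2
        return 1
    fi
    grep 'comm="gluetun"' "$log" | audit2allow -M "$name"   # writes NAME.te and NAME.pp
    cat "$name.te"                                          # inspect before installing
    semodule -i "$name.pp"
}
```

Run `tun_avc_summary /var/log/audit/audit.log` first; if it lists anything other than tun_tap_device_t (or the sock_file watch), the container is being denied something unrelated to the TUN device and the generated module would be broader than you want.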
cannot Unix Open TUN device file: operation not permitted
and cannot create TUN device file node: operation not permitted
This happens on LXC containers.
- Find your container number, let's call it 12345.
- OUTDATED: edit /etc/pve/lxc/12345.conf and add (c 10:200 is the character-device major:minor of /dev/net/tun):
  lxc.cgroup2.devices.allow: c 10:200 rwm
  lxc.mount.entry: /dev/net dev/net none bind,create=dir
  lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
- Since Proxmox VE 8.1 you can pass devices through to your LXC container with pct, so you no longer have to rewrite the permissions on your tun device, which is a security risk.
  - To SET the device, run these commands on your Proxmox (pve) host:
    pct set 12345 -dev0 /dev/net/tun
    pct reboot 12345
  - To UNSET the device, run these commands on your Proxmox host:
    pct set 12345 -delete dev0
    pct reboot 12345
- Inside the container, in your run command or docker-compose.yml, use:
  --device /dev/net/tun:/dev/net/tun
  or
  devices:
    - /dev/net/tun:/dev/net/tun
🙏 thanks to @user037951, source discussion. 🙏 thanks to @Vendetta1985, source comment
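The two Proxmox procedures above (the outdated config edit and the pct device passthrough from 8.1 on) can be folded into one script that picks the method by Proxmox version and only appends the legacy lines once. This is an added example, not gluetun or Proxmox code; the function names are my own, the pct invocations and config lines are the ones from this page, and the version is taken from the first field of pveversion's "pve-manager/<version>/..." output.

```shell
#!/bin/sh
# Added example (not gluetun or Proxmox project code): give a Proxmox LXC
# container access to the host's /dev/net/tun, choosing the method by version.
#   >= 8.1 : pct set <vmid> -dev0 /dev/net/tun        (device passthrough)
#   <  8.1 : append the legacy lxc.* lines to /etc/pve/lxc/<vmid>.conf
# Run on the Proxmox host as root. The version and config helpers need no pct.

# pve_has_dev_passthrough VERSION: true if VERSION is 8.1 or newer.
# Accepts "8.1.3", "7.4-17" or "9" (the forms pveversion prints).
pve_has_dev_passthrough() {
    ver="$1"
    major="${ver%%[!0-9]*}"          # leading digits
    rest="${ver#"$major"}"
    rest="${rest#[.-]}"              # drop the separator after the major
    minor="${rest%%[!0-9]*}"
    minor="${minor:-0}"
    [ -n "$major" ] || return 1
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 1 ]; }
}

# legacy_tun_conf: the three config lines from this page.
# 10:200 is the char-device major:minor of /dev/net/tun.
legacy_tun_conf() {
    cat <<'EOF'
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
}

# add_legacy_tun_conf FILE: append the lines once; re-running is a no-op,
# so the container config does not accumulate duplicate entries.
add_legacy_tun_conf() {
    conf="$1"
    if grep -q 'lxc.mount.entry: /dev/net/tun ' "$conf" 2>/dev/null; then
        return 0
    fi
    legacy_tun_conf >> "$conf"
}

# enable_tun_passthrough VMID: apply whichever method this host supports,
# then reboot the container so it picks up the device.
enable_tun_passthrough() {
    vmid="$1"
    ver="$(pveversion | sed -n 's|^pve-manager/\([0-9][0-9.-]*\).*|\1|p')"
    if pve_has_dev_passthrough "$ver"; then
        pct set "$vmid" -dev0 /dev/net/tun
    else
        add_legacy_tun_conf "/etc/pve/lxc/$vmid.conf"
    fi
    pct reboot "$vmid"
}

# disable_tun_passthrough VMID: undo the 8.1+ method (the page's UNSET step).
disable_tun_passthrough() {
    pct set "$1" -delete dev0 && pct reboot "$1"
}
```

Usage on the host: `enable_tun_passthrough 12345`. The passthrough route is preferred because it leaves the host's /dev/net/tun permissions alone and is removable with `disable_tun_passthrough 12345`; the legacy branch exists only for hosts that cannot be upgraded.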
This can occur due to a change in containerd that restricts access to the tun device from unprivileged containers.
To resolve it, ensure the gluetun container is marked as privileged:
containers:
  - image: ghcr.io/qdm12/gluetun:<version>
    securityContext:
      privileged: true
Keep in mind that privileged: true removes most of the container's isolation (all capabilities and access to every host device), so set it on the gluetun container only, as above, and not on the other containers in the pod.
There is some additional context and discussion on this issue on the tailscale project.
Either:
- You need to run your Docker command as root by prefixing it with sudo. 🙏 thanks to @jnelle, source comment
- You have a mismatch between your kernel and the installed tun module. This can happen when upgrading your system without rebooting; a simple reboot might fix it. 🙏 thanks to @aviolaris, original issue
- Check that the tun module is actually loaded in the running kernel; see the original issue.
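Several of the sections above (the missing tun module at the top of the page, the missing /dev/net/tun node inside a container, and the "is the module loaded" check just above) come down to the same three questions: does the device node exist, can this user open it, and is the tun driver loaded or built into the running kernel. The following added example, which is not gluetun project code, answers them in one function. The function names are my own; the paths default to the real host locations (/dev/net/tun, /proc/modules, and modules.builtin for the running kernel) but can be overridden, and the tun.ko path in tun_load_module is the conventional location, not something the page states.

```shell
#!/bin/sh
# Added example (not gluetun project code): classify why a TUN device is not
# available, using the checks described on this page.
#
# tun_diag [DEVNODE] [PROC_MODULES] [BUILTIN_LIST] prints one of:
#   present         the node exists and is readable and writable
#   no_permission   the node exists but this user cannot open it (run as root
#                   or fix ownership on the host)
#   node_missing    the driver is available but the node is absent; typical
#                   inside a container started without --device /dev/net/tun
#   module_missing  tun is neither loaded nor built in: modprobe tun, or
#                   rebuild the kernel with CONFIG_TUN
tun_diag() {
    devnode="${1:-/dev/net/tun}"
    proc_modules="${2:-/proc/modules}"
    builtin_list="${3:-/lib/modules/$(uname -r)/modules.builtin}"

    if [ -c "$devnode" ]; then
        if [ -r "$devnode" ] && [ -w "$devnode" ]; then
            echo present
        else
            echo no_permission
        fi
        return 0
    fi

    # /proc/modules lines start with the module name; modules.builtin lists
    # object paths such as kernel/drivers/net/tun.ko for built-in drivers.
    if grep -q '^tun ' "$proc_modules" 2>/dev/null \
       || grep -q '/tun\.ko$' "$builtin_list" 2>/dev/null; then
        echo node_missing
        return 0
    fi
    echo module_missing
}

# tun_load_module: load the driver on the host (needs root). modprobe takes
# the module name; insmod wants the file, conventionally at this path and
# possibly compressed (.ko.xz, .ko.zst) on recent distributions.
tun_load_module() {
    modprobe tun 2>/dev/null && return 0
    insmod "/lib/modules/$(uname -r)/kernel/drivers/net/tun.ko"
}

# tun_make_node: create the node when only the node is missing. 10:200 is the
# misc major:minor of the TUN/TAP device, the same pair as in the LXC rule
# "lxc.cgroup2.devices.allow: c 10:200 rwm" on this page. Inside a container
# this needs CAP_MKNOD, which is why --device /dev/net/tun is the better fix.
tun_make_node() {
    mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 0600 /dev/net/tun
}

# Stand-alone use: print the diagnosis for the host or container this runs in.
tun_diag
```

A result of node_missing inside Docker or podman means the host is fine and the container just needs `--device /dev/net/tun:/dev/net/tun`; module_missing means the fix belongs on the host (tun_load_module, or a kernel rebuild), not in the container configuration.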