Nebula on LXC container.

[Cyberes]

I had some trouble getting Nebula to run on a LXC container. Initially, I set tun.disabled = true since the container didn't have permission to create a tun device. But I discovered that Nebula rejects all incoming traffic except for ICMP when tun is disabled.

This isn't a tutorial, just a simple post to save someone an hour of fiddling around.

The container doesn't need to be privileged.

1. Stop the container.
2. In the container's config file: /etc/pve/lxc/[VM ID number].conf, add these lines to the bottom:

lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
lxc.cgroup2.devices.allow: c 10:200 rwm

3. Start the container.

It used to be lxc.cgroup.devices.allow, now it's lxc.cgroup2.devices.allow.

Some people said to add the line:

lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

but this appears to require a privileged container. Also saw people were adding this too:

lxc.mount.entry = /dev/net dev/net none bind,create=dir

[Cyberes]

Question: why does Nebula reject all incoming traffic minus ICMP when tun is disabled? I run a different Nebula host in a cloud container and don't have permission to create a tun device there and it would be really convenient to have bidirectional communication with it rather than the one-way that unsafe_routes provices.

[brad-defined]

Nebula isn't rejecting the traffic, but it requires the TUN device to pass the underlying packets to the O/S for further processing.

[Cyberes]

Thanks, that's what I assumed.