OpenVPN server in Linux Containers

From ArchWiki

This article describes how to setup a Linux Container to run OpenVPN in server mode for secure/private internet use. Doing so offers a distinct advantage over using full-blown virtualization like VirtualBox or QEMU in that the resource overhead is minimal by comparison and able to run on low powered devices.

Host setup

  1. The host OS needs a bridge ethernet setup to allow the container to run. Refer to Linux Containers#Host network configuration for this.
  2. One needs to enable packet forwarding. Refer to Internet sharing#Enable packet forwarding for this.
  3. Although not strictly required, a firewall is highly recommended.

Container setup

Basic setup and understanding of Linux Containers is required. This article assumes that readers have a base LXC setup operational. Newcomers to these are directed to the aforementioned article.

LXC configuration

The container's configuration should be modified to include several key lines in order run OpenVPN.

For the example, the lxc is named "playtime" and a full configuration is shown:


## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm

If you use lxc > 4.0, change cgroup to cgroup2 :


## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup2.devices.allow = c 10:200 rwm

Needed packages within the container

In addition to the base system, openvpn is required and available from the official repositories. A properly configured firewall to run within the container is highly recommended. This guide uses ufw which is very easy to configure, but other examples can certainly be used.

Package setup


Refer to the OpenVPN article to properly setup the home server. Verify openvpn functionality within the container; start openvpn via openvpn@myprofile.service and once satisfied enable it to run at boot.

Note: Users running openvpn within an unprivileged container will need to create a custom systemd unit to start it within the container. In the replacement unit file, comment out the the line beginning with: LimitNPROC...


Refer to OpenVPN#Firewall configuration to setup the routes and firewall within the container. Failure to do so or to implement with an alternative will prevent openvpn from functioning properly in the container.

Start ufw and enable ufw.service to start at boot.

# ufw enable