OpenVPN server in Linux Containers
This article describes how to set up a Linux Container to run OpenVPN in server mode for secure/private internet use. Doing so offers a distinct advantage over full virtualization such as VirtualBox or QEMU: the resource overhead is minimal by comparison, so the setup can run on low-powered devices.
- The host OS needs a bridge ethernet setup to allow the container to run. Refer to Linux Containers#Host network configuration for this.
- One needs to enable packet forwarding. Refer to Internet sharing#Enable packet forwarding for this.
- Although not strictly required, a firewall is highly recommended.
Basic setup and understanding of Linux Containers is required. This article assumes that readers have a base LXC setup operational. Newcomers to these are directed to the aforementioned article.
The container's configuration must be modified to include several key lines in order to run OpenVPN (a bind mount of /dev/net and permission to use the tun device, character device 10:200).
For the example, the lxc is named "playtime" and a full configuration is shown:
...
## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm
If you use LXC newer than 4.0, use the cgroup2 key instead of cgroup:
...
## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup2.devices.allow = c 10:200 rwm
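The two configuration snippets above and the packet-forwarding prerequisite are easy to get subtly wrong (for example using the cgroup key on an LXC 4 host, where it is silently ignored and the container never sees /dev/net/tun). The following script is an added example, not part of this article, that checks both before the container is started. It assumes the container config path and the LXC major version are passed as arguments; the ip_forward path defaults to the real sysctl file but can be overridden so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the article): host-side pre-flight check for an
# OpenVPN container. Verifies that packet forwarding is on and that the
# container config carries the /dev/net bind mount and the tun device rule.

# Return 0 when packet forwarding is enabled (the sysctl file reads "1").
# The path argument is optional; tests pass a constructed file.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 when the config has the /dev/net bind mount and the tun device
# (char major 10, minor 200) allow rule for the given LXC major version.
# As the article notes, LXC 4 and later use lxc.cgroup2.*; older releases
# use lxc.cgroup.*, and the wrong key is ignored rather than rejected.
check_openvpn_lxc_config() {
    cfg="$1"
    lxc_major="$2"
    if [ "$lxc_major" -ge 4 ]; then
        key_name='lxc.cgroup2.devices.allow'
        key_re='lxc\.cgroup2\.devices\.allow'
    else
        key_name='lxc.cgroup.devices.allow'
        key_re='lxc\.cgroup\.devices\.allow'
    fi
    if ! grep -Eq '^lxc\.mount\.entry *= */dev/net dev/net none bind,create=dir *$' "$cfg"; then
        echo "$cfg: missing lxc.mount.entry for /dev/net" >&2
        return 1
    fi
    if ! grep -Eq "^$key_re *= *c 10:200 rwm *$" "$cfg"; then
        echo "$cfg: missing '$key_name = c 10:200 rwm' (tun device)" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage (hypothetical path, LXC 4 host):
#   sh check.sh /var/lib/lxc/playtime/config 4
if [ -n "${1:-}" ]; then
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
    check_openvpn_lxc_config "$1" "${2:-4}"
fi
```

Run it on the host with the container's config path; a non-zero exit and the message on stderr point at the exact line that is missing, which is faster than starting the container and reading the OpenVPN log for a tun open failure.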
Needed packages within the container
In addition to the base system, openvpn is required and available from the official repositories. A properly configured firewall running within the container is highly recommended. This guide uses ufw, which is very easy to configure, but other firewalls can certainly be used.
Refer to the OpenVPN article to properly set up the home server. Verify openvpn functionality within the container: start the openvpn server's systemd service as described in that article and, once satisfied, enable it to run at boot.
Refer to OpenVPN#Firewall configuration to set up the routes and firewall within the container. Failing to do so, or to implement an equivalent alternative, will prevent openvpn from functioning properly in the container.
Start ufw and enable ufw.service to start at boot:
# ufw enable