Title: Running tailscale inside of a proxmox container
Date: 2021-07-08 11:00

Since the war on COVID is going better than the war on drugs,
odds are that I'll eventually be allowed to roam wild and free outside of my flat.
Meaning that I'll need a VPN: I don't trust commercial ones,
maintaining a [PKI](https://en.wikipedia.org/wiki/Public_key_infrastructure) sucks almost
as much as dealing with [IPSEC](https://en.wikipedia.org/wiki/IPsec) or [OpenVPN](https://openvpn.net/),
so I gave [tailscale](https://tailscale.com)'s free plan a try, since I've heard good things about it,
and a friend of mine is working there.

I'm using [proxmox](https://proxmox.com/en/proxmox-ve) at home, with everything
neatly packed into small unprivileged [lxc](https://linuxcontainers.org/lxc/)
containers, and since tailscale is
[packaged](https://pkgs.alpinelinux.org/packages?name=tailscale&branch=edge) in
Alpine Linux, deploying it shouldn't be much of a hassle.

The hardest part was to allow the container to use a
[TUN](https://en.wikipedia.org/wiki/TUN/TAP) device, but fortunately, the
[kernel's documentation on the
topic](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt) is
pretty straightforward:

```
root@proxmox:~# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 12  2017 /dev/net/tun
root@proxmox:~# echo 'lxc.cgroup.devices.allow: c 10:200 rwm' >> /etc/pve/lxc/102.conf
root@proxmox:~# echo 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' >> /etc/pve/lxc/102.conf
root@proxmox:~# pct enter 102
~ # apk add tailscale
~ # rc-update add tailscale
~ # echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
~ # echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
~ # sysctl -p /etc/sysctl.conf
~ # reboot
root@proxmox:~#
```

plus a couple of clicks in tailscale's admin interface, and everything just
works: [DNS](https://tailscale.com/kb/1054/dns/), [exit
nodes](https://tailscale.com/kb/1103/exit-nodes/),
[sharing](https://tailscale.com/kb/1106/taildrop/), [subnet
routers](https://tailscale.com/kb/1019/subnets/), … it's glorious.
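As an added example (not from the original post, nor from Proxmox, LXC or tailscale), here is the same device grant as an idempotent shell script: it reads the major:minor from the device node instead of hardcoding `10:200`, appends each config line only once so re-runs don't duplicate entries, and checks that the allow rule is not a wildcard that would expose every host device to the container. Function names and argument conventions are my own.

```shell
#!/bin/sh
# Added example: idempotent version of the tun grant from the post above.
# Function names, argument order and the minimality check are my own
# conventions, not part of Proxmox, LXC or tailscale.
set -eu

# Print "MAJOR MINOR" (decimal) for a character device, read from stat's
# hex %t/%T fields rather than hardcoding 10 200 from `ls -l`.
tun_devnum() {
    dev="${1:-/dev/net/tun}"
    [ -c "$dev" ] || { echo "$dev is not a character device" >&2; return 1; }
    printf '%d %d\n' "0x$(stat -c '%t' "$dev")" "0x$(stat -c '%T' "$dev")"
}

# Append a line to a file only if that exact line is not already there,
# so re-running the script does not pile up duplicate entries.
append_once() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Write the device-allow rule and the bind mount for /dev/net/tun into a
# container config (e.g. /etc/pve/lxc/102.conf). The cgroup key is a
# parameter because hosts running cgroup v2 use lxc.cgroup2.devices.allow.
grant_tun() {
    conf="$1"; major="$2"; minor="$3"; key="${4:-lxc.cgroup.devices.allow}"
    append_once "$conf" "$key: c ${major}:${minor} rwm"
    append_once "$conf" "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"
}

# Succeed only if no allow rule in the config is a wildcard ('a' or 'c *:*'),
# which would hand the container every host device instead of just tun.
tun_rule_is_minimal() {
    ! grep -Eq '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*(a[[:space:]]*$|c[[:space:]]+\*:\*)' "$1"
}

# Host-side usage (as root): grant_tun /etc/pve/lxc/102.conf $(tun_devnum)
```

Running `tun_rule_is_minimal` against a container config after editing is a cheap way to catch a copy-pasted `lxc.cgroup.devices.allow: a` that grants far more than the tun device.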

edit: the procedure is now [documented on tailscale's website](https://tailscale.com/kb/1130/lxc-unprivileged/).
