2026-02-25 11:03:08 +03:00

Curl Command

curl -fsSL https://git.innovator.bh/ghassan/tailscale-lxc-installation/raw/branch/main/install.sh | bash

Tailscale in Proxmox LXC

This document describes how to run Tailscale inside a Proxmox LXC container, including enabling /dev/net/tun and optionally using the container as a subnet router. [tailscale]

Prerequisites

  • Proxmox VE 7 or newer. [github]
  • An LXC container (Debian/Ubuntu or similar; examples assume Debian/Ubuntu). [nihalatwal]
  • Access to the Proxmox host shell and the container shell. [github]

1. Create the LXC container

Create an LXC container from a standard Debian/Ubuntu template (e.g. debian-12-standard or ubuntu-22.04-standard). Keep resources minimal unless you plan to route a lot of traffic. [nihalatwal]

Example (GUI):

  • Download Debian/Ubuntu CT template from Proxmox templates.
  • Click Create CT, choose the template, set hostname (e.g. tailscale-lxc), disk ~8-16 GB, RAM 512-2048 MB, and assign a static IP if desired. [github]

Start the container when finished.


2. Enable /dev/net/tun for the container

On the Proxmox host, edit the container config:

nano /etc/pve/lxc/<CTID>.conf

Append the following lines (for Proxmox 7+ with cgroup2) [github]:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

For older Proxmox with cgroup v1, the key name differs [github]:

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Restart the container to apply the changes:

pct stop <CTID>
pct start <CTID>

Inside the container, verify TUN exists:

ls -l /dev/net/tun
# Expect: character device with major 10, minor 200
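
If the device is missing after the restart, the two config lines from this step are the first thing to check. The script below is an added example, not part of the original repository: a hypothetical helper, check_tun_conf, run on the Proxmox host against /etc/pve/lxc/<CTID>.conf. It assumes lines after the first [name] header belong to a snapshot or pending section and are not the live config.

```shell
#!/bin/sh
# Added example: audit a Proxmox CT config for the step 2 TUN passthrough lines.
# usage: check_tun_conf FILE [cgroup2|cgroup]   (default cgroup2, i.e. Proxmox 7+)
# Prints findings; returns 0 only if both lines are present with the expected key,
# 2 if the file cannot be read.
check_tun_conf() (
    conf=$1
    want=${2:-cgroup2}
    allow_ok=0; mount_ok=0; other_key=
    [ -r "$conf" ] || { echo "cannot read $conf"; exit 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "["*) break ;;           # snapshot/pending section, not the live config
            "#"*|"") continue ;;
        esac
        key=${line%%:*}
        # Collapse and trim blanks so spacing differences do not cause false alarms.
        val=$(printf '%s\n' "${line#*:}" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
        case $key in
            lxc.cgroup2.devices.allow|lxc.cgroup.devices.allow)
                [ "$val" = "c 10:200 rwm" ] || continue
                if [ "$key" = "lxc.$want.devices.allow" ]; then allow_ok=1
                else other_key=$key; fi ;;
            lxc.mount.entry)
                case $val in
                    "/dev/net/tun dev/net/tun none "*bind*) mount_ok=1 ;;
                esac ;;
        esac
    done < "$conf"
    [ "$allow_ok" -eq 1 ] || echo "missing: lxc.$want.devices.allow: c 10:200 rwm"
    [ -z "$other_key" ] || echo "note: found $other_key (key for the other cgroup version)"
    [ "$mount_ok" -eq 1 ] || echo "missing: lxc.mount.entry for /dev/net/tun"
    [ "$allow_ok" -eq 1 ] && [ "$mount_ok" -eq 1 ]
)

# Constructed sample: cgroup v1 key in a config checked against cgroup2.
sample=$(mktemp)
printf '%s\n' 'arch: amd64' 'hostname: tailscale-lxc' \
    'lxc.cgroup.devices.allow: c 10:200 rwm' \
    'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' > "$sample"
check_tun_conf "$sample" cgroup2 || echo "config incomplete for cgroup2"
rm -f "$sample"
```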

3. Install Tailscale inside the LXC

Inside the container:

apt update && apt upgrade -y
apt install -y curl

Install Tailscale using the official Linux installer [tailscale]:

curl -fsSL https://tailscale.com/install.sh | sh

Enable and start the service:

systemctl enable --now tailscaled

You can check status with:

systemctl status tailscaled

4. Bring the node onto your tailnet

On the container:

tailscale up

Follow the URL printed in the terminal to authenticate the node in your Tailscale admin console. [tailscale]

After that, verify it has a Tailscale IP:

tailscale ip
tailscale status

You should see an IP in the 100.x.y.z range and the node listed as connected. [tailscale]


5. Enable IP forwarding (for subnet router use)

If you want this LXC to act as a subnet router for your LAN, enable IP forwarding inside the container [imoize.github]:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Alternatively, use a dedicated sysctl drop-in such as /etc/sysctl.d/99-tailscale.conf with similar content. [imoize.github]


6. Configure Tailscale as a subnet router (optional)

Decide which LAN subnets behind the LXC you want to advertise, e.g. 192.168.1.0/24. [imoize.github]

Run:

sudo tailscale up --advertise-routes=192.168.1.0/24

If you are using a local DNS (Pi-hole etc.) and do not want Tailscale to override DNS, you can add [github]:

sudo tailscale up \
  --advertise-routes=192.168.1.0/24 \
  --accept-dns=false

Then, in the Tailscale admin console:

  1. Go to Machines.
  2. Find this LXC node.
  3. Click the three-dot menu → Edit route settings.
  4. Approve the advertised subnet routes. [imoize.github]

After approval, devices on your tailnet can reach the advertised subnet via this container. [nihalatwal]


7. Userspace networking mode (no TUN, optional)

If you cannot or do not want to expose /dev/net/tun, you can run Tailscale in userspace networking mode inside the LXC [tailscale]:

# Userspace mode is selected on the daemon; `tailscale up` has no --tun flag.
tailscaled --tun=userspace-networking &
tailscale up

This avoids needing a TUN device but may have limitations and different performance characteristics compared to kernel TUN mode. [tailscale]


8. Troubleshooting

  • failed to connect to local tailscaled

    • Ensure tailscaled is running: systemctl status tailscaled.
    • Confirm /dev/net/tun exists and the Proxmox config lines were added correctly. [github]
  • Container starts but no Tailscale traffic

    • Check IP forwarding and firewall rules inside the LXC.
    • For subnet router scenarios, verify routes are approved in the Tailscale admin console. [nihalatwal]
  • Unprivileged LXC specifics

    • The /dev/net/tun configuration in the Proxmox LXC config is enough for kernel TUN even in unprivileged LXCs starting with Proxmox 7, as shown in the official LXC + Tailscale guidance. [youtube]

References

  • Tailscale LXC / unprivileged guide. [tailscale]
  • Example Proxmox LXC + Tailscale setup. [nihalatwal]
  • Containers and virtualization notes for Tailscale. [tailscale]