TUN/TAP device in lxc containers

To create tun/tap devices inside LXC containers running Red Hat- or Debian-based distros, create the following systemd unit:

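/etc/systemd/system/tundev.service:
    [Unit]
    Description=Add tun device workaround
    Wants=network.target
    # Skip the unit when the device node already exists
    ConditionPathExists=!/dev/net/tun

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    # -p: do not fail if /dev/net is already present
    ExecStart=/usr/bin/mkdir -p /dev/net
    # Character device, major 10, minor 200
    ExecStart=/usr/bin/mknod -m 666 /dev/net/tun c 10 200

    [Install]
    WantedBy=multi-user.target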

To create the tun/tap device before certain units start (e.g. OpenVPN), add

    Before=openvpn@.service

under [Unit].

To allow the container to create the device, the following line must be in the lxc config file (/var/lib/lxc/100/config):

    lxc.cgroup.devices.allow = c 10:200 rwm

For Proxmox, add the following line to the container config (e.g. /etc/pve/lxc/100.conf):

    lxc.cgroup.devices.allow: c 10:200 rwm
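
A quick audit of the container config lines described above, as an added example that is not part of the original page: the hypothetical function `audit_tun_rule` checks that the `c 10:200` rule is present with read and write access and flags any rule that allows all devices (`a`). It accepts both the `=` and `:` separators; also matching the cgroup v2 key `lxc.cgroup2.devices.allow` is an assumption that goes beyond what the page covers.

```shell
#!/bin/sh
# Added example, not from the original page. audit_tun_rule is a hypothetical
# helper: it prints one finding per device rule and returns 0 only when the
# c 10:200 rule is present with r and w access and no rule allows all devices.
audit_tun_rule() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 2; }
    awk '
        # "key = value" is LXC syntax, "key: value" is Proxmox syntax.
        # Assumption: the cgroup v2 key lxc.cgroup2.devices.allow is accepted too.
        /^[ \t]*lxc\.cgroup2?\.devices\.allow[ \t]*[=:]/ {
            val = $0
            sub(/^[^=:]*[=:][ \t]*/, "", val)   # drop key and separator
            sub(/[ \t]+$/, "", val)
            n = split(val, f, /[ \t]+/)
            if (f[1] == "a") {                  # "a" grants every device
                print "too-broad: " val; broad = 1; next
            }
            if (n == 3 && f[1] == "c" && f[2] == "10:200") {
                if (f[3] ~ /r/ && f[3] ~ /w/) { print "ok: " val; found = 1 }
                else print "insufficient-access: " val
            }
        }
        END {
            if (!found) print "missing: c 10:200 rule"
            exit !(found && !broad)
        }
    ' "$conf"
}

# Constructed sample config (Proxmox syntax) so the script runs stand-alone;
# pass a real config path as the first argument to audit that file instead.
sample=$(mktemp)
printf '%s\n' 'arch: amd64' 'lxc.cgroup.devices.allow: c 10:200 rwm' > "$sample"
audit_tun_rule "${1:-$sample}"
rm -f "$sample"
```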