{"id":8841,"date":"2025-06-29T01:04:15","date_gmt":"2025-06-28T19:34:15","guid":{"rendered":"https:\/\/www.veeble.com\/kb\/?p=8841"},"modified":"2025-07-04T12:08:48","modified_gmt":"2025-07-04T06:38:48","slug":"how-to-easily-enable-tun-tap-on-openvz-for-vpn-or-proxy-support","status":"publish","type":"post","link":"https:\/\/www.veeble.com\/kb\/how-to-easily-enable-tun-tap-on-openvz-for-vpn-or-proxy-support\/","title":{"rendered":"How to easily Enable TUN\/TAP on OpenVZ for VPN or Proxy Support"},"content":{"rendered":"\n<div class=\"wp-block-uagb-image uagb-block-e0220e48 wp-block-uagb-image--layout-default wp-block-uagb-image--effect-static wp-block-uagb-image--align-none\"><figure class=\"wp-block-uagb-image__figure\"><a class=\"\" href=\"https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2025\/06\/ChatGPT-Image-Jun-27-2025-05_20_36-PM.jpg\" target=\"\" rel=\"noopener\"><img decoding=\"async\" srcset=\"https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2025\/06\/ChatGPT-Image-Jun-27-2025-05_20_36-PM-1024x683.jpg ,https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2025\/06\/ChatGPT-Image-Jun-27-2025-05_20_36-PM.jpg 780w, https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2025\/06\/ChatGPT-Image-Jun-27-2025-05_20_36-PM.jpg 360w\" sizes=\"auto, (max-width: 480px) 150px\" src=\"https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2025\/06\/ChatGPT-Image-Jun-27-2025-05_20_36-PM-1024x683.jpg\" alt=\"Diagram showing OpenVZ TUN\/TAP workflow\" class=\"uag-image-8842\" width=\"777\" height=\"461\" title=\"How to easily Enable TUN\/TAP on OpenVZ for VPN or Proxy Support\" loading=\"lazy\" role=\"img\"\/><\/a><\/figure><\/div>\n\n\n\n<p>Enabling <strong>TUN\/TAP on <a href=\"https:\/\/openvz.org\/\" target=\"_blank\" rel=\"noopener\">OpenVZ<\/a><\/strong> is essential for running VPNs and certain proxy services inside containers. Whether you are setting up OpenVPN, <a href=\"https:\/\/www.wireguard.com\/\" target=\"_blank\" rel=\"noopener\">WireGuard<\/a>, or any tunneling-based solution, TUN\/TAP devices must be enabled at the host and container levels. This guide walks you through the process to <strong>enable TUN\/TAP on OpenVZ<\/strong> safely and effectively.<\/p>\n\n\n\t\t\t\t<div class=\"wp-block-uagb-table-of-contents uagb-toc__align-left uagb-toc__columns-1  uagb-block-cffec251      \"\n\t\t\t\t\tdata-scroll= \"1\"\n\t\t\t\t\tdata-offset= \"30\"\n\t\t\t\t\tstyle=\"\"\n\t\t\t\t>\n\t\t\t\t<div class=\"uagb-toc__wrap\">\n\t\t\t\t\t\t<div class=\"uagb-toc__title\">\n\t\t\t\t\t\t\tTable Of Contents\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"uagb-toc__list-wrap \">\n\t\t\t\t\t\t<ol class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#what-is-tuntap\" class=\"uagb-toc-link__trigger\">What is TUN\/TAP?<\/a><li class=\"uagb-toc__list\"><a href=\"#why-enable-tuntap-in-openvz\" class=\"uagb-toc-link__trigger\">Why Enable TUN\/TAP in OpenVZ?<\/a><li class=\"uagb-toc__list\"><a href=\"#prerequisites\" class=\"uagb-toc-link__trigger\">Prerequisites<\/a><li class=\"uagb-toc__list\"><a href=\"#step-by-step-how-to-enable-tuntap-on-openvz\" class=\"uagb-toc-link__trigger\">Step-by-Step: How to Enable TUN\/TAP on OpenVZ<\/a><ul class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#step-1-verify-tun-module-on-the-host-node\" class=\"uagb-toc-link__trigger\">Step 1: Verify TUN Module on the Host Node<\/a><li class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#step-2-enable-tuntap-in-the-container\" class=\"uagb-toc-link__trigger\">Step 2: Enable TUN\/TAP in the Container<\/a><ul class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#21-stop-the-container\" class=\"uagb-toc-link__trigger\">2.1 Stop the Container:<\/a><li class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#22-set-container-configuration\" class=\"uagb-toc-link__trigger\">2.2 Set Container Configuration:<\/a><li class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#23-start-the-container\" class=\"uagb-toc-link__trigger\">2.3 Start the Container:<\/a><\/li><\/ul><li class=\"uagb-toc__list\"><a href=\"#step-3-create-devnettun-in-the-container\" class=\"uagb-toc-link__trigger\">Step 3: Create \/dev\/net\/tun in the Container<\/a><\/li><\/ul><\/li><li class=\"uagb-toc__list\"><a href=\"#troubleshooting-tuntap-in-openvz\" class=\"uagb-toc-link__trigger\">Troubleshooting TUN\/TAP in OpenVZ<\/a><li class=\"uagb-toc__list\"><a href=\"#security-considerations\" class=\"uagb-toc-link__trigger\">Security Considerations<\/a><li class=\"uagb-toc__list\"><a href=\"#use-cases-after-enabling-tuntap\" class=\"uagb-toc-link__trigger\">Use Cases After Enabling TUN\/TAP<\/a><li class=\"uagb-toc__list\"><a href=\"#conclusion\" class=\"uagb-toc-link__trigger\">Conclusion<\/a><\/ul><\/ol>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-tuntap\">What is TUN\/TAP?<\/h2>\n\n\n<p>Before diving into the configuration, it&#8217;s important to understand what TUN and TAP are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TUN (Network TUNnel)<\/strong>: Works at the IP level, typically used with routing applications like OpenVPN.<\/li>\n\n\n\n<li><strong>TAP (Network TAP)<\/strong>: Operates at the Ethernet level, supporting layer 2 traffic, often used for bridging.<\/li>\n<\/ul>\n\n\n\n<p>These virtual network kernel drivers allow the creation of network interfaces used by tunneling protocols.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"why-enable-tuntap-in-openvz\">Why Enable TUN\/TAP in OpenVZ?<\/h2>\n\n\n<p>By default, <strong>TUN\/TAP is disabled in OpenVZ containers<\/strong> for security and resource control. However, VPN software or advanced proxy tools require these interfaces to establish encrypted tunnels or perform network routing. If you&#8217;re hosting VPN services for personal use or client needs, enabling TUN\/TAP is a critical step in preparing your OpenVZ container.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h2>\n\n\n<p>Before you proceed, ensure the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have <strong>root access to the OpenVZ host node<\/strong>.<\/li>\n\n\n\n<li>The container is <strong>already created and running<\/strong>.<\/li>\n\n\n\n<li>Your OpenVZ environment supports <strong>TUN\/TAP modules<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"stepbystep-how-to-enable-tuntap-on-openvz\">Step-by-Step: How to Enable TUN\/TAP on OpenVZ<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"step-1-verify-tun-module-on-the-host-node\"><strong>Step 1: Verify TUN Module on the Host Node<\/strong><\/h3>\n\n\n<p>Ensure that the <code>tun<\/code> module is loaded on the host:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lsmod | grep tun<\/code><\/pre>\n\n\n\n<p>If it&#8217;s not loaded, run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>modprobe tun<\/code><\/pre>\n\n\n\n<p>Make sure it&#8217;s enabled on boot:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"tun\" &gt;&gt; \/etc\/modules<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h3 class=\"wp-block-heading\" id=\"step-2-enable-tuntap-in-the-container\"><strong>Step 2: Enable TUN\/TAP in the Container<\/strong><\/h3>\n\n\n<p>You need to modify container settings on the host.<\/p>\n\n\n<h4 class=\"wp-block-heading\" id=\"21-stop-the-container\">2.1 Stop the Container:<\/h4>\n\n\n<pre class=\"wp-block-preformatted\"><code>vzctl stop &lt;CTID&gt;<\/code><\/pre>\n\n\n\n<p>Replace <code>&lt;CTID&gt;<\/code> with the container ID.<\/p>\n\n\n<h4 class=\"wp-block-heading\" id=\"22-set-container-configuration\">2.2 Set Container Configuration:<\/h4>\n\n\n<p>Run the following command to allow TUN access:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vzctl set &lt;CTID&gt; --devnodes net\/tun:rw --save<br>vzctl set &lt;CTID&gt; --capability net_admin:on --save<br>vzctl set &lt;CTID&gt; --devices c:10:200:rw --save<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>--devnodes net\/tun:rw<\/code><br>Grants the container read\/write access to the <code>\/dev\/net\/tun<\/code> device.<\/li>\n\n\n\n<li><code>--capability net_admin:on<\/code><br>Enables the <code>net_admin<\/code> capability, which is required to configure network interfaces inside the container.<\/li>\n\n\n\n<li><code>--devices c:10:200:rw<\/code><br>Provides access to the specific character device used by TUN (major 10, minor 200).<\/li>\n<\/ul>\n\n\n\n<p>These changes ensure that the container can initialize and use the TUN\/TAP device, which is essential for running VPN or proxy services.<\/p>\n\n\n<h4 class=\"wp-block-heading\" id=\"23-start-the-container\">2.3 Start the Container:<\/h4>\n\n\n<pre class=\"wp-block-preformatted\"><code>vzctl start &lt;CTID&gt;<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h3 class=\"wp-block-heading\" id=\"step-3-create-devnettun-in-the-container\"><strong>Step 3: Create \/dev\/net\/tun in the Container<\/strong><\/h3>\n\n\n<p>Log into the container:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vzctl enter &lt;CTID&gt;<\/code><\/pre>\n\n\n\n<p>Now, ensure the <code>\/dev\/net\/tun<\/code> device exists:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir -p \/dev\/net<br>mknod \/dev\/net\/tun c 10 200<br>chmod 600 \/dev\/net\/tun<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"troubleshooting-tuntap-in-openvz\">Troubleshooting TUN\/TAP in OpenVZ<\/h2>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Issue:<\/strong><code>Cannot open TUN device inside container.<\/code>\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Check device permissions, module loading, and container capabilities.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Issue:<\/strong> Device not found after reboot.\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Automate <code>\/dev\/net\/tun<\/code> creation via container startup scripts or templates.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"security-considerations\">Security Considerations<\/h2>\n\n\n<p>While enabling <strong>TUN\/TAP in OpenVZ containers<\/strong> is necessary for VPNs, it also raises security implications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Containers with TUN access can create tunnels bypassing network restrictions.<\/li>\n\n\n\n<li>Only trusted users\/clients should be allowed access.<\/li>\n\n\n\n<li>Always monitor traffic and limit privileges using firewall rules or custom scripts.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"use-cases-after-enabling-tuntap\">Use Cases After Enabling TUN\/TAP<\/h2>\n\n\n<p>Once TUN\/TAP is enabled, you can proceed to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Install OpenVPN server\/client<\/strong> within the container.<\/li>\n\n\n\n<li><strong>Run WireGuard<\/strong> with proper kernel support.<\/li>\n\n\n\n<li><strong>Deploy SOCKS proxies or tunnel-based services<\/strong> for secure remote access.<\/li>\n<\/ul>\n\n\n\n<p>These use cases are common in hosting environments or self-managed VPS services requiring private, secure connectivity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n<p>Enabling <strong>TUN\/TAP on OpenVZ for VPN or Proxy support<\/strong> is a straightforward yet vital process for secure tunneling operations. Following the right steps ensures compatibility, security, and functionality. Always test the setup post the enablement and keep security best practices in mind when allowing network-related capabilities in containers.  To explore reliable and affordable OpenVZ VPS options, you may check the plans available on <a href=\"https:\/\/www.veeble.com\/in\/vps-hosting\/\">Veeble\u2019s website<\/a>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enabling TUN\/TAP on OpenVZ is essential for running VPNs and certain proxy services inside containers. Whether you are setting up OpenVPN, WireGuard, or any [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[12,1],"tags":[],"class_list":["post-8841","post","type-post","status-publish","format-standard","hentry","category-openvz","category-uncategorized"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"Jeevan Kurian","author_link":"https:\/\/www.veeble.com\/kb\/author\/jeevan\/"},"uagb_comment_info":0,"uagb_excerpt":"Enabling TUN\/TAP on OpenVZ is essential for running VPNs and certain proxy services inside containers. Whether you are setting up OpenVPN, WireGuard, or any [&hellip;]","_links":{"self":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/8841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/comments?post=8841"}],"version-history":[{"count":5,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/8841\/revisions"}],"predecessor-version":[{"id":8849,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/8841\/revisions\/8849"}],"wp:attachment":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/media?parent=8841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/categories?post=8841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/tags?post=8841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}