Running Proxmox on a cheap NAS appliance is great, but you know what’s better than that? Putting your Proxmox containers on the Internet!

Overlay networks

So far, the only private networking technologies that I have used are Neorouter and Tailscale. They both create a tunnel adapter in Linux that connects to a central server to provide secure links to devices that are not directly linked together.

I have used Neorouter a bunch in the past, and it works well. It lets me use VNC or Microsoft Remote Desktop to connect to computers at home while I am at work, school, or traveling. I have switched to Tailscale (for now) because it works better with Apple iOS devices for doing things like VoIP.

Connecting the VPS and the NAS together

Tailscale has some neat routing features built into it:

An Exit Node lets you pipe your local machine’s network traffic through the Internet link of a remote node. This is what most people use a VPN for.

A Subnet Router is like an exit node in reverse. It lets the other devices on your overlay network (known in Tailscale parlance as a tailnet) access other devices on its local area network.

The subnet router feature is what will allow the Internet to access our Proxmox containers.

Configuring the VPS

First, you need to get the overlay network installed and configured on your VPS. HOWEVER, you will need to get the tunnel adapter properly configured on your Linux containers first.

Begin by shutting down your container and editing its config from the shell of the PVE host (where 123 is the VMID of your container):

nano /etc/pve/lxc/123.conf

The file should look a bit like this:

 # pct config 123
 arch: amd64
 hostname: CT123
 memory: 512
 net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=FE:75:64:2A:A3:58,ip=dhcp,type=veth
 ostype: debian
 rootfs: local-lvm:vm-123-disk-0,size=4G
 features: nesting=1
 swap: 512
 unprivileged: 1

Add these lines to the end of the file:

 lxc.cgroup2.devices.allow: c 10:200 rwm
 lxc.mount.entry: /dev/net dev/net none bind,create=dir

Then, make sure that the tunnel device on the PVE host is configured so the unprivileged container can access it:

chown 100000:100000 /dev/net/tun

Verify permissions to /dev/net/tun:

ls -l /dev/net/tun
 crw-rw-rw- 1 100000 100000 10, 200 Dec 22 13:26 /dev/net/tun

Now test the container:

pct start 123
pct enter 123

Check the permissions for /dev/net/tun inside the container. They should be root:root:

 root@CT123:~# ls -l /dev/net/tun
 crw-rw-rw- 1 root root 10, 200 Dec 22 12:26 /dev/net/tun

To recap, on the PVE host /dev/net/tun should belong to 100000:100000, and inside the Linux container /dev/net/tun should belong to root:root.

Now you can type exit and proceed with the installation of your Tailscale subnet router.
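The host-side steps above, as an added example that is not part of the original post: an idempotent shell snippet for the PVE host that appends the two passthrough lines only if they are missing and checks that a device node really is TUN (10:200) with the expected owner. It assumes the post's layout (/etc/pve/lxc/<VMID>.conf) and the default unprivileged uid shift of 100000.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the PVE config path used
# in the post and the default unprivileged uid shift (container root = host 100000).
set -u

TUN_ALLOW='lxc.cgroup2.devices.allow: c 10:200 rwm'
TUN_MOUNT='lxc.mount.entry: /dev/net dev/net none bind,create=dir'

# add_tun_passthrough CONF: append each required line only when it is absent,
# so running this twice (or on an already patched container) adds nothing.
add_tun_passthrough() {
    conf=$1
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    for line in "$TUN_ALLOW" "$TUN_MOUNT"; do
        grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# has_tun_passthrough CONF: succeed only when both lines are present.
has_tun_passthrough() {
    grep -qxF -- "$TUN_ALLOW" "$1" && grep -qxF -- "$TUN_MOUNT" "$1"
}

# check_tun_node DEV WANT_UID: verify DEV is a character device with major 10,
# minor 200 (the TUN node) owned by WANT_UID. On the host WANT_UID is 100000;
# inside the container the same node should show up as uid 0 (root).
check_tun_node() {
    dev=$1; want=$2
    [ -c "$dev" ] || { echo "$dev: not a character device" >&2; return 1; }
    nums=$(stat -c '%t %T %u' "$dev") || return 1   # major/minor are hex
    set -- $nums
    maj=$((0x$1)); min=$((0x$2)); uid=$3
    [ "$maj" -eq 10 ] && [ "$min" -eq 200 ] || {
        echo "$dev: unexpected device number $maj:$min" >&2; return 1; }
    [ "$uid" -eq "$want" ] || { echo "$dev: owner uid $uid, want $want" >&2; return 1; }
}

# Typical use on the PVE host for VMID 123 (as in the post):
#   pct stop 123
#   add_tun_passthrough /etc/pve/lxc/123.conf
#   chown 100000:100000 /dev/net/tun && check_tun_node /dev/net/tun 100000
#   pct start 123 && pct exec 123 -- ls -l /dev/net/tun
```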

Now, on your VPS you should be able to ping IPs from your DMZ network (192.168.38.0/24).