
Armand.nz


Running Tailscale in LXC containers

#Tailscale #Proxmox #LXC

I’m a fan of Tailscale and LXC containers, so it only made sense to combine the two, which takes just some minor adjustments.

Unprivileged LXC containers, such as the ones used in Proxmox virtualization environments, do not have access to the network resources Tailscale needs. To form tunnel connections, Tailscale encapsulates its frames in UDP packets instead of relying on kernel modules or other privileged operations. Although this makes it much more accessible and secure, Tailscale still needs access to a /dev/tun device to function properly, and unprivileged containers are not typically configured with one.

To get Tailscale up and running in an LXC container on Proxmox 7.0+, you must add the following lines to the container's config file to enable access to the /dev/tun device.

For example, for a container with the ID 103, the following lines would be added to /etc/pve/lxc/103.conf:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

To ensure the change is applied, you will need to stop and start the LXC instance again if it is already running.

With access to /dev/tun, the Tailscale Linux package can be installed on that LXC system.
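A host-side check for the two config lines above, as an added example that is not part of the original post. It goes slightly beyond the post by ignoring `[name]` sections (assumed here to hold snapshots and pending changes) and by flagging any device rule other than `c 10:200`; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Proxmox LXC config for
# the two /dev/net/tun lines the post adds to /etc/pve/lxc/<ID>.conf.

# Assumption: only the text before the first "[name]" header is the live
# config; later sections hold snapshots and pending changes.
live_section() {
    awk '/^\[/ { exit } { print }' "$1"
}

# Returns 0 if both lines are present and no other device rule exists,
# 1 if a required line is missing, 2 if only extra device rules were found.
audit_tun_conf() {
    live=$(live_section "$1")
    rule='^lxc\.cgroup2\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm[[:space:]]*$'
    mount='^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+bind,create=file[[:space:]]*$'
    rc=0
    printf '%s\n' "$live" | grep -Eq "$rule" ||
        { echo "MISSING: lxc.cgroup2.devices.allow: c 10:200 rwm"; rc=1; }
    printf '%s\n' "$live" | grep -Eq "$mount" ||
        { echo "MISSING: lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"; rc=1; }
    # Any device rule other than c 10:200 widens access beyond /dev/net/tun.
    extra=$(printf '%s\n' "$live" | grep -E '^lxc\.cgroup2\.devices\.allow:' | grep -Ev "$rule" || true)
    if [ -n "$extra" ]; then
        echo "REVIEW: $extra"
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}

# Constructed sample: the live section lacks the bind mount; a snapshot has both.
sample=$(mktemp)
cat > "$sample" <<'EOF'
arch: amd64
hostname: ts-node
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm

[tun-test]
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
audit_tun_conf "${1:-$sample}" || echo "audit exit code: $?"
rm -f "$sample"
```

On the Proxmox host, pass the container's config path (for the post's example, /etc/pve/lxc/103.conf) as the first argument to audit that file instead of the sample.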


Up-to-date and detailed instructions can be found in "Tailscale in LXC containers".


Copyright © Armand