This document explains common ways to pass host devices into Proxmox LXC containers. Examples use /dev/net/tun.
Applies to: Proxmox VE with LXC (cgroup v2)
Option 1 (manual cgroup rule and bind mount) is useful for advanced or legacy setups. For most cases, Option 2 is recommended.
ls -lah /dev/net

Example output:

total 0
drwxr-xr-x 2 root root 60 Jan 11 08:37 .
drwxr-xr-x 22 root root 4.9K Jan 11 08:37 ..
crw-rw-rw- 1 root root 10, 200 Jan 11 09:37 tun

- Major number: 10
- Minor number: 200
- Type: c (character device)
Edit /etc/pve/lxc/<lxc-id>.conf, add:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,optional,create=dir
# or, to bind only the device node (the target path is relative to the container rootfs):
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,optional,create=file

lxc.cgroup2.devices.allow
- Allows the container to access a specific device.
- c → character device
- 10:200 → major:minor number
- rwm permissions: r = read, w = write, m = mmap (required by many drivers)

lxc.mount.entry
- Bind-mounts the host’s /dev/net directory into the container at /dev/net (or the /dev/net/tun file).
- optional: Do not fail container startup if the source path is missing (useful for hot-plug or non-critical devices).
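The following is an added example, not part of the original page: a shell check that derives the `type major:minor` id from a device node and classifies every `lxc.cgroup2.devices.allow` rule in a container config against it, flagging wildcard rules that grant more than the one device. The helper names `dev_id`, `audit_conf` and `sample_conf` and the sample config are constructed for illustration; `dev_id` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example; dev_id, audit_conf and sample_conf are hypothetical helper names.

# Print "<type> <major>:<minor>" for a device node, e.g. "c 10:200" for /dev/net/tun.
dev_id() {
    if   [ -c "$1" ]; then kind=c
    elif [ -b "$1" ]; then kind=b
    else echo "not a device node: $1" >&2; return 1
    fi
    # Assumes GNU stat: %t and %T are the major and minor numbers in hex.
    hex=$(stat -c '%t %T' "$1") || return 1
    printf '%s %d:%d\n' "$kind" "0x${hex% *}" "0x${hex#* }"
}

# Read a container config on stdin and classify every devices.allow rule
# against the expected id ($1). Exit status is non-zero when a wildcard
# rule is present or the expected rule is missing.
audit_conf() {
    awk -v want="$1" '
        $1 == "lxc.cgroup2.devices.allow:" {
            id = $2 " " $3
            if ($2 == "a" || $3 ~ /\*/) { print "BROAD", id; bad = 1 }
            else if (id == want)        { print "MATCH", id; found = 1 }
            else                        { print "OTHER", id }
        }
        END { exit (bad || !found) }
    '
}

# Constructed sample config: the rule from this page plus a wildcard rule.
sample_conf() {
    cat <<'EOF'
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:* rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,optional,create=file
EOF
}

sample_conf | audit_conf "c 10:200" || echo "review the rules flagged above"
# On a Proxmox host:
#   audit_conf "$(dev_id /dev/net/tun)" < /etc/pve/lxc/<lxc-id>.conf
```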
pct restart <lxc-id>

Option 2: Proxmox provides a simpler syntax that automatically handles:
- cgroup permissions
- bind mounts
- ownership inside the container
Edit /etc/pve/lxc/<lxc-id>.conf, add:
dev0: /dev/net/tun,gid=0,uid=0

- dev0: Arbitrary index (dev0, dev1, …)
- /dev/net/tun: Device path on the host
- uid (optional): User ID owning the device inside the container
- gid (optional): Group ID owning the device inside the container