Creating Proxied Subnets with LXC

1. Concept
1.1. Goals
1.2. Architecture
1.3. Example Values
2. Setting up the Host System
2.1. Configuring the Bridge
3. Setting up the Proxy Container
3.1. Network Configuration
3.2. VPN Connection
3.2.1. Configuration
3.2.2. Testing
3.2.3. Adding a Custom Service
3.2.4. Enable and Restrict Traffic Proxying
4. Setting up the isolated container(s)
5. See also



short howto on creating a subnet for lxc containers which is proxied through a VPN

1. Concept

1.1. Goals

All communication of a set of containers is routed and sent through a VPN. In the case of an outage of that VPN, the containers in the subnet will not be able to communicate to the outside world.

1.2. Architecture

The "network" is a bridge on the host system. All isolated containers will have a connection to only that bridge, while the proxy container will be attached to the normal lxc bridge (the uplink) and the isolated bridge. All traffic on the isolated bridge will be NATed and tunneled through a VPN by the proxy container.

While this setup is fairly simple, it places some restrictions:

1.3. Example Values

The following values are used throughout the document.

Description Value
default LXC bridge name lxcbr0
LXC bridge subnet
isolated bridge name brvpn
isolated bridge network
proxy container name proxycontainer
proxy container address
isolated container name isolatedcontainer
isolated container address
API to check if VPN is connected https://api.vpn.example/connectcheck
group used to launch openvpn with vpngrp

2. Setting up the Host System

2.1. Configuring the Bridge

Add a new bridge with no attached devices, and give it a separate subnet. There are plenty of ways to configure a bridge; I the following lines to /etc/network/interfaces.

auto brvpn
iface brvpn inet static
        bridge_ports none
        bridge_fd 5
        bridge_stp no

› Make sure you get this right, or your network might refuse to load up at all.

Afterwards bring up the bridge with sudo ifup brvpn and check its existance with ip addr show dev brvpn.

3. Setting up the Proxy Container

3.1. Network Configuration

Edit the container configuration in /var/lib/lxc/proxycontainer/config, copy the net section a second time and adjust it to connect to the bridge: = veth = lxcbr0 = up = 00:16:3e:a0:97:e8 = veth = brvpn = up = 02:16:3e:a0:97:e8 =

› Both the MAC and IP address of the second interface are changed.

Bring up the container and check the internet connection. Check /etc/network/interfaces and disable DHCP on the interface to brvpn if required.

3.2. VPN Connection

This example describes how to setup openvpn. Other VPNs might work very differently.

3.2.1. Configuration

Openvpn in containers doesn’t work out of the box, as a tun device has to be created. This is an adaptation from here.

On the host system add the file /var/lib/lxc/proxycontainer/autodev with the following content:


mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

Make the file executable: chmod +x /var/lib/lxc/proxycontainer/autodev

Add this to the container config /var/lib/lxc/proxycontainer/config:


Inside the container install the openvpn client and place the configuration files somewhere, for example /etc/openvpn/client/.

› Maybe adjust the access rights.

3.2.2. Testing

Try to open a vpn connection with openvpn --config /etc/openvpn/client/vpn.conf (or whereever you placed your config).

Use an API provided by your VPN provider with curl to check if the VPN is online. Build a pipeline like curl https://api.vpn.example/connectcheck | grep 'You are connected.' that will succeed if you are connected and fail if not. We will need that pipeline in a second.

3.2.3. Adding a Custom Service

Add a group that executes the vpn to later flag the traffic easily with iptables:

groupadd -r vpngrp

Add two scripts for when the VPN goes up/down and make them executable:

touch /etc/openvpn/up /etc/openvpn/down
chmod +x /etc/openvpn/up /etc/openvpn/down

Then create a systemd service unit at /etc/systemd/system/vpn.service to connect to the vpn and call these scripts.

Description=Proxy all traffic via vpn

ExecStart=/usr/sbin/openvpn --config /etc/openvpn/client/vpn.conf


Enable the service

systemctl daemon-reload
systemctl enable vpn.service

3.2.4. Enable and Restrict Traffic Proxying

Start by disabling all traffic forwarding by default. Forwarding will only be enabled by our custom scripts after the firewall has been adjusted. Add to /ect/sysctl.conf:


Add the content of /etc/openvpn/up. Keep in mind that that file is executed immediately after openvpn is launched, at which point it is not yet connected. So our script will first wait for openvpn get up. Afterwards firewall rules are added:

Only after all iptables rules are in place will forwarding be enabled:




while [ $try_result -ne 0 ]
    # no max number of tries, as openvpn will retry forever

    if [ $tries -ge 1 ]
        sleep 5

    echo "checking connection..."
    curl https://api.vpn.example/connectcheck | grep 'You are connected.' > /dev/null
    tries=$(( $tries + 1))

echo "connected."

iptables -t filter -A FORWARD -s -j MARK --set-mark $FORWARD_MARK
iptables -t filter -A FORWARD -m mark --mark $FORWARD_MARK -j ACCEPT
iptables -t filter -A FORWARD -d -j ACCEPT
iptables -t filter -A FORWARD -j DROP

iptables -t filter -A OUTPUT -m owner --gid-owner vpngrp -j MARK --set-mark $VPN_MARK

iptables -t mangle -A POSTROUTING -m mark --mark $VPN_MARK -j ACCEPT
iptables -t mangle -A POSTROUTING -o tun0 -j ACCEPT
iptables -t mangle -A POSTROUTING -d -j ACCEPT
iptables -t mangle -A POSTROUTING -j DROP

iptables -t nat -A POSTROUTING -m mark --mark $FORWARD_MARK -j MASQUERADE

sysctl net.ipv4.ip_forward=1

› Don’t forget to insert your connection-test-pipeline from above.

The teardown script in /etc/openvpn/down is much simpler, it just disables forwarding and clears up the created rules.


sysctl net.ipv4.ip_forward=0

iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F

Restart the container and check the VPN connection to finish.

4. Setting up the isolated container(s)

Create a container and give it the isolated bridge as only interface. Change network config in /var/lib/lxc/isolatedcontainer/config to: = veth = brvpn = up = 02:16:3e:61:83:d4 = =

Inside of the container disable DHCP by editing the /etc/network/interfaces:

auto eth0
iface eth0 inet static

Restart the isolated container and check the vpn connection with curl. For testing stop the proxy container and try to connect somewhere again, it should not work.

5. See also

08 January 2021