
How to Fix 'No Internet' When Using warp-cli in Proxmox LXC

Noor Khafidzin

You’ve successfully installed Cloudflare WARP inside a Proxmox LXC container. You ran warp-cli connect without any errors, and the status shows Connected — but as soon as you check the internet, there is no connection at all. Pings fail, curl times out, and it feels as if the internet has completely died.

If you are experiencing this, you are not alone. This is a classic issue encountered by warp-cli users in LXC environments, and the solution is quite specific: /dev/net/tun needs to be passed through to the container.


Why Does This Happen?

Cloudflare WARP works by creating a TUN interface — a virtual network interface used to route all traffic through Cloudflare’s network. On standard systems (VMs or bare metal), this process works seamlessly because the kernel has full access to /dev/net/tun.

The problem is that LXC containers run in an isolated environment by default and do not have access to that device node. When warp-cli tries to create the TUN interface, the operation fails silently — WARP reports Connected, but the tunnel isn’t actually functioning because the TUN interface was never created.

Symptoms include:

  • warp-cli status → Connected
  • curl https://cloudflare.com/cdn-cgi/trace → curl: (6) Could not resolve host or timeout
  • ping 1.1.1.1 → Network unreachable
  • ip a → No CloudflareWARP interface appears in the list
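
To tell a missing device node apart from a DNS or routing problem, the node itself can be probed from inside the container. The following is an added example, not part of the original article; the function name probe_tun is hypothetical, and it assumes a Linux container with GNU or BusyBox stat.

```sh
# Added example: classify why the TUN device node is unusable in a container.
# TUN is character device major 10, minor 200; stat prints both in hex (a:c8).

probe_tun() {
    _path="${1:-/dev/net/tun}"
    if [ ! -e "$_path" ]; then
        echo "missing"            # node was never passed through or bind-mounted
        return 1
    fi
    if [ ! -c "$_path" ]; then
        echo "not-chardev"        # a regular file or directory sits in its place
        return 1
    fi
    _id="$(stat -c '%t:%T' "$_path")"   # hex major:minor
    if [ "$_id" != "a:c8" ]; then
        echo "wrong-device:$_id"  # a character device, but not 10:200
        return 1
    fi
    # Opening read-write is the first thing a tunnel client does. No interface
    # is created until the TUNSETIFF ioctl, so this open has no side effects.
    if ! ( exec 3<>"$_path" ) 2>/dev/null; then
        echo "denied"             # open() refused: device rule or ownership
        return 1
    fi
    echo "ok"
}

# Print the verdict for the given path (default: /dev/net/tun).
probe_tun "${1:-/dev/net/tun}" || true
```

A result of missing points at the passthrough step; denied points at the device rule or the ownership of the node on the host.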

Solution: Passthrough /dev/net/tun to LXC

There are two ways to do this. The easiest and safest method is via the Proxmox Web GUI, without needing to manually edit configuration files.

  1. Open your Proxmox Web UI in your browser (https://PROXMOX_IP:8006).
  2. In the left panel, select the problematic LXC container.
  3. Go to the Resources menu.
  4. Click the Add button → select Device Passthrough.
  5. In the path field, enter /dev/net/tun.
  6. Click Add to save.
  7. Restart your container.

This step was tested on Proxmox VE 9.1.5. The menu layout might differ slightly in older versions.

After the container restarts, try connecting WARP again:

warp-cli connect

Then verify:

curl https://cloudflare.com/cdn-cgi/trace
ip a | grep CloudflareWARP

If the CloudflareWARP interface appears and curl successfully returns a response, the problem is solved.


Method 2: Manually Editing the LXC Configuration File

If you prefer using the CLI or don’t have access to the GUI, edit the LXC configuration file directly on the Proxmox host.

Shut down the container first, then edit its configuration file:

nano /etc/pve/lxc/<CONTAINER_ID>.conf

Add the following two lines at the very bottom:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Replace <CONTAINER_ID> with your numerical LXC ID (e.g., 100, 101, etc.).

If your container is unprivileged (the default, and the more secure option), also make sure the ownership of /dev/net/tun on the host is correct:

# Run this on the Proxmox host, NOT inside the container
chown 100000:100000 /dev/net/tun

Verify the result:

ls -l /dev/net/tun
# Expected output:
# crw-rw-rw- 1 100000 100000 10, 200 ...

Start the container again and test the WARP connection as usual.
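
Before starting the container, the edited file can be checked on the Proxmox host. This is an added example, not from the original article or from Proxmox: audit_tun_conf and the sample config are constructed for illustration, and the devN: form is an assumption about how the GUI's Device Passthrough entry is stored. It also flags an allow-all device rule, which grants far more than the single c 10:200 node.

```sh
# Added example: audit a Proxmox LXC config file for TUN passthrough.
audit_tun_conf() {
    _conf="$1"
    # Snapshot sections ("[name]") follow the live config in the same file;
    # only lines before the first section header apply to the container.
    _live="$(sed '/^\[/,$d' "$_conf")"

    _allow=no; _mount=no; _gui=no; _wide=no
    printf '%s\n' "$_live" | grep -Eq \
        '^lxc\.cgroup2\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm[[:space:]]*$' && _allow=yes
    printf '%s\n' "$_live" | grep -Eq \
        '^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]' && _mount=yes
    # Assumed storage form of a GUI Device Passthrough entry: "devN: <path>".
    printf '%s\n' "$_live" | grep -Eq \
        '^dev[0-9]+:[[:space:]]*(path=)?/dev/net/tun(,|[[:space:]]*$)' && _gui=yes
    # "a" allows every device on the host, not just the TUN node.
    printf '%s\n' "$_live" | grep -Eq \
        '^lxc\.cgroup2\.devices\.allow:[[:space:]]*a([[:space:]]|$)' && _wide=yes

    if [ "$_wide" = yes ]; then echo "overbroad"; return 2; fi
    if [ "$_gui" = yes ] || { [ "$_allow" = yes ] && [ "$_mount" = yes ]; }; then
        echo "ok"; return 0
    fi
    if [ "$_allow" = yes ] || [ "$_mount" = yes ]; then
        echo "incomplete"; return 1
    fi
    echo "absent"; return 1
}

# Constructed sample: the TUN lines exist only in a snapshot section, so the
# live container still has no passthrough.
_sample="$(mktemp)"
cat > "$_sample" <<'EOF'
arch: amd64
hostname: warp-ct
unprivileged: 1

[before-warp]
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
audit_tun_conf "$_sample" || true   # prints "absent"
rm -f "$_sample"
```

On a real host, call it as audit_tun_conf /etc/pve/lxc/<CONTAINER_ID>.conf.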


Final Verification

Once the container is running, perform the following checks inside the LXC:

# 1. Connect WARP
warp-cli connect

# 2. Check status
warp-cli status

# 3. Ensure the TUN interface is created
ip a | grep -A2 CloudflareWARP

# 4. Test internet connection via WARP
curl https://cloudflare.com/cdn-cgi/trace | grep warp
# Should display: warp=on

If warp=on appears, congratulations — your WARP is now running perfectly inside LXC!


Why Isn’t Just Installing warp-cli Enough?
#

It’s a fair question. Many WARP installation tutorials for Linux only cover the package installation process without mentioning the need for a TUN device in container environments. However, TUN/TAP is a core component of how WARP and other tunnel-based VPNs (like OpenVPN or WireGuard in certain configs) operate.

On bare metal or full VMs, the kernel provides direct access to /dev/net/tun. In LXC, kernel isolation prevents this device from being available automatically — hence, it must be explicitly exposed by the Proxmox administrator.


Summary

| Issue | Cause | Solution |
| --- | --- | --- |
| warp-cli Connected but no internet | /dev/net/tun unavailable in LXC | Passthrough /dev/net/tun via Proxmox GUI or edit .conf |
| CloudflareWARP interface missing | TUN device cannot be created | Add lxc.cgroup2.devices.allow and lxc.mount.entry |
| Permission error on unprivileged LXC | UID mapping mismatch (container vs host) | chown 100000:100000 /dev/net/tun on Proxmox host |

If you are using WARP for other homelab purposes, such as accessing internal services, don’t forget to adjust your WARP mode (e.g., proxy mode for specific use cases) using warp-cli set-mode.

I hope this article helps. If you still run into trouble, feel free to leave a comment below — I’ll try to help.


Reference: Cloudflare WARP Connector - Proxmox LXC (Reddit r/CloudFlare)
