After the container is created, you need to edit its configuration file to add the /dev/net/tun device.
# pct config 123
arch: amd64
hostname: CT123
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=FE:75:64:2A:A3:58,ip=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-123-disk-0,size=4G
features: nesting=1
swap: 512
unprivileged: 1
# nano /etc/pve/lxc/123.conf
Add the following lines at the end
(if you’re using PVE < 7.0, replace `cgroup2` with `cgroup`):
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
Press Ctrl-X, answer “Y” to save, and press Enter.
For your unprivileged container to be able to access /dev/net/tun from your host, you need to set the device's owner by running:
# chown 100000:100000 /dev/net/tun
Check that the permissions are set correctly:
# ls -l /dev/net/tun
crw-rw-rw- 1 100000 100000 10, 200 Dec 22 13:26 /dev/net/tun
Finally start the container:
# pct start 123
If you did everything correctly, the container should start, and the iptunnel add command should now work.
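The steps above can be verified with a small script run on the Proxmox host. This is an added example, not part of the original post: the function names check_tun_conf and check_tun_dev are assumptions made for illustration, and the device check relies on GNU stat.

```shell
#!/bin/sh
# Added example: helper names are illustrative, not Proxmox tooling.

# check_tun_conf CONF [KEY]  KEY: lxc.cgroup2 (PVE >= 7.0) or lxc.cgroup (older)
check_tun_conf() {
    conf=$1 key=${2:-lxc.cgroup2} rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Collapse runs of whitespace so spacing differences do not cause misses.
    norm=$(sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/ $//' "$conf")
    case $key in lxc.cgroup2) other=lxc.cgroup ;; *) other=lxc.cgroup2 ;; esac
    if ! printf '%s\n' "$norm" | grep -Fxq "${key}.devices.allow: c 10:200 rwm"; then
        echo "missing: ${key}.devices.allow: c 10:200 rwm" >&2
        rc=1
        # Point out a rule written for the other cgroup version.
        if printf '%s\n' "$norm" | grep -Fxq "${other}.devices.allow: c 10:200 rwm"; then
            echo "hint: rule uses ${other}, expected ${key} for this PVE version" >&2
        fi
    fi
    if ! printf '%s\n' "$norm" | grep -Fxq "lxc.mount.entry: /dev/net dev/net none bind,create=dir"; then
        echo "missing: lxc.mount.entry: /dev/net dev/net none bind,create=dir" >&2
        rc=1
    fi
    return $rc
}

# check_tun_dev [DEV] [UID]  verifies device type, major:minor and owner.
check_tun_dev() {
    dev=${1:-/dev/net/tun} uid=${2:-100000}
    [ -c "$dev" ] || { echo "$dev is not a character device" >&2; return 1; }
    # GNU stat prints major/minor in hex: 10:200 is a:c8. %u is the owner UID.
    set -- $(stat -c '%t:%T %u' "$dev")
    [ "$1" = "a:c8" ] || { echo "$dev has major:minor $1 (hex), expected a:c8" >&2; return 1; }
    [ "$2" = "$uid" ] || { echo "$dev is owned by UID $2, expected $uid" >&2; return 1; }
    return 0
}

# Usage on the host, with the container ID from this post:
#   check_tun_conf /etc/pve/lxc/123.conf && check_tun_dev /dev/net/tun 100000
```

On PVE < 7.0, pass lxc.cgroup as the second argument to check_tun_conf.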