OpenWRT in PVE
When running a virtual lab in a PVE cluster, it helps to also have a virtual router. If you’re keeping things lean by using LXC containers, you can put your router in a container too with OpenWRT.
The process in PVE is to:
- Prepare Networking
- Download OpenWRT
- Create The Container
- Edit The FW Init
Prepare Networking
A default install of PVE creates a single Linux Bridge, usually named vmbr0. Think of this as a virtual switch. The management interface is on that bridge, as well as any containers or guests. Most things just need one interface, but OpenWRT expects two. It is a router, after all.
In most cases, adding a VLAN is best, but there are other options. You can see and make changes in the Proxmox web GUI by changing to Server View, selecting a Proxmox host, then going to System -> Network.
Overlay Network
The simplest thing to do is nothing. When you create a container for OpenWRT you just add a second interface and attach it to the same bridge. The downside is that you can’t offer DHCP services because they depend on broadcasts, which you’re probably already handling with another router. You can, however, just select another private network range for your OpenWRT LAN interface and manually address containers that you want to use it. You’ll have two networks operating on the same LAN (this is called an overlay), but that’s fine as long as you don’t mind doing it all manually.
VLAN
Another way is to add a Virtual LAN. You don’t need smart network equipment as PVE handles it and normal switches are happy with it. Simply edit the config for vmbr0 and enable the VLAN aware checkbox. Then add an interface to the container and specify a VLAN Tag, such as “2”. This will let you enable DHCP without disrupting the rest of your network. This isn’t a security layer per se, but PVE will filter traffic and the rest of your network will ignore any broadcasts they see that have a VLAN Tag.
Additional Bridge
You can also create a new bridge. Select new and allow it to select the name (which should be vmbr1). Leave the rest at the defaults (all blank with autostart checked). Important: if you have a cluster, you must actually connect this new bridge to a network adapter in the “Bridge ports” setting. Otherwise, it won’t be able to talk beyond the host it’s currently on. If you don’t have a second NIC, then this probably won’t do what you want.
Download OpenWRT
You want just the root file system, not the full image that includes the kernel. Happily, OpenWRT makes this available. Navigate to their releases, find the most recent, and drill down to targets / x86 / 64 / rootfs.tar.gz. It will save along the lines of “openwrt-24.10.1-x86-64-rootfs.tar.gz”.
Next, upload it to PVE with a secure copy to the root home folder, like:
scp openwrt* root@pve01:
Create The Container
What we uploaded earlier isn’t actually a template, but it’s close enough as long as we create the container at PVE’s command line[1]. The key here is that we provide an archive and set the OS type to unmanaged.
pct create \
201 \
./openwrt* \
--rootfs local-lvm:0.4 \
--ostype unmanaged \
--hostname openwrt \
--arch amd64 \
--cores 2 \
--memory 256 \
--swap 0 \
--features nesting=1 \
--net0 name=eth0,bridge=vmbr0,tag=2 \
--net1 name=eth1,bridge=vmbr0
Also of note, we enable nesting so that dnsmasq will start[2], and we set the VLAN tag on eth0, which comes up as LAN on this image of OpenWRT. The rootfs syntax is STORAGE_ID:SIZE_IN_GiB.
Add Clients and Rules
When creating guests, make sure to change their network settings in PVE to have a VLAN tag of ‘2’ (or whatever you’re using).
In OpenWRT, add rules under Network -> Firewall -> Port Forwards. There are no WAN rules separate from port forwarding.
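The VLAN tagging described above can be checked from the PVE shell. The script below is an added example, not part of the original page: it parses pct config output and flags any interface that is not on the lab VLAN, since a guest left untagged on vmbr0 sits on the main network rather than behind the router. The function names, sample configs and MAC addresses are constructed for illustration; tag 2 and vmbr0 follow the article.

```shell
#!/bin/sh
# Added example (not from the original page): audit VLAN tags in `pct config` output.
# Assumption from the article: lab LAN = VLAN tag 2 on vmbr0; router WAN (eth1) untagged.

# Print "<netN> <ifname> <bridge> <tag|untagged>" for each netN line on stdin.
list_nets() {
    awk -F': ' '/^net[0-9]+: / {
        name = ""; bridge = ""; tag = "untagged"
        n = split($2, kv, ",")
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            if (p[1] == "name")   name = p[2]
            if (p[1] == "bridge") bridge = p[2]
            if (p[1] == "tag")    tag = p[2]
        }
        print $1, name, bridge, tag
    }'
}

# Succeed only if every interface in the config on stdin carries VLAN tag $1.
guest_on_lab_vlan() {
    bad=$(list_nets | awk -v want="$1" '$4 != want { printf "%s(%s) ", $1, $4 }')
    [ -z "$bad" ] && return 0
    echo "not on VLAN $1: $bad" >&2
    return 1
}

# Constructed sample configs (MAC addresses are made up).
sample_router() { cat <<'EOF'
hostname: openwrt
features: nesting=1
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:01,tag=2,type=veth
net1: name=eth1,bridge=vmbr0,hwaddr=BC:24:11:00:00:02,type=veth
ostype: unmanaged
EOF
}
sample_guest_missing_tag() { cat <<'EOF'
hostname: web01
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:03,ip=dhcp,type=veth
ostype: debian
EOF
}

sample_router | list_nets
sample_guest_missing_tag | guest_on_lab_vlan 2 || echo "web01 would bypass the router"
```

On a host, pipe real configs into the same functions, for example pct config 201 | list_nets for the router, or a guest's config into guest_on_lab_vlan 2.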
Updates
You should update by downloading new firmware, not by using the package manager. In fact: “Generally speaking, the use of opkg upgrade is very highly discouraged. It should be avoided in almost all circumstances.”[3]
But if you must:
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade