OpenWRT in Proxmox LXC container via rootfs.tar.gz - wget download error

I am trying to run OpenWRT in a Proxmox LXC container.

For that I downloaded openwrt-23.05.2-x86-64-rootfs.tar.gz into the template directory on the host:

root@pve2:~# cd /var/lib/vz/template/cache
root@pve2:/var/lib/vz/template/cache# wget https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/openwrt-23.05.2-x86-64-rootfs.tar.gz

and created a container:

pct create 201 local:vztmpl/openwrt-23.05.2-x86-64-rootfs.tar.gz --rootfs local-lvm:0.256 --ostype unmanaged --hostname owrt --arch amd64 --cores 4 --memory 256 --swap 256 --unprivileged 1

The container starts so far and I was able to set up the network to get the Internet working inside the container.

root@owrt:~# ping downloads.openwrt.org
PING downloads.openwrt.org (168.119.138.211): 56 data bytes
64 bytes from 168.119.138.211: seq=0 ttl=56 time=2.805 ms
64 bytes from 168.119.138.211: seq=1 ttl=56 time=2.897 ms
64 bytes from 168.119.138.211: seq=2 ttl=56 time=2.965 ms
^C
--- downloads.openwrt.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.805/2.889/2.965 ms

Then I tried to run opkg update, but that ended up with an error (wget error 5):

root@owrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz, wget returned 5.

and wget error 8 with --no-check-certificate as option:

root@owrt:~# opkg update --no-check-certificate
Downloading https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/packages/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/base/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/luci/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/packages/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/routing/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.2/packages/x86_64/telephony/Packages.gz, wget returned 8.

Did some other tests:

root@owrt:~# wget http://www.openwrt.org/
Downloading 'http://www.openwrt.org/'
Connecting to 139.59.209.225:80
HTTP error 503
root@owrt:~# wget https://www.openwrt.org/
Downloading 'https://www.openwrt.org/'
Connecting to 139.59.209.225:443
Connection error: Invalid SSL certificate
root@owrt:~# wget https://www.openwrt.org/ --no-check-certificate
Downloading 'https://www.openwrt.org/'
Connecting to 139.59.209.225:443
HTTP error 503

Same things with other domains like www.google.com.

root@owrt:~# opkg list | grep wget
root@owrt:~#

What could be wrong, that I am not able to download these files?

It could be an IPv6 issue. Try disabling your wan6 interface and then try again.

And be aware that running OpenWrt in a container (other than full system emulation, e.g. kvm) is not a supported approach and does open up subtle and more blatant security issues.

Thanks, I just found the problem, it was a hairpinning rule on the Proxmox host which caused the issue:

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.82.1:443
iptables -t nat -A PREROUTING -d 89.58.35.17 -p tcp --dport 443 -j DNAT --to 192.168.82.1
iptables -t nat -A POSTROUTING -s 192.168.82.0/24 -p tcp --dport 443 -d 192.168.82.1 -j MASQUERADE

Thank you very much for your help and support!
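
The first rule in the post above matches on interface and port only, with no `-d`, so it applies to every TCP/443 packet entering vmbr0 whatever its destination. As an added example (not part of the original posts), this sketch lists PREROUTING DNAT rules that carry no destination match; the function names are hypothetical and the sample input is the three rules from the post with the `iptables -t nat` prefix removed.

```shell
#!/bin/sh
# Flag nat PREROUTING rules that jump to DNAT without any destination scope.
# Input on stdin: one rule per line in "-A CHAIN ..." form, as printed by
# iptables-save or "iptables -t nat -S".
find_unscoped_dnat() {
    awk '
        $1 == "-A" && $2 == "PREROUTING" {
            dnat = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                # The rule rewrites the destination address.
                if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
                # Any of these limits which destinations the rule applies to.
                if ($i == "-d" || $i == "--destination" || $i == "--dst-type")
                    scoped = 1
            }
            # DNAT with no destination scope also catches traffic that was
            # only passing through the bridge on its way elsewhere.
            if (dnat && !scoped) print
        }
    '
}

# Constructed sample: the rules quoted in the post, minus "iptables -t nat".
sample_rules() {
    cat <<'EOF'
-A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.82.1:443
-A PREROUTING -d 89.58.35.17 -p tcp --dport 443 -j DNAT --to 192.168.82.1
-A POSTROUTING -s 192.168.82.0/24 -p tcp --dport 443 -d 192.168.82.1 -j MASQUERADE
EOF
}

sample_rules | find_unscoped_dnat
```

On a live host the same function can be fed from `iptables -t nat -S PREROUTING`.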

Are there any particular examples of what could cause issues?

I've just set up an LXC container on libvirt and it works with the following workaround:
dnsmasq: failed to seed the random number generator: No such file or directory


Thanks, my dnsmasq was failing as well and this workaround helped for me too.


Could you explain a little bit more? I've just received my N100 box and I'm starting to play. I haven't understood where this issue comes from and if this is something I'll need to monitor also in the future.
Also, is this because the bridge is shared with the host? I assume for OpenWrt you'll dedicate some NICs to the LXC itself, right?
I'm just a little bit scared about system updates with LXC: what about if I update Proxmox? Or OpenWrt? If they share the kernel... am I wrong? Thanks

What issue do you mean?

That's my LXC / network configuration, one vmbr0 is bridged with the external ens3 interface from the VPS, vmbr1 is just an internal bridge between the containers:

root@pve0:~# cat /etc/pve/lxc/101.conf
arch: amd64
cores: 2
hostname: pve0-owrt
memory: 128
net0: name=eth0,bridge=vmbr1,firewall=1,hwaddr=ca:0a:6c:43:bc:93,type=veth
net1: name=eth1,bridge=vmbr0,firewall=1,hwaddr=13:3F:F7:68:8D:A6,type=veth
onboot: 1
ostype: unmanaged
rootfs: local-lvm:vm-101-disk-1,size=264M
swap: 128
unprivileged: 1

That's a good question, I never tried it.
Not sure which kernel compatibility is required between the host and the guest.

Sorry, my fault, I replied to the post on the hairpinning rule, but I am of the idea of dedicating a proper VM to OpenWrt, since I'd like this to be my main router.
