diff --git a/nixos/modules/virtualisation/proxmox-lxc.nix b/nixos/modules/virtualisation/proxmox-lxc.nix
index 751e09c43a9e..548421e48e2b 100644
--- a/nixos/modules/virtualisation/proxmox-lxc.nix
+++ b/nixos/modules/virtualisation/proxmox-lxc.nix
@@ -70,6 +70,14 @@ with lib;
 hostName = mkIf (!cfg.manageHostName) (mkForce "");
 };
 
+ # unprivileged LXCs can't set net.ipv4.ping_group_range
+ security.wrappers.ping = mkIf (!cfg.privileged) {
+ owner = "root";
+ group = "root";
+ capabilities = "cap_net_raw+p";
+ source = "${pkgs.iputils.out}/bin/ping";
+ };
+
 services.openssh = {
 enable = mkDefault true;
 startWhenNeeded = mkDefault true;
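Review bot: The `mkIf (!cfg.privileged)` guard on `security.wrappers.ping` keys off a declared module option rather than anything observed about the container, so every configuration where that option is false gets a ping wrapper carrying `cap_net_raw` in its permitted set, and the one-line comment does not record that trade-off. I would expand the comment to say why the capability is needed and how far it reaches, for example `# Unprivileged LXCs cannot write net.ipv4.ping_group_range, so unprivileged ICMP sockets are unavailable;` followed by `# grant ping CAP_NET_RAW (permitted set only) through a wrapper so it can open a raw socket instead.` No `permissions` value is set, so the wrapper's mode comes from the `security.wrappers` default; stating it explicitly would make it obvious who may run the capability-bearing binary. The declaration and default of `cfg.privileged` and the `pkgs` binding are outside this hunk, so confirm both against the module header.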