# Proxmox-Exposed-Host

In this post I'm showing you how to create a Proxmox host which is reachable through the internet. It presupposes you already have Debian installed on your server:

# Access and Update the Server
## Add User

```bash
adduser yourusername
```

## install sudo

```bash
apt-get install sudo
```

## Add new user to sudo group

```bash
adduser yourusername sudo
```

## Create and copy your SSH Key

[Creating SSH-key](https://wiki.tinfoil-hat.net/books/creating-an-ssh-key-pair/page/creating-ssh-key)


## Connect with SSH Key

```bash
ssh yourusername@ip-address
```

## Upgrade Server

```bash
apt-get update && apt-get dist-upgrade -y
```


## Harden SSH

Install UFW

```bash
apt-get install ufw
```

Allow Port 22 (SSH Port) with Protocol TCP

```bash
ufw allow 22/tcp
```

activate UFW

```bash
ufw enable
```

Edit the SSH config file

```bash
nano /etc/ssh/sshd_config
```

Now edit / insert the following:

```bash
PermitRootLogin no
MaxAuthTries 6
AllowUsers yourusername
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
```

Reload SSH

```bash
systemctl restart sshd
```
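As an added example (not part of the original post), here is a small helper that applies the settings above to `sshd_config` idempotently, replacing the commented-out defaults Debian ships instead of appending duplicates, and validates the result with `sshd -t` before restarting, so a typo cannot lock you out. The function names and the `--apply` flag are my own.

```shell
#!/bin/bash
# Idempotently set one sshd_config directive: rewrite an existing (possibly
# commented-out) line for the key, or append the directive if it is absent.
# Caveat: every matching line is rewritten, including ones inside Match blocks.
set_sshd_option() {   # usage: set_sshd_option <file> <Key> <value>
    local file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the hardening set from the post to config file $1 for login user $2.
harden_sshd_config() {
    local file=$1 user=$2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" MaxAuthTries 6
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Effective value of a directive: the first uncommented occurrence, as sshd reads it.
sshd_option() {   # usage: sshd_option <file> <Key>
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Standalone use on a real host (hypothetical flag): keep a backup and only restart
# sshd if the new config passes the syntax/semantic check.
if [ "$1" = "--apply" ]; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config "$2"
    sshd -t && systemctl restart sshd
fi
```

Run it as `./harden-sshd.sh --apply yourusername` on the host; keep your current session open until a second login with the key succeeds.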

## Convert your Debian 10 Server to Proxmox 6

Add an `/etc/hosts` entry for your IP address

  * Note: Make sure that no IPv6 address for your hostname is specified in /etc/hosts
  * For instance, if your IP address is 192.168.15.77, and your hostname prox4m1, then your /etc/hosts file should look like:

```bash
nano /etc/hosts
```

```bash
127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

You can test if your setup is OK using the hostname command:

```bash
hostname --ip-address
```

```bash
192.168.15.77 # should return your IP address here
```
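An added helper (not from the original post) that checks a hosts file for the conditions above: the hostname maps to your IPv4 address, and no IPv6 or loopback line carries it. The function names and the sample hosts files are constructed for illustration.

```shell
#!/bin/bash
# Verify /etc/hosts the way the Proxmox VE install expects it: the hostname must map to
# the host's real IPv4 address, and no IPv6 or loopback line may carry the hostname.
# Usage: check_hosts_entry <hosts-file> <hostname> <expected-ipv4>
check_hosts_entry() {
    local file=$1 name=$2 want=$3 rc=0 addrs
    # Collect the address column of every non-comment line naming the host
    # (short name, or an FQDN starting with it such as prox4m1.proxmox.com).
    addrs=$(awk -v n="$name" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == n || index($i, n ".") == 1) { print $1; break } }' "$file")
    if ! printf '%s\n' "$addrs" | grep -qx "$want"; then
        echo "ERROR: $name does not resolve to $want in $file"; rc=1
    fi
    if printf '%s\n' "$addrs" | grep -q ':'; then
        echo "ERROR: $name also has an IPv6 entry in $file"; rc=1
    fi
    if printf '%s\n' "$addrs" | grep -q '^127\.'; then
        echo "ERROR: $name is bound to a loopback address in $file"; rc=1
    fi
    return "$rc"
}

# Constructed sample hosts files (not taken from a real host).
GOOD_HOSTS='127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1
::1     localhost ip6-localhost ip6-loopback'
BAD_HOSTS='127.0.1.1       prox4m1.proxmox.com prox4m1
192.168.15.77   prox4m1.proxmox.com prox4m1
::1     prox4m1 localhost ip6-localhost'

# Run the check on hosts text passed as a string; returns 0 on pass, 1 on failure.
hosts_text_ok() {   # usage: hosts_text_ok "<hosts text>" <hostname> <ipv4>
    local tmp rc
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    check_hosts_entry "$tmp" "$2" "$3"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

On the real host run `check_hosts_entry /etc/hosts "$(hostname)" <your-ip>` before installing the packages.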

Adapt your sources.list

Add the Proxmox VE repository:

```bash
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
```

## Add the Proxmox VE repository key

```bash
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg  # optional, if you have a non-default umask
```

Update your repository and system by running

```bash
apt update && apt full-upgrade
```

## Install the Proxmox VE packages

```bash
apt install proxmox-ve postfix open-iscsi
```


### Recommended: remove the os-prober package

* The os-prober package scans all the partitions of your host, including those assigned to guest VMs, to create dual-boot GRUB entries. If you didn't install Proxmox VE as dual boot beside another operating system, you can safely remove the os-prober package.

```bash
apt remove os-prober
```

## Update and check grub2 config by running:

```bash
update-grub
```

## Now Reboot

```bash
reboot
```

## Enter Proxmox Management UI

Open the Proxmox management port (8006)

```bash
ufw allow 8006/tcp
```


Reload UFW

```bash
ufw reload
```

After that your Management Web Interface should be reachable in your Browser under https://your-ip-address:8006/

*Note: we won't expose the Control Interface for very long*

## Configure Proxmox

**Edit the file /etc/network/interfaces**

Paste the following (if your Main Interface is eth0)

```bash
auto vmbr1
iface vmbr1 inet static
        address  10.10.10.254
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # OpenDNS - Nameservers
        dns-nameservers 208.67.222.222 208.67.220.220

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

        # Like this, you can port-forward external ports to internal TCP / UDP ports of an LXC container.
        # Each rule must be a post-up line with a matching post-down line (like the MASQUERADE pair above);
        # eth0 is the external interface the traffic arrives on.
        post-up iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.10.10.9:8080
        post-down iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.10.10.9:8080
```

Note that I moved the *post-up echo 1 > /proc/sys/net/ipv4/ip_forward* line from the hardware interface to the newly created Linux bridge (vmbr1). Note: replace eth0 with your real ethernet interface.

Now reboot

```bash
reboot
```

## (Optional but recommended) Make the admin portal accessible only via a VPN connection or your static IP

Use / download the OpenVPN script: https://github.com/angristan/openvpn-install

```bash
git clone https://github.com/angristan/openvpn-install
```

Change directory to Openvpn script

```bash
cd openvpn-install/
```

Make script executable

```bash
chmod +x openvpn-install.sh
```

run Openvpn script

```bash
./openvpn-install.sh
```

Allow SSH traffic from your OpenVPN connection

```bash
ufw allow from 10.8.0.0/24 to any port 22
```

Allow SSH traffic from your Static IP Address (if you have one at home or use another VPS)

```bash
ufw allow from <your-static-ip> to any port 22
```

Change loglevel of your UFW so that the logfiles don't get gigantic

```bash
ufw logging low
```

Edit /etc/default/ufw

```bash
nano /etc/default/ufw
```

Allow traffic to be forwarded through your VPN connection (so you don't lose internet access while connected to the VPN) by setting the following:

```bash
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Allow Traffic to OpenVPN Port 1194

```bash
ufw allow 1194
```

**Note:** Depending on whether you chose UDP or TCP when running the OpenVPN script, you may want to use `ufw allow 1194/udp` or `ufw allow 1194/tcp` instead.

Reload UFW

```bash
ufw reload
```

Test the admin portal connection via https://10.10.10.254:8006. First connect to the VPN:

```bash
sudo openvpn /path/to/openvpn.file
```

and then simply point your browser to https://10.10.10.254:8006.
If >>EVERYTHING<< works, continue with the next step: remove the firewall rule that allows connections to port 8006/tcp

```bash
ufw delete allow 8006/tcp
```

reload ufw

```bash
ufw reload
```

The only way to connect to your server's admin panel now is either via your static IP (if you have one) or through your VPN connection.
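To verify that the lockdown actually took effect, here is an added audit script (not part of the original post) that parses `ufw status` output and lists what is still allowed from Anywhere; the sample listings are constructed and the function names are my own. Note that with the rules as written above, SSH on 22/tcp stays open to the world, which the audit reports.

```shell
#!/bin/bash
# Audit a `ufw status` listing: report which "To" entries still ALLOW traffic from
# Anywhere, so you can confirm the admin port is no longer world-reachable.
# Constructed sample listings (not captured from a real host), in `ufw status` format.
STATUS_BEFORE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8006/tcp                   ALLOW       Anywhere
22                         ALLOW       10.8.0.0/24
1194                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8006/tcp (v6)              ALLOW       Anywhere (v6)'

STATUS_AFTER='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       10.8.0.0/24
1194                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Print, deduplicated, every "To" entry allowed from Anywhere (IPv4 or IPv6).
# Reads a `ufw status` or `ufw status verbose` listing on stdin.
world_open_rules() {
    awk '/ +ALLOW( IN)? +Anywhere/ { sub(/ +ALLOW.*/, ""); sub(/ \(v6\)$/, ""); print }' |
        LC_ALL=C sort -u
}

# Exit 0 if the given "To" entry (e.g. 8006/tcp) is allowed from Anywhere, 1 otherwise.
rule_world_open() {   # usage: <listing> | rule_world_open <to-entry>
    world_open_rules | grep -qxF "$1"
}

# Warn about every listed entry still open to the world; return 1 if any is, else 0.
audit_admin_ports() {   # usage: audit_admin_ports "<status text>" <to-entry>...
    local status=$1 entry rc=0
    shift
    for entry in "$@"; do
        if printf '%s\n' "$status" | rule_world_open "$entry"; then
            echo "WARNING: $entry is still reachable from Anywhere"; rc=1
        fi
    done
    return "$rc"
}
# On the live host: audit_admin_ports "$(ufw status)" 8006/tcp 22/tcp
```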

## Fix Locales Error

Copy and paste the commands. I also just googled them, and I'm not exactly sure what the commands do exactly, besides fixing the locales...

```bash
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
```

## No Subscription Repo

Now we add the right (no-subscription) Proxmox apt repository, since we don't have a subscription and don't want one (most of the time...).
First we remove the file `/etc/apt/sources.list.d/pve-enterprise.list`:

```bash
rm /etc/apt/sources.list.d/pve-enterprise.list
```

Create a new file named pve-no-subscription.list via nano:

```bash
nano /etc/apt/sources.list.d/pve-no-subscription.list
```


There we simply paste the following, which has no deeper meaning besides being the Proxmox no-subscription repository (if you kept the `pve-install-repo.list` file with the same line from the install step, keep only one of the two files, otherwise apt will warn that the source is configured multiple times):

```bash
deb http://download.proxmox.com/debian/pve buster pve-no-subscription
```

Test if your repositories are correctly set up by updating your server:

```bash
apt-get update
apt-get dist-upgrade
```

If there are no error messages, your repositories are correctly set up.

## Create a Template

The special case with a VPS

## Container

In most cases a VPS has only one virtual drive attached, which makes it impossible (if the VPS uses LVM) for Proxmox to create a template, since the template needs to be on another storage (correct me if this has changed in the meantime). So what you do instead is download an LXC template from the GUI, assign it the last possible IP you have and customize it. This has several advantages:

* the first container has the id 0; if it's your template, the first container can be assigned your IP X.X.X.1
* you can simply clone your first container via the GUI even though it's no "real" template

Note: This is more or less a workaround, since if you have e.g. ZFS as storage, you CAN create templates. Nevertheless, it is good practice to use your first created container / VM as a template, since it's easier to assign your IP addresses in order.


## Create a reverse Proxy

### Install a webserver

In this case we are using an Nginx webserver

```bash
apt-get install nginx
```

### Configure nginx

For the Nginx configuration I am linking a sample Nginx configuration generator:

[https://nginxconfig.io/](https://nginxconfig.io/)

Test the Nginx configuration for mistakes

```bash
nginx -t
```

Restart Nginx

```bash
systemctl restart nginx
```

... enjoy your nginx reverse proxy