
Proxmox-Exposed-Host

In this post I'm showing you how to create a Proxmox host that is reachable through the internet. It presupposes you already have Debian installed on your server:

Access and Update the Server

Add User

adduser yourusername

Install sudo

apt-get install sudo

Add the new user to the sudo group

sudo adduser yourusername sudo

Create and copy your SSH key

Create an SSH key pair and copy the public key to the server

Connect with SSH Key

ssh yourusername@ip-address

Upgrade Server

apt-get update && apt-get dist-upgrade -y

Harden SSH

Install UFW

apt-get install ufw

Allow Port 22 (SSH Port) with Protocol TCP

ufw allow 22/tcp

Activate UFW

ufw enable

Edit the SSH config file

nano /etc/ssh/sshd_config

Now edit or insert the following

PermitRootLogin no
MaxAuthTries 6
AllowUsers yourusername
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes

Reload SSH

systemctl restart sshd
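As an added check (not part of the original post), this small shell audit reads an sshd_config file and reports which of the settings above are missing or set to a weaker value; sshd_cfg_check and sshd_cfg_get are names chosen here:

```shell
# Added example (not from the original page): audit an sshd_config file for the
# hardening settings listed above. Prints one line per problem and returns 1 if
# anything is missing or wrong. Usage: sshd_cfg_check /etc/ssh/sshd_config

# Effective value of a keyword. sshd uses the FIRST occurrence of a keyword,
# matches keywords case-insensitively, and everything after a "Match" line is
# conditional, so we stop there rather than report a conditional value.
sshd_cfg_get() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

sshd_cfg_check() {
    cfg="$1"
    rc=0
    # keyword=expected value, taken from the hardening step above
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no PubkeyAuthentication=yes; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_cfg_get "$cfg" "$key")"
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd default applies; want $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key is $got, want $want"
            rc=1
        fi
    done
    # AllowUsers must be present, otherwise every local account may log in
    if [ -z "$(sshd_cfg_get "$cfg" AllowUsers)" ]; then
        echo "MISSING AllowUsers (any local account may log in)"
        rc=1
    fi
    # MaxAuthTries: the step above sets 6; a higher value is weaker than intended
    tries="$(sshd_cfg_get "$cfg" MaxAuthTries)"
    if [ -n "$tries" ] && [ "$tries" -gt 6 ]; then
        echo "WEAK    MaxAuthTries is $tries, want 6 or less"
        rc=1
    fi
    return $rc
}
```

Run it after every edit of sshd_config and before restarting sshd, so a typo cannot lock you out or silently re-enable password logins.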

Geoblocking unwanted Visitors

Geoblock with:

ip-backlist-china-and-russia

Attention: run this in screen, it takes a large amount of time! Install screen and git

apt-get install screen git

Copy the blacklist sources and unpack the snapshot

wget -O blocklist.tgz "https://git.tinfoil-hat.net/?p=china-russia-ip-blocklist.git;a=snapshot;h=refs/heads/master;sf=tgz"
tar xzf blocklist.tgz

Change directory to the copied sources

cd ip-backlist-china-and-russia/

Create a screen session

(if the SSH session is interrupted, the command is not cancelled)

screen -S blocklist

This is a while loop in Bash that denies connections from the IP addresses in this file. This step may take 1 to 2 hours to complete.

while read -r line; do sudo ufw deny from "$line"; done < blocklist.txt && bash block_china_ufw.sh

After you have executed the command, you can send screen to the background with CTRL+a, then d
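An added, safer variant of that loop (not from the post or the blocklist project): it validates every line as an IPv4 address or CIDR before handing it to ufw, skips comments and blank lines, and the UFW variable is a hypothetical hook so you can dry-run it first:

```shell
# Added example (not from the original page or the blocklist project): a safer
# version of the blocklist loop above. It drops blank lines and comments, refuses
# anything that is not a plain IPv4 address or IPv4 CIDR (so a malformed line can
# never turn into unexpected ufw arguments), and supports a dry run via the
# hypothetical UFW variable. Prints "<added> <skipped>" when done.
# Usage:  UFW="echo ufw" apply_blocklist blocklist.txt    (dry run)
#         apply_blocklist blocklist.txt                    (real run, as root)

# Return 0 if $1 is a dotted quad, optionally followed by a /0-32 prefix length.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32)) exit 1
        }'
}

apply_blocklist() {
    list="$1"
    ufw_cmd="${UFW:-ufw}"
    added=0
    skipped=0
    # the "|| [ -n "$line" ]" also processes a last line without trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                  # strip comments
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"  # and whitespace
        [ -z "$entry" ] && continue
        if is_ipv4_cidr "$entry"; then
            $ufw_cmd deny from "$entry" >/dev/null
            added=$((added + 1))
        else
            echo "skipping malformed line: $line" >&2
            skipped=$((skipped + 1))
        fi
    done < "$list"
    echo "$added $skipped"
}
```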

Convert your Debian 10 Server to Proxmox 6

Add an /etc/hosts entry for your IP address

  • Note: Make sure that no IPv6 address for your hostname is specified in /etc/hosts
  • For instance, if your IP address is 192.168.15.77, and your hostname prox4m1, then your /etc/hosts file should look like:

nano /etc/hosts

127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

You can test if your setup is ok using the hostname command:

hostname --ip-address

192.168.15.77 # should return your IP address here

Adapt your sources.list

Add the Proxmox VE repository:

echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list

Add the Proxmox VE repository key

wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg  # optional, if you have a non-default umask

Update your repository and system by running

apt update && apt full-upgrade

Install the Proxmox VE packages

apt install proxmox-ve postfix open-iscsi

Recommended: remove the os-prober package

The os-prober package scans all the partitions of your host, including those assigned to guest VMs, to create dual-boot GRUB entries. If you didn't install Proxmox VE as dual boot beside another operating system, you can safely remove the os-prober package.

apt remove os-prober

Update and check the grub2 config by running:

update-grub

Now reboot

reboot

Enter Proxmox Management UI

Allow the Proxmox management port (8006) to be open

ufw allow 8006/tcp

Reload UFW

ufw reload

After that your management web interface should be reachable in your browser under https://your-ip-address:8006/

Note: we won't expose the control interface for very long

Configure Proxmox

Edit the file /etc/network/interfaces

Paste the following (if your main interface is eth0)

auto vmbr1
iface vmbr1 inet static
        address  10.10.10.254
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # OpenDNS nameservers
        dns-nameservers 208.67.222.222 208.67.220.220

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

        # Like this, you can forward external ports to internal TCP/UDP ports of an LXC container
        # (eth0 is the interface your public IP is on; post-down removes the rule again when the bridge goes down)
        post-up iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.10.10.9:8080
        post-down iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.10.10.9:8080

Note that the line post-up echo 1 > /proc/sys/net/ipv4/ip_forward is now attached to the newly created Linux bridge (vmbr1) instead of the hardware interface. Note: replace eth0 with your real Ethernet interface. Now reboot

reboot

Your network configuration in your web interface should now look something like this (screenshot in the original post):

(Optional but recommended) Make the admin portal accessible only via a VPN connection or your static IP:

Use / download the OpenVPN script: https://github.com/angristan/openvpn-install

git clone https://github.com/angristan/openvpn-install

Change directory to the OpenVPN script

cd openvpn-install/

Make the script executable

chmod +x openvpn-install.sh

Run the OpenVPN script

./openvpn-install.sh

Allow SSH traffic from your OpenVPN connection

ufw allow from 10.8.0.0/24 to any port 22

Allow SSH traffic from your static IP address (if you have one at home or use another VPS)

ufw allow from <your-static-ip> to any port 22

Change the log level of your UFW so that the log files don't get gigantic

ufw logging low

Edit /etc/default/ufw

nano /etc/default/ufw

Allow throughput through your VPN connection, and avoid having no internet connection while connected to your VPN, by pasting the following

DEFAULT_FORWARD_POLICY="ACCEPT"

Allow traffic to OpenVPN port 1194

ufw allow 1194

Note: depending on whether you chose UDP or TCP while running the OpenVPN script, you may want to use 'ufw allow 1194/udp' or 'ufw allow 1194/tcp'

Reload ufw

ufw reload

Test the admin portal connection via https://10.10.10.254:8006

sudo openvpn /path/to/openvpn.file

and then simply point your browser to https://10.10.10.254:8006. If >>EVERYTHING<< works, continue by removing the firewall rule that allows connections to port 8006/tcp

ufw delete allow 8006/tcp

Reload ufw

ufw reload

The only way to connect to your server's admin panel now is either via your static IP (if you have one) or through your VPN connection.
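An added check (not from the original post) to confirm that end state: it reads ufw status output and fails if any ALLOW rule for 8006 still comes from Anywhere; check_admin_port is a name chosen here:

```shell
# Added example (not from the original page): confirm that the Proxmox
# management port is no longer reachable from the internet. Reads the output of
# "ufw status" (or "ufw status verbose") on stdin, so it also works on a saved
# copy, and fails if any ALLOW rule for the port comes from "Anywhere" instead
# of from your VPN subnet or static IP.  Usage: ufw status | check_admin_port 8006
check_admin_port() {
    port="${1:-8006}"
    awk -v port="$port" '
        BEGIN { re = "^" port "(/tcp|/udp)?$" }
        # status rows look like:  8006/tcp        ALLOW       Anywhere
        #                         22              ALLOW       10.8.0.0/24
        #                         8006/tcp (v6)   ALLOW       Anywhere (v6)
        $1 ~ re {
            a = ($2 == "(v6)") ? 3 : 2        # v6 rows carry an extra column
            if ($a != "ALLOW") next           # DENY/REJECT rows are fine
            f = a + 1
            if ($f == "OUT") next             # "verbose" prints ALLOW IN/OUT
            if ($f == "IN") f++
            if ($f == "Anywhere") { print "EXPOSED: " $0; bad = 1 }
            else                  { print "restricted to " $f ": " $0; seen = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen) print "no ALLOW rule for port " port " (closed to all)"
        }'
}
```

A non-zero exit means the `ufw delete allow 8006/tcp` step above has not taken effect yet (or was re-added), so it is worth running after every `ufw reload`.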

Fix Locales Error

Copy and paste the commands; I also just googled them, and I'm not exactly sure what the commands are exactly doing, besides fixing the locales...

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales

No Subscription Repo

Now we add the right (no-subscription) Proxmox apt repository, since we don't have a subscription and don't want one (most of the time...). First we remove the file /etc/apt/sources.list.d/pve-enterprise.list

rm /etc/apt/sources.list.d/pve-enterprise.list

Create a new file named pve-no-subscription.list via nano:

nano /etc/apt/sources.list.d/pve-no-subscription.list

There we simply paste the following, which has no deeper meaning besides being the Proxmox no-subscription repository

deb http://download.proxmox.com/debian/pve buster pve-no-subscription

Test if your repositories are correctly set up by updating your server:

apt-get update
apt-get dist-upgrade

If there are no error messages, your repositories are correctly set up

Create a Template

The special case with a VPS

Container

In most cases a VPS has only one virtual drive attached, which makes it impossible (if the VPS uses LVM) for Proxmox to create a template, since the template needs to be on another storage (correct me if this has changed in the meantime). So what you do instead is download an LXC template from the GUI, assign it the last possible IP you have and customize it. This has several advantages:

  • the first container has the id 0; if it's your template, the first container can be assigned your IP X.X.X.1
  • you can simply clone your first container via the GUI even though it's no "real" template

Note: This is more or less a workaround, since if you have e.g. ZFS as storage, you CAN create templates. Nevertheless, it is good practice to use your first created container / VM as a template, since it's easier to assign your IP addresses in order.

Create a reverse Proxy

Install a webserver

In this case we are using an Nginx webserver

apt-get install nginx

Configure nginx

For the Nginx configuration I am linking a sample Nginx configuration generator:

https://nginxconfig.io/

Test the Nginx configuration for mistakes

nginx -t

Restart Nginx

systemctl restart nginx

... enjoy your nginx reverse proxy