Proxmox-Exposed-Host
In this post I'm showing you how to create a Proxmox host which is reachable through the internet. It presupposes you have Debian already installed on your server:
Contents
- 1 Access and Update the Server
- 2 Harden SSH
- 3 Convert your Debian 10 Server to Proxmox 6
- 4 Enter Proxmox Management UI
- 5 Configure Proxmox
- 6 (Optional but recommended) Make Admin Portal accessible only via VPN Connection or your Static IP
- 6.1 Use / download OpenVPN script: https://github.com/angristan/openvpn-install
- 6.2 Change directory to OpenVPN script
- 6.3 Make script executable
- 6.4 Run OpenVPN script
- 6.5 Allow SSH traffic from your OpenVPN connection
- 6.6 Allow SSH traffic from your Static IP Address (if you have one at home or use another VPS)
- 6.7 Change loglevel of your UFW so that the logfiles don't get gigantic
- 6.8 Edit /etc/default/ufw
- 6.9 Allow Traffic to OpenVPN Port 1194
- 6.10 Reload ufw
- 6.11 Test Admin Portal Connection via https://10.10.10.254:8006
- 6.12 If EVERYTHING works, continue
- 6.13 Remove firewall rule to allow connection to port 8006/tcp
- 6.14 Reload ufw
- 7 Fix Locales Error
- 8 No Subscription Repo
- 8.1 First we remove the file /etc/apt/sources.list.d/pve-enterprise.list
- 8.2 Create a new file named pve-no-subscription.list via nano
- 8.3 There we simply paste the Proxmox no-subscription repository
- 8.4 Test if your repositories are correctly set up by updating your server
- 9 Create a Template
- 10 Create a Reverse Proxy
Access and Update the Server
Add User
adduser yourusername
install sudo
apt-get install sudo
Add new user to sudo Group
sudo adduser yourusername sudo
Create and copy your SSH Key
Connect with SSH Key
ssh yourusername@ip-address
Upgrade Server
apt-get update && apt-get dist-upgrade -y
Harden SSH
Install UFW
apt-get install ufw
Allow Port 22 (SSH Port) with Protocol TCP
ufw allow 22/tcp
activate UFW
ufw enable
edit SSH Config File
nano /etc/ssh/sshd_config
- Now edit / insert the following:
PermitRootLogin no
MaxAuthTries 6
AllowUsers yourusername
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Reload SSH
systemctl restart sshd
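Editing sshd_config by hand and restarting straight away is how you lock yourself out of a remote box. The following is an added example (not from the original post) that sets each of the directives above idempotently, whether the line is missing, present, or commented out, and only restarts sshd after `sshd -t` accepts the result. It assumes GNU sed and the default /etc/ssh/sshd_config path; the user name is a placeholder.

```shell
#!/bin/sh
# Added example: apply the post's sshd hardening settings safely.
# Assumes GNU sed (for -i/-E); the config path and user name are placeholders.

# set_directive FILE KEY VALUE
# Replaces an existing "KEY ..." line (commented out or not) with "KEY VALUE",
# or appends the directive when the file has no such line at all.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the effective (uncommented) value of KEY, if any.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE USER: the six settings from the post.
harden_sshd() {
    file=$1; user=$2
    set_directive "$file" PermitRootLogin no
    set_directive "$file" MaxAuthTries 6
    set_directive "$file" AllowUsers "$user"
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" PermitEmptyPasswords no
    set_directive "$file" PubkeyAuthentication yes
}

# apply_and_restart USER: edit the live config, but restart only if it parses.
# Keep your current SSH session open and test a second login before closing it.
apply_and_restart() {
    harden_sshd /etc/ssh/sshd_config "$1" && sshd -t && systemctl restart sshd
}
```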
Convert your Debian 10 Server to Proxmox 6
Add an /etc/hosts entry for your IP address
Note: make sure that no IPv6 address for your hostname is specified in /etc/hosts. For instance, if your IP address is 192.168.15.77 and your hostname is prox4m1, then your /etc/hosts file should look like:
nano /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.15.77 prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
- You can test if your setup is ok using the hostname command:
hostname --ip-address
192.168.15.77 # should return your IP address here
Adapt your sources.list
- Add the Proxmox VE repository:
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
Add the Proxmox VE repository key
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg # optional, if you have a non-default umask
Update your repository and system by running
apt update && apt full-upgrade
Install the Proxmox VE packages
apt install proxmox-ve postfix open-iscsi
Recommended: remove the os-prober package
- The os-prober package scans all the partitions of your host, including those assigned to guest VMs, to create dual-boot GRUB entries. If you didn't install Proxmox VE as dual boot beside another operating system, you can safely remove the os-prober package.
apt remove os-prober
Update and check the grub2 config by running:
update-grub
Now reboot
reboot
Enter Proxmox Management UI
Allow the Proxmox management Port (8006) to be open
ufw allow 8006/tcp
Reload UFW
ufw reload
After that your Management Web Interface should be reachable in your Browser under https://your-ip-address:8006/
Note: we won't expose the Control Interface for very long
Configure Proxmox
Edit the file /etc/network/interfaces
Paste the following (if your main interface is eth0):
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.254
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # OpenDNS - Nameservers
    dns-nameservers 208.67.222.222 208.67.220.220
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
Note: I moved the part *post-up echo 1 > /proc/sys/net/ipv4/ip_forward* from the hardware interface to the newly created Linux bridge (vmbr1). Note: replace eth0 with your real Ethernet interface.
Now Reboot
reboot
- Your network configuration in your web interface should now look something like this:
(Optional but recommended) Make Admin Portal accessible only via VPN Connection or your Static IP:
Use / download Openvpn script: https://github.com/angristan/openvpn-install
git clone https://github.com/angristan/openvpn-install
Change directory to Openvpn script
cd openvpn-install/
Make script executable
chmod +x openvpn-install.sh
run Openvpn script
./openvpn-install.sh
Allow SSH traffic from your OpenVPN connection
ufw allow from 10.8.0.0/24 to any port 22
Allow SSH traffic from your Static IP Address (if you have one at home or use another VPS)
ufw allow from *staticip* to any port 22
Change loglevel of your UFW so that the logfiles don't get gigantic
ufw logging low
Edit /etc/default/ufw
nano /etc/default/ufw
- Allow throughput through your VPN connection and avoid losing your internet connection while connected to your VPN by pasting the following:
DEFAULT_FORWARD_POLICY="ACCEPT"
Allow Traffic to OpenVPN Port 1194
ufw allow 1194
Note: Depending if you choose UDP or TCP while installing the Openvpn Script you may want to use: 'ufw allow 1194/udp' or 'ufw allow 1194/tcp'
reload ufw
ufw reload
test Admin Portal Connection via https://10.10.10.254:8006
sudo openvpn /path/to/openvpn.file
and then simply point your Browser to: https://10.10.10.254:8006
if EVERYTHING works, continue
remove firewall rule to allow connection to port 8006/tcp
ufw delete allow 8006/tcp
reload ufw
ufw reload
The only way to connect to your server's admin panel now is either via your static IP (if you have one) or through your VPN connection.
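Before and after the `ufw delete allow 8006/tcp` step it pays to confirm from the rule table, not just from the browser, which ports are still allowed from Anywhere. The following is an added example (not from the original post) that parses `ufw status` output and reports world-reachable ALLOW rules for a given port; it assumes the tabular format of ufw 0.36 on Debian 10, and SAMPLE_STATUS is constructed data, not real output. Note that the `ufw allow 22/tcp` rule from the Harden SSH step is still open to the world unless you delete it the same way, so the check reports port 22 too.

```shell
#!/bin/sh
# Added example: find ufw ALLOW rules whose source is "Anywhere".
# Usage on the host:  ufw status | port_is_world_reachable 8006 && echo "8006 still public"
# SAMPLE_STATUS below is constructed for the test, not captured from a real host.

SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       10.8.0.0/24
8006/tcp                   ALLOW       Anywhere
1194                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8006/tcp (v6)              ALLOW       Anywhere (v6)'

# world_allows PORT: print every ALLOW rule for PORT whose From column starts
# with "Anywhere". Reads ufw status text on stdin. Columns are separated by two
# or more spaces, so "22/tcp (v6)" stays one field; "/tcp", "/udp" and " (v6)"
# are stripped before comparing. Rules scoped to a network (10.8.0.0/24) or to
# the static IP are ignored, which is exactly what the post wants to keep.
world_allows() {
    awk -F'  +' -v p="$1" '
        $2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ {
            to = $1
            sub(/ \(v6\)$/, "", to)
            sub(/\/(tcp|udp)$/, "", to)
            if (to == p) print
        }'
}

# port_is_world_reachable PORT: exit 0 if any such rule exists, 1 otherwise.
port_is_world_reachable() {
    [ -n "$(world_allows "$1")" ]
}

# count_world_allows PORT: how many world-reachable ALLOW rules PORT has.
count_world_allows() {
    world_allows "$1" | wc -l | tr -d ' '
}
```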
Fix Locales Error
- Copy and paste the commands. I also just googled them, and I'm not exactly sure what the commands are doing, besides fixing the locales...
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
No Subscription Repo
Now we are pasting the right (no-subscription) Proxmox apt repository, since we don't have a subscription and we don't want one (most of the time...).
First we remove the file /etc/apt/sources.list.d/pve-enterprise.list
rm /etc/apt/sources.list.d/pve-enterprise.list
Create a new file named pve-no-subscription.list via nano:
nano /etc/apt/sources.list.d/pve-no-subscription.list
There we simply paste the following, which has no deeper meaning; it's just the Proxmox no-subscription repository:
deb http://download.proxmox.com/debian/pve buster pve-no-subscription
test if your repositories are correctly set up with updating your Server:
apt-get update
apt-get dist-upgrade
If there are no error messages, your repositories are correctly set up.
Create a Template
The special case with a VPS
Container
In most cases a VPS has only one virtual drive attached, which makes it impossible (if the VPS uses LVM) for Proxmox to create a template, since the template needs to be on another storage (correct me if this has changed in the meantime). So what you do instead is download an LXC template from the GUI, assign it the last possible IP you have and customize it. This has several advantages:
- the first container has the id 0; if it's your template, the first container can be assigned your IP X.X.X.1
- you can simply clone your first container via the GUI even though it's no "real" template
Note: this is more or less a workaround, since if you have e.g. ZFS as storage, you CAN create templates. Nevertheless, it is good practice to use your first created container / VM as template, since it's easier to assign your IP addresses in order.
Create a reverse Proxy
Install a webserver
In this case we are using an Nginx webserver
apt-get install nginx
Configure nginx
For the Nginx configuration I am linking a sample Nginx configuration creator:
https://nginxconfig.io/
test Nginx configuration for mistakes
nginx -t
restart Nginx
systemctl restart nginx
... enjoy your nginx reverse proxy
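With the bridge from the Configure Proxmox step, the reverse proxy on the host is the only public way into a container on 10.10.10.0/24. The following is an added example (not from the original post, and not generated by nginxconfig.io) that writes one Nginx site forwarding a hostname to a guest on vmbr1 and refuses any upstream that is not a guest, including the host's own bridge address 10.10.10.254, so the proxy can never be pointed at the admin panel by accident. It assumes Debian's /etc/nginx/sites-enabled layout; the hostname and guest address are placeholders.

```shell
#!/bin/sh
# Added example: publish one container behind the host's Nginx.
# Assumes /etc/nginx/sites-enabled is included by nginx.conf (Debian default).

# write_proxy_site SERVER_NAME GUEST_IP GUEST_PORT OUTDIR
# Writes OUTDIR/SERVER_NAME.conf proxying to http://GUEST_IP:GUEST_PORT.
write_proxy_site() {
    name=$1; ip=$2; port=$3; outdir=$4
    case $ip in
        10.10.10.254) echo "refusing $ip: that is the host's own bridge address" >&2; return 1 ;;
        10.10.10.*) ;;                       # a guest on vmbr1, fine
        *) echo "refusing $ip: not on vmbr1 (10.10.10.0/24)" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Unquoted heredoc so $ip/$port expand; Nginx variables are escaped as \$.
    cat > "$outdir/$name.conf" <<EOF
server {
    listen 80;
    server_name $name;

    location / {
        proxy_pass http://$ip:$port;
        # hand the original host and client address to the guest
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# install_site SERVER_NAME GUEST_IP GUEST_PORT: write, validate, then reload.
install_site() {
    write_proxy_site "$1" "$2" "$3" /etc/nginx/sites-enabled && nginx -t && systemctl reload nginx
}
```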