Introduction to Proxmox and VPN Setup
Proxmox Virtual Environment (Proxmox VE) is an open-source platform that allows users to create and manage virtual machines (VMs) and containers. It supports both KVM (Kernel-based Virtual Machine) for full virtualization and LXC (Linux Containers) for lightweight virtualization. By combining Proxmox with a self-hosted VPN, you can enhance your network privacy and control while making efficient use of your hardware.
In this guide, we will focus on setting up a self-hosted VPN using OpenVPN on a virtual machine running on Proxmox. OpenVPN is a widely used, open-source VPN solution that offers strong encryption and reliable performance. The goal is to create a VPN that ensures secure communication for remote access to your network.
Requirements
- Proxmox Virtual Environment (Proxmox VE) installed on your host machine.
- A virtual machine (VM) running a Linux distribution, preferably Ubuntu or Debian.
- Root access to the VM for system configuration.
- OpenVPN software package installed on the VM.
Setting Up a Virtual Machine in Proxmox
The first step in building a self-hosted VPN is to create a VM within Proxmox. Follow these steps:
1. **Create the VM**: In the Proxmox Web UI, click on the “Create VM” button.
2. **Select OS**: Choose the desired Linux distribution. For this example, we’ll use Ubuntu 20.04.
3. **Configure Hardware**: Assign sufficient CPU cores, RAM, and storage to the VM. A minimal setup might involve 1-2 CPU cores, 2GB of RAM, and 20GB of storage.
4. **Network Configuration**: Ensure the VM is connected to a bridge network to allow external communication.
5. **Install the OS**: Attach an ISO of Ubuntu to the VM and start the installation process, following the on-screen instructions to complete the setup.
Once the VM is running, you can proceed with installing OpenVPN.
Installing OpenVPN on Ubuntu
To install OpenVPN on your Ubuntu VM, first, update your package repositories and install the OpenVPN package.
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y
Easy-RSA is a utility for managing a certificate authority and the certificates and keys it issues, which OpenVPN uses to authenticate the server and clients and to encrypt your VPN connections. After installing OpenVPN, the next step is to configure the server.
Setting Up the OpenVPN Server
Configure Easy-RSA: Initialize a Public Key Infrastructure (PKI) directory, which will be used to create server and client certificates.
make-cadir /openvpn-ca
cd /openvpn-ca
Build the Certificate Authority (CA):
source vars
./clean-all
./build-ca
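These commands load the Easy-RSA variables, clear any previously generated keys, and create the root certificate and private key of the CA for your VPN. The scripts used in this guide (clean-all, build-ca, build-key-server, build-dh, build-key) are the Easy-RSA 2.x interface; Easy-RSA 3, the version packaged for Ubuntu 20.04, performs the same operations through subcommands of a single easyrsa script.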
Generate the Server Certificate and Key:
./build-key-server server
Generate the Diffie-Hellman Parameters:
./build-dh
Generate the HMAC Key:
openvpn --genkey --secret keys/ta.key
Create the Server Configuration File: Copy the example server configuration file and edit it according to your setup.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf
Make the following changes:
- Set proto udp and port 1194 to define the VPN protocol and port.
- Set server 10.8.0.0 255.255.255.0 for the VPN subnet.
- Uncomment and configure the tls-auth and dh options with the paths to the respective files generated earlier.
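One way to check the edits above before starting the service, as an added example that is not part of the original guide: the script reads server.conf, ignores lines commented out with # or ;, and reports any of the guide's settings that are missing or different. The function names are hypothetical, the sample file is constructed, and relative file paths are assumed to be resolved against the directory holding server.conf.

```sh
#!/bin/sh

# Print the arguments of the first active (uncommented) use of a directive.
directive_args() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }               # skip whole-line comments
        $1 == d { sub(/[ \t]*[#;].*$/, "")   # drop a trailing comment
                  $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one FAIL line per problem; return 1 if any problem was found.
audit_server_conf() {  # $1 = path to server.conf
    conf=$1 rc=0
    for want in "proto udp" "port 1194" "server 10.8.0.0 255.255.255.0"; do
        name=${want%% *}
        got=$(directive_args "$conf" "$name")
        [ "$name $got" = "$want" ] && continue
        echo "FAIL: want '$want', found '$name ${got:-(not set)}'"; rc=1
    done
    for name in tls-auth dh; do
        file=$(directive_args "$conf" "$name" | awk '{ print $1 }')
        case $file in
            "") echo "FAIL: $name is commented out or missing"; rc=1; continue ;;
            /*) ;;
            *)  file=$(dirname "$conf")/$file ;;  # assumption: relative to conf dir
        esac
        [ -f "$file" ] || { echo "FAIL: $name file $file not found"; rc=1; continue; }
        # ta.key is a shared secret: flag it if group or others can read it.
        if [ "$name" = tls-auth ] &&
           [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FAIL: $file is readable by group or others"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the guide's edits applied, but tls-auth left commented out.
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
;proto tcp
proto udp
server 10.8.0.0 255.255.255.0
dh dh2048.pem
;tls-auth ta.key 0 # This file is secret
EOF
: > "$demo/dh2048.pem"
audit_server_conf "$demo/server.conf" || echo "server.conf needs attention"
rm -rf "$demo"
```

On the VPN server the call would be audit_server_conf /etc/openvpn/server.conf, run as a user that can read the file.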
Starting the OpenVPN Server
Once the server configuration is complete, start the OpenVPN service:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Verify that the VPN server is running by checking the status:
sudo systemctl status openvpn@server
Configuring Firewall and Routing
To ensure that traffic is routed properly through the VPN, configure your firewall and enable IP forwarding.
Enable IP Forwarding:
Edit /etc/sysctl.conf and uncomment the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Configure NAT (Network Address Translation):
Run the following command to masquerade traffic leaving through the VM's outbound interface (eth0 here; substitute the name of your interface if it differs):
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Make the rules persistent across reboots (the package installer offers to save the rules currently loaded):
sudo apt install iptables-persistent
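A check for the two settings in this section, as an added example that is not part of the original guide: it classifies the MASQUERADE rule found in iptables-save output and tests whether the forwarding line in a sysctl file is active. The function names are hypothetical and both rule dumps are constructed; the second dump limits the rule to the guide's 10.8.0.0/24 subnet with -s, a tightening the guide itself does not apply.

```sh
#!/bin/sh
# Classify the MASQUERADE rule for one outbound interface.
# stdin: `iptables-save -t nat` output; $1 = VPN subnet (CIDR); $2 = interface.
# Prints: unscoped (NATs every source), scoped (VPN subnet only), or missing.
classify_vpn_nat() {
    awk -v net="$1" -v ifc="$2" '
        $1 == "-A" && $2 == "POSTROUTING" && / -j MASQUERADE/ {
            out = ""; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (out != "" && out != ifc) next   # rule is for another interface
            if (src == "") unscoped = 1
            else if (src == net) scoped = 1
        }
        END { print (unscoped ? "unscoped" : (scoped ? "scoped" : "missing")) }'
}

# Exit 0 if FILE ($1) carries an active (uncommented) net.ipv4.ip_forward=1 line.
forwarding_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed iptables-save output holding the rule exactly as the guide adds it.
guide_nat='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
# The same table with the rule limited to the guide's VPN subnet (added hardening).
scoped_nat='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

echo "guide rule:  $(printf '%s\n' "$guide_nat"  | classify_vpn_nat 10.8.0.0/24 eth0)"
echo "scoped rule: $(printf '%s\n' "$scoped_nat" | classify_vpn_nat 10.8.0.0/24 eth0)"
```

On the VPN server, pipe sudo iptables-save -t nat into classify_vpn_nat and pass /etc/sysctl.conf to forwarding_persisted.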
Creating Client Certificates
To allow clients to connect to the VPN, you need to create an individual certificate for each client. From the /openvpn-ca directory, run the following command once per client, using a unique name each time:
./build-key client1
This generates the client certificate and key, which can then be used to configure the OpenVPN client.
Configuring the Client
Install OpenVPN on the Client: Install OpenVPN on the client machine using the package manager.
sudo apt install openvpn -y
Transfer Certificates and Keys: Copy the client’s .ovpn configuration file, the client’s certificate, key, and the CA certificate to the client machine.
Connect to the VPN: Use the following command to start the VPN connection on the client machine:
sudo openvpn --config /path/to/client.ovpn
The client should now be connected to the self-hosted VPN running on your Proxmox VM.
Conclusion
By following these steps, you’ve successfully set up a self-hosted VPN using Proxmox and OpenVPN. This solution provides secure remote access to your network and allows for complete control over your VPN infrastructure.
Using this guide, I can connect to my VPN but I can’t manage the Proxmox admin portal.
1. Verify Network Connectivity
VPN Client IP: After connecting, confirm that your VPN client is assigned an IP address (typically within the 10.8.0.0/24 range as configured in the guide).
Ping Test: Try pinging the Proxmox server’s IP address from your VPN client. If the ping fails, this points to a routing or firewall issue between the VPN subnet and the Proxmox host.
2. Check Routing and NAT Configuration
IP Forwarding & NAT: The guide instructs you to enable IP forwarding and set up NAT using an iptables rule (sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE). Ensure these settings are active. If the VPN traffic isn’t correctly routed to the Proxmox network, the admin portal won’t be reachable.
Bridged Network: Verify that your Proxmox VM (and thus the Proxmox host) is on a bridged network that is accessible from the VPN. If the Proxmox server is on a separate subnet, you might need additional routing rules.
3. Firewall and Port Settings
Proxmox Admin Port: The Proxmox admin portal usually runs on port 8006. Make sure no firewall (either on the Proxmox host or in your network) is blocking this port from connections coming from your VPN subnet.
VPN Server Rules: Sometimes, firewall rules on the VPN server might limit access to internal resources. Double-check that traffic destined for the Proxmox server isn’t being blocked.
4. Proxmox Configuration
Listening Interface: It’s possible that the Proxmox admin service is bound only to a specific network interface (for example, only the local or a specific internal IP). Review the Proxmox proxy configuration (often in files like /etc/default/pveproxy) to ensure it’s listening on the interface that the VPN clients can reach.
Direct IP Access: If you’re using a domain name, try accessing the admin portal directly via its IP address to rule out DNS issues.
5. Logs and Further Testing
Review Logs: Check both the VPN server logs and Proxmox logs for any error messages or indications that the connection attempt is being blocked or misrouted.
Temporary Rule Adjustments: As a test, you might temporarily loosen firewall restrictions to see if you can access the portal. If this works, reintroduce the rules one at a time to isolate the issue.