Fun with Proxmox and other virtual environments


MagicCamera
2016-02-02, 11:33 PM
There is one other reason I want to use a private LAN. I like Canonical's Landscape for central management of keeping my Ubuntu boxes up to date; instead of manually accessing each one individually, I can log in to a web GUI and push the updates/upgrades all at once on up to 10 VMs and 50 containers. I don't really want that web GUI to be internet facing at all, I'd rather it sat in the LAN and I VPN in and use my desktop browser to access a local IP. I looked at SoftEther, it's impressive, and I may very well adopt it in the near future. Because it has so many features and intricacies, I will stick with what I know and test out SE later. Thanks for the input though. Much appreciated.

MagicCamera
2016-02-02, 07:21 PM
I'm only using OpenVPN so I can SFTP into the web directory of the backend web servers as though they were on my home LAN, since they are not accessible directly from the internet, which is the way I want it to work. And the OpenVPN is on a VM, not the host. There is no additional software on the host since I don't want to interfere with Proxmox. I have tried using the Proxmox UI to define an internal network but it didn't work or was sporadic, so I chose the VM NAT type bridge instead and that worked. I've not heard of SoftEther but I'll check it out.

HTMLtag
2016-02-02, 03:51 PM
Wow, it sounds like you made a simple task very complicated.
Internal networks can be defined from inside of Proxmox's UI.
The NAT can be done with similar rules you're using for OpenVPN.

Using OpenVPN complicates things; you can use SoftEther and set up a VPN with advanced routing. It requires minimal config and supports connections from nearly every VPN client, from OpenVPN, to IPSec, to PPTP, etc.

As far as SFTP goes, the SSH server you're running has it built in, just use an SFTP client like FileZilla or Bitvise.

MagicCamera
2016-02-01, 09:19 PM
So I got hooked on owning a dedicated server, which my wife so gracefully got me a 1-year subscription for at Christmas. I think she was fed up with me putzin' with the internet services at home with my pfSense box and Oracle VirtualBox environment I had running on my wee Mac Mini under the telly. Anyway, since using the dedicated server here at OVH I have had a frustrating time figuring out a few things that I'd now like to share with my fellow users. It's too long to write up in this forum so I will compile my findings on my own web server and post the link at a later date.

Here is a brief summary, however, of what I managed to accomplish through searching high and low for the vital information I needed to make it happen.

Let's start here: I needed to create a private LAN. I know there is an eth1 on the server, but had difficulty attaining reliable connections system wide. So I decided to follow this guide and create a bridge: http://help.ovh.co.uk/Proxmox#link4 and created a VM NAT. This worked great, the LAN server had internet access as though it were a machine behind a home router, so then I needed a box that had 2 NICs, one public and one private, in order to communicate with or direct inbound traffic to from the internet via haproxy. Then all my troubles began; the trouble is that you can't have 2 default gateways, so I found the solution here: https://www.thomas-krenn.com/en/wiki..._on_One_System

Okay, so I figured out how to put a public facing VM with an extra NIC to talk to backend servers. I decided to create a MySQL server and 2 WordPress servers that will be load balanced and synchronized and talk to the MySQL in the backend, but the public facing server will reverse proxy and load balance the connection. The WP servers had to be set up with GlusterFS and share the same directory for all the WP files. I used Nginx as web server software. If you get this far you can follow this guide and try it out yourself: https://www.digitalocean.com/communi...n-ubuntu-14-04

Oh yes, I use Ubuntu as my main Linux OS, I'll do FreeBSD on occasion, but they have similar tutorials for other OSes like CentOS.

Anyway, that all worked fine and dandy, but then I had a dilemma: how do I SFTP (I never use FTP, it's insecure. SSH keys are the way to go) into the web servers with Adobe Dreamweaver if they are hidden behind the host's LAN? Easy, OpenVPN to the haproxy VM that has that all-important 2nd NIC. However, there is a catch, you need to set up the OpenVPN server.conf file to push the route and then tell the VM box that it needs to reply to the OpenVPN client with some iptables firewall rules. I installed iptables-persistent and set up the rules.v4 at /etc/iptables and added these 3 vital rules:

-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE

See this tutorial for OpenVPN, there are other OS versions you can look for on their tutorial site. https://www.digitalocean.com/communi...n-ubuntu-14-04

Those are just the rules for OpenVPN to be allowed to access the network as a whole. There are other rules you need to put in place that I won't post here as they would take up too much space. Send me a PM and I'll send you a text file with everything you need to get started. But I'd refer you to this tutorial: https://www.digitalocean.com/communi...n-ubuntu-14-04 That is but one of a few they have, so search the tutorials if you need something more juicy.

So now when I initiate VPN to my VM box, I can ping the local IP network right from my home computer like the boxes were under the table in the kitchen. It's a nifty setup and if you are interested, PM me and I can point you in the right direction; follow all those guides I posted here and you should be well on your way to building a good secure server. I like to lock down my servers to be tighter than a camel's nostrils in a sandstorm and I tested connections to and from extensively to make sure that my home computer and office are the only ones allowed to access the SSH and OpenVPN ports. Instead of inserting a rule that depicts an actual IP address from my home computer, I put in a domain name that points to my home internet service, so if my IP changes the theory is my DynDNS will update that info and my host firewall will re-translate it. I have yet to test it, but at least my office IP is static. Just hope they don't fire me at the same time my ISP changes my IP.

Comments welcome, and if you need advice I am more than happy to help.

Oh, it's a good idea to create a VM with a desktop app on it if you have software on LAN machines that requires web page access. I keep an Ubuntu Desktop handy but don't keep it running, I only fire it up when I need it. But technically if your OpenVPN is successful you can access the web application of your new LAN VM from your home computer web browser by typing in the local address e.g. http://192.168.X.X

For my next project, I want to look into running pfSense to head up my backend LAN. If anyone has any tricks of the trade on that I'd like to hear from you. I just can't wrap my head around one thing: pfSense is supposed to be at the front but I can't put it in front of the host, that's like trying to copy a directory into itself... or as Adobe puts it, "the file can't be inserted into itself". I think someone at Adobe has a dark sense of humour because that sounds rude!
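As an added check, not from the thread or the poster: a small Python script that audits an iptables-persistent rules.v4 file for the three tun0/eth1 forwarding and masquerade rules given above and flags any SSH (tcp/22) or OpenVPN (udp/1194) accept rule in INPUT that carries no -s source restriction. The sample ruleset and addresses are constructed, and the script matches rule text literally as hand-written in the post's style rather than iptables-save's normalised ordering.

```python
import re

# Constructed sample in /etc/iptables/rules.v4 (iptables-save) format, not the
# poster's own file; udp/1194 is deliberately left open to any source.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
COMMIT
"""

def parse(text):
    """Split iptables-save text into {table: {chain: policy}} and {table: [rules]}."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):              # table header, e.g. *filter
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":") and table:  # chain default policy line
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A") and table:
            rules[table].append(line)
    return policies, rules

def audit(text):
    """Return a list of findings; an empty list means all checks pass."""
    policies, rules = parse(text)
    flt, nat, findings = rules.get("filter", []), rules.get("nat", []), []
    for needed in ("-A FORWARD -i eth1 -o tun0 -j ACCEPT",
                   "-A FORWARD -i tun0 -o eth1 -j ACCEPT"):
        if needed not in flt:
            findings.append("missing forward rule: " + needed)
    if not any("-s 10.8.0.0/24" in r and "-o eth1" in r and "MASQUERADE" in r
               for r in nat):
        findings.append("missing MASQUERADE for 10.8.0.0/24 via eth1")
    if policies.get("filter", {}).get("INPUT") != "DROP":
        findings.append("filter INPUT policy is not DROP")
    # ssh (tcp/22) and OpenVPN (udp/1194) accepts must carry a -s source match
    for r in flt:
        if (r.startswith("-A INPUT") and r.endswith("-j ACCEPT")
                and re.search(r"--dport (22|1194)\b", r) and "-s " not in r):
            findings.append("listener open to any source: " + r)
    return findings
```

Run `audit()` over the text of your own rules.v4; an empty list means the VPN forwarding is in place and both listeners are pinned to named sources.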