Networking Server SysAdmin Technology Virtualization

Deploying Proxmox 7 behind a firewall VM

How I run Proxmox with a single IP and MAC address.

Tailscale subnet routing

If you’re not familiar with Tailscale or Netmaker, they’re VPN mesh networks built on top of WireGuard, and make it simple for machines to access each other in a private manner, including when those machines are behind NAT/CGNAT. For this article, I’m demonstrating with a stock install of Tailscale. If you want to self-host like Netmaker allows you to do, you can use Headscale and Headscale UI, but that’s outside the scope of this article.


Add the Tailscale package by clicking on System → Package Manager → Available Packages → Search term → Tailscale → Search → Install:

Direct connections

Add an ingress firewall rule on your WAN for 41641/UDP, which will allow you to reach your servers directly, without the need of a DERP server.

Key generation

After you login to Tailscale, click on SettingsKeysGenerate auth key. At the time of writing, the default values should be fine. The generated key will be shown once, be sure to save it for a subsequent step which will be configured inside of the firewall.


You can now configure Tailscale by clicking on VPN → Tailscale

Click on Authentication and add your generated key from Tailscale.

Now enable Tailscale, enable Advertising Exit Node, and add Advertised Routes to the two LANs for Virtual Machines on the primary IP and the Virtual Machines on the secondary IP. Once you’re finished, click on the Save button:

You should now see your firewall listed in the Tailscale Machine list.

NAT outbound

Set an outbound NAT entry for Tailscale by clicking on FirewallNATOutboundAdd


Click on the three dots on the far right of the firewall. First, click on Disable key expiry. Then, click on Edit route settings…

Enable the two Subnet routes (Virtual Machines for the Primary and Additional networks) and enable Exit node if you want the ability to tunnel your computer through the server when you’re on a public Internet such as a coffee shop.

Now with Tailscale installed on your machine, you can access any of these Virtual Machines or Containers without needing to install the Tailscale client on each of them, and it will pass from your machine directly to your Proxmox firewall, and then directly to the Virtual Machines and Containers.


In the Interface Assignments page, you will have the option to assign Tailscale as an interface.

DO NOT ASSIGN IT: it will cause the firewall to fail to boot when it looks for an interface that isn’t there (since Tailscale isn’t online yet), and then Proxmox and all machines will not be accessible until you recover the Proxmox host.

Split DNS

It’s difficult to keep up with which IP address goes to what server, let’s use DNS to fix that.

In the Tailscale dashboard, click on DNSAdd nameserverCustom…

  • Set the Nameserver to the firewall’s LAN IP address.
  • Set the Search Domain to what you’d like to use with your hosts.

For example, if you have a web server in a cluster that’s web-1, then it would be accessed with web-1.example

To add entries for each of the hosts, click on ServicesDNS ResolverHost OverridesAdd.

4 replies on “Deploying Proxmox 7 behind a firewall VM”

Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?

Leave a Reply

Your email address will not be published. Required fields are marked *