Deploying Proxmox 7 behind a firewall VM

TLS Certificates

In one of my prior articles, Simple certs with Docker-Dehydrated, I demonstrated how to provision certificates from the Let’s Encrypt Certificate Authority and deploy them to remote servers. When you look at how the certificates are simultaneously distributed to each of the servers, you’ll notice that they’re saved to /srv/letsencrypt/.

Proxmox

After I SSH into the Proxmox server, I create a script that will be responsible for copying the certificates into place and restarting Proxmox’s GUI:

/usr/local/bin/sync-certs.sh

#!/usr/bin/sh

cp -v /srv/letsencrypt/example.com/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp -v /srv/letsencrypt/example.com/privkey.pem /etc/pve/local/pveproxy-ssl.key
systemctl restart pveproxy

Then, I will run crontab -e to add an entry that runs this script every 7 days at 04:05 (4:05 AM) UTC:

5 4 */7 * *    /usr/local/bin/sync-certs.sh > /dev/null

Firewall

By default, pfSense does not enable SSH. First, let’s turn it on by clicking on System → Advanced → Admin Access and scrolling to the Secure Shell section, clicking on Enable Secure Shell, and clicking on the Save button at the bottom of the screen.

Please note that you can change the SSH port if you would like. In a further section where I demonstrate how to use Tailscale with subnets, I’ll also demonstrate how to access each server separately, so that it won’t be a requirement to change any SSH ports. If you forgo the Tailscale step, you would need to either change the SSH port here and rule in the next step, or change the port forward rule from a prior step for accessing Proxmox via SSH, otherwise, there would be a port collision.

Once you’ve enabled SSH, you will receive a notification in the top right corner. When you click on the notification icon, you will receive a notice when the SSH server has been configured and is ready.

Assuming that you left the firewall SSH port at its default setting, you will need to disable the port forward rules to Proxmox for SSH (and optionally, Mosh).

Click on Firewall → Rules → WAN_Hetzner → Add to allow remote access via SSH to your firewall.

You’re now able to access your firewall via SSH with:

ssh root@example.com

Install rsync and git:

pkg install rsync git

Create a directory for your TLS certificates to be saved to:

mkdir -pv /srv/letsencrypt/

Download the pfsense-import-certificate script to /usr/local/bin/pfsense-import-certificate.php:

curl \
    https://raw.githubusercontent.com/stompro/pfsense-import-certificate/master/pfsense-import-certificate.php \
    > /usr/local/bin/pfsense-import-certificate.php \
    ;

Now you can update the certificate distribution script to refresh the firewall after it’s transferred certificates by adding this line:

/usr/bin/ssh root@FIREWALL_IP '/usr/local/bin/php /usr/local/bin/pfsense-import-certificate.php /srv/letsencrypt/example.com/fullchain.pem /srv/letsencrypt/example.com/privkey.pem'

OR

You can install the Cron package by clicking on System → Package Manager → Available Packages → Search term → Cron → Search → Install

Similar to how we set up the Cron job for certificates on Proxmox, we can run run this script every 7 days at 04:05 (4:05 AM) UTC with the settings that you see in this screenshot.

Synchronization

Now that everything is set up, let’s run the scripts manually to synchronize all of the servers so that we can see our new changes:

On your certificate server:

/usr/local/bin/distro-certs.bash

On your Proxmox host:

/usr/local/bin/sync-certs.sh

On your firewall:

/usr/local/bin/php \
    /usr/local/bin/pfsense-import-certificate.php \
    /srv/letsencrypt/example.com/fullchain.pem \
    /srv/letsencrypt/example.com/privkey.pem \
    ;

You should now be able to securely access Proxmox and the firewall at:

• Proxmox: https://example.com:8006/
• Firewall: https://example.com/