In one of my prior articles, Simple certs with Docker-Dehydrated, I demonstrated how to provision certificates from the Let’s Encrypt Certificate Authority and deploy them to remote servers. When you look at how the certificates are simultaneously distributed to each of the servers, you’ll notice that they’re saved to
After I SSH into the Proxmox server, I create a script that will be responsible for copying the certificates into place and restarting Proxmox’s GUI:
#!/usr/bin/sh cp -v /srv/letsencrypt/example.com/fullchain.pem /etc/pve/local/pveproxy-ssl.pem cp -v /srv/letsencrypt/example.com/privkey.pem /etc/pve/local/pveproxy-ssl.key systemctl restart pveproxy
Then, I will run
crontab -e to add an entry that runs this script every 7 days at 04:05 (4:05 AM) UTC:
5 4 */7 * * /usr/local/bin/sync-certs.sh > /dev/null
If you need help with Cron, check out Crontab Guru.
By default, pfSense does not enable SSH. First, let’s turn it on by clicking on System → Advanced → Admin Access and scrolling to the Secure Shell section, clicking on Enable Secure Shell, and clicking on the Save button at the bottom of the screen.
Please note that you can change the SSH port if you would like. In a further section where I demonstrate how to use Tailscale with subnets, I’ll also demonstrate how to access each server separately, so that it won’t be a requirement to change any SSH ports. If you forgo the Tailscale step, you would need to either change the SSH port here and rule in the next step, or change the port forward rule from a prior step for accessing Proxmox via SSH, otherwise, there would be a port collision.
Once you’ve enabled SSH, you will receive a notification in the top right corner. When you click on the notification icon, you will receive a notice when the SSH server has been configured and is ready.
Assuming that you left the firewall SSH port at its default setting, you will need to disable the port forward rules to Proxmox for SSH (and optionally, Mosh).
Click on Firewall → Rules → WAN_Hetzner → Add to allow remote access via SSH to your firewall.
You’re now able to access your firewall via SSH with:
pkg install rsync git
Create a directory for your TLS certificates to be saved to:
mkdir -pv /srv/letsencrypt/
Download the pfsense-import-certificate script to
curl \ https://raw.githubusercontent.com/stompro/pfsense-import-certificate/master/pfsense-import-certificate.php \ > /usr/local/bin/pfsense-import-certificate.php \ ;
Now you can update the certificate distribution script to refresh the firewall after it’s transferred certificates by adding this line:
/usr/bin/ssh root@FIREWALL_IP '/usr/local/bin/php /usr/local/bin/pfsense-import-certificate.php /srv/letsencrypt/example.com/fullchain.pem /srv/letsencrypt/example.com/privkey.pem'
You can install the Cron package by clicking on System → Package Manager → Available Packages → Search term → Cron → Search → Install
Similar to how we set up the Cron job for certificates on Proxmox, we can run run this script every 7 days at 04:05 (4:05 AM) UTC with the settings that you see in this screenshot.
Now that everything is set up, let’s run the scripts manually to synchronize all of the servers so that we can see our new changes:
On your certificate server:
On your Proxmox host:
On your firewall:
/usr/local/bin/php \ /usr/local/bin/pfsense-import-certificate.php \ /srv/letsencrypt/example.com/fullchain.pem \ /srv/letsencrypt/example.com/privkey.pem \ ;
You should now be able to securely access Proxmox and the firewall at:
10 replies on “Deploying Proxmox 7 behind a firewall VM”
Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?
I try to split complex topics into their own articles. You can find my Traefik 2 guide at https://LTG.FYI/Traefik-2. Please let me know if you have further questions, and I’ll try to answer them here or perhaps write additional articles.
Great post. Thanks!
I’m just in the process to replicate your setup.
Nearly everything is working but I can’t get any DNS servers working on OPT2. The traffic is routed over the WireGuard-VPN, all fine.
But it seems that any UDP traffic is blocked and I can’t figure out where to unblock it. Any hints much appreciated! Thank you.
Off the top of my head, maybe I forgot to document the DNS Resolver section, but will have to go re-read my article and look for anything that I might have missed, but am in the middle of bee season (video of some of it: https://LTG.FYI/YouTube) and helping restore multiple ranches, so it may take me a moment.
I’ll e-mail you and try to figure it out with you. Once you and I figure this out, I’ll make appropriate edits to the article or one of us can write here in the comments about what needed to be changed.
EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you, so that we can try and figure out what the problem is.
Thank you so much for your tutorial!!!
I can’t access the Ingress server from the VMS_Hetzner network, from external it’s working.
Like in your example: “Now I can access the simple server remotely by visiting http://22.214.171.124:8000”
I can access the website from my browser, but not from a browser running with any VM on the VMS_Hetzner network.
Any idea which Firewall rule is blocking the access from VMS_Hetzner to WAN_Hetzner?
Hi Loomer, you are most welcome! 🙂
I used the interface’s address for the VMs to access the firewall interface. Please see https://thad.getterman.org/articles/proxmox-7-behind-firewall-vm/5/#live_desktop for an example of a Virtual Machine accessing the firewall’s GUI via the VM interface address to configure it instead of the WAN address.
EDIT: I e-mailed you and the e-mail bounced back as an invalid address. Please feel free to reach out again with a way for me to contact you.
I am new to proxmox and your article just blew me away.
I just got the hetzner with 15hdd (no nvme) and I asked for KVM to install proxmox directly on the baremetal
But you do some sort of magic.
you boot into recovery and install proxmox in qemu?
I cannot say I follow
I am not sure I follow (and obviously I already broke my setup trying to change the network settings)
I’ll e-mail you so that we can schedule a time for me to have office hours with you; you screen share with me in observation mode so that I can tell you what to click on and help you get up and running.
I’ll make a YouTube video out of it and then add one or more relevant videos to this article.
Louis T. Getterman IV