Deploying Proxmox 7 behind a firewall VM – Page 9

IP Addresses

Data Center / ISP

I’ll add this section at a later date. When writing this article and I went to add additional IPs for documenting with screenshots, and to meet the quality that I try to put into each article, I faced high costs that were outside of my server budget for the month. Sorry.

VPN

Depending on what you’re trying to accomplish, you can create your own Site-to-Site between your locations or use a service. A WireGuard configuration file is simple and straightforward, and a typical configuration file from a VPN service looks like this:

[Interface]
PrivateKey = RQPONMLKJIHGFEDCBAZYXWVUTSRQPONMLKJIHGFEDCBA
Address = 1234:5678::123/64, 1.2.3.4/24
DNS = 1.2.3.4, 1234:123:1234:1::53
MTU = 1234

[Peer]
PublicKey = ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQR
Endpoint = wg.example.com:51820
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0

In the firewall’s configuration page, add the WireGuard package by clicking on System → Package Manager → Available Packages → Search term → WireGuard → Search → Install:

You can now configure WireGuard by clicking on VPN → WireGuard

Using the example configuration from above, first, I will add a tunnel:

Now to add a tunnel peer:

Enable the WireGuard tunnel and then click on the Save button.

Click on Status to ensure that you’re connected.

Click on Interfaces → Assignments → Available network ports → the WireGuard interface (in my case it’s tun_wg0) → Add

Then click on the new interface (in my case it’s OPT3).

For the interface, the IP and the Gateway will be the IP address in the configuration file. You can add the gateway by clicking on the Add a new gateway button. When you’re finished, save your settings.

Depending on the popularity of your second IP address, when you look at your logs, you should see multiple attempts at port scans, bots, and people poking at your network (and trying to gain access.)

This is precisely why I’ve warned throughout this article that you should have a complex password and not use a simple password since it’s only a short time before people start poking at servers and services on those servers that you expose to the Internet.

Egress

Change the Outbound NAT Mode so that select Virtual Machines and Containers can use a separate IP address from your single/primary one by clicking on Firewall → NAT → Outbound → Outbound NAT Mode → Hybrid Outbound NAT → Save

I then define the outbound traffic for the second network that will come from the “second” WAN. I opt for the ideology of explicit is better than implicit, which is why I specify the entirety of the second network will be part of an outbound NAT so long as it’s not trying to reach an RFC 1918 address that’s an alias which I specified above.

Now I add an outbound rule for everything on the “additional” network bridge with Advanced Options. The key points of this rule are:

Interface: everything on the “additional” bridge (VMS_ADDITIONAL)
Source: VMS_ADDITIONAL net
Destination: not RFC 1918
Tag: Additional
Gateway: WAN_WIREGUARD 1.2.3.4

If your “additional” gateway goes down, you may not want the traffic to originate from your primary IP. There’s two ways to fix this:

Turn off automatic rule creation.
Block tagged traffic with a floating rule on the WAN interface.

To turn off automatic rule creation which omits the gateway:

System → Advanced → Miscellaneous → Gateway Monitoring

Then, enable:

Flush all states when a gateway goes down
Do not create rules when gateway is down

and click on the Save button.

Click on Firewall → Rules → Floating → Add

The key points of this rule with Advanced Options are:

Action: Block or Reject
Interface: WAN
Protocol: Any
Tagged: Additional

Now you can test to ensure that your Virtual Machine or Container is using its secondary IP via the VPN:

dig -x `curl https://wtfismyip.com/text`

Then, you can stop the VPN service and run this command again, and it should fail. If you see your WAN IP then please re-read these instructions and ensure that everything is set correctly.

Ingress

Remember the Simple HTTP Server that we ran on the WAN? Let’s do that again, but on our “second” WAN courtesy of the VPN.

Click on Firewall → NAT → Port Forward → Add:

Tunneling DNS

In addition to forcing traffic across your secondary IP via a VPN, don’t forget that you may face DNS Leaking as well. If you have a VPN service that you trust, you can opt for the DNS server(s) found in the WireGuard configuration file. Other candidates to consider using:

Cloudflare DNS
- 1.1.1.1
Google DNS
- 8.8.8.8
- 8.8.4.4
Quad9
- 9.9.9.9
- 149.112.112.112
OpenDNS
- 208.67.222.222
- 208.67.220.220
Comodo Secure DNS
- 8.26.56.26
- 8.20.247.20

First, set your firewall’s DNS servers by clicking on System → General Setup → DNS Server Settings. Ensure that for each of the DNS servers that you add, the gateway is set to your VPN’s gateway. Ensure that DNS Server Override is disabled. When finished, click on the Save button.

Now click on Services → DNS Resolver

Ensure that the Network Interfaces section is set to All and that the Outgoing Network Interfaces is set to your VPN’s interface (e.g. WAN_WireGuard), enable DNS Query Forwarding, and then click on the Save button.

Now you can test for DNS Leaks by opening a browser in Incognito/Private mode and loading one or more of the following DNS Leak sites:

4 replies on “Deploying Proxmox 7 behind a firewall VM”

Excelente post

Thanks, John!

Great post. Thank you so much – exactly what I was looking for!
But I’m missing a step-by-step guide to include Traefik 2 to your setup.
Or can’t I simply find it?

Hi Fred,

I try to split complex topics into their own articles. You can find my Traefik 2 guide at https://LTG.FYI/Traefik-2. Please let me know if you have further questions, and I’ll try to answer them here or perhaps write additional articles.

Best regards,
Louis