Wireguard to connect proxmox ?

bilm

New Member
Feb 8, 2024
Hello,
I'm new to Proxmox and hypervisors of this type. So far I've only been self-hosting very simple services or using devices like YunoHost.

I've made the sketch below to visualize the infrastructure I want to set up:
schema_proxmox.png
I've already installed Proxmox VE 8 and configured a WireGuard wg0 VPN tunnel as a client directly on the Proxmox machine. This tunnel seems to be working: I've managed to ping through it, and the VPN's IP address (and not the public IP of the box) is returned to me when I query online services.

But when I created a VM connected to the default interface vmbr0, this VM had the IP address of the Freebox (82.65.XXX.XX) and not that of the VPN (80.67.XXX.XX).

I'd like my future LAN's network traffic to pass through the WireGuard wg0 VPN tunnel, so that the services on the LAN's VMs can be reached via the VPN's IP (80.67.XXX.XX) and not the box's IP (82.65.XXX.XX).

Is it possible to create a vmbr network interface configured with the VPN's public IP (80.67.XXX.XX)?
Or maybe I'm going the wrong way and need to do something different?
What do you think?

Thanks for your help and sorry for my bad English!

Bilm
Thank you _gabriel for your reply!
I'm just starting with network configuration under Proxmox and iptables rules. I'd be interested in documentation and configuration examples so I can learn.

Before testing on the machine, and going back to my sketch from the first post: if I configure a vmbr1 virtual bridge as below and assign it to the WAN interface of my pfSense VM, will the incoming traffic through the pfSense WAN be that of the VPN (80.67.XXX.XX)?
I'm not sure what values to give to the address and -s parameters (maybe it should be the VPN IP instead)?

Bash:
auto vmbr1
# private subnet
iface vmbr1 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o wg0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o wg0 -j MASQUERADE

thanks
bilm
 
will the incoming traffic through the pfSense WAN be that of the VPN (80.67.XXX.XX)?
No. The VPN IP will be only on the host.
Then the guests use an IP from the new local subnet like 10.10.10.0/24 (or 192.168.2.0/24, as you want) + the IP of the host (vmbr1) as gateway/router.

Edit: by the way, why not have pfSense connect itself to the WireGuard VPN and then act as router? That will be easier to manage.
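As an added example (my config, not the original poster's stanza above or _gabriel's), here is a complete host-side /etc/network/interfaces stanza that implements this answer: vmbr1 carries the private subnet, guests use 10.10.10.1 as their gateway, and the host masquerades their traffic out of wg0. The FORWARD rules are my addition and are assumed, not taken from the thread: without them, guest traffic falls back to vmbr0 and shows up with the box's IP whenever wg0 is down.

```conf
# /etc/network/interfaces on the Proxmox host (added example).
# Assumes wg0 is already up on the host with a full-tunnel AllowedIPs,
# as described in the first post.
auto vmbr1
iface vmbr1 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # let the host route between vmbr1 and wg0
        post-up   sysctl -w net.ipv4.ip_forward=1
        # guest traffic leaves with the host's VPN address (source NAT on wg0 only)
        post-up   iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o wg0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o wg0 -j MASQUERADE
        # leak protection: guests may only be forwarded to/from wg0; anything else
        # coming from vmbr1 (e.g. towards vmbr0 when the tunnel is down) is dropped
        post-up   iptables -A FORWARD -i vmbr1 -o wg0 -j ACCEPT
        post-up   iptables -A FORWARD -i wg0 -o vmbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        post-up   iptables -A FORWARD -i vmbr1 -j DROP
        post-down iptables -D FORWARD -i vmbr1 -o wg0 -j ACCEPT
        post-down iptables -D FORWARD -i wg0 -o vmbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        post-down iptables -D FORWARD -i vmbr1 -j DROP

# /etc/network/interfaces inside a guest attached to vmbr1 (constructed example;
# no DHCP is running on vmbr1 here, so the address is static)
auto eth0
iface eth0 inet static
        address 10.10.10.10/24
        gateway 10.10.10.1
        # pick a resolver that is reachable through the tunnel
```

From the guest, an IP-echo service should now answer with the VPN address (80.67.XXX.XX); with wg0 brought down on the host, the same request should fail rather than reveal 82.65.XXX.XX.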
 
You need to build an EoIP tunnel over the WireGuard tunnel, bridge vmbr2 with the EoIP interface on the PVE side, and on the remote side put the remote EoIP interface in one bridge with the WAN adapter.

wg-side

br0
address 80.67.1.2/24
gateway 80.67.1.1
bridge-ports eoip0 eth0(wan interface)

wg0
address 10.0.0.2

eoip0
remote 10.0.0.3
local 10.0.0.2


pve-side


vmbr2
bridge-ports eoip2

wg2
address 10.0.0.3

eoip2
remote 10.0.0.2
local 10.0.0.3

I use MikroTik for the same scheme, but pfSense has EoIP too:
https://redmine.pfsense.org/issues/10698


P.S. In this scheme there is a serious lack of a router, on whose network the PVE and pfSense will be connected:

82.65.XXX.XX --- wan --- router ---- lan (192.168.1.1/24) -> ens0p3(vmbr0) 192.168.1.2/24 -- pve

Then you just attach pfSense to bridge vmbr0 and build a WG tunnel from pfSense (192.168.1.3/24) to the dedicated server.
Thanks for your answers!

[...]

Edit: by the way, why not have pfSense connect itself to the WireGuard VPN and then act as router? That will be easier to manage.
Yes, I'll also look into connecting the pfSense VM directly to my WireGuard tunnel.

You need to build an EoIP tunnel over the WireGuard tunnel, bridge vmbr2 with the EoIP interface on the PVE side, and on the remote side put the remote EoIP interface in one bridge with the WAN adapter.
Thank you for your reply. I didn't know about the EoIP protocol. I'll see if it's possible for me to set this up.
 
What exactly do you need? (:

I tried it with a fresh install of Proxmox, following a few guides.
I got a working WireGuard connection on the host, so all internet traffic is going through there.
The LAN network is an exception, of course.

As soon as I set up an LXC, it "bypasses" the VPN and connects directly to the internet.

At the moment I'm trying to work around the issue by creating an LXC which has the VPN inside and using it as a sort of VPN gateway.
But I read that this might only work as a VM (which is more overhead than I want to have, tbh).
 
As soon as I set up an LXC, it "bypasses" the VPN and connects directly to the internet.
It's expected, as the guest doesn't know anything about the host.
This is the network topology to understand:
Each guest (VM or LXC) is like a standalone computer plugged into your real switch.

The VPN should be on the main router if you want all devices, including guests, to use the VPN.

VPN for only selected guests:
there is some network-basics learning curve required to:
create a new, different local subnet like LAN2 with its own dedicated bridge like vmbr2;
create a guest acting as router / DHCP server like OpenWrt, with 2 interfaces, one connected to vmbr0 for WAN and the other connected to vmbr2 for LAN2;
add the VPN into the guest router like OpenWrt;
then guests connected to bridge vmbr2 / LAN2 will use the VPN.
This is more a network thing than a virtualization issue, as it's the same for all hypervisors.
 
The VPN should be on the main router if you want all devices, including guests, to use the VPN.
Thank you very much for your reply.
What you describe is exactly how I imagined it, and why I chose to set up the VPN on the host so every guest can / must use it.

Sadly I can't figure out the config to get the guests using the host's VPN :/

I think doing it with a separate VM would be the "easiest" way, even though you are correct that the network setup is more complex.
Which is why I would prefer to keep it on the host and just force the LXC guests to use the host's VPN (if someone can point me to a way to configure this).

If it's not possible I'll try to set up a gateway LXC first before going to a VM.
 
Thank you very much for your reply.
What you describe is exactly how I imagined it, and why I chose to set up the VPN on the host so every guest can / must use it.

This is not how it works. You can have WireGuard on the host and still no guest is forced to use it. To achieve that you will need to add a second bridge network to your host (I would recommend an SDN for it, but AFAIK it's not needed per se) and let guests only use this network. For connecting this network to the outside world you then would have a WireGuard gateway (which can be on the host or on a guest inside the network). And since you will need some kind of DNS or DHCP server for your guest network anyhow, I strongly recommend using something like OpenWRT or OPNsense for the guest network.
Or, if this is too much overhead for you, a Pi-hole container. You could also ditch WireGuard altogether and just have a Tailscale subnet router on one or more of these network guests (together with Headscale you can self-host this if you don't want to trust the company behind Tailscale).
I personally wouldn't use WireGuard directly on the host, to have better separation of layers and not mess with the host's network configuration, but in the end you need to pick your poison.