Access Admin GUI and SSH from VPN Connection

Smitty_Tech

Member
Nov 27, 2020
Setup:
  • ProxMox node has a single NIC - 192.168.250.251
    • Able to access the GUI and SSH from the 192.168.250.x LAN
  • The node has a single VM (Ubuntu) which is accessible via ssh from the 192.168.250.x LAN
  • The VPN server is cloud-hosted and provides IPs to clients in the 172.28.x.x range
  • When connected to the VPN, the guest VM (Ubuntu) replies to ping and ssh from the VPN-connected client
  • When connected to the VPN, the node does not reply to ping or ssh and the admin GUI does not answer on https://<IP>:8006
  • When connected to the VPN, all other devices on the 192.168.250.x LAN are reachable, pingable, etc. - so not a firewall rule issue
Some steps taken in an attempt to resolve:
  • Disabled firewall at DC and Node levels
  • Attempted to add a route - possibly malformed
  • Tried the "post-up" method on the /etc/network/interfaces file - again, possibly malformed
Although I can get to the guest, not being able to get to the node's admin areas is a blocker. The node, once fully configured, will be placed in a facility around 1000 miles away. Looking for a solution (ZeroTier, TailScale not options) that allows me to connect to the VPN and then to the node via ssh or https.
 
Is the node acting as the gateway for the 192.168.250.0 network?

'when connected to the vpn' - how does a VM or the node 'connect' to the VPN (is there a client app involved?)

'when connected to the vpn' - what does ip route look like?
 
Is the node acting as the gateway for the 192.168.250.0 network?
No - the node is a device on the 192.168.250.0 network. Gateway is a Sophos firewall.
'when connected to the vpn' - how does a VM or the node 'connect' to the VPN (is there a client app involved?)
Not sure I was too clear on what 'when connected to the vpn' meant - this is an OpenVPN client from my machine remotely connecting to the 192.168.250.0 network. So on my machine, I would be coming from the 172.28.x.x VPN IP pool to 192.168.250.x. VMs do not need the VPN as they go out the gateway and have no issue getting internet or LAN access.
'when connected to the vpn' - what does ip route look like?
All expected routes are shown and reachable. When my client machine is connected to the VPN I have full access to all of 192.168.250.x, just not the web GUI and ssh of the Node.
 
Not an expert and this could be a guess on my part, but I think the issue is that the node will only answer to ssh, ping, and https from devices inside of its LAN (192.168.250.x in this case). Since my VPN connection traffic is coming from 172.28.x.x I think the node is refusing the connection because it is not aware of that network. I'm not sure how to tell the node that it is "OK" to answer traffic from the 172.28.x.x network.
 
So the Sophos firewall is running OpenVPN and your remote system is running the client software? None of your LAN clients (including the node) are aware of the VPN, but only the node is not reachable from outside via the VPN link?

Is the node IP address on the same interface as the VMs' - i.e. vmbr0 - or is it directly on an interface like enp1s0?
Does the node have a gateway address defined on the management address, and can the node reach the internet?
 
So the Sophos firewall is running OpenVPN and your remote system is running the client software?
No - the OpenVPN server is cloud-hosted at GCP. The client (my machine) runs an ovpn client. The connection would look like this - Client>>OpenVPNServer>>IPSec Tunnel to Sophos>>LAN
None of your LAN clients (including the node) are aware of the VPN, but only the node is not reachable from outside via the VPN link?
The LAN clients would use IPSec tunnels if they needed to go to another site, so they are unaware of the inbound OpenVPN connections. Correct, all devices, computers, VMs etc. are accessible using the OpenVPN client - only the node cannot be reached when using the OpenVPN client.
Is the node IP address on the same interface as the VMs' - i.e. vmbr0 - or is it directly on an interface like enp1s0?
Yes, IP is static on vmbr0.
Does the node have a gateway address defined on the management address, and can the node reach the internet?
Yes and wait, NO!! A closer look and there was a typo in the GW. Updated gateway, able to ping out to internet....AND I CAN CONNECT FROM THE VPN.

Lesson: If you ask someone to do a setup, check their work before you pull your hair out and start posting on the internet!!!

Thanks, @bobmc for asking all the right questions!!!
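Worked example added here (not from the thread): a small Python check that parses a static vmbr0 stanza from /etc/network/interfaces and reports whether the node could send a reply to a given source address. An off-subnet source like a 172.28.x.x VPN client only gets an answer if the node has a gateway that actually sits inside its own subnet, so a typo of the kind found above shows up before the box is shipped. The sample stanza, its gateway value and the 172.28.0.5 client address are constructed.

```python
# Added example, not from the thread: pre-deployment check of a Proxmox node's
# /etc/network/interfaces for the mistake the thread ended on (a gateway typo).
import ipaddress

# Constructed stanza mirroring the thread's setup; the gateway holds a typo of
# the kind the thread found (the real Sophos address is not stated there).
SAMPLE_INTERFACES = """\
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.250.251/24
    gateway 192.168.205.1
    bridge-ports enp1s0
    bridge-stp off
"""

def parse_static_ifaces(text):
    """Map interface name -> {'address': ..., 'gateway': ...} for 'inet static' stanzas."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            cur = parts[1] if "static" in parts else None
            if cur:
                ifaces[cur] = {}
        elif cur and parts[0] in ("address", "gateway"):
            ifaces[cur][parts[0]] = parts[1]
    return ifaces

def check_return_path(iface_cfg, remote_source):
    """Return (ok, reason): can a reply to remote_source leave this interface?"""
    local = ipaddress.ip_interface(iface_cfg["address"])  # expects CIDR form
    src = ipaddress.ip_address(remote_source)
    if src in local.network:
        return True, "on-link source: replies are delivered directly"
    gw = iface_cfg.get("gateway")
    if gw is None:
        return False, "off-subnet source and no gateway: replies cannot leave"
    if ipaddress.ip_address(gw) not in local.network:
        return False, f"gateway {gw} is not inside {local.network}: replies are unroutable"
    return True, f"off-subnet source: replies go via gateway {gw}"
```

Run it against the real file on the node before shipping; a LAN host passes regardless, which is exactly why the problem only surfaced from the VPN side.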
 