Beginner's questions concerning PVE networking, assigning a public IP, and connecting to a VPN Server container

T

tabsnotspaces

New Member
Jan 26, 2021
6
0
1
34
Hello all,

I'm new to proxmox and its way of managing VMs/containers and am struggling with setting up my desired networking strategy.

I have 2 VMs and a container. I want the container to act as a VPN server and be exposed to the public internet so that I can access my local network through it.

I followed this guide for setting up the VPN server container and OpenVPN appears to have been setup correctly (its running, generated an opvn file, and the CA keys look OK), but when trying to connect to it from a different machine, the TLS handshake times out with no data reaching the server (which sounds like a firewall issue):
Code: 
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Firewall on container:
Code: 
Firewall  no
DHCP  yes
nap  yes
...
I'm assuming that once my client is connected to the VPN, that I should just have access to my local network from there? I'm also not sure what goes into reserving a public IP for my VPN server - what I tried (which is likely wrong) is take the IP for my router and use one of the available addresses. I assume I'll have to make my router's IP static from there? Pretty lost here. Also, are there any firewall changes that I can make to protect my VPN server?

Here's my network interface on the proxmox host:
Code: 
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.200/24 # local IP
    gateway 10.0.0.1
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0

Here's my network interface on the VPN server:
Code: 
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.0.0.100/24 # local IP
    gateway 10.0.0.1
    bridge-ports enol
    bridge-stp off
    bridge-fd 0

auto eth1
iface eth1 inet static
    address ###.###.248.100/24 # public IP? I took my router's IP address and changed the number a bit. I don't know how to get this or if its setup correctly
    gateway ###.###.248.1

And my router's IP (that I made static based on what was assigned via DHCP)
Code: 
Internet
IP: ###.###.248.121
Subnet: 255.255.252.0
Gateway: ###.###.248.1

LAN
IP: 10.0.0.1
Subnet: 255.255.255.0

I can ssh into every machine no problem using the private IPs and they can each connect to the internet, its just the public IP and VPN connection that appear to be failing.

Sorry for all the questions - I've been trying to do my own research but everything I find gets so deep into the weeds that I don't understand what's required.
 
Last edited:
oguz said:
hi,

to access the VPN service running on the CT, you need to allow and forward that port on your PVE host to NAT to the CT's internal IP address.

you can check here [0]

setup would be something like:

public internet -> home router (NAT) -> CT (local IP)

[0]: https://pve.proxmox.com/wiki/Networ...ith_tt_span_class_monospaced_iptables_span_tt
Click to expand...
OK, I saw that page and wasn't sure which networking strategy to pick. So my container's network interfaces now looks like this

Code: 
auto lo
iface lo inet loopback

auto eno1
#public IP address
iface eno1 inet static
        address  ###.###.248.100
        netmask  255.255.252.0
        gateway  ###.###.248.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address  10.0.0.100
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.1/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o eno1 -j MASQUERADE

I attempted to reinstall openvpn but during the client creation, there is now no ip address available to choose from. Should I be using `eth0` instead of `eno1` above?
 
tabsnotspaces said:
I attempted to reinstall openvpn but during the client creation, there is now no ip address available to choose from. Should I be using `eth0` instead of `eno1` above?
Click to expand...
you don't need to reinstall openvpn. this network config needs to be on the PVE host (container network is managed by PVE, no need to edit /etc/network/interfaces in there)
 
  • Like
Reactions: tabsnotspaces
I moved the interface changes to the host and reverted my container's settings and openVPN install. Still no communication from the server when trying to connect with the opvn.

I ended up installing tailscale on my VMs, which handles the VPN layer for me and is free for up to 200 devices. I'll continue to fool around with this container but its no longer a blocker.
 
tabsnotspaces said:
I moved the interface changes to the host and reverted my container's settings and openVPN install. Still no communication from the server when trying to connect with the opvn.

I ended up installing tailscale on my VMs, which handles the VPN layer for me and is free for up to 200 devices. I'll continue to fool around with this container but its no longer a blocker.
Click to expand...
did you also forward the necessary port for openvpn on your PVE? like: iptables -t nat -A PREROUTING -i eno1 -p tcp --port EXPOSED_PORT -j DNAT --to OVPN_CT_IP:OVPN_PORT (change tcp to udp if using udp port)
 
Hello!
I also stuck with the same problem.
I have a dedicated server with 1 public IP. On the server i've got a couple VM and CT with OpenVPN.
After a couple of days I've found a solution.
Assume that you have an external interface:

auto eth0
iface eth0 inet static
address 2.15.15.15/24
gateway 2.15.15.1
dns-nameservers 2.15.241.2 2.15.241.3

You add a Linux bridge for you machines:

auto vmbr0
iface vmbr0 inet static
address 192.168.100.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
#Linux bridge

Ok, VM and CT can see each other, but they can't go to the internet. So you need to enable IPv4 forward and Masquerade outgoing traffic:

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.100.0/24' -o eth0 -j MASQUERADE

Now we have to do the last one step. My OpenVPN(192.168.100.23) works with UDP traffic on 1194 port. I need to route it to my container and backwards.

post-up iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.100.23:1194
post-down iptables -t nat -D PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.100.23:1194
post-up iptables -t nat -A POSTROUTING -p udp --sport 1194 -s 192.168.100.23 -j SNAT --to-source 2.15.15.15:1194
post-down iptables -t nat -D POSTROUTING -p udp --sport 1194 -s 192.168.100.23 -j SNAT --to-source 2.15.15.15:1194

All manipulations you need to do in etc/network/interfaces , don't forget to reboot your PVE to apply network configuration.
 
  • Like
Reactions: sry
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom