[SOLVED] Can't access Proxmox VMs from VPN

jeanmars

May 26, 2023
Hi,
I'm facing a problem where when using VPN (Wireguard) to contact my VMs, I can reach out to PVE (GUI and SSH) itself but not the VMs.
There is a similar issue described here: https://www.reddit.com/r/Proxmox/comments/13k0ndd/cannot_access_my_server_from_vpn/ but unfortunately the solution is not clearly provided.
Here is my network setup:
- PVE IP 192.168.1.11
- VM under PVE: 192.168.1.20
- Raspberry Pi: 192.168.1.10
- VPN client IP: 192.168.65.67

So from the VPN client, I can SSH to PVE and the Raspberry Pi, but trying SSH or any web service hosted in the VM fails.
It works if I use the Raspberry Pi as a jump server (SSH to rPI and then SSH to VM).

I do believe this is PVE preventing access to VMs as the IP does not come from 192.168.1.0/24, but I disabled firewalls at all levels in Proxmox (VM, node, datacenter).
There should be some iptables setting to change in PVE; can anyone help?
Thanks,
Jean
 
I said: As well as the PVE, does the VM itself have a firewall to prevent access from the outside (or another subnet)?
 
Hi kakuni,

good hint; I forgot I had fail2ban installed recently, so I added the VPN subnet rule at the beginning of the INPUT chain:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.65.0/24 anywhere
f2b-BanSSHTarpit tcp -- anywhere anywhere multiport dports http,https
f2b-BanAbuseIP tcp -- anywhere anywhere multiport dports http,https
However, same outcome: I can't reach the VM from the VPN client; it only works if I use another machine (rPI) as a jump server.
(Anyway, just thinking about this, I don't think this could be the root cause because f2b-BanSSHTarpit and f2b-BanAbuseIP are only filtering on discrete IPs.)

I thought it could be because of the OUTPUT chain, but it is empty:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And the gateway is also the device providing VPN service so it should work.

Any other idea?
 
You can see that you can access the VM from outside the Proxmox server because you can connect SSH via the Raspberry Pi.
That suggests that the gateway configuration may be the cause of the problem.
The VPN-connected device and the VM belong to different subnets, are they routed properly?
I mean the router settings, not anything about PVE.

There are many other possible causes, but it seems a good idea to check the fundamental network settings.
Capturing packets is also a powerful tool.

Good luck!
 
I'm facing a problem where when using VPN (Wireguard) to contact my VMs, I can reach out to PVE (GUI and SSH) itself but not the VMs.
It's expected with the default configuration, as VMs don't know anything about the host or the VPN used by the host.
iptables rules to forward are required, but it's not really in Proxmox's scope ...
AllowedIPs is also required in the WireGuard conf.
 
Hi all,
you're right; it's not about Proxmox, it is related to some firewall/iptables/routing issue, as I just created another VM inside Proxmox and I can connect to it directly using Wireguard.
I will have to review all of that; thanks for the advice.
Jean
 
Hi again,
issue solved; the outgoing route to the VPN subnet was incorrect. I had to add the following at the end of /etc/network/interfaces (Debian) on the VM:
up route add -net 192.168.65.0 netmask 255.255.255.0 gw 192.168.0.254 dev ens18

I also have Docker running on this VM and there are quite a lot of IP routes/subnets; I think some took precedence over the default gateway:
default via 192.168.0.254 dev ens18

Anyway, it was nothing related to Proxmox as I wrongly thought; it was a pure VM routing issue.
Thanks to all for helping me pinpoint the issue :)
Cheers,
Jean
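
The route precedence described in the last post, modelled as an added example (not code from the thread): a longest-prefix-match lookup over a constructed routing table, showing how a more specific Docker bridge route can capture replies to the VPN client before the default route is considered, and how the added /24 route wins them back. The default route and the 192.168.65.0/24 route are taken from the posts; the Docker bridge names and subnets are assumptions, since the thread does not say which subnet conflicted.

```python
import ipaddress

# Constructed routing tables for a VM like the one in the thread.
# Default route and the 192.168.65.0/24 fix come from the posts;
# the Docker bridge names and subnets below are assumptions.
BEFORE = [
    ("0.0.0.0/0", "192.168.0.254", "ens18"),   # default via 192.168.0.254 dev ens18
    ("172.17.0.0/16", None, "docker0"),        # assumed default Docker bridge
    ("192.168.64.0/20", None, "br-example"),   # assumed user-defined Docker network
]
# Same table plus the route added in /etc/network/interfaces.
AFTER = BEFORE + [("192.168.65.0/24", "192.168.0.254", "ens18")]


def lookup(table, dst):
    """Return (prefix, gateway, dev) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


def shadowing_routes(table, subnet, expected_dev):
    """List non-default routes overlapping `subnet` that leave via another interface."""
    target = ipaddress.ip_network(subnet)
    hits = []
    for prefix, _gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > 0 and net.overlaps(target) and dev != expected_dev:
            hits.append((prefix, dev))
    return hits


if __name__ == "__main__":
    vpn_client = "192.168.65.67"
    print("before fix:", lookup(BEFORE, vpn_client))
    print("after fix: ", lookup(AFTER, vpn_client))
    print("overlapping routes:", shadowing_routes(AFTER, "192.168.65.0/24", "ens18"))
```

On the VM itself, `ip route get 192.168.65.67` shows which route the kernel actually selects for replies to the VPN client.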
 