Alright so I have a standard setup for ProxMox and I use pfSense as my router/firewall. I want to allow a user to access the ProxMox GUI from anywhere in the world and I can't seem to figure out exactly how to do that. For example, let's assume 192.168.0.1 is default gateway and 192.168.0.2 is ProxMox (for security purposes). What's the best way to go about doing this?
pfSense & ProxMox Remote Access
- Thread starter Vito Reiter
- Start date
The safest way is to create a VPN and allow access to the subnet that your Proxmox hosts lie on.
OpenVPN Appliance is free for up to 2 concurrent users and is very easy to set up in a Virtual Machine in Proxmox if you so desire. Of course, if this user needs to restart Proxmox host then the OpenVPN appliance should lie on a different host / physical hardware.
Just NAT Port Forward 1194, 943 and 443 to the OpenVPN VM IP.
Within OpenVPN GUI under VPN Settings under Routing, select Yes, using NAT and Add the private subnet there.
It's not a good idea to NAT to your host directly form the internet.
If your OpenVPN install lies in the same subnet you're done. If it lies in a separate subnet you'll have to make a firewall rule to allow from OpenVPN either to your hosts only (with Aliases) or to the hosts subnet.
OpenVPN Appliance is free for up to 2 concurrent users and is very easy to set up in a Virtual Machine in Proxmox if you so desire. Of course, if this user needs to restart Proxmox host then the OpenVPN appliance should lie on a different host / physical hardware.
Just NAT Port Forward 1194, 943 and 443 to the OpenVPN VM IP.
Within OpenVPN GUI under VPN Settings under Routing, select Yes, using NAT and Add the private subnet there.
It's not a good idea to NAT to your host directly form the internet.
If your OpenVPN install lies in the same subnet you're done. If it lies in a separate subnet you'll have to make a firewall rule to allow from OpenVPN either to your hosts only (with Aliases) or to the hosts subnet.
Okay gotcha,
I'm just gonna test certain methods because I have a very specific set of permissions for these users in my head that I have to implement. Thanks for the help
I'm just gonna test certain methods because I have a very specific set of permissions for these users in my head that I have to implement. Thanks for the help
Even easier - since he's using pfsense - there is an OpenVPN package for pfsense. Use that one. Its fully integrated with the pfsense distro and you don't need to port foward anything inside your firewall, the VPN exists at the firewall edge so you don't need to forward "dirty" traffic to the appliance (running the risk of a fat finger or other misconfiguration allowing raw internet traffic into your LAN).
Did you succeed with OpenVPN between proxmox hosts at Hetzner?
I am trying the same thing,
But first I wanted one proxmox 5.1 host's openvpn to connect to my existing openvpn server.. (and when it works, between different proxmox hosts)
But every time I try to connect the vmbr0 to the eth (enp2s0) interface, the network will not start correctly after boot.
If I add the binding in the host after boot (like iptables -t nat -A POSTROUTING -s '10.64.12.0/24' -o enp2s0 -j MASQUERADE ) I can without problems access the internet from a guest.. but try to do it inside the network/interface file, seems to lead to some kind of network misbehaviour when booting the host (even the enp2s0 Ethernet IP is not accessible from outside), and I have to reboot in rescue mode..
I am trying the same thing,
But first I wanted one proxmox 5.1 host's openvpn to connect to my existing openvpn server.. (and when it works, between different proxmox hosts)
But every time I try to connect the vmbr0 to the eth (enp2s0) interface, the network will not start correctly after boot.
If I add the binding in the host after boot (like iptables -t nat -A POSTROUTING -s '10.64.12.0/24' -o enp2s0 -j MASQUERADE ) I can without problems access the internet from a guest.. but try to do it inside the network/interface file, seems to lead to some kind of network misbehaviour when booting the host (even the enp2s0 Ethernet IP is not accessible from outside), and I have to reboot in rescue mode..