Proxmox as OpenVPN Client

martan3d

Mar 18, 2024
I have seen this touched upon but not found a definitive answer.

I'd like to connect my Proxmox instance to an OpenVPN network, this OpenVPN server is on AWS. Currently we connect our desktop PCs to the AWS OpenVPN and then also allocate EC2 instances for various internal web apps. We also have our code (gitlab) on AWS. So we are a happy crew all behind the VPN, nothing is accessible from 'the outside'.

I was wondering if it's possible to use Proxmox to 'extend' this (for lack of a better term). I'd like to have the Proxmox host be on the OpenVPN as a client, then as VMs are created they are assigned IPs from the VPN. I guess sort of like an 'on prem EC2'. Obviously, I only want these VMs to be accessible from the VPN.

We keep all of our mission critical data and apps on AWS, but some of the less used and non critical apps I'd like to move to web servers on the Proxmox instance and keep them here in house.

Also, I'd like this to be as transparent as possible so I can show the general users here how to get to the Proxmox Host interface and allocate and start up these VMs without them having to be overly knowledgeable about networking and such.

Is this possible?
 
Here all my PVE hosts are OpenVPN clients, but just the PVE host, not the VMs. I use socat or iptables to redirect some ports to a few VMs.
I'm not an expert, but to connect VMs automatically to OpenVPN, once PVE is connected as a client it should act as the router for the VMs.
 
Would you mind telling me how you did that? My test setup has Proxmox with its static IP on the main network (10.2.10.xxx). After installing OpenVPN and getting that working, a reboot shows the tun0 interface with the OpenVPN IP (172.x.x.x). But the main interface is still the static on the regular network and I still get to the web console on that address.

How would I get Proxmox to take the OpenVPN IP as its main IP?
 
Where do the VM IPs come from then? It looks like they come from the DHCP network that my Proxmox is on.

When I create an Ubuntu VM, only an allocated address appears on the interface, I don't see the tunnel that is on the host.
 
Where do the VM IPs come from then? It looks like they come from the DHCP network that my Proxmox is on.

When I create an Ubuntu VM, only an allocated address appears on the interface, I don't see the tunnel that is on the host.
As your VMs are on the bridge attached to a physical NIC, they are connected as if to a real switch, so they get a DHCP IP and they don't even know there is a PVE host, so they can't guess there is a VPN connected on the host.
You need to switch to NAT mode, with a VM acting as router, or the PVE host itself can act as router: https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading
Then add rules to route the VPN, which requires network skill.
 
So obviously I need to upgrade my network skills! But am I correct that the overall idea would be to use the tun0 connection on the PVE host to route all the traffic to and from the VMs through that? This would leave the PVE web interface on the 'regular' network but the VMs would not be accessible except through the VPN? Sorry, hope that doesn't sound dumb but I guess I am in this regard.
 
overall idea would be to use the tun0 connection on the PVE host to route all the traffic to and from the VMs through that
Yes, more precisely, traffic passes over the main PVE IP, which acts as a NAT router.
But I'm going the wrong way, sorry, my head is too busy trying to write in English.
In router NAT mode, VMs will not have a VPN IP themselves; they can access other VPN IPs but not the reverse: other VPN IPs can't access the VM, like any NAT.
So it's perhaps not the best.
You need a site-to-site connection, but I've no experience here.
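
The NAT setup discussed in this thread, sketched as an added example that is not from any poster or from the Proxmox project: an internal bridge on the PVE host whose VM traffic is masqueraded out of tun0 only. The bridge name vmbr1 and the subnet 10.10.10.0/24 are assumptions; tun0 is the OpenVPN interface mentioned above.

```conf
# /etc/network/interfaces fragment on the PVE host (added example).
# vmbr1 and 10.10.10.0/24 are assumed names/values; adjust to your site.
# The existing vmbr0 (physical NIC, web console) stays unchanged.

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    # No physical port: VMs on this bridge never touch the LAN directly,
    # so they do not pick up addresses from the LAN DHCP server.
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # Let the host route between vmbr1 and tun0.
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward

    # Source-NAT VM traffic leaving through the tunnel, so the VPN side
    # only ever sees the host's tun0 address.
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o tun0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o tun0 -j MASQUERADE

    # Forwarding policy for the VM bridge: out via tun0, replies back in,
    # everything else to or from vmbr1 is dropped. If the tunnel is down,
    # VM traffic is not forwarded onto the LAN instead.
    post-up   iptables -A FORWARD -i vmbr1 -o tun0 -j ACCEPT
    post-up   iptables -A FORWARD -i tun0 -o vmbr1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    post-up   iptables -A FORWARD -i vmbr1 -j DROP
    post-up   iptables -A FORWARD -o vmbr1 -j DROP
    post-down iptables -D FORWARD -i vmbr1 -o tun0 -j ACCEPT
    post-down iptables -D FORWARD -i tun0 -o vmbr1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    post-down iptables -D FORWARD -i vmbr1 -j DROP
    post-down iptables -D FORWARD -o vmbr1 -j DROP

# Each VM attaches to vmbr1 with an address in 10.10.10.0/24 and
# 10.10.10.1 as its default gateway (set statically in the guest here).
```

As noted in the last reply, this is one-way: VMs can open connections to VPN addresses, but VPN clients cannot open connections to the VMs unless individual ports are forwarded on the host.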
 
