[SOLVED] Proxmox configuration with a domain name that is not public

bluepr0

Hi!

I've managed to set up Cloudflare + NPM so I can access my private services through my regular domain using certificates. This way, I'm not getting the dreaded non-secure connection alert.

Everything seems to be working okay. I can create as many subdomains as I want. For example, I created one for TrueNAS as "truenas.mydomain.com" and a couple for my PVE nodes as "pve.mydomain.com" and "pve2.mydomain.com." If I access any of these, it will load the web GUI, and it appears to be working fine. However, I'm having issues with all the shells, including the host shell and any shells from VMs or LXCs. I can't figure out what's going on for the life of me.

I get an error when attempting to access the shell of the host via pve.mydomain.com. However, it works fine when I use the local IP address.
Bash:
failed waiting for client: timed out
TASK ERROR: command '/usr/bin/termproxy 5900 --path /nodes/pve --perm Sys.Console -- /bin/login -f root' failed: exit code 1

And I get this error when I try with an LXC.
Bash:
()
failed waiting for client: timed out
TASK ERROR: command '/usr/bin/termproxy 5900 --path /vms/100 --perm VM.Console -- /usr/bin/dtach -A /var/run/dtach/vzctlconsole100 -r winch -z lxc-console -n 100 -e -1' failed: exit code 1

Any ideas where I could start digging? Thanks!
 
Hey BluePr0,

Are your PVE nodes set up to resolve those DNS entries? And how is your workstation resolving them?
For example, you can own a public domain but have different DNS records internal to your LAN/site network if you use your own DNS. Perhaps whatever DNS server your workstation is using is different from what the PVE hosts use.

Two checks you can perform:
  1. Log in to the host without using a domain on your workstation or SSH in, then run: nslookup pve.mydomain.com
  2. Log in to the host, select the node, then select DNS. Update your DNS to the same DNS as your workstation (suggestion, not a recommendation, this may not be the best decision).
Cheers, I suggest a local DNS LXC or VM. PowerDNS will give you more control and integration, Pi-Hole will give you access control lists (firewall capabilities).


Tmanok
 
Hi @Tmanok, thanks for your reply!

I believe the DNS should be configured correctly. I created an A record *.mydomain.com on my Cloudflare account that directs to my Nginx Proxy Manager internal IP (10.0.1.40). Later, using Nginx Proxy Manager, I created a certificate using DNS Challenge, so I guess that's why even using an external DNS it's resolving it correctly. I also have a couple of AdGuard instances with pve.mydomain.com and pve2.mydomain.com redirecting to my proxy IP (10.0.1.40).

Here's the nslookup

Bash:
root@pve:~# nslookup pve.REDACTED.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   pve.REDACTED.com
Address: 10.0.1.40

root@pve:~# nslookup pve2.REDACTED.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   pve2.REDACTED.com
Address: 10.0.1.40

root@pve:~#
 
Here's an nslookup from my Mac that actually uses the AdGuard DNS. I don't add it to my Proxmox VE servers because I don't really need to block anything, and they're actually running inside those servers.

Bash:
jonatan@Mac-Studio ~ % nslookup pve2.REDACTED.com
Server:        10.0.1.11
Address:    10.0.1.11#53

Non-authoritative answer:
Name:    pve2.REDACTED.com
Address: 10.0.1.40
 
Alright, mystery resolved. If you are accessing the terminal of the host or any VM/LXC and encounter "Undefined Code: 1006" while using Nginx Proxy Manager, you need to enable WebSocket support. This will resolve the issue!

 
Hi Bluepr0. I am trying to set up something similar, mixing an NPM setup on my Synology NAS and trying to point a domain / IP address / port from my Proxmox LXC instance. It isn't working in that NPM isn't able to get to the LXC container IP + port. I tried it for Proxmox itself (port 8006) and a Docker/Portainer instance I set up (port 9443) and both just won't connect. Might you have any idea what I might be doing wrong, or can you point me to a guide that worked for you that I can try? Thanks!
 
