I am using Proxmox VE to run a few KVM virtual machines behind a firewall/gateway. The Proxmox Server has one NIC, assigned to vmbr0. The bridge is assigned a local IP address (192.168.185.254) from the local net (192.168.185.0/8).
One of the VMs is acting as a CentOS based OpenVPN Gateway (static IP 192.168.185.200 assigned). Port 1194 UDP is forwarded from the Gateway connecting the LAN to the Internet to the Proxmox host IP (192.168.185.254) and OpenVPN clients can successfully connect to the OpenVPN Server on the VM (192.168.185.200). Traffic from the VM's tun+ adapters is masqueraded/NATed on the VM to allow access to machines on the LAN through OpenVPN. For testing purposes, no other firewall rules are in effect on the VMs or the Proxmox host.
I can access the OpenVPN gateway VM from the outside through ssh once the OpenVPN connection has been established. I can also access a web-based frontend on the same VM (both over http and https). I can also ping other machines on the LAN through OpenVPN (both physical and virtual), DNS resolution is also working. Finally, I am able to connect to other _physical_ machines on the LAN through ssh, http, smb, etc. So far, so good.
The weird thing is, while I am able to ping other VMs connected to the same vmbr device on the Proxmox server, I cannot connect to them or to the Proxmox host web interface through either ssh, http or https. Running tcpdump on the Proxmox host while trying to access its web interface over the OpenVPN channel, I could see packets being sent from the OpenVPN VM (properly masqueraded) to the destination, as well as the answer from the http host. But after the initial handshake no further packets seem to reach the OpenVPN client. I can see some ARP requests and answers from the http host and then, suddenly, the http server tries to send packets to the unmasqueraded address of the OpenVPN client (10.8.0.6)...
I tried instead setting up ssh port forwarding of the Proxmox host port 443 through the OpenVPN VM and it works without delays (e.g. ssh -L 8080:192.168.185.254:443 192.168.185.200) - I can connect to the Proxmox host's Web interface and manage VMs. If I establish a separate ssh tunnel to forward port 5900 to me, I can even access the VNC console.
I do not quite understand what is happening here. As I said, I can access other physical hosts on the LAN through the OpenVPN gateway without problems, so the OpenVPN setup seems to work as intended. To me it looks as if the different networking layers on the bridge are somehow confused, maybe on the ARP side of things?
I looked around quite a bit and read through a lot of different setup ideas. However I chose this setup to keep it simple - after all, it's a small LAN and none of the switches involved are having difficulties with multiple MACs on the same port, so why not just plug all VMs onto the same vmbr device...
I'm probably not seeing the obvious solution here, but maybe somebody could point me in the right direction? I'd be happy to provide more information if needed.
Thx in advance! Proxmox VE is a fantastic product and I'm very impressed with it!
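The symptom above (LAN hosts suddenly replying straight to 10.8.0.6 instead of to the masquerading VM) can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from Proxmox/OpenVPN: it parses tcpdump lines captured on the host's vmbr0 and flags any LAN-side packet addressed directly to a VPN client, pairing it with the masqueraded flow it belongs to. The capture text is constructed, and the VPN client subnet 10.8.0.0/24 is assumed (OpenVPN's default); the LAN and gateway addresses are the ones from the post.

```python
import ipaddress
import re

# Constructed sample of tcpdump output on the Proxmox host's vmbr0 (not a capture
# from the original post). Gateway VM = 192.168.185.200, host = 192.168.185.254,
# VPN clients assumed to live in 10.8.0.0/24 behind the VM's MASQUERADE rule.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.185.200.40123 > 192.168.185.254.443: Flags [S], seq 1, length 0
12:00:01.000200 IP 192.168.185.254.443 > 192.168.185.200.40123: Flags [S.], seq 2, ack 2, length 0
12:00:01.000400 IP 192.168.185.200.40123 > 192.168.185.254.443: Flags [.], ack 3, length 0
12:00:01.100000 IP 192.168.185.254.443 > 10.8.0.6.40123: Flags [P.], seq 2:100, ack 3, length 98
12:00:01.200000 IP 192.168.185.254.443 > 10.8.0.6.40123: Flags [P.], seq 2:100, ack 3, length 98
"""

LAN = ipaddress.ip_network("192.168.185.0/24")
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")      # assumed OpenVPN client subnet
VPN_GATEWAY = ipaddress.ip_address("192.168.185.200")

# Matches "IP src.port > dst.port:" as printed by tcpdump for IPv4 TCP/UDP.
LINE_RE = re.compile(r"IP (\S+?)\.(\d+) > (\S+?)\.(\d+): ")

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every IPv4 line in the capture."""
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)), int(m.group(2)),
                   ipaddress.ip_address(m.group(3)), int(m.group(4)))

def find_unmasqueraded_replies(capture):
    """Return LAN-side packets addressed directly to a VPN client address.

    On the LAN segment every VPN client should appear as the gateway VM, so a
    packet from a LAN host to 10.8.0.x means the reply bypassed the VM's NAT.
    """
    return [(str(src), sport, str(dst), dport)
            for src, sport, dst, dport in parse(capture)
            if src in LAN and dst in VPN_CLIENTS]

def diagnose(capture):
    """Pair each leaked reply with the masqueraded flow it belongs to, if any."""
    packets = list(parse(capture))
    # Flows the gateway VM opened towards the LAN under its own (masqueraded) address.
    translated = {(src, sport, dst, dport) for src, sport, dst, dport in packets
                  if src == VPN_GATEWAY and dst in LAN}
    report = []
    for src, sport, dst, dport in packets:
        if src in LAN and dst in VPN_CLIENTS:
            # The leaked reply mirrors the translated flow's ports but not its address.
            matched = (VPN_GATEWAY, dport, src, sport) in translated
            report.append({"lan_host": str(src), "port": sport, "vpn_client": str(dst),
                           "client_port": dport, "matches_masqueraded_flow": matched})
    return report
```

A `matches_masqueraded_flow` of True means the LAN host answered an existing NATed connection with the client's real address, which points at the reply no longer passing through the VM's conntrack/MASQUERADE path rather than at OpenVPN itself.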