vpn access for proxmox vm's

[chetan sonawane]

Hello All,

We have proxmox 4.4 host with 20-30 kvm vm's running on it. One if the client have 5 windows vm's . The client require rdp access from vpn connection.

We do not want to use hardware firewall. Please advice , any alternative option using software firewall such as pfence or open vpn which can be install on one of the vm on same proxmox host to achieve this.

Regards,
chetan

 

[bofh]

pretty easy
openvpn on that host
set firewall to block all traffic BUT openvpn net - customer IP range

but better option would be even use of vlans (put al customer vms into one seperate vlan, make your routing for that openvpn instance accordingly
but also use firewall rules to finally isolate him from anyhting else)

vlans should be a must for commercial use (vm isolation anyone?)


however be aware openvpn has a little learning curve to get it right
use at least tls/hmac static key for connection, individual certs with no simultanious double use and ofc udp (its faster and we dont like portscans)


on the upside you can use as many openvpn instances you want
you should however create a static TUN interface for each and assign it to each static ip pool)
like

# device: tun0
auto tun0
iface tun0 inet static
    address                     10.1.25.1
    netmask                     255.255.255.255
    network                     10.1.25.2
    pre-up                      openvpn --mktun --dev tun0

that way you can set iptables rules on boot.
because if your rules load before the interface is intialized your rules wont work at all

so you have now a static virtual interface, define that tun0 into your openvpn config, regardless if the openvpn server runs