WireGuard to connect Proxmox?

bilm

Feb 8, 2024
Hello,
I'm new to Proxmox and hypervisors of this type. So far I've been self-hosting very simple services or using devices like YunoHost.

I've made the sketch below to visualize the infrastructure I want to set up:
schema_proxmox.png
I've already installed Proxmox VE 8 and configured a WireGuard VPN tunnel, wg0, as a client directly on the Proxmox machine. This tunnel seems to be working: I've managed to ping it, and the VPN's IP address (and not the public IP of the box) is returned to me when I query online services.

But when I created a VM connected to the default interface vmbr0, this VM had the IP address of the Freebox, 82.65.XXX.XX, and not that of the VPN (80.67.XXX.XX).

I'd like my future LAN's network traffic to pass through the WireGuard VPN tunnel wg0, so that the services available on the LAN's VMs can be contacted via the VPN's IP (80.67.XXX.XX) (and not the box's IP, 82.65.XXX.XX).

Is it possible to create a vmbr network interface configured with the VPN's public ip (80.67.XXX.XX)?
Or maybe I'm going the wrong way and need to do something different?
What do you think?

Thanks for your help and sorry for my bad English!

Bilm
 
Thank you _gabriel for your reply!
I'm just starting with network configuration under proxmox and iptables rules. I'm interested in documentation and configuration examples so I can learn?

Before testing on the machine and going back to my sketch from the first post: if I configure a vmbr1 virtual bridge as below and assign it to the WAN interface of my pfSense VM, will the incoming traffic through the pfSense WAN be that of the VPN (80.67.XXX.XX)?
I'm not sure what values to give to the address and -s parameters (maybe it should be the vpn ip instead)?

Bash:
auto vmbr1
#private sub network
iface vmbr1 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o wg0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o wg0 -j MASQUERADE

thanks
bilm
 
will the incoming traffic through the PFsense WAN be that of the VPN (80.67.XXX.XX)?
No. The VPN IP will only be on the host.
The guests then use an IP from the new local subnet, like 10.10.10.0/24 (or 192.168.2.0/24, as you want), plus the IP of the host (vmbr1) as gateway/router.

Edit: by the way, why not have pfSense connect itself to the WireGuard VPN and then act as router? It will be easier to manage.
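
A way to check the ruleset that the `post-up` line from the earlier post produces, as an added example that is not part of the thread: it parses `iptables-save` output and reports whether 10.10.10.0/24 is masqueraded out of wg0 and whether a FORWARD rule keeps vmbr1 traffic from leaving through any other interface. The FORWARD rule form checked here and the sample rulesets are assumptions constructed for this example.

```shell
# Added example (not from the thread): audit `iptables-save` output for the
# vmbr1 -> wg0 NAT setup. Subnet and interface names come from the post.

# 0 if SUBNET ($2) is masqueraded when leaving through OUT_IF ($3).
# MASQUERADE only rewrites packets already routed out of that interface.
has_masquerade() {
    printf '%s\n' "$1" | grep -Fxq -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# 0 if packets entering on BRIDGE ($2) are dropped or rejected unless they
# leave through TUNNEL ($3). This exact rule form is an assumption.
has_killswitch() {
    printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD -i $2 ! -o $3 -j (DROP|REJECT)( |\$)"
}

# audit RULES SUBNET BRIDGE TUNNEL -> prints ok | no-nat | no-killswitch
audit() {
    if ! has_masquerade "$1" "$2" "$4"; then echo "no-nat"; return 0; fi
    if ! has_killswitch "$1" "$3" "$4"; then echo "no-killswitch"; return 0; fi
    echo "ok"
}

# Constructed sample: what the post-up line from the post produces.
RULES_POST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o wg0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: same NAT rule plus a FORWARD rule pinning vmbr1 to wg0.
RULES_PINNED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o wg0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i vmbr1 ! -o wg0 -j DROP
COMMIT'

# Constructed sample: NAT rule bound to the LAN bridge instead of the tunnel.
RULES_WRONG_IF='*nat
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

for r in "$RULES_POST" "$RULES_PINNED" "$RULES_WRONG_IF"; do
    audit "$r" 10.10.10.0/24 vmbr1 wg0
done
```

On the host, `audit "$(iptables-save)" 10.10.10.0/24 vmbr1 wg0` runs the same check against the live ruleset (as root).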
 
You need to build an EoIP tunnel over the WireGuard tunnel, bridge vmbr2 with the EoIP interface on the PVE side, and on the remote side put the remote EoIP interface in one bridge with the WAN adapter.

wg-side

br0
address 80.67.1.2/24
gateway 80.67.1.1
bridge-ports eoip0 eth0(wan interface)

wg0
address 10.0.0.2

eoip0
remote 10.0.0.3
local 10.0.0.2


pve-side


vmbr2
bridge-ports eoip2

wg2
address 10.0.0.3

eoip2
remote 10.0.0.2
local 10.0.0.3

I use MikroTik for the same scheme, but pfSense has EoIP too
https://redmine.pfsense.org/issues/10698


P.S. This scheme is seriously lacking a router, to whose network the PVE and pfSense will be connected

82.65.XXX.XX --- wan --- router ---- lan (192.168.1.1/24) -> ens0p3(vmbr0) 192.168.1.2/24 -- pve

Then you just turn on pfSense in bridge vmbr0 and just build a WireGuard tunnel from pfSense (192.168.1.3/24) to the dedicated server
 
Thanks for your answers !

[...]

Edit: by the way, why not have pfSense connect itself to the WireGuard VPN and then act as router? It will be easier to manage.
Yes, I'll also look into connecting the pfSense VM directly to my Wireguard tunnel.

Thank you for your reply. I didn't know about the eoip protocol. I'll see if it's possible for me to set this up.
 
