commit 930b841185cd9ccf1bb9786249a1cf2226e26b7f
Author: Artem Lajko
Date: Mon Sep 4 18:38:00 2023 +0200

init push

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5f4207e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,125 @@ +# Hetzner Proxmox VE Single Setup + +This repo is about the installation of Proxmox 7.X on Hetzner with pfsense as firewall for WAN, IP floating with additional IP address for the VM's to allow SNAT. + +# Hetzner Promox Architecture + +Alt-Text + +## 1. Install Proxmox on Hetzner + + ssh root@178.63.13.156 + + #run + installimage + +Chose the right image: + +Alt-Text +Alt-Text + +Change install config + +From: + + SWRAIDLEVEL 1 + +To: + + SWRAIDLEVEL 0 (to use all Storage sda+sdb) + +From: + + HOSTNAME Proxmox-Ve.localhost + +To: + + proxmox-single.lab.local (you can call it what ever you want) + +From: + + PART /boot ext3 512M + PART lvm vg0 all + + LV vg0 root / ext3 15G + LV vg0 swap swap swap 6G + +To: + + PART /boot ext**4** 512M + PART lvm vg0 all + + LV vg0 root / ext4 100G + LV vg0 swap swap swap 24G #(available RAM * 1/2) + LV vg0 data /var/lib/vz ext4 3500G #(Remaining memory after deduction of root for storing images and containers) + +The installation takes up to 15 minutes. + +## 2. Set root password and disable port 111 + +After installation a password must be assigned to the root user if access to the Hetzner machine is via ssh-key. The access will be done via the Linux PAM authentication module. + + passwd + New password: xy... + Retype new password:xy... + +Proxmox opens port 111 by default, which is a security risk. Therefore, the port must be disabled. + + iptables -A INPUT -p tcp -m tcp --dport 111 -j DROP + iptables -A INPUT -p udp -m udp --dport 111 -j DROP + sudo /sbin/iptables-save + +Now open the Proxmox-Webconsole with your ordered server IP-Address (MAIN-IP) and login with root and your password: + +https://178.10.10.10:8006 + +## 3. Add additional IP-Address and fetch Metadata + +To enable routing to external networks (SNAT), you'll need to request an extra IP address, since the primary IP of the Hetzner VM doesn't support this function. + +You'll need to request a MAC address for the IP address. 
This MAC address will be later essential for the pfsense VM that handles routing to the WAN. + +## 4. Config Network + +Clone this git repository and execute the script: + + ./script/nework_config.sh + +All necessary information (main server ip, gateway, etc.) can be taken from the hetzner robot page like this: + +MAIN-IP + Meta: +Alt-Text +ADD-IP + Meta + MAC: +Alt-Text + +## 5. Upload images (pfsense and fedora) + +Alt-Text + +## 6. Create VM and install pfsense + +Alt-Text +Alt-Text +Alt-Text +Alt-Text +Alt-Text +Alt-Text +Alt-Text + +Now start the pfsense (VM) and install with default settings + +## 7. Create VM and install fedora (workstation) + +The steps are identical to pfsense except for the choice of bridge. There vmbr1 (DMZ/LAN) must be selected. + +Alt-Text +Alt-Text +If you check the IP-Address from the created VM (in my case fedora workstation) like: +Alt-Text +You will see the ADD-IP-Address. So SNAT is working and you can extend to config pfsense over the UI for your purpose. + +Alt-Text + +Default credentials are set to **username:** **_admin_** with **password:** **_pfsense_**. + +## **Finished, enjoy your Proxmox Environment!** diff --git a/diagrams/hetzner-proxmox-single.drawio b/diagrams/hetzner-proxmox-single.drawio new file mode 100644 index 0000000..52acfdd --- /dev/null +++ b/diagrams/hetzner-proxmox-single.drawio @@ -0,0 +1,143 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/img/fedora/fedora-0.png b/img/fedora/fedora-0.png new file mode 100644 index 0000000..baf4dea Binary files /dev/null and b/img/fedora/fedora-0.png differ diff --git a/img/fedora/fedora-1.png b/img/fedora/fedora-1.png new file mode 100644 index 0000000..6e73bc5 Binary files /dev/null and b/img/fedora/fedora-1.png differ 
diff --git a/img/fedora/fedora-2.png b/img/fedora/fedora-2.png new file mode 100644 index 0000000..3e71498 Binary files /dev/null and b/img/fedora/fedora-2.png differ diff --git a/img/hetzner/fetch-meta-0.png b/img/hetzner/fetch-meta-0.png new file mode 100644 index 0000000..58b2aa8 Binary files /dev/null and b/img/hetzner/fetch-meta-0.png differ diff --git a/img/hetzner/fetch-meta-1.png b/img/hetzner/fetch-meta-1.png new file mode 100644 index 0000000..234344a Binary files /dev/null and b/img/hetzner/fetch-meta-1.png differ diff --git a/img/hetzner/fetch-meta-2.png b/img/hetzner/fetch-meta-2.png new file mode 100644 index 0000000..8e7c04e Binary files /dev/null and b/img/hetzner/fetch-meta-2.png differ diff --git a/img/pfsense/pfsense-0.png b/img/pfsense/pfsense-0.png new file mode 100644 index 0000000..9a65678 Binary files /dev/null and b/img/pfsense/pfsense-0.png differ diff --git a/img/pfsense/pfsense-1.png b/img/pfsense/pfsense-1.png new file mode 100644 index 0000000..5c2de53 Binary files /dev/null and b/img/pfsense/pfsense-1.png differ diff --git a/img/pfsense/pfsense-2.png b/img/pfsense/pfsense-2.png new file mode 100644 index 0000000..48ea271 Binary files /dev/null and b/img/pfsense/pfsense-2.png differ diff --git a/img/pfsense/pfsense-3.png b/img/pfsense/pfsense-3.png new file mode 100644 index 0000000..4efbaa0 Binary files /dev/null and b/img/pfsense/pfsense-3.png differ diff --git a/img/pfsense/pfsense-4.png b/img/pfsense/pfsense-4.png new file mode 100644 index 0000000..ce967de Binary files /dev/null and b/img/pfsense/pfsense-4.png differ diff --git a/img/pfsense/pfsense-5.png b/img/pfsense/pfsense-5.png new file mode 100644 index 0000000..3d41113 Binary files /dev/null and b/img/pfsense/pfsense-5.png differ diff --git a/img/pfsense/pfsense-6.png b/img/pfsense/pfsense-6.png new file mode 100644 index 0000000..f6aa158 Binary files /dev/null and b/img/pfsense/pfsense-6.png differ 
diff --git a/img/pfsense/pfsense-7.png b/img/pfsense/pfsense-7.png
new file mode 100644
index 0000000..49e2f43
Binary files /dev/null and b/img/pfsense/pfsense-7.png differ
diff --git a/img/proxmox/arch.png b/img/proxmox/arch.png
new file mode 100644
index 0000000..cd486f4
Binary files /dev/null and b/img/proxmox/arch.png differ
diff --git a/img/proxmox/proxmox-0.png b/img/proxmox/proxmox-0.png
new file mode 100644
index 0000000..885c6ca
Binary files /dev/null and b/img/proxmox/proxmox-0.png differ
diff --git a/img/proxmox/proxmox-1.png b/img/proxmox/proxmox-1.png
new file mode 100644
index 0000000..553ffc6
Binary files /dev/null and b/img/proxmox/proxmox-1.png differ
diff --git a/img/proxmox/proxmox-2.png b/img/proxmox/proxmox-2.png
new file mode 100644
index 0000000..f63d14e
Binary files /dev/null and b/img/proxmox/proxmox-2.png differ
diff --git a/script/network_config.sh b/script/network_config.sh
new file mode 100755
index 0000000..72880f4
--- /dev/null
+++ b/script/network_config.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+read -p "MAIN_SERVER_IP: " MAINSERVERIP
+read -p "MAIN_SERVER_GATEWAY_ADRESS: " GATEWAYADRESS
+read -p "NETMASK: " NETMASK
+read -p "BROADCASTIP: " BROADCASTIP
+read -p "ADDITIONAL_IP_ADRESS: " ADD_IP_ADRESS
+read -p "NETWORK_INTERFACE: " NETWORK_INTERFACE
+
+echo "
+### Hetzner Online GmbH installimage
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+iface lo inet6 loopback
+
+
+iface ${NETWORK_INTERFACE} inet manual
+
+ up ip route add -net up ip route add -net ${GATEWAYADRESS} netmask ${NETMASK} gw ${GATEWAYADRESS} vmbr0
+ up sysctl -w net.ipv4.ip_forward=1
+ up sysctl -w net.ipv4.conf.${NETWORK_INTERFACE}.send_redirects=0
+ up sysctl -w net.ipv6.conf.all.forwarding=1
+ up ip route add 192.168.0.0/16 via ${ADD_IP_ADRESS} dev vmbr0
+ up ip route add 172.16.0.0/12 via ${ADD_IP_ADRESS} dev vmbr0
+ up ip route add 10.0.0.0/8 via ${ADD_IP_ADRESS} dev vmbr0
+
+
+iface ${NETWORK_INTERFACE} inet6 static
+ address 2a01:4f8:110:5143::2
+ netmask 64
+ gateway fe80::1
+
+
+auto vmbr0
+iface vmbr0 inet static
+ address ${MAINSERVERIP}
+ netmask 32
+ gateway ${GATEWAYADRESS}
+ broadcast ${BROADCASTIP}
+ bridge-ports ${NETWORK_INTERFACE}
+ bridge-stp off
+ bridge-fd 0
+ pointopoint ${GATEWAYADRESS}
+#WAN
+
+
+# Virtual switch for DMZ
+# (connect your firewall/router KVM instance and private DMZ hosts here)
+auto vmbr1
+iface vmbr1 inet manual
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+#LAN0
+
+" >interfaces
+
+cat interfaces
+
+while true; do
+ read -p "Config correct? [yes][no]: " yn
+ case $yn in
+ [Yy]*)
+ echo ""
+ break
+ ;;
+ [Nn]*) exit ;;
+ *) echo "Please answer yes or no." ;;
+ esac
+done
+
+mv /etc/network/interfaces /etc/network/interfaces.old
+mv interfaces /etc/network/interfaces
+
+echo "The network can be restarted with the following command: /etc/init.d/networking restart "
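Review bot: The first `up` hook in the `iface ${NETWORK_INTERFACE} inet manual` stanza, `up ip route add -net up ip route add -net ${GATEWAYADRESS} netmask ${NETMASK} gw ${GATEWAYADRESS} vmbr0`, is a duplicated fragment written in `route(8)` syntax that `ip route` does not accept, so bringing the stanza up fails on that hook — on a remote Hetzner host with no console this can mean losing access after the suggested `networking restart`. It looks intended as `up ip route add ${GATEWAYADRESS}/32 dev vmbr0`, or can simply be dropped since the vmbr0 stanza already declares `gateway` and `pointopoint`; note also that the physical interface has no `auto` line, so these `up` hooks (including the sysctl ones) may never run unless it is ifup'd explicitly. The IPv6 stanza hard-codes `address 2a01:4f8:110:5143::2`, which appears to be the author's own allocation while every other value is prompted, so it should be prompted too, e.g. `read -r -p "IPV6_ADDRESS: " IPV6ADDRESS`, or omitted. Finally, the script turns on `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` on the hypervisor without any FORWARD-chain filtering being set up in this file, replaces /etc/network/interfaces with no root check or strict mode, and uses `read -p` without `-r`; I would at least add `set -euo pipefail` after the shebang and `[[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }` before the `mv` lines.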