Re: [PVE-User] Internet facing Proxmox
You can also set up iptables so that only your fixed IPs are allowed to port 8006 (and ssh port...)

On 14/09/14 19:00, ad...@extremeshok.com wrote:
> You don't need a VPN. Follow the guides on my site; this will give you a secure and optimized proxmox.
>
> Set proxmox admin interface to only listen locally (127.0.0.1) and connect via an ssh tunnel to port 8006.
>
> No offense, but this should be standard knowledge for an admin.
>
> Guides on https://extremeshok.com/blog
>
> On 14 Sep 2014, at 6:44 PM, Bart Lageweg | Bizway b...@bizway.nl wrote:
>> Hi Gerald,
>>
>> Use Eth0 for internal network + VPN access.
>> Use Eth1 for internet access (no IP in interface, only create for bridge)
>>
>> Good luck
>> Bart
>>
>> -----Original Message-----
>> From: pve-user [mailto:pve-user-boun...@pve.proxmox.com] On Behalf Of Gerald Brandt
>> Sent: Sunday 14 September 2014 18:41
>> To: pve-user@pve.proxmox.com
>> Subject: [PVE-User] Internet facing Proxmox
>>
>> Hi,
>>
>> I've been asked to set up a Proxmox server on the Internet. Has anybody done so, and how secure is the web interface on port 8006?
>>
>> I was considering running a VPN on Proxmox, and not allowing port 8006 access unless you were connected to the VPN. That creates issues if the VPN server goes down.
>>
>> Also, with the new built-in firewall, how easy is it to run all VPNs on a private address space and port forward as needed?
>>
>> Gerald

--
Technical Director
Binovo IT Human Project, S.L.
Tel. 943575997 943493611
Astigarraga bidea 2, planta 6 dcha., ofi. 3-2; 20180 Oiartzun (Gipuzkoa)
www.binovo.es
___
pve-user mailing list
pve-user@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
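Added example, not part of the original thread: one way to express the source-IP restriction suggested above as an iptables-restore ruleset for ssh and port 8006. The addresses are constructed documentation-range values and the chain name ADMIN-ONLY is hypothetical.

```shell
#!/bin/sh
# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
ADMIN_SOURCES="203.0.113.10 198.51.100.0/24"
ADMIN_PORTS="22 8006"          # ssh and the Proxmox web interface

# Accept a.b.c.d or a.b.c.d/nn with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print an iptables-restore ruleset; $1 = allowed sources, $2 = TCP ports.
# ADMIN-ONLY is a hypothetical chain name chosen for this example.
build_admin_rules() {
    # An allowlist with no entries would drop every admin connection.
    [ -n "$(printf '%s' "$1" | tr -d ' ')" ] || { echo "refusing: empty allowlist" >&2; return 1; }
    for src in $1; do
        valid_ipv4 "$src" || { echo "refusing: bad source '$src'" >&2; return 1; }
    done
    printf '%s\n' "*filter" ":ADMIN-ONLY - [0:0]"
    for port in $2; do
        # -I puts the jump ahead of any broader ACCEPT already in INPUT.
        printf '%s\n' "-I INPUT -p tcp --dport $port -j ADMIN-ONLY"
    done
    # Keep local clients working, e.g. the far end of an ssh tunnel.
    printf '%s\n' "-A ADMIN-ONLY -i lo -j ACCEPT"
    for src in $1; do
        printf '%s\n' "-A ADMIN-ONLY -s $src -j ACCEPT"
    done
    printf '%s\n' "-A ADMIN-ONLY -j DROP" "COMMIT"
}

# Review the output, then load it as root:
#   build_admin_rules "$ADMIN_SOURCES" "$ADMIN_PORTS" | iptables-restore --test
#   build_admin_rules "$ADMIN_SOURCES" "$ADMIN_PORTS" | iptables-restore --noflush
build_admin_rules "$ADMIN_SOURCES" "$ADMIN_PORTS"
```

Loading the ruleset twice with --noflush inserts the INPUT jumps twice, and any other host that needs these ports (for example other nodes of a cluster) has to be in the allowlist as well.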
Re: [PVE-User] Internet facing Proxmox
I would strongly suggest against this or indeed any way to put proxmox directly on the internet.

The way I go about this would be to create a private network inside proxmox and host a real firewall system such as pfsense (pfsense.org) to front the internet and then use PPTP or OpenVPN to connect into the network.

Much safer.

Cheers,
--Guy

On 15 Sep 2014, at 08:31, Eneko Lacunza elacu...@binovo.es wrote:
> You can also setup iptables so that only your fixed IPs are allowed to port 8006 (and ssh port...)
Re: [PVE-User] Internet facing Proxmox
Guy, so how do you connect if the Firewall VM is down? :)

On 15/09/14 09:43, Guy Plunkett wrote:
> I would strongly suggest against this or indeed any way to put proxmox directly on the internet.
>
> The way I go about this would be to create a private network inside proxmox and host a real firewall system such as pfsense (pfsense.org) to front the internet and then use PPTP or OpenVPN to connect into the network.
>
> Much safer.
>
> Cheers,
> --Guy
Re: [PVE-User] Internet facing Proxmox
Well yeah, that's always a problem. :)

I also use zenoss core (zenoss.org) to monitor my systems. You can easily configure zenoss to monitor the firewall etc, and if it's down, you can have it connect to proxmox and restart it.

Cheers,
--Guy

On 15 Sep 2014, at 08:51, Eneko Lacunza elacu...@binovo.es wrote:
> Guy, so how do you connect if the Firewall VM is down? :)
Re: [PVE-User] Internet facing Proxmox
You don't need a VPN. Follow the guides on my site; this will give you a secure and optimized proxmox.

Set proxmox admin interface to only listen locally (127.0.0.1) and connect via an ssh tunnel to port 8006.

No offense, but this should be standard knowledge for an admin.

Guides on https://extremeshok.com/blog

On 14 Sep 2014, at 6:44 PM, Bart Lageweg | Bizway b...@bizway.nl wrote:
> Hi Gerald,
>
> Use Eth0 for internal network + VPN access.
> Use Eth1 for internet access (no IP in interface, only create for bridge)
>
> Good luck
> Bart
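Added example, not part of the original thread: a check that port 8006 really is bound to loopback only, as the message above recommends, by parsing `ss -Hltn` output. The host name in the tunnel comment and both sample listings are constructed placeholders.

```shell
#!/bin/sh
# Workstation side of the tunnel (admin@pve.example.net is a placeholder):
#   ssh -N -L 8006:127.0.0.1:8006 admin@pve.example.net
# then browse to https://127.0.0.1:8006/

# Print every non-loopback address that has a TCP listener on port $1.
# Reads `ss -Hltn` lines on stdin: State Recv-Q Send-Q Local Peer.
exposed_listeners() {
    awk -v port="$1" '
        {
            # The port is whatever follows the last colon of the local endpoint.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 127.0.0.0/8 and [::1] are reachable only from the host itself.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Exit status 0 only when nothing but loopback listens on the port.
loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed samples: listener tables before and after the change.
SAMPLE_BEFORE='LISTEN 0 4096 *:8006 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.1:8006 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 8006
printf '%s\n' "$SAMPLE_AFTER" | loopback_only 8006 && echo "8006 is loopback-only"

# On the server itself: ss -Hltn | exposed_listeners 8006
```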