Setting up a dedicated server Part 2 : Proxmox 5 + ZFS + Shorewall +Open VPN


This is in continuation of part 1 of “Setting up a dedicated server”.

In this part, the focus is on

  1. Installing Shorewall.
  2. Configuring Proxmox guests and
  3. Installing OpenVPN.

Why Shorewall?

The first thing that must come to mind when securing a system is the firewall. A firewall alone will not secure the system against hacking, but it is the bare minimum that is absolutely needed.

When it comes to system security, it is better to consider "only the paranoid survive" as the only mantra.

If you search for free Linux firewalls, you will see pfSense, VyOS and the like listed. Shorewall is a different kind of animal: it is not a separate firewall but a configurator (a damn good one) for the firewall already built into Linux, netfilter/iptables. pfSense and VyOS, on the other hand, are special-purpose firewall/router distributions (FreeBSD and Linux based respectively). I prefer Shorewall for its simplicity and the flexibility it provides.

Shorewall must be installed on the Proxmox host itself, so that the host is sufficiently secured. Rather than writing out the entire configuration story, I would redirect you to this link; it is one of the best resources out there for configuring Shorewall on Proxmox. Based on it, I have also put together a quick starter template. Feel free to download and use it; it has the rules Proxmox needs. Two things to note. First, Proxmox ships its own firewall (pve-firewall); leave it disabled (the default) when Shorewall manages the host, otherwise the two will fight over the iptables rule set. Second, whenever you give an IP address to a guest, use a private /8 (10.0.0.0/8) so that you can set up OpenVPN tunnels easily later.
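As an added example (this is not the starter template the post links to, nor the linked guide's config), here is a minimal Shorewall configuration for a Proxmox host with a DMZ for the guests, written by a script so it can be generated into a scratch directory and checked before touching /etc/shorewall. Everything below the comment header is an assumption to adapt: vmbr0 as the bridge holding the public address, vmbr1 as the private guest bridge, 10.0.0.0/8 as the guest network, 10.0.0.2 as the OpenVPN container, and 10.8.0.0/24 as the subnet OpenVPN hands to clients. The design choice worth noting is that the Proxmox web UI (8006) is not exposed to the internet at all; it is reachable only from VPN clients, which arrive through the dmz bridge.

```shell
#!/bin/sh
# Added example (not the post's template): generate a Shorewall config for a
# Proxmox host with a guest DMZ and an OpenVPN container behind DNAT.
# Assumed layout (override via environment variables):
#   NET_IF      bridge with the public IP          (zone "net")
#   DMZ_IF      private bridge the guests sit on   (zone "dmz")
#   GUEST_NET   the /8 the post recommends for guests
#   VPN_GUEST   address of the OpenVPN LXC guest inside that /8
#   VPN_CLIENTS subnet OpenVPN assigns to connected clients
set -eu

NET_IF="${NET_IF:-vmbr0}"
DMZ_IF="${DMZ_IF:-vmbr1}"
GUEST_NET="${GUEST_NET:-10.0.0.0/8}"
VPN_GUEST="${VPN_GUEST:-10.0.0.2}"
VPN_CLIENTS="${VPN_CLIENTS:-10.8.0.0/24}"

# write_shorewall_config DIR -- write zones/interfaces/policy/rules/masq into DIR
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
EOF

    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   OPTIONS
net     $NET_IF     tcpflags,nosmurfs,routefilter,logmartians
dmz     $DMZ_IF     tcpflags,nosmurfs,routeback
EOF

    # Default deny: only host->anywhere and guests->internet are open by policy.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    # Exceptions. SSH from the internet stays open so a bad VPN change cannot
    # lock you out; the Proxmox UI is reachable only from VPN clients, which
    # enter through the dmz bridge. OpenVPN itself is forwarded to the guest.
    cat > "$dir/rules" <<EOF
#ACTION         SOURCE              DEST                PROTO   DPORT
SSH(ACCEPT)     net                 \$FW
Ping(ACCEPT)    net                 \$FW
DNAT            net                 dmz:$VPN_GUEST      udp     1194
ACCEPT          dmz:$VPN_CLIENTS    \$FW                tcp     8006,22
EOF

    # NAT the guest /8 behind the host's public address. "masq" is the classic
    # file; newer Shorewall prefers "snat" but still reads masq.
    cat > "$dir/masq" <<EOF
#INTERFACE  SOURCE
$NET_IF     $GUEST_NET
EOF
}

# enable_forwarding CONF -- the host must route between vmbr0 and vmbr1,
# and Shorewall must be allowed to start at boot.
enable_forwarding() {
    conf="$1"
    [ -f "$conf" ] || return 0
    sed -i 's/^IP_FORWARDING=.*/IP_FORWARDING=On/' "$conf"
    sed -i 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' "$conf"
}

# Run as "sh shorewall-proxmox.sh --install" on the host; without the flag the
# functions are only defined, which makes the script safe to source and test.
if [ "${1:-}" = "--install" ]; then
    write_shorewall_config /etc/shorewall
    enable_forwarding /etc/shorewall/shorewall.conf
    shorewall check
fi
```

On Debian (which Proxmox 5 is based on) you also need startup=1 in /etc/default/shorewall before `shorewall start` will run at boot. Always run `shorewall check` before `shorewall restart`, and keep a second SSH session open while testing the policy so a typo does not lock you out of a remote host.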

Installing OpenVPN

With Proxmox installed and Shorewall helping us create a DMZ, we need a tunnel to get into the lab and play with it. I like OpenVPN, and I like the Angristan script for installing it. To run OpenVPN in an LXC (Linux container) guest, the guest needs access to the TUN device (/dev/net/tun). First, allow the device in the guest's config on the host by editing the file

 /etc/pve/lxc/<vmid>.conf

and adding the following line (10:200 is the major/minor number of the TUN device; on a host running cgroup v2 the key is lxc.cgroup2.devices.allow instead):

 lxc.cgroup.devices.allow = c 10:200 rwm 

In addition, the device node must be created inside the guest every time it starts, because /dev in a container is populated fresh at boot. Put the following in the guest's /etc/rc.local and make the file executable (chmod +x /etc/rc.local). The shebang must be the first line; because of -e the script aborts on any error, so the mkdir and mknod are guarded to make it safe to run on every boot:

 #!/bin/sh -e
 mkdir -p /dev/net
 [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
 chmod 0666 /dev/net/tun
 exit 0

That's it. Restart the guest and we are good to go. Connect with any OpenVPN client and you can even use it as a VPN tunnel for browsing.
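The whole procedure above, scripted for the Proxmox host as an added example (not the post's own commands): it appends the device-allow line to the guest's config exactly once, generates the rc.local shown above, pushes it into the running guest with pct, and restarts the guest. It assumes a Proxmox 5 host on cgroup v1 (so the key is lxc.cgroup.devices.allow, written in the colon form the Proxmox config parser documents) and a guest whose init runs /etc/rc.local; the VMID is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example (not from the post): enable /dev/net/tun for an LXC guest on a
# Proxmox host. Assumptions: Proxmox 5 / cgroup v1 (on cgroup v2 hosts use
# lxc.cgroup2.devices.allow), the guest is running, and its init honours
# /etc/rc.local. Usage on the host: sh lxc-tun.sh <vmid>
set -eu

TUN_LINE="lxc.cgroup.devices.allow: c 10:200 rwm"

# add_tun_to_conf CONF -- append the device-allow line, but only once, so the
# script can be re-run without growing the config file.
add_tun_to_conf() {
    conf="$1"
    if ! grep -qxF "$TUN_LINE" "$conf"; then
        printf '%s\n' "$TUN_LINE" >> "$conf"
    fi
}

# guest_rc_local -- print the rc.local that recreates the TUN node at each boot.
# /dev inside the container is populated fresh, so the node must be made again.
# Both steps are guarded because "sh -e" would otherwise abort on a re-run.
guest_rc_local() {
    cat <<'EOF'
#!/bin/sh -e
mkdir -p /dev/net
[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun
exit 0
EOF
}

# install_tun VMID -- wire it all together on the host.
install_tun() {
    vmid="$1"
    add_tun_to_conf "/etc/pve/lxc/$vmid.conf"
    tmp=$(mktemp)
    guest_rc_local > "$tmp"
    # pct push copies a host file into the (running) container's filesystem.
    pct push "$vmid" "$tmp" /etc/rc.local --perms 0755
    rm -f "$tmp"
    # A full restart is needed for the new device allow-list to take effect.
    pct shutdown "$vmid"
    pct start "$vmid"
}

if [ $# -eq 1 ]; then
    install_tun "$1"
fi
```

Inside the guest, `ls -l /dev/net/tun` after the restart should show a character device with major 10 and minor 200; if OpenVPN still complains that it cannot open the TUN device, the host-side allow line is the first thing to re-check. The 0666 mode is what the post uses; it lets any user in the container open the device, so tighten it to 0600 if OpenVPN opens the tunnel as root before dropping privileges.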


About the author

Nagu Gopalakrishnan (nagu)

Business leader, Technology Consultant and a Polyglot programmer. Infectious passion for Innovations and new technologies. Respects good UX. Current interests are in Microservices, ethical hacking and lockpicking!