This is in continuation of part 1 of “Setting up a dedicated server”.
In this part, the focus is on:
- Installing Shorewall
- Configuring Proxmox guests, and
- Installing OpenVPN
The first thing that must come to mind when securing a system is the firewall. Not that a firewall alone would secure the system against hacking, but it is the basic bare minimum security, which is absolutely needed.
When it comes to system security, it is better to consider “only the paranoid survive” as the only mantra.
If you search for free Linux firewalls, you will see a list of firewalls like pfsense, VyOS etc. Unlike pfsense and VyOS, Shorewall is a special case: it is not a separate firewall, but just a configurator (a damn good configurator) for the existing system (Linux) firewall. On the other hand, pfsense and VyOS are special-purpose firewall systems (Linux/FreeBSD based, of course). I prefer Shorewall for its simplicity and the flexibility it provides.
Shorewall must be installed on the Proxmox host system. This ensures that the host system is sufficiently secured. Instead of writing the entire story of how to configure it, I would rather redirect you to this link. It is one of the best resources out there for configuring Shorewall on Proxmox. Based on this, I have also put together a quick starter template. Feel free to download and use it. It has the necessary rules for Proxmox. One thing to note: whenever you give an IP address to the guests, please use a /8 CIDR, so that you can set up OpenVPN tunnels easily.
With Proxmox installed and Shorewall helping us create a DMZ, we need a tunnel to get into it and play with our little lab. I like OpenVPN, and I like the Angristan script for installing OpenVPN. In order to run OpenVPN in an LXC (Linux container) guest, we need tun enabled. For that, we first need to enable tun in the config file of the guest. This is done on the host by editing the guest's config file and adding the following line:
lxc.cgroup.devices.allow = c 10:200 rwm
In addition, we also need to add the following to the rc.local file, so that it runs every time the guest is started:
cd /dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
Please ensure that the following line is the first line of rc.local.
That's it. Restart the guest and we are good to go. Connect with any OpenVPN client and you can even use it as a VPN tunnel for browsing.
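The two steps above (the device-allow line on the host, the device node in the guest's rc.local) as one idempotent script. This is an added example, not the post's own snippet: the container config path and the device directory are passed in as arguments rather than assumed, the mode defaults to the post's 0666, and a small check function confirms the node really is character device 10:200 before OpenVPN is started.

```shell
#!/bin/sh
# Added example (not from the original post). Host-side config path and
# guest-side device directory are parameters so nothing here hard-codes
# a location the post does not name.
set -u

# The line the post adds to the guest's LXC config on the Proxmox host.
TUN_ALLOW_LINE='lxc.cgroup.devices.allow = c 10:200 rwm'

# Host side: append the device-allow line to the given container config,
# only if it is not already there (safe to re-run).
add_tun_allow() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qxF "$TUN_ALLOW_LINE" "$conf"; then
        printf '%s\n' "$TUN_ALLOW_LINE" >> "$conf"
    fi
}

# Guest side (rc.local): create <devdir>/net/tun as char device 10:200.
# devdir defaults to /dev; mode defaults to 0666 as in the post.
ensure_tun_node() {
    devdir="${1:-/dev}"
    mode="${2:-0666}"
    mkdir -p "$devdir/net" || return 1
    if [ ! -c "$devdir/net/tun" ]; then
        # Refuse to clobber a regular file that happens to sit at that path.
        [ -e "$devdir/net/tun" ] && return 1
        mknod "$devdir/net/tun" c 10 200 || return 1
    fi
    chmod "$mode" "$devdir/net/tun"
}

# Check: is the node a character device with major 10 (0xa), minor 200 (0xc8)?
# stat -c '%t:%T' prints major:minor in hex (GNU coreutils, as on Debian/Proxmox).
tun_node_ok() {
    node="${1:-/dev/net/tun}"
    [ -c "$node" ] || return 1
    [ "$(stat -c '%t:%T' "$node")" = "a:c8" ]
}

# Stand-alone run inside the guest: behave like the rc.local snippet.
if [ "${1:-}" = "--apply" ]; then
    ensure_tun_node /dev && tun_node_ok /dev/net/tun && echo "tun ready"
fi
```

Run `add_tun_allow` on the host against the guest's config file, and put `ensure_tun_node` in the guest's rc.local (or run the script with `--apply`). Newer LXC releases running under cgroup v2 use the key `lxc.cgroup2.devices.allow` instead; if OpenVPN still cannot open the device after a restart, `tun_node_ok` tells you whether the problem is the node itself or the host-side allow rule.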