Woes with securing Proxmox with pfSense as NAT firewall in the cloud

TL;DR: How do I hide the Proxmox web GUI and SSH access on rented OVH server to be accessible only from VPN so I don’t get instagibbed by bots (or give up and go ESXI)?

I recently rented out an OVH baremetal server that I installed Proxmox on and planning on migrating my random kimsufi boxes onto the hypervisor for cost reasons (and also the weird baremetal restore setup plan), but I’m having issues trying to make it secure and hiding the SSH and Web GUI panel behind a NAT Firewall inside of the internal network.

Yes. I am fully aware that failure of that VM will cause the entire system to be inaccessible. I have full KVM and SOL access to the server in case of a failure like that.

I have followed OVH’s Configuring pfSense network bridge documentation on how to setup pfSense for their network, as well as following Lawrence Systems’ pfSense OpenVPN configuration guide and following the steps from Proxmox Staff on how to expose the inner management into local vm network for the same purpose that I want.

Now, I can access the management from within a VM and ping every other VM on the local network, but when I use OpenVPN I can’t access the internal management or ping it, but I can access everything else on the LAN that uses dynamic IP. Neither me or my friends can figure out what’s wrong, because everything is supposed to be functioning correctly.

I tried push “route 10.69.5.0 255.255.255.0”, tried both tun and tap, added rules to allow all traffic and even tried to make a second interface and bridge them into a lan with no luck whatsoever. Friend has a XCP-NG hypervisor with OVH as well with the same exact setup I’m trying to replicate, and other than the IP addresses in the pfSense configs, our configs completely match which makes the whole thing even more headscratchy.

photo_2021-07-08_23-36-321149×517 82.1 KB

10.69.5.254 is the management interface, 5.10 is popos livecd used for configuration and 1 is pfsense. Happens on both Mac and Windows as well.

Pulling my hair out for two days straight and I can’t figure it out. Even got to the point where I had to reinstall proxmox from scratch and restore backups because somehow installing ifupdown2 broke it so hard it didn’t even want to go to grub.

I’m honestly out of ideas what to do or if OVH’s Proxmox image is broken in some way causing the issues.

What about xcp-ng? It’s basically built for this use case.

Proxmox can work but ideally you have ipmi because it’s not easy to recover if you get the interfaces wrong. The main proxmox interface needs to be a virtual one and only ssh bound to the real one. Then you can proxy or forward traffic as needed a la docker or podman

Main reason for not going with xcp-ng is that OVH is no longer offering XenServer/XCP-ng and doesn’t offer installing it through their panel. Only options that I have are ESXi, Hyper-V and Proxmox, and I got no clue where to even start with installing XCP-ng on the host manually with software raid.

photo_2021-07-09_00-52-34900×649 36.7 KB

Second reason is that my friend promised me that he would configure it for me if I allowed to give him some container space on the server and go with proxmox, but alas, here we are me trying to get it running myself because he decided he doesn’t want to do it anymore .