How to access the Proxmox dashboard behind a firewall
Proxmox is an open-source virtual machine management platform, and here it is set up as a virtual machine itself. I have set it up under KVM on Ubuntu 22. My Ubuntu machine is behind my university firewall, and Proxmox is behind this Ubuntu machine. When created, the Proxmox VM uses NAT to connect to the host VM.
The problem is that I want to find out how to access the Proxmox dashboard on port 8006, and to ssh to it, from outside. Due to my limited knowledge of network settings, I have been googling many keywords, e.g. accessing the Proxmox dashboard from an outside network, etc.
I find these two pages useful, but they take time to understand. If you are a beginner in setting up Proxmox, please read them.
Part 1 tells you how to install Proxmox on a VM, and Part 3 is where we set things up to get to the dashboard and ssh from the outside.
Let’s focus on part 3, where we create the hook on the host machine where virsh is installed. Create the folder.
sudo mkdir -p /etc/libvirt/hooks
Then create the file
sudo vi /etc/libvirt/hooks/qemu
Insert the following code.
#!/bin/bash
# /etc/libvirt/hooks/qemu
# Forward ports for Proxmox
# See https://wiki.libvirt.org/page/Networking
# Note: libvirt only runs this hook if the file is executable.
# Find your actual Proxmox VM IP address and put it here:
PROXMOX_IP=192.168.122.X # 1) change it here
# Associative array of TCP host ports to TCP proxmox ports:
declare -A PROXMOX_TCP_PORTS=([8006]=8006 [2222]=22) # 2) port mapping
# Port forwarding for the Proxmox VM
# ${1} is the VM name and ${2} is the operation libvirt reports for it.
if [ "${1}" = "proxmox" ]; then # 3) VM name
    for key in "${!PROXMOX_TCP_PORTS[@]}"; do
        host_port=${key}
        proxmox_port=${PROXMOX_TCP_PORTS[$key]}
        # Remove the rules when the VM stops (and before re-adding on reconnect)
        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -D FORWARD -o virbr0 -p tcp -d "$PROXMOX_IP" \
                --dport "$proxmox_port" -j ACCEPT
            /sbin/iptables -t nat -D PREROUTING -p tcp \
                --dport "$host_port" -j DNAT --to "$PROXMOX_IP:$proxmox_port"
        fi
        # Add the rules when the VM starts (or libvirtd reconnects to it)
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -I FORWARD -o virbr0 -p tcp -d "$PROXMOX_IP" \
                --dport "$proxmox_port" -j ACCEPT
            /sbin/iptables -t nat -I PREROUTING -p tcp \
                --dport "$host_port" -j DNAT --to "$PROXMOX_IP:$proxmox_port"
        fi
    done
fi
In this code, 1) is where you set your internal Proxmox VM IP, 2) is the list of ports mapped to the host VM, and 3) is the Proxmox VM name.
Then restart libvirtd to activate it.
sudo systemctl restart libvirtd
This maps port 8006 of the VM to host port 8006 and the SSH port 22 of the VM to host VM port 2222. If you have more port mappings, list them in the same array. The if-condition makes sure the iptables port forwarding is performed only for this VM name.
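As written, the hook forwards both ports for any source address that can reach the host. The script below is an added example (not from the original post or the libvirt wiki) that prints the same rules limited to one source range so they can be reviewed before use; PROXMOX_IP, ALLOWED_SRC, PORT_MAP and the two function names are assumptions, and the addresses are constructed samples.

```shell
#!/bin/sh
# Added example: print the iptables commands for the port-forwarding hook,
# restricted to one source range. Nothing is executed here.
# Assumed placeholders (constructed sample values):
PROXMOX_IP="${PROXMOX_IP:-192.168.122.10}"    # guest IP on virbr0
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.0/24}"  # only range allowed to connect
PORT_MAP="${PORT_MAP:-8006:8006 2222:22}"     # host_port:guest_port pairs

# valid_port N -> succeeds only if N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules OPERATION -> prints one iptables command per line.
# OPERATION is the hook's second argument: start, stopped or reconnect.
build_rules() {
    case "$1" in
        start)     flags="-I" ;;
        stopped)   flags="-D" ;;
        reconnect) flags="-D -I" ;;   # delete stale rules, then re-insert
        *)         return 0 ;;        # other operations: nothing to do
    esac
    for pair in $PORT_MAP; do
        host_port=${pair%%:*}
        guest_port=${pair#*:}
        if ! valid_port "$host_port" || ! valid_port "$guest_port"; then
            echo "invalid port mapping: $pair" >&2
            return 1
        fi
        for flag in $flags; do
            # The source address is unchanged by DNAT, so -s works in both chains.
            echo "/sbin/iptables $flag FORWARD -o virbr0 -p tcp -s $ALLOWED_SRC -d $PROXMOX_IP --dport $guest_port -j ACCEPT"
            echo "/sbin/iptables -t nat $flag PREROUTING -p tcp -s $ALLOWED_SRC --dport $host_port -j DNAT --to $PROXMOX_IP:$guest_port"
        done
    done
}
```

Once the printed commands look right, the hook can apply them as root with build_rules "$2" | sh in place of its own loop.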
Next, you can ssh to the VM using
ssh -p 2222 root@158.xx.xx.xx # your host IP
You probably need to open port 8006 on the host VM to allow access.
sudo ufw allow 8006/tcp
Now the problem is that when you go through port 8006 on the host VM, you may get "connection refused" because it is behind the host firewall.
The solution is to use an ssh tunnel on the host VM.
ssh -A -v -N -L 8006:localhost:8006 root@proxmox
This assumes proxmox is the name of your VM, defined in /etc/hosts
by adding this line at the end of the file.
158.xx.xx.xx proxmox
Then from the outside network, in my case, I have to tunnel through my host VM
ssh -v -N -L 8006:localhost:8006 user@158.xxxx
It is very tedious to tunnel two times, even inside the host VM. Here, user is the user of the host VM.
So, I create a service to do the tunneling.
sudo vi /etc/systemd/system/ssh-tunnel-persistent.service
[Unit]
Description=Persistent SSH tunnel from port 8006 on this server to port 8006 on the Proxmox VM (for encrypted traffic)
After=network.target

[Service]
Restart=on-failure
RestartSec=5
User=yourusername
Group=yourusername
#ExecStart=/usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L 0.0.0.0:8006:127.0.0.1:8006 root@192.168.122.xx
ExecStart=/usr/bin/ssh -A -v -N -L 8006:localhost:8006 root@proxmox

[Install]
WantedBy=multi-user.target
Then you can restart the service.
sudo systemctl daemon-reload
sudo systemctl restart ssh-tunnel-persistent.service
sudo systemctl status ssh-tunnel-persistent.service

In case there is an error, check the journal.
sudo journalctl -n 100 -u ssh-tunnel-persistent.service
The trick here is passwordless login to the Proxmox VM, set up with these two commands.
ssh-keygen
ssh-copy-id -f root@proxmox
and set
User=yourusername
Group=yourusername
in the above file /etc/systemd/system/ssh-tunnel-persistent.service
Then the service can run.
Now I can use only one tunnel from outside to my university and access

Yeh! Finally I did it. After hours,….
Now I have learned about creating iptables rules and bridge networks this time. :3
References:
https://computingforgeeks.com/create-private-network-bridge-proxmox-with-nat/
https://www.cyberciti.biz/faq/systemd-systemctl-list-all-failed-units-services-on-linux/
https://techviewleo.com/install-proxmox-qemu-guest-agent-on-ubuntu/