Proxmox on a dedi
Recently set up Proxmox on a Hetzner dedi and thought I'd document it. It's mostly in the form of a bash script, for documentation purposes, but it won't actually run in one shot: it needs babysitting, mostly because of the reboots and the various confirmation prompts.
The tricky bit is that we've only got one external IP, so the Proxmox default network config doesn't fly. We need a NAT layer, plus a port forward for each bit of incoming traffic we want to reach a specific container. Also, Proxmox serves the management UI (pveproxy on port 8006) on every address the host has, so we need to firewall that too.
I've got a fixed home IP, so my security solution is to block everything except that IP. See the line with "REPLACEME_YOUR_HOME_IP" in it; if your IP isn't fixed you'll need to do something different there.
Nothing particularly original here - just wanted it all in one place. Main sources are
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm
https://pve.proxmox.com/wiki/Network_Configuration
Also noted that there is a hetzner guide over here, but I didn't really use it.
```bash
#!/bin/bash
# Not meant to run unattended: the reboots and the interactive apt/ufw
# prompts need a person at the keyboard. Run it section by section.

# Ensure the script is run as root
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

#############
# Update and clean up the base Debian install
#############
echo "Updating package lists..."
apt-get update
echo "Upgrading installed packages..."
apt-get upgrade -y
echo "Performing a distribution upgrade..."
apt-get dist-upgrade -y
echo "Removing unnecessary packages..."
apt-get autoremove -y
echo "Cleaning up..."
apt-get autoclean
echo "Update and clean-up complete!"

#############
# Install helpful software
#############
apt-get install htop tree lsof -y

#############
# Install ufw
#############
# ufw's default incoming policy is deny, so after this only your home IP can
# reach anything on the host itself (SSH now, the Proxmox UI on 8006 later).
# Get REPLACEME_YOUR_HOME_IP wrong and `ufw enable` locks you out of SSH, so
# keep an out-of-band way in (the Hetzner rescue system) to hand.
apt-get install ufw -y
ufw allow from REPLACEME_YOUR_HOME_IP
# ufw also sets the FORWARD chain policy to DROP, which would cut the
# containers on the NAT bridge off from the outside completely (no DNS, no
# apt). ACCEPT fixes that, with one consequence to keep in mind: forwarded
# traffic is not covered by the home-IP rule above, so any port you later
# DNAT to a container is reachable from anywhere.
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
ufw enable
ufw reload

#############
# Change hostname
#############
# `hostname` on its own only changes the running kernel; /etc/hostname makes
# it survive the reboots below. Proxmox needs the hostname to resolve to the
# server's public IP, not 127.0.1.1, which is why /etc/hosts is edited too.
# After the sed, check that `hostname --ip-address` prints the public address.
echo hetzner > /etc/hostname
hostname hetzner
cp /etc/hosts /etc/bck_hosts
sed -i 's/Debian-bookworm-latest-amd64-base/hetzner/g' /etc/hosts

#############
# Add proxmox repo, add key and upgrade
#############
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
# This key decides what apt will trust from now on: compare the checksum with
# the sha512 published on the Proxmox wiki page linked above before going on.
sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
apt update && apt full-upgrade

#############
# Install the Proxmox kernel and reboot into it
#############
apt install proxmox-default-kernel
reboot

#############
# Add proxmox packages needed
#############
apt install proxmox-ve postfix open-iscsi chrony
# Remove the Debian kernel so the Proxmox kernel stays the boot default
apt remove linux-image-amd64 'linux-image-6.1*'
update-grub
apt remove os-prober
reboot

#############
# Change repo to free
#############
# proxmox-ve drops in the (subscription-only) enterprise repo; replace the
# whole sources setup with plain Debian plus pve-no-subscription.
rm -f /etc/apt/sources.list
rm -f /etc/apt/sources.list.d/hetzner-security-updates.list
rm -f /etc/apt/sources.list.d/pve-enterprise.list
rm -f /etc/apt/sources.list.d/pve-install-repo.list
echo "deb http://ftp.debian.org/debian bookworm main contrib" > /etc/apt/sources.list
echo "deb http://ftp.debian.org/debian bookworm-updates main contrib" >> /etc/apt/sources.list
echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" >> /etc/apt/sources.list
echo "deb http://security.debian.org/debian-security bookworm-security main contrib" >> /etc/apt/sources.list
apt update

#############
# Update LXC container db
#############
pveam update
# Pick the current template name from this listing; the version in the
# download line is simply the one that was current when this was written.
pveam available --section system | grep debian
pveam download local debian-12-standard_12.2-1_amd64.tar.zst

#############
# Create NAT bridge
#############
# enp5s0 is the public NIC on this box; yours may differ (check `ip -br link`).
# The bridge has no physical ports: containers attach to it and reach the
# outside through the MASQUERADE rule on the public NIC.
cat >> /etc/network/interfaces <<'EOF'

auto vmbr0
#private sub network
iface vmbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp5s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp5s0 -j MASQUERADE
EOF
reboot

#############
# Change root password to access GUI
#############
# The web UI on https://<public-ip>:8006 authenticates root via PAM, i.e.
# with this password; it is reachable from your home IP only (see ufw above).
passwd
```
Your NIC names may differ. The final /etc/network/interfaces looks like this (HETZNERIPHERE and HETZNERGATEWAYHERE are the address and gateway Hetzner assigned to the server):

```
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp5s0
iface enp5s0 inet static
    address HETZNERIPHERE/26
    gateway HETZNERGATEWAYHERE
    up route add -net HETZNERIPHERE netmask 255.255.255.192 gw HETZNERGATEWAYHERE dev enp5s0

auto vmbr0
#private sub network
iface vmbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp5s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp5s0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i enp5s0 -p tcp --dport 8000 -j DNAT --to 10.10.10.2
    post-down iptables -t nat -D PREROUTING -i enp5s0 -p tcp --dport 8000 -j DNAT --to 10.10.10.2
```
Note the last two lines - those are tests. They assume a VM/LXC at 10.10.10.2 serving something on port 8000. Because this is a NAT setup, nothing inside the VMs/LXCs is reachable from outside until you add a DNAT pair like this for each port you want exposed (the post-down line has to mirror the post-up line exactly, or `ifdown` leaves a stale rule behind). The forwarded connection is filtered in the host's FORWARD chain, not INPUT, so with DEFAULT_FORWARD_POLICY set to ACCEPT in the script above it is let through without any further ufw rule; a `ufw allow in 8000` would only open port 8000 on the host itself, which is not what you want. Keep in mind that a DNAT'd port is therefore open to the whole internet, not just your home IP, so the service behind it has to look after itself.
Inside the LXC, attach its interface to bridge vmbr0 with an address in the private subnet (e.g. 10.10.10.2/24) and 10.10.10.1 as the gateway.
Comments
Also check out these setup scripts (accessible via the "Website" link): https://github.com/tteck/Proxmox