Install and Secure Proxmox on Debian 8

Nowadays you can rent a VPS for a few bucks, but dedicated servers are also dropping in price. So why not rent a dedicated server and start virtualizing yourself? It’s very easy, probably more secure in the end (you manage your own backups), and cheaper if you need a lot of VPSes.

Step 1

Buy a dedicated server or just use a homelab with Debian Jessie.

Step 2

Important: set your /etc/hosts file like this (replace the 192.168.1.100 IP with the machine’s IP and yourhost with your server’s hostname):

127.0.0.1       localhost.localdomain localhost
192.168.1.100 yourhost.proxmox.com yourhost pvelocalhost

Step 3

Simple but effective, just run these lines and your Debian Server is suddenly a Proxmox Node:

echo "deb http://download.proxmox.com/debian jessie pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget -O- "http://download.proxmox.com/debian/key.asc" | apt-key add -
apt-get update && apt-get dist-upgrade
apt-get install proxmox-ve ntp ssh postfix ksm-control-daemon open-iscsi systemd-sysv

Step 4

Now create the network bridge interfaces that the virtual instances need to get their own ethernet interface.
I’m using two bridges. vmbr0 is a bridge for the eth0 in the device itself; with this interface an instance can easily get an IP from your DHCP server, or you can assign a public IP directly in a datacenter (if you own multiple IPs).
vmbr1 is a NAT interface that gives instances access to the internet and connects them in their own Local Area Network.
You can assign both vmbr devices to an instance that provides publicly accessible services but also needs information from other instances hidden behind the NAT.
Open up your /etc/network/interfaces file and replace everything with the following (for vmbr0, replace the ip/gateway 192.168.1.100/.1 with the IP that is now assigned to eth0, which may be a public IP when the device is in a datacenter):

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Step 5

Restart the machine and, when everything is up again, log in to the Proxmox web interface, which can be found at: https://192.168.1.100:8006 (replace the IP with the IP assigned to the vmbr0 interface)
If everything went well you’ll find both vmbr interfaces under the network tab in the datacenter-node.

Step 6

The firewall can be easily managed from within Proxmox, but you will have to take these two steps to enable it without locking yourself out.
First, accept connections to ports 22 and 8006 (ssh and the Proxmox web interface). To do this, select the node in the tree menu on the left and click the firewall tab. As the destination, use the IP of the vmbr0 interface (the IP that is currently in your browser’s address bar).

After this, enable the firewall at datacenter level. Select the top item (datacenter) in the tree menu on the left, click the firewall tab and, within that tab, select the ‘options’ menu. There you can enable the firewall for all instances (nodes and containers/VMs).
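
A preflight check for the two steps above, added here as an example and not part of the original post: it reads a node rule file and refuses to give the go-ahead unless enabled ACCEPT rules exist for tcp ports 22 and 8006. It assumes the rules created on the node's firewall tab are stored in /etc/pve/nodes/<node>/host.fw; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lockout preflight for Step 6.
# Assumption: rules created on the node firewall tab are stored in
# /etc/pve/nodes/<node>/host.fw, one rule per line under [RULES].

# has_accept FILE PORT: succeed if an enabled inbound tcp ACCEPT rule lists PORT.
# Macros such as SSH(ACCEPT) and port ranges are not evaluated, so the check
# errs on the side of reporting a port as missing.
has_accept() {
    awk -v port="$2" '
        /^\[/ { in_rules = (toupper($0) ~ /^\[RULES\]/); next }
        # Disabled rules start with "|", so their first field is not "IN".
        !in_rules || $1 != "IN" || $2 != "ACCEPT" { next }
        {
            proto = ""; dports = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-dport") dports = $(i + 1)
            }
            if (proto != "tcp") next
            n = split(dports, list, ",")
            for (j = 1; j <= n; j++) if (list[j] == port) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# preflight FILE: succeed only when ssh (22) and the web interface (8006) are both covered.
preflight() {
    missing=""
    for port in 22 8006; do
        has_accept "$1" "$port" || missing="$missing $port"
    done
    [ -z "$missing" ] && return 0
    echo "do not enable the datacenter firewall yet; no ACCEPT rule for tcp port(s):$missing" >&2
    return 1
}

# Constructed sample: the 8006 rule is disabled, so only ssh would stay reachable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[RULES]
IN ACCEPT -dest 192.168.1.100 -p tcp -dport 22
|IN ACCEPT -dest 192.168.1.100 -p tcp -dport 8006
EOF
preflight "$sample" || echo "sample fails the preflight, as intended"
rm -f "$sample"
```

On a real node, run preflight against the node's host.fw before switching the datacenter firewall on, and keep the existing ssh session open until a second login has succeeded.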

We are all done. Simply click on the Create VM or Create CT to make yourself a nice VPS Server/Instance :-)