Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Internal VPN
New on LowEndTalk? Please Register and read our Community Rules.

Internal VPN

VoigonVoigon Member
edited June 12 in Help

Hi guys,
I am currently managed a proxmox ve install as a colo.
One thing I was struggling with is making sure only the bare minimum services are exposed to the internet. I have partly achieved this by using cloudflare access which does a good job of protecting the web interface and other systems.
However, I cannot use it for other services like sftp or web services that doesn't work very well behind it.
I want to create a private network between my lxc / kvm containers, docker installs and some clients which only need to access the containers but not other each other or the public internet (I already have an internal network inside proxmox but I am not sure how to access it from outside the cluster).
What is an easy way to achieve that? I prefer not to tangle with iptables and complex configurations as much as possible.

Comments

  • @Voigon said: I prefer to tangle with iptables

    Are you missing a "not" there?

    If so, you might want to look at tailscale.

  • VoigonVoigon Member

    @stevewatson301 said:

    @Voigon said: I prefer to tangle with iptables

    Are you missing a "not" there?

    If so, you might want to look at tailscale.

    I am, thank you for noticing
    I tried tailscale but the user and device limit on the free plan was too low, and if I would pay for each user it will be too expensive.
    Was thinking something like tailscale but self hosted could be great, is that a thing?

  • jmgcaguiclajmgcaguicla Member
    edited June 12

    @Voigon said:
    I tried tailscale but the user and device limit on the free plan was too low, and if I would pay for each user it will be too expensive.

    I'm not saying you should abuse it but the device limit is a soft limit, I currently run a tailnet that is a few nodes over the limit. They even mention this themselves.

    Was thinking something like tailscale but self hosted could be great, is that a thing?

    Headscale, haven't migrated my entire network over it but setting up a few nodes was relatively painless.

    Also consider Nebula and Tinc, I like Tinc in L2 since I can run stuff like CARP/VRRP

    EDIT: ZeroTier is also a good candidate, as easy to set up as Tailscale, plus you can self-host a controller (does not entirely remove your dependency on the root ZT servers, you can also set up your own roots if you wanted to though)

    Thanked by 2skorous TimboJones
  • Look at headscale perhaps? Never used it personally though.

    Thanked by 1Erisa
  • VoigonVoigon Member

    @jmgcaguicla said:

    @Voigon said:
    I tried tailscale but the user and device limit on the free plan was too low, and if I would pay for each user it will be too expensive.

    I'm not saying you should abuse it but the device limit is a soft limit, I currently run a tailnet that is a few nodes over the limit. They even mention this themselves.

    Was thinking something like tailscale but self hosted could be great, is that a thing?

    Headscale, haven't migrated my entire network over it but setting up a few nodes was relatively painless.

    Also consider Nebula and Tinc, I like Tinc in L2 since I can run stuff like CARP/VRRP

    EDIT: ZeroTier is also a good candidate, as easy to set up as Tailscale, plus you can self-host a controller (does not entirely remove your dependency on the root ZT servers, you can also set up your own roots if you wanted to though)

    Headscale looks like an interesting option, is it considered stable?
    Do I manage it by self hosting tailscale's interface or just by commands?

  • jmgcaguiclajmgcaguicla Member
    edited June 12

    @Voigon said:
    Headscale looks like an interesting option, is it considered stable?

    For the basic feature set (joining the tailnet, DERP relaying), sure. I haven't checked the other features tho' (MagicDNS, that Services tab thingy).

    Keep in mind Headscale is just the coordination server, the meat of the VPN functionality is still in the Tailscale client.

    Do I manage it by self hosting tailscale's interface or just by commands?

    Commands, there is no fancy web UI. Management is through an HTTP API (which the headscale binary consumes).

  • UnixfyUnixfy Member

    I personally use ZeroTier with a self-hosted controller and Gravitl's Netmaker https://www.netmaker.org/

    Thanked by 1TimboJones
  • Peppery9Peppery9 Member

    Tailscale & Zerotier are excellent tools that will do what you need. Install their clients on your host servers and route a subnet to them for each host. You don't need to install anything on the VMs this way, so you'll easily fit under any device limits. The end result is all my VMs can reach each over over their internal IPs no matter where they're hosted.

    Zerotier works well, but I found Tailscale/Wireguard gave much better bandwidth (near line speed) between my servers. I've recently moved to plain Wireguard + some scripts to update/push configs out in order to have a bit more control over how the network is configured compared to Tailscale.

  • lala_thlala_th Member

    @Peppery9 said:
    lnstall their clients on your host servers and route a subnet to them for each host.

    Do you have a guide about this?

  • Peppery9Peppery9 Member

    @lala_th said:

    @Peppery9 said:
    lnstall their clients on your host servers and route a subnet to them for each host.

    Do you have a guide about this?

    Tailscale has an article on subnet routing. Zerotier has a similar one. It's quite a straightforward setup.

    Thanked by 1lala_th
  • Daniel15Daniel15 Member

    @Voigon said: I want to create a private network between my lxc / kvm containers, docker installs and some clients which only need to access the containers but not other each other or the public internet

    Do the containers have static IP addresses? WireGuard would work well to allow clients to access the containers. Otherwise for a more dynamic network I'd try Zerotier.

  • _cece_cece Member

    I also suggest zerotier. Easy to setup and to manage. Currently my #1 choice

  • snzsnz Member

    @Daniel15 said:

    @Voigon said: I want to create a private network between my lxc / kvm containers, docker installs and some clients which only need to access the containers but not other each other or the public internet

    Do the containers have static IP addresses? WireGuard would work well to allow clients to access the containers. Otherwise for a more dynamic network I'd try Zerotier.

    That's how I set it up. I use a DNS (https://github.com/mageddo/dns-proxy-server) that will have a fixed IP and WG clients can then use the hostnames set in docker.

Sign In or Register to comment.