Internal VPN
Hi guys,
I am currently managing a Proxmox VE install as a colo.
One thing I was struggling with is making sure only the bare minimum services are exposed to the internet. I have partly achieved this by using cloudflare access which does a good job of protecting the web interface and other systems.
However, I cannot use it for other services like SFTP or web services that don't work very well behind it.
I want to create a private network between my LXC / KVM containers, Docker installs and some clients which only need to access the containers but not each other or the public internet (I already have an internal network inside Proxmox but I am not sure how to access it from outside the cluster).
What is an easy way to achieve that? I prefer not to tangle with iptables and complex configurations as much as possible.
Comments
Are you missing a "not" there?
If so, you might want to look at tailscale.
I am, thank you for noticing
I tried Tailscale but the user and device limit on the free plan was too low, and if I paid for each user it would be too expensive.
Was thinking something like tailscale but self hosted could be great, is that a thing?
I'm not saying you should abuse it but the device limit is a soft limit, I currently run a tailnet that is a few nodes over the limit. They even mention this themselves.
Headscale, haven't migrated my entire network over it but setting up a few nodes was relatively painless.
Also consider Nebula and Tinc, I like Tinc in L2 since I can run stuff like CARP/VRRP
EDIT: ZeroTier is also a good candidate, as easy to set up as Tailscale, plus you can self-host a controller (does not entirely remove your dependency on the root ZT servers, you can also set up your own roots if you wanted to though)
Look at headscale perhaps? Never used it personally though.
Headscale looks like an interesting option, is it considered stable?
Do I manage it by self hosting tailscale's interface or just by commands?
For the basic feature set (joining the tailnet, DERP relaying), sure. I haven't checked the other features tho' (MagicDNS, that Services tab thingy).
Keep in mind Headscale is just the coordination server, the meat of the VPN functionality is still in the Tailscale client.
Commands, there is no fancy web UI. Management is through an HTTP API (which the headscale binary consumes).
I personally use ZeroTier with a self-hosted controller and Gravitl's Netmaker https://www.netmaker.org/
Tailscale & ZeroTier are excellent tools that will do what you need. Install their clients on your host servers and route a subnet to them for each host. You don't need to install anything on the VMs this way, so you'll easily fit under any device limits. The end result is all my VMs can reach each other over their internal IPs no matter where they're hosted.
Zerotier works well, but I found Tailscale/Wireguard gave much better bandwidth (near line speed) between my servers. I've recently moved to plain Wireguard + some scripts to update/push configs out in order to have a bit more control over how the network is configured compared to Tailscale.
Do you have a guide about this?
Tailscale has an article on subnet routing. Zerotier has a similar one. It's quite a straightforward setup.
Do the containers have static IP addresses? WireGuard would work well to allow clients to access the containers. Otherwise for a more dynamic network I'd try Zerotier.
I also suggest ZeroTier. Easy to set up and to manage. Currently my #1 choice.
That's how I set it up. I use a DNS (https://github.com/mageddo/dns-proxy-server) that will have a fixed IP and WG clients can then use the hostnames set in docker.
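An added example, not posted by anyone in this thread, of the "plain WireGuard + scripts" approach mentioned above: it renders a hub config for the Proxmox host and per-client configs whose AllowedIPs cover only the container subnet, so clients get the containers but neither the public internet nor each other. The endpoint, subnets and key strings are constructed placeholders; it assumes net.ipv4.ip_forward=1 on the host and that containers route the tunnel subnet back via the host.

```shell
# Hub = WireGuard on the Proxmox host, forwarding into the internal container bridge.
# All values below are constructed placeholders; generate real keys with `wg genkey`.
HUB_ENDPOINT="hub.example.invalid:51820"   # assumption: public address of the Proxmox host
WG_NET="10.200.0"                          # tunnel addresses 10.200.0.x/24
LXC_NET="10.10.0.0/24"                     # assumption: subnet of the internal Proxmox bridge
HUB_PUBKEY="HUB_PUBKEY_PLACEHOLDER="        # output of: wg pubkey < hub.key

# client_conf NAME INDEX CLIENT_PRIVKEY
# AllowedIPs lists only the container subnet, so the client routes neither the
# public internet (no 0.0.0.0/0) nor other clients' tunnel addresses into wg0.
client_conf() {
  cat <<EOF
# client: $1
[Interface]
PrivateKey = $3
Address = $WG_NET.$2/32

[Peer]
PublicKey = $HUB_PUBKEY
Endpoint = $HUB_ENDPOINT
AllowedIPs = $LXC_NET
PersistentKeepalive = 25
EOF
}

# hub_peer CLIENT_PUBKEY INDEX
# The /32 pins each client to its own tunnel address: WireGuard's cryptokey
# routing drops packets from that peer carrying any other source address.
hub_peer() {
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$1" "$WG_NET" "$2"
}

# hub_conf HUB_PRIVKEY [CLIENT_PUBKEY:INDEX ...]
# A single FORWARD rule stops the hub from relaying wg0 -> wg0, which is what
# would otherwise let clients reach each other; forwarding wg0 -> bridge is untouched.
hub_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $WG_NET.1/24
ListenPort = 51820
PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP
EOF
  shift
  for peer in "$@"; do hub_peer "${peer%%:*}" "${peer##*:}"; done
}
```

Push each rendered client file to the matching machine and the hub file to /etc/wireguard/wg0.conf on the host, then bring it up with wg-quick; re-run hub_conf whenever a client is added or revoked.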