Entry Level Hypervisors: Proxmox on VPS with LXC Containers, Cloudflare Tunnels and Docker.

edited October 2025 in Tutorials

I wanted to write a tutorial to take advantage of Linux's built-in virtualisation features, even on most VPSs available on LowEndTalk. You will need a single public IPv4 address for convenience and a domain hosted on Cloudflare. I use Proxmox, which is an amazing free hypervisor that you can actually run inside of a KVM VPS (a hypervisor within a hypervisor).

Regarding server requirements, I recommend a minimum of 8GB, which has worked well for a few containers in a homelab. I use this with VPS servers from Advin Servers and Hetzner, both of which let you install Proxmox from their respective control panels. Most providers I have used, including Racknerd and Hostbrr, will install the ISO for you. The only stipulation is that it must be a KVM VPS with virtualisation enabled.

How do I check if KVM is enabled?
Assuming you are running an x86_64/AMD64/Intel64 system, run the following command:
$ lscpu
Check Virtualisation Features -> Virtualisation and Hypervisor Vendor.
The virtualisation should either read AMD-V or VT-x. The Hypervisor vendor should be KVM.

Installing Proxmox
If the Proxmox ISO is not available from your VPS panel, ask your Lowend provider to upload it for you from the following URL:
https://enterprise.proxmox.com/iso/proxmox-ve_9.0-1.iso
Change the boot order so your VM boots from the mounted ISO.
Restart the VM. Access the VM via a VNC connection in your VPS panel, then follow the setup process in the Proxmox GUI.
In particular, ensure you enter the correct public IPv4 address, the correct gateway for that IP and the fully qualified domain name. This FQDN will be a subdomain of one of your Cloudflare-hosted domains. For this tutorial, I will use example.com as the domain name, and the FQDN/hostname for Proxmox will be proxmox.example.com. You do not need to make any DNS changes as yet.
Ensure you enter a secure password; it will also serve as your root password for the server.

Follow the setup process for Proxmox. At the end of the setup, the VPS will reboot. At this point, you should unmount the Proxmox ISO. Restart the VNC console if required. If you are taken back to the Proxmox setup GUI, ensure the CD is unmounted and restart the VPS.
Proxmox will restart, and you will be able to access the Proxmox GUI on any web browser at https://ipv4_of_your_server:8006.

The first thing that I do at this stage is disable both Enterprise repositories. You will find the Server drop-down beneath the Datacentre drop-down on the left-hand side of the Proxmox GUI.
To disable the Enterprise repositories, go to Proxmox GUI -> Server -> Repositories.
In the same view, add the pve-no-subscription repository (Add).

With Proxmox, you can run most shell commands as root directly from the GUI. Go to Server -> Shell in the GUI.
An SSH terminal will be displayed. You are auto-logged in as root. Update Proxmox by running
$ apt-get update && apt-get full-upgrade -y

Install your Cloudflare Tunnel
On your Cloudflare Dashboard, go to 'Zero Trust', which you will find on the left-hand side of the main account home page. Next, go to Network->Tunnels->Create a Tunnel.
Select Cloudflared as your tunnel type. Then give your tunnel a name.
The next page will guide you through installing and running connectors. Choose Debian as the environment, then install Cloudflared with the first command. Copy and paste the first command into your Proxmox Shell. To ensure Cloudflared runs on startup, copy and paste the second command on Cloudflare. This command enables Cloudflared on your server, and you will see the connector listed on your Cloudflare dashboard.
Clicking Next will let you publish your first route on Cloudflare. Under 'Add a published route...', enter your Proxmox subdomain (i.e. proxmox.example.com). Then enter your chosen Cloudflare domain in the next column. Leave the path / column empty. Under protocol, select HTTPS, and under URL, enter your public_ipv4:8006.
Click the additional options drop-down, then select the TLS option. Turn on No TLS Verify and HTTP2 connection.
Then select complete setup.
The Cloudflare tunnel will be installed, and your Proxmox server will be available at https://proxmox.example.com behind a secure SSL certificate from Cloudflare.
You can publish additional routes from the Zero Trust dashboard: Zero Trust -> Network -> Tunnels. Select your tunnel, then click edit, then select 'Published Application Routes'.
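Because the route's origin is public_ipv4:8006, the Proxmox GUI keeps listening on the public address as well as being served through the tunnel. The following is an added example, not part of the original post, that lists which TCP ports on the host are bound to a non-loopback address so you can decide what to firewall; the `ss` sample and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP ports on the Proxmox
# host that listen on a non-loopback address.
# stdin: output of `ss -H -tln`. stdout: one port per line, sorted.
public_ports() {
    awk '
    $1 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)   # strip ":port" to get the local address
        sub(/.*:/, "", port)       # keep the text after the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only socket
        seen[port] = 1             # de-duplicate IPv4/IPv6 listeners
    }
    END { for (p in seen) print p }' | sort -n
}

# Ports from public_ports that are not in an allowlist of expected ones.
# $1: space-separated allowlist. stdin: output of `ss -H -tln`.
unexpected_ports() {
    for p in $(public_ports); do
        case " $1 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Constructed sample of `ss -H -tln` output, for illustration only.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 4096 *:8006 *:*
LISTEN 0 4096 *:3128 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*'

echo "non-loopback listeners in the sample:"
printf '%s\n' "$SAMPLE_SS" | public_ports
echo "not in the allowlist (22):"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22"
# On the host itself: ss -H -tln | unexpected_ports "22"
```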

Install Fuse OverlayFS
If you want to run Docker inside an LXC container, I have not managed to do so without first installing Fuse OverlayFS on the Proxmox host. In the Proxmox Shell run:
$ apt install -y fuse-overlayfs

Creating your Software Defined Network (SDN)
Proxmox makes private networking easy with its SDN feature. You need to enable some features first (taken from the Proxmox website). Run the following commands on the Proxmox Host Shell:
$ apt update
$ apt install libpve-network-perl

Next, select the Datacenter view from the left menu, then look for SDN in the next column. Select Zones under SDN, then Add.
Select 'Simple'. Pick a name for this zone. I have selected vzone1. 'pve' should be autoselected under IPAM. Tick the advanced view, tick automatic DHCP, then Add.
Next, select VNets under SDN and click Create.
Give your VNet a name. I've selected 'vnet1'. Under zone, choose the zone you just created, 'vzone1', and click create.
Next, select the VNet you have just created. A new column of subnets will appear. Create your first private subnet by clicking 'Create'.
Under General, enter your private subnet. In this example, I will use the subnet 10.10.10.0/24. Under gateway, I enter 10.10.10.1. Select SNAT.
Select the next column, DHCP ranges. Under start address and end address, click add, then enter the range you want your DHCP server to use. I usually use start at 10.10.10.10 and end at 10.10.10.200, giving you 190 private IPs to play with!

Create your first container
Proxmox has a few LXC container templates in its library. For this tutorial, I will install Docker and Portainer in an Ubuntu 24.04 container.
Datacentre->Local->CT Templates.
Click Templates, select the Ubuntu 24.04 template, and download.

Click 'Create CT' near the top right of the Proxmox panel. This starts the container creation process.
In the first panel, enter the container hostname and password. You can also add your SSH public key here. Ensure the 'Unprivileged container' and 'Nesting' boxes are checked. I usually have the advanced options checked here.
In the next panel, click the template drop-down and select the Ubuntu 24.04 template you just downloaded. Click next.
In the next panel, select your disk size. 20GB is sufficient for this exercise.
In the next panel, choose the number of cores. One core is sufficient to run Portainer.
In the next panel, choose your memory. I recommend at least 2GB of RAM to run Docker on Ubuntu. You can also select the swap size here.
In the next panel (this is important), under Bridge, select your VNet. Under IPv4, select DHCP. Under IPv6, it should read 'Static/None'. Click next.
In the next panel, you can enter specific DNS servers or use the default (Hosts DNS servers) by clicking next.
In the next panel, confirm all your settings. Click start after creation to log in to the shell when the container is created.
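The settings that matter most in the steps above are the unprivileged and nesting flags and the bridge, since they decide how isolated the container is and whether it sits on the private VNet. The following is an added example, not part of the original post, that checks a container's config file on the Proxmox host (`/etc/pve/lxc/<CTID>.conf`) against those choices; both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an LXC config against the
# choices made in the steps above.
# stdin: contents of /etc/pve/lxc/<CTID>.conf   $1: expected bridge (VNet name)
# stdout: one finding per line, or nothing when every check passes.
audit_ct_conf() {
    awk -v bridge="$1" '
    /^\[/ { exit }                        # snapshot sections start here; skip them
    $1 == "unprivileged:" { unpriv = $2 }
    $1 == "features:"     { feats = "," $2 "," }
    $1 == "net0:"         { net = "," $2 "," }
    END {
        if (unpriv != "1")                      print "container is privileged"
        if (!index(feats, ",nesting=1,"))       print "nesting is off"
        if (!index(net, ",bridge=" bridge ",")) print "net0 is not on " bridge
        if (!index(net, ",ip=dhcp,"))           print "net0 IPv4 is not DHCP"
    }'
}

# Constructed sample configs (hypothetical values, for illustration only).
GOOD_CONF='arch: amd64
cores: 1
features: nesting=1
hostname: docker1
memory: 2048
net0: name=eth0,bridge=vnet1,hwaddr=BC:24:11:00:00:01,ip=dhcp,type=veth
ostype: ubuntu
rootfs: local:100/vm-100-disk-0.raw,size=20G
swap: 512
unprivileged: 1'

BAD_CONF='arch: amd64
features: nesting=1
hostname: docker2
net0: name=eth0,bridge=vmbr0,gw=203.0.113.1,hwaddr=BC:24:11:00:00:02,ip=203.0.113.10/24,type=veth
ostype: ubuntu
rootfs: local:101/vm-101-disk-0.raw,size=20G'

echo "good:"; printf '%s\n' "$GOOD_CONF" | audit_ct_conf vnet1
echo "bad:";  printf '%s\n' "$BAD_CONF"  | audit_ct_conf vnet1
# On the host: audit_ct_conf vnet1 < /etc/pve/lxc/<CTID>.conf
```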

Installing Docker and Portainer
You will see your container listed under your server drop-down on the left menu. Start the container if you haven't done so already. Select console and log in with the username root and the password you used during the container creation process.
All the next commands are to be run inside the container.
Curl is not installed in a new Ubuntu container, even after upgrading, so I do this first by running the following command:
$ apt update && apt install curl
Then upgrade Ubuntu:
$ apt update && apt upgrade -y
Install Docker with the following commands:
To install dependencies:
$ sudo apt install apt-transport-https ca-certificates curl software-properties-common -y

To install Docker's GPG key to your key ring:
$ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

To add the Docker Repo to your APT sources:
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the repositories:
$ sudo apt update

Install Docker
$ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Next, we will install Portainer (Community Edition):
Create the Docker Volume for Portainer
$ docker volume create portainer_data

Install Portainer
$ docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts

Portainer is now accessible via:
https://container_private_ip:9443

To find the container's IP address (if it is your first container, it will be 10.10.10.10), run the following command:
$ ip a
Look for the inet address under eth0 and look for the IP address from your private subnet. You will need this for your Cloudflare Tunnel.

Head back to the Cloudflare Zero Trust Dashboard. Network->Tunnels. Select your tunnel and click edit.
Click on Published Application Routes and 'add a published application route'. I am going to use the subdomain 'portainer' and enter it in the (optional) subdomain box, along with my Cloudflare-hosted domain 'example.com'. In the service type select HTTPS, and in the URL, enter the IP address of your container and port 9443, so if this were your first container, in the URL box you would enter 10.10.10.10:9443.
Click the additional application settings and select TLS.
Select No TLS verify; this seems to be a necessary step if you are using the HTTPS protocol. The option is not there if you are using HTTP. I also always select the HTTP2 connection option. Next, click save.
The Portainer admin panel will now be available at https://portainer.example.com

As I mentioned earlier, Proxmox has quite a few templates, including a number from Turnkey Linux, but I would suggest you check out this excellent repo of LXC templates that I found; a really great library:
https://community-scripts.github.io/ProxmoxVE/

These community scripts should be run from the Proxmox shell. Ensure you select the LXC version. When the container is created, note the private IP address (and the port) it is hosted on for your Cloudflare Tunnel.

Disclaimer:
This is my own work, and I have not used AI. I have followed many online tutorials over the months for all of these steps, and this is what I came up with.
A big shout-out to @advinservers for their support of my networking endeavours and for their exceptional pricing, which made this possible.
