Setup VE with Proxmox on Hetzner — Single Mode

Excited to share my €35/month cloud!

Artem Lajko
Sep 5, 2023

Note: This blog assumes Linux knowledge in the fields of networking and security, and does not explain how Proxmox, virtualization or pfsense work.

Introduction

This configuration has been invaluable during my academic journey, serving as an excellent platform for experimentation and learning. It’s also been great for constructing customer demos, setting up cost-effective air-gapped services, and much more. I ended up with several Kubernetes, OKD (OpenShift) clusters that didn’t cost me €80 a month with 24 cores, 150 GB RAM and 10 TB HDD storage. The topic of an HA setup with Proxmox is covered in another article.

This guide shows you how to set up your own private cloud virtual environment! Whether you’re a student, a hobbyist, or someone looking to dip their toes into the world of virtualization and networking, you’re in the right place. For just €35 per month, you can create a low-cost, educational setup that will provide you with invaluable hands-on experience. From configuring virtual machines to managing network traffic, this environment serves as a practical playground for learning various IT skills.

This blog is about the installation of Proxmox 7.X on Hetzner with pfsense as the firewall for WAN, and IP floating with an additional IP address for the VMs to allow SNAT.

This will be part of the environment setup:

  • Order Hetzner Server on Stock Exchange
  • Order Additional IP-Address for IP-Floating
  • Using KVM → VMs are using their own kernel
  • Create Network Configuration Bridged → to allow communicating with the gateway of the assigned IP (SNAT)
  • Create two VMs → one VM working as Firewall and enable SNAT and the second VM as your Workstation

0. Preparation

0.1 Order Server

NOTE: You need an account and a billing method on Hetzner.

Go to https://www.hetzner.com/sb search for a server like:

I will take the first and the cheapest one. After your order is finished, it takes on average up to 20–30 Minutes.

0.2 Add additional IP address

Note: This requires that the server order has been fulfilled.

An additional IP address must be requested for routing to the outside, as the main address of the Hetzner VM does not allow routing.

You can order an additional IP-Address from:

Then select One additional IP with costs (Price (monthly): € 2.02 / Setup (once): € 5.83) like:

Now you must order a MAC address for the IP address. The MAC address is later required for the pfsense VM, which is used for routing into the WAN.

Click on the icon near the newly ordered IP address to request a new MAC address, like:

0.3 Fetch necessary Meta Information

Now you can fetch the IP-Address Information that will be needed to allow SNAT over pfsense. If you swipe over your main IP-Address, you will see:

  • Main-IP-Address (from your server order)
  • Ordered Second IP-Address
  • MAC Address from the Ordered Second IP-Address
  • Gateway
  • Netmask
  • Broadcast

Save this information; it will be required later by the script that creates the virtual bridges and attaches them to the created VMs.

0.4 Download pfsense

You can download the latest version from https://www.pfsense.org/download/

0.5 Download an ISO Image

I will use Fedora Workstation, because I like Fedora and Workstation gives you a nice UI if you need it.

https://fedoraproject.org/workstation/download/

Now you are ready to install proxmox on Hetzner!

1. Install Proxmox on Hetzner

First, connect to the ordered server like:

ssh root@178.63.13.156

Then run the following command to start an interactive installer:

installimage

Choose the right image:

Change install config:

#1.
FROM:
SWRAIDLEVEL 1
TO:
SWRAIDLEVEL 0 (to use all storage, sda+sdb; RAID 0 has no redundancy, so one failed disk loses all data)

#2.

FROM:
HOSTNAME Proxmox-Ve.localhost
TO:
HOSTNAME proxmox-single.lab.local (you can call it whatever you want)

#3.

FROM:
PART /boot ext3 512M
PART lvm vg0 all

LV vg0 root / ext3 15G
LV vg0 swap swap swap 6G

TO:
PART /boot ext4 512M
PART lvm vg0 all

LV vg0 root / ext4 100G
LV vg0 swap swap swap 32G --> (available RAM * 1/2)
LV vg0 data /var/lib/vz ext4 400G --> (remaining storage after deducting root, used for storing images and containers)

2. Set root password and disable port 111 or service

After installation, a password must be assigned to the root user if you access the Hetzner machine via SSH key. Access to the Proxmox web console is then authenticated via the Linux PAM authentication module.

 passwd
New password: xy...
Retype new password:xy...

Proxmox opens port 111 (rpcbind) by default, which is a security risk. Therefore, the port must be blocked or the service disabled.

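iptables -A INPUT -p tcp -m tcp --dport 111 -j DROP
iptables -A INPUT -p udp -m udp --dport 111 -j DROP
# rpcbind also listens on IPv6, so block it there as well
ip6tables -A INPUT -p tcp -m tcp --dport 111 -j DROP
ip6tables -A INPUT -p udp -m udp --dport 111 -j DROP
# iptables-save only prints the rules; redirect the output to persist them
# (/etc/iptables/rules.v4 and rules.v6 are restored at boot when the iptables-persistent package is installed)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# If the service is not needed, disable and mask it
systemctl disable --now rpcbind rpcbind.socket
systemctl mask rpcbind rpcbind.socket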

Now open the Proxmox-Webconsole (https://MAIN-IP:8006) and login with root and your password.

3. Setup network config

You will need to fetch the Ethernet interface, like enp0s31f6. You can do it the following way:

ifconfig

Output like:
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 138.201.31.244 netmask 255.255.255.192 broadcast 0.0.0.0
inet6 fe80::921b:eff:fe91:c47a prefixlen 64 scopeid 0x20<link>
inet6 2a01:4f8:171:335c::2 prefixlen 64 scopeid 0x0<global>
ether 90:1b:0e:91:c4:7a txqueuelen 1000 (Ethernet)
RX packets 6794 bytes 8203318 (7.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2374 bytes 1945636 (1.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xf7000000-f7020000

Now clone the repo, add all the necessary variables from the meta information to the network_config.sh script and execute it. Afterwards you should see that two virtual Linux bridges (vmbr0 and vmbr1) have been created.

ifconfig

enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 90:1b:0e:91:c4:7a txqueuelen 1000 (Ethernet)
RX packets 7934 bytes 8512965 (8.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2954 bytes 2199014 (2.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xf7000000-f7020000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 136 bytes 25776 (25.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 136 bytes 25776 (25.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vmbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 138.201.31.244 netmask 255.255.255.255 broadcast 138.201.31.255
inet6 fe80::921b:eff:fe91:c47a prefixlen 64 scopeid 0x20<link>
ether 90:1b:0e:91:c4:7a txqueuelen 1000 (Ethernet)
RX packets 393 bytes 110223 (107.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 287 bytes 129286 (126.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vmbr1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 9e:38:d9:b4:7d:48 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
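The network_config.sh script is not reproduced on this page. As an added example (not the author's script), the following renders an /etc/network/interfaces file that yields bridges like the ones in the output above, validating its inputs first. The /32 address with a pointopoint gateway is an assumed layout, and the addresses are constructed documentation values.

```shell
#!/bin/sh
# is_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# render_interfaces IFACE MAIN_IP GATEWAY: prints the file to stdout so it can be
# reviewed before it replaces /etc/network/interfaces on a remote host.
render_interfaces() {
    iface=$1 main_ip=$2 gateway=$3
    case "$iface" in ''|*[!a-zA-Z0-9]*) echo "bad interface: $iface" >&2; return 1 ;; esac
    is_ipv4 "$main_ip" || { echo "bad main IP: $main_ip" >&2; return 1; }
    is_ipv4 "$gateway" || { echo "bad gateway: $gateway" >&2; return 1; }
    cat <<EOF
auto lo
iface lo inet loopback

iface $iface inet manual

# WAN bridge: holds the main IP and is bridged to the physical NIC
auto vmbr0
iface vmbr0 inet static
    address $main_ip/32
    gateway $gateway
    pointopoint $gateway
    bridge-ports $iface
    bridge-stp off
    bridge-fd 0

# LAN bridge: no physical port and no host IP, only VM NICs attach to it
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
EOF
}

# Constructed documentation addresses (203.0.113.0/24), not the page's values.
render_interfaces enp0s31f6 203.0.113.10 203.0.113.1
```

Because the function only prints, the result can be compared with the current file before anything is overwritten; a wrong interfaces file on a remote server cuts off SSH access.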

You will also see the created vmbr[0–1] in the Proxmox Web console like:

4. Upload the images

Before you can create VMs you need first to upload the images (ISO files) to the local storage of the Proxmox VM running on Hetzner. You can do it like:

5. Create VM and Install pfsense

First you have to create a VM from the uploaded Image like:

Now that you have created the VM, add the ADD-IP-Address to give the VM access to the internet. You also need to add vmbr1 to connect the pfsense VM to the LAN0 network. This can be done via Add network device, like:

Now start the VM and follow the instruction to install pfsense. If the installation was successful, you will get output like:

Over the IP-Address 138.201.31.225 the VM will access the WAN and over the IP-Address 192.168.1.1 you can access the UI of pfsense from the created LAN0 network.

6. Create VM and Install Workstation (Fedora)

Now you have to create a VM of your choice to test if the SNAT is working.

As you can see, that VM is not connected to the ADD-IP-Address. The VM is only connected to vmbr1 (LAN0).

If you check the IP-Address from the created VM (in my case fedora workstation) like:

You will see the ADD-IP-Address. So SNAT is working, and you can go on to configure pfsense via the UI for your purposes.

Conclusion

Congratulations, you’ve successfully set up your own private Cloud Virtual Environment for just €35 per month. This affordable setup offers you a valuable opportunity to acquire hands-on experience in various areas like virtualization, networking, and more.

However, it’s important to note that this is a basic configuration and is not recommended for production-level tasks. If you’re considering using this setup for a production environment, you should enhance its security by addressing several key areas, such as:

  • Linux PAM + MFA
  • Fail2ban against brute force
  • SSH: Disable root login, Automatic session timeout, Enable user for SSH, change default port, etc.
  • Configure Hetzner Firewall-Rule, default for incoming/outgoing traffic is set to allow all

Contact Information

If you have some questions, would like to have a friendly chat or just network to not miss any topics, then don’t use the comment function at Medium, just feel free to add me to your LinkedIn network!
