Creating a Proxmox Cloud Server with NAT on a Hetzner virtual DEDICATED VPS server - tutorial
Creating a Proxmox Cloud Server with NAT on a Hetzner virtual DEDICATED VPS server - tutorial
In this video tutorial , I take you step-by-step from acquiring a Hetzner VPS, installing Proxmox on it, and then configuring it including building your own NAT based network, so the Virtual Machines it hosts are naturally protected from internet based attacks.
=========================================================================
## Following the success of this channel, i have created a New Channel called “Virt Tech”
## that specialises in the related field of Virtualization Technology Videos,
## specifically Virtualbox initially. It can be found here :
##
## / @virt-tech
##
## Please try it out if the topic interests you.
=========================================================================
==========================================================
## If you are looking for a particular video try,
## 1) Channel : https://cloudtechlinks.com/YTChannel
## 2) then : https://cloudtechlinks.com/All-Videos
======================================================
DISK PARTITION :
PART swap swap 32G
PART /boot ext3 512M
PART / ext4 all
DESKTOP BUILD COMMANDS :
apt-get update \u0026\u0026 apt-get upgrade -y
apt-get install xfce4 htop xrdp gedit firefox-esr terminator
NAT NETWORK - APPEND TO FILE: /ETC/NETWORK/INTERFACES.
auto vmbr99
#private sub network
iface vmbr99 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 [GREATER THAN SHMBOL] /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s ‘10.10.10.0/24’ -o enp2s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s ‘10.10.10.0/24’ -o enp2s0 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT —zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT —zone 1
--------------------------------------------------------------------------------------------
PORT FORWARDING RULES :
iptables -t nat -A PREROUTING -p tcp -d 144.76.154.55 —dport 53389 -i enp2s0 -j DNAT —to-destination 10.10.10.10:3389
iptables -t nat -A PREROUTING -p tcp -d 144.76.154.55 —dport 80 -i enp2s0 -j DNAT —to-destination 10.10.10.10:80
iptables -t nat -L —line-numbers
apt-get install iptables-persistent (not used in video, but may be make rules persist between reboots)
iptables-save = /etc/iptables/rules.
TRANSCRIPT OF INTRODUCTION
===========================
Over the years I have tried a number of PC based virtual machine solutions, and created a number of VMs, which I still use. As a result, I now find I have virtual machines in too many places. Locally i have VMs in Virtualbox and VMware on my windows PC and QEMU on Linux. In the cloud I have multiple demonstration instances on Amazon web services because I currently have a work client who uses them, and my own web server running on the VULTR cloud provider, as I found they offer the best value for money.
So I was looking to fix all that by hosting all these local and cloud based virtual machines on a single server using a single technology, but how.
After a bit of research and thinking, I came up with the following plan, I would need a single server to put all my existing VMs on, I would use ProxMox , a free industrial strength virtual machine manager, and to prevent me having to punch holes in my routers firewall by opening up ports by for example running my web server locally, I would host it in the cloud instead.
So I needed a server which did not need to be brand new only reliable and stable. It would need to be a dedicated server, as although a few providers allow you to install a virtualization solution on their public cloud instances, which are already virtual machines themselves, this type of nested virtualization solution is normally very slow. As it would need to run a number of virtual machines simultaneously, at least 2 of which would use the memory hungry windows operating system, with the rest running some flavor of linux, I would need a server with a decent CPU, a minimum of 16 GB of memory, 500 GB of Usable disk space , but most of all it had to be cheap , so a maximum of about 35 or 40 dollars a month as i would be saving by not needing any AWS or vulture instances.
=========
I will now demonstrate step by step what was involved.
So covering the server ordering process., The installation of Proxmox without a graphical user interface, briefly changing the root password from the one that we were given and switching on the firewall. I will then install a lightweight desktop with web browser, so i can use the web browser on the server to get any ISO files or VM hard disks off drop box, google drive or one drive without using my intermittent, slow , internet connection, by downloading anything to my local downloads folder first.
Content
0.88 -> over the years i have tried a number of
2.72 -> pc based virtual machine solutions
5.04 -> and created a number of vms which i
7.12 -> still use
8.4 -> as a result i now find i have virtual
10.8 -> machines in too many places
13.2 -> locally i have vms in virtualbox and
15.519 -> vmware on my windows pc and qemu
18.32 -> on linux in the cloud i have multiple
20.96 -> demonstration instances on amazon web
23.039 -> services because i currently have a work
24.88 -> client who uses them
26 -> and my own web server running on the
27.68 -> vulture cloud provider
29.039 -> as i found they offer the best value for
31.039 -> money
33.2 -> so i was looking to fix all that by
34.96 -> hosting all these local and cloud-based
36.96 -> virtual machines on a single server
38.879 -> using a single technology but how
41.2 -> [Music]
42.64 -> after a bit of research and thinking i
44.719 -> came up with the following plan
46.32 -> i would need a single server to put all
48.079 -> my existing vms on
51.36 -> i would use proxmox a free industrial
53.76 -> strength virtual machine manager
57.36 -> and to prevent me having to punch holes
59.12 -> in my router's firewall by opening up
61.039 -> ports by for example running my web
62.96 -> server locally
63.92 -> i would host it in the cloud instead
70.479 -> so i needed a server which did not need
72.4 -> to be brand new only reliable and stable
75.28 -> it would need to be a dedicated server
77.28 -> as although a few providers allow you to
79.2 -> install a virtualization solution on
81.04 -> their public cloud instances
82.64 -> which are already virtual machines
84.24 -> themselves this type of nested
86.08 -> virtualization solution is normally very
88.32 -> slow
89.28 -> as it would need to run a number of
90.72 -> virtual machines simultaneously
92.799 -> at least two of which would use the
94.24 -> memory hungry windows operating system
96.4 -> with the rest running some flavor of
98.079 -> linux i would need a server with a
99.84 -> decent cpu
101.2 -> a minimum of 16 gigabytes of memory 500
104.32 -> gigabytes of usable disk space
106.32 -> but most of all it had to be cheap so
108.32 -> maximum of about 35 or 40 dollars a
110.56 -> month as i would be saving by not
112.159 -> needing any aws or vulture
114 -> instances i will now demonstrate step by
118 -> step what was involved
121.28 -> so covering the server ordering process
124.56 -> the installation of proxmox without a
126.56 -> graphical user interface
128.879 -> briefly changing the root password from
130.8 -> the one that we were given and switching
132.48 -> on the firewall
134.16 -> i will then install a lightweight
135.84 -> desktop with web browser
137.36 -> so i can use the web browser on the
139.2 -> server to get any iso files or vm hard
141.84 -> disks off dropbox
143.2 -> google drive or onedrive without using
145.36 -> my intermittent slow
146.72 -> internet connection by downloading
148.48 -> anything to my local downloads folder
150.48 -> first
152.8 -> the final bit of proxmox configuration
155.12 -> that i will do is to enable a nat
156.8 -> network on the server
158.48 -> what it means is i be able to attach any
160.64 -> of my vms to this nat internal network
162.879 -> so they can browse the internet all via
164.8 -> the single server ip address without
166.959 -> having to buy additional ip addresses
169.12 -> one for each vm then i will test all the
172 -> above by creating a new windows 10 vm
174.48 -> and apply some port forwarding rules
176.4 -> so i can access it from the internet
180.159 -> the ultimate aim being by following this
182.159 -> demonstration you will be able to
183.76 -> complete all these steps even with only
185.76 -> basic linux knowledge
188.959 -> so let's get started
201.599 -> on screen you can see the hetzner
203.599 -> website where my research ended up
206.159 -> mainly because they offer the best value
208.159 -> for money secondhand servers
210 -> i was able to find if you select
213.599 -> dedicated
214.319 -> then auction it takes you to a web page
216.48 -> showing all the used servers you can
218.08 -> currently rent
218.959 -> with no commitment longer than a month
220.72 -> and no setup fees to pay
223.92 -> i won't show the whole order process but
226 -> just to say the machine i ordered
227.68 -> had 32 gigabytes of ram two times two
230.48 -> terabyte enterprise quality hard disk
232.64 -> drives and a decent i7 cpu
235.12 -> all for under 27 euros if i were to do
238.239 -> it again
238.959 -> i would probably get one with 48
240.72 -> gigabytes of ram is that only cost a
242.64 -> couple of euros more
244 -> but it means that most or all of the vm
246 -> hard disk can be automatically cached in
248 -> the server's memory
249.12 -> meaning any disk access that vm does
251.36 -> would be very fast indeed
253.599 -> a few minutes or so after placing the
255.519 -> order i received an email detailing the
257.68 -> server's address
258.639 -> and details of the initial user id and
260.639 -> password to access it
265.44 -> i access the server in the normal way by
267.759 -> using an ssh
268.88 -> client as i am using windows on my pc i
272.24 -> use putty which you can get from the
273.84 -> website on screen
276.96 -> when i was first accessing my server
279.04 -> even though its hard disks are empty it
280.8 -> will be running a basic version of linux
282.639 -> by booting up across the network by
284.479 -> using the hetzner rescue system
286.88 -> if for some reason it's not or you wish
288.8 -> to use the rescue system sometime it in
290.88 -> the future that can be done using
292.4 -> hetzner control panel system which they
294.56 -> call robot
296 -> just indicate you want the linux 64-bit
298.639 -> version of the rescue system and note
300.479 -> down the randomly generated root
302.08 -> password it gives you
314.16 -> then go into reset to reboot the server
328.31 -> [Music]
337.52 -> now with use my putty ssh client and
340.08 -> using the details from the email or the
342.16 -> last request to the rescue system i
344.16 -> connect to the server
355.37 -> [Music]
361.37 -> [Music]
367.38 -> [Music]
370.72 -> once and i use their install image
372.319 -> program to load an image of proxmox on
374.479 -> my server
384.31 -> [Music]
392.84 -> wow
394.56 -> in the installation configuration file i
396.88 -> leave the default software raid in place
399.12 -> because these disks are secondhand and i
401.12 -> wanted as a result the extra protection
403.199 -> that it offered
405.759 -> i originally used any fully qualified
408 -> domain name as i didn't have one
409.68 -> available but later on when we use port
411.84 -> forwarding rules although i used the
413.52 -> server ip address when i specified the
415.84 -> rules it stored them using this
417.44 -> machine's fully qualified domain name
420.639 -> so now not to cause any complications
422.88 -> later on i use an existing domain name
425.199 -> of mine which now points to the
426.8 -> machine's ip address
452.639 -> and finally i just change the partitions
454.88 -> to a basic linux partition scheme
507.44 -> when the install image program has
509.36 -> finished i just reboot the server
514.27 -> [Music]
515.599 -> when fully rebooted i just access the
517.599 -> proxmox via its web interface by
519.839 -> specifying the https protocol the
522.479 -> server's ip address and port 8006 as
525.44 -> shown on screen
536.88 -> then i login with the rescue system
538.8 -> generated new root password
563.36 -> in this speeded up section as the
565.04 -> current root password was not of my
566.8 -> choosing
567.279 -> i log in and change it to a very long
569.36 -> and complex one
570.399 -> so although this server is accessible
572.16 -> from the internet no one will be able to
574.08 -> brute force the password
592.07 -> [Music]
595.839 -> the other piece of housekeeping we need
597.6 -> to do now that the server is up and
599.519 -> running is to switch on the hertz or
601.2 -> firewall as by default it is set to
603.2 -> allow all ports on the server to be
605.04 -> accessed from every ip address
620.72 -> so using the hetzner robot web console
623.2 -> just while i am building the server
624.88 -> is to restrict access to the server to
626.88 -> just my ip address
628.88 -> if my isp changes my ip which they do
631.68 -> very
632 -> occasionally i would just need to change
633.839 -> this ip rule
640.079 -> the installation process for the
641.68 -> lightweight desktop i have been able to
643.6 -> reduce
644.079 -> down to only a couple of lines of
645.68 -> commands
648.32 -> both of which you will find in the
649.76 -> description below
652.64 -> the first updates the repository indexes
655.12 -> and then installs any module upgrades to
657.36 -> the latest version it is able to find
660.959 -> the second command installs xfce which
663.76 -> is a lightweight desktop
665.12 -> htop which is a text based resource
667.68 -> monitor so we can see how hard the cpus
670.16 -> are working and what is our current
671.519 -> memory usage
672.959 -> it also installs xrdp which is secure
675.839 -> remote desktop viewer get it which will
677.92 -> allow use to edit files graphically from
680 -> the desktop and firefox which is a web
682.399 -> browser
684.8 -> through the magic of video editing i
686.56 -> have reduced the installation process to
688.64 -> only a few seconds
689.76 -> it actually takes 5 to 10 minutes
699.6 -> so to connect to my remote desktop all i
701.839 -> do is start the remote desktop
703.6 -> connection software
704.72 -> that comes pre-installed on windows pcs
709.76 -> put in the ip address of our server
718.56 -> the username root
725.76 -> tick the box to allow me to save
727.44 -> credentials as this is my pc
731.839 -> confirm that the local resources tab
733.92 -> only tries to connect our clipboard and
735.92 -> our local drives as only these options
738 -> work
743.2 -> before saving these settings so next
745.44 -> time if we were to use our saved file we
747.6 -> will not be prompted for a password as
749.44 -> it's stored encrypted in the repository
751.36 -> and is only accessible when using this
753.279 -> windows user
764.16 -> now when prompted we enter or paste our
766.16 -> long complex password
791.92 -> now we need to implement a nat
793.44 -> networking bridge so any vms we create
795.76 -> can bridge to the existing server's ip
798 -> address and be forwarded on to the
799.6 -> internet
800.72 -> otherwise if the vms needed their own
802.72 -> proper external ip
804.079 -> we would need to buy one for each vm
806 -> from hertzner
807.68 -> on screen you can see a simple diagram
810 -> that shows how we are going to add our
811.68 -> bridge to what is already in place
813.6 -> and specified in the server's existing
815.6 -> interfaces file
817.279 -> everything that exists already you can
819.199 -> see depicted above the dotted line
821.6 -> we are simply going to append some code
823.68 -> which you will find in the youtube
825.04 -> description to the end of this
826.48 -> interfaces file to create
828 -> the bridge shown below the dotted line
831.92 -> that will create a bridge called vmbr99
835.04 -> which connects to our existing ethernet
836.959 -> card which in my server is called enp2s0
840.24 -> and from there it forwards messages so
842 -> our bridge can get to the internet
844.56 -> if i briefly show on screen the server's
847.04 -> existing interfaces file
848.56 -> all i want you to do is jot down the
850.32 -> name it has given to your existing
852 -> ethernet card
853.6 -> mine is called enp2s0 which i have
856.399 -> highlighted in yellow
859.36 -> the code that we are going to append to
861.12 -> the interfaces file is shown on screen
863.279 -> now
863.6 -> all you need to do is first change the
865.519 -> two highlighted references to reflect
867.36 -> your ethernet card's name
869.36 -> after appending the bridge code and
871.04 -> rebooting the server to ensure all
872.8 -> changes have taken effect
874.24 -> any vm we then connect to this new
876.079 -> bridge will get full internet access
878.8 -> however at the moment all new
880.399 -> connections from the internet will get
882 -> to the server's ethernet card and just
883.92 -> go to the main server's operating system
886.72 -> if we want certain ports to be
888.32 -> automatically forwarded on to a
889.839 -> particular port on a particular ip
892 -> address on our new bridge we have to
893.839 -> specify that
896.639 -> the sample rule you see on screen now is
899.199 -> processed by the ethernet card shown in
901.279 -> green and any data packets it sees that
903.44 -> are addressed to the server's ip address
905.519 -> on port 80 are forwarded on to the vm
907.68 -> whose ip address
908.88 -> in this case is 10.10.10.10 also on port
912.56 -> 80.
913.6 -> any of the bits in yellow or blue can be
915.76 -> changed we will use versions of the rule
918.079 -> later when we are testing our new bridge
920 -> network with a window 10vm
923.839 -> i will demonstrate on screen you see the
926.72 -> code that we are planning to append to
928.32 -> the interfaces file for our new vmvr 99
931.36 -> bridge a copy of which is in the youtube
933.36 -> description
936 -> however because the youtube description
937.759 -> does not allow greater than signs just
939.839 -> replace the bracketed words greater than
941.839 -> sign with that character
944.959 -> because we saved our connection
946.56 -> information to get to the server's
948.079 -> desktop in a file we can use that icon
950.48 -> to connect
954.31 -> [Music]
959.92 -> once connected we browse over to the
961.839 -> interfaces file
972.62 -> [Music]
984.8 -> and then just paste our new code to the
986.8 -> end of it
997.01 -> [Music]
1004 -> once i have finished i just save and
1008.839 -> exit
1011.36 -> and finally restart the server do not
1013.759 -> select shutdown
1014.72 -> as restarting a switched off server can
1016.72 -> be difficult
1018.18 -> [Music]
1020.24 -> our proxmox server is now fully built
1022.639 -> however to prove it in the linux bridge
1024.4 -> we created as fully functional we need
1026.319 -> to build a test vm
1029.52 -> i have chosen a windows 10 test vm for
1032 -> this purpose
1032.72 -> as being slightly more complex to set up
1034.88 -> with its vert i o drivers than an
1036.64 -> equivalent linux machine it will be a
1038.4 -> more thorough test
1041.439 -> we connect to the desktop of our server
1043.36 -> and start our firefox web browser
1058.72 -> this will take an extra few seconds to
1060.72 -> start up the first time
1062.08 -> so please be patient
1077.2 -> first we browse over to the windows
1079.2 -> stable vert i o
1080.48 -> drivers and download the iso
1084.24 -> google search kept giving me problems so
1086.559 -> i changed the default search engine to
1092.84 -> duckduckgo
1094.46 -> [Music]
1114.07 -> [Music]
1135.79 -> [Music]
1156.08 -> i then downloaded the windows 10 iso
1158.24 -> from microsoft
1177.68 -> [Music]
1191.54 -> [Music]
1198.08 -> still on the server's web browser i
1200.08 -> brought up the proxmox web interface
1202.159 -> logged on
1222 -> and uploaded both isos into proxmox
1245.919 -> so now i create the vm in the normal
1248.08 -> proxmox way
1250.96 -> on the general tab i give the vm a name
1256.559 -> on the os tab i select the windows iso
1259.2 -> under the guest vm section
1260.799 -> select microsoft windows and ensure 10
1263.12 -> shows in the version window
1270.48 -> on the system tab i ensure that bird ios
1273.12 -> csi is showing as the scsi controller
1277.84 -> for hard disk i select bus device shows
1280.48 -> as scsi
1281.52 -> and select cache is right back
1296.08 -> on the cpu tab i give the vm enough
1298.559 -> sockets or cores to run reasonably well
1304.24 -> for the type as i am not needing to
1306 -> transfer the vm to other proxmox servers
1308.48 -> i don't need to keep the default type
1310.24 -> and instead pick the faster host option
1314.24 -> for memory i give it eight gigabytes so
1316.24 -> it can run reasonably quickly
1321.2 -> for network i ensure that the bmvr99 nat
1324.24 -> bridge we built earlier is selected and
1326.159 -> that the network model shows vert io
1328.159 -> para virtualized as selected
1336.32 -> finally i confirm all the settings
1341.52 -> then we go to the hardware tab for our
1343.52 -> vm and add a second cd-rom containing
1346 -> our virt i o driver's iso
1370.72 -> we then select console and start the vm
1373.2 -> it will go to the windows 10 iso
1401.679 -> on this screen you will see that windows
1403.84 -> cannot see the hard disk
1405.36 -> as it doesn't come packaged with vert i
1407.2 -> o drivers
1408.72 -> so we select load driver and ok on the
1411.039 -> following message
1413.919 -> from the list of virt ios csi drivers
1416.64 -> that were found
1417.44 -> it is important we select the windows 10
1419.52 -> 1.
1428.08 -> after the driver loads it can see the
1430 -> hard disk and we proceed to load windows
1432.32 -> in the normal way
1442.48 -> now there is two basic configuration
1444.559 -> tasks i have to do
1445.679 -> which i will demonstrate
1448.799 -> the first is to load the virt i o driver
1451.12 -> in device manager for any devices that
1453.279 -> by a yellow triangle
1454.64 -> shows at present windows as missing
1456.4 -> drivers for
1459.12 -> the second as we have no dhcp server on
1461.84 -> the network to hand out ips
1463.36 -> automatically
1464.159 -> is to allocate a fixed ip in the range
1466.32 -> we set for vmvr 99 to which this vm is
1470.84 -> attached
1485.43 -> [Music]
1493.18 -> [Music]
1505.03 -> [Music]
1513.9 -> [Music]
1529.06 -> [Music]
1542.36 -> [Music]
1552.32 -> for this test vm we use an ip address of
1555.88 -> 10.10.10.10 to make it easy to recall
1558.159 -> later but any ip address between
1561.08 -> 10.10.10.2 and 10.10.10.254 would have
1565.12 -> been fine
1566.4 -> the rest of the details for subnet mask
1568.72 -> gateway and dns
1570 -> servers will always be the same
1588.159 -> i open a web browser just to prove this
1590.4 -> vm can access the internet
1599.98 -> [Music]
1604.32 -> and now to prove port forwarding works i
1606.48 -> firstly enable remote desktop on this
1610.84 -> machine
1612.6 -> [Music]
1620.08 -> and secondly i turn on the web server
1622.24 -> iis or internet information services
1624.64 -> windows feature so i can prove we can
1626.64 -> get to its default page
1628 -> from the internet
1657.46 -> [Music]
1663.63 -> [Music]
1681.44 -> and now by accessing the proxmox server
1683.76 -> from our desktop either using our ssh
1686.159 -> client called putty or by connecting to
1688.159 -> the server's desktop and then running
1689.919 -> the terminal application
1693.12 -> i cut and paste the two port forwarding
1695.12 -> rules i have created
1696.32 -> following the earlier slide
1699.679 -> this first one forwards port 5339 that
1703.52 -> goes to the proxmox server to the vm
1705.6 -> port number 3389
1708.159 -> the rdp remote desktop port
1721.12 -> the second rule forwards any requests to
1723.44 -> our server on port 80 onto the vm
1725.76 -> in this case using the same port our vm
1728.88 -> should return the default iis web server
1731.279 -> page if the connection is working
1744.399 -> the following command lists all if
1746.159 -> table's rules
1765.36 -> this final command saved them however i
1767.679 -> am not sure which rules stay in place
1769.84 -> after a full server reboot
1795.44 -> to test port forwarding of the vm's
1797.44 -> remote desktop i start the remote
1799.36 -> desktop connection software
1800.96 -> put in the proxmox server's ip address
1803.36 -> and port 53389 and press connect
1808.48 -> [Music]
1816.64 -> following entering a valid user name and
1818.88 -> password for the vm
1820.159 -> not the proxmox server i am presented
1822.32 -> with the windows 10 vms desktop
1830.24 -> for the second test i open a web browser
1832.559 -> on my client pc
1833.84 -> and just enter the ip address of the
1835.76 -> server as the web browser uses as
1838.399 -> default port 80 the request is
1840.32 -> automatically forwarded to our windows
1842.159 -> 10 bm and the default iis web page is
1844.799 -> shown
1845.279 -> showing both our port forwarding rules
1847.2 -> work
1849.12 -> in summary we now have a proxmox machine
1851.679 -> in the cloud
1852.399 -> on a hetzner dedicated server all for
1854.399 -> less than 30 euros a month
1857.039 -> check the description for all commands
1858.88 -> you've seen in this video
1862.159 -> thanks for watching if you found this
1864 -> video useful or interesting please hit
1866.08 -> subscribe and smash that bell to be
1868 -> notified of future videos
Source: https://www.youtube.com/watch?v=pgV8B-u9Kps