Adding VPN access
A homelab is useful, but we are not always at home, so we need access from another location.
The safest way to ensure network access is setting up a VPN tunnel over the internet.
We used WireGuard for that, and our Proxmox server to host it in an efficient way.
Note that this tunnel can also help secure connections over unsafe wifi networks.
Create an LXC instance for the VPN
Logged in as a privileged user on the Proxmox GUI, click "Create CT" to create a new container. Choose a container name (mine was creatively called vpnserver) and be sure to connect the container to the LAN network bridge (vmbr0). The container needs a fixed IP, so either reserve an IP address in your router, or assign a fixed IP yourself.
I used an Alpine LXC template for this container and assigned the following resources:
- 128 MB memory
- 128 MB swap
- 1 core CPU (limit to 0.25)
- 4 GB disk space
The memory seems to be overkill for a WireGuard container, but a continuously swapping server is not what you want. As memory is important for a stable connection, this is a no-brainer.
Since this server will hardly ever store data, 4 GB of storage is more than enough for the OS and its updates.
Set the root password to your standards. Keep in mind that this system is open to the internet, so a strong password is advised.
Install pivpn
You could try to configure WireGuard by hand, but if you want to go the easy route, just install pivpn. Even I thought that pivpn was only for the Raspberry Pi. Nope, it works like a charm here too: just install and enjoy.
It will handle it all for you...
Before installing pivpn, we need to fulfill some prerequisites:
apk add curl
apk add bash
Installation instructions can be found at:
After the installation is finished, the wizard will take you through the steps of your system configuration.
Configure clients
Adding clients is very easy, just run "pivpn add" and follow the steps.
Configure port forwarding of the chosen port on your modem or router to the IP address of your vpnserver.
Load the client profile on your client device (like your phone) and enjoy.
You can also create the container in the NAT network of the Proxmox server, but then you will not be able to access it directly from the outside.
You will need to add a firewall rule on the Proxmox server to forward traffic to the container:
iptables -t nat -A PREROUTING -d <ip-of-proxmox>/32 -p udp -m udp --dport 51820 -j DNAT --to-destination <ip-of-vpncontainer>:51820
Forward the port on your internet router to the same port on the Proxmox server.
A configuration on vmbr0 (LAN) is the easiest to troubleshoot if anything goes wrong.
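For the NAT variant above, a quick way to confirm that the WireGuard forward is the only DNAT rule reaching the container is to audit the output of `iptables-save -t nat`. This is an added example, not part of the original post or of pivpn; the function name `audit_dnat`, the host IP 192.0.2.10 and the container IP 10.10.10.2 are assumptions, and the sample rules are constructed.

```sh
#!/bin/sh
# Added example. Constructed values: host IP 192.0.2.10, container IP 10.10.10.2.

# audit_dnat <container-ip> <wg-port>: reads `iptables-save -t nat` output on stdin.
# Exit status: 0 = only the WireGuard forward reaches the container,
#              1 = some other DNAT rule also targets it, 2 = WireGuard forward missing.
audit_dnat() {
    awk -v ip="$1" -v port="$2" '
    $1 == "-A" && $2 == "PREROUTING" {
        proto = ""; dport = ""; dest = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        if (target != "DNAT") next
        n = split(dest, d, ":")
        if (d[1] != ip) next          # rule forwards to some other host
        if (proto == "udp" && dport == port && (n == 1 || d[2] == port)) {
            ok = 1; print "OK " $0
        } else {
            bad = 1; print "UNEXPECTED " $0
        }
    }
    END { if (bad) exit 1; if (!ok) exit 2 }'
}

# Constructed sample: the rule from this page plus an extra forward of SSH to the container.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p udp -m udp --dport 51820 -j DNAT --to-destination 10.10.10.2:51820
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.10.10.2:22
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT
EOF
}

# Demo on the constructed sample; on a real host use: iptables-save -t nat | audit_dnat <ip> 51820
sample_rules | audit_dnat 10.10.10.2 51820 || echo "audit exit status: $?"
```

Rules that use `--dports` (multiport) or an address range in `--to-destination` are not parsed by this sketch; multiport rules are reported as UNEXPECTED, range targets are skipped.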