{"id":6463,"date":"2025-12-06T16:44:32","date_gmt":"2025-12-06T15:44:32","guid":{"rendered":"https:\/\/roccadomenico.it\/wordpress\/?p=6463"},"modified":"2025-12-08T09:33:11","modified_gmt":"2025-12-08T08:33:11","slug":"proxmox-openvpn-per-collegare-vpn","status":"publish","type":"post","link":"https:\/\/roccadomenico.it\/wordpress\/proxmox-openvpn-per-collegare-vpn\/","title":{"rendered":"Proxmox OPENVPN to connect to the VPN"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"6463\" class=\"elementor elementor-6463\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f7aa224 e-flex e-con-boxed e-con e-parent\" data-id=\"f7aa224\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e71dea7 elementor-widget elementor-widget-text-editor\" data-id=\"e71dea7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I have <span style=\"color: #000000;\"><strong>machine B<\/strong><\/span> <strong><span style=\"color: #000000;\">(Proxmox server)<\/span><\/strong>, which runs a Home Assistant VM and is connected to the internet from a non-public network, so it is not reachable from outside.<\/p><p>GOAL: connect it to <span style=\"color: #000000;\"><strong>machine A (OpenVPN server)<\/strong><\/span> so that it sits permanently in a tunnel with my network and can be reached over the VPN.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-445c66c e-flex e-con-boxed e-con e-parent\" data-id=\"445c66c\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-abbb185 elementor-widget elementor-widget-text-editor\" 
data-id=\"abbb185\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Install OpenVPN on machine B (Proxmox):<\/p><p><strong><span style=\"color: #000000;\">apt update<\/span><\/strong><br \/><strong><span style=\"color: #000000;\">apt install openvpn -y<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-875aa24 e-flex e-con-boxed e-con e-parent\" data-id=\"875aa24\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8d220cd elementor-widget elementor-widget-text-editor\" data-id=\"8d220cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>On the OpenVPN server, create the file <strong><span style=\"color: #000000;\">openvpn_proxmox1.ovpn<\/span><\/strong> and rename it to <strong><span style=\"color: #000000;\">openvpn_proxmox1.config<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-df191f8 e-flex e-con-boxed e-con e-parent\" data-id=\"df191f8\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b00b6eb elementor-widget elementor-widget-text-editor\" data-id=\"b00b6eb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Place the .config file in <strong><span style=\"color: 
#000000;\">\/etc\/openvpn\/client<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b79ab1e e-flex e-con-boxed e-con e-parent\" data-id=\"b79ab1e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-91cbf15 elementor-widget elementor-widget-text-editor\" data-id=\"91cbf15\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Start the server<\/p><p><strong><span style=\"color: #000000;\">systemctl start openvpn-client@openvpn_proxmox1<\/span><\/strong><\/p><p>Check the server status<\/p><p><strong><span style=\"color: #000000;\">systemctl status openvpn-client@openvpn_proxmox1<\/span><\/strong><\/p><p>To start it automatically when Proxmox boots<\/p><p><strong><span style=\"color: #000000;\">systemctl enable openvpn-client@openvpn_proxmox1<\/span><\/strong><\/p><p>Restart the server<\/p><p><strong><span style=\"color: #000000;\">systemctl restart openvpn-client@openvpn_proxmox1<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-728b3df e-flex e-con-boxed e-con e-parent\" data-id=\"728b3df\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-61333aa elementor-widget elementor-widget-text-editor\" data-id=\"61333aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>At this point, verify that the tunnel works<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div 
class=\"elementor-element elementor-element-8be6367 e-flex e-con-boxed e-con e-parent\" data-id=\"8be6367\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7efad84 elementor-widget elementor-widget-text-editor\" data-id=\"7efad84\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Check the tunnel<\/p><p><strong><span style=\"color: #000000;\">ip a show tun0<\/span><\/strong><\/p><p>the output should look something like:<\/p><p><em>default qlen 500<\/em><br \/><em>link\/none <\/em><br \/><em>inet 10.8.0.3\/24 scope global tun0<\/em><br \/><em>valid_lft forever preferred_lft forever<\/em><br \/><em>inet6 fe80::8b6e:9089:24ab:8656\/64 scope link stable-privacy proto kernel_ll <\/em><br \/><em>valid_lft forever preferred_lft forever<\/em><\/p><p>where 10.8.0.3 is the IP of machine B in the VPN<\/p><p>Check whether the port can be reached from another PC<\/p><p><strong><span style=\"color: #000000;\">nc -vz 10.8.0.3 8006<\/span><\/strong><\/p><p>it should return<\/p><p><em>connection to 10.8.0.3\u00a0 8006 port tcp* succeeded<\/em><\/p><p>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d5047b1 e-flex e-con-boxed e-con e-parent\" data-id=\"d5047b1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8a1ecef elementor-widget elementor-widget-text-editor\" data-id=\"8a1ecef\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong><span style=\"color: #ff0000;\">Part that is not always 
necessary:<\/span><\/strong><\/p><p>because<\/p><ol data-start=\"403\" data-end=\"467\"><li data-start=\"403\" data-end=\"467\"><p data-start=\"406\" data-end=\"467\">Proxmox has a \u201ctrusted networks\u201d \/ ALLOW_FROM check<\/p><\/li><\/ol><ul data-start=\"469\" data-end=\"582\"><li data-start=\"469\" data-end=\"554\"><p data-start=\"471\" data-end=\"554\">For security reasons, Proxmox does not accept HTTPS requests from unexpected IPs.<\/p><\/li><li data-start=\"555\" data-end=\"582\"><p data-start=\"557\" data-end=\"582\">The directive is located in: <span style=\"color: #000000;\"><strong>\/etc\/default\/pveproxy<\/strong><\/span><\/p><\/li><\/ul><p>if the pveproxy file does not exist, create it with nano and add the following directive:<\/p><p><strong><span style=\"color: #000000;\">ALLOW_FROM=10.8.0.0\/24<\/span><\/strong><\/p><p>save and restart pveproxy<\/p><p><strong><span style=\"color: #000000;\">systemctl restart pveproxy<\/span><\/strong><\/p><p><strong><span style=\"color: #000000;\">systemctl status pveproxy<\/span><\/strong><\/p><p>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c380206 e-flex e-con-boxed e-con e-parent\" data-id=\"c380206\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d920aed elementor-widget elementor-widget-text-editor\" data-id=\"d920aed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>At this point machine B (the Proxmox server) is correctly in the tunnel and reachable even though it is not behind a public IP.<\/p><p>For now, however, we can reach only port 8006.<\/p><p>Home Assistant runs on a different IP (created by Proxmox).<\/p><p>We need to make the HA machine 
reachable in the same way as well.<\/p><p>We will therefore set up <strong><span style=\"color: #000000;\">direct routing to the VM's subnet<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-242f953 e-flex e-con-boxed e-con e-parent\" data-id=\"242f953\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4dbbb12 e-flex e-con-boxed e-con e-parent\" data-id=\"4dbbb12\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-30477e3 elementor-widget elementor-widget-text-editor\" data-id=\"30477e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Suppose the local IP of HA in the VM is 192.168.123.134 and that the network interface is\u00a0<\/p><p><span style=\"color: #000000;\"><strong>sysctl -w net.ipv4.ip_forward=1<\/strong><\/span><br \/><span style=\"color: #000000;\"><strong>echo &quot;net.ipv4.ip_forward=1&quot; &gt;&gt; \/etc\/sysctl.conf<\/strong><\/span><\/p><p>Create the iptables rules for port forwarding<\/p><p># Port forwarding from the VPN tunnel (tun0) to the VM<br \/><strong><span style=\"color: #000000;\">iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 8123 -j DNAT --to-destination 192.168.123.134:8123<\/span><\/strong><\/p><p># Masquerading (NAT) so that replies return correctly<br \/><strong><span style=\"color: #000000;\">iptables -t nat -A POSTROUTING -o vmbr0 -p tcp --dport 8123 -d 192.168.123.134 -j MASQUERADE<\/span><\/strong><\/p><p>Note: replace <span style=\"color: #000000;\"><code data-start=\"1146\" 
data-end=\"1153\">vmbr0<\/code><\/span> with the correct bridge if your VM is on a different bridge.<\/p><p>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cfacf5b e-flex e-con-boxed e-con e-parent\" data-id=\"cfacf5b\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-723143d elementor-widget elementor-widget-text-editor\" data-id=\"723143d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"1507\" data-end=\"1590\"><strong>Making the rules persistent<\/strong><\/p><p data-start=\"1507\" data-end=\"1590\">iptables rules <strong data-start=\"1526\" data-end=\"1551\">disappear on reboot<\/strong>.<br data-start=\"1552\" data-end=\"1555\" \/>To make them permanent you can use:<\/p><p data-start=\"1507\" data-end=\"1590\"><strong><span style=\"color: #000000;\">apt install iptables-persistent<\/span><\/strong><br \/><strong><span style=\"color: #000000;\">netfilter-persistent save<\/span><\/strong><\/p><p data-start=\"1507\" data-end=\"1590\">to disable the service that loads the rules automatically<\/p><p data-start=\"1507\" data-end=\"1590\"><strong><span style=\"color: #000000;\">systemctl disable netfilter-persistent<\/span><\/strong><\/p><p data-start=\"1507\" data-end=\"1590\">\u00a0<\/p><p data-start=\"1507\" data-end=\"1590\">to permanently remove the rules that were previously made persistent<\/p><p data-start=\"1507\" data-end=\"1590\"><strong><span style=\"color: #000000;\">apt remove --purge iptables-persistent<\/span><\/strong><br \/><strong><span style=\"color: #000000;\">rm -rf \/etc\/iptables<\/span><\/strong><\/p><p data-start=\"1507\" data-end=\"1590\">finally<\/p><p data-start=\"1507\" 
data-end=\"1590\"><strong><span style=\"color: #000000;\">systemctl reload netfilter-persistent<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>I have machine B (Proxmox server), which runs a Home Assistant VM and is connected to the internet from a non-public network, so it is not reachable from outside. GOAL: connect it to machine A (OpenVPN server) so that it sits permanently in a tunnel with my network and can be reached over the VPN. Install OpenVPN on machine B (Proxmox) apt 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[30],"tags":[],"class_list":["post-6463","post","type-post","status-publish","format-standard","hentry","category-informatica"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/posts\/6463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/comments?post=6463"}],"version-history":[{"count":10,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/posts\/6463\/revisions"}],"predecessor-version":[{"id":6476,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/posts\/6463\/revisions\/6476"}],"wp:attachment":[{"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/media?parent=6463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/categories?post=6463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/roccadomenico.it\/wordpress\/wp-json\/wp\/v2\/tags?post=6463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}