This guide sets up a Proxmox container (CT) running OpenWRT with the pct create command and configures the OpenWRT firewall to allow SSH and HTTPS access on the WAN interface (eth1). It covers the commands for creating the container and the necessary firewall configuration within OpenWRT.

Container Creation with Proxmox

First, the Proxmox commands for creating the containers:

Container 1

pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --architecture amd64 --ostype unmanaged --hostname openwrt-0 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1

Container 2

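# Container IDs must be unique on a Proxmox node; 102 is used here because 101 is taken by Container 1 (any free ID works).
pct create 102 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --architecture amd64 --ostype unmanaged --hostname openwrt-0 --storage local-lvm \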
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr2,firewall=1

This command creates an unprivileged container with ID 106, using an OpenWRT root filesystem. It configures three network interfaces:

  • eth0: Main LAN interface with a static IP and gateway.
  • eth1: WAN interface on vmbr1, which will be used to allow external SSH and HTTPS access.
  • eth2: Additional network interface.

Firewall Configuration in OpenWRT

For the OpenWRT container to allow SSH (port 22) and HTTPS (port 443) on eth1, you must ensure that eth1 is treated as the WAN interface in OpenWRT's network and firewall settings. Here's how to set up the necessary firewall rules within the OpenWRT system:

  1. Define Network Interfaces in OpenWRT: Ensure eth1 is configured as the WAN interface in /etc/config/network. This might look something like this (OpenWrt 21.02 and later name this option device instead of ifname):

    config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
    
  2. Update Firewall Settings: In /etc/config/firewall, add rules to allow SSH and HTTPS. The rules must apply to traffic coming in on eth1, which should be associated with the wan zone. A stock /etc/config/firewall already defines a wan zone, so edit that section rather than adding a second one. Here's how you would configure the firewall:

    config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
    
    config rule
        option name 'Allow-SSH'
        option src 'wan'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'
    
    config rule
        option name 'Allow-HTTPS'
        option src 'wan'
        option dest_port '443'
        option proto 'tcp'
        option target 'ACCEPT'
    

Applying the Configuration

After editing the configuration files, apply the changes:

  • Restart the network service: /etc/init.d/network restart
  • Reload the firewall: /etc/init.d/firewall restart
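
To review what the edited file exposes on the WAN side, the following added example (not part of the original guide) parses a UCI firewall file and lists every enabled rule that accepts traffic from the wan zone, marking rules that have no src_ip restriction. The function names, the Mgmt-SSH rule and its documentation-range address are assumptions made for illustration.

```sh
# Added example, not from the original page: list enabled rules in a UCI
# firewall file that ACCEPT traffic from the wan zone.
# Output per rule: name|proto|dest_port|scope ("any-source" = no src_ip limit).
audit_wan_rules() {
    awk -v q="'" '
    function unquote(s) { sub("^[\"" q "]", "", s); sub("[\"" q "][ \t]*$", "", s); return s }
    function emit(   scope) {
        if (sect == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" &&
            o["enabled"] != "0") {
            scope = (o["src_ip"] == "") ? "any-source" : "src_ip=" o["src_ip"]
            printf "%s|%s|%s|%s\n", o["name"], o["proto"], o["dest_port"], scope
        }
        split("", o)    # reset options before the next section
    }
    $1 == "config" { emit(); sect = unquote($2); next }
    $1 == "option" || $1 == "list" {
        val = $0; sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", val)
        o[$2] = (o[$2] == "") ? unquote(val) : o[$2] " " unquote(val)
    }
    END { emit() }
    ' "$@"
}

# Constructed sample: the two rules from this page plus one hypothetical rule
# limited to a documentation-range source address.
sample_firewall_config() {
    cat <<'EOF'
config rule
    option name 'Allow-SSH'
    option src 'wan'
    option dest_port '22'
    option proto 'tcp'
    option target 'ACCEPT'
config rule
    option name 'Allow-HTTPS'
    option src 'wan'
    option dest_port '443'
    option proto 'tcp'
    option target 'ACCEPT'
config rule
    option name 'Mgmt-SSH'
    option src 'wan'
    option src_ip '203.0.113.10'
    option dest_port '22'
    option proto 'tcp'
    option target 'ACCEPT'
EOF
}
sample_firewall_config | audit_wan_rules
```

On the router itself, run `audit_wan_rules /etc/config/firewall`; every line ending in any-source is a port reachable from any address on the WAN.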

Final Considerations

  • Security: Ensure you have set strong passwords and consider using key-based authentication for SSH.
  • Testing: After setting up, test the accessibility of SSH and HTTPS from outside your LAN to confirm the firewall rules are working as expected.
  • Backup Configurations: Always keep backups of your configurations before making significant changes.

This setup will configure your Proxmox container with OpenWRT to allow SSH and HTTPS traffic on eth1, ensuring remote management capabilities from the WAN side.