Nested virtualization on Proxmox VE

I am not an expert on this and am still trying to learn to use Proxmox. If you are trying to run GNS3 or EVE-NG, or maybe studying for VMware, you probably want to enable nested hardware virtualization. This means your PVE, as the main hypervisor, can host another hypervisor as a guest VM that can in turn host its own VMs. This reminds me of the movie Inception.

Anyways this feature is disabled by default. You will need access either via console to your PVE or SSH to it.

To verify whether nested virtualization is enabled, use this command:

root@pve:~# cat /sys/module/kvm_intel/parameters/nested 
N

If the output says ‘N’, then it is disabled. To enable the nested virtualization:

For Intel CPU:

root@pve:~# echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf

After issuing the command above, we will need to reload the kernel module by using these commands:

root@pve:~# modprobe -r kvm_intel
root@pve:~# modprobe kvm_intel

At this point, if reloading fails, ensure that all your VMs have been powered off, then try it again.

Once the kernel module reload works, check again whether nested virtualization is enabled:

root@pve:~# cat /sys/module/kvm_intel/parameters/nested 
Y

If it returns ‘Y’, then you are good to go.
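The same procedure as one script, as an added example that is not part of the original post. It goes beyond the Intel-only commands above by also handling the kvm_amd module, and it refuses to reload the module while `qm list` still shows running VMs; `SYSFS_ROOT` and `MODPROBE_DIR` are hypothetical overrides used only for dry runs against a scratch directory.

```sh
#!/bin/sh
# Added example, not from the original post.
# SYSFS_ROOT / MODPROBE_DIR are hypothetical overrides for dry runs.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Print the loaded KVM vendor module: kvm_intel (as in the post) or kvm_amd.
kvm_module() {
    for m in kvm_intel kvm_amd; do
        if [ -r "$SYSFS_ROOT/module/$m/parameters/nested" ]; then
            echo "$m"
            return 0
        fi
    done
    return 1
}

# Print enabled, disabled or unknown. Kernels report Y/N or 1/0.
nested_state() {
    mod=$(kvm_module) || { echo unknown; return 0; }
    case "$(cat "$SYSFS_ROOT/module/$mod/parameters/nested")" in
        Y|1) echo enabled ;;
        *)   echo disabled ;;
    esac
}

# Write the persistent option file, e.g. "options kvm-intel nested=Y".
persist_nested() {
    mod=$(kvm_module) || return 1
    name=$(echo "$mod" | tr '_' '-')
    case "$mod" in
        kvm_intel) val=Y ;;   # value used in the post
        *)         val=1 ;;   # kvm_amd takes a numeric value
    esac
    echo "options $name nested=$val" > "$MODPROBE_DIR/$name.conf"
}

# Read `qm list` output on stdin; print VMIDs whose STATUS is "running".
running_vmids() {
    awk 'NR > 1 && $3 == "running" { print $1 }'
}

# Full procedure: check, persist, reload the module, verify.
enable_nested() {
    if [ "$(nested_state)" = enabled ]; then
        echo "nested virtualization already enabled"
        return 0
    fi
    mod=$(kvm_module) || { echo "kvm_intel/kvm_amd not loaded" >&2; return 1; }
    busy=$(qm list | running_vmids)
    if [ -n "$busy" ]; then
        echo "power off these VMs first:" $busy >&2
        return 1
    fi
    persist_nested && modprobe -r "$mod" && modprobe "$mod" || return 1
    [ "$(nested_state)" = enabled ]
}

if [ "${1:-}" = "--apply" ]; then enable_nested; fi
```

Run it as root on the PVE host with `--apply`; without that argument it only defines the functions.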

When creating a new VM such as GNS3, EVE-NG or ESXi, make sure you select host under CPU type.

Also, this should be enabled by default, but check it anyway. Once you created the VM, navigate to the VM and go to its Options. Make sure that the KVM hardware virtualization is set to Yes.


This is it. Cheers!!!


Plex server discovery from a different subnet

I am using an unRaid server, but as far as I know, this can be done on any Plex app (QNAP or Synology) or container. Okay, I am going to make this short. Installing a Plex server on unRaid is pretty easy. The problem is that if your unRaid server is on a different subnet from the admin user, you will never be able to discover the Plex server.

I am using bin-hex’ Plex container, but it should be the same with others too. What needs to be done is to modify the Preferences.xml file. The .xml file is in the Plex Media Server folder. As long as you can find this folder, you will find the Preferences.xml file. Since I am using bin-hex’ Plex container, the location is /mnt/cache/appdata/binhex-plex/Plex Media Server/Preferences.xml.

Here you will see the file Preferences.xml. I used nano to edit the file. Here are the steps:

  1. Stop the Plex server
  2. Navigate to the location of the Preferences.xml. In my case, it is here: /mnt/cache/appdata/binhex-plex/Plex Media Server/
  3. Before opening the file make a backup of the Preferences.xml
  4. Open the file using your text editor
  5. At the very end of the content, before the />, add the following:
    1. allowedNetworks="your-ip-subnet/netmask"
      1. For example:
      2. <Preferences OldestPreviousVersion=... ... ... allowedNetworks="172.16.0.0/255.240.0.0"/>
  6. Save the .xml and power on the Plex server
  7. GUI to the Plex server and you will see the UI will automatically find the Plex server
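Steps 3 to 5 as a script, added here as an example and not taken from the original post. Plex treats the networks in allowedNetworks as allowed without auth, so the value is worth limiting to the admin subnet; the function names are hypothetical, and the format check is syntactic only.

```sh
#!/bin/sh
# Added example, not from the original post.
# Stop the Plex server before running this and start it again afterwards.

# Accept only a comma-separated list of IP or IP/netmask entries, so nothing
# other than digits, dots, slashes and commas can reach the XML attribute.
valid_networks() {
    entry='[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,3}(\.[0-9]{1,3}){3})?'
    printf '%s\n' "$1" | grep -Eq "^$entry(,$entry)*\$"
}

# set_allowed_networks <Preferences.xml> <networks>
# Backs the file up as <file>.bak, then replaces an existing allowedNetworks
# attribute or inserts a new one just before the closing "/>".
set_allowed_networks() {
    prefs=$1
    nets=$2
    [ -f "$prefs" ] || { echo "no such file: $prefs" >&2; return 1; }
    valid_networks "$nets" || { echo "bad network list: $nets" >&2; return 1; }
    cp -p "$prefs" "$prefs.bak" || return 1
    if grep -q 'allowedNetworks="' "$prefs"; then
        expr="s|allowedNetworks=\"[^\"]*\"|allowedNetworks=\"$nets\"|"
    else
        expr="s|[[:space:]]*/>[[:space:]]*\$| allowedNetworks=\"$nets\"/>|"
    fi
    # Write back through the existing file so owner and mode are preserved.
    sed "$expr" "$prefs.bak" > "$prefs"
}

# Example call, using the path and value from the post:
#   sh plex-allowed.sh \
#     "/mnt/cache/appdata/binhex-plex/Plex Media Server/Preferences.xml" \
#     "172.16.0.0/255.240.0.0"
if [ "$#" -eq 2 ]; then set_allowed_networks "$1" "$2"; fi
```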

 

Cheers!


Proxmox VE for my homelab

I finally spent some money and built a server for my home lab. I have the free ESXi 6.5 on my old N54L server, but what this server can do is very limited: it does not have enough power for real labbing, the free ESXi is very limited, and ESXi in general is really picky in regards to hardware. I don’t even know if the hardware that I recently bought from eBay is on the VMware HCL.

I have been looking for a free and stable hypervisor for my lab. For now my requirements are:

  • Widely supported – hardware wise
  • Will work with my hardware components
    • Intel Xeon E5-2650 v1
    • Supermicro X9SRL-F motherboard
    • Hynix HMT42GR7BFR4C-RD

  • Supports nested virtualization
  • Can be accessed by any device such as iPad/iPhone, Android, PC, Mac and Linux
  • Some enterprise features
  • Easy to use

After Googling for a while, I found XenServer and Proxmox VE to be good candidates.

I tried XenServer at first since it is more widely used in the enterprise than Proxmox VE, and it is very VMware-like. I would say if you are familiar with ESXi, you will find your way around XenServer – just like if you are familiar with Cisco IOS you can configure Force10, Dell VRTX, etc.

I noticed some issues. The first problem that I have with XenServer is XenCenter – it is similar to VMware’s vSphere thick client and it is only available for Windows. I know there is a Python version of XenCenter called OpenXenManager. Again, it is still a desktop client. There is XenOrchestra, a web-based client, but it takes some more resources. XenServer itself requires a lot of resources, which are very limited in my home lab. I thought maybe I should try Proxmox. The good thing about XenServer is that it supports .ova files.

My gut feeling was telling me to try Proxmox, so I went ahead and installed Proxmox VE 5.0. Some nice things about Proxmox VE:

  • I don’t need a third party VM for web UI. Proxmox supports it by default
    • I can access the server from any device
  • It does not require a lot of resources
  • It is Debian underneath, so if you are familiar with Debian or Debian based OS you are at home here. There is no need to learn a new syntax
  • Supports nested virtualization
    • So if you are studying for VMware certification, you can install it on a Proxmox server. I tested it.
  • Backup is built-in
  • Linux containers (LXC) are supported by default
  • I am not going to list all the features here, but Proxmox VE gives you enterprise features for free
  • Support is optional and it is available cheaply

The only thing I do not like with Proxmox is the .ova file support. It does not support .ova. Therefore, if you have an .ova, you would need to convert that to .raw or .qcow2 after transferring it to Proxmox VE. I believe it supports .vmdk though, but not 100% sure.

Anyways, I am pretty happy with my Proxmox homelab. It met all my requirements in regards to access to the server and features. Actually, it offers more features than I need for my purposes. The only thing that it is missing is ova support, but converting it to raw or qcow2 is not difficult.

 

Cheers!


unRaid and OSX slow directory listing

I have been using an unRaid server for several months now, and it works the way I want it to. However, there was one thing that was really annoying: mapping a network drive on my OSX machine.

At first, I thought it was the unRaid server’s fault, but after several days of tinkering, it was my OSX that was slow. In Linux, the folder listing shows up very quickly, and the same with Windows, but not on OSX.

To make this post short, the resolution is by going to:

Finder > View > Show View Options, then uncheck Show icon preview

That pretty much fixed my slow directory/folder listing for me. Hope this simple fix would work with yours.

Cheers!


OpenVPN for Android phone

I am assuming that you already exported the client profile from the OpenVPN server. I am talking about the .ovpn file.

The process is pretty simple. The goal is to import the .ovpn file into the OpenVPN Connect app. Download the OpenVPN Connect app from the Google Play Store. I am lazy, and don’t want to grab the USB cable for my phone.

Now, there are three ways to upload the .ovpn file to an Android phone: via USB, email or a remote access app.

  • USB is pretty straight forward. Just plug it in to your laptop and drag and drop the .ovpn file.
  • Email – you can attach the .ovpn file to an email and send it to yourself. Open the same email on your phone and download the attached .ovpn. Once downloaded, you will find this .ovpn file in the Download folder: Settings > Storage > Explore > Download. I am using a Google Pixel, so the path might be different compared to yours.
  • Remote access app – I used the app called AirDroid. It is a pretty nice app. You can upload the .ovpn file via a web browser. Just remember the location where you uploaded the .ovpn file. Once the app is open in the web browser, I would upload the .ovpn file to Files > Download
    • Here is a youtube video of AirDroid https://youtu.be/51Dti57Z9IY?t=61

Anyways, once we have the .ovpn file on our Android phone, we need to import it into the OpenVPN Connect app. To do so, open the OpenVPN Connect app and click on the three vertical dots in the upper right corner.

Figure 1

In the menu, select Import > Import Profile from SD card.

Figure 2

Figure 3

Navigate to the location of the .ovpn file. In my case, it will be in the Download folder.

Figure 4

Select the .ovpn file for the Android phone, then click on Select.

Figure 5

The profile will have a very long name that looks kind of like gibberish. You can rename the profile by tapping on the Notepad icon and then selecting Rename Profile.

Figure 6

Figure 7

Enter a name that makes sense to you.

Figure 8

Then that is it.

Figure 9

Cheers!!!

OpenVPN for OSX desktop client

I guess we can start with Mac. You can use the Viscosity for $9. You can also use the TunnelBlick which is what I am going to be using here. Download the latest stable release of TunnelBlick, and install it.

Before we start, make sure that you have exported the client vpn profile from OpenVPN server. I got mine from my OPNsense (see the previous post).

Once the TunnelBlick is installed, open the app and you will be prompted with the Welcome message.

Figure 1

Figure 2

After clicking the OK button, the app will be in the menu bar.

Figure 3

Click on it, then select VPN Details. This will open the app.

Figure 4

There are two ways to install the VPN profile. You can either drag and drop the .conf file or right click the .conf file and select TunnelBlick. Either one will install the profile.

You will get a pop-up prompt for the configuration install. Click on Only Me. After this, you may get a prompt to allow the installation by entering the admin user’s credentials.

Figure 5

Figure 6

Once the profile is installed, you can connect to the VPN.

After installing the config file, you can rename it to any name that makes sense to you by clicking on the cog or gear icon > Rename configuration in the lower left corner.

Once you are connected, you can see that the icon will change, and if you hover your pointer over the TunnelBlick icon, you will see some data.

This is pretty much it. Cheers!!!

OPNSense as a VPN server

I recently posted a Raspberry Pi3 as an OpenVPN server. It worked great, but I had some issues that I was still trying to fix (at least, at the time of this writing). Basically, I could not get the Internet access working. I mean it works, but I can only get access to some websites or IP addresses.

Therefore, I tried to find some other alternatives that will let me VPN-in using my laptops (MacOS or Linux) and/or mobile devices such as (iPad/iPhone or Android). I found PFsense and OPNsense firewalls. I already have a firewall, so this post is mainly for remote access VPN. Basically, the sole purpose of this OPNsense/PFsense virtual appliance is to be my SSL VPN concentrator.

I am running this VM on my HP N54L micro server just in case you are wondering.

Here is the network topology:

Figure 1

I am assuming that you have OPNsense/PFsense installed and that you are able to access its webUI. Also, since I am going to use this at home, I’d use DDNS instead of my dynamic public IP. There are DDNS providers that offer free accounts – I use no-ip.

Make sure that you have at least two interfaces – one for the WAN (em0) and the other (em1) for management.

This is optional – by default, the OPNsense/PFsense will create firewall rules and Outbound NAT. In this post, I will be disabling the outbound NAT, since I don’t want to NAT my VPN from the OPNsense to my network. Also, I will create my own firewall rules.

If you do not want to do what I described in the paragraph above, then you are done once you have worked from the beginning through the OpenVPN Server section, and there is no need to continue with the Firewall Rules and Network Address Translation part of this guide.

Make sure that you are forwarding (destination NAT) the port 1194/udp from the Internet inbound to your OPNsense/PFsense firewall. Otherwise, it is not going to work.

Dynamic DNS

Let’s get started – log in to the OPNsense webUI.
Navigate to Services > DNS Tools > DynDNS > Add
Enter all necessary information – see Figure 2
When done click on Save. This will take a few seconds.

Figure 2

Networking

Navigate to System > Gateway > All > Add gateway
Select the WAN interface
Give it a Name
Enter the default gateway IP address in the Gateway field
Check the Default Gateway
Click Save and then Apply changes

Figure 3

Navigate to System > Settings > General
Make sure that you update the timezone

Figure 4

Scroll down and set the DNS servers and select Use gateway from the drop-down menu
Uncheck the Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply

Figure 5

Navigate to Interfaces > [WAN]
Then uncheck the Block private networks
Leave the Block bogon networks checked
Set the IPv4 Configuration Type to Static IPv4

Figure 6

Scroll down and give the WAN interface a static IP and select the IPv4 Upstream Gateway that was set up earlier.
Click Save when done.

Figure 7

Navigate to Interfaces > [LAN]
Set the IPv4 Configuration Type to Static IPv4

Figure 8

Scroll down and give the interface a static IP for management access

Figure 9

OpenVPN Package

We need to download the OpenVPN package. Navigate to System > Firmware > Packages
Select openvpn23 > reinstall icon (the one that looks like a recycle icon)

Figure 10

Certificates

We need to create the CA certificate and the OpenVPN server certificate. Navigate to System > Trust > Authorities > Add or import CA
Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu.
Enter the necessary information as shown in Figure 11 and 12 then click Save

Figure 11

Figure 12

To create the OpenVPN server certificate, navigate to System > Trust > Certificates > Add or import certificates

  1. Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu
  2. Under the Certificate authority’s drop-down menu, select the CA that was created earlier
  3. The Type should be Server Certificate

Figure 13

VPN Users

Now, we need to create the VPN users.
Navigate to System > Access > Users
Click the + symbol to add a user

Figure 14

Enter only the following:

  • Username
  • Password
  • Expiration (optional)
  • Make sure that you put a check mark on Certificate > Click to create a user certificate

Figure 15

Figure 16

Since you marked Click to create a user certificate, after clicking Save it will take you automatically to System > Trust > Certificates

From here, make sure that you change the Method to Create an internal certificate
It should auto-populate the rest of the fields for you. All you need to do is click Save

Figure 17

After clicking Save, it will bring you back to the user creation page (Figure 15 and Figure 16). From here, just click Save

OpenVPN Server

Now we need to create the OpenVPN server. Navigate to VPN > OpenVPN > Servers > Add server

Under General Information, set the Server Mode to Remote Access (SSL/TLS). The rest of the information should be automatically populated.

Figure 18

Under the Cryptographic Settings, make sure to select the OpenVPN server certificate that was created earlier from the Server Certificate drop-down menu.
The rest of the fields should already be auto-populated, but modify them if needed for better security as shown below

Figure 19

Under the Tunnel Settings, do the following:

  1. IPv4 Tunnel Network – this is the IP pool from which the VPN users are going to get their IP addresses
  2. IPv4 Local Network – these are the resources that the VPN users will have access to. You can add multiple subnets separated by a comma
  3. Redirect Gateway – enabling this will remove the IPv4 Local Network and it will tunnel all the traffic to the VPN tunnel
    1. You probably guessed it already. Leaving ‘Redirect Gateway’ disabled, the VPN traffic will be set to split tunneling (this is the default)
  4. Concurrent connections – this is the number of allowed connections that can connect to the VPN server
  5. Compression – should be set to Enable with Adaptive Compression

Figure 20
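A client-side check of the Redirect Gateway choice described above, added here as an example and not taken from the original post. It assumes a Linux client with iproute2 and a tun interface, and it treats either a default route on the tunnel or the 0.0.0.0/1 plus 128.0.0.0/1 pair that OpenVPN's redirect-gateway def1 installs as full tunneling; the sample route table and its addresses are constructed.

```sh
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: split tunnel, tunnel network 10.8.0.0/24,
# IPv4 Local Network 172.16.0.0/12.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50'

# Read `ip -4 route show` output on stdin and print:
#   full  - all traffic goes through the tunnel (Redirect Gateway enabled)
#   split - only the pushed subnets go through the tunnel
#   down  - no route uses a tun interface
tunnel_mode() {
    awk '
        / dev tun/ { seen = 1 }
        $1 == "default" && / dev tun/ { full = 1 }
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && / dev tun/ { half++ }
        END {
            if (full || half == 2) print "full"
            else if (seen)         print "split"
            else                   print "down"
        }'
}

# Print the prefixes routed through the tunnel, leaving out the tunnel
# network itself, to compare against the IPv4 Local Network field.
tunnel_prefixes() {
    awk '/ dev tun/ && !/proto kernel/ { print $1 }'
}

# Run against the live routing table of a connected client.
if [ "${1:-}" = "--live" ]; then
    ip -4 route show | tunnel_mode
    ip -4 route show | tunnel_prefixes
fi
```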

Under Client Settings, mark the following: Dynamic IP, Address Pool, and Topology. Mark the DNS Servers if you have preferred DNS servers, as shown in Figure 21

Figure 21

Under Advanced Configuration,

Figure 22

At this point, everything is good to go. What is missing is exporting the users’ profiles. Navigate to VPN > OpenVPN > Client Export

  1. Select the OpenVPN server you have created from the Remote Access Server drop-down menu. If you created just one server, then it should already be selected
  2. Select the DDNS that was created at the beginning of this post from the Host Name Resolution drop-down menu
  3. Leave everything as is. Scroll down at the bottom and you will see the users you have created
  4. Select the type of profile you will need for the user in the Export column

Firewall Rules and Network Address Translation

I am going to disable the outbound NAT and will create my own firewall rules. Now, before I disable my NAT, I had a static route for the OpenVPN subnet with the next-hop IP of the WAN interface of the OPNsense.

To disable source NAT (outbound NAT), navigate to Firewall > NAT > Outbound
Select the Disable outbound NAT rule generation then click Save

Figure 23

The firewall rule is very simple. It is just an inbound rule on the WAN interface. Basically, what you need is the second line. I have the third line because I created two OpenVPN servers for two different purposes.

Figure 24

These are the OpenVPN firewall rules. I disabled the default ‘allow all’ rule and created several rules for specific needs

Figure 25

I believe this is it. Hope you will find this helpful. Cheers!!!