Homelab | Low-level design—Proxmox

1. Introduction

Following on from the “Architecture design and implementation – High-level design” chapter, this part covers the under-cloud side: the local environment is a Proxmox host running several VMs with different roles, plus a number of Docker containers with different functions inside those VMs. The pieces are as follows:

  • Proxmox VE, the hypervisor host (installation and configuration below); feature-rich and roughly comparable to VMware vSphere
  • Debian VM, the main Linux system here; Debian is the stable upstream that Ubuntu is derived from, and is well suited to production use
  • OpenMediaVault, an open-source lightweight NAS system
  • OpenWrt, providing a (non-transparent) proxy service for the other services to use
  • Win10, a graphical workstation
  • Raspberry Pi, running on bare metal with multiple ARM-architecture Docker applications

2. Deployment

1 Proxmox, Installation and Configuration

After installation, getting it running is relatively simple. The network-related configuration is the part worth documenting: in my environment the host reaches the home network over wireless, with wpa_supplicant configured beforehand.

root@pve01:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto wlp0s20f3
iface wlp0s20f3 inet dhcp
        wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

auto vmbr0
iface vmbr0 inet static
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

auto vmbr999
iface vmbr999 inet static
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # internal-only bridge: no physical port, the host routes for the VMs behind it
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # ACCEPT as the default policy for INPUT and FORWARD leaves the host and all
        # forwarded VM traffic unfiltered; rely on the Proxmox firewall or add explicit rules
        post-up iptables -P INPUT ACCEPT
        post-up iptables -P FORWARD ACCEPT
        # source NAT: one MASQUERADE pair per internal subnet (-s <subnet>) that goes out via the WiFi uplink
        post-up   iptables -t nat -A POSTROUTING -s '' -o wlp0s20f3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '' -o wlp0s20f3 -j MASQUERADE
        post-up   iptables -t nat -A POSTROUTING -s '' -o wlp0s20f3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '' -o wlp0s20f3 -j MASQUERADE
        # address-based DNAT, currently disabled; post-down uses -D so ifdown removes what post-up added
        #post-up iptables -t nat -A PREROUTING -d -j DNAT --to-destination
        #post-up iptables -t nat -A PREROUTING -d -j DNAT --to-destination
        #post-up iptables -t nat -A PREROUTING -d -j DNAT --to-destination
        #post-up iptables -t nat -A PREROUTING -d -j DNAT --to-destination
        #post-up iptables -t nat -A PREROUTING -d -j DNAT --to-destination
        #post-down iptables -t nat -D PREROUTING -d -j DNAT --to-destination
        #post-down iptables -t nat -D PREROUTING -d -j DNAT --to-destination
        #post-down iptables -t nat -D PREROUTING -d -j DNAT --to-destination
        #post-down iptables -t nat -D PREROUTING -d -j DNAT --to-destination
        #post-down iptables -t nat -D PREROUTING -d -j DNAT --to-destination
        # destination NAT: forward RDP (3389) and SMB (445) arriving on the WiFi uplink to a VM.
        # Both are high-value ports; add -s <trusted source> or reach the VM over WireGuard instead
        post-up iptables -t nat -A PREROUTING -i wlp0s20f3 -p tcp --dport 3389 -j DNAT --to
        post-down iptables -t nat -D PREROUTING -i wlp0s20f3 -p tcp --dport 3389 -j DNAT --to
        post-up iptables -t nat -A PREROUTING -i wlp0s20f3 -p tcp --dport 445 -j DNAT --to
        post-down iptables -t nat -D PREROUTING -i wlp0s20f3 -p tcp --dport 445 -j DNAT --to

Configuration Logic:

  • The wireless NIC, wlp0s20f3, is the uplink: it joins the home WiFi through the wpa_supplicant service configured earlier and gets its address by DHCP
  • The wired NIC, enp1s0, is bridged into the vmbr0 virtual switch
  • A second virtual switch, vmbr999, has no physical port and carries the other VM NICs; the host routes for it (ip_forward = 1)
  • The virtual network segments behind vmbr999 reach the Internet through source NAT (MASQUERADE) on the wireless uplink
  • Destination NAT on the wireless NIC (the "NAT server" rules) forwards RDP 3389 and SMB 445 to a VM so it can be reached directly from the upstream network. Both are high-value services: either add a -s match for the trusted client address or drop the forwards and reach the VM over the WireGuard tunnel instead, and keep in mind that the ACCEPT default policies on INPUT and FORWARD leave everything else unfiltered
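As an added example, not part of the original page, the check I would run on the Proxmox host after ifup: it reads `iptables -t nat -S PREROUTING` and flags every DNAT forward that has no -s source match, i.e. every port that anyone able to reach the uplink interface can hit. The rule listing below is constructed sample output in the format iptables prints; 10.99.0.10, 10.99.0.20 and 192.168.1.50 are assumed addresses, since the real ones are not shown above.

```shell
#!/bin/sh
# Audit the nat PREROUTING chain for DNAT forwards that accept any source.
# Usage on a live host:  iptables -t nat -S PREROUTING | audit_dnat

# Constructed sample of `iptables -t nat -S PREROUTING` output (addresses assumed).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i wlp0s20f3 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.99.0.10:3389
-A PREROUTING -s 192.168.1.50/32 -i wlp0s20f3 -p tcp -m tcp --dport 445 -j DNAT --to-destination 10.99.0.10:445
-A PREROUTING -i wlp0s20f3 -p udp -m udp --dport 51820 -j DNAT --to-destination 10.99.0.20:51820'

# Reads iptables -S output on stdin and prints one line per DNAT rule:
#   EXPOSED|RESTRICTED in=<iface> proto=<p> dport=<port> to=<dest> src=<match>
# A rule with no -s matches 0.0.0.0/0, so it is reported as EXPOSED.
audit_dnat() {
    awk '
    /^-A PREROUTING / && / -j DNAT / {
        iface = "any"; proto = "?"; dport = "?"; dest = "?"; src = "0.0.0.0/0"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
        }
        status = (src == "0.0.0.0/0") ? "EXPOSED" : "RESTRICTED"
        printf "%s in=%s proto=%s dport=%s to=%s src=%s\n", status, iface, proto, dport, dest, src
    }'
}

# Number of forwards in the sample that anyone on the uplink can reach.
exposed_count() {
    printf '%s\n' "$SAMPLE_RULES" | audit_dnat | grep -c '^EXPOSED'
}

# Number of forwards in the sample that are limited to a specific source.
restricted_count() {
    printf '%s\n' "$SAMPLE_RULES" | audit_dnat | grep -c '^RESTRICTED'
}

printf '%s\n' "$SAMPLE_RULES" | audit_dnat
```

In the sample only the SMB forward carries a source match; the RDP and WireGuard forwards are reported as EXPOSED, which is exactly the state the post-up rules above produce for 3389 and 445.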

2 Debian VM

This VM is the main Linux system and hosts a handful of important applications, each installed with Docker:

  • FRP client (frpc), which connects to the host in the cloud, establishes the FRP tunnel and acts as the secondary reverse proxy
docker run --restart=always --network host -d -v /root/frpc_free_terminal.ini:/etc/frp/frpc.ini --name mele3q_frpc_free_terminal snowdreamtech/frpc

sam@debian:~$ more frpc_free.ini
[common]
server_addr = xxx.samliu.tech
server_port = 1234
token = xxxxxooooo

# Penetrate intranet services that require web access, such as the management interface of Synology NAS DSM.
# Each proxy needs its own [name] section; the section names used here are placeholders.
[blog]
type = http
local_ip =
local_port = 80
custom_domains = *.samliu.tech
subdomain = blog

# Publish the WireGuard listener (51820/udp in this VM) as port 9853/udp on the frps host
[wireguard]
type = udp
local_ip =
local_port = 51820
remote_port = 9853
  • Nginx Proxy Manager (NPM), which acts as the tertiary reverse proxy and forwards to the real back-end service. Its admin UI on port 81 is published on every interface in the compose file below; bind it to 127.0.0.1:81 or restrict it with the host firewall so it is only reachable over the VPN, because whoever controls NPM controls the routing of every hostname behind it.
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
  • Next Terminal, a web-based device management platform (bastion host) supporting RDP, SSH and more. It holds the credentials of every host it manages, so keep its port 8088 reachable only over the VPN rather than publishing it through NPM and frp.

version: '3.3'
services:
  # guacd is referenced by GUACD_HOSTNAME below; the next-terminal service name is assumed
  guacd:
    image: dushixiang/guacd:latest
    volumes:
      - /home/sam/next-terminal/data:/usr/local/next-terminal/data
  next-terminal:
    image: dushixiang/next-terminal:latest
    environment:
      DB: sqlite
      GUACD_HOSTNAME: guacd
      GUACD_PORT: 4822
    ports:
      - "8088:8088"
    volumes:
      - /etc/localtime:/etc/localtime
      - /home/sam/next-terminal/data:/usr/local/next-terminal/data
  • WireGuard, a next-generation VPN solution that supports both remote-access and site-to-site VPN, connects into the intranet and is easy to manage. Peers do not reach the VM's 51820/udp directly: the frpc udp proxy above publishes it as port 9853/udp on the cloud frps host, which is why SERVERPORT is 9853 while the container still listens on 51820.

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules, i.e. it is effectively root on the host;
      # drop it together with the /lib/modules mount on kernels that already ship wireguard (5.6+)
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Shanghai
      - SERVERURL= #optional
      - SERVERPORT=9853 #optional, the port peers connect to (the frps remote_port)
      - PEERS=3 #optional
      - PEERDNS= #optional
      - INTERNAL_SUBNET= #optional
      - ALLOWEDIPS=,, #optional
      - LOG_CONFS=true #optional
    volumes:
      - /home/sam/wireguard-appdata/config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
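The frpc.ini above is what decides which local ports end up reachable from the Internet through the cloud frps, so it is worth being able to list that quickly. The following is an added example, not code from the page or from the frp project: an awk-based summary of an frpc.ini that prints, per proxy, the local endpoint and what binds it on the frps side (subdomain or custom_domains for http/https, remote_port for tcp/udp) and marks a proxy as MISSING when that binding is absent. The ini text, section names and addresses are constructed for the example.

```shell
#!/bin/sh
# Summarise what an frpc.ini publishes through frps.
# Usage on the VM:  frpc_summary < /root/frpc_free_terminal.ini

# Constructed sample frpc.ini (names, host and addresses are made up).
FRPC_SAMPLE='[common]
server_addr = frps.example.invalid
server_port = 1234
token = change-me

[blog]
type = http
local_ip = 127.0.0.1
local_port = 80
subdomain = blog

[wireguard]
type = udp
local_ip = 127.0.0.1
local_port = 51820
remote_port = 9853

[broken]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
'

# Reads an frpc.ini on stdin and prints one line per proxy section:
#   <name> <type> <local_ip>:<local_port> -> <binding>
# where <binding> is "subdomain X", "domains X", "remote_port N" or "MISSING".
frpc_summary() {
    awk '
    function flush() {
        if (name != "" && name != "common") {
            binding = ""
            if (type == "http" || type == "https") {
                if (subdomain != "") binding = "subdomain " subdomain
                else if (domains != "") binding = "domains " domains
            } else if (remote != "") {
                binding = "remote_port " remote
            }
            if (binding == "") binding = "MISSING"
            printf "%s %s %s:%s -> %s\n", name, type, lip, lport, binding
        }
        name = ""; type = ""; lip = ""; lport = ""; subdomain = ""; domains = ""; remote = ""
    }
    /^[ \t]*\[/ { flush(); sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); name = $0; next }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
        split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]/, "", key)
        val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "type") type = val
        else if (key == "local_ip") lip = val
        else if (key == "local_port") lport = val
        else if (key == "subdomain") subdomain = val
        else if (key == "custom_domains") domains = val
        else if (key == "remote_port") remote = val
    }
    END { flush() }'
}

# Number of proxies in the sample that have no frps-side binding at all.
frpc_missing_count() {
    printf '%s\n' "$FRPC_SAMPLE" | frpc_summary | grep -c 'MISSING$'
}

printf '%s\n' "$FRPC_SAMPLE" | frpc_summary
```

Run against the real file, the two lines of interest are the http proxy in front of NPM (port 80) and the udp proxy that publishes WireGuard as remote_port 9853; anything else that shows up is an exposure you did not plan.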

3 OpenMediaVault VM

Install openmediavault on Proxmox

4 OpenWrt VM


5 Raspberry Pi

ARM-architecture hardware with numerous Docker-based applications installed, such as this Pi Dashboard: https://pidashboard.samliu.tech/

3. Other/references

iGPU Passthrough to VM (Intel Integrated Graphics)

How to Install Proxmox VE
