Change Log
Sept. 17, 2023
- Complete rewrite of the Create an OWASP Juice Shop Container in Proxmox step
- Now shows the reader how to set up and manage a Dockerized install of OWASP Juice Shop on LXC, greatly simplifying the installation and upkeep of the server
Sept. 13, 2023
- Updated the Create a pfSense Firewall for Our Proxmox Lab step with prompts added by Netgate when configuring the interface IPs, as there were some minor discrepancies that might be confusing to some.
Aug. 29, 2023
- Proxmox VE 8 runs on top of Debian 12 —
bookworm
— whereas Proxomx VE 7 ran on top of Debian 11 —bullseye
. - Changed references of
bullseye
tobookworm
in specific areas of the project to reflect the change to Proxmox VE 8. - Updated the title from
Proxmox VE 7...
toProxmox VE 8...
Looking for My VirtualBox Guide?

Honorable Mentions
- Check out @Dewalt’s PimpMyKali script to make your Kali VMs so much better
- @Tank1334 for QA testing and feedback
- @dfir-jesseee from the Black Hills Information Security Discord server for QA testing and feedback
- @Jj19101 for QA testing and feedback
- @Blund from the TCM Security Discord Server for QA testing and feedback
- @Admiral Awesome from the InfoSec Prep Discord Server for QA testing and feedback
- @ip3c4c for QA testing, feedback, and his own additions to this lab guide documented at his blog
Foreword
You could follow this guide successfully to get up and running with an old desktop computer or a dedicated server. A few things might change on your end like disk partitioning or format types (eg. ZFS or ext4). Should mostly stay the same otherwise.
I would recommend a system with at least:
- A somewhat current i7 CPU
- 16 GB RAM
- 500 GB SSD storage
- More than one disk would be preferred
- A smaller disk for the Proxmox installation
- A larger disk to store the guest disks
- More than one disk would be preferred
- Again, SSDs would be best
All networks are also not created equal. I would recommend at least:
- A good connection speed
- A capable router with more advanced configuration options
Prerequisites
Host
A host system to run Proxmox (an old laptop if you are following this guide for that purpose); preferably a system with a decent processor and enough RAM. You could use a desktop computer or an old server – tower or rackmount as well.
My Production Home Server
I run my production instance of Proxmox on this server:

- A single Intel Xeon D-1541
- 128 GB RAM
- 256 GB SSD OS Disk
- 2 TB, 4 disk SATA array, ZFS Raid-Z2
- 4 port network interface card
It's not much – certainly not compared to many home labs I've seen. I would love to upgrade eventually, but that has not happened for a variety of reasons.
That is why we are doing this exercise – to show that you do not need to start with anything fancy to begin your home lab.
Get started now!
Upgrade as you grow.
The New Laptop Server

An HP EliteBook 840 G4
- Intel i7-7600U dual core, hyperthreaded
- 16 GB RAM
- 1 Intel gigabit Ethernet NIC
- 1 SSD, 500 GB
Why an Old Laptop?
Is it the greatest option? No. Is it recommended as a long-term strategy? Probably not. Are there far better choices? Absolutely.
I want to demonstrate that we can GET STARTED TODAY with a simple home lab using something that you may have lying around the house; or something that is not going to cost a fortune to acquire.
Just note that I strongly recommend using SSDs whenever possible in your home lab.
Maybe you have tinkered with something like VirtualBox or VMware Player. Those are both respectable platforms and they have their place in virtualization and lab environments. But, we can do so much more. We can learn so much more.
Upgrades
If you are lacking in resources, determine if you can upgrade your components. The laptop I used in this guide was equipped with 16 GB RAM and I upgraded it to 32 GB (which is the max for this system).
Network
A router with more sophisticated configuration options would be best, as we will be setting up a VPN for remote access. This guide does not cover how to tunnel out of CGNAT.
What is Carrier Grade NAT (CGNAT)?
How can I check if I am behind CGNAT?
- Login to your home router and find its public IP address
- Google search:
what’s my IP
- Compare the two
- If they’re the same, good. If they’re different, that is bad
What We'll Build

Reviewing the Network Diagram
Working downward from the top:
- Internet
- Modem (cable) / ONT (fiber)
- This is the line between you and your ISP (the demarcation point)
- Router
- WAN Port
- This is the IP address provided by your ISP
- The Wide Area Network
- LAN Port
- This is your private network
- The Local Area Network
- It is not accessible directly from the Internet except by port forwarding
- Uses Port Address Translation via the WAN interface to reach the Internet
- This is your private network
- WAN Port
- Laptop
- Connected to your router either by Wi-Fi or network cable
- This provides the hardware on which Proxmox runs
- This is how WAN-routed traffic gets to the Internet and how traffic gets to other hosts on the LAN from Proxmox guests
- Logical Interface
- Proxmox maps the physical network devices on your laptop to logical ones
- VMBR0 will be bridged to the physical interface to allow guests access to the LAN and WAN
- VMBR0 (Open vSwitch Virtual Switch)
- Bridged to the logical interface
- Any VMs attached to this virtual switch will be on your home router’s LAN
- We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS
- Virtual pfSense
- WAN Port (vtnet0 interface)
- This is not a public IP, rather a private IP on your home router’s LAN
- Attached to VMBR0
- Allows traffic to get out to the LAN and to the Internet via your home router’s WAN port
- LAN Port (vtnet1 interface)
- Provides another virtual LAN for VMBR1
- Firewall rules will dictate how traffic is routed between subnets
- VLANs are defined as sub-interfaces on vtnet1
- vtnet1 (native): 10.0.0.0/24
- Any machine that is not tagged with a VLAN
- vtnet1.80 - 10.80.80.0/24
- Active Directory Lab
- vtnet1.666 - 10.6.6.0/24
- Any untrusted machine that needs internet access
- vtnet1.999 - 10.9.9.0/24
- Any untrusted machine that should be isolated and only accessible to Kali Linux
- vtnet1 (native): 10.0.0.0/24
- WAN Port (vtnet0 interface)
- VMBR1 (Open vSwitch Virtual Switch)
- Connected to pfSense LAN port (not bridged to a physical interface)
- Provides connectivity to pfSense for internal VMs
- Any time a machine is plugged in, we can define a VLAN tag
- The VLAN tag will be stamped on the frame headers and flow up the wire to pfSense, where pfSense will determine how to route the packets between any networks
- We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS
Installing Proxmox VE 8
A Note on Virtualization
Type 1 Hypervisors
- These are called “bare metal” hypervisors, because there is nothing between the hypervisor and the computer’s hardware.
- Installed directly on the disk
- When you turn on the computer, the hypervisor is loaded
- There is no other operating system
- Have 100% of the access to the computer’s hardware resources
- Common type 1 hypervisors:
- VMware ESXi
- Proxmox
- XCP-NG
Type 2 Hypervisors
- Installed on top of an operating system like Windows, Linux, or Mac OS
- Do not have direct access to the computer’s hardware
- Cannot utilize 100% of the computer’s hardware resources, as they must be shared with the primary operating system
- When you turn on the computer, the primary operating system is loaded, then you run the hypervisor
- Common type 2 hypervisors:
- VirtualBox
- VMware Player
- VMware Fusion
Staging the Environment
I will be using my home router as an example. This procedure may vary from router to router. Most routers ship with a default private IP address range of 192.168.1.0/24
. This can be changed at any time. I changed mine to be 172.16.1.0/24
.
In my browser, I go to https://172.16.1.1
and login.

Then, I go to the Advanced > System Settings. I set my local domain to home.lab
and save the changes.

Now, I can ping any device on my network using a local fully qualified domain name (FQDN)
# Pinging using the FQDN
ping lapprox.home.lab
Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
# We're on the same local network so using only the hostname works, too
ping lapprox
Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Optional: Changing the Private IP Address Range
While still logged into the router, if you wish to change your private IP address range from the default to something else – like 172.16.1.0/24
– now is the time to do that.
You should do either of the following to facilitate that change:
A) Restart the client devices so they get a new IP address
B) Wait for the client DHCP lease to expire and they request a new address
Changing the Private IP Address Space
Again, using my home router as an example (your procedure may vary).
Go to My Network > Network Connections > Network (Home/Office)
Go Settings and change the following values:


Don't forget to save the changes. The router may reboot after making these changes. If you were previously logged in at https://192.168.1.1
, you will now be logged in at https://172.16.1.1
.
Preparing the Laptop
Please remember that the steps I am taking here will probably be different from the steps you take to prepare your computer. This is just serving as a guide to get you in the right direction.
Creating a Bootable USB Drive
First, Download the Proxmox VE ISO.

Then, use a USB drive to make a bootable image using the .ISO
file.

Enabling Virtualization in the BIOS
Turn on the laptop.
Press the ESC
key multiple times until you get to the system setup menu.
Warning: you might need to press a different key on your system to get to the BIOS. For my HP laptop, ESC
was the key to get to the BIOS.
Choose BIOS Setup

Go to Advanced > System Options

Enable VTx and VTd

Save changes and exit the BIOS setup
Boot from the USB Drive
Power off the laptop and insert the USB drive. Power on the laptop and press the ESC
key until you reach the setup menu.

Choose the Boot Menu. Then, choose USB Disk.

Proxmox Installation Steps
Choose Install Proxmox VE (sorry, the font was very small). Down in the bottom-right, click I agree.

Disk Partitioning
Select the install disk and click Options

I referenced the official documentation here: https://pve.proxmox.com/wiki/Installation regarding the partition sizes.
- hdsize: Defines the total hard disk size to be used.
- maxroot: Defines the maximum size of the root volume, which stores the OS. The maximum limit of the root volume size is hdsize/4.
- maxvz (make this value as large as you can):
Defines the maximum size of the data volume. (Where all of the VM and container data files will be stored) - minfree: Defines the amount of free space left in the LVM volume group pve
I will partition my 500 GB disk as such:

Click OK
Wrapping Up
Choose your country, time zone, and keyboard layout. Set a password for the root
user. Set your email address – where you will receive alerts. Then, configure your network settings.

- Hostname:
lapprox.home.lab
(laptop Proxmox. Get it? Funny, right?) - IP Address: I logged into my router and gave lapprox a static IP reservation of
172.16.1.16/24
and filled it out here. - Gateway: Your home router's IP address
- DNS Server: Probably your home router, unless you want to specify otherwise
Confirm everything looks good and install. That's all there is to it.

Required Updates
Log into Proxmox locally at the server or via SSH. The username is root
and the password was set by you during the installation procedure.
Update the APT Repositories
# Comment out, backup, and remove the enterprise repositories
cat /etc/apt/sources.list.d/pve-enterprise.list | sed 's/^/# /g' > /etc/apt/sources.list.d/pve-enterprise.list.bak
cat /etc/apt/sources.list.d/ceph.list | sed 's/^/# /g' > /etc/apt/sources.list.d/ceph.list.bak
rm /etc/apt/sources.list.d/pve-enterprise.list
rm /etc/apt/sources.list.d/ceph.list
# Add the community repositories
echo -e '\n# Proxmox community package repository' >> /etc/apt/sources.list
echo 'deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' >> /etc/apt/sources.list
Install Some Dependencies
apt clean && apt update
apt install ifupdown2 openvswitch-switch -y
If You're Using a Laptop
If you are following this guide, using an old laptop, you will want to disable power off when the lid is closed.
# We're going to edit this file in the terminal
nano /etc/systemd/logind.conf
Change these lines from this:
#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore
to this:
HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore
Press CTRL + X
to exit. Press Y
to save the changes. Press Enter
to save with same file name. Now, we need to restart the login service.
systemctl restart systemd-logind.service
Install Any Pending Upgrades
pveupgrade
Before We Begin
The Web Console
In your web browser go to https://proxmox-ip-address:8006
. In my case, I will be going to https://172.16.1.16:8006
. You should see a login screen.

To log in, the username is root
and the password is whatever you set it to during the installation steps.
Upon logging in, you will be informed that you do not have an active support subscription. You can press OK and safely ignore this.

Changing the Software Networking
Converting to Open vSwitch
By default, Proxmox uses Linux Bridges. There is nothing wrong with Linux Bridges. They just do not allow us to accomplish some of the things we could do with our home lab.
Make a Backup of the Current Network Configuration
Open the shell from the web console. This is the same shell as if you are sitting in front of the server.

And, run this command:
cp /etc/network/interfaces /etc/network/interfaces.bak
Remove the Linux Bridge

Click on your [Proxmox Node] > Network. Select vmbr0
and choose Remove.
Create the Open vSwitches
Create the Production Switch
Click Create > OVS Bridge
A bridge is another name for a switch

Fill out the fields exactly like this and click Create. Note that my physical interface on my laptop has the name enp0s31f6
. Fill in this field with your physical interface name.

Create the Management Interface
Click Create > OVS IntPort. An IntPort is a way to create VLANs.

Fill it out and click Create. Make sure you enter your Proxmox node’s IP address – not mine. The Proxmox web console IP address gets its own IntPort. This is will ensure that you can log into the web console.

Create the pfSense Internal Switch
Click Create > OVS Bridge.

Fill out exactly like this and click Create.

Create a VLAN for Internet-Facing Insecure VMs
Click Create > OVS IntPort. Fill it out as pictured and click Create.


Create a VLAN for Isolated Insecure VMs
Click Create > OVS IntPort. Fill it out as pictured and click Create.


Final Review
By the end of this, you should have a set of interfaces that looks like this:

If for some reason you made a typo or some other error in your configuration and you’re having trouble connecting via the web browser:
- Go to your Proxmox server and logon locally
- Run these commands
cp /etc/network/interfaces.bak /etc/network/interfaces
ifreload -a
- Try following these steps again
Next Steps in the Series
Getting to Know Proxmox

Create a pfSense Firewall for Security Infrastructure

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Lab

Create a Kali Linux VM

Create an OWASP Juice Shop Container

Adding Vulnhub VMs to the Cyber Range

Setup Remote Access to Our Home Lab

Proxmox Troubleshooting

Running Windows Guests on Proxmox

Active Directory Lab: Getting Started

Creating a Windows 7 Buffer Overflow VM

Keeping Tabs on Our Lab
Always-Running Resources
At any time, we are always going to want these resources running, so that our lab will function as intended. You should have these resources set to start at boot, just in case your computer loses power and comes back on.
Name | Type | CPU | RAM | Disk |
---|---|---|---|---|
Kali | VM | 2 cores | 4 GiB | 75 GB |
OpenVPN | CT | 1 core | 512 MiB | 10 GB |
pfSense | VM | 2 cores | 2 GiB | 50 GB |
Wazuh Indexer | CT | 2 cores | 4 GiB | 25 GB |
Wazuh Dashboards | CT | 2 cores | 512 MiB | 10 GB |
Wazuh Manager | CT | 2 cores | 1 GiB | 10 GB |
OwlH Manager | CT | 1 cores | 512 MiB | 10 GB |
OwlH Node | CT | 4 cores | 4 GiB | 50 GB |
Wireguard | CT | 1 core | 512 MiB | 10 GB |
Totals | 17 GB | 250 GB |
On-Demand Resources
Name | Type | CPU | RAM | Disk |
---|---|---|---|---|
Juice Shop | CT | 1 core | 512 MB | 10 GB |
Windows Server 2019 | VM | 2 core | 2 GB | 40 GB |
Windows 10 Enterprise | VM | 2 core | 2 GB | 30 GB |
Windows 10 Enterprise | VM | 2 core | 2 GB | 30 GB |
Totals | 6.5 GB | 110 GB |
If we are running on a laptop with 32 GB RAM and 512 GB SSD storage, you can see that we have nearly maxed out the resources. It’s up to you how to proceed. Your options in this scenario would be:
- Increase the RAM on the server (if possible) and add another disk.
- Or, you could add another Proxmox node to your network and cluster them and then move the Active Directory lab to the other node.
We can keep tabs on our node’s resource consumption by glancing at the Summary panel, as well as the storage panels -- local and local-lvm.


Note: In this screenshot, HD space(root) is the OS disk space, or local, not local-lvm where the VM disks are allocated.
If we click on local > Summary, we can see how much of the OS disk partition is in use. If we click on local-lvm > Summary, we can see how much of the guest space partition is in use.
What Next?
Work within your constraints and look at ways you can improve what you already have.
Upgrade in Place
If you have a laptop with 16 GB of RAM and 1 TB disk space, I would consider the following:
- What is the maximum amount of RAM compatible with your system?
- 32 GB or 64 GB?
- Can you find a good deal on the memory?
- Upgrade
- If not, consider looking at another node.
- Can you find a good deal on the memory?
- 32 GB or 64 GB?
Add Another Proxmox Node
That’s the nice thing about clustering multiple nodes together. If you have a couple of under-resourced nodes working together, you can accomplish more of your goals. You just have to budget out what works best for you.
Additional Lab Ideas
Malware Analysis
You could set up a malware analysis environment using some unpatched Windows VMs and the Remnux Linux distro.
Networking Labs
Set up some additional Linux routers and use IPTABLES or set up some additional pfSense firewalls and practice routing between them. You could set up some pivoting networks and practice SSH tunneling and data exfiltration.
Mail Server
Try hosting your own email system.
Web Server
Build a public or internal web server and try deploying a website to said server.
Clustering Proxmox Nodes

On the left, there is lapprox -- the laptop used in the making of this guide. On the right, there is my production Proxmox node. Lapprox is at 172.16.0.16
and my production server is at 172.16.0.6
. I have joined them together to form a cluster. I can manage both servers from a single IP address. If I log into lapprox, I can manage both servers. If I log into production, I can manage both servers.

The Clustering Process
I would highly advise reading this page before proceeding: https://pve.proxmox.com/wiki/Cluster_Manager#pvecm_join_node_to_cluster
/etc/pve
is overwritten when joining a cluster, since guest IDs could be conflicting. When forming a cluster, empty nodes should always join existing nodes.- Go to your existing node (eg.
https://existing-node-ip:8006
)
This is your Proxmox node that already has guests and configurations.- Click on Datacenter > Cluster
- Click on Create Cluster
- Click on Join Information
- Click Copy Information
- Go to your brand new node (eg.
https://172.16.0.16:8006
)
This is your brand-new Proxmox node. It is empty, no guests, no configurations.- Go to Datacenter > Cluster
- Click Join Cluster
- Paste the Join Information you copied above
- And, join the cluster