Proxmox VE 8: Converting a Laptop into a Bare Metal Server

In this project, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.
Proxmox VE 8: Converting a Laptop into a Bare Metal Server
In: Proxmox, Home Lab, Computer Networking, Attack, Defend, CTF

Change Log

View Change Log

Mar. 27, 2024

  • Added a diagram to the project landing page for those that may not be familiar with -- or a struggling to visualize -- the process of clustering and what might be required to create a cluster.

Mar. 19, 2024

  • Corrected the interface configuration on Metasploitable 2
  • Prefer default route out AD lab interface for Internet access
  • Added a route to Kali's subnet through the correct interface

Mar. 14, 2024

Mar. 13, 2024

  • Update several screenshots in the AD lab section to bring it up-to-date with the latest user experience
  • Update the AD lab firewall rules to correct a logic flaw
  • The original ruleset will block traffic to the default gateway of the lab
  • Update adds a rule to the top of the ruleset that allows traffic to the default gateway, which will also correct issues with the DNS resolver

Mar. 6, 2024

  • Updated Setup Remote Access to Our Proxmox Home Lab step
  • Since WireGuard kernel modules are now shipped in Linux kernels 6.x and up, it is no longer required to install the backported wireguard-dkms package
  • The preparatory steps run in the PVE shell have now been updated to reflect this

Jan. 25, 2024

Dec. 30, 2023

  • Massive upgrade to the Active Directory Lab Step!
  • Added a completely new step to help you set up a vulnerable AD lab using this project on GitHub, and also demonstrate some example attacks that are possible
  • Added instructions on creating the Active Directory VLAN and firewall rules
  • Added additional steps to help you understand how to roll back your AD lab to clean slate
  • Redid some configurations to make it easier to get hosts up and running without driver injection, even if that does deviate from the known best practices

Oct. 16, 2023

  • Update the Wazuh SIEM and NIDS step with new cron jobs
  • Removed redundant @reboot jobs and reduced two cron jobs with conditionals that will attempt to start the NIDS container if not running and create the mirror port.

Sept. 17, 2023

Sept. 13, 2023

Aug. 29, 2023

  • Proxmox VE 8 runs on top of Debian 12 — bookworm — whereas Proxomx VE 7 ran on top of Debian 11 — bullseye.
  • Changed references of bullseye to bookworm in specific areas of the project to reflect the change to Proxmox VE 8.
  • Updated the title from Proxmox VE 7... to Proxmox VE 8...

Foreword

⚠️
You are not required to use a laptop. This guide specifically focuses on converting an old laptop into a bare metal server.

You could follow this guide successfully to get up and running with an old desktop computer or a dedicated server. A few things might change on your end like disk partitioning or format types (eg. ZFS or ext4). Should mostly stay the same otherwise.


What We'll Build


Reviewing the Network Diagram

Working downward from the top:

  • Internet
  • Modem (cable) / ONT (fiber)
    • This is the line between you and your ISP (the demarcation point)
  • Router
    • WAN Port
      • This is the IP address provided by your ISP
      • The Wide Area Network
    • LAN Port
      • This is your private network
        • The Local Area Network
        • It is not accessible directly from the Internet except by port forwarding
        • Uses Port Address Translation via the WAN interface to reach the Internet
  • Laptop
    • Connected to your router either by Wi-Fi or network cable
    • This provides the hardware on which Proxmox runs
    • This is how WAN-routed traffic gets to the Internet and how traffic gets to other hosts on the LAN from Proxmox guests
  • Logical Interface
    • Proxmox maps the physical network devices on your laptop to logical ones
    • VMBR0 will be bridged to the physical interface to allow guests access to the LAN and WAN
  • VMBR0 (Open vSwitch Virtual Switch)
    • Bridged to the logical interface
    • Any VMs attached to this virtual switch will be on your home router’s LAN
    • We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS
  • Virtual pfSense
    • WAN Port (vtnet0 interface)
      • This is not a public IP, rather a private IP on your home router’s LAN
      • Attached to VMBR0
      • Allows traffic to get out to the LAN and to the Internet via your home router’s WAN port
    • LAN Port (vtnet1 interface)
      • Provides another virtual LAN for VMBR1
      • Firewall rules will dictate how traffic is routed between subnets
      • VLANs are defined as sub-interfaces on vtnet1
        • vtnet1 (native): 10.0.0.0/24
          • Any machine that is not tagged with a VLAN
        • vtnet1.80 - 10.80.80.0/24
          • Active Directory Lab
        • vtnet1.666 - 10.6.6.0/24
          • Any untrusted machine that needs internet access
        • vtnet1.999 - 10.9.9.0/24
          • Any untrusted machine that should be isolated and only accessible to Kali Linux
  • VMBR1 (Open vSwitch Virtual Switch)
    • Connected to pfSense LAN port (not bridged to a physical interface)
    • Provides connectivity to pfSense for internal VMs
    • Any time a machine is plugged in, we can define a VLAN tag
      • The VLAN tag will be stamped on the frame headers and flow up the wire to pfSense, where pfSense will determine how to route the packets between any networks
      • We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS



Prerequisites

Host

A host system to run Proxmox (an old laptop if you are following this guide for that purpose); preferably a system with a decent processor and enough RAM. You could use a desktop computer or an old server – tower or rackmount as well.

My Production Home Server

I run my production instance of Proxmox on this server:

  • A single Intel Xeon D-1541
  • 128 GB RAM
  • 256 GB SSD OS Disk
  • 2 TB, 4 disk SATA array, ZFS Raid-Z2
  • 4 port network interface card



The New Laptop Server

An HP EliteBook 840 G4

  • Intel i7-7600U dual core, hyperthreaded = 4 vCPU
  • 32 GB RAM (formerly 16 GB, was able to upgrade)
  • 1 Intel gigabit Ethernet NIC
  • 1 SSD, 500 GB

Recommended Specifications

  • A somewhat current i7 CPU
    • The more cores the better
  • 32 GB RAM
    • 16 GB RAM will work for some steps of this pject
      • Could easily run Kali and some Vulnhub VMs
      • Won't work with the SIEM or Active Directory lab
      • Upgrade if you can
  • 500 GB SSD storage
    • More than one disk would be preferred
      • A smaller disk for the Proxmox installation
      • A larger disk to store the guest disks
Why an Old Laptop?

I want to demonstrate that we can GET STARTED TODAY with a simple home lab using something that you may have lying around the house; or something that is not going to cost a fortune to acquire.

As you follow along with this project, the benefits of running a bare-metal hypervisor will become quickly apparent, as you'll see just how much more you are capable of creating.



Network

A router with more sophisticated configuration options would be best, as we will be setting up a VPN for remote access. This guide does not cover how to tunnel out of CGNAT.

What is Carrier Grade NAT (CGNAT)?

How can I check if I am behind CGNAT?

  • Login to your home router and find its public IP address
  • Google search: what’s my IP
  • Compare the two
  • If they’re the same, good. If they’re different, that is bad





Installing Proxmox VE 8

A Note on Virtualization

Type 1 Hypervisors

  • These are called “bare metal” hypervisors, because there is nothing between the hypervisor and the computer’s hardware.
    • Installed directly on the disk
    • When you turn on the computer, the hypervisor is loaded
    • There is no other operating system
  • Have 100% of the access to the computer’s hardware resources
  • Common type 1 hypervisors:
    • VMware ESXi
    • Proxmox
    • XCP-NG

Type 2 Hypervisors

  • Installed on top of an operating system like Windows, Linux, or Mac OS
  • Do not have direct access to the computer’s hardware
  • Cannot utilize 100% of the computer’s hardware resources, as they must be shared with the primary operating system
  • When you turn on the computer, the primary operating system is loaded, then you run the hypervisor
  • Common type 2 hypervisors:
    • VirtualBox
    • VMware Player
    • VMware Fusion





Staging the Environment

I will be using my home router as an example. This procedure may vary from router to router. Most routers ship with a default private IP address range of 192.168.1.0/24. This can be changed at any time. I changed mine to be 172.16.1.0/24.

In my browser, I go to https://172.16.1.1 and login.

Then, I go to the Advanced > System Settings. I set my local domain to home.lab and save the changes.

Now, I can ping any device on my network using a local fully qualified domain name (FQDN)

# Pinging using the FQDN
ping lapprox.home.lab

Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64


# We're on the same local network so using only the hostname works, too
ping lapprox

Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64





Optional: Changing the Private IP Address Range

While still logged into the router, if you wish to change your private IP address range from the default to something else – like 172.16.1.0/24 – now is the time to do that.

Your devices will not immediately get a new IP from the router

You should do either of the following to facilitate that change:

A) Restart the client devices so they get a new IP address
B) Wait for the client DHCP lease to expire and they request a new address





Changing the Private IP Address Space

This is optional

Again, using my home router as an example (your procedure may vary).
Go to My Network > Network Connections > Network (Home/Office)
Go Settings and change the following values:

Private IPv4 Address Space
DHCP Pool Range

Don't forget to save the changes. The router may reboot after making these changes. If you were previously logged in at https://192.168.1.1, you will now be logged in at https://172.16.1.1.





Preparing the Laptop

Please remember that the steps I am taking here will probably be different from the steps you take to prepare your computer. This is just serving as a guide to get you in the right direction.

Creating a Bootable USB Drive

First, Download the Proxmox VE ISO.

Then, use a USB drive to make a bootable image using the .ISO file.





Enabling Virtualization in the BIOS

Turn on the laptop.
Press the ESC key multiple times until you get to the system setup menu.

Warning: you might need to press a different key on your system to get to the BIOS. For my HP laptop, ESC was the key to get to the BIOS.

Choose BIOS Setup

Go to Advanced > System Options

Enable VTx and VTd

Save changes and exit the BIOS setup





Boot from the USB Drive

Power off the laptop and insert the USB drive. Power on the laptop and press the ESC key until you reach the setup menu.

Choose the Boot Menu. Then, choose USB Disk.





Proxmox Installation Steps

Choose Install Proxmox VE (sorry, the font was very small). Down in the bottom-right, click I agree.





Disk Partitioning

ℹ️
If you only have one disk in the laptop, you need to adjust the partition sizes. If you have more than one disk, you can skip this step.

Select the install disk and click Options

My laptop has a single SSD where I will install Proxmox

I referenced the official documentation here: https://pve.proxmox.com/wiki/Installation regarding the partition sizes.

  • hdsize: Defines the total hard disk size to be used.
  • maxroot: Defines the maximum size of the root volume, which stores the OS. The maximum limit of the root volume size is hdsize/4.
  • maxvz (make this value as large as you can):
    Defines the maximum size of the data volume. (Where all of the VM and container data files will be stored)
  • minfree: Defines the amount of free space left in the LVM volume group pve

I will partition my 500 GB disk as such:

Note the maxvz is as big as I could make it within the constraints

Click OK





Wrapping Up

Choose your country, time zone, and keyboard layout. Set a password for the root user. Set your email address – where you will receive alerts. Then, configure your network settings.

ℹ️
I strongly recommend giving your Proxmox host a static DHCP reservation. It is best practice to give your important infrastructure permanent IP addresses.
  • Hostname: lapprox.home.lab (laptop Proxmox. Get it? Funny, right?)
  • IP Address: I logged into my router and gave lapprox a static IP reservation of 172.16.1.16/24 and filled it out here.
  • Gateway: Your home router's IP address
  • DNS Server: Probably your home router, unless you want to specify otherwise

Confirm everything looks good and install. That's all there is to it.





Required Updates

Log into Proxmox locally at the server or via SSH. The username is root and the password was set by you during the installation procedure.

Update the APT Repositories

# Comment out the enterprise repositories
sed '/^[^#]/ s/^/# /' -i /etc/apt/sources.list.d/pve-enterprise.list
sed '/^[^#]/ s/^/# /' -i /etc/apt/sources.list.d/ceph.list

# Add the community repositories
echo -e '\n# Proxmox community package repository' >> /etc/apt/sources.list
echo 'deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' >> /etc/apt/sources.list





Install Some Dependencies

apt clean && apt update
apt install ifupdown2 openvswitch-switch -y





If You're Using a Laptop

If you are following this guide, using an old laptop, you will want to disable power off when the lid is closed.

# We're going to edit this file in the terminal
nano /etc/systemd/logind.conf

Change these lines from this:

#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore

to this:

HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore

Press CTRL + X to exit. Press Y to save the changes. Press Enter to save with same file name. Now, we need to restart the login service.

systemctl restart systemd-logind.service





Install Any Pending Upgrades

pveupgrade





Before We Begin

The Web Console

In your web browser go to https://proxmox-ip-address:8006. In my case, I will be going to https://172.16.1.16:8006. You should see a login screen.

To log in, the username is root and the password is whatever you set it to during the installation steps.

Upon logging in, you will be informed that you do not have an active support subscription. You can press OK and safely ignore this.





Changing the Software Networking

Converting to Open vSwitch

By default, Proxmox uses Linux Bridges. There is nothing wrong with Linux Bridges. They just do not allow us to accomplish some of the things we could do with our home lab.





Make a Backup of the Current Network Configuration

Open the shell from the web console. This is the same shell as if you are sitting in front of the server.

And, run this command:

cp /etc/network/interfaces /etc/network/interfaces.bak





Remove the Linux Bridge

Click on your [Proxmox Node] > Network. Select vmbr0 and choose Remove.





Create the Open vSwitches

Create the Production Switch

Click Create > OVS Bridge
A bridge is another name for a switch

Fill out the fields exactly like this and click Create. Note that my physical interface on my laptop has the name enp0s31f6. Fill in this field with your physical interface name.





Create the Management Interface

Click Create > OVS IntPort. An IntPort is a way to create VLANs.

Fill it out and click Create. Make sure you enter your Proxmox node’s IP address – not mine. The Proxmox web console IP address gets its own IntPort. This is will ensure that you can log into the web console.





Create the pfSense Internal Switch

Click Create > OVS Bridge.

Fill out exactly like this and click Create.





Create a VLAN for Internet-Facing Insecure VMs

Click Create > OVS IntPort. Fill it out as pictured and click Create.

VLAN ID 666





Create a VLAN for Isolated Insecure VMs

Click Create > OVS IntPort. Fill it out as pictured and click Create.

VLAN ID 999





Final Review

By the end of this, you should have a set of interfaces that looks like this:

💡
Please be sure to press the "Apply Configuration" button to activate the new network settings.
⚠️
You may lose connectivity to the Proxmox web console

If for some reason you made a typo or some other error in your configuration and you’re having trouble connecting via the web browser:

  1. Go to your Proxmox server and logon locally
  2. Run these commands
cp /etc/network/interfaces.bak /etc/network/interfaces
ifreload -a

  1. Try following these steps again





Next Steps in the Series

Getting to Know Proxmox

Getting to Know Proxmox
In this module, we will take a look at some basic tasks and the core areas of the Proxmox web front end.

Create a pfSense Firewall for Security Infrastructure

Create a pfSense Firewall for Our Proxmox Lab
In this module, we will look at setting up a pfSense firewall VM in Proxmox to segment our home lab network.

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Lab

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Proxmox Lab
In this module, we will take a look at the process setting up a comprehensive Wazuh SIEM, including a NIDS and some HIDS agents, in our Proxmox home lab.

Create a Kali Linux VM

Create a Kali Linux VM in Proxmox
In this module, we will look at the process of creating a Kali Linux VM using the command line in Proxmox

Create an OWASP Juice Shop Container

Create an OWASP Juice Shop Container in Proxmox
In this module, we will look at creating a container in our Proxmox home lab to run OWASP Juice Shop to practice our web app pentest skills

Adding Vulnhub VMs to the Cyber Range

Adding Vulnhub VMs to Our Proxmox Cyber Range
In this module, we will look at how to import VMs from Vulnhub into our Proxmox home lab

Setup Remote Access to Our Home Lab

Set up Remote Access to Our Proxmox Home Lab
In this module, we will look at using dynamic DNS, OpenVPN, and WireGuard to setup remote access to our Proxmox home lab

Proxmox Troubleshooting

Troubleshooting Proxmox
In this module, we will look at various command line utilities to troubleshoot our Proxmox home lab

Running Windows Guests on Proxmox

Running Windows Guests on Proxmox
In this module, we will look at the optimal way to run Windows guests in our Proxmox home lab

Active Directory Lab: Getting Started

Adding an Active Directory Forest to Our Proxmox Lab
In this module, we will cover the steps to set up a small Active Directory forest in Proxmox, including a domain controller and two client computers

Hack Your Active Directory Lab

Hack Your Proxmox AD Lab
In this module we will look at using a publicly available script to make our Active Directory domain susceptible to multiple vulnerabilities.

Set up a Pivoting Lab

External Pentest Practice in Your Proxmox AD Lab
In this module of the Proxmox cybersecurity home lab project, we are going to look at the process of setting up a dual-homed target to serve as a pivot point into an Active Directory network.

Creating a Windows 7 Buffer Overflow VM

Creating a Windows 7 Buffer Overflow Practice VM in Proxmox
In this module, we will look at creating a vulnerable Windows 7 VM in Proxmox that will run some applications which are vulnerable to 32-bit stack-based buffer overflows





Keeping Tabs on Our Lab

Always-Running Resources

At any time, we are always going to want these resources running, so that our lab will function as intended. You should have these resources set to start at boot, just in case your computer loses power and comes back on.

Name Type CPU RAM Disk
Kali VM 2 cores 4 GiB 75 GB
OpenVPN CT 1 core 512 MiB 10 GB
pfSense VM 2 cores 2 GiB 50 GB
Wazuh Indexer CT 2 cores 4 GiB 25 GB
Wazuh Dashboards CT 2 cores 512 MiB 10 GB
Wazuh Manager CT 2 cores 1 GiB 10 GB
OwlH Manager CT 1 cores 512 MiB 10 GB
OwlH Node CT 4 cores 4 GiB 50 GB
Wireguard CT 1 core 512 MiB 10 GB
Totals 17 GB 250 GB





On-Demand Resources

Name Type CPU RAM Disk
Juice Shop CT 1 core 512 MB 10 GB
Windows Server 2019 VM 2 core 2 GB 40 GB
Windows 10 Enterprise VM 2 core 2 GB 30 GB
Windows 10 Enterprise VM 2 core 2 GB 30 GB
Totals 6.5 GB 110 GB

If we are running on a laptop with 32 GB RAM and 512 GB SSD storage, you can see that we have nearly maxed out the resources. It’s up to you how to proceed. Your options in this scenario would be:

  • Increase the RAM on the server (if possible) and add another disk.
  • Or, you could add another Proxmox node to your network and cluster them and then move the Active Directory lab to the other node.

We can keep tabs on our node’s resource consumption by glancing at the Summary panel, as well as the storage panels -- local and local-lvm.


Note: In this screenshot, HD space(root) is the OS disk space, or local, not local-lvm where the VM disks are allocated.

If we click on local > Summary, we can see how much of the OS disk partition is in use. If we click on local-lvm > Summary, we can see how much of the guest space partition is in use.





What Next?

Work within your constraints and look at ways you can improve what you already have.

Upgrade in Place

If you have a laptop with 16 GB of RAM and 1 TB disk space, I would consider the following:

  • What is the maximum amount of RAM compatible with your system?
    • 32 GB or 64 GB?
      • Can you find a good deal on the memory?
        • Upgrade
      • If not, consider looking at another node.





Add Another Proxmox Node

That’s the nice thing about clustering multiple nodes together. If you have a couple of under-resourced nodes working together, you can accomplish more of your goals. You just have to budget out what works best for you.





Additional Lab Ideas

Other Proxmox Write-Ups

Proxmox - 0xBEN
Proxmox Virtual Environment and related services

Malware Analysis
You could set up a malware analysis environment using some unpatched Windows VMs and the Remnux Linux distro.

Networking Labs
Set up some additional Linux routers and use IPTABLES or set up some additional pfSense firewalls and practice routing between them. You could set up some pivoting networks and practice SSH tunneling and data exfiltration.

Mail Server
Try hosting your own email system.

Web Server
Build a public or internal web server and try deploying a website to said server.





Clustering Proxmox Nodes

On the left, there is lapprox -- the laptop used in the making of this guide. On the right, there is my production Proxmox node. Lapprox is at 172.16.0.16 and my production server is at 172.16.0.6. I have joined them together to form a cluster. I can manage both servers from a single IP address. If I log into lapprox, I can manage both servers. If I log into production, I can manage both servers.



Visualizing the Cluster

Adding another PVE node and creating a cluster is a great way to add more CPU, RAM, and disk when low. You can then migrate existing VMs and LXCs to — and create new ones on — your new PVE node.

If you're still somewhat new to Proxmox, new to home labbing, or the concept of clustering servers is eluding you, I hope this diagram will help.






The Clustering Process

I would highly advise reading this page before proceeding: https://pve.proxmox.com/wiki/Cluster_Manager#pvecm_join_node_to_cluster

A node that is about to be added to the cluster cannot hold any guests. All existing configuration in /etc/pve is overwritten when joining a cluster, since guest IDs could be conflicting. When forming a cluster, empty nodes should always join existing nodes.
  1. Go to your existing node (eg. https://existing-node-ip:8006)
    This is your Proxmox node that already has guests and configurations.
    • Click on Datacenter > Cluster
    • Click on Create Cluster
    • Click on Join Information
    • Click Copy Information
  2. Go to your brand new node (eg. https://172.16.0.16:8006)
    This is your brand-new Proxmox node. It is empty, no guests, no configurations.
    • Go to Datacenter > Cluster
    • Click Join Cluster
    • Paste the Join Information you copied above
    • And, join the cluster





Other Projects

Building a Security Lab in VirtualBox
In this project, we we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox



Honorable Mentions

More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.