Host a full virtual infrastructure behind a single public IP on Kimsufi [Part One]

Kimsufi is an inexpensive dedicated server platform that makes server infrastructure, in ‘proper’ datacentres, available to the masses. I wouldn’t recommend putting anything into production on this platform, owing to there being little to no support available and the hardware being of questionable specification. The types of machine on offer look to be ex-corporate desktops coming out of their refresh cycle: powerful by desktop standards, but many generations behind the current iterations.

I currently have 2 running Kimsufi servers, one hosted in Montreal, Canada and the other in Roubaix, France. I wanted to play with geographic replication and resiliency, putting into practice a lot of theoretical knowledge picked up in my day job and in my studies towards Microsoft certification.

One of the bigger limitations of the Kimsufi platform is that you are provided with a single public IPv4 address, which is associated with the machine itself, so in our case the Proxmox hypervisor. I’d assume it’s there to put you off using it for ‘proper’ uses, but also to upsell you into their SoYouStart servers instead, which are much better placed for production roles.

This makes it quite difficult to expose the underlying virtual machines and their services, because that single address is dedicated to management of the host. The most widely discussed workaround uses IPTABLES NAT rules to forward traffic from the host’s network interface to a given virtual machine on an internal bridged network. That is a perfectly valid approach, but it proved inflexible for my needs: it required lots of command line tweaks, and it’s less user friendly than the management UI of a traditional firewall such as pfSense or OPNsense. From my research nobody had put forward a better way, so I dug into the capabilities of IPTABLES and, after knocking my machine off the network and having to wipe and start again a few times, I managed to get something working that I could use.

I’ll soon be publishing a tutorial that is going to run you through the following:

  1. Configuring Proxmox virtual network interfaces and their subnets
  2. Installing a virtual router and passing all traffic through to this, whilst preserving direct access to the VM host
  3. Modifying the IPTable rules to pass all unsolicited traffic to the virtual router
  4. Using this virtual router to provide internet access and port forwarding to/from virtual machines hosted on the machine
  5. Establishing a site to site link over an encrypted VPN connection between an equivalent setup in the other geographic location
  6. Routing configuration to make the internal networks at each site available to the others
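As an added example, not the author's tutorial code, the script below shows the shape of the IPTABLES piece of steps 1 to 4: it generates the rules that send all unsolicited inbound traffic on the single public IP to a virtual router VM, while keeping the host's own SSH and Proxmox web UI ports answered by the hypervisor, which is the "preserving direct access to the VM host" requirement. The bridge names `vmbr0`/`vmbr1`, the internal subnet and router address, and the port list are assumptions; the public IP is a constructed documentation placeholder. By default it only prints the rules so they can be reviewed; it applies them only when run with `--apply` as root.

```shell
#!/bin/sh
# Added example, not the author's tutorial code. Generates (and optionally
# applies) the iptables rules that send unsolicited inbound traffic on the
# host's single public IP to a virtual router VM, while keeping SSH and the
# Proxmox web UI answered by the hypervisor itself. Interface names, addresses
# and the management port list are assumptions; adjust them for your host.
set -eu

WAN_IF="${WAN_IF:-vmbr0}"                 # assumed: bridge that carries the public IP
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"   # constructed placeholder for the Kimsufi public IP
INT_IF="${INT_IF:-vmbr1}"                 # assumed: internal bridge the virtual router sits on
INT_NET="${INT_NET:-10.0.0.0/24}"         # assumed: subnet on that internal bridge
ROUTER_IP="${ROUTER_IP:-10.0.0.2}"        # assumed: virtual router's address on INT_IF
HOST_PORTS="${HOST_PORTS:-22 8006}"       # TCP ports that must keep reaching the host (SSH, Proxmox UI)

# Print the rule set so it can be reviewed before anything touches the live firewall.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Host-management ports are exempted first: an exemption placed after the
    # catch-all DNAT below would never be reached and would lock you out.
    for p in $HOST_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $p -j ACCEPT"
    done
    # Everything else arriving unsolicited on the public IP goes to the router VM.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -j DNAT --to-destination $ROUTER_IP"
    # Let the redirected packets cross to the internal bridge, and replies come back.
    echo "iptables -A FORWARD -i $WAN_IF -o $INT_IF -d $ROUTER_IP -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $WAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Outbound traffic from the internal subnet leaves masqueraded behind the public IP.
    echo "iptables -A FORWARD -i $INT_IF -o $WAN_IF -s $INT_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $INT_NET -j MASQUERADE"
}

# Line number of the first generated rule matching a pattern (0 if absent);
# used to confirm the management exemptions precede the catch-all DNAT.
rule_pos() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

case "${1:-}" in
    --apply) gen_rules | sh ;;   # apply for real (run as root on the host)
    *)       gen_rules ;;        # default: just show what would be applied
esac
```

The ordering check in `rule_pos` is the point of the example: with a single public address, the one rule that must exist before the catch-all DNAT is the exemption for the ports you administer the host on, otherwise the next connection to the hypervisor is silently handed to the router VM.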

This setup makes it possible to play with a few interesting, more complex infrastructure concepts – Active Directory replication across sites, off-site backup targets, externally hosted services with access to local resources, the possibilities are endless. I’ll reiterate my previous warning – use this for production roles at your peril.

Part Two covering the basics, so steps 1 to 4, has now been published.


Copyright © James Coleman-Powell, 2016