Hey everybody, it's Christian, and in this video I want to reveal some of my best practices and config settings for Proxmox. Proxmox, as you should know, is a really nice hypervisor platform. I'm a big fan and I've been running it since the very early days of my home lab, and over time I've collected a list of all the important settings I configure on any new Proxmox installation, or things I do whenever I need to install a new virtual machine. Honestly, I believe you should never run Proxmox without knowing these settings. Yeah, it might sound a little dramatic, but I'm sure you will agree that there are some pretty important topics you should always take care of, such as keeping your Proxmox server up to date or configuring storage and backups, and I hope this will help you make all your Proxmox setups more secure and robust while getting the most performance out of your hardware.

But before we do that, we quickly need to talk about another important topic, which is how to secure the remote access to your home lab services, and I want to point you once more to one of my absolute favorite solutions, called Twingate. A big thanks goes out to Twingate for sponsoring this video. Twingate is a zero trust network access platform that is easy to deploy, even easier to use, and always secure. In my previous video we've already covered the essential benefits of the ZTNA concept, why it is so much better than using VPNs, and how to install and set up Twingate in your home lab completely for free. Twingate just recently added a couple of new and very exciting features I want to highlight here, such as usage-based auto-lock, which automatically revokes the access of inactive accounts, ephemeral access that can expire credentials, DNS filtering and client configs to enforce security policies, and a brand new Kubernetes operator to quickly and easily implement ZTNA in your Kubernetes environment. You can be sure, of course, that I will cover those new and cool features in an upcoming
video. But also, if you want easy and secure access to all your home lab services, Twingate is really amazing for that. You can use it completely for free for up to five users and 10 different remote networks, and it runs on your NAS, on a Raspberry Pi, in the cloud, and of course in a VM on your local Proxmox environment. So check out Twingate and start making your network more secure and safe; of course I will leave you a link to their website in the description box down below.

Okay guys, so here I'm logged into my Proxmox environment at home. As you can see, I just recently built a new Proxmox cluster with two nodes; by the way, if you want to check out the tutorial, I'll leave you a link in the description box down below. But regardless of your setup, all the best practices and tips we're going through in this video work on any Proxmox environment. It can be a single-node cluster, it can be a two- or three-node cluster, it does not matter at all, and I configure these things on any Proxmox server that I deploy in my home lab.

The first item on this list, and this is probably by far the most important thing you should take care of when running Proxmox, is configuring the update procedure correctly. The reason is that if you go to the Repositories section, you can see that by default there are one or two entries in that list that start with "Enterprise". You can only receive updates from those enterprise repositories if you have a valid subscription; without one, apt update fails on them with an authentication error. What I always do, because I never buy a subscription for my home lab environment, is simply deactivate those enterprise repositories. So make sure to disable the enterprise repositories and then add a new one: from the repository list you can just choose "No-Subscription". If you want the Ceph repository for distributed storage in a three-node cluster, you can also enable the Ceph Quincy or Reef repository with no subscription. This adds a new item to that list that you can also enable or disable, and it will just download any updates for Proxmox even without a subscription. Note that you will still get the annoying subscription notification.

When you have done that, you can simply go to Updates, click Refresh, and it will automatically check all the active repositories for new Proxmox updates. In that list you can then go to any of your Proxmox nodes and click Upgrade. By the way, if that is greyed out, the reason is that I'm logged in using my Authentik IdP; the Upgrade console is only available when you are logged in as root@pam. If you switch back to the standard authentication and log in with the root user, you can open any of your Proxmox nodes, go to Updates, and click Upgrade. You just need to confirm, and it will pull down the latest upgrades for your Proxmox environment. The same of course also works if you log into the shell as the root user and execute apt update and apt dist-upgrade; it will also pull down all the latest upgrades for Proxmox and install any new services automatically. So once you have configured the update repository for Proxmox correctly, you should just upgrade your environment from time to time; for example, I do that every one or two weeks on all of my Proxmox nodes in the cluster. Of course sometimes they also need a reboot, so I'm also rebooting those nodes from time to time to apply the latest kernel updates.

Okay guys, so the next item on my list is to enable notifications. This is also pretty important, so that you know what's going on in your environment. To do that, we need to go to Datacenter and scroll down in that list to Notifications. Here you can see there is a default entry that will just try to send a mail to the root user's address, which doesn't get anywhere, so it's really important to add a new notification target. You can use the sendmail or the SMTP endpoint type; I would always recommend SMTP because this allows you to configure a custom email server. Once you've done that, it's also
important that you go to Notification Matchers. You can either create a new one or just modify the existing notification matcher. Here you could also specify match rules and so on; usually you don't need to do anything, you just need to go to the targets to notify, switch off the default mail-to-root target, and activate the custom notification target you configured with your SMTP credentials for your administrator email address. Once you have done that, the notification system should be active and running, and you could use it, for example, to get notified about backup jobs.

But before we do that, we need to go through another important item on my list, or at least in my opinion it's pretty important, and that is issuing a trusted TLS certificate for your Proxmox server. The reason I think this is important: it's just best practice in IT, and it allows you to get rid of the annoying certificate warning in your browser whenever you open a web connection to your Proxmox server (a warning you have trained yourself to click through is also one you will click through when something is actually wrong). Now, if you want to issue a trusted TLS certificate, you should know there are a few things you should have in place before doing this. You should have a public domain registered somewhere; for example, I've registered the domain clcreative.de, which I'm using. And you should use a DNS provider, for example Cloudflare. Cloudflare is a great example because it's completely free, and you can use it to issue Let's Encrypt certificates using the DNS challenge, which is pretty simple to configure; I will show you that in a second. What you should also have is a DNS name, or a DNS host configured on your DNS server, that resolves the hostname of your Proxmox server to the internal IP address. For example, in my home lab I'm running a DNS server (if you have watched my BIND tutorial you will probably know what I'm talking about), and this automatically resolves DNS names such as prx-production-1.home.clcreative.de to the internal IP address of my Proxmox server. The same also works for the second node; this is just a second DNS entry that resolves the second node to its IP address. Now, you can use a local DNS server for that, but of course you could also just enter the Proxmox hostnames with their local IP addresses at the Cloudflare DNS provider; then they are publicly resolvable (which means anyone querying your zone can see your internal addressing), but otherwise it doesn't really matter. So there are two possible ways to configure this; just remember you will need a public domain and a DNS provider, something like Cloudflare.

All right, so once you have done that, you need to go to Datacenter and then to ACME. ACME is the protocol that allows you to automatically issue and also renew certificates using Let's Encrypt. I personally like the DNS challenge the most because it's the easiest one: it doesn't require a connection from the Let's Encrypt validation server to your local environment, it just works with a DNS provider and an API token, super simple and easy. Just go to Challenge Plugins, click Add, give it a name, something like cloudflare-dns, and select your DNS provider (make sure you select yours). In the case of Cloudflare you will need to authenticate with an email address and an API token. You could also use the account-wide global API key here, but token authentication is more secure and the easiest to create, because you can scope the token to just DNS edit permission on the one zone Proxmox needs. For example, on my Cloudflare account you can see all the public domains that I've registered and configured. I just need to go to my profile section on the left side, go to API Tokens, and then simply create a new API token. Make sure you enter the API token here and also add your administrative email address. Then you need to go to Accounts, add a name, your email address again, and then select the ACME directory: make sure the first one, the production environment, is selected. If you're using this for testing and you're
not quite sure whether it works for you, you could also select the staging environment, but just know that the staging environment issues certificates that are never trusted; these are just for testing, and when you move to a production environment, make sure it's using the production directory. Accept the terms of service and click Register. Then you should have two entries here, one under Accounts and one under Challenge Plugins.

Once you have that, you can go to your Proxmox node (you need to do this for every node in the cluster) and go to Certificates. Here you can add your ACME certificates: make sure it's using the right account (you can also edit this here and select the Cloudflare account), and then add the subject alternative names, so the DNS name that resolves to the internal IP address of your Proxmox environment. Make sure the DNS challenge is selected and not HTTP, because, as I said, the HTTP challenge requires a connection from Let's Encrypt to your internal Proxmox environment. Select the plugin you configured previously and then add the domain name for your Proxmox environment, in my case prx-production-1.home.clcreative.de, which resolves to the internal IP address. By the way, you can also add more subject alternative names if you want to use multiple DNS names for your internal IP address. For example, you can see that for node 1 I have added this DNS name but also prx-cluster-1, and on the second node it looks similar: it also has prx-production-2 as the node identifier but also the same prx-cluster-1 name. The reason I'm doing this is that, if you have watched my last video about the Proxmox cluster, you know that you can manage any VM from any node in the cluster, and I simply created a load balancer object that forwards the incoming traffic for this domain name to either of the two nodes, depending on which one is currently active. So I don't need to remember which node is currently active and running; I can just use the prx-cluster-1 name and it will automatically forward the traffic to one of the nodes. Now, if you don't add this name to the subject alternative names on both nodes, you would see a certificate warning when doing this, because the name would not match the certificates. That's why the cluster DNS name should also be part of the certificate. So just add multiple names, as many as you need, and then click Order Certificates Now. This starts the ACME certificate issuing process; if you have done everything correctly, it will take a few seconds to order the new certificates, and then you should be rid of the certificate warning in your browser.

All right, so that's it about certificates. Let's go and talk about storage. Storage is also a pretty important thing you should definitely take care of when configuring Proxmox, and that is done in the Datacenter storage menu, just as simple as that. The reason I'm showing you this is that I always configure the storage for my Proxmox server depending on whether I'm adding multiple drives, whether I want to add redundancy, and whether I'm configuring a target location for backups. This is also
really important. The somewhat odd thing in Proxmox is that when you configure a storage, you also need to set the content types for it, which define what Proxmox is able to store on that storage location. By default you should have these two entries, local and local-lvm: the first one stores backup files, ISO images and container templates, and only the second one stores disk images and containers, so the actual drives for the virtual machines and containers.

One thing I always do in my Proxmox environment is configuring an NFS storage, and this is pretty important. For example, this one here is an NFS share that I have enabled on my NAS. On TrueNAS I have a storage pool and a specific dataset that I've created just for storing virtual machine backups. That allows me to store my virtual machine backups outside of the file system of Proxmox, which is much more secure: if the Proxmox server dies, or if any local drives on the Proxmox server are damaged or whatever, I still have those backups for the virtual machines somewhere else, on a different file system. Even though the NAS is currently running as a virtual machine in my Proxmox environment, I still use it for storing backups (the backup data lives on the disks passed through to that VM, not on Proxmox's own storage). Here you can see I've added this storage location with this IP address, mounted this specific path, and enabled it for the content type "VZDump backup file" so that I can store backups on this external file system. You can then access this NFS storage from any node in the cluster: you can see Proxmox node 1 has access to this storage, and this is where my backup files are stored, and node 2 has access to it as well. This is by the way also a possibility to add shared storage for all the VMs if you want high availability in a two-node cluster, but that's a topic for a future video, maybe.

All right, let's talk about backups. Backups are also one of the most important things you should always run on Proxmox; you should never run a VM
without backups, at least not a production virtual machine. That's why you should definitely set up a backup job here in the Datacenter backup menu. You can see I've added a backup job for some of my virtual machines. You can enable all the VMs that should be included in the backup, depending on which node they are running on. For example, as you can see, I've added only production systems and excluded my NAS (TrueNAS), of course, because this is the target location, so I don't need to store that VM there. For my demo environments I'm not using backups, because those environments are just temporary testing stuff; I could easily recreate them without a backup. But for any of your VMs that you want to back up recurrently, just enable them, and then you can set a schedule. Also don't forget to set the target storage, otherwise Proxmox will try to store the backups locally, and that usually doesn't have much disk space; that's why it is important to configure an additional storage location for taking backups. Make sure this is selected here and then add a schedule; for example, I'm just taking a backup every day. Then it's also important, if you have paid attention to step two and configured the notification system, to switch the default "auto" notification mode to "notification system" here, so whenever a backup is taken you receive an email whether it's successful or not. If the backup job is not running, you should definitely pay attention to it and repair it, so it's important to make sure this is set to the notification system. The compression mode you can just leave at the default; zstd is pretty good. The snapshot mode is also important if you want to keep these VMs running: a snapshot backup is definitely the best choice because it doesn't require shutting the VMs down in order to take the backup; it does this automatically while the VMs are still running, which is pretty cool (with the QEMU guest agent installed in the VM, Proxmox briefly freezes the guest file system during the snapshot so the backup is consistent; without it the backup is only crash-consistent). Then you should also set up the retention, so
that tells Proxmox how many backup files it should keep. If you have just a smaller file system, it might run out of disk space pretty soon if you're taking a backup every day, so I've configured it to keep only the last 10 backup files on the NFS storage. I could also shrink it down a bit, but I think it's pretty important: if you lose data, you probably won't notice it the same day; you might only recognize it three or four days later, and therefore it's important to keep a few more than just the last backup file, so that you can go back in time and find the day you want to restore the files from. All right, so that's it about backups, and I think this is really a must-have for a good Proxmox environment.

Okay, so the next item on my list is PCI passthrough. I think this is also a pretty important topic, especially if you want to virtualize file storage systems and pass through a graphics card, a storage controller, or maybe even a network card to some of your virtual machines. There are a couple of things you should have enabled. For example, IOMMU, which is essential for PCI passthrough: the IOMMU is what confines a passed-through device's DMA to the guest's memory, so without it the VM would effectively have access to host memory. This requires a CPU that supports IOMMU (VT-d on Intel, AMD-Vi on AMD), and you also need to enable it in the BIOS; on most modern mainboards it should be enabled by default. Then you can simply check on the Proxmox system whether IOMMU is enabled: just go to one of your Proxmox servers, execute the check shown here, and you should see that IOMMU is enabled. I can also do the same on my first node, which is an AMD system, and you will see a slightly different result: here it says "AMD IOMMUv2 loaded and initialized". Also check that interrupt remapping is enabled; this is the result on the Intel CPU, and this is the message on the AMD system. Then you can enable PCIe passthrough. Let me also show you how that looks: for example, on the second Proxmox node I said I virtualized my TrueNAS storage server, and the way that works is, if you go to the Hardware section
of that VM, you can see there is a PCI device that passes the internal SATA controller on the mainboard through to the VM. So all the drives connected to the SATA ports on the mainboard are not accessible on the Proxmox host itself; they are only visible to the virtual machine running there. Now, maybe we should clarify whether it's a good idea to virtualize a storage server. As I said, if you pass through the storage controller, there's no real difference from running it on bare metal, so there is no real reason why you could or should not do that, and it might be pretty useful for some people who don't want to install separate hardware just for adding storage.

Apart from the PCI passthrough configuration, I also created a list I always go through when I create new virtual machines, because some of the default settings in Proxmox aren't really the best. So let's go through some of the best practices for creating VMs as well. Let's select my Proxmox node 2 and create a new virtual machine; I'm just entering "test machine" as the name, and let's go through the settings one by one. First of all, pay attention to the guest operating system you're installing. When you pick a Linux distribution you will see the type Linux here, and also the newest kernel enabled by default. But if you're using a Windows system, you should definitely make sure that you switch this to Microsoft Windows, select the specific version, and also enable the checkbox "Add additional drive for VirtIO drivers". On Linux the VirtIO drivers are built into the OS, so you don't need to install them, but on Windows they are not part of the operating system, and that's why you have to download the Windows VirtIO drivers from the Proxmox website, which gives you an ISO file that you need to upload to Proxmox. So here just make sure the VirtIO ISO is selected so that you have that
ready when you're installing the operating system. By the way, here you will also see a screenshot of what you need to do in the installation process of the Windows guest operating system. Okay, but in case you are using Linux, you just click Next, and you should pay attention to the next settings. First, make sure the SCSI controller is set to VirtIO SCSI; you can use the single variant, that's totally fine. And you should always enable the QEMU guest agent: this makes sure the guest operating system is better integrated into the Proxmox Virtual Environment, and the host OS gets access to some internal functions and metrics of the guest OS, such as the balloon driver for memory and the IP and MAC addresses of the guest. In the case of Windows you should also add a TPM and a TPM state storage; again, this is required on modern Windows operating systems; on Linux you can ignore this. When you're using a graphics card, or a Windows OS with a graphical UI, you might also select the graphics card and switch it to VirtIO-GPU, which gives better performance when rendering graphical applications in the VM; on any other system that doesn't have a graphics card, just leave it at the default, that's totally fine. Also, on most of my Linux servers I just use the default machine type, i440fx, and the default SeaBIOS; those are the older legacy versions that are better supported on older systems. But again, if you have a Windows OS, or if you want to do PCIe passthrough, it's required to set the machine type to q35, the newer version that supports PCI Express and newer functionality, as well as the BIOS, which you can set to OVMF, which supports UEFI. Again, that's only a setting I've configured on my NAS storage server, because there I needed PCI passthrough; for most other operating systems I haven't enabled this, except for Windows, where the UEFI features are pretty useful. But
also, for the network, make sure that when you're creating a virtual network interface you select the VirtIO model. On some older operating systems where it might not be supported, you can also switch to a different one: the E1000 is, I think, the oldest driver around, or the Realtek one for compatibility, or the VMware one if you're importing virtual machines from VMware that might not have the VirtIO drivers. But in most cases the VirtIO drivers are just the best for Proxmox and a Linux OS. All right, so that's basically everything you need to pay attention to when you create a new virtual machine. I hope you made some notes here.

But I'll give you one more extra tip, because what is also pretty cool is that you can create VM templates, and that is what I always do. For example, I've created a VM template for my Ubuntu virtual machine, and that allows me to provision new virtual machines more easily and simply with a cloud-init drive: you clone a new VM from this template, but you can also set a new user and password, upload a new SSH key, give it a different IP address and so on, without configuring those things in the VM's guest operating system. It's pretty cool. You can create those templates here; basically, once you have installed and prepared a VM (you should have deleted the SSH host keys and reset the machine ID and so on, otherwise every clone shares them; I'm not going into details here), you can click "Convert to template" and then store it as a template to clone other VMs from. That's much simpler than always going through the installation process of a guest OS. Of course, I've also made a video tutorial about that topic, using another tool for creating those templates automatically in a scripted way, with the HashiCorp Packer application; it's super useful. I'm also using other systems in combination with Proxmox, like Terraform, or Authentik for my
authentication. So there are so many more things, but I will cover them in additional upcoming videos. Okay everybody, so I hope these settings and best practices helped you make your Proxmox setup more robust and secure. For me personally, these are just must-haves, and if you knew all these tricks and you think I missed a few important ones, then please leave me a comment down below so I can add them to my best practice list. As always, thanks everybody for watching, and a big thanks goes out to all of the Patreon supporters: you guys make all of these free tutorials possible. Everyone have a nice day, I'm going to catch you in the next video, take care, bye-bye.
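The repository switch from the update section above, as an added shell example (not code from the video or from Proxmox): it does on the command line what the Repositories panel does, and adds the check a practitioner wants before running apt. It assumes Proxmox VE 8 on Debian bookworm, and that the enterprise entries live in pve-enterprise.list and ceph.list as a default install creates them; the directory is a parameter so the functions can be run against a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the video: CLI equivalent of disabling the enterprise
# repositories and enabling pve-no-subscription on Proxmox VE 8 (bookworm).
# Assumptions: suite "bookworm"; enterprise entries in pve-enterprise.list and
# ceph.list. On a node run: configure_repos /etc/apt/sources.list.d [quincy|reef]

SUITE="${SUITE:-bookworm}"

# Comment out every active "deb ... enterprise.proxmox.com ..." line in a file.
disable_enterprise_repo() {
  file="$1"
  [ -f "$file" ] || return 0          # nothing to do if the file is absent
  sed 's|^[[:space:]]*deb \(.*enterprise\.proxmox\.com.*\)$|# deb \1|' "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
}

# Add the free pve-no-subscription repository (the GUI's "No-Subscription" entry).
enable_no_subscription_repo() {
  printf 'deb http://download.proxmox.com/debian/pve %s pve-no-subscription\n' \
    "$SUITE" > "$1/pve-no-subscription.list"
}

# Optional: the no-subscription Ceph repository for the given release
# (quincy or reef), only needed on a Ceph cluster.
enable_ceph_no_subscription_repo() {
  printf 'deb http://download.proxmox.com/debian/ceph-%s %s no-subscription\n' \
    "$2" "$SUITE" > "$1/ceph-no-subscription.list"
}

# The check: fail if an active enterprise entry remains (apt update keeps
# failing with 401 on it without a subscription) or if no no-subscription
# entry exists at all.
verify_repos() {
  dir="$1"
  if grep -hs '^[[:space:]]*deb .*enterprise\.proxmox\.com' "$dir"/*.list; then
    echo "verify_repos: active enterprise repository still present" >&2
    return 1
  fi
  grep -qs 'pve-no-subscription' "$dir"/*.list
}

configure_repos() {
  dir="${1:-/etc/apt/sources.list.d}"
  ceph="${2:-}"
  disable_enterprise_repo "$dir/pve-enterprise.list"
  disable_enterprise_repo "$dir/ceph.list"
  enable_no_subscription_repo "$dir"
  if [ -n "$ceph" ]; then
    enable_ceph_no_subscription_repo "$dir" "$ceph"
  fi
  verify_repos "$dir"
}

# On a node, once configure_repos succeeds:
#   apt update && apt dist-upgrade
# and reboot when a new kernel was installed.
```

Run it against a copy of /etc/apt/sources.list.d first; verify_repos is the line to keep in any node provisioning script, because a forgotten enterprise entry keeps every apt update failing until someone notices.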
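The IOMMU and interrupt-remapping check from the PCI passthrough section, as an added shell example (not the command shown in the video): a function that reads kernel messages from stdin, so it runs as "dmesg | iommu_status" on a node and can be fed the constructed sample logs below offline. The strings it matches are the boot messages of the Intel (DMAR) and AMD (AMD-Vi) IOMMU drivers, including the "AMD IOMMUv2 loaded and initialized" line mentioned above; the sample logs are constructed, not captured from the author's nodes.

```shell
#!/bin/sh
# Added example, not from the video: IOMMU / interrupt remapping check.
# Usage on a node:   dmesg | iommu_status
# Exit codes: 0 = IOMMU and interrupt remapping on, 1 = no IOMMU, 2 = IOMMU on
# but interrupt remapping off.

iommu_status() {
  log=$(cat)   # buffer the whole log so it can be searched more than once
  if printf '%s\n' "$log" | grep -q 'DMAR: IOMMU enabled'; then
    vendor=intel
    remap='DMAR-IR: Enabled IRQ remapping'
  elif printf '%s\n' "$log" | grep -q 'AMD-Vi: AMD IOMMUv2 loaded and initialized'; then
    vendor=amd
    remap='AMD-Vi: Interrupt remapping enabled'
  else
    echo "iommu: not enabled; check VT-d/AMD-Vi in the BIOS and the kernel cmdline" >&2
    return 1
  fi
  if printf '%s\n' "$log" | grep -q "$remap"; then
    echo "$vendor iommu enabled, interrupt remapping enabled"
    return 0
  fi
  # vfio refuses passthrough without interrupt remapping unless you set
  # allow_unsafe_interrupts, which would let a guest inject MSIs into the host.
  echo "$vendor iommu enabled, but interrupt remapping is OFF" >&2
  return 2
}

# Constructed sample logs (not from the author's nodes), one per vendor plus
# one without any IOMMU message.
SAMPLE_INTEL='[    0.310] DMAR: IOMMU enabled
[    0.412] DMAR-IR: Enabled IRQ remapping in x2apic mode'
SAMPLE_AMD='[    0.520] AMD-Vi: AMD IOMMUv2 loaded and initialized
[    0.531] AMD-Vi: Interrupt remapping enabled'
SAMPLE_OFF='[    0.300] pci 0000:00:00.0: [8086:3e30] type 00 class 0x060000'

# With --live check the running kernel, otherwise demonstrate on the samples.
if [ "${1:-}" = "--live" ]; then
  dmesg | iommu_status
else
  printf '%s\n' "$SAMPLE_INTEL" | iommu_status
  printf '%s\n' "$SAMPLE_AMD" | iommu_status
  printf '%s\n' "$SAMPLE_OFF" | iommu_status || echo "sample without IOMMU rejected (rc=$?)"
fi
```

The distinct exit code for "IOMMU on, remapping off" is deliberate: that is the state where passthrough only works with the unsafe-interrupts override, and a provisioning script should refuse rather than silently enable it.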
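The VM creation settings from the section above (VirtIO SCSI single with an IO thread, VirtIO NIC, QEMU guest agent, and for Windows or passthrough q35, OVMF, a TPM 2.0 state disk and the VirtIO driver ISO), as an added shell example that is not from the video: a builder for the matching "qm create" command. It prints the command rather than running it, so it can be reviewed and tested offline and piped to sh on a node. The storage "local-lvm", bridge "vmbr0" and ISO volume "local:iso/virtio-win.iso" are assumed names, not from the video.

```shell
#!/bin/sh
# Added example, not from the video: build a `qm create` command with the
# recommended VM settings. Assumed names: local-lvm, vmbr0, local:iso/virtio-win.iso.
# Usage: build_qm_create <vmid> <name> linux|windows [install-iso-volid]
#   HOSTPCI=<bdf> (e.g. 0000:03:00.0) adds a PCIe passthrough device.
#   On a node:  build_qm_create 100 web linux local:iso/ubuntu.iso | sh

build_qm_create() {
  vmid="$1"; name="$2"; kind="$3"; install_iso="${4:-}"
  extra=""
  case "$kind" in
    linux)
      ostype=l26; machine=pc; bios=seabios ;;          # i440fx + SeaBIOS is fine headless
    windows)
      ostype=win11; machine=q35; bios=ovmf
      # OVMF needs an EFI vars disk; Windows 11 needs TPM 2.0; VirtIO-GPU for the
      # desktop; the driver ISO so the installer can see the VirtIO disk.
      extra=" --efidisk0 local-lvm:1,efitype=4m,pre-enrolled-keys=1"
      extra="$extra --tpmstate0 local-lvm:1,version=v2.0"
      extra="$extra --vga virtio --ide0 local:iso/virtio-win.iso,media=cdrom" ;;
    *)
      echo "build_qm_create: kind must be linux or windows" >&2; return 1 ;;
  esac
  if [ -n "${HOSTPCI:-}" ]; then
    # pcie=1 is only valid with the q35 machine type; switch BIOS to OVMF as the
    # video does for the NAS VM, and give Linux an EFI vars disk too.
    machine=q35; bios=ovmf
    case "$kind" in linux) extra="$extra --efidisk0 local-lvm:1,efitype=4m" ;; esac
    extra="$extra --hostpci0 $HOSTPCI,pcie=1"
  fi
  boot="order=scsi0"
  if [ -n "$install_iso" ]; then
    extra="$extra --ide2 $install_iso,media=cdrom"
    boot="order=ide2;scsi0"
  fi
  printf 'qm create %s --name %s --ostype %s --machine %s --bios %s' \
    "$vmid" "$name" "$ostype" "$machine" "$bios"
  printf ' --cores 2 --memory 4096 --cpu host'
  printf ' --scsihw virtio-scsi-single --scsi0 local-lvm:32,iothread=1,discard=on'
  printf ' --net0 virtio,bridge=vmbr0 --agent enabled=1'
  printf " --boot '%s'%s\n" "$boot" "$extra"
}
```

The boot order is single-quoted in the output because of the semicolon, so the printed line is safe to pipe to sh as-is. Sizes (2 cores, 4 GiB, 32 GiB disk) are placeholders to adjust per VM.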
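The storage, notification and backup-job settings from the sections above, as an added shell example that is not from the video: the pvesm/pvesh commands behind those screens (NFS storage limited to backup content, an SMTP target replacing mail-to-root, a daily snapshot-mode job routed through the notification system with keep-last retention), plus an audit of an existing /etc/pve/jobs.cfg that flags the three defaults the video warns about. The NAS address 10.0.0.5, export /mnt/tank/pve-backups, storage id nas-backups and SMTP relay mail.example.com are assumed values; --notification-mode on backup jobs assumes Proxmox VE 8.2 or newer.

```shell
#!/bin/sh
# Added example, not from the video. Assumed values: NAS 10.0.0.5, export
# /mnt/tank/pve-backups, storage id nas-backups, relay mail.example.com, PVE >= 8.2.
# The SMTP password is referenced as "$SMTP_PASSWORD" in the printed command so
# it never lands in this script.
# Usage:  build_backup_setup <vmid-list> <keep-last> | sh      (on a node, as root)
#         check_jobs_cfg < /etc/pve/jobs.cfg

build_backup_setup() {
  vmids="$1"; keep="${2:-10}"
  # 1. NFS storage on the NAS, limited to backup content so no VM disk can be
  #    placed on it by accident; its prune policy applies to jobs without one.
  printf 'pvesm add nfs nas-backups --server 10.0.0.5 --export /mnt/tank/pve-backups'
  printf ' --content backup --prune-backups keep-last=%s\n' "$keep"
  # 2. SMTP target, then point the built-in default matcher at it instead of
  #    the mail-to-root target that goes nowhere.
  printf 'pvesh create /cluster/notifications/endpoints/smtp --name admin-smtp'
  printf ' --server mail.example.com --mode starttls --port 587'
  printf ' --username pve@example.com --password "$SMTP_PASSWORD"'
  printf ' --from-address pve@example.com --mailto admin@example.com\n'
  printf 'pvesh set /cluster/notifications/matchers/default-matcher --target admin-smtp\n'
  # 3. Daily snapshot-mode job to that storage, through the notification system.
  printf 'pvesh create /cluster/backup --id backup-daily --schedule daily --enabled 1'
  printf ' --storage nas-backups --mode snapshot --compress zstd'
  printf ' --vmid %s --prune-backups keep-last=%s' "$vmids" "$keep"
  printf ' --notification-mode notification-system\n'
}

# Audit jobs.cfg from stdin: every vzdump job must target a non-local storage,
# carry a retention policy and use the notification system. One line per
# finding; returns 1 when there is any.
check_jobs_cfg() {
  awk '
    function flush() {
      if (job == "") return
      if (storage == "" || storage == "local") { print job ": backups go to local storage"; bad = 1 }
      if (prune == "")                         { print job ": no prune-backups retention set"; bad = 1 }
      if (mode != "notification-system")       { print job ": notification-mode is \"" mode "\", not notification-system"; bad = 1 }
    }
    /^vzdump:/                   { flush(); job = $2; storage = ""; prune = ""; mode = "auto" }
    /^[a-z-]+:/ && !/^vzdump:/   { flush(); job = "" }
    /^[ \t]+storage /            { storage = $2 }
    /^[ \t]+prune-backups /      { prune = $2 }
    /^[ \t]+notification-mode /  { mode = $2 }
    END                          { flush(); exit bad }
  '
}

# Constructed jobs.cfg excerpt (the real file indents with tabs): one job set
# up as recommended, one left on the defaults.
SAMPLE_JOBS_CFG='vzdump: backup-daily
    mode snapshot
    notification-mode notification-system
    prune-backups keep-last=10
    schedule daily
    storage nas-backups
    vmid 101,102

vzdump: backup-old
    schedule daily
    storage local
    vmid 103'

if [ "${1:-}" = "--audit" ]; then
  check_jobs_cfg < /etc/pve/jobs.cfg
fi
```

The audit is the part worth running on nodes you did not build yourself: a job that still points at "local" with no retention is exactly the one that fills the boot disk and then fails silently because its mail goes to root@localhost.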