PROXMOX UEFI FULL ENCRYPTED DISK GPU PASSTHROUGH USB PASSTHROUGH SERVER VARIANT SSH UNLOCK

Download

https://cdimage.debian.org/images/unofficial/non-free/images-including-firmware

In this example I am using https://cdimage.debian.org/images/unofficial/non-free/images-including-firmware/10.4.0-live+nonfree/amd64/iso-hybrid/debian-live-10.4.0-amd64-standard+nonfree.iso

 

After booting the live CD (or recovery mode) on your server, enter the following and give the live system a root password

# Become root on the live system and give it a root password so the later
# SSH login (root, password) works.
sudo -i
passwd
# Time zone and host name used throughout this guide.
timedatectl set-timezone US/Central
hostnamectl set-hostname ProxMox

We need
Partition 1 = UEFI    1024MB
Partition 2 = ext4      1024MB
Partition 3 = Linux swap 8192 MB
Partition 4 = ext4 rest of disk space

# Drive fdisk non-interactively with the same answers an interactive session
# would get: new GPT label, four partitions (sizes as listed above, the last
# one taking the rest of the disk), partition 3 typed as Linux swap (19) and
# partition 1 as EFI System (1), then write the table.
fdisk /dev/sda <<'FDISK_ANSWERS'
g
n


+1024M
n


+1024M
n


+8192M
n




t
3
19
t
1
1
w
FDISK_ANSWERS

after partition

apt update
# openssh-server: remote access to the live system; cryptsetup: LUKS setup;
# dosfstools: mkfs for the EFI partition; debootstrap: installs the base
# system into /mnt.
apt install openssh-server cryptsetup ntfs-3g dosfstools debootstrap -y

 

After installing ssh, edit its config

nano /etc/ssh/sshd_config

change and uncomment these lines

PermitRootLogin yes
PasswordAuthentication yes

save the file

and restart the ssh server on the live cd

/etc/init.d/ssh restart

check the IP address the live system is using

ip a

and connect to the ip via putty or other ssh client

ssh root@serverip

Generate a random password for disk encryption (the value printed below is only an example of the output; use the one your own command prints and keep it secret)

# Print 46 random bytes as base64; this is the LUKS passphrase used below.
openssl rand -base64 46

LDCuhsqlo+qD6WxR7PBULOuTSaq1XXTzMzOyYhSyx8s5R/DtkAzGfbfieF513A==

format your drive with cryptsetup

# Create the LUKS container on the root partition. -s 512 is the key size in
# bits (XTS splits it into two 256-bit AES keys); --iter-time 5000 makes the
# key derivation take about 5 s per attempt, which slows brute force against
# the passphrase. cryptsetup prompts for the passphrase generated above.
cryptsetup --cipher aes-xts-plain64 -s 512 -h sha512 --iter-time 5000 luksFormat /dev/sda4

and open the disk

# Open the container as /dev/mapper/root.
cryptsetup luksOpen /dev/sda4 root

make file systems

# Root filesystem on the opened LUKS mapping.
mkfs.ext4 /dev/mapper/root
# EFI System Partition, FAT32.
mkfs -t vfat -F 32 /dev/sda1
# Unencrypted /boot (kernel and the dropbear initramfs live here).
mkfs.ext4 /dev/sda2

now create the swap partition with cryptsetup

# Derive the swap volume's key from the already-open "root" mapping, so no
# second passphrase is needed during the install. NOTE(review): the crypttab
# written later on this page sets swap up from /dev/urandom on every boot, so
# this LUKS header on sda3 appears to be used only for this install session —
# confirm that is intended.
/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sda3
/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup luksOpen /dev/sda3 swap

make the swap on and mount the crypted disk

mkswap /dev/mapper/swap
swapon /dev/mapper/swap
# Build the target tree under /mnt: root, then /boot, then /boot/efi inside it.
# (Unmount in the reverse order later: /boot/efi before /boot.)
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Download the key files from debian

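cd /tmp
# Fetch the Debian archive signing keys over verified TLS. These keys are the
# trust root for the debootstrap step below, so certificate checking must stay
# on (the original used --no-check-certificate, which lets anyone on the path
# hand out substitute keys). If the live system has no CA bundle, install
# ca-certificates rather than disabling verification.
wget https://ftp-master.debian.org/keys/archive-key-8.asc
wget https://ftp-master.debian.org/keys/archive-key-8-security.asc
wget https://ftp-master.debian.org/keys/archive-key-9.asc
wget https://ftp-master.debian.org/keys/archive-key-9-security.asc
wget https://ftp-master.debian.org/keys/archive-key-10.asc
wget https://ftp-master.debian.org/keys/archive-key-10-security.asc
# Import into root's keyring, which debootstrap is pointed at below.
gpg --import archive-key-*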

and install debian buster to /mnt/

# Bootstrap Debian buster into /mnt. The mirror is plain HTTP; integrity comes
# from the signed Release file, verified against the keyring imported above.
debootstrap --keyring=/root/.gnupg/pubring.kbx --arch amd64 buster /mnt/ http://deb.debian.org/debian

after install chroot the new installed debian linux

# Expose the live system's device, proc and sys trees inside the new root so
# tools run in the chroot (update-initramfs, grub-install) see real hardware.
mount -o bind /dev /mnt/dev
mount -o bind /dev/pts /mnt/dev/pts
mount -t proc /proc /mnt/proc
mount -t tmpfs none /mnt/tmp
mount -o bind /sys /mnt/sys
chroot /mnt /bin/bash


go to temp directory and give the chroot a password

cd /tmp
# Root password of the installed system (not the live CD).
passwd

edit the host file

nano /etc/hosts

the file looks like this >

127.0.0.1	localhost
XXX.XXX.XXX.XXX	ProxMox

edit the fstab file

nano /etc/fstab

the file looks like this

# UNCONFIGURED FSTAB FOR BASE SYSTEM
/dev/sda1		/boot/efi       vfat    umask=0077      0       1
/dev/sda2		/boot ext4 defaults 0 1
/dev/mapper/swap       none    swap    sw        0       0
/dev/mapper/root       /       ext4    errors=remount-ro,relatime      0       1
proc            /proc   proc    defaults                0       0
sysfs           /sys    sysfs   defaults                0       0
tmpfs           /dev/shm        tmpfs   defaults        0       0
devpts          /dev/pts        devpts  defaults        0       0

edit the network config

# Replace the debootstrap default with the config below.
rm /etc/network/interfaces
nano /etc/network/interfaces

copy this config to your network config file

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
	address XXX.XXX.XXX.XXX/24
	gateway XXX.XXX.XXX.XXX

auto vmbr0
iface vmbr0 inet static
	address 10.0.0.254/24
	bridge-ports none
	bridge-stp off
	bridge-fd 0
#10.0.0.0

auto vmbr1
iface vmbr1 inet static
	address 192.168.0.254/24
	bridge-ports none
	bridge-stp off
	bridge-fd 0
#192.168.0.0

auto vmbr2
iface vmbr2 inet static
	address 172.16.0.254/24
	bridge-ports none
	bridge-stp off
	bridge-fd 0
#172.16.0.0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE

        post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE

        post-up   iptables -t nat -A POSTROUTING -s '172.16.0.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '172.16.0.0/24' -o eno1 -j MASQUERADE

install locales

apt update
apt install locales -y
# Interactive; pick en_US.UTF-8 as noted below.
dpkg-reconfigure locales

and setup en_US.UTF-8

apt update
# Needed to fetch and import the Proxmox repository key in the next step.
apt install wget gnupg2 -y

download proxmox key

# Release key for the Proxmox 6.x repository. NOTE(review): it is fetched over
# plain HTTP and added to apt's trust store without any checksum or fingerprint
# check, so anyone on the network path could substitute it; compare the file's
# checksum or fingerprint with the value published in the Proxmox documentation
# before running apt-key add.
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
apt-key add proxmox-ve-release-6.x.gpg

set the time zone data to US/Central

dpkg-reconfigure tzdata

remove old source list and create new

# Replace the debootstrap-generated sources.list with the one below.
rm /etc/apt/sources.list
nano /etc/apt/sources.list

insert this to your apt source list

#------------------------------------------------------------------------------#
#                   OFFICIAL DEBIAN REPOS                    
#------------------------------------------------------------------------------#

###### Debian Main Repos
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free

deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free

deb http://deb.debian.org/debian-security stable/updates main
deb-src http://deb.debian.org/debian-security stable/updates main

deb http://ftp.debian.org/debian buster-backports main
deb-src http://ftp.debian.org/debian buster-backports main

# Proxmox

deb http://download.proxmox.com/debian buster pvetest

 

# Pull in the new sources (including the Proxmox pvetest repo) and upgrade.
apt update
apt dist-upgrade -y

now install proxmox

# proxmox-ve from the repo configured above; grub-efi/efibootmgr for the UEFI
# install to /dev/sda; cryptsetup for the encrypted root; dropbear for the
# SSH unlock from the initramfs set up further down.
apt install proxmox-ve grub-efi-amd64 grub-efi-amd64-bin efibootmgr cryptsetup dropbear -y

create the crypttab

nano /etc/crypttab

 

# <target name> <source device>         <key file>      <options>
root /dev/sda4 none luks
swap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=512

edit grub

nano /etc/default/grub

 

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet intel_iommu=on"

edit the ssh config

nano /etc/ssh/sshd_config

change and uncomment these lines

PermitRootLogin yes
PasswordAuthentication yes

open the modules loader config file

nano /etc/modules

 

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd

disable ipv6

nano /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

 

# Apply the sysctl settings just written.
sysctl -p

 

# Also keep the ipv6 module from loading (appended; the redirect only hides tee's echo).
echo 'blacklist ipv6' | tee -a '/etc/modprobe.d/blacklist.local' >/dev/null 

IPv6 is now completely disabled

edit the initramfs conf

nano /etc/initramfs-tools/initramfs.conf

add and edit

DEVICE=eno1
IP=XXX.XXX.XXX.XXX::XXX.XXX.XXX.XXX:255.255.255.0:ProxMox:eno1:off

 

cd /etc/dropbear-initramfs/
# Convert dropbear's RSA *host* key into an OpenSSH private key (id_rsa) and
# derive the matching public key. NOTE(review): the page then has you copy
# id_rsa to the desktop and use it as the PuTTY login key, so the server's host
# private key leaves the server and whoever holds the copy can impersonate the
# host. A dedicated client key pair (generated on the desktop, public half
# installed as the initramfs authorized_keys) keeps the host key private —
# confirm which authorized_keys file the dropbear-initramfs hook reads on this
# version.
/usr/lib/dropbear/dropbearconvert dropbear openssh dropbear_rsa_host_key id_rsa
dropbearkey -y -f dropbear_rsa_host_key |grep "^ssh-rsa " > id_rsa.pub

Copy this key to your desktop

nano id_rsa

and save

nano /etc/initramfs-tools/hooks/crypt_unlock.sh

paste this

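#!/bin/sh
# initramfs-tools hook: when dropbear is part of the initramfs and the system
# has a crypttab, add an "unlock" helper and a plymouth shim so the root volume
# can be unlocked from the dropbear SSH session.

# Run after the dropbear hook so its files are already in ${DESTDIR}.
PREREQ="dropbear"

# initramfs-tools calls the hook with "prereqs" to learn its ordering.
prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
  ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
  # /bin/unlock inside the initramfs: run cryptroot with the shimmed plymouth
  # first in PATH, then terminate the waiting cryptroot and the remote shell
  # once the passphrase has been accepted. The heredoc is unquoted on purpose:
  # \` and \$ are escaped so they survive into the generated script.
  cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
# following line kill the remote shell right after the passphrase has
# been entered.
kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
exit 0
fi
exit 1
EOF

  chmod 755 "${DESTDIR}/bin/unlock"

  # plymouth shim: answer "--ping" with failure (presumably so cryptroot does
  # not hand the prompt to plymouth — confirm against /scripts/local-top/cryptroot)
  # and forward everything else. "=" instead of "==": the initramfs shell is
  # POSIX sh, where "==" inside [ ] is not guaranteed to be understood.
  mkdir -p "${DESTDIR}/lib/unlock"
  cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

  chmod 755 "${DESTDIR}/lib/unlock/plymouth"

  # Same motd text as before (the original's quotes were eaten by the shell);
  # the path is now quoted so a DESTDIR with spaces cannot split.
  printf '%s\n' 'To unlock root-partition run unlock' >> "${DESTDIR}/etc/motd"
fi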

 

chmod a+x /etc/initramfs-tools/hooks/crypt_unlock.sh
# Rebuild every installed kernel's initramfs so the hook above is included.
update-initramfs -k all -u
# Presumably dropbear is only wanted inside the initramfs, with openssh-server
# serving the booted system — though /etc/default/dropbear is set to
# NO_START=0 below; confirm the intended combination.
systemctl disable dropbear

 

nano /etc/default/dropbear

change this line to this

NO_START=0

disable the getty services; you will never see a console login on this server anyway

# No console login on this headless server, so the getty units are disabled.
systemctl disable getty@.service
systemctl disable serial-getty@.service
systemctl disable console-getty.service
systemctl disable getty-static.service
systemctl disable container-getty@.service

update initramfs and install grub to /dev/sda and update-grub

update-initramfs -u -k all
# UEFI install: writes the GRUB EFI binary to /boot/efi and registers a boot
# entry named "ProxMox" in the firmware.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ProxMox --recheck --debug /dev/sda
update-grub


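# Leave the chroot, then tear down the mounts in reverse order of creation.
# /boot/efi was mounted under /boot, so it must be unmounted first or
# "umount /mnt/boot" fails with a busy target (the original skipped it).
exit
umount /mnt/sys
umount /mnt/tmp
umount /mnt/proc
umount /mnt/dev/pts
umount /mnt/dev
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt
# Release both mappings opened earlier; swap is still in use, so swapoff first.
swapoff /dev/mapper/swap
cryptsetup luksClose swap
cryptsetup luksClose root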
After reboot, use PuTTYgen to load the id_rsa key from your desktop and save the private key in PuTTY format

now go in your putty to Connection>SSH>Auth

browse for private key file for authentication



Now connect to your server, check that you can log in as root, and enter this command with your password

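# Feed the LUKS passphrase to cryptroot's fifo without a trailing newline.
# printf replaces "echo -n", whose -n handling is not portable across sh
# implementations. The value shown is the example from the openssl step
# earlier on this page; use the passphrase you generated.
printf '%s' 'LDCuhsqlo+qD6WxR7PBULOuTSaq1XXTzMzOyYhSyx8s5R/DtkAzGfbfieF513A==' > /lib/cryptsetup/passfifo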

 

 

 

Dell Optiplex 9010 GPU PCIe Passthrough – All USB Ports Passthrough

 

 

Internet Browsers tests

Microsoft Edge Browser


Microsoft Internet Explorer 11




TOR Browser


All Browsers Working over TOR

Putty over TOR

everything and all runs over the TOR Network

 

let us start the passthrough config with the Tor gateway

 

You need to find out your PCI addresses; in this example my GPU is an NVIDIA GeForce GT 710


# Show the vendor:device ids of the card at PCI address 01:00 (used in vfio.conf).
lspci -n -s 01:00

# allow_unsafe_interrupts=1 lets vfio hand devices to a guest even when the
# IOMMU cannot remap interrupts; this weakens guest/host isolation (a guest
# may be able to inject interrupts into the host), so leave it off on hardware
# that supports interrupt remapping.
echo "options vfio_iommu_type1 allow_unsafe_interrupts=1" > /etc/modprobe.d/iommu_unsafe_interrupts.conf
# Bind both functions of the card (presumably video and audio) to vfio-pci at
# boot instead of the host drivers blacklisted below.
echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf
echo "blacklist radeon" >> /etc/modprobe.d/blacklist.conf 
echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf 
echo "blacklist nvidia" >> /etc/modprobe.d/blacklist.conf 


nano /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=0.00
GRUB_DISTRIBUTOR="Proxmox Virtual Environment"
GRUB_CMDLINE_LINUX_DEFAULT="splash video=efifb:off ipv6.disable=1 intel_iommu=on"
GRUB_CMDLINE_LINUX=""


# Rebuild the initramfs (vfio modules, blacklist) and regenerate grub.cfg
# with the edited kernel command line.
update-initramfs -k all -u
update-grub

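# Same teardown as the earlier exit/umount block (presumably only one of the
# two applies, depending on whether the passthrough steps were done in the
# chroot). /boot/efi is mounted under /boot, so it is unmounted first or
# "umount /mnt/boot" fails with a busy target (the original skipped it).
exit
umount /mnt/sys
umount /mnt/tmp
umount /mnt/proc
umount /mnt/dev/pts
umount /mnt/dev
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt
# Release both mappings; swap is still in use, so swapoff first.
swapoff /dev/mapper/swap
cryptsetup luksClose swap
cryptsetup luksClose root
reboot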



after reboot, log in and create this config for your Tor gateway VM

ssh root@yourdell9010
# VM 100 (the Tor gateway): net0 on vmbr1 (uplink), net1 on vmbr0 (client side).
nano /etc/pve/qemu-server/100.conf

boot: cdn
bootdisk: virtio0
cores: 4
cpu: host
ide2: none,media=cdrom
memory: 512
name: GATE
net0: virtio=A6:9A:66:F4:5C:30,bridge=vmbr1
net1: virtio=C2:32:16:1A:45:07,bridge=vmbr0
numa: 0
onboot: 1
ostype: l26
scsihw: virtio-scsi-pci
smbios1: uuid=f376ea73-6826-487c-9429-813e94f4b805
sockets: 1
virtio0: local:100/vm-100-disk-0.raw,cache=writeback,size=32G
vmgenid: 7d745e0f-5f1f-4c11-8b6c-cabe3805d7ae

upload the following ISO file to your Proxmox host

https://cdimage.debian.org/images/unofficial/non-free/images-including-firmware/10.4.0+nonfree/amd64/iso-cd/firmware-10.4.0-amd64-netinst.iso

Install this Linux on your VM; when the task selection appears, select only SSH Server, finish the install, and edit the sshd config to allow root login

# Gateway VM: bridge tools for br0, tor for the transparent proxy, a DHCP
# server for the 10.0.0.0/24 client side, ntp for time sync.
apt install bridge-utils tor isc-dhcp-server ntp -y

# Replace the packaged torrc with the three lines below.
rm /etc/tor/torrc
nano /etc/tor/torrc

AutomapHostOnResolve 1
TransPort 10.0.0.1:9050
DNSPort 10.0.0.1:53

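# Replace the packaged dhcpd.conf with the one below. (The original line read
# "rm nano /etc/dhcp/dhcpd.conf", which would also try to delete a file
# named "nano" in the working directory.)
rm /etc/dhcp/dhcpd.conf
nano /etc/dhcp/dhcpd.conf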

ddns-update-style none;

authoritative;

log-facility local7;

# A slightly different configuration for an internal subnet.
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.10 10.0.0.250;
  option domain-name-servers 10.0.0.1;
  option domain-name "0n10n.lokal";
  option routers 10.0.0.1;
  option broadcast-address 10.0.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

# Replace the installer-generated interfaces file with the config below.
rm /etc/network/interfaces
nano /etc/network/interfaces

 

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens18
iface ens18 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        gateway 192.168.0.254

iface ens19 inet manual

#Bridge Setup

auto br0
iface br0 inet static
        address 10.0.0.1
        netmask 255.255.255.0
        bridge_ports ens19
        bridge_maxwait 0
        bridge_fd 1
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward



   post-up iptables -F
   post-up iptables -t nat -F
   post-up iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j REDIRECT --to-ports 53
   post-up iptables -t nat -A PREROUTING -i br0 -p tcp --syn -j REDIRECT --to-ports 9050

 

nano /etc/sysctl.conf

 

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

 

# Apply the sysctl settings just written.
sysctl -p

 

# Also keep the ipv6 module from loading (appended; the redirect only hides tee's echo).
echo 'blacklist ipv6' | tee -a '/etc/modprobe.d/blacklist.local' >/dev/null 

 

nano /etc/default/grub

 

GRUB_DEFAULT=0
GRUB_TIMEOUT=0.00
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet ipv6.disable=1"
GRUB_CMDLINE_LINUX=""

 

nano /etc/default/isc-dhcp-server

 

INTERFACESv4="br0"
INTERFACESv6=""

 

# Regenerate grub.cfg with the edited command line and rebuild the initramfs
# so the ipv6 blacklist takes effect.
update-grub
update-initramfs -k all -u

reboot the vm and the gateway is ready

 

log in to the host and add the following config

 

nano /etc/pve/qemu-server/101.conf

 

bios: ovmf
bootdisk: sata0
cores: 4
cpu: host
efidisk0: local:101/vm-101-disk-1.raw,size=128K
hostpci0: 01:00,pcie=1,x-vga=on
hostpci1: 00:1a.0,rombar=0
hostpci2: 00:1d.0,rombar=0
hostpci3: 00:14.0
ide0: backup:iso/Windows_8.1_x64_US_g0db0x_PPPC.iso,media=cdrom,size=7578580K
machine: q35
memory: 2048
name: Windows
net0: virtio=AA:7F:69:08:8F:39,bridge=vmbr0
numa: 0
onboot: 1
ostype: win8
sata0: local:101/vm-101-disk-0.raw,cache=writeback,size=320G
scsihw: virtio-scsi-pci
smbios1: uuid=c5b7f102-c23c-4956-a076-c58816e2c82e
sockets: 1
vga: none
vmgenid: 1fe99ba0-ce0e-451a-b2c1-9e62fa34a19f

 

Now you are ready to install any OS over the Tor network, with full USB and GPU passthrough

 

 

Proxmox

Nested Virtualization


# Enable nested virtualization for the kvm-intel module (takes effect after
# the module is reloaded or on the next boot).
printf 'options kvm-intel nested=Y\n' > /etc/modprobe.d/kvm-intel.conf

 

 

why this ?

 

 

 
