A friend of mine asked me if I would rent him some computing power from my server for his school projects. I’ll happily do it for a couple of bucks to pay off the electricity bill.
Anyways, I started by creating the VM with ubuntu server, creating a user, configuring ssh etc.
First weird thing was that I was only able to access the VM’s IP (192.168.0.29) from devices that are not my TrueNAS itself (192.168.0.60). That wouldn’t really matter, since I don’t need to access the VM myself, but the host must have access to it for the Cloudflared tunnel to work.
Second thing is that within the VM I can unfortunately access all devices in my local network. And while I do trust my friend, I still don’t want him to have access to that (pretty understandable, I assume).
I asked Claude so many questions, and he told me to:
Create a VLAN on my Router. Unfortunately, my router does not allow that…
Create some sort of Network Bridge on the TrueNAS Host besides the main Interface. Whatever I tried, as soon as I hit ‘Test Changes’ I lost all network access to my NAS. Fortunately the built-in 60 second auto-revert always saved the day.
Configure the network in the VM directly. I never really saw any huge configuration options, either when creating the VM or editing it after creation…
Now I’m left with the VM, and it’s not even accessible for him yet (even if it would raise some security concerns for me…). I told him I’d get it up by the weekend so he can run his coding projects…
I’d appreciate any input and tips very much! Thanks
Bind the VM to a dedicated physical interface (e.g give it a dedicated NIC), then isolate that port at the router. That will simplify everything.
As to how to isolate it at the router, that depends on its capabilities. Applying ‘client isolation’ is probably the easiest method.
Else you will need to learn more about networking, what you’re trying to do can be achieved with vlan and/or subnet isolation. But, assuming your router supports it, this is not trivial to set up and maintain.
If your router &amp; switches in between do not support VLANs or you don’t have spare ports, there is no real secure way to do this. Your friend would be able to break out of any limitations you set up any other way I can think of off the top of my head (e.g. creating a tunnel directly from his VM to isolate it from everything else, which he could disable/change).
Claude actually cooked, I’ve asked him again, this time I’m running an Incus Container (instead of direct VM) and he added acl configurations for the container:
# Create a new ACL
sudo incus network acl create isolated-acl
# Add rule to allow Internet access (allow all outbound by default)
sudo incus network acl rule add isolated-acl egress action=allow
# Add rule to block access to your LAN subnet
sudo incus network acl rule add isolated-acl egress action=reject destination=192.168.0.0/24
# Add rule to allow DNS (needed for Internet)
sudo incus network acl rule add isolated-acl egress action=allow destination=0.0.0.0/0
# View the ACL
sudo incus network acl show isolated-acl
# Attach the ACL to incusbr0
sudo incus network set incusbr0 security.acls=isolated-acl
# Verify
sudo incus network show incusbr0
This worked fine, I have no idea what it does though tbh. (And I know, running shell scripts generated by AI without knowing what it does is a bad thing…)
I don’t have any experience with incus on that level, so I don’t know if the rule following this comment just is described wrong since it has nothing to do with DNS or if it even overrides the last rule in which case the slop machine worked as I’d expect it to. But a quick good old search revealed this site, if you want to see how DNS is handled:
But let’s break down the rule in question. Just from what can be read from this rule and as I interpret it: This rule is an egress - meaning outbound - rule. So far it makes sense. The action is “allow”. Which means, it allows whatever comes next. What comes next is a destination of 0.0.0.0/0. Which means any IP possible (in IPv4), Internet or local. Judge for yourself if that is what you want it to do. At a minimum “he” “lied” to you, as you seem to describe it.
Consider blocking all nonrouting IPs instead of just 192.168.0.x (assuming you are not using them for attaching your container to your tunnel). This reduces the risks of malicious DHCP or a fat finger error opening your network unintentionally.
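As an added illustration of the suggestion above (this is my own example, not code from the thread or from the Incus project), the script below builds the reject list for the whole set of non-routable IPv4 ranges (RFC 1918, link-local, CGNAT, loopback) instead of a single /24, while carving the Incus bridge’s own subnet back out of that list so the container can still reach the bridge gateway for DHCP and DNS. It assumes the default bridge name `incusbr0`, that `incus network get incusbr0 ipv4.address` returns the gateway in CIDR form (e.g. `10.187.12.1/24`), that the CLI is run by a user allowed to talk to the Incus daemon (the original posts use `sudo`), and, as I understand the Incus ACL docs, that reject rules are applied before allow rules regardless of the order they were added, which is why a broad `action=allow` rule does not undo the reject and why the thread’s `destination=0.0.0.0/0` allow rule adds nothing. It only covers IPv4; if the bridge also hands out IPv6 ULA addresses, a matching IPv6 rule is still needed.

```python
"""Generate (and optionally apply) an Incus egress ACL that rejects every
non-routable IPv4 destination except the Incus bridge's own subnet.
Added example for the forum thread; not code from Incus itself."""
import ipaddress
import shlex
import subprocess

# Constructed list of ranges the rented container should never reach.
# Adjust if you deliberately use one of these for the tunnel endpoint.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 (covers the poster's 192.168.0.0/24)
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("100.64.0.0/10"),    # CGNAT
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
]


def reject_ranges(bridge_cidr):
    """Return the non-routable ranges minus the bridge's own subnet.

    bridge_cidr is the bridge gateway as Incus reports it, e.g. '10.187.12.1/24';
    host bits are allowed so that value can be passed through unchanged.
    """
    bridge = ipaddress.ip_network(bridge_cidr, strict=False)
    result = []
    for net in NON_ROUTABLE:
        if bridge.subnet_of(net):
            # Split the big range into the pieces around the bridge subnet
            # so DHCP/DNS to the bridge gateway keeps working.
            result.extend(net.address_exclude(bridge))
        elif net.subnet_of(bridge):
            # Bridge subnet is larger than this range: nothing to reject here.
            continue
        else:
            result.append(net)
    return sorted(result)


def is_rejected(ip, bridge_cidr):
    """True if the ACL generated for bridge_cidr would reject traffic to ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in reject_ranges(bridge_cidr))


def acl_commands(acl_name, bridge_cidr, bridge="incusbr0"):
    """Build the incus CLI invocations as argv lists (nothing is executed here)."""
    dests = ",".join(str(n) for n in reject_ranges(bridge_cidr))
    return [
        ["incus", "network", "acl", "create", acl_name],
        # Default: let everything else out (Internet access for the tunnel).
        ["incus", "network", "acl", "rule", "add", acl_name, "egress", "action=allow"],
        # Reject rules take priority over allow rules, so this wins for LAN targets.
        ["incus", "network", "acl", "rule", "add", acl_name, "egress",
         "action=reject", f"destination={dests}"],
        ["incus", "network", "set", bridge, f"security.acls={acl_name}"],
    ]


def apply_acl(acl_name, bridge="incusbr0", bridge_cidr=None, dry_run=True):
    """Query the bridge subnet from Incus (unless given) and print/run the commands."""
    if bridge_cidr is None:
        bridge_cidr = subprocess.run(
            ["incus", "network", "get", bridge, "ipv4.address"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    cmds = acl_commands(acl_name, bridge_cidr, bridge)
    for cmd in cmds:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run by default: review the printed commands, then call with dry_run=False.
    apply_acl("isolated-acl")
```

Run it once as a dry run, check that the printed reject list contains your LAN but not the bridge subnet (`incus network show incusbr0` afterwards confirms the attachment), and only then apply it. If you later move the tunnel endpoint onto a private address, re-run the generator rather than hand-editing the rule, so the exclusion stays consistent.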
For isolating a VM while still allowing public access via Cloudflare Tunnel, the cleanest approach is: (1) create a separate VLAN or bridge in TrueNAS for the VM with no gateway to your LAN, (2) install the cloudflared agent inside the VM, (3) the tunnel connects outbound to Cloudflare so it does not need inbound ports or LAN access. The VM can reach the internet (for the tunnel) but cannot reach your LAN devices. In your Cloudflare dashboard, set up the tunnel to point to the VM service. For DNS, add a CNAME record pointing your subdomain to the tunnel UUID. This way the VM is network-isolated from your LAN but publicly accessible through Cloudflare. publicdns.info/tools/dig can help you verify the CNAME is resolving correctly after setup.
Hi @PaddraighOS thanks a lot for the response.
If I give my friend root access to the VM, wouldn’t that make the cloudflare “token” accessible to him? So he could possibly steal that, although I don’t know what it would really benefit him.
Sounds a bit scary to me though, but I will try it out once. Using a Cloudflare tunnel on my host pointing at my VM’s port did not work, unfortunately… so maybe this will!
Thanks again