Hetzner Online is a well-known hosting company from Germany. IPFire can be run in their new cloud products to protect the servers behind it.
However, Hetzner does not provide a ready-to-use image, so IPFire has to be installed manually.
This guide explains the installation of IPFire on Hetzner Cloud.
If you haven't already, register an account at https://www.hetzner.com/cloud and set it up as required.
Create a new project if you want to as well.
To set up IPFire to work as a firewall between the Internet and a local, internal network, you will need to create a new network. Choose a name and an IP address range.
It is recommended to use a network size of something larger than /24 to be able to create subnets inside this network of size /24.
In this example, I am going to use the default of
10.0.0.0/16 which will automatically create a subnet
The new server that will later become an IPFire firewall can only be installed with a default image. The default Ubuntu image or any other will do fine.
Any instance size will work fine with IPFire. You can later upgrade it, but you cannot downgrade your instance size.
Select the network that we have just created, so that this server will have a second network interface configured.
Finally, give your server a name and run it.
When the server is booting up, head to the "ISO Images" tab and mount the IPFire image:
Then head to the power tab and power cycle the server.
The server will now boot into the IPFire installer. Open the console to be able to run the installer.
Run the installation process as usual selecting your language, accepting the license agreement, partitioning and formatting the hard disk as well as extracting the system to disk.
After that, the system will reboot, and you will be greeted by the installation boot menu again. Right here, head back to the "ISO Images" tab again and "unmount" the ISO image.
Then, power cycle the server again to boot into the freshly installed system.
You will be greeted by the setup routine to select your keyboard layout and other things.
When you arrive at the network configuration, select GREEN + RED, and assign the network interfaces as shown. There is no way to figure out which MAC address belongs to which networks, so you may have to swap them later.
Assign the IP address that you see in the "Networking" tab of your server for the internal network (in this example, it is 10.0.0.2). 10.0.0.1 will always be used as the default gateway, which we will have to configure in a moment.
The RED interface can be configured automatically using DHCP.
Since we do not have anything running on the GREEN network yet, we need to enable access to the Web UI over the Internet. This is done by opening port 444 temporarily with this command:
iptables -A CUSTOMINPUT -p tcp --dport 444 -j ACCEPT
This rule will disappear after a reboot. So, please set up an OpenVPN access or IP-restricted access to the web user interface here.
Log on to the web user interface by accessing
https://<your public IP address>:444
If you cannot log in at this point, you likely need to swap the network card assignments as mentioned above.
Since Hetzner is routing all traffic over the cloud infrastructure, it does not allow any access between the internal hosts on the network. All packets need to be sent to the lowest address in your subnet, which in this example is 10.0.0.1.
In order to reach hosts on the GREEN network from the IPFire system, you will have to create a static route on the web UI routing everything destined to the network that was created to this address.
All hosts on the GREEN network should be configured with their respective addresses, a subnet mask of 255.255.255.255, and the default gateway being set to the gateway address (10.0.0.1).
To let the cloud know that we want all traffic being sent to the firewall, we need to go back to the network settings and add a new route for
0.0.0.0/0 to the GREEN IP address of the firewall (10.0.0.2).
This is all that needs to be done to get IPFire running on Hetzner Cloud.