Differences in Revisions: Hetzner Cloud

Added firewall rule for easy copy-paste
# Hetzner Cloud
 
![](./1000px-Logo_Hetzner.svg.png)
 
# About
 
Hetzner Online is a well-known hosting company from Germany. IPFire can be run in their new cloud products to protect the servers behind it.
 
However, Hetzner does not provide a ready-to-use image and IPFire has to be installed manually.
 
# Installation
 
This guide explains the installation of IPFire on Hetzner Cloud.
 
## Step 1: Account Registration
 
Register an account at [https://www.hetzner.com/cloud](https://www.hetzner.com/cloud) if you have not already done so, and set it up as required.
 
Optionally, create a new project as well.
 
## Step 2: Network Setup
 
To set up IPFire to work as a firewall between the Internet and a local, internal network, you will need to create a new network. Choose a name and an IP address range.
 
It is recommended to use a network larger than /24 so that subnets of size /24 can be created inside it.
 
![](./network-setup.png)
 
In this example, I am going to use the default of `10.0.0.0/16`, which will automatically create a subnet `10.0.0.0/24`.
 
## Step 3: Create a new server
 
The new server that will later become an IPFire firewall can only be installed with a default image. The default Ubuntu image or any other will do fine.
 
Any instance size will work fine with IPFire. You can later upgrade it, but you cannot downgrade your instance size.
 
Select the network that we have just created, so that this server will have a second network interface configured.
 
Finally, give your server a name and run it.
 
When the server is booting up, head to the "ISO Images" tab and mount the IPFire image:
 
![](./mount-iso.png)
 
Then head to the power tab and power cycle the server.
 
## Step 4: Installing IPFire
 
The server will now boot into the IPFire installer. Open the console to be able to run the installer.
 
![](./installer.png)
 
Run the installation process as usual: select your language, accept the license agreement, partition and format the hard disk, and extract the system to disk.
 
After that, the system will reboot and you will be greeted by the installation boot menu again. At this point, head back to the "ISO Images" tab and "unmount" the ISO image.
 
Then, power cycle the server again to boot into the freshly installed system.
 
## Step 5: Setting up IPFire
 
You will be greeted by the setup routine to select your keyboard layout and other things.
 
When you arrive at the network configuration, select GREEN + RED, and assign the network interfaces as shown. There is no way to figure out which MAC address belongs to which network, so you will have to try and potentially swap them again later.
 
![](./NIC selection.png)
 
### The GREEN Network Interface
 
Assign the IP address that you see in the "Networking" tab of your server for the internal network (in this example, it is 10.0.0.2). 10.0.0.1 will always be used as the default gateway which we will have to configure in a moment.
 
![](./GREEN IP assignment.png)
 
### The RED Network Interface
 
The RED interface can be configured automatically using DHCP.
 
![](./RED IP assignment.png)
 
### Enabling temporary Web UI Access
 
Since we do not have anything running on the GREEN network yet, we need to enable access to the Web UI over the Internet. This is done by opening port 444 temporarily:
 
![](./temporary web access.png)
 
Copy-Paste the rule from here: `iptables -A CUSTOMINPUT -p tcp --dport 444 -j ACCEPT`
 
This rule will disappear after a reboot, so please set up OpenVPN access or IP-restricted access to the web user interface at this point.
 
Log on to the web user interface by accessing `https://<your public IP address>:444`
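A check for the temporary rule above, as an added example that is not part of the IPFire wiki: it reads rules in `iptables -S CUSTOMINPUT` format, finds any that accept TCP port 444 from every source, and prints commands that add a source-restricted copy before deleting the open rule. The admin address `203.0.113.10` and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): audit CUSTOMINPUT for an
# unrestricted port-444 rule and print commands that replace it with a
# rule limited to one admin source address.
# Assumption: ADMIN_IP is a constructed documentation address (RFC 5737).
ADMIN_IP=${ADMIN_IP:-203.0.113.10}

# Constructed sample in the format printed by `iptables -S CUSTOMINPUT`.
SAMPLE_RULES='-N CUSTOMINPUT
-A CUSTOMINPUT -p tcp -m tcp --dport 444 -j ACCEPT
-A CUSTOMINPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 444 -j ACCEPT
-A CUSTOMINPUT -p tcp -m tcp --dport 22 -j DROP'

# Print every rule on stdin that accepts TCP/444 from any source.
# Scope: single-port --dport matches only (no multiport lists).
find_open_webui_rules() {
    while IFS= read -r rule; do
        case " $rule " in
            *" -p tcp"*" --dport 444 "*"-j ACCEPT "*) ;;
            *) continue ;;
        esac
        case " $rule " in
            *" -s "*) continue ;;   # already limited to a source address
        esac
        printf '%s\n' "$rule"
    done
}

# fix_commands ADMIN_IP: for each open rule on stdin, add the restricted
# copy first, then delete the open rule, so access is never interrupted.
fix_commands() {
    find_open_webui_rules | while IFS= read -r rule; do
        spec=${rule#-A CUSTOMINPUT }
        printf 'iptables -A CUSTOMINPUT -s %s %s\n' "$1" "$spec"
        printf 'iptables -D CUSTOMINPUT %s\n' "$spec"
    done
}

# On a live firewall: iptables -S CUSTOMINPUT | fix_commands "$ADMIN_IP"
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | fix_commands "$ADMIN_IP"
fi
```

The script only prints the `iptables` commands; review them before running them on the firewall.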
 
### Static Routes for GREEN
 
Since Hetzner is routing all traffic over the cloud infrastructure, it does not allow any access between the internal hosts on the network. All packets need to be sent to the lowest address in your subnet, which in this example is 10.0.0.1.
 
In order to reach hosts on the GREEN network from the IPFire system, you will have to create a static route on the web UI routing everything destined to the network that was created to this address.
 
![](./static routes for GREEN.png)
 
All hosts on the GREEN network should be configured with their respective addresses, a subnet mask of 255.255.255.255 and the default gateway being set to the gateway address (10.0.0.1).
 
To let the cloud know that we want all traffic to be sent to the firewall, we need to go back to the network settings and add a new route for `0.0.0.0/0` to the GREEN IP address of the firewall (10.0.0.2).
 
![](./default route in cloud infrastructure.png)
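The host-side configuration described above (address with a 255.255.255.255 mask, default gateway 10.0.0.1), as an added example using iproute2 that is not part of the IPFire wiki. The interface name `ens10` and the host address `10.0.0.3` are assumptions; the script prints the commands and only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): configure a GREEN host with a
# /32 address and a default route via the cloud gateway.
# Assumptions: interface name ens10 and host address 10.0.0.3 are
# placeholders; 10.0.0.1 is the gateway from the example on this page.

# Print each command; execute it only when APPLY=1 (needs root).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# configure_green_host ADDR GATEWAY DEV
configure_green_host() {
    addr=$1 gw=$2 dev=$3
    run ip link set "$dev" up
    # Netmask 255.255.255.255: no other host is treated as on-link.
    run ip addr add "$addr/32" dev "$dev"
    # With a /32 address the gateway is not on-link by itself, so it
    # needs an explicit link-scope route before it can be a next hop.
    run ip route add "$gw" dev "$dev" scope link
    run ip route add default via "$gw" dev "$dev"
}

if [ "${1:-}" = "demo" ]; then
    configure_green_host 10.0.0.3 10.0.0.1 ens10
fi
```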
 
# Done
 
This is all that needs to be done to get IPFire running on Hetzner Cloud.