Multiverse Secure Lab(MSL) Setup for Proxmox by Zelogx™
Zelogx™ Multi-Project Secure Lab Setup is an open-source provisioning toolkit for building secure, L2 isolated development environments on proxmox utilizing Proxmox SDN, Firewall(Security group) and Pritunl.
© 2025 Zelogx. Zelogx™ and the Zelogx logo are trademarks of the Zelogx Project. All other marks are property of their respective owners.
1. Overview
This project builds completely isolated development environments per project by Layer 2 level, accessible securely via VPN. It's a blueprint for low-cost distributed development, offshore projects, or private team labs.
This page is the full README for MSL Setup Pro.
If you just want to start quickly, jump to 2. Quickstart.
1.1. What You Get (Engineer's Perspective)
On a single Proxmox VE node:
- Per-project, fully isolated network segments with VPN-secured access for remote teammates.
- Expose each project's environment to your team without risking the main LAN.
- Secure design --- no packets other than VPN tunnels traverse and DNS inquiry into your corporate or home LAN.
- Automated client provisioning: user registration, certificate generation, and VPN management via Pritunl GUI.
- GUI-based server control (start/stop per project VPN).
- No VLAN-capable switches required.
1.2. What You Get (Manager's Perspective)
- Grant access only to what each partner/freelancer needs, preventing cross-project leaks by design.
- Build a private development cloud for small/mid-size software firms or startups.
- Safer, faster, and cheaper than giving developers full cloud freedom.
- Entirely open-source --- all you need is one small server (even a NUC) and ~¥1,000/month for electricity.
- No vendor lock-in, no subscription required.
Equivalent commercial setups cost millions of yen with maintenance contracts. This achieves the same goal for (almost) zero cost.
1.3. Reference: Commercial Alternatives
| Vendors / Product | Strength | Weakness / Gaps You Can Fill |
|---|---|---|
| Palo Alto Networks "Prisma Access" | Enterprise-grade SASE / ZTNA coverage | Overkill for small on-prem or hybrid labs |
| Zscaler "Zero Trust Exchange" | Global edge presence, strong remote-user security | Needs customization for on-prem virtualized networks |
| Check Point + Perimeter81 | Integrated Zero-Trust WAN | Complex setup, high cost for small deployments |
| StrongDM | Access management (SSH / RDP / DB) | Does not handle virtual-network segmentation or VPN-based multi-tenancy |
| JumpCloud | Wide SaaS IAM coverage | Limited to identity layer, not virtual network control |
1.4. Licensing
Pritunl
Free to use, with optional paid features for enterprise management. A single enterprise license covers all servers in the cluster.
→ Pritunl
Proxmox VE
The core Proxmox VE (PVE) software is open source and licensed under the GNU Affero General Public License v3 (AGPL v3). According to the official Proxmox stance, no "license fee" is charged — meaning there is no cost required to use the software itself. However, paid subscriptions (support contracts) are offered separately.
1.5. Target Audience
- "We already let our developers freely spin up AWS instances to build a fast, distributed development environment. Security? Well… when someone asks that, management and executives of small software houses just glance at the person in charge for help."
- "I have my own development/lab environment at home, so I aggressively spin up VMs and develop there. Other team members? I assume they're each figuring things out on their own?"
- "These days I use WSL and run Linux VMs on my Windows PC. Security if I lose my PC? BitLocker keeps it safe… or so they say. Everyone develops in totally different environments. Integration testing takes forever (lol)."
- "Even in large enterprises, right. Servers are in the server room with strict access control. Basically, no personal data exists in the development environment. NDAs with each employee? Yes, we enforce those. And of course you can only log in through VDI. But the root password for all VMs is the same. And because they're all on the same segment… theoretically, if someone wanted to log in to other VMs? They could, haha."
1.6. Why This Matters
1.6.1. Typical Problems in Cloud Dev Environments
Typical "Pain Points" When Development Environments Live in the Public Cloud:
- Still assigning a public IP directly to the VM and SSHing straight into it
- Because it has a public IP, your untested web application server is actually exposed to the entire Internet
- Development environments across projects are visible to each other
- Spinning up a flood of instances without considering the blast radius
- Network bandwidth dying because of large data transfers
- Approval → Estimation → Approval → Provisioning… What is "development speed" again?
- "Just for testing" instances … left running for six months
- Falling asleep waiting for builds on a weak CPU instance
Result: High cost, low visibility, accidental exposure. Even with best intentions, teams lack the "systemic guardrails" that prevent human error.
1.7. Cost Efficiency Example
Let's compare AWS EC2 c5d.large (2 vCPUs) with a 2-vCPU VM running on an Intel NUC. The machine used in this project: Intel NUC Pro, Core i7-1360P (12 cores / 16 threads, up to 5.0 GHz).
| Item | AWS EC2 (c5d.large) | 2-vCPU VM on NUC |
|---|---|---|
| Assigned vCPUs | 2 vCPUs | 2 vCPUs |
| Physical CPU | Xeon Platinum 8124M | Core i7-1360P |
| Physical CPU specs | 18C/36T / max 3.5 GHz | 12C/16T / max 5.0 GHz |
| RAM | 4 GB | Custom / as needed |
| Cost | $89/month (~¥13,000) | ~¥200/month electricity (for 2 vCPUs) |
| Storage | EBS (billed separately) | Local NVMe (high-speed, low-latency) |
| Network charges | Charged after 100 GB | None (local LAN) |
| Performance (2-vCPU eq.) | Baseline | ~3.3–3.5× faster in benchmarks |
Benchmarks show ~3.3x higher performance per vCPU compared to EC2.
1.8. Risks & Mitigations
| Risk | Mitigation |
|---|---|
| Hardware failure | Use a secondary node with Proxmox Backup Server |
| Power outage | UPS or planned manual shutdown |
| Overheating | NUCs are rated for 35 °C continuous operation |
| Data loss | Backup to S3-compatible storage |
| Physical access | Keep servers in restricted rooms or home labs |
2. Quickstart
All open-source components --- reproducible setup from scratch.
2.1. Requirements
- One Proxmox VE 9.0+ host
- Internet router (for port forwarding VPN traffic)
- Static IP (for Pritunl)
- Optional: Cloudflare tunnel for GUI access
Required packages (auto-installed by setup scripts):
ipcalc- Network address calculation utilityjq- JSON processing toolzip- Archive extraction utilitywgetorcurl- Cloud-init image downloadsha256sum- Image integrity verification
2.2. Network Design Considerations
You will need to provide the following network addresses, which must be configured appropriately.
a. MainLan (existing vmbr0): (e.g., 192.168.77.0/24 GW: .254)
The network address of your company or home lab's main LAN. This LAN is likely connected to smart speakers, TVs, game consoles, employees' or family members' PCs and smartphones, as well as lab-related VMs.
b. Proxmox PVE's mainlan IP: (e.g., 192.168.77.7)
This becomes the destination IP when adding a static route to the Internet router. (Auto-detected, for display)
c. vpndmzvn (new): (e.g., 192.168.80.0/24 GW: 192.168.80.1)
Route used by VPN clients to access development project subnets. Requires at least a /30 network.
d. Client-distributed IPs: (e.g., 192.168.81.0/24)
Separated for wg and ovpn. Further divided into /28 based on the "number of isolated development segments to be created."
e. Number of isolated development segments (number of projects) to create: (e.g., 8)
Minimum is 2, and must be a power of two: 2, 4, 8, 16, etc.
f. Network address assigned to each project (vnetpjxx) (new): (e.g., 172.16.16.0/20)
Network segment for each project. This IP range is divided according to the "number of isolated development segments to be created."
g. Pritunl mainlan-side IP: (e.g., 192.168.77.10)
This becomes the forwarding destination IP when adding port-forwarding rules on the Internet router.
h. Pritunl vpndmzvn-side IP: (e.g., 192.168.80.2)
Subnet used by Pritunl clients when they exit toward each project's subnet.
i. UDP ports:
Number of isolated development segments (projects) × 2 = (16)
2.3. Installation (Proxmox VE 9.0)
apt update -y
apt install -y git ipcalc jq zip
# Place the downloaded zip file on the server using scp or similar.
unzip msl-setup-pro.zip
cd proxmox-msl-setup
# Phase 1: Network Setup
./01_networkSetup.sh en # Language: en|jp (default en)
# Phase 2: VPN Setup
./02_vpnSetup.sh en # Language: en|jp (default en)
# (Optional) Uninstall
./99_uninstall.sh en # Language: en|jp (default en)3. Known Issues
- Network diagram theme behavior: The color scheme of SVG-based network diagrams does not follow the Proxmox GUI theme (Light/Dark). Instead, it respects the OS / browser
prefers-color-schemesetting.
4. Why This Design Still Matters
Public clouds deliver global scale and strong SLAs — no argument there. But when the goal is controlled, secure, and cost-efficient team development, a well-designed on-prem environment still has a place.
This architecture proves that small software teams, SaaS startups, and serious home-lab engineers can build isolated, compliant, production-grade development labs without burning money or giving up autonomy.
Security, performance, and independence don't have to be trade-offs. They can coexist — by design.