Snaky For my setting, originally I set up proxmox cluster by using public ip address, and everything like proxmox port and ssh port are going thru public ip.
I have secured everything under ssh (like sftp and sshfs), enhanced firewall, enable fail2ban, but it looks still insecure.
I then setup a wireguard, and linked all my nodes together by wireguard. I edited corosync, pointing all my node to wg interface ip, corosync looks going thru wg ip, but I still found some ssh traffic between public ip.
I now just change the hosts file on all nodes, commented the public ip with hostname, and added wg ip with all nodes, and do the same to all nodes hosts file. Then restart all the servers. Now all the traffic including pve port, corosync, ssh are in wg interface now.
Refer only, I didn’t follow this link.
https://techbits.io/change-proxmox-ip/
Refer, this link is useful, I just found it recently.
https://gist.github.com/matissime/ee7b5d1e937e751a97b0013caab24915
