IPFire protecting private network on Hetzner Cloud

I have successfully installed ipfire on a cloud server at Hetzner. The installation procedure is explained here: https://wiki.ipfire.org/installation/hetzner-cloud

I have configured the green network of ipfire with DHCP as follows:
Start address:
End address:
Primary DNS: → this is the same IP as the web interface of ipfire, is this correct?

Using the web interface of Hetzner I have configured a private network with IP range

This private network is attached to the ipfire cloud server. Then I have created another Linux cloud server (running Ubuntu) and attached the same private network to it. Via Hetzner's web interface I can see that it got as IP address.

However, there’s no connection between ipfire and the Ubuntu server. Usually, when I ran ipfire on hardware at home, I just plugged in my clients via a switch to the Ethernet port of the internal green network. Here, in the case of the cloud config, things seem to be different - the IP address of the Ubuntu cloud server seems to be created by Hetzner, not by ipfire. Am I missing DNS entries, routing entries? Any idea?


The Ubuntu server has a public IP (default gw) as well as the internal network IP on separate interfaces. Hetzner supplies the internal IPs 10.0.0.x and is managed through their Cloud Console with gateway (no need for IPFire DHCP server).

A) On the IPFire box, add a route (to get back to internal subnet) Gateway

B) In the Hetzner Cloud Console under Networks, override the default route for the internal network to go to the IPFire Green IP Destination Gateway

C) The default config allows the Ubuntu server to get directly to the internet via public IP interface without going through the IPFire box (on the internal network). In the Hetzner Console, check if that is the case on the Ubuntu box (gw should not be the public IP):

route -n

You can change the default gateway on the Ubuntu server to use the internal network and route via IPFire (B) above.

sudo ip route del default
sudo ip route add default via dev ens10

route -n

The settings on Ubuntu get reset (via Hetzner DHCP server) on reboot, so you will need to script or hardcode them. The public facing interface on the Ubuntu server can be disabled.


1 Like

Hi Paul,

thank you very much for the detailed instructions on how to configure my Ubuntu server in the internal network behind ipfire.

I have followed all steps that you describe successfully 🙂. After adding the default route with

sudo ip route add default via dev ens10

I obtain an additional entry
root@ubuntu-2gb-nbg1-1:~# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 ens10

So after establishing a connection to ipfire via OpenVPN as described in the installation tutorial I was able to connect from my desktop machine to the Ubuntu server via ssh:

ssh -i keyfile root@

However, I have two more questions:

  1. How can I check if the DNS entries of the Ubuntu server are correct? To my understanding the domain name resolution of the Ubuntu server should come from ipfire but I am not even sure where/how to configure DNS in ipfire? I would like to use Cloudflare DNS entries in ipfire and these should also be used by the Ubuntu server.
  2. I wonder why there are additional entries including the interface eth0 in the routing table? That is:
root@ubuntu-2gb-nbg1-1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 ens10
                                                UG    0      0        0 ens10
                                                UH    0      0        0 ens10
169.254.XXX.YYY 172.ZZ.X.X UGH   100    0        0 eth0
172.ZZ.X.X UH    100    0        0 eth0

During configuration of the server by use of the Hetzner Cloud Console I have disabled IPv4 and IPv6 but there seem to still be public IPs connected to the Ubuntu server?

Cheers, Holger

Hi Holger,

  1. The IPFire DNS Server settings are configured under Network → Domain Name System.
    The stock Ubuntu server will use a local resolver for DNS.
    You can check by typing dig It will show
    An easy way to point the Ubuntu server at the IPFire DNS resolver is to hardcode the Green IP in Ubuntu’s /etc/resolv.conf
    First, rename the link (which points to the dynamically created file /run/resolvconf/resolv.conf) and create a new file (on Ubuntu):
    sudo mv /etc/resolv.conf /etc/resolv1.conf (later you can rename the file back if you want the default dynamic settings)
    sudo vi /etc/resolv.conf
    insert a line with the IP of the IPFire Green interface
    Running dig again should show as the (IPFire) DNS SERVER replying to the query and it will be visible in the IPFire UI → Status → Connections

  2. The interface and routing are created automatically for the Ubuntu virtual machine by Hetzner. You can disable the unused public interface by sudo ifconfig eth0 down
    I would also set up a ufw firewall ruleset to block all traffic on 172.ZZ.X.X and only allow specific traffic you want on 10.0.0.x.


1 Like
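
The two checks discussed in the replies above (the default route must leave via the internal interface, and the resolver must be the IPFire Green IP) can be scripted so a reboot that resets them is noticed. This is an added example, not code from the thread; ens10 and eth0 come from the posts, while every IP address and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Interface names are from the thread; every IP is constructed.

# Print the device of each default route found in `ip -4 route show` text.
default_route_devs() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Succeed only if at least one default route exists and all use device $2.
egress_ok() {
    devs=$(default_route_devs "$1")
    [ -n "$devs" ] || return 1
    for d in $devs; do
        [ "$d" = "$2" ] || return 1
    done
    return 0
}

# Succeed only if resolv.conf text $1 lists nameservers and all equal $2.
dns_ok() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')
    [ -n "$ns" ] || return 1
    for n in $ns; do
        [ "$n" = "$2" ] || return 1
    done
    return 0
}

# Check the live host: audit_live <internal-dev> <green-ip>
audit_live() {
    egress_ok "$(ip -4 route show)" "$1" || { echo "FAIL: default route not only via $1"; return 1; }
    dns_ok "$(cat /etc/resolv.conf)" "$2" || { echo "FAIL: resolver is not $2"; return 1; }
    echo "OK: egress and DNS go through the firewall"
}

# Constructed samples (192.0.2.1 and the 10.0.0.x values are placeholders).
BEFORE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.0.0.0/16 via 10.0.0.1 dev ens10'
AFTER_ROUTES='default via 10.0.0.1 dev ens10
10.0.0.0/16 via 10.0.0.1 dev ens10'
# Failure mode: a new default route added without deleting the old one.
MIXED_ROUTES="default via 192.0.2.1 dev eth0 proto dhcp metric 100
$AFTER_ROUTES"
STUB_RESOLV='nameserver 127.0.0.53'
FIXED_RESOLV='nameserver 10.0.0.2'
```

On the server itself, `audit_live ens10 <Green IP>` runs both checks against the live routing table and /etc/resolv.conf.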

Hi Paul,

thank you very much for your explanations! This solves my networking problems and the Ubuntu server is now part of my internal network behind ipfire.

Actually, I have used netplan for the networking definitions in Ubuntu and modified the file /etc/netplan/50-cloud-init.yaml; it now looks like this (check indentation of yaml file):

    version: 2
          dhcp4: no
          addresses: []
            - to: default
              addresses: [,]

I have applied these settings with
netplan try