diff --git a/pve1/01_uebersicht.md b/pve1/01_uebersicht.md index bb9550d..38c83f8 100644 --- a/pve1/01_uebersicht.md +++ b/pve1/01_uebersicht.md @@ -7,6 +7,18 @@ | pve1 | 192.168.10.5 | Primärer Proxmox-Host, Fallback-Router | | pve2 | 192.168.10.4 | Produktions-Proxmox-Host, aktiver Router | +## VMs / Container auf pve1 + +| VMID | Name | IP | Zweck | Status | +|------|------|----|-------|--------| +| 101 | ubuntu | 192.168.10.10 | Docker-Host (Nextcloud, Gitea, NPM, …) | running, onboot | +| 104 | opnsense-fallback | — | CARP-Backup OPNsense | stopped, onboot:0 | +| 105 | finance | 192.168.10.43 | IBKR TWS Trading-VM (Xvfb + noVNC) | running, onboot | + +Docs guests: [guests/](guests/) + +--- + ## Fallback-Router - **VMID:** 104 diff --git a/pve1/guests/vm105-finance/README.md b/pve1/guests/vm105-finance/README.md new file mode 100644 index 0000000..db44569 --- /dev/null +++ b/pve1/guests/vm105-finance/README.md 
@@ -0,0 +1,111 @@ +# VM 105 — finance (IBKR TWS Trading-VM) + +| | | +|---|---| +| **Proxmox** | pve1, VMID 105 | +| **IP** | 192.168.10.43 (DHCP) | +| **OS** | Ubuntu 25.10 (Questing Quokka) | +| **User** | `ubuntu` (sudo), SSH-Key: `/root/.ssh/finance_vm` | +| **VNC** | noVNC Browser: `http://:6080/vnc.html` | +| **TWS** | `/home/tws/Jts/` | +| **IBC** | `/home/tws/ibc/` | + +## Zweck + +Dedizierte VM für Interactive Brokers Trader Workstation (TWS). +Headless-Betrieb via **Xvfb** (virtueller Framebuffer 1920×1080) + **noVNC** im Browser. +IBC automatisiert den Login. + +## Stack + +``` +VM 105 finance (12 GB RAM, 4 vCPU, 32 GB Disk) + └── Xvfb :1 (1920×1080) + ├── Openbox (WM, kein Desktop) + ├── TigerVNC x0vncserver → Port 5900 + ├── noVNC + websockify → Port 6080 (Browser-Zugang) + └── TWS via IBC (automatischer Login, API Port 7497) +``` + +## Services + +| Service | Unit | Status | +|---------|------|--------| +| Xvfb | `xvfb.service` | autostart | +| Openbox | `openbox.service` | autostart | +| VNC | `vncserver.service` | autostart | +| noVNC | `novnc.service` | autostart | +| TWS+IBC | `tws-ibc.service` | autostart | + +```bash +# Status aller Services +systemctl status xvfb openbox vncserver novnc tws-ibc + +# noVNC im Browser +http://192.168.10.XX:6080/vnc.html + +# TWS API (local / aus dem LAN) +Host: 192.168.10.XX Port: 7497 +``` + +## Wichtige Pfade + +| Pfad | Inhalt | +|------|--------| +| `/home/tws/Jts/` | TWS Installation | +| `/home/tws/ibc/` | IBC Controller | +| `/home/tws/ibc/config.ini` | IBC Konfiguration (Login, Trading-Mode) | +| `/home/tws/.vnc/passwd` | VNC-Passwort | +| `/var/log/tws-ibc.log` | TWS/IBC Startlog | + +## Setup-Script + +Initiales Setup: [`setup-tws.sh`](setup-tws.sh) + +```bash +# Auf dem Proxmox-Host ausführen (nach erstem Boot der VM): +ssh -i /root/.ssh/finance_vm ubuntu@192.168.10.XX 'bash -s' < /root/docu/pve1/guests/vm105-finance/setup-tws.sh +``` + +## IBC Konfiguration + +> IBC (https://github.com/IbcAlpha/IBC) 
automatisiert TWS-Login und API-Aktivierung. +> Bei neuen TWS-Versionen ggf. `jvmOptions` in `config.ini` anpassen (--add-opens). + +```ini +# /home/tws/ibc/config.ini (Auszug) +IbLoginId=DEIN_USERNAME +IbPassword=DEIN_PASSWORT +TradingMode=live # oder: paper +ReadOnlyLogin=no +AcceptNonBrokerageAccountWarning=yes +``` + +## TWS API + +TWS muss API aktiviert haben (einmalig manuell in TWS-Einstellungen): +Edit → Global Configuration → API → Settings: +- [x] Enable ActiveX and Socket Clients +- Socket port: **7497** +- [x] Allow connections from localhost only *(deaktivieren falls remote)* + +## Netzwerk + +| | | +|---|---| +| Bridge | vmbr0 (VLAN 10, Management) | +| MAC | BC:24:11:CD:7F:9A | +| IP | 192.168.10.43 (DHCP) | + +## Ressourcen + +| | | +|---|---| +| RAM | 12 GB | +| CPU | 4 vCPU (host type) | +| Disk | 32 GB (thin, local-lvm) | + +## Erstellt + +2026-06-28 via Cloud-Image (ubuntu-25.10-cloudimg-amd64.img) +SSH-Key: `/root/.ssh/finance_vm` (pve1-root → tws-user) diff --git a/pve1/guests/vm105-finance/setup-tws-installer.sh b/pve1/guests/vm105-finance/setup-tws-installer.sh new file mode 100644 index 0000000..aa8f18b --- /dev/null +++ b/pve1/guests/vm105-finance/setup-tws-installer.sh 
@@ -0,0 +1,124 @@ +#!/usr/bin/env bash +# TWS + IBC Installation auf VM 105 finance +# Ausführen als tws-User oder ubuntu-User mit sudo +# Voraussetzung: setup-tws.sh wurde erfolgreich ausgeführt +set -euo pipefail + +TWS_USER=tws +TWS_HOME=/home/tws + +echo "=== TWS Installer herunterladen ===" +# IBKR bietet stable und latest an; stable bevorzugt für Produktion +TWS_URL="https://download2.interactivebrokers.com/installers/tws/stable-standalone/tws-stable-standalone-linux-x64.sh" +INSTALLER="$TWS_HOME/tws-installer.sh" + +sudo -u $TWS_USER wget -q --show-progress -O "$INSTALLER" "$TWS_URL" +sudo chmod +x "$INSTALLER" + +echo "=== TWS Installation starten (GUI via DISPLAY :1 / noVNC) ===" +echo "Öffne noVNC im Browser und klicke den Installer durch:" +echo " http://$(hostname -I | awk '{print $1}'):6080/vnc.html" +echo "" +echo "Installer wird jetzt gestartet..." +sudo -u $TWS_USER DISPLAY=:1 "$INSTALLER" & +echo "Installer PID: $!" +echo "" +echo "Nach der Installation bitte dieses Script weiter ausführen." +echo "Drücke Enter wenn TWS installiert wurde..." 
+read -r + +echo "=== IBC herunterladen ===" +IBC_DIR="$TWS_HOME/ibc" +sudo -u $TWS_USER mkdir -p "$IBC_DIR" + +# Aktuelle Version von GitHub ermitteln +IBC_LATEST=$(curl -s https://api.github.com/repos/IbcAlpha/IBC/releases/latest | grep '"tag_name"' | cut -d'"' -f4) +echo "IBC Version: $IBC_LATEST" + +IBC_URL="https://github.com/IbcAlpha/IBC/releases/download/${IBC_LATEST}/IBCLinux-${IBC_LATEST}.zip" +sudo -u $TWS_USER wget -q --show-progress -O "$IBC_DIR/ibc.zip" "$IBC_URL" +sudo -u $TWS_USER unzip -q -o "$IBC_DIR/ibc.zip" -d "$IBC_DIR/" +sudo chmod +x "$IBC_DIR"/*.sh "$IBC_DIR/scripts"/*.sh 2>/dev/null || true + +echo "=== IBC Konfiguration erstellen ===" +# TWS-Pfad ermitteln (Standard-Installpfad) +TWS_PATH=$(find "$TWS_HOME" -name "jts.ini" 2>/dev/null | head -1 | xargs dirname 2>/dev/null || echo "$TWS_HOME/Jts") + +sudo -u $TWS_USER tee "$IBC_DIR/config.ini" > /dev/null </dev/null | head -1) +if [ -z "$IBC_SCRIPT" ]; then + echo "WARNUNG: IBC Start-Script nicht gefunden, manuell prüfen in $IBC_DIR" +else + echo "IBC Start-Script: $IBC_SCRIPT" +fi + +echo "=== tws-ibc Systemd-Service erstellen ===" +sudo tee /etc/systemd/system/tws-ibc.service > /dev/null </dev/null; then + sudo useradd -m -s /bin/bash tws +fi +sudo mkdir -p /home/tws/.vnc /home/tws/.config/openbox +sudo chown -R tws:tws /home/tws + +echo "=== [4/6] VNC-Passwort setzen (automatisch) ===" +echo "$VNC_PASS" | sudo -u tws vncpasswd -f | sudo -u tws tee /home/tws/.vnc/passwd > /dev/null +sudo chmod 600 /home/tws/.vnc/passwd +sudo chown tws:tws /home/tws/.vnc/passwd + +echo "=== [5/6] Systemd-Services erstellen ===" + +sudo tee /etc/systemd/system/xvfb.service > /dev/null <<'EOF' +[Unit] +Description=Virtual Framebuffer 1920x1080 +After=network.target + +[Service] +User=tws +ExecStart=/usr/bin/Xvfb :1 -screen 0 1920x1080x24 -ac -nolisten tcp +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target +EOF + +sudo tee /etc/systemd/system/openbox.service > /dev/null <<'EOF' +[Unit] 
+Description=Openbox Window Manager on DISPLAY :1 +After=xvfb.service +Requires=xvfb.service + +[Service] +User=tws +Environment=DISPLAY=:1 +Environment=HOME=/home/tws +ExecStart=/usr/bin/openbox-session +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target +EOF + +sudo tee /etc/systemd/system/vncserver.service > /dev/null <<'EOF' +[Unit] +Description=TigerVNC x0vncserver on DISPLAY :1 +After=xvfb.service +Requires=xvfb.service + +[Service] +User=tws +Environment=DISPLAY=:1 +ExecStart=/usr/bin/x0vncserver -display :1 -rfbport 5900 -SecurityTypes VncAuth -PasswordFile /home/tws/.vnc/passwd +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target +EOF + +sudo tee /etc/systemd/system/novnc.service > /dev/null <<'EOF' +[Unit] +Description=noVNC Websocket Proxy +After=vncserver.service +Requires=vncserver.service + +[Service] +User=tws +ExecStart=/usr/share/novnc/utils/novnc_proxy --vnc localhost:5900 --listen 0.0.0.0:6080 +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target +EOF + +# Openbox autostart (leer) +sudo -u tws tee /home/tws/.config/openbox/autostart > /dev/null <<'EOF' +# TWS wird via tws-ibc.service gestartet +EOF + +echo "=== [6/6] Services aktivieren ===" +sudo systemctl daemon-reload +sudo systemctl enable --now xvfb openbox vncserver novnc + +# Kurz warten damit Services hochfahren +sleep 3 +sudo systemctl is-active xvfb vncserver novnc || true + +VM_IP=$(hostname -I | awk '{print $1}') + +echo "" +echo "========================================" +echo " Basis-Stack erfolgreich eingerichtet" +echo "========================================" +echo "" +echo " noVNC Browser: http://${VM_IP}:6080/vnc.html" +echo " VNC Passwort: ${VNC_PASS}" +echo " VNC Port: 5900" +echo "" +echo " BITTE NOTIEREN: VNC-Passwort wird nicht erneut angezeigt" +echo " Ändern mit: sudo -u tws vncpasswd /home/tws/.vnc/passwd" +echo "" +echo "Nächster Schritt: TWS + IBC installieren:" +echo " ssh -i /root/.ssh/finance_vm ubuntu@${VM_IP} 
'bash -s' < setup-tws-installer.sh" +echo ""
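Review bot: in the new "VMs / Container auf pve1" table in pve1/01_uebersicht.md, VM 105 is listed with 192.168.10.43 as if the address were fixed, while the README added in the same patch marks that address "(DHCP)". Mark it as a DHCP lease here as well, or document a reservation for the MAC given in the README (BC:24:11:CD:7F:9A). Otherwise the overview goes stale without anyone noticing the first time the lease changes.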
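Review bot: the "IBC Konfiguration" and "TWS API" sections of pve1/guests/vm105-finance/README.md describe a brokerage login kept in clear text (`IbPassword=DEIN_PASSWORT`, `TradingMode=live`, `ReadOnlyLogin=no`) and an API on port 7497 reachable "aus dem LAN", but document no protection for either. Please add the expected owner and mode of `/home/tws/ibc/config.ini` to the "Wichtige Pfade" table (owner tws, mode 600, matching what the setup does for `/home/tws/.vnc/passwd`). In the TWS API section, recommend keeping "Allow connections from localhost only" enabled and reaching 7497 through an SSH forward with the already documented key, instead of suggesting to disable it for remote use. The network table also places this VM on vmbr0 in VLAN 10 (Management); say whether that is intended for a trading guest. Smaller consistency points: the VNC row reads `http://:6080/vnc.html` with no host, the Services and Setup-Script snippets use `192.168.10.XX` although the IP is given as 192.168.10.43, the SSH key is described as "pve1-root → tws-user" while the User row names `ubuntu`, and the bash block under Services mixes a URL and `Host: ... Port: 7497` in with commands.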
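Review bot: in pve1/guests/vm105-finance/setup-tws-installer.sh, the TWS installer is fetched with `wget -O "$INSTALLER" "$TWS_URL"` and then executed, and the IBC archive is resolved from `releases/latest` and unpacked, with no checksum or signature check on either download. For a VM that holds live trading credentials, pin the IBC version in a variable instead of querying `latest`, record the expected SHA-256 of both files next to the URLs, and abort when `sha256sum -c` fails. Second point, at `read -r`: the invocation printed at the end of the base setup is `'bash -s' < setup-tws-installer.sh`, which feeds this script on stdin, so `read -r` consumes the next script line instead of waiting for Enter. The IBC download and the `find "$TWS_HOME" -name "jts.ini"` lookup then run while the installer is still open and `TWS_PATH` falls back to the default. Run the installer in the foreground instead of `&` plus `read -r`, or copy the script to the VM and start it from an interactive shell. Also add `-f` to `curl -s` and check that `IBC_LATEST` is non-empty with an explicit error message. As written, under `set -euo pipefail` a failed API call ends the script without saying why.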
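Review bot: in the unit files written by the base setup at the end of the patch, `vncserver.service` starts `x0vncserver -display :1 -rfbport 5900 -SecurityTypes VncAuth` without `-localhost`, and `novnc.service` uses `--listen 0.0.0.0:6080` with no certificate. The desktop on which IBC logs in to the brokerage account is therefore reachable from the whole VLAN on two ports, over unencrypted HTTP/WebSocket, behind only a VNC password. Since noVNC connects to `localhost:5900` anyway, add `-localhost` to x0vncserver, and either bind novnc_proxy to 127.0.0.1 and reach it through an SSH forward, or give it `--cert`/`--key` with `--ssl-only`. In `xvfb.service`, `-ac` turns off X access control, so any local account can attach to display :1. Drop it and use an Xauthority file for the tws user. In the closing summary, `echo " VNC Passwort: ${VNC_PASS}"` writes the secret into the SSH session output and any log capturing it. Print the path `/home/tws/.vnc/passwd` and the `vncpasswd` hint instead. Finally, `sudo systemctl is-active xvfb vncserver novnc || true` discards the result and the script prints "Basis-Stack erfolgreich eingerichtet" regardless, and openbox is not checked at all. Fail the script, or at least print a warning, when any of the four units is not active.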