I’m slowly working my way through deploying Pangolin on a VPS to securely expose some services publicly. I came to wonder a bit about how to approach this VPS security-wise. My homelab runs as a Nomad/Consul/Vault cluster, and it would have been nice to have the VPS as a client node as well, allowing me to spin up and manage the Pangolin components with Nomad jobs. However this means that the VPS would need connectivity to the cluster, essentially a Wireguard connection back to my LAN, this got me thinking.

Should I just forego the entire cluster client idea here and instead see the Pangolin VPS as a completely isolated thing, or is there some secure way to tighten down the connection to my local network with Wireguard? I could for instance restrict the AllowedIPs for the VPS to only be able to reach some specific host for the clustering.

Anyone done anything similar and care to share?