I’m slowly working my way through deploying Pangolin on a VPS to securely expose some services publicly. I came to wonder a bit about how to approach this VPS security-wise. My homelab runs as a Nomad/Consul/Vault cluster, and it would have been nice to have the VPS as a client node as well, allowing me to spin up and manage the Pangolin components with Nomad jobs. However this means that the VPS would need connectivity to the cluster, essentially a Wireguard connection back to my LAN, this got me thinking.
Should I just forego the entire cluster client idea here and instead see the Pangolin VPS as a completely isolated thing, or is there some secure way to tighten down the connection to my local network with Wireguard? I could for instance restrict the AllowedIPs for the VPS to only be able to reach some specific host for the clustering.
Anyone done anything similar and care to share?
A layered defense is always best. Nothing is 100%, but knowing your threat model will help define how far you have to go and how many layers you want in the way. Defending against State level actors looks different than swatting the constant low effort bot traffic. You’re right, if a bad actor gets root on your machine, all security is forfeit. The goal is to minimize that possibility by keeping applications and packages updated and only allowing necessary connections to the machine. You mentioned wireguard or tail scale. Set that up first. Then set up the host firewall to only allow outbound traffic onto the VPN to the required ports and endpoints on the LAN. If the VPS isn’t hosting any public facing services, disable all traffic except the VPN connection from and to the public Internet both on the cloud provider’s firewall and the host firewall. If it is hosting publicly accessible services then use tools like fail2ban and crowdsec to identify and block problem IPs.
Yeah I think were on the same track, what I can think of is to do this;