I’m slowly working my way through deploying Pangolin on a VPS to securely expose some services publicly. I came to wonder a bit about how to approach this VPS security-wise. My homelab runs as a Nomad/Consul/Vault cluster, and it would have been nice to have the VPS as a client node as well, allowing me to spin up and manage the Pangolin components with Nomad jobs. However, this means that the VPS would need connectivity to the cluster, essentially a Wireguard connection back to my LAN, which got me thinking.

Should I just forego the entire cluster client idea here and instead see the Pangolin VPS as a completely isolated thing, or is there some secure way to tighten down the connection to my local network with Wireguard? I could for instance restrict the AllowedIPs for the VPS to only be able to reach some specific host for the clustering.

Anyone done anything similar and care to share?

  • alto@lemmy.ml (OP) · 2 hours ago

    Yeah I think we're on the same track, what I can think of is to do this:

    • Set up firewall rules on my LAN router (which hosts the Wireguard server), restricting access to the Wireguard client coming in from the VPS.
    • Set up firewall rules on the cloud provider to restrict access to anything but my public IP where the Wireguard server is hosted.
    • Do the same in the VPS host internal firewall.
    • Configure the Wireguard server and client config to only allow access to the IPs relevant for the clustering.
    • Set up CrowdSec as part of Pangolin, it’s an integrated feature
    • Move the Newt + service containers exposed via Pangolin to their own isolated VLAN in order to further harden the environment around them
    • Configure Nomad and Consul tokens to only allow the VPS to register the Pangolin services and nothing else
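
An added example (not from this thread) for the AllowedIPs and router-firewall steps above: it lints the VPS-side Wireguard config so its AllowedIPs cannot reach beyond the cluster hosts it registers with, and emits the matching nftables rules for the LAN router, since AllowedIPs on the VPS is only routing on the box being exposed and the router has to enforce the same set. All addresses, keys and the hostname are constructed placeholders.

```python
import ipaddress
import re
from typing import List

# Constructed VPS-side wg0.conf: keys are placeholders, addresses are made up.
VPS_CONF = """\
[Interface]
Address = 10.100.0.2/32
PrivateKey = <vps-private-key-placeholder>

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = home.example.net:51820
AllowedIPs = 192.168.1.10/32, 192.168.1.11/32
PersistentKeepalive = 25
"""

# The only LAN hosts the VPS should ever reach (constructed): the Nomad/Consul servers.
CLUSTER_HOSTS = ["192.168.1.10/32", "192.168.1.11/32"]

def allowed_ips(conf: str) -> list:
    """Collect every AllowedIPs entry from all [Peer] sections of a wg config."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            nets += [ipaddress.ip_network(p.strip()) for p in m.group(1).split(",")]
    return nets

def excess_routes(conf: str, permitted: List[str]) -> List[str]:
    """AllowedIPs entries that reach beyond the permitted cluster hosts (empty is good)."""
    allowed = [ipaddress.ip_network(p) for p in permitted]
    return [str(n) for n in allowed_ips(conf)
            if not any(n.version == a.version and n.subnet_of(a) for a in allowed)]

def router_rules(vps_tunnel_ip: str, permitted: List[str], ports: str) -> List[str]:
    """nftables forward-chain rules for the LAN router, which actually enforces the limit:
    the VPS can change its own AllowedIPs, so its config alone proves nothing."""
    rules = [f'iifname "wg0" ip saddr {vps_tunnel_ip} ip daddr {h.split("/")[0]} '
             f'tcp dport {{ {ports} }} accept' for h in permitted]
    rules.append(f'iifname "wg0" ip saddr {vps_tunnel_ip} drop')
    return rules

if __name__ == "__main__":
    print("excess routes:", excess_routes(VPS_CONF, CLUSTER_HOSTS))
    # Nomad/Consul default TCP ports (HTTP/RPC/serf); serf gossip also uses UDP, left out here.
    for r in router_rules("10.100.0.2", CLUSTER_HOSTS, "4646, 4647, 4648, 8300, 8301, 8500"):
        print(r)
```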