eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9691 Location: almost Mile High in the USA
Posted: Wed Mar 01, 2023 9:02 pm Post subject:
- no-ip and other dynamic dns is unacceptable for smtp. I tried it, I get rejected.
- I want to minimize "trust" of anything I don't own, even if I pay to rent it. I don't trust my ISP but I can block packets that appear to come from within. I won't trust the VPS because I don't fully control the VPS/colo, so it needs to be outside my LAN and hence this extra layer of routing complexity. Because of the lack of trust I want to minimize the amount of data on the VPS/colo, hence the VPN from my LAN to the VPS/colo is a very tempting solution.
- I will most likely NOT use the VPN to the colo/vps for day to day packets though I could. The VPN is only used for incoming IP requests from my static IP allocation to access my home located SMTPd and HTTPd servers along with anything else I may want to have publicly available with predefined IP address.
- I suppose I can keep using my existing VPN endpoint by port forwarding to it, but it doesn't make sense to go from (remote site) (vpn2) (vps) (vpn) (home) (vpn) (vps) (rest of the world).
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
pingtoo l33t
Joined: 10 Sep 2021 Posts: 932 Location: Richmond Hill, Canada
Posted: Wed Mar 01, 2023 9:42 pm Post subject:
Most VPN solutions I know have a concept of "Site-to-Site". In such a setup you can think of the VPS site as the Internet, and your home-network site will be set up as if it is facing the Internet; you secure it as if your ISP provided a static IP at your home-network end point.
One key security step is to make sure your VPS is always the receiving end of the tunnel connection. This way you always have control of when to establish the connection. When threats are detected you can always disconnect (kind of like unplugging the virtual wire).
If possible make your VPS run read-only. Use a pre-configured image, mount the file system read-only and lock down any network login. Only allow the VPS provider's supported console login. This way your VPS node is as dumb and as secure as it can be. And the bonus: it becomes portable, in that you can migrate your pre-configured/pre-set image anywhere.
This conversation is piquing my curiosity; I wonder if I am able to set up a wireguard site-to-site connection using openwrt as I described. My guesstimate is it will take me a month to research and set up.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9691 Location: almost Mile High in the USA
Posted: Wed Mar 01, 2023 10:30 pm Post subject:
I'm sure you can. I'm pretty sure pfsense can do it too; alas, I've not decided on a solution yet.
I have been using OpenVPN as my remote site privacy shield, so I've had some familiarity with it and will likely use it once more to tunnel from my home site to the VPS/colo.
The thing I'm sort of saddened about is that I would have to have both ISPs paid for while I try to set up the new one. Not only that, I suspect I will need to start paying for the VPS/colo as well during that time, as the two go hand in hand with the solution.
The last thing I wish for the new vps/colo is that they do forward DNS service as well as reverse DNS, and maybe take yet another ISP I have to deal with (DNS, VPS/Colo, home network ISP)... So complicated to host your own internet services at home....
szatox Advocate
Joined: 27 Aug 2013 Posts: 3150
Posted: Wed Mar 01, 2023 10:58 pm Post subject:
Quote: "I wonder if I am able to setup a wireguard site-to-site connection using openwrt as I described. my guesstimate it will take me a month to research and setup."
You can set the peer IP with mask /0 to bridge 2 networks.
Obviously, this setup is limited to point2point (you can't have more than 1 peer on a single wg interface) and you must disable adding routes by wireguard in favor of doing it yourself.
If you want to connect more sites, you need to set up more wg devices.
Quote: "The last thing I wish for the new vps/colo is that they do forward dns service as well as reverse DNS"
How about hosting your forward DNS on that VPS? It's not particularly sensitive information.
Also, I think all domain registrars host forward DNS for their domains if you wish to use it (I don't). Server providers host reverse DNS themselves, and there is really no good reason to host it yourself.
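A sketch of the layout pingtoo describes (the VPS as the passive, listening end of the tunnel) combined with szatox's approach of a /0 peer with WireGuard's own route handling turned off, as an added example and not anyone's posted configuration. It assumes wg-quick with iptables on Linux, WireGuard running on the home mail/web server itself, a 10.200.0.0/30 tunnel, 203.0.113.10 as the VPS static address and eth0 as the VPS uplink; every key and address is a placeholder.

```ini
# ---- VPS: /etc/wireguard/wg0.conf (listener only; it never dials out) ----
[Interface]
Address    = 10.200.0.1/30
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>        ; placeholder
Table      = off                      ; no automatic routes; the /30 connected route is enough here
PostUp   = sysctl -q -w net.ipv4.ip_forward=1
; Publish the home server on the static IP by DNATing the service ports into the tunnel
PostUp   = iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.10 -p tcp -m multiport --dports 25,80,443 -j DNAT --to-destination 10.200.0.2
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -d 10.200.0.2 -p tcp -m multiport --dports 25,80,443 -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp   = iptables -P FORWARD DROP   ; single-purpose box: nothing else is forwarded
PostDown = iptables -t nat -F PREROUTING; iptables -F FORWARD; iptables -P FORWARD ACCEPT

[Peer]
PublicKey  = <HOME_PUBLIC_KEY>
AllowedIPs = 10.200.0.2/32            ; only the home end's tunnel address may appear as a source
; No Endpoint and no keepalive here: the home side always initiates, so the VPS cannot
; reach into the LAN on its own, and stopping wg at home cuts the "virtual wire".

# ---- Home server (192.168.1.10): /etc/wireguard/wg0.conf ----
[Interface]
Address    = 10.200.0.2/30
PrivateKey = <HOME_PRIVATE_KEY>       ; placeholder
Table      = off                      ; day-to-day traffic stays on the home ISP
; Loose reverse-path check: packets arriving on wg0 carry real Internet source addresses
PostUp   = sysctl -q -w net.ipv4.conf.wg0.rp_filter=2
; Mark connections that arrived through the tunnel and send their replies back into it
; (the kernel re-routes a locally generated packet when mangle/OUTPUT changes its mark)
PostUp   = iptables -t mangle -A PREROUTING -i wg0 -j CONNMARK --set-mark 0x1
PostUp   = iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
PostUp   = ip route add default dev wg0 table 100
PostUp   = ip rule add fwmark 0x1 table 100
PostDown = ip rule del fwmark 0x1 table 100; ip route del default dev wg0 table 100
PostDown = iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark; iptables -t mangle -D PREROUTING -i wg0 -j CONNMARK --set-mark 0x1

[Peer]
PublicKey           = <VPS_PUBLIC_KEY>
Endpoint            = 203.0.113.10:51820
AllowedIPs          = 0.0.0.0/0       ; szatox's /0: any Internet address may be sent back via wg0
PersistentKeepalive = 25              ; keeps the home NAT/ISP mapping open so the VPS can deliver
```

Only connections that arrived through the tunnel are answered through it; the home server's own outbound traffic, including outgoing mail, still leaves via the home ISP, so that part needs changing if outgoing SMTP should originate from the static IP. IPv4 only; the firewall on the VPS should still be reviewed as a whole before exposing anything.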
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9691 Location: almost Mile High in the USA
Posted: Thu Mar 02, 2023 12:50 am Post subject:
Oh, nothing special about forward DNS, just that it would be nice to have them hosted by the same company perhaps, just so I don't have to write a separate check...
However, I do still like having control of all the records under the domain even if I can't have the SOA.