Gentoo Forums
VPS/remote hosting static IP...
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9691
Location: almost Mile High in the USA

PostPosted: Wed Mar 01, 2023 9:02 pm
- No-IP and other dynamic DNS are unacceptable for SMTP. I tried it; I get rejected.
- I want to minimize "trust" of anything I don't own, even if I pay to rent it. I don't trust my ISP, but I can block packets that appear to come from within. I won't trust the VPS because I don't fully control the VPS/colo, so it needs to be outside my LAN, and hence this extra layer of routing complexity. Because of the lack of trust I want to minimize the amount of data on the VPS/colo, hence the VPN from my LAN to the VPS/colo is a very tempting solution.
- I will most likely NOT use the VPN to the colo/VPS for day-to-day packets, though I could. The VPN is only used for incoming IP requests from my static IP allocation to access my home-located SMTPd and HTTPd servers, along with anything else I may want to have publicly available with a predefined IP address.
- I suppose I can keep using my existing VPN endpoint by port forwarding to it, but it doesn't make sense to go from (remote site) (vpn2) (vps) (vpn) (home) (vpn) (vps) (rest of the world).
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
pingtoo
l33t
Joined: 10 Sep 2021
Posts: 932
Location: Richmond Hill, Canada

PostPosted: Wed Mar 01, 2023 9:42 pm
Most VPN solutions I know have a concept of "Site-to-Site". In such a setup you can think of the VPS site as the Internet, and your home-network site will be set up as if it is facing the Internet, and you will secure it as if your ISP provided a static IP at your home-network end point.

One key security step is to make sure your VPS is always the receiving end of the tunnel connection. This way you always have control of when to establish the connection. When threats are detected you can always disconnect (kind of like unplugging the virtual wire).

If possible, make your VPS run as read-only. Use a pre-configured image, mount the file system read-only and lock down any network login. Only allow VPS-provider-supported console login. This way your VPS node is as dumb and as secure as it can be. And the bonus is that it becomes portable, in a way that you can migrate your pre-configured/pre-set image anywhere.

This conversation is piquing my curiosity 8) I wonder if I am able to set up a WireGuard site-to-site connection using OpenWrt as I described. My guesstimate is that it will take me a month to research and set up.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9691
Location: almost Mile High in the USA

PostPosted: Wed Mar 01, 2023 10:30 pm
I'm sure you can. I'm pretty sure pfSense can do it too; alas, I've not decided on a solution yet.

I have been using OpenVPN as my remote-site privacy shield, so I've had some familiarity with it and likely will use it once more to tunnel from my home site to the VPS/colo.

The thing I'm sort of saddened about is that I would have to have both ISPs paid for while I try to set up the new one. Not only that, I suspect I will need to start paying for the VPS/colo as well during that time, as the two go hand in hand with the solution.

The last thing I wish for the new VPS/colo is that they do forward DNS service as well as reverse DNS, and maybe take yet another ISP I have to deal with (DNS, VPS/colo, home network ISP)... So complicated to host your own internet services at home....
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3150

PostPosted: Wed Mar 01, 2023 10:58 pm
Quote:
    I wonder if I am able to set up a WireGuard site-to-site connection using OpenWrt as I described. My guesstimate is that it will take me a month to research and set up.

You can set the peer IP with mask /0 to bridge 2 networks.
Obviously, this setup is limited to point-to-point (you can't have more than 1 peer on a single wg interface) and you must disable adding routes by WireGuard in favor of doing it yourself.
If you want to connect more sites, you need to set up more wg devices.

Quote:
    The last thing I wish for the new VPS/colo is that they do forward DNS service as well as reverse DNS

How about hosting your forward DNS on that VPS? It's not particularly sensitive information.
Also, I think all domain registrars host forward DNS for their domains if you wish to use it (I don't). Server providers host reverse DNS themselves, and there is really no good reason to host it yourself.
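The following is an added example, not code from the thread, from Gentoo, OpenWrt or from the WireGuard project. It lays out the arrangement pingtoo and szatox describe: the home router dials out to a VPS that only listens (so the VPS side has no Endpoint and the home side decides when the tunnel exists), both WireGuard peers use AllowedIPs 0.0.0.0/0 with Table = off so wg-quick installs no routes, the routes are added by hand, and the VPS does nothing but forward the public service ports down the tunnel, keeping no data of its own. Every address, interface name, port and key below is a constructed placeholder (203.0.113.10 stands in for the rented static IP); the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from any project it names).
# Emits the WireGuard configs and the routing/NAT commands for a passive VPS
# and an active home router. All values are constructed placeholders.

VPS_PUBLIC_IP="203.0.113.10"   # stands in for the rented static IP (TEST-NET-3)
VPS_WAN_IF="eth0"              # VPS interface that carries the static IP
VPS_TUN_IP="10.200.0.1"
HOME_TUN_IP="10.200.0.2"
HOME_SERVER="192.168.10.25"    # home box running the SMTPd/HTTPd
WG_PORT="51820"
PUBLIC_PORTS="25, 80, 443"     # the only ports the VPS passes to the home LAN

# VPS side: receiving end only. No Endpoint, so it never dials home; the home
# router decides when the tunnel is up. Table = off stops wg-quick from turning
# AllowedIPs 0.0.0.0/0 into a default route through the tunnel.
vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_TUN_IP}/30
ListenPort = ${WG_PORT}
# placeholder: generate with 'wg genkey'
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER
Table = off

[Peer]
# placeholder: the home router's public key
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
EOF
}

# Home side: active end. Keepalives keep the ISP NAT mapping open so the VPS
# can deliver inbound connections at any time.
home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_TUN_IP}/30
# placeholder: generate with 'wg genkey'
PrivateKey = HOME_PRIVATE_KEY_PLACEHOLDER
Table = off

[Peer]
# placeholder: the VPS public key
PublicKey = VPS_PUBLIC_KEY_PLACEHOLDER
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# VPS: the one manual route plus NAT. Inbound public ports are DNATed to the
# home server without SNAT, so the SMTPd still sees the real client address
# for its own checks and logs. Outbound traffic from the home server arrives
# over the tunnel and is SNATed to the static IP, so outgoing mail, rDNS and
# SPF all line up with the VPS address. The forward chain drops everything else.
vps_routing() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add ${HOME_SERVER}/32 via ${HOME_TUN_IP} dev wg0
nft -f - <<'NFT'
table inet vpsfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "${VPS_WAN_IF}" tcp dport { ${PUBLIC_PORTS} } dnat ip to ${HOME_SERVER}
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "${VPS_WAN_IF}" ip saddr ${HOME_SERVER} snat ip to ${VPS_PUBLIC_IP}
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "${VPS_WAN_IF}" oifname "wg0" ip daddr ${HOME_SERVER} tcp dport { ${PUBLIC_PORTS} } accept
    iifname "wg0" oifname "${VPS_WAN_IF}" ip saddr ${HOME_SERVER} accept
  }
}
NFT
EOF
}

# Home router: only the published server's traffic goes back up the tunnel;
# a policy rule sends it to its own table. The rest of the LAN keeps using
# the ISP line directly, matching the "not for day-to-day packets" intent.
home_routing() {
  cat <<EOF
ip rule add from ${HOME_SERVER} lookup 100
ip route add default via ${VPS_TUN_IP} dev wg0 table 100
EOF
}

# Usage: ./site2site.sh vps   (on the VPS)   or   ./site2site.sh home
case "${1:-}" in
  vps)  vps_wg_conf; echo; vps_routing ;;
  home) home_wg_conf; echo; home_routing ;;
esac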
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9691
Location: almost Mile High in the USA

PostPosted: Thu Mar 02, 2023 12:50 am
Oh, nothing special about forward DNS; it would just be nice to have them hosted by the same company, perhaps, so I don't have to write a separate check...

However, I do still like having control of all the records under the domain even if I can't have the SOA.
Page 2 of 2. All times are GMT.