qenya/nixfiles
1
0
Fork 0
Code Issues 5 Pull requests Actions Activity

Restrict SSH to incoming connections over a VPN #12

New issue
Open
opened 2024-06-19 19:18:45 +00:00 by qenya · 3 comments
qenya commented 2024-06-19 19:18:45 +00:00
Owner
Copy link

Right now, machines accept SSH connections from the open Internet. This isn't a problem per se, since authentication is correctly implemented, but it's not ideal.

For defence in depth, I'd like to set up a WireGuard VPN connecting all the machines, with SSH connections only permitted from within the network.

Right now, machines accept SSH connections from the open Internet. This isn't a _problem_ per se, since authentication is correctly implemented, but it's not ideal. For defence in depth, I'd like to set up a WireGuard VPN connecting all the machines, with SSH connections only permitted from within the network.
qenya commented 2024-06-19 19:20:53 +00:00
Author
Owner
Copy link

@randomnetcat has recommended Tailscale, but I feel sure it's realistic to implement this manually, and I'd rather not rely on a third party.

A cursory search suggests that NAT traversal with WireGuard isn't too hard.

@randomnetcat has recommended Tailscale, but I feel sure it's realistic to implement this manually, and I'd rather not rely on a third party. A cursory search suggests that [NAT traversal with WireGuard isn't too hard](https://nettica.com/nat-traversal-hole-punch/).
qenya commented 2024-07-19 19:19:30 +00:00
Author
Owner
Copy link

WireGuard introduced in c60728e7aa seems to be working fine! It would be nice to have a mesh network rather than hub-and-spoke but possibly that's a bit optimistic with all the NAT involved.

Will leave it a while to test for robustness before restricting SSH.

WireGuard introduced in c60728e7aa seems to be working fine! It would be nice to have a mesh network rather than hub-and-spoke but possibly that's a bit optimistic with all the NAT involved. Will leave it a while to test for robustness before restricting SSH.
qenya commented 2024-07-26 23:29:33 +00:00
Author
Owner
Copy link

Split WIreGuard config out to a separate module in order to let @randomnetcat's devices connect. It's now a bit closer to a mesh network! But still not quite as advanced as Tailscale.

Split WIreGuard config out to [a separate module](https://git.qenya.tel/qenya/birdsong/) in order to let @randomnetcat's devices connect. It's now a bit closer to a mesh network! But still not quite as advanced as Tailscale.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
flakes
lix
multihost
No results found.
Labels
Clear labels   
blocked

   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
blocked
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: qenya/nixfiles#12
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?