OpenVPN
I tried installing openvpn before but failed. I think it is time to revisit this task due to the recent attack.
So I downloaded and installed OpenVPN using this guide:
https://www.vultr.com/docs/installing-o ... n-centos-7
By default, OpenVPN will have this IP address:
172.27.224.0/20
Ports are 943 for admin and 1194 for VPN connect.
I logged on to VestaCP and the plan is to block all inbound IP addresses except connections to 80, 443 and 1194,
and block all inbound ports except 80, 443 and 1194.
(For testing purposes, I only blocked my SSH, not Vesta admin, so I won't lock myself out.)
Then I added an ACCEPT in the firewall for 172.27.224.0/20 and whatever my SSH port is.
Problem: not working.
I can't connect via SSH.
Re: OpenVPN
Hi there,
So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?
My understanding:
Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 internal on the VPN)
Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.
Re: OpenVPN
Thanks for your reply.
> nextgi wrote: Tue Apr 10, 2018 5:21 am
> Hi there,
> So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?
> My understanding:
> Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 internal on the VPN)
> Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.
Yes. To manage VestaCP only when connected via VPN: not only admin, but also SSH and FTP.
Re: OpenVPN
Thank you for confirming.
> pipoy wrote: Tue Apr 10, 2018 12:19 pm
> Thanks for your reply.
> > nextgi wrote: Tue Apr 10, 2018 5:21 am
> > Hi there,
> > So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?
> > My understanding:
> > Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 internal on the VPN)
> > Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.
> Yes. To manage VestaCP only when connected via VPN: not only admin, but also SSH and FTP.
I do not recommend installing OpenVPN directly on the server you wish to manage. I recommend either getting a separate host and installing something like Pritunl (https://pritunl.com/) or using a VPN service. It is not a good idea to load an instance full of services; this could increase the attack surface. Using an external method such as Pritunl or a VPN provider would be best, as you could count on a dedicated IP and you could truly reduce your attack surface.
Also, I am envisioning that setting it all up on one host would most certainly make it inaccessible, as most VPN services are a bridge to another network. In this case you would be bridging it to itself. This would mean you would have to make the server a client as well and have it connect back to itself. This loop would be very unstable and most likely not work.
So, I recommend using an external method. The best form of security in this situation is a firewall with an ACL (Access Control List) configured to allow the desired hosts. If you were operating your own datacenter or even a small self-managed network, say a colocation, it would be a different story to a slight extent.
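As an added illustration (not code from either poster), here is the allow-list both posts are circling around: web and the OpenVPN port open to everyone, while SSH, FTP and the VestaCP panel on 8083 answer only to clients on the 172.27.224.0/20 tunnel range. The tunnel interface name `tun0`, the FTP/SSH ports 21/22 and the test addresses are assumptions; the thread does not state them.

```python
import ipaddress

# Values taken from the thread: the OpenVPN client range, VPN port and panel port.
VPN_SUBNET = ipaddress.ip_network("172.27.224.0/20")
VPN_PORT = 1194
PUBLIC_PORTS = {80, 443}        # web traffic stays reachable from anywhere
ADMIN_PORTS = {21, 22, 8083}    # FTP, SSH, VestaCP panel: assumed ports, VPN-only
VPN_IFACE = "tun0"              # assumed name of the OpenVPN tunnel interface


def decide(src_ip: str, iface: str, dport: int) -> str:
    """Return ACCEPT or DROP for a new inbound connection.

    Admin ports require BOTH a tunnel source address and arrival on the tunnel
    interface; a subnet-only ACCEPT (as described in the first post) would also
    match a packet carrying that private source address on the public interface.
    """
    if dport in PUBLIC_PORTS or dport == VPN_PORT:
        return "ACCEPT"
    if dport in ADMIN_PORTS:
        if iface == VPN_IFACE and ipaddress.ip_address(src_ip) in VPN_SUBNET:
            return "ACCEPT"
        return "DROP"
    return "DROP"


def iptables_rules() -> list[str]:
    """Render the same policy as iptables commands, to compare against panel rules."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(PUBLIC_PORTS):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
    # OpenVPN is assumed to listen on UDP here; add a TCP rule if it is configured for TCP.
    rules.append(f"iptables -A INPUT -p udp --dport {VPN_PORT} -j ACCEPT")
    for port in sorted(ADMIN_PORTS):
        rules.append(
            f"iptables -A INPUT -i {VPN_IFACE} -s {VPN_SUBNET} -p tcp --dport {port} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample connections: a VPN client, a public host, and a spoofed source.
    for src, iface, port in [("172.27.224.5", "tun0", 22),
                             ("203.0.113.9", "eth0", 22),
                             ("172.27.224.5", "eth0", 8083),
                             ("203.0.113.9", "eth0", 443)]:
        print(f"{src:>14} {iface} -> :{port} {decide(src, iface, port)}")
    print("\n".join(iptables_rules()))
```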