OpenVPN

Posted: Tue Apr 10, 2018 3:54 am
by pipoy
I tried installing openvpn before but failed. I think it is time to revisit this task due to the recent attack.

So downloaded and installed openvpn using this guide
https://www.vultr.com/docs/installing-o ... n-centos-7

By default, OpenVPN will have this IP address:
172.27.224.0/20

Ports are 943 for admin and 1194 for VPN connect.

I logged on to VestaCP and the plan is to block all inbound IP addresses except connections to 80, 443 and 1194,
and block all inbound ports except 80, 443 and 1194.

(For testing purposes, I only blocked my SSH, not the Vesta admin, so I won't lock myself out.)

Then I added an ACCEPT in the firewall for 172.27.224.0/20 and whatever is my SSH port.
Problem: not working.

I can't connect via SSH.

Re: OpenVPN

Posted: Tue Apr 10, 2018 5:21 am
by nextgi
Hi there,

So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?

My understanding:

Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 Internal on the VPN)

Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.

Re: OpenVPN

Posted: Tue Apr 10, 2018 12:19 pm
by pipoy
nextgi wrote:
Tue Apr 10, 2018 5:21 am
Hi there,

So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?

My understanding:

Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 Internal on the VPN)

Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.
Thanks for your reply.
Yes. To manage VestaCP only when connected via VPN. Not only admin but also the SSH and FTP.

Re: OpenVPN

Posted: Tue Apr 10, 2018 3:48 pm
by nextgi
pipoy wrote:
Tue Apr 10, 2018 12:19 pm
nextgi wrote:
Tue Apr 10, 2018 5:21 am
Hi there,

So, I am a little lost. It is clear you are trying to install OpenVPN, that's very clear. The purpose is not. Is it to manage VestaCP via the VPN?

My understanding:

Client (You) -> VPN on same host as VestaCP -> VestaCP (Port 8083 Internal on the VPN)

Is that accurate? I am trying to understand your desired setup so I can provide the appropriate advice.
Thanks for your reply.
Yes. To manage VestaCP only when connected via VPN. Not only admin but also the SSH and FTP.
Thank you for confirming.

I do not recommend installing OpenVPN directly on the server you wish to manage. I recommend either getting a separate host and installing something like Pritunl (https://pritunl.com/) or using a VPN service. It is not a good idea to load an instance full of services; this could increase the attack surface. Using an external method such as Pritunl or a VPN provider would be best, as you could count on a dedicated IP and you could truly reduce your attack surface.

Also, I am envisioning that setting it all up on one host would most certainly make it inaccessible, as most VPN services are a bridge to another network. In this case you would be bridging it to itself. This would mean you would have to make the server a client as well and have it connect back to itself. This loop would be very unstable and most likely not work.

So, I recommend using an external method. The best form of security in this situation is a firewall with an ACL (Access Control List) configured to allow the desired hosts. If you were operating your own datacenter, or even a small self-managed network, say a colocation, it would be a different story to a slight extent.
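The first post describes an inbound filter (80, 443 and 1194 open to everyone, SSH only accepted from the OpenVPN subnet 172.27.224.0/20) and the last reply recommends the same thing in general form: a firewall ACL that admits only the desired hosts to the management ports. The example below is an added illustration, not code from this thread or from VestaCP or OpenVPN. It models the ACL as a first-match rule list, the way iptables evaluates a chain, and shows the one property a practitioner most wants to verify before locking a host down: an ACCEPT for the VPN subnet only takes effect if it sits ahead of the blanket DROP, otherwise the VPN rule is shadowed and every SSH attempt is dropped. The port numbers for SSH (22), FTP (21) and the Vesta panel (8083) and the sample source addresses are assumptions for the demonstration; whether rule order is the actual cause of the poster's lockout is not something the thread establishes.

```python
"""First-match inbound ACL model for a VPN-gated management port layout.

Added example (not the thread's or VestaCP's code). Models the plan from the
first post: web and VPN ports open to all, management ports only from the
OpenVPN client subnet, everything else dropped.
"""
from ipaddress import ip_address, ip_network

# OpenVPN client subnet quoted in the post.
VPN_SUBNET = ip_network("172.27.224.0/20")

# Ports the post leaves reachable from anywhere.
PUBLIC_PORTS = frozenset({80, 443, 1194})

# Management ports that should only be reachable over the tunnel.
# 22 (SSH), 21 (FTP), 8083 (Vesta panel) and 943 (OpenVPN admin) are assumed here.
MANAGEMENT_PORTS = frozenset({22, 21, 8083, 943})

# A rule is (source network or None for any, port set or None for any, action).
Rule = tuple


def rules_correct() -> list:
    """Specific ACCEPTs first, blanket DROP last: the intended layout."""
    return [
        (None, PUBLIC_PORTS, "ACCEPT"),
        (VPN_SUBNET, MANAGEMENT_PORTS, "ACCEPT"),
        (None, None, "DROP"),
    ]


def rules_misordered() -> list:
    """The blanket DROP was added before the VPN ACCEPT (assumed failure mode):
    under first-match evaluation the ACCEPT can never be reached."""
    return [
        (None, PUBLIC_PORTS, "ACCEPT"),
        (None, None, "DROP"),
        (VPN_SUBNET, MANAGEMENT_PORTS, "ACCEPT"),
    ]


def evaluate(rules: list, src: str, dport: int, default: str = "ACCEPT") -> str:
    """Return the action of the first rule matching (src, dport).

    `default` stands in for the chain policy when nothing matches.
    """
    src_ip = ip_address(src)
    for net, ports, action in rules:
        if net is not None and src_ip not in net:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return default


def shadowed_rules(rules: list) -> list:
    """Indices of rules that can never match because some earlier rule already
    covers every packet they would match (earlier rule is any-source or a
    supernet, and any-port or a superset of the later rule's ports)."""
    shadowed = []
    for i, (net, ports, _) in enumerate(rules):
        for prev_net, prev_ports, _ in rules[:i]:
            net_covered = prev_net is None or (net is not None and net.subnet_of(prev_net))
            port_covered = prev_ports is None or (ports is not None and ports <= prev_ports)
            if net_covered and port_covered:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample traffic: a public client and a VPN client.
    probes = [("203.0.113.10", 443), ("203.0.113.10", 22),
              ("172.27.224.5", 22), ("172.27.240.5", 22)]
    for name, rules in (("correct", rules_correct()), ("misordered", rules_misordered())):
        print(f"{name}: shadowed rule indices = {shadowed_rules(rules)}")
        for src, port in probes:
            print(f"  {src}:{port} -> {evaluate(rules, src, port)}")
```

Running it shows that with the correct ordering SSH from 172.27.224.5 is accepted while SSH from 203.0.113.10 and from 172.27.240.5 (just outside the /20) is dropped; with the misordered list the VPN ACCEPT is reported as shadowed and SSH is dropped even from the tunnel. The same shadowing check is a cheap thing to run over any ACL before the blanket deny goes live.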