I want to say Dreams of Code (or his other channel Dreams of Autonomy?) did a video on VOS setup where he secured the connection between VPS and home. I think he used Tailscale. I’ll see if I can find the video.
this post was submitted on 12 Sep 2025
28 points (100.0% liked)
Selfhosted
52440 readers
1280 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Firewall rules on outbound traffic from the VPS to the LAN would do it. Allow traffic to the hosts and ports that the VPS needs to reach and block everything else.
But I think that's kind of where the problem lies; if we're talking about external firewalls applied on the cloud provider, then I need an external IP for my homelab network to use in the rules, which defeats the point of Pangolin to begin with. And if we're talking about the firewall inside the VPS, like ufw or whatever, then that would be forfeit if a bad actor would gain root access on that host, they would just disable the rules. This is kind of where my thinking is at currently.
A layered defense is always best. Nothing is 100%, but knowing your threat model will help define how far you have to go and how many layers you want in the way. Defending against State level actors looks different than swatting the constant low effort bot traffic. You're right, if a bad actor gets root on your machine, all security is forfeit. The goal is to minimize that possibility by keeping applications and packages updated and only allowing necessary connections to the machine. You mentioned wireguard or tail scale. Set that up first. Then set up the host firewall to only allow outbound traffic onto the VPN to the required ports and endpoints on the LAN. If the VPS isn't hosting any public facing services, disable all traffic except the VPN connection from and to the public Internet both on the cloud provider's firewall and the host firewall. If it is hosting publicly accessible services then use tools like fail2ban and crowdsec to identify and block problem IPs.
Yeah I think were on the same track, what I can think of is to do this;
- Set up firewall rules on my LAN router (which hosts the Wireguard server), restricting access to the Wireguard client coming in from the VPS.
- Set up firewall rules on the cloud provider to restrict access to anything but my public IP where the Wireguard server is hosted.
- Do the same in the VPS host internal firewall.
- Configure the Wireguard server and client config to only allow access to the IPs relevant for the clustering.
- Set up CrowdSec as part of Pangolin, it's an integrated feature
- Move the Newt + service containers exposed via Pangolin to their own isolated VLAN in order to further harden the environment around them
- Configure Nomad and Consul tokens to only allow the VPS to register the Pangolin services and nothing else