• 5 Posts
  • 669 Comments
Joined 1 year ago
cake
Cake day: July 7th, 2023

help-circle






  • Honestly, you’re just making more limitations and overhead by running everything over tunnels locally. There are better ways to secure your local network. If this works for you, and you don’t want to bother with extra steps, just go for it though.

    The downsides are performance, and a lot of extra hurdles trying to get other things to interface with any of the other services.

    You’ll also be at a disadvantage coming to forums and asking for help, because the preface will be explaining your setup before anyone can really help you with issues.





  • Okay, so two really big things:

    1. You’re confused a bit on how network routing works. If you’re building something that bridges multiple networks (local + VPN + VPS), you need to know about how to route things to different places. You’re dealing with 3 networks at this point.

    2. You might be misunderstanding how “zero-trust” and local networking fit together. Right now you have some local machines at least, AND a router. You don’t need all of your local machines to individually bridge a gap to your VPS, you want it the other way around.

    If the majority of your machines are local, then make that your hub. Everything else should be a client. Adding all these individual nodes to routes in a mesh network makes absolutely no sense, and will definitely cause routing problems, if not something like ARP poisoning (we can’t see your config).

    Just make the remote machine clients to your local network and be done with it.









  • MONTHLY?? That’s a bit much, don’t you think?

    If you’re regenerating certa that fast, I can’t think of anything that’s going to secure AND easy enough to satisfy automating this.

    Whatever tool you want to use to secure the contents of the cert from its initial creation, to distribution, is fine enough. If you want super easy, use an SSH/SCP script. If you want something more elegant, think Hashicorp Vault or etcd.

    Ansible is probably more effort than it’s worth (plus securing the secrets of the cert), and any other config mgmt tool won’t deal with the distribution portion simply, so I’d skip all of that.