#1 2017-11-06 21:47:24

tinloaf
Trusted Member
Registered: 2017-11-06
Posts: 3

Kernel module suggestion: WireGuard

Hi,

I just bought a LES server (from Inception Hosting) and I'd like to build a VPN tunnel to some other server (for the curious: [0]). WireGuard seems to be the perfect choice for this because of its low footprint. However, that would require the appropriate kernel module.

I could imagine that lots of people have VPN running on their LES boxes. Would loading the WireGuard module on the hosts be possible? My eternal gratitude would be the result. ;)

Kind regards,

Lukas

[0] I want to run my weechat on the LES box, to reduce the attack surface on my main server. However, because of the IRC block, it looks like I need to route the traffic via my main server. ;)

Offline

#2 2017-11-07 08:53:18

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,600
Website

Re: Kernel module suggestion: WireGuard

tinloaf wrote:

I want to run my weechat on the LES box, to reduce the attack surface on my main server. However, because of the IRC block, it looks like I need to route the traffic via my main server. ;)

Using a LES box to reduce the attack surface on your main server is not a nice move; it is a shared IPv4, and if your LES box gets attacked, EVERYONE will know. You would probably end up terminated for that reason also...

Offline

#3 2017-11-09 00:04:34

WSS
Trusted Member
Registered: 2016-12-22
Posts: 404

Re: Kernel module suggestion: WireGuard

Most people utilizing VPNs use OpenVPN for compatibility and support. You just need to enable TAP/TUN in SolusVM.

Also, running any services through LES which cause it to get attacked generally gets your service terminated, as Viking Mik stated.



Offline

#4 2017-12-07 22:01:22

tinloaf
Trusted Member
Registered: 2017-11-06
Posts: 3

Re: Kernel module suggestion: WireGuard

Absolutely, I understand that. In fact, the public-facing IP of my IRC bouncer (weechat, actually) is still the one of my "real" root server. I'm tunneling the data back through my main server - so, no DDoS threat for the NAT IP ;) However, I want to mitigate the effect of someone taking the weechat process: If I run this on my main server, someone finding an exploit in weechat could get to all my cryptographic keys, emails etc. I'd like them not to. ;)

Regarding the VPN: I went with tinc and I'm very satisfied.

Offline
