I work in a big company, and we are currently working remotely.
Many of the internal services we use, such as GitLab, Jenkins, ArgoCD, etc., are only accessible when I’m connected to the company’s VPN.
I’m curious about this setup because I might want to do something similar with the services I have hosted on the multiple VPS machines I’m currently renting.
I assume the setup is something like this:
- Get some servers and install an OpenVPN or WireGuard server on them (or pay for some VPN service)
- Get the IPs of these servers or from the VPN provider (assuming they are static)
- Block all incoming traffic to the GitLab, Jenkins, etc. servers using a firewall or a reverse proxy/load balancer
- Create a “whitelist” that allows the VPN IP addresses to connect
Is there anything else I’m missing on this setup?
Also, using something like ExpressVPN or similar is not viable in this setup, right? I assume I can’t know the IP I’ll be assigned in that case (and I assume they don’t provide a list of the IPs they use, because then it would be easy for Netflix and the like to block those IPs from accessing their content).
You’ve pretty much hit it. You need a firewall that blocks all traffic except the VPN, a VPN server behind the firewall, and VPN clients that connect to the VPN server. Then when the clients are connected to the server, they are behind the firewall and able to access the services.
Commercial VPN services will likely not be helpful or necessary; those generally exist to provide you anonymity/privacy when connecting to external services. In fact, if you set up your VPN to only allow certain source IPs, it would be harmful to the setup to try to use a commercial VPN in between.
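The layout the question lists and the reply above confirms (a firewall that drops everything except the VPN port, with the services reachable only through the tunnel), written out as an added example that is not part of this thread: a small POSIX shell script that renders an nftables ruleset for a WireGuard host and, on request, checks and loads it. The interface names (eth0, wg0), the WireGuard port 51820 and the service ports 22/80/443 are assumptions; change them for your host.

```shell
#!/bin/sh
# Added example, not from the thread: render (and optionally load) an nftables
# ruleset for a VPS that exposes only a WireGuard UDP port to the internet and
# serves everything else (reverse proxy, SSH, ...) only to peers inside the tunnel.
# Assumed names: public interface eth0, tunnel interface wg0, WireGuard port 51820,
# service ports 22/80/443. Adjust to your host.
set -eu

# render_ruleset WAN_IF WG_IF WG_PORT SERVICE_PORT...
# Prints the ruleset to stdout. Service ports are accepted only when the packet
# arrived on the tunnel interface; nothing but the WireGuard port is accepted on WAN_IF.
render_ruleset() {
  local wan_if="$1" wg_if="$2" wg_port="$3" svc_ports="" p
  shift 3
  [ $# -ge 1 ] || { echo "render_ruleset: need at least one service port" >&2; return 1; }
  for p in "$@"; do
    svc_ports="${svc_ports:+$svc_ports, }$p"
  done
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Loopback and replies to connections this host opened.
    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # Keep ICMP so path MTU discovery and IPv6 neighbour discovery still work.
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # The single public entry point: the WireGuard port.
    iifname "$wan_if" udp dport $wg_port accept

    # Internal services are reachable only from inside the tunnel.
    iifname "$wg_if" tcp dport { $svc_ports } accept

    # Everything else on the public interface falls through to the drop policy; log a sample.
    iifname "$wan_if" limit rate 5/minute log prefix "nft-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# apply_ruleset ARGS...: dry-run the rendered ruleset with nft's check mode, keep a
# copy of the current ruleset for rollback, then load the new one atomically.
# Run this from the console or from a session that already comes in over wg0:
# SSH via the public IP is closed by these rules.
apply_ruleset() {
  local tmp
  tmp="$(mktemp)"
  render_ruleset "$@" > "$tmp"
  nft -c -f "$tmp"                                        # parse/semantic check only
  nft list ruleset > "/root/nft-backup-$(date +%s).nft"   # rollback copy
  nft -f "$tmp"                                           # atomic replace
  rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
  apply_ruleset eth0 wg0 51820 22 80 443
fi
```

Invoke it without arguments to print the ruleset and inspect it, and with `apply` to load it. The `nft -c` step is the check a practitioner wants before a remote firewall change: a typo is rejected before anything is touched, and the saved copy can be restored with `nft -f` from the console if the new rules turn out to be wrong.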
I have something like that for my server at home. I have only one port, for WireGuard, forwarded to my server. WireGuard in turn points to a local DNS (Pi-hole + upstream Unbound) that resolves my domain to the local IP address of the server.
For the different services I use a reverse proxy pointing to my different containers. As a bonus, since I own the domain, I have done a DNS challenge to get a wildcard certificate for the domain, so everything is valid HTTPS.
Why would you use an enterprise VPN? What is the point? If your stuff is accessible only via VPN, just roll your own self-hosted VPN server and block, or rather do not open, any ports other than the one for the VPN.
It is good you are thinking about security, but honestly, stop thinking. If you want to do something, start. Along the way you will figure out the setup quite quickly. It will be an overlay network like ZeroTier or Tailscale, or a custom VPN server that lets you access everything on the server. That will depend on what you are doing.
I was getting confused by the term VPN being used for both “commercial” VPNs with a focus on anonymity/privacy and “enterprise” VPNs, which I guess have a focus on creating a “virtual internal network”.
I was just giving the example of my company, which I think pays for the “Enterprise” VPN service.
In my case, I would probably use one smaller VPS with an OpenVPN server (or similar) installed and only allow access to the other VPSes from the IP of the OpenVPN server.
I read about Tailscale during my searches, but I got even more confused. Have to invest some time to try to understand how it works.
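The hub layout sketched in the post above (one small VPS terminating the VPN, the other VPSes accepting traffic only from its IP), as an added example that is not from the thread. It uses WireGuard rather than OpenVPN, which the poster allows with “or similar”. The script renders the hub’s and the laptop’s wg0.conf plus the nftables ruleset for each backend VPS. All addresses (hub 198.51.100.10, tunnel 10.8.0.0/24, backends 203.0.113.0/24), the interface name eth0 and the `<...>` key placeholders are assumptions; real keys come from `wg genkey` and `wg pubkey` on each machine.

```shell
#!/bin/sh
# Added example, not from the thread: the "one small VPS as VPN hub" layout.
# The hub terminates WireGuard and forwards (masquerading) into the other VPSes,
# which accept SSH/HTTPS only from the hub's public IP.
# Assumed/placeholder values: hub public IP 198.51.100.10, hub WAN interface eth0,
# tunnel 10.8.0.0/24, backend VPS range 203.0.113.0/24, keys as <...> placeholders.
set -eu

HUB_IP="198.51.100.10"
HUB_WAN_IF="eth0"
WG_PORT="51820"
TUNNEL_NET="10.8.0.0/24"
BACKEND_NET="203.0.113.0/24"

# Hub /etc/wireguard/wg0.conf. PostUp enables forwarding and masquerades tunnel
# traffic leaving eth0, so the backends see the hub's public IP as the source and
# a plain source-IP allowlist on them works. Without the masquerade they would see
# 10.8.0.x and drop the packets.
render_hub_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = <hub-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1; nft add table ip wgnat; nft add chain ip wgnat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule ip wgnat postrouting oifname "$HUB_WAN_IF" ip saddr $TUNNEL_NET masquerade
PostDown = nft delete table ip wgnat

[Peer]
# laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32
EOF
}

# Laptop wg0.conf. AllowedIPs is a split tunnel: only the tunnel itself and the
# backend VPS range are routed through the hub, not all traffic (no 0.0.0.0/0).
render_client_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = <laptop-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = $HUB_IP:$WG_PORT
AllowedIPs = $TUNNEL_NET, $BACKEND_NET
PersistentKeepalive = 25
EOF
}

# nftables ruleset for each backend VPS: SSH and HTTPS only from the hub's static
# public IP, nothing else inbound. Because it keys on that source address, routing
# through a commercial VPN "in between" would change the source and lock you out.
render_backend_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    ip saddr $HUB_IP tcp dport { 22, 443 } accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

case "${1:-}" in
  hub)     render_hub_conf ;;
  client)  render_client_conf ;;
  backend) render_backend_ruleset ;;
esac
```

Run with `hub`, `client` or `backend` to print the respective file. One consequence of this design worth knowing before choosing it: every backend sees the hub’s address, so their SSH and web logs no longer distinguish individual users; per-user attribution has to come from the hub’s WireGuard peer list instead.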
VPN services (which advertise as just “VPNs”) are merely selling you access to their own private network (VPN); generally the advantage is to make your traffic appear to be coming from a different machine. This is typically advantageous either to make it appear geographically different or to hide the traffic from various corporate or governmental intrusion.
A VPN is just a way to connect computers into a private network much like a LAN, but across the internet.
Yes, exactly. VPNs and their usage predate VPN services.
Government and industry were using VPNs (IPSec, PPTP) starting in maybe the 90s or early 00s and the rise of VPN services as a means of privacy is probably a decade old or less.
A VPN simulates nothing; it kind of bridges two networks. You’re able to route your packets directly from outside to your private (company) network, as if you were physically inside of that network.
This technology is as old as the internet, because every dial-up connection was exactly like that, but you did not connect to a company network (private IP address space), but to the internet (public address space).
In the early days of what is now considered a VPN (emphasis on encryption, not the network part), you could also dial up to your company and use the same programs for it, e.g. pppd