
In the setups I've seen, once you've connected through VPN you're essentially on the LAN. If you compromise the SSH server, then you're also essentially on the LAN. Yes with the VPN you still have to compromise the server running the SSH service if that's the machine you want access to, but inside the LAN you now have a much greater attack surface.

Of course if the setup is VPN -> firewall -> SSH to make sure only the SSH is exposed through VPN, then I agree you'd be more secure with VPN+SSH.



But without the VPN, you're already the equivalent of being on the LAN because all of these services are exposed to the public internet.

In the discussion we're having, we're going from a setup where there is no equivalent to a private network because everything is public, to having a private network that only allows you access to the things that were previously public.


No because I have a firewall in front of the SSH, as mentioned. I would assume a firewall is in front of the VPN as well of course.

So either only SSH is exposed to the public, or only VPN is exposed. Without an additional firewall after the VPN, how is my LAN more protected with the VPN vs SSH?


Your goal is to protect SSH, not the VPN network. The VPN network is just a tool for protecting SSH.

With your configuration, all that needs to exist is an SSH 0-day to gain access to the server. With a VPN, they need that AND a 0-day for the VPN software to gain access to the server.

You can have a more complex setup with a VPN, but that isn't the discussion here - the discussion is securing SSH. If you want to provide VPN access to an array of other services, or as access to a corporate LAN or similar, then that's another conversation that has to involve the specifics of those services and that configuration. It's not what is being recommended here.


Fair enough, guess I was restricting my view to my bubble. For a single server, sure, defense in depth should work, assuming you're not running the VPN on the same box.
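The "VPN -> firewall -> SSH" layout from the first comment, and the two-0-days argument above it, as an added example that is not taken from the thread: an nftables ruleset for a WireGuard gateway that exposes only its tunnel port and forwards nothing but TCP/22 to a single SSH host, paired with that host's own input rules. The interface names, the 10.8.0.0/24 client subnet, the 192.0.2.10 host address and the 51820 listener port are all assumptions.

```nftables
# --- Ruleset for the VPN gateway (assumed: eth0 public, eth1 LAN, wg0 WireGuard) ---
# Only the WireGuard listener is reachable from the internet; the only thing
# reachable *through* the tunnel is TCP/22 on one host (assumed 192.0.2.10).
table inet vpn_gw {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # WireGuard listener (assumed UDP 51820) is the gateway's only public exposure
        iif "eth0" udp dport 51820 accept
        # the gateway itself offers no services to VPN clients or the LAN
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # VPN clients may open SSH to the one host and nothing else on the LAN
        iif "wg0" oif "eth1" ip daddr 192.0.2.10 tcp dport 22 ct state new accept
    }
}

# --- Ruleset for the SSH host (assumed: eth0 on the LAN, VPN clients in 10.8.0.0/24) ---
# Loaded on a separate machine from the gateway, matching the "not on the same box"
# condition in the last comment.
table inet ssh_host {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # SSH is accepted only from addresses the VPN hands out, so reaching sshd
        # from the public side requires the VPN to be broken first
        ip saddr 10.8.0.0/24 tcp dport 22 accept
        # the rest of the LAN and the internet get no listener at all
    }
}
```

Because the gateway forwards tunnel traffic without NAT, the SSH host needs a route for 10.8.0.0/24 back through the gateway, otherwise replies never return.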



