• Creat
    5 months ago

    Yeah. Some services you kinda want accessible directly, but ssh really isn’t one of them. Even though it should be safe, as that’s its intended purpose, putting a VPN in front of it makes a lot of sense, especially with how easy it is to set up these days. Anything used for administration of systems should be behind one.

    • Wireguard really changed the landscape, for me, and my entire approach to networking. Suddenly, VPNs became fast and easy, and where previously impractical for casual (hobbyist) admins, it made creating enterprise-grade secure subnets easy. It’s astonishingly stable and reliable, such that my initial concerns about cutting off all access except through the VPN - once a truly nerve-wracking concept - is now a no-brainer. It’s made my network administration easier and more secure. My firewalls are simpler.

      Wireguard is one of the biggest high-impact, low-visibility networking game changers I’ve seen in decades.

    • machineunlearning@lemmy.ca
      5 months ago

      There is definitely a shift away from traditional VPNs these days since VPN tunnels tend to be more open and permissive. You can obviously secure a tunnel and limit network access, but you are still directly accessing the networks and resources that you do allow, remotely.

      I was running Kasm for a while and I really liked this approach to secure remote access. I could effectively spin up an Ubuntu Docker image and access it remotely through the browser. Secured the web portal with my IdP which requires MFA and I would log in remotely and launch various apps and desktops.

      They are non-persistent in nature, so once you log off and destroy the instance you would effectively get a new desktop the next login.

      Generally works pretty well.