What is the best way to lock down access to a domain? For example: say I self-host Bitwarden on a VPS, I have NGINX on the server, and I use my GoDaddy domain DNS manager to point bitwarden.domain.com to my VPS IP. This works fantastically, and I use certbot so that I can access Bitwarden at https://www.bitwarden.domain.com.
However, my next goal is to lock the domain down so that I can only access bitwarden.domain.com while I’m on a VPN, and I’d like to self-host as much as I can. What’s the best way to do this? Any guides on how to set it all up? I’d want to do this with several different subdomains in the future for things that I want to use a domain for but don’t want exposed. I’d also want to be able to use this VPN to access those domains while I’m on my laptop at work, my desktop at home, my phone at the store, or anywhere in between. Thanks!!
How about setting up a local DNS server on the VPS and then forcing all VPN traffic to use that DNS? Then you should be able to point the domain to the local address (or maybe even a specific port with a proxy) without exposing anything to the internet.
I don’t know if it’s efficient or even a good idea, but it seems like it should work. The simplest setup is hosting Bitwarden on port 80 or 443 and then setting up the DNS in such a way that it points bitwarden.domain.com to localhost.
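The layout this reply sketches (a resolver on the VPS that VPN clients are forced to use, a private answer for bitwarden.domain.com, and the service listening only on the tunnel side) written out as a provisioning script. This is an added example, not from the original thread or from any of the projects mentioned. It assumes WireGuard on interface wg0 with the 10.8.0.0/24 subnet and 10.8.0.1 on the VPS, dnsmasq as the resolver, NGINX as the reverse proxy in front of Bitwarden on 127.0.0.1:8080, and the usual Debian/Ubuntu file locations; the key and endpoint placeholders in angle brackets are to be filled in.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): split-horizon DNS + WireGuard + NGINX bound to the tunnel.
# Assumptions: WireGuard subnet 10.8.0.0/24 with the VPS at 10.8.0.1 on wg0, dnsmasq as resolver,
# NGINX site files under /etc/nginx/sites-available, Bitwarden itself on 127.0.0.1:8080.
set -eu

WG_SERVER="10.8.0.1"          # VPS side of the tunnel; also the resolver pushed to every client
WG_CLIENT="10.8.0.2"          # first client; laptop, desktop and phone each get their own /32
HOST="bitwarden.domain.com"   # the name that must only resolve and connect over the VPN
PREFIX="${PREFIX:-}"          # set to a scratch dir to render without touching /etc

# Server side. UDP 51820 is the only port the VPS needs open to the whole internet.
wg_server_conf() {
  cat <<EOF
[Interface]
Address = ${WG_SERVER}/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# laptop
PublicKey = <laptop-public-key>
AllowedIPs = ${WG_CLIENT}/32
EOF
}

# Client side. AllowedIPs routes only the tunnel subnet (split tunnel), but DNS is pinned to
# the VPS resolver so ${HOST} is answered from the private zone, not the public GoDaddy record.
wg_client_conf() {
  cat <<EOF
[Interface]
Address = ${WG_CLIENT}/32
PrivateKey = <laptop-private-key>
DNS = ${WG_SERVER}

[Peer]
PublicKey = <server-public-key>
Endpoint = <vps-public-ip>:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
EOF
}

# dnsmasq: listen on the tunnel only, override the one name, forward everything else upstream.
dnsmasq_conf() {
  cat <<EOF
interface=wg0
bind-interfaces
listen-address=${WG_SERVER}
no-resolv
server=1.1.1.1
address=/${HOST}/${WG_SERVER}
EOF
}

# NGINX: bind to the tunnel address. A bare "listen 443 ssl;" would also accept connections
# arriving on the public IP, which is exactly the exposure the OP wants to remove.
nginx_site() {
  cat <<EOF
server {
    listen ${WG_SERVER}:443 ssl;
    server_name ${HOST};
    ssl_certificate     /etc/letsencrypt/live/${HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${HOST}/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# Write all four files under ${PREFIX}; run with PREFIX=/tmp/render to inspect first.
render_all() {
  mkdir -p "${PREFIX}/etc/wireguard" "${PREFIX}/etc/dnsmasq.d" "${PREFIX}/etc/nginx/sites-available"
  wg_server_conf > "${PREFIX}/etc/wireguard/wg0.conf"
  wg_client_conf > "${PREFIX}/etc/wireguard/laptop.conf"
  dnsmasq_conf   > "${PREFIX}/etc/dnsmasq.d/vpn-only.conf"
  nginx_site     > "${PREFIX}/etc/nginx/sites-available/${HOST}"
  chmod 600 "${PREFIX}/etc/wireguard/"*.conf   # private keys live in these files
}

if [ "${1:-}" = "render" ]; then
  render_all
fi
```

The two lines that do the locking down are `address=/bitwarden.domain.com/10.8.0.1` in dnsmasq and `listen 10.8.0.1:443 ssl;` in NGINX; once both are in place the public A record at GoDaddy can be deleted, and a client that is off the VPN gets either the public answer (which no longer connects to anything) or no answer at all. One caveat: with NGINX off the public interface, an HTTP-01 certbot renewal can no longer reach the server, so renewals need either a DNS-01 challenge or a temporary firewall opening of the kind another reply in this thread describes.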
If I have a server in the cloud, I like to create a new zone for my personal WAN IP. From that zone I allow HTTPS, SSH, whatever I want to be able to hit from my network.
After that, I like to change the default zone to “private” so my server won’t even respond to pings from the rest of the internet. You can also tune the default “public” zone to not allow HTTPS/SSH/whatever, but your server will still be pingable.
The biggest issue here is renewing your cert. If Let’s Encrypt can’t browse to your server from the internet, it will fail to renew. My cron job to renew the cert temporarily changes the firewall rules to get around this.
The “enterprise” fix for this would be an IPsec VPN tunnel, which you’ll probably have to shell out more money for.
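The zone layout this reply describes, plus the renewal job that opens the firewall only for as long as the Let’s Encrypt check needs it, as an added example that is not the poster’s own script. It assumes firewalld (whose built-in zone with the “no reply to anything unsolicited” behaviour is called `drop`; the custom zone is named `homenet` because `home` is already a built-in), certbot with the HTTP-01 challenge, SSH and HTTPS as the services allowed from home, and 203.0.113.10 as a stand-in for the personal WAN address (a documentation address, not a real one). Setting `RUN=echo` prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): firewalld zones keyed on the home WAN address, default
# zone "drop", and a certbot renewal that opens port 80 only for the duration of the check.
# Assumptions: firewalld, certbot with HTTP-01, home address 203.0.113.10 (documentation
# range), services wanted from home are ssh and https.
set -eu

HOME_IP="${HOME_IP:-203.0.113.10}"
RUN="${RUN:-}"   # RUN=echo for a dry run that prints the commands instead of running them

# One-time setup. Source-based zones are matched before the interface's zone, so traffic
# from HOME_IP lands in "homenet" and everything else falls into the default "drop" zone,
# which answers nothing (no ICMP echo, no RST), matching the "won't even respond to pings" goal.
setup_zones() {
  $RUN firewall-cmd --permanent --new-zone=homenet
  $RUN firewall-cmd --permanent --zone=homenet --add-source="${HOME_IP}/32"
  $RUN firewall-cmd --permanent --zone=homenet --add-service=ssh
  $RUN firewall-cmd --permanent --zone=homenet --add-service=https
  $RUN firewall-cmd --permanent --set-default-zone=drop
  $RUN firewall-cmd --reload
}

# Renewal. The pre-hook adds http to the runtime (non-permanent) config of the default zone,
# the post-hook removes it again. certbot runs the post-hook whether or not the renewal
# succeeded, and --timeout makes firewalld drop the rule by itself if the post-hook never
# runs (machine rebooted mid-renewal, certbot killed), so the window cannot stay open.
renew_with_window() {
  $RUN certbot renew --quiet \
    --pre-hook  "firewall-cmd --zone=drop --add-service=http --timeout=300" \
    --post-hook "firewall-cmd --zone=drop --remove-service=http"
}

case "${1:-}" in
  setup) setup_zones ;;
  renew) renew_with_window ;;
esac
```

Install the script and add a line such as `17 3 * * * /usr/local/sbin/vpn-only-fw.sh renew` to root’s crontab; certbot only contacts Let’s Encrypt when a certificate is actually due, so the port stays closed on the other days. If the home address changes (most residential connections are dynamic), `firewall-cmd --permanent --zone=homenet --change-source=…` is the fix, which is one reason the VPN-based answers in this thread avoid keying on a WAN address at all. A DNS-01 challenge, which proves control of the name with a TXT record instead of an inbound HTTP connection, removes the need for the window entirely.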
Tailscale - free if fewer than 3 users, 100 devices (I recommend this for simplicity)
Or Headscale (open-source implementation of the Tailscale control server)
I reckon both have ACLs that could be used for IP ranges, but I suppose you should be able to host your services on the VPN’s tailnet (subnet).
Plain WireGuard could also work, I believe.
A firewall such as UFW will also allow you more granularity of access based on interfaces and IP ranges within them.
If you want access only via VPN, why use a domain at all? If you do not expose it to the internet, you can still access it from outside via VPN. Did I not get your point?
This is what I do. Works like a charm. I have a Synology router that I was able to install a DNS module on. Without that, Pi-hole would probably be the next easiest.
I don’t even think you’d need to go for ACLs if you’re using Tailscale and don’t mind keeping the VPN on even at home.
You can just put the Tailscale IP address in a standard A or AAAA record; when your computer queries DNS for this record, it’ll get the Tailscale IP address back, which it will then follow to your desired service. If you’re connected to Tailscale, the connection will go through as you’d expect; if you’re not connected, it’ll simply error.
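The property this reply relies on is that the public record resolves to an address that is only routable while the client is on the overlay. That is worth checking after every DNS change, because one leftover A record pointing at the VPS’s public IP silently undoes it. The check below is an added example, not the poster’s, and not part of Tailscale; it assumes Tailscale addresses are in 100.64.0.0/10 (the CGNAT range) and fd7a:115c:a1e0::/48, and that a plain WireGuard setup uses 10.8.0.0/24 (adjust `is_wg_ip` to your subnet). Addresses can be passed on the command line so the check runs on a captured answer, or left out to resolve the name live.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that every address a hostname resolves to lies
# inside the overlay/tunnel ranges, so the name cannot lead an off-VPN client to a public listener.
# Assumptions: Tailscale IPv4 in 100.64.0.0/10 and IPv6 in fd7a:115c:a1e0::/48 (lowercase hex),
# plain WireGuard subnet 10.8.0.0/24. None of these come from the thread.
set -eu

# 0 if $1 is a dotted-quad IPv4 inside 100.64.0.0/10: first octet 100, second octet 64..127.
is_tailnet_ip() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  case "$1" in *.*.*.*) ;; *) return 1 ;; esac
  local a b rest
  a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
  [ "$a" = 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]
}

# 0 if $1 is an IPv6 address inside Tailscale's ULA prefix fd7a:115c:a1e0::/48.
is_tailnet_ip6() {
  case "$1" in fd7a:115c:a1e0:*) return 0 ;; esac
  return 1
}

# 0 if $1 is inside the plain WireGuard tunnel subnet 10.8.0.0/24.
is_wg_ip() {
  case "$1" in 10.8.0.*) return 0 ;; esac
  return 1
}

# audit_record HOST [ADDR...]: classify each address; returns 1 if any is reachable without the VPN.
# With no addresses given, resolve HOST with getent (A and AAAA).
audit_record() {
  local host="$1"; shift
  local addrs="$*"
  if [ -z "$addrs" ]; then
    addrs=$(getent ahosts "$host" | awk '{print $1}' | sort -u)
  fi
  local bad=0 ip
  for ip in $addrs; do
    if is_tailnet_ip "$ip"; then
      printf '%s -> %s  ok (tailnet IPv4)\n' "$host" "$ip"
    elif is_tailnet_ip6 "$ip"; then
      printf '%s -> %s  ok (tailnet IPv6)\n' "$host" "$ip"
    elif is_wg_ip "$ip"; then
      printf '%s -> %s  ok (wireguard tunnel)\n' "$host" "$ip"
    else
      printf '%s -> %s  EXPOSED: reachable without the VPN\n' "$host" "$ip"
      bad=1
    fi
  done
  return $bad
}

if [ $# -ge 1 ]; then
  audit_record "$@"
fi
```

Run it as `./audit-record.sh bitwarden.domain.com` from a machine that is off the VPN, since that is the resolver view an attacker gets; a non-zero exit means at least one answer points outside the overlay. Keep in mind that the DNS record only decides where clients go, not who can connect: the service must also stop listening on, or be firewalled off, the public interface, otherwise anyone who knows the VPS IP can still reach it directly.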
You could use OpenZiti. It’s a zero-trust overlay with many similarities to Twingate, but it’s fully open source so it can be self-hosted. I work on the project. Set up the server so that it only accepts connections from the ZT overlay and you are away, OP.