• 28 Posts
  • 607 Comments
Joined 1 year ago
Cake day: July 7th, 2023

  • Okay, so two really big things:

    1. You’re confused a bit on how network routing works. If you’re building something that bridges multiple networks (local + VPN + VPS), you need to know about how to route things to different places. You’re dealing with 3 networks at this point.

    2. You might be misunderstanding how “zero-trust” and local networking fit together. Right now you have some local machines at least, AND a router. You don’t need all of your local machines to individually bridge a gap to your VPS, you want it the other way around.

    If the majority of your machines are local, then make that your hub. Everything else should be a client. Adding all these individual nodes to routes in a mesh network makes absolutely no sense, and will definitely cause routing problems, if not something like ARP poisoning (we can’t see your config).

    Just make the remote machine clients to your local network and be done with it.

  • MONTHLY?? That’s a bit much, don’t you think?

    If you’re regenerating certs that fast, I can’t think of anything that’s going to be secure AND easy enough to satisfy automating this.

    Whatever tool you want to use to secure the contents of the cert from its initial creation, to distribution, is fine enough. If you want super easy, use an SSH/SCP script. If you want something more elegant, think Hashicorp Vault or etcd.

    Ansible is probably more effort than it’s worth (plus securing the secrets of the cert), and any other config mgmt tool won’t deal with the distribution portion simply, so I’d skip all of that.

  • That’s really up to the software again. If you’re not technically inclined enough to run through the code, that’s fine, but you have to trust that other people are.

    Go and search GitHub issues or this project by name for what you’re concerned about.

    Authentication is also not security, btw. It’s just access. If you can be more specific about your concerns in your post, you may get more direct answers.