3. VPS configuration

The VPS acts as a bridge between the internet and the real server: it holds the public IP and relays traffic to the hidden server over WireGuard.

The VPS has a public IP: IPv4 137.194.14.22 and IPv6 2a09:6847:fa10:1410::338.

It runs Debian 13 (Trixie).

3.1 Users

  • root
  • admin (in group sudo)

3.2 SSH login

Always harden the SSH login configuration. It lives in /etc/ssh/sshd_config; the recommended changes are:

  • PasswordAuthentication no
  • PermitRootLogin no

Then restart the service: sudo systemctl restart ssh. Two checks before doing so: the admin user's SSH key must already be installed, since password logins are being disabled (keep the current session open until a fresh key-based login works), and on Debian the main file starts with an Include of /etc/ssh/sshd_config.d/, whose drop-in files are read first and therefore win over a value set lower down, so verify the effective settings rather than only the edited file.
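As an added example (not from the original page): a small POSIX shell audit for the two sshd settings above. It is meant to be run on the effective configuration printed by sshd -T, because Debian's sshd_config includes the /etc/ssh/sshd_config.d/ drop-ins first and sshd keeps the first value it reads for a keyword. The function name audit_sshd_config and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd configuration for the
# two settings recommended above. sshd keeps the FIRST value it reads for each
# keyword, and Debian's /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in file there silently wins
# over a value set further down. Auditing the effective configuration printed by
# "sshd -T" avoids that trap; the same function also reads a raw config file.
#
# audit_sshd_config [FILE]  (stdin when FILE is omitted): prints each offending
# keyword with the value sshd would use; exit 1 if any, 0 if both are "no".
audit_sshd_config() {
    awk '
        BEGIN { FS = "[ \t=]+" }                 # accept "Key value" and "Key=value"
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # strip comments and indentation
        tolower($1) == "match" { exit }          # only the global section is audited
        NF >= 2 { k = tolower($1); if (!(k in first)) first[k] = tolower($2) }  # first wins
        END {
            bad = check("PasswordAuthentication", "yes")
            bad += check("PermitRootLogin", "prohibit-password")
            exit (bad > 0)
        }
        # check(name, def): report the value sshd would use (first one seen, else
        # the OpenSSH default) unless it is "no"; returns 1 when reported
        function check(name, def,   k, v) {
            k = tolower(name); v = (k in first) ? first[k] : "unset (default " def ")"
            if (v == "no") return 0
            printf "%s=%s\n", name, v
            return 1
        }
    ' "${1:--}"
}

# Constructed sample inputs, not real server files. WEAK models a file where a
# drop-in "PasswordAuthentication yes" is read before the admin's fix (simulated
# by placing it first); HARDENED models "sshd -T" output after the fix.
WEAK='PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User admin
    PasswordAuthentication no'
HARDENED='permitrootlogin no
passwordauthentication no
port 22'

audit_weak()     { printf '%s\n' "$WEAK"     | audit_sshd_config; }  # reports both keys
audit_hardened() { printf '%s\n' "$HARDENED" | audit_sshd_config; }  # reports nothing

# On the VPS itself:  sudo sshd -T | audit_sshd_config && echo "sshd login hardened"
```

Running it on the VPS requires root (sshd -T reads the host keys), and the WEAK sample shows why the later "PasswordAuthentication no" line is ignored.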

3.3 Firewall

As an exposed server it needs a firewall; ufw is used here.

Commands:

  • sudo ufw status, sudo ufw status verbose or sudo ufw status numbered to show the state and the rules
  • sudo ufw enable to start the firewall. Add the ssh rule below before enabling, otherwise the current SSH session can be locked out.
  • sudo ufw delete [rule number] to delete a rule; the rule number is shown by sudo ufw status numbered

Rules:

  • sudo ufw default deny incoming
  • sudo ufw default allow outgoing
  • sudo ufw allow ssh to allow 22/tcp
  • sudo ufw allow http and sudo ufw allow https to allow 80/tcp and 443/tcp
  • sudo ufw allow 51820/udp to allow 51820/udp (WireGuard server)
  • sudo ufw allow 2222/tcp to allow 2222/tcp for Forgejo SSH

3.4 Wireguard

See the WireGuard page.

3.5 Reverse proxy

The reverse proxy forwards the traffic arriving on selected VPS ports to the hidden server.

We use nginx for that: sudo apt install nginx-full -y

Clear the default configuration:

sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx

and comment out the following two include lines in /etc/nginx/nginx.conf (sudo nano /etc/nginx/nginx.conf), so that no other configuration is pulled in:

# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;

Then edit the main configuration, sudo nano /etc/nginx/nginx.conf, and add the following. The stream block is a new top-level block beside the existing http block; the port-80 server block belongs inside that existing http block, because nginx rejects a configuration with two http blocks.

# ----------------------------------------------------
# 1. LAYER 4 TCP PROXY (For SSH and End-to-End HTTPS)
# ----------------------------------------------------
stream {
    # Traffic to port 443 goes straight to the hidden server over WireGuard
    upstream hidden_server_https {
        server 10.0.0.2:443;
    }

    # Traffic to port 2222 goes straight to the hidden server's port 2222
    upstream hidden_server_custom_ssh {
        server 10.0.0.2:2222;
    }

    server {
        listen 443;
        listen [::]:443;   # the VPS is reachable over IPv6 too, like the port-80 block
        proxy_pass hidden_server_https;
        # Pure TCP pass-through: TLS is not terminated here, so the client's
        # ClientHello (SNI included) and the hidden server's certificate travel
        # through unchanged; the hidden server holds the certificates and sees
        # the VPS's WireGuard address as the client address. (proxy_ssl_name is
        # only used when nginx itself opens TLS to the upstream with proxy_ssl on,
        # which is not the case here.)
    }

    server {
        listen 2222;
        listen [::]:2222;
        proxy_pass hidden_server_custom_ssh;
    }
}

# ----------------------------------------------------
# 2. LAYER 7 HTTP PROXY (To force HTTPS redirection)
# ----------------------------------------------------
http {   # the existing http block of nginx.conf; nginx allows only one
    server {
        listen 80;
        listen [::]:80;
        server_name _; # Catches all domains pointing to this VPS

        # Redirects all plain HTTP traffic to secure HTTPS
        return 301 https://$host$request_uri;
    }
}

Check the syntax: sudo nginx -t

Restart nginx: sudo systemctl restart nginx