Securing Remote Linux Hosts with firewalld and OpenVPN

These articles are AI-generated summaries. Please check the original sources for full details.

Securing a Remote Linux Host with firewalld and OpenVPN

Iuri Covaliov’s lab documents the step-by-step process of securing a rented Linux host. The goal is to reduce the exposed attack surface and replace unrestricted public SSH with controlled access via a private administrative VPN.

Why This Matters

In real-world infrastructure, a single edge node often provides controlled access to private services. If that node is not properly secured, it becomes a significant security risk. Implementing a strict firewall baseline and introducing a private administrative VPN minimizes public exposure and separates management traffic from application traffic, which reduces the risk of security breaches and potential data loss.

Key Insights

  • firewalld can be used to restrict inbound traffic to explicitly allowed services, as seen in Iuri Covaliov’s lab.
  • OpenVPN can be used to create a private management plane, allowing SSH access only to authenticated VPN members, as demonstrated in the lab.
  • Split-tunnel mode can be used to route administrative traffic through the VPN while keeping general internet traffic local, as implemented in the lab.
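
The check below is an added example, not code from Iuri Covaliov’s lab: it reads the text printed by `firewall-cmd --list-all-zones` and verifies that SSH is admitted only by the VPN zone. The zone name `vpn`, the interfaces `eth0` and `tun0`, and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which active firewalld zones admit SSH.
# Input is the text printed by `firewall-cmd --list-all-zones`.

# Print each ACTIVE zone that allows SSH (service "ssh" or port 22/tcp).
# Inactive zones are skipped: with no interface or source bound they filter nothing.
ssh_zones() {
  awk '
    /^[^ ]/ { zone = $1; active = ($0 ~ /active\)/) }  # zone header line
    /^ +(services|ports):/ && active {
      for (i = 2; i <= NF; i++)
        if ($i == "ssh" || $i == "22/tcp") seen[zone] = 1
    }
    END { for (z in seen) print z }
  ' | sort
}

# Succeed only if the VPN zone is the one and only active zone admitting SSH.
ssh_vpn_only() {  # $1 = VPN zone name (assumption: "vpn")
  [ "$(ssh_zones | tr '\n' ' ')" = "$1 " ]
}

# Constructed sample: before hardening, SSH is open on the public zone.
BEFORE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 

vpn (active)
  target: default
  interfaces: tun0
  services: ssh
  ports: '

# Constructed sample: after hardening, public exposes only the VPN listener.
AFTER='public (active)
  target: default
  interfaces: eth0
  services: openvpn
  ports: 

vpn (active)
  target: default
  interfaces: tun0
  services: ssh
  ports: '
```

On a real host, run `firewall-cmd --list-all-zones | ssh_vpn_only <zone>` and treat a non-zero exit status as a finding.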

Working Examples

A helper script to generate a ready-to-import OpenVPN profile

./make-ovpn.sh client1

Practical Applications

  • Company: Secure hosting providers; Behavior: Implementing firewalld and OpenVPN to secure remote Linux hosts
  • Pitfall: Not restricting SSH access; Consequence: Increased risk of security breaches
