Securing Vagrant as a VPN gateway with DHCP and an RSA key pair

In this project I am using Vagrant as a VPN gateway service, but I’m unsure how to secure it further and prevent undesired ssh access (network is set to public):

Here are some of my assumptions from the experimentation along the way to get it working:

  • I believe the network mode must be set to public, because it requires a DHCP-assigned address for a static route to function properly.
  • Promiscuous mode (which requires bridging) is also required for hosts on both sides of the network to reach each other at their private IP addresses via the VPN gateway.

…But any host can ssh into the VPN because of the “public_network” mode. So how can the service be locked down better? If I only allow one host’s rsa key to be used to access it, is that possible or will this break Vagrant’s ability to function?

Hey there,
in general, I would not recommend Vagrant to manage production infrastructure. It is designed to be used for development, and as such is pretty permissive about access to the guest machine.

One thing of note here is the Vagrant insecure private key. Vagrant injects this into the guest machine in order to connect to it to run commands. This can be changed to a more secure private key by configuring config.ssh.private_key_path. In any case, Vagrant still assumes that it will be able to connect to the guest over ssh (or some other communicator) and requires access to a key that will allow it to do that. So your question:

If I only allow one host’s rsa key to be used to access it, is that possible or will this break Vagrant’s ability to function?

very likely this will break Vagrant.

Thank you @soapy1,

What other options do we have to automate VM deployment for production?

What other options do we have to automate VM deployment for production?

Right. Does this need to be a VM in particular. Could you start up an AWS EC2 instance and then provision that with the VPN software of your choice?

It looks like you have Vagrant inside of a Terraform module. So I assume Terraform has some limitation for what you are trying to do? Otherwise, Terraform would be my suggestion for managing infrastructure in production.

This is for a VPN gateway onsite to help VFX artists connect their machines with any cloud compute for rendering. So the only choices are VMs or Docker, and Docker won’t support promisc mode and bridging of NICs on all platforms, so unless I’m missing something, a VM is the only choice.

This part of the infra presently functions without Terraform.

:thinking:
Well, I’m not too familiar with other tools for automating VMs other than just using the api/cli tools. Which might be a good option?

I’m also not entirely sure what problem you are trying to solve, or the specific requirements/constraints. What I can do is outline some of the problematic things with using Vagrant in production. The things that would keep me up at night are:

  • the private key situation as mentioned above (I guess you could also manage a Vagrant only key)
  • synced folders - Vagrant by default will sync the directory it’s running from to /vagrant on the guest. This can be disabled
  • Vagrant will automatically do port forwarding for the communicator it’s using. By default Vagrant uses ssh, so port 22 will be forwarded
  • the state of the base box. I would probably want to build a base box from scratch to have better control over what is running on the system. This can be done using Packer. You could also add some security in this layer if that is applicable.
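The two concrete, actionable points in this thread are the insecure key (the first reply says it can be replaced via config.ssh.private_key_path) and the checklist just above. Both can be closed from a Vagrant shell provisioner, and the script below is an added example written for this page, not code from the thread or from the Vagrant project. It assumes a Debian/Ubuntu-style guest (sshd reads /etc/ssh/sshd_config, the service is named "ssh"), that the login user is "vagrant", and that the admin host IP and public key passed to it are placeholders; the functions take file paths as arguments so they can be exercised on copies before touching the live config.

```shell
#!/bin/sh
# harden-ssh.sh: Vagrant shell provisioner that replaces the Vagrant insecure
# key with one operator-controlled public key and limits sshd to that key from
# one admin host. Added example for this thread, not Vagrant project code.
# Assumed: Debian/Ubuntu-style guest, login user "vagrant"; USER, ADMIN_IP and
# the public key given on the command line are hypothetical placeholders.
set -eu

# The comment string Vagrant's bundled insecure public key carries; exit 0 if
# the file still contains it, i.e. Vagrant's default key is still accepted.
has_insecure_key() {
  grep -q 'vagrant insecure public key' "$1"
}

# Replace the whole authorized_keys file with exactly one public key, so the
# insecure key and anything else the base box left behind is dropped.
install_single_key() {
  keyfile="$1"; pubkey="$2"
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  printf '%s\n' "$pubkey" > "$keyfile"
  chmod 600 "$keyfile"
}

# Number of key lines in an authorized_keys file (prints 0 instead of failing).
count_keys() {
  grep -c -E '^(ssh-|ecdsa-)' "$1" || true
}

# Set an sshd_config directive idempotently: drop every existing occurrence
# (commented, indented, or inside a Match block) and write the new value at the
# top of the file so a trailing "Match" block can never swallow it.
set_directive() {
  cfg="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "$key" "$value"
    awk -v k="$key" '$0 !~ ("^[#[:space:]]*" k "([[:space:]]|$)")' "$cfg"
  } > "$tmp"
  cat "$tmp" > "$cfg"   # keeps the original file's owner and mode
  rm -f "$tmp"
}

# Read back the effective value of a directive (first uncommented occurrence).
get_directive() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Key-only logins, no root, and only USER arriving from ADMIN_IP.
harden_sshd_config() {
  cfg="$1"; user="$2"; admin_ip="$3"
  set_directive "$cfg" PubkeyAuthentication yes
  set_directive "$cfg" PasswordAuthentication no
  set_directive "$cfg" KbdInteractiveAuthentication no
  set_directive "$cfg" PermitRootLogin no
  set_directive "$cfg" AllowUsers "${user}@${admin_ip}"
}

# Provisioner entry point:
#   harden-ssh.sh --apply USER ADMIN_IP 'ssh-ed25519 AAAA... comment'
if [ "${1:-}" = "--apply" ]; then
  user="$2"; admin_ip="$3"; pubkey="$4"
  home="$(getent passwd "$user" | cut -d: -f6)"
  install_single_key "$home/.ssh/authorized_keys" "$pubkey"
  chown -R "$user:$user" "$home/.ssh"
  harden_sshd_config /etc/ssh/sshd_config "$user" "$admin_ip"
  sshd -t                                   # refuse to reload a broken config
  systemctl reload ssh 2>/dev/null || service ssh reload
fi
```

To wire it in, the Vagrantfile needs `config.ssh.insert_key = false` (so Vagrant stops inserting its own key), `config.ssh.private_key_path` pointing at the private half of the key passed to the script, `config.vm.synced_folder ".", "/vagrant", disabled: true` for the synced-folder item, and `config.vm.provision "shell", path: "harden-ssh.sh", args: ["--apply", "vagrant", "192.0.2.10", "ssh-ed25519 AAAA..."]`. The trade-off is exactly the one the first reply warns about: after provisioning, `vagrant ssh` and every later `vagrant` command only work from the host named in AllowUsers and holding that private key; run from anywhere else, Vagrant is locked out along with everyone else.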

I decided to ditch Vagrant in the end in favor of a Raspberry Pi for this purpose.