ZeroTier VPN for your VPS
Prologue
ZeroTier is my first option for a VPN for my services. Why?
- Doesn't require a login for devices to enter my networks;
- For free, I can add up to 25 devices to my networks;
- If I get to the point where I need more than 25 devices, I can host ZeroTier "roots" myself and have no limits;
- Most importantly, in my experience, ZeroTier just works.
I not only want my services to be secure, but I also want to share some services with friends. Which services? Mainly Minecraft servers.
So the simpler and faster it is for my friends to connect to my network, the better!
Is it insecure for friends to have access to my network?
ZeroTier gives you control over all routing configurations you might need to limit any type of connections.
You can check out their docs on flow rules.
Secure way to manage/access your VPS
The most common and important way to access and manage your VPS is through an SSH connection. My preferred distro is Debian, which is more resource-demanding, but has been more stable for me.
The first time you log in to your VPS you are probably using a password (like on Hostinger); sometimes you already have a private/public key pair to use (like on AWS EC2). Always use a key pair and make sure only you have the private key.
...well, that isn't quite enough. It is a good measure, though: it will be a challenge for a cracker to break into your system without access to an SSH connection, but we can make it harder, way harder. How? Well, stop SSH from accepting connections from the internet; then, no matter whether someone has your keys, they can't reach your VPS's SSH at all. You will lose your own access to the VPS's SSH over the internet as well, but that is why you need a VPN, so you can be on a private connection that is not the internet, just you and your VPS; no one else can connect to it (unless you intentionally permit it).
How to do that?
Well, not so simple, but not complicated. Firstly, install ZeroTier and connect to a network:
apt update
apt install curl -y
curl -s https://install.zerotier.com/ | bash
zerotier-cli join <network-id>
zerotier-cli info
Then go to the ZeroTier dashboard, enable the VPS, and give it an IP.
After a few seconds, your VPS will have a ZeroTier IP. You can check it with:
ip addr | grep zt
It will be something like 10.147.17.117. Now that you have your IP on the VPN, we can tell sshd to listen only on this address, so SSH is reachable only from inside the VPN. To do this, we edit one line in the SSHD config file, usually at /etc/ssh/sshd_config:
# Connect only through ZeroTier network
# Ex.: ListenAddress 10.147.17.117
ListenAddress <The ZeroTier VPS IP>
You can also change the SSH port from 22 to something random, like 55436.
You can restart the SSHD service, and it will no longer receive connections on the public IP, only from inside the VPN. But let's not do that yet; there is a small but important problem to solve.
When you reboot your VPS, the SSH server will likely start before ZeroTier has connected to the VPN. Since sshd now depends on the VPN address being present, it will likely fail to start. Let's fix that by telling systemd to keep restarting the SSHD service until it works:
The systemd unit that controls the SSHD service is likely at /lib/systemd/system/ssh.service; you can see your path on the Loaded line of the systemctl status sshd.service command. (Note that files under /lib/systemd/system are replaced on package upgrades; an override created with systemctl edit ssh.service survives them.) In this file, let's just comment out one line, the one that prevents SSHD from restarting when a specific error occurs (the error that happens when the VPN is not up yet):
#RestartPreventExitStatus=255
Then you reload the systemd configs using:
systemctl daemon-reload
And now you can safely restart the SSHD service, applying the VPN-only connection:
systemctl reload sshd.service
Now the public IP of your VPS will no longer work for SSH; only your ZeroTier VPN IP can be used to connect to your VPS over SSH.
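To confirm the change actually took effect before you close your session, here is an added check (written for this page, not code from the original post): it parses an ss -ltn listing and fails if any SSH listener is bound to anything other than the ZeroTier address. It assumes the ZeroTier IP 10.147.17.117 and port 22 from the post; the listings inside the script are constructed samples.

```shell
#!/bin/sh
# Added check (not from the original post): confirm sshd is bound ONLY to the
# ZeroTier address. Assumptions: the ZeroTier IP 10.147.17.117 and port 22 are
# the ones used in the post; the `ss` listings below are constructed samples.

# check_ssh_listeners <zt_ip> <port> <ss listing>
# Reads `ss -ltn`-style lines (State Recv-Q Send-Q Local:Port Peer:Port) and
# returns 0 only if every LISTEN socket on <port> is bound to <zt_ip>.
# A wildcard (0.0.0.0, *, [::]) or any other address on that port returns 1,
# as does finding no listener at all (sshd did not come up).
check_ssh_listeners() {
    printf '%s\n' "$3" | awk -v ip="$1" -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, part, ":")        # last piece is the port,
            p = part[n]                     # everything before it is the address
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port) {
                seen = 1
                if (addr != ip) { bad = 1; print "exposed listener: " $4 }
            }
        }
        END {
            if (!seen) print "no listener on port " port
            if (seen && !bad) exit 0
            exit 1
        }'
}

# Constructed sample: host where the ListenAddress change was applied.
SAMPLE_HARDENED='LISTEN 0 128 10.147.17.117:22 0.0.0.0:*'
# Constructed sample: host still exposing sshd on every interface (IPv4 and IPv6).
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

check_ssh_listeners 10.147.17.117 22 "$SAMPLE_HARDENED" && echo "hardened sample: OK"
check_ssh_listeners 10.147.17.117 22 "$SAMPLE_EXPOSED" || echo "exposed sample: still reachable from the internet"
# On a real VPS, feed the live listing instead (ss -H drops the header line):
#   check_ssh_listeners 10.147.17.117 22 "$(ss -Hltn)"
```

Run the live variant from a second SSH session over the VPN before closing the one you edited sshd from, so a failed bind does not lock you out.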
Why do this?
Well, now you're locked into a VPN, so it must be working for you to be able to access your VPS, yes. But at the same time, any bot that scans random public IPs for open ports and then tries to gain access to your server will fail. Since they are on the internet, not on your VPN, they will probe your public IP and find no SSH port available. So this method makes your VPS much harder to gain access to.