Why I Want a VPN in Front of Everything

Public SSH on the internet is manageable, but I’d rather:

  • connect to my VPS through a VPN (IPsec, in my case),
  • expose fewer services directly to the internet,
  • and keep most internal ports completely invisible from outside the tunnel.

I already prefer IPsec for VPN setups, so it fits my style.

VPN as a First Layer

The idea:

  1. I connect from my devices to the VPS via IPsec.
  2. The VPN assigns my device an address from a trusted internal pool.
  3. Firewall rules only allow:
      • SSH from that VPN IP range,
      • private ports (Vault, proxies, etc.) from VPN addresses,
      • minimal public exposure for the HTTPS endpoints that have to be reachable,
      • plus the IPsec traffic itself (IKE on UDP 500/4500 and ESP), which has to stay public or the tunnel can never be established.
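Here is what that policy looks like as an nftables ruleset, as an added example rather than code from the original post. It assumes the IPsec gateway runs in tunnel mode and hands out virtual IPs from 10.10.0.0/24 (the kind of pool strongSwan's `rightsourceip`/`pools` setting provides), SSH on port 22, Vault on 8200/8201 and HTTPS on 443; every one of those values is a placeholder for the example. The check a practitioner would want is in there too: a VPN-pool source address is only trusted when the packet actually came out of an IPsec security association (`meta ipsec exists`), so nobody can reach the "internal" rules by spoofing a 10.10.0.x source on the public interface.

```shell
#!/bin/sh
# Added example (not from the original post): build and lint an nftables
# ruleset for the "VPN first" policy.
# Assumptions (placeholders, not values from the post): VPN virtual-IP pool
# 10.10.0.0/24, SSH on 22, Vault on 8200/8201, public HTTPS on 443.
set -eu

VPN_NET="${VPN_NET:-10.10.0.0/24}"        # virtual-IP pool the IPsec gateway assigns
PRIVATE_TCP="${PRIVATE_TCP:-8200, 8201}"  # private ports, e.g. Vault API and cluster
PUBLIC_TCP="${PUBLIC_TCP:-443}"           # the only service the whole internet may reach

build_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # ICMP stays open so PMTU discovery and IPv6 neighbour discovery keep working
    meta l4proto { icmp, icmpv6 } accept

    # IKE (UDP 500), NAT-T (UDP 4500) and ESP must be reachable from anywhere,
    # otherwise the tunnel everything else depends on can never come up
    udp dport { 500, 4500 } accept
    meta l4proto esp accept

    # Minimal public exposure: only HTTPS
    tcp dport { $PUBLIC_TCP } accept

    # A packet with a VPN-pool source that was not decapsulated from an IPsec SA
    # is spoofed; drop it before any "trusted" rule below can match it
    ip saddr $VPN_NET meta ipsec missing drop

    # SSH and private ports: only from the VPN pool, only via IPsec
    ip saddr $VPN_NET meta ipsec exists tcp dport 22 accept
    ip saddr $VPN_NET meta ipsec exists tcp dport { $PRIVATE_TCP } accept

    # Everything else: rate-limited log, then the chain's drop policy applies
    limit rate 5/minute log prefix "nft-input-drop: "
  }
}
EOF
}

# Lint: every accept rule for SSH or a private port must carry both the VPN
# source restriction and the IPsec check. Returns non-zero if one does not.
lint_ruleset() {
  leaks=$(build_ruleset \
    | grep -E 'dport (22|\{ *'"$PRIVATE_TCP"' *\}) accept' \
    | grep -v -F "ip saddr $VPN_NET meta ipsec exists" || true)
  [ -z "$leaks" ]
}

# How many accept rules have no source restriction at all (reachable from anywhere)
count_public_accepts() {
  build_ruleset | grep -c -E '^[[:space:]]*(udp|tcp|meta l4proto) .*accept$'
}

lint_ruleset
case "${1:-}" in
  --check) build_ruleset | nft -c -f - ;;   # syntax check only, needs nft installed
  --apply) build_ruleset | nft -f - ;;      # load into the kernel
  *)       build_ruleset ;;                 # just print the ruleset
esac
```

Run it with `--check` first; apply it from a console session or with a timed rollback (a scheduled `nft flush ruleset` you cancel once SSH still works), because a typo here locks you out of the box. The `meta ipsec` match needs a reasonably recent kernel and nftables; on older systems the equivalent is iptables' `-m policy --dir in --pol ipsec`. The lint function is the part worth keeping around: it fails the script if anyone later adds a `dport 22 accept` rule without the VPN-and-IPsec qualifier, which is exactly the mistake that quietly reopens SSH to the internet.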

Benefits for My Design

  • Cleaner separation between “the whole internet” and “my authenticated devices”.
  • Less noise on SSH and internal ports.
  • Easier to reason about where traffic is supposed to come from.

It also aligns with my general goal: use multiple layers (VPN, firewall, PKI) so that no single control has to be perfect.