I have been running my own VPS appliances for UniFi, UISP and recently Omada for a few years now. Tom’s video about Cloudflare Zero Trust made me want to use them, instead of using my Pritunl server to get access when I’m not home.
Currently busy migrating from Digital Ocean to Hetzner. Hetzner is cheaper but also provides a bit more freedom when it comes to stuff like pfSense in the cloud.
The issue I’m trying to tackle is making stuff like UniFi, UISP and Omada work with Cloudflare Zero Trust. Accessing the web UI won’t be a problem at all. Making the informs work would be possible too I guess, since it’s HTTP based. But stuff like STUN is gonna be an issue, I assume.
So this leaves me with 2 options:
- Leave these ports open to the internet and only use the tunnels for the web interface.
- Find a way to make this more secure.
So I’ve been tinkering with pfSense on a Hetzner VPS and it works quite well. My test UniFi server is being routed through, and doesn’t even need a public IPv4 by itself. As UniFi, Omada and UISP all use different ports, I could use 1 firewall for them, using the same IP.
I’m not really experienced with pfSense, but what can I do to make this more secure? Some restrictions based on Geographical location? Maybe some IPS/IDS? Anything else?
Or maybe this would be a bad idea overall? Perhaps there’s another way to not have any ports open on the controllers?
Really curious what other people think.