I am currently deploying my cloud servers @ Vultr.com – this is one of them.
They have locations in New Jersey; it's about 12ms ping to them from my Comcast Cable.
I set up a blank Debian 9 server, SSH'ed in, ran ssh-keygen to generate RSA keys for passwordless login, and set up sudo. Then it's ready to go for whatever software. A good idea is to set up LetsEncrypt now and switch over from the self-signed snakeoil certs.
Software Used on Server:
Apache2, MySQL/MariaDB, PHP, Nextcloud, WordPress, Webmin/Usermin, Postfix (mail SMTP server, send-only), OpenVPN
OpenVPN tunnel from my FreeNAS server to my pfSense router:
I established an OpenVPN site-to-site tunnel between my pfSense router and the cloud server, and used the OpenVPN config to push a static route. Once the interfaces and networks were up, I needed iptables to forward the traffic. The goal is to map the internal 192.168.1.1 services onto the public interface.
This means we route the private subnet 192.168.1.1/24 over the VPN interface 10.8.0.1. The system has to be configured with iptables to masquerade that traffic and additionally forward the port over; in this case we kept the same dport number to make life easier. At this point I can access internal 192.168.1.2-4 resources on the public cloud server hosted at my domain name.
(This likely could have been done with SSH too, but I didn't do that.)
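An added example of the masquerade-plus-port-forward rule set described above (not the post's own configuration). It assumes the cloud server's public interface is eth0, the OpenVPN interface is tun0 carrying 10.8.0.1/24, and the home subnet is 192.168.1.0/24; the rules are generated as text so they can be reviewed before being applied, and FORWARD is left at default-deny so only the explicitly forwarded ports cross the tunnel.

```shell
#!/bin/sh
# Added example, not the author's configuration. Assumed names:
#   PUB_IF=eth0            public interface of the cloud server
#   VPN_IF=tun0            OpenVPN interface (10.8.0.1/24)
#   LAN_NET=192.168.1.0/24 home subnet reached through the tunnel
PUB_IF="${PUB_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# masquerade_rules: enable forwarding, default-deny FORWARD, allow replies,
# and SNAT LAN-bound traffic to the VPN address so LAN hosts answer via the tunnel.
masquerade_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -j MASQUERADE\n' "$VPN_IF" "$LAN_NET"
}

# forward_rules PROTO PORT LAN_HOST
# Exposes LAN_HOST:PORT on the public interface, keeping the same dport on both
# sides (DNAT), and admits only that one new flow through FORWARD.
forward_rules() {
    proto="$1"; port="$2"; lan_host="$3"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUB_IF" "$proto" "$port" "$lan_host" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$PUB_IF" "$VPN_IF" "$proto" "$lan_host" "$port"
}

# apply [print|run]: "print" shows the generated rule set for review,
# "run" hands it to a shell with -e so a failing rule stops the script.
apply() {
    if [ "${1:-print}" = print ]; then cat; else sh -e; fi
}

# Demo: expose HTTPS on a constructed LAN host 192.168.1.2 (print only).
{ masquerade_rules; forward_rules tcp 443 192.168.1.2; } | apply print
```

Run with `apply run` as root once the printed rules look right; the counterpart on the pfSense side is the static route for 192.168.1.0/24 that OpenVPN pushes.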
OpenVPN Remote Access Server – Cloud VPN host:
Uses the OpenVPN Windows Client app to connect in client/server mode. On the server, we generated SSL/TLS keys for the server and the client, and shared them with each client over a secure side-channel (tar.gz over SCP). This "Server" config differs from the "site-to-site with shared secret" setup we used above. We can choose whether or not to push the default gateway and new DNS records, to provide one-click VPN access to a single host running Windows (Linux/OSX are supported too). The client will then DHCP a new IP from the VPN pool (make sure port 67 is allowed from the VPN network 10.8.0.1/24, etc.), and if a new default gateway and routes are pushed automatically, the user will IMMEDIATELY show up as coming from the new IP/location of the VPN.