The Trust Assumption is a Vulnerability
If you are still relying on a VPN concentrator and a perimeter firewall to protect your infrastructure, you are already compromised. The concept of "trusted internal network" is a hallucination. In 2023, the only safe assumption is that the threat is already inside the house. A compromised developer laptop, a rogue dependency, or a misconfigured container—any of these turns your "secure private LAN" into a playground for lateral movement.
We need to stop managing network boundaries and start managing identity. This is Zero Trust. It’s not a product you buy; it’s a terrifying realization that leads to a strict architecture.
For those of us operating in Norway, the stakes are higher. With Datatilsynet aggressively enforcing GDPR and the fallout from Schrems II making data transfers to the US a legal minefield, hosting your Zero Trust architecture on local, sovereignty-compliant infrastructure isn't just technical—it's legal survival.
Here is how we build a Zero Trust environment on bare-metal capable KVM instances, like those provided by CoolVDS, without the latency overhead of heavy enterprise tools.
1. Mutual TLS (mTLS): The New Firewall
IP whitelisting is fragile. IPs change. BGP gets hijacked. Cryptographic identity does not. In a Zero Trust model, service A does not talk to service B because they are on the same subnet. They talk because they present a valid certificate signed by your internal Certificate Authority (CA).
You don't need a heavy service mesh like Istio to achieve this. You can implement strict mTLS directly at the Nginx level. This ensures that even if an attacker gains network access to your VPS Norway instance, they cannot query your API without the private key.
Here is a production-hardened Nginx configuration block for enforcing client certificate verification. Note the optimization flags to reduce the handshake overhead on high-traffic NVMe instances:
server {
listen 443 ssl http2;
server_name api.internal.coolvds.net;
# The Server's Identity
ssl_certificate /etc/pki/server.crt;
ssl_certificate_key /etc/pki/server.key;
# The Authority that validates Clients
ssl_client_certificate /etc/pki/internal-ca.crt;
ssl_verify_client on; # Mandatory verification
# Optimization for handshake latency
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
# Pass the common name to the backend for auditing
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_pass http://127.0.0.1:8080;
}
}Pro Tip: Never use the same CA for server and client certificates. If your server keys leak, you don't want to compromise your ability to issue client identities. Use an intermediate CA for your infrastructure components.
2. WireGuard: Mesh Overlays vs. Hub-and-Spoke
Traditional IPsec VPNs are bloated. They run in userspace (often), crash, and eat CPU cycles. For a secure backplane between your CoolVDS instances in Oslo and your remote dev team, use WireGuard. It runs in the Linux kernel (5.6+), meaning context switches are minimal. This is crucial when you are pushing gigabits of traffic.
In a Zero Trust setup, we don't treat the VPN as a gateway to the whole network. We use it to build a mesh where every node can talk only to specific peers. Unlike older protocols, WireGuard fails silently. If a packet comes from an unauthorized key, the server doesn't even send a reject response. It drops it. The port appears closed to scanners.
Below is an interface configuration that strictly limits traffic. We are not setting a default gateway; we are defining allowed IPs explicitly.
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.100.0.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey =
# Peer: Database Server (Internal)
[Peer]
PublicKey =
AllowedIPs = 10.100.0.2/32
# Peer: Admin Workstation (External)
[Peer]
PublicKey =
AllowedIPs = 10.100.0.5/32 3. Identity-Aware Proxy (IAP)
SSH keys are great, until an employee leaves and you have to rotate them across 50 servers. In 2023, you should be putting your management interfaces (SSH, internal dashboards, Kibana) behind an Identity-Aware Proxy.
We use OAuth2 Proxy combined with Nginx. This forces a login via your identity provider (Google, GitHub, or a self-hosted Keycloak) before a request even hits your application. If the user isn't authenticated, the packet never reaches the backend service. This drastically reduces the attack surface.
Configuring OAuth2 Proxy
Run this as a sidecar or a standalone service on your ingress node.
./oauth2-proxy \
--email-domain="coolvds.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret= \
--client-id= \
--client-secret= \
--provider=github This setup works exceptionally well on CoolVDS KVM instances because you have full control over the network stack, unlike shared hosting environments where port binding restrictions often break proxy configurations.
4. The Host-Level Firewall: nftables
Forget iptables. It's legacy code. The modern Linux standard is nftables. It combines code reduction with atomic rule updates. In a Zero Trust environment, the default policy for everything is DROP. We only open what we verify.
Here is a concise nftables set for a web server that assumes hostile traffic by default:
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Accept loopback
iifname "lo" accept
# Accept established/related connections
ct state established,related accept
# Allow SSH (Rate limited)
tcp dport 22 limit rate 10/minute accept
# Allow HTTP/HTTPS
tcp dport { 80, 443 } accept
# Allow WireGuard
udp dport 51820 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}Why Infrastructure Choice Dictates Security
You cannot build a secure house on quicksand. Zero Trust architecture relies heavily on encryption (TLS everywhere) and packet inspection. This creates CPU overhead. If your hosting provider over-provisions their CPUs (the "noisy neighbor" effect), your handshake times will spike. Suddenly, your secure API adds 200ms of latency, and developers start turning off security to "fix the speed."
This is where the hardware reality of CoolVDS becomes a security feature. We utilize high-frequency CPUs and dedicated NVMe storage tiers. When you are decrypting traffic at line rate or verifying signatures on every request, you need consistent I/O performance.
Furthermore, data sovereignty is part of the trust model. Hosting on CoolVDS ensures your encrypted data resides physically in Norway, connected directly to NIX (Norwegian Internet Exchange). This reduces the physical distance your packets travel, lowering the window of opportunity for interception and ensuring compliance with strict European privacy standards.
Implementation Checklist
- Audit: Identify every flow of traffic. If it's not documented, block it.
- Encrypt: Deploy internal CA and rotate certificates automatically (use Cert-Manager or simple cron scripts).
- Isolate: Use WireGuard to create micro-segments between your database and app servers.
- Verify: Replace direct SSH access with an Identity-Aware Proxy where possible.
Security is not a state; it is a process. But that process is much easier when your underlying infrastructure isn't fighting against you. Don't let high latency kill your security initiative.
Ready to lock down your stack? Spin up a CoolVDS KVM instance in Oslo today and start building your fortress.