The Perimeter is Dead: Implementing Practical Zero-Trust on Norwegian Infrastructure
If you are still relying solely on a VPN to secure your infrastructure in 2022, you are operating on a security model from 2010. The "Castle and Moat" strategy—where everything inside the firewall is trusted and everything outside is hostile—has failed. The rise of supply chain attacks (remember SolarWinds?) and the persistent threat of ransomware moving laterally through networks proves that we can no longer trust the internal network.
For CTOs and Lead Architects operating in the EEA, specifically Norway, the stakes are compounded by compliance. Following the Schrems II ruling, relying on US-based cloud perimeters effectively puts your compliance posture in a legal grey zone. Datatilsynet (The Norwegian Data Protection Authority) has been clear: reliance on data transfer mechanisms to third countries is risky.
The solution is Zero Trust Architecture (ZTA). "Never trust, always verify." It sounds like a marketing slogan, but strictly defined, it means removing implied trust based on network location. Here is how we build it using standard Linux tools available today.
1. The Death of Static IPs and VPNs
Traditional access control lists (ACLs) allowing traffic from specific IPs are fragile. IPs change. VPN credentials get stolen. Once an attacker breaches the VPN, they have the "keys to the kingdom" and can scan for open MongoDB ports or unpatched internal dashboards.
In a Zero-Trust model, every request—whether it comes from the public internet or the server in the next rack—must be authenticated, authorized, and encrypted. We stop caring about where the request comes from and start caring who is making it.
2. Authenticating the Machine: mTLS
Mutual TLS (mTLS) is the bedrock of service-to-service communication in a Zero-Trust environment. Unlike standard TLS where only the server proves its identity, mTLS requires the client to present a certificate signed by a trusted Certificate Authority (CA).
If you are running a microservices architecture or exposing internal tools (like a Grafana instance or a staging API), do not rely on Basic Auth. Use Nginx with mTLS. This moves authentication to the handshake layer. If the client doesn't have the certificate, Nginx drops the connection before even processing the HTTP headers. It saves CPU cycles and protects against application-layer exploits.
Configuration: Nginx with Client Certificates
First, create your internal CA (do not use a public CA like Let's Encrypt for client auth—you want to control the issuance):
# Generate CA Key and Certificate
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crtNext, configure Nginx to require a valid client certificate signed by your CA. This configuration snippet is standard for Nginx 1.18+ (common on Ubuntu 20.04 LTS).
server {
listen 443 ssl http2;
server_name internal.coolvds-node.no;
# Server Identity (Let's Encrypt or similar)
ssl_certificate /etc/letsencrypt/live/internal/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/internal/privkey.pem;
# Client Identity Verification (mTLS)
ssl_client_certificate /etc/nginx/client_certs/ca.crt;
ssl_verify_client on;
location / {
# Pass the common name to the backend for audit logs
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_pass http://localhost:8080;
}
}Pro Tip: On CoolVDS NVMe instances, the SSL handshake overhead is negligible due to the high clock speed of our processors. However, ensure you are using TLS 1.3 to minimize latency, which provides a faster handshake than 1.2.
3. Authenticating the Human: SSH Certificates
Most DevOps teams manage SSH access by scattering public keys (`id_rsa.pub`) across `~/.ssh/authorized_keys` files on hundreds of servers. This is a nightmare. Key rotation is impossible, and offboarding an employee involves scrubbing every server they ever touched.
Zero Trust demands short-lived, verifiable credentials. Switch to SSH Certificate Authorities. You sign a user's public key with a validity period (e.g., 8 hours). When the certificate expires, access is revoked automatically. No server cleanup required.
Signing an SSH Key
On your secure CA server (an isolated CoolVDS instance with strict firewalls):
# Sign the user's public key
ssh-keygen -s /path/to/ca_user_key \
-I key_id_jdoe \
-n jdoe,root \
-V +8h \
-z 1 \
/home/jdoe/.ssh/id_rsa.pubThen, configure your target servers to trust the CA by adding this to /etc/ssh/sshd_config:
TrustedUserCAKeys /etc/ssh/user_ca.pub
4. The Network Layer: WireGuard Mesh
For communication between nodes (e.g., a database in Oslo and an app server in a secondary location), IPSec is bloated and difficult to configure. OpenVPN is slow.
In 2022, WireGuard is the standard for encrypted overlays. It is in the Linux kernel (5.6+), meaning it offers high throughput with lower CPU usage than user-space VPNs. It follows Zero Trust principles: it is stealthy. It does not respond to unauthenticated packets.
| Feature | OpenVPN | WireGuard |
|---|---|---|
| Codebase Size | 100,000+ lines | ~4,000 lines (Auditable) |
| Handshake | Slow (TLS) | Instant (Noise Protocol) |
| Performance | Context switching heavy | Kernel space (Near line speed) |
A typical WireGuard config for a database node in a Zero Trust mesh looks like this:
[Interface]
Address = 10.100.0.2/24
PrivateKey =
ListenPort = 51820
# Firewall: Default Drop
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ufw route delete allow in on wg0 out on eth0
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Application Server Peer
PublicKey =
AllowedIPs = 10.100.0.3/32 5. Infrastructure Matters: The CoolVDS Advantage
Software-defined Zero Trust is useless if your underlying hypervisor is insecure. Many budget providers use container-based virtualization (like OpenVZ or LXC) where the kernel is shared. If an attacker escapes a container on a neighbor's instance, your Zero Trust policies are bypassed because they own the kernel enforcing them.
At CoolVDS, we use KVM (Kernel-based Virtual Machine) exclusively. Each instance has its own isolated kernel and dedicated hardware resources. This provides the hard security boundary required for a true Zero-Trust architecture. Furthermore, our infrastructure is physically located in Norway.
For Norwegian businesses, this is critical. Data residency is not just about where the bits are stored; it's about the legal jurisdiction of the hardware. By hosting on CoolVDS, you ensure that your encrypted tunnels and mTLS handshakes are occurring on hardware subject to EEA law, not the US CLOUD Act.
Conclusion
Zero Trust is not a product you buy; it is a mindset of eliminating implicit trust. By implementing mTLS for services, SSH certificates for humans, and WireGuard for the network mesh, you drastically reduce your blast radius if a breach occurs.
Security introduces overhead. Encryption requires CPU cycles. Handshakes require low latency. Don't run your secure architecture on oversold hardware.
Secure your stack today. Deploy a KVM-isolated, NVMe-powered instance on CoolVDS and build a perimeter that actually works.