The Perimeter is Dead (And Data Sovereignty Just Got Real)
Two weeks ago, the CJEU dropped a nuclear bomb on the hosting industry with the Schrems II judgment. The Privacy Shield is invalid. If you are blindly piping customer data to US-owned hyperscalers, you aren't just risking latency; you are risking legal non-compliance within the EU. But legalities aside, the technical reality of 2020 is that the "castle and moat" security strategy—where we trust everything inside the LAN—is obsolete.
I've cleaned up enough compromised clusters to know exactly how it happens. An attacker compromises a dev environment or a forgotten Jenkins instance, and because the internal network is wide open, they pivot laterally to the production database. Game over. The solution isn't a bigger firewall; it's Zero Trust.
Zero Trust dictates a simple, paranoid maxim: Never trust, always verify. Every packet, every user, every server is hostile until proven otherwise. In this guide, we are going to build a Zero-Trust implementation using the newly mainlined WireGuard protocol (kernel 5.6+) and strict host-level micro-segmentation on CoolVDS instances running Ubuntu 20.04 LTS.
Phase 1: Encrypting the Transport Layer with WireGuard
Legacy VPNs like OpenVPN are bloated userspace monstrosities that eat CPU cycles. For a high-performance environment, we need WireGuard. It lives in the kernel, itβs stateless, and on modern KVM infrastructure like CoolVDS, the handshake is instantaneous.
We will create a mesh where servers communicate only over the WireGuard interface. Public IPs are for ingress traffic (web) only; database replication and admin traffic happen inside the encrypted tunnel.
First, install WireGuard on your Ubuntu 20.04 node:
sudo apt update && sudo apt install wireguardGenerate your keys. Do not do this as root without setting permissions first.
umask 077
wg genkey | tee privatekey | wg pubkey > publickeyHere is a production-ready /etc/wireguard/wg0.conf. Notice strictly defined AllowedIPs. We are not routing all traffic, only traffic destined for the internal mesh.
[Interface]
Address = 10.10.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostDown = ufw route delete allow in on wg0 out on eth0
ListenPort = 51820
PrivateKey =
[Peer]
# Database Node
PublicKey =
AllowedIPs = 10.10.0.2/32
Endpoint = 192.168.1.50:51820 Bring up the interface:
sudo wg-quick up wg0Now, verify the handshake. You should see a keepalive status. If you are seeing latency spikes here, check your underlying virtualization. Container-based VPS (OpenVZ/LXC) often struggle with kernel-level WireGuard modules. This is why we deploy strictly on KVM-based CoolVDS instances; the kernel isolation is mandatory for reliable crypto performance.
Phase 2: Identity-Based SSH Access
Passwords are forbidden. In a Zero-Trust model, identity is key. We move purely to Ed25519 keys, which are smaller and faster than legacy RSA.
Generate the key locally:
ssh-keygen -t ed25519 -a 100 -C