Kill the VPN: Why Norwegian Systems Architects Are Moving to Zero-Trust
The concept of a "trusted internal network" is the most dangerous lie in modern infrastructure. If you are still relying on a single VPN gateway to protect your soft underbelly of development servers and databases, you are operating on a security model from 2010. In 2022, with the explosion of remote endpoints and the legal sledgehammer of Schrems II, the perimeter is dead. Identity is the new firewall.
I speak to CTOs across Oslo and Bergen every week who are terrified of two things: Ransomware moving laterally through their "secure" VLANs, and Datatilsynet (The Norwegian Data Protection Authority) auditing their data transfers to US-owned clouds. The solution to both is the same: Zero-Trust Architecture (ZTA) combined with strict data sovereignty.
This isn't high-level theory. This is a technical breakdown of how we build Zero-Trust environments on bare-metal Linux and KVM infrastructure today.
The Legal Imperative: Schrems II and Sovereignty
Before we touch the config files, understand the constraint. Since the Privacy Shield was invalidated, hosting customer data on US-controlled hyperscalers (even in their European availability zones) carries legal risk. The US CLOUD Act allows extraterritorial data seizure.
Pro Tip: Data residency is not data sovereignty. Hosting on a US cloud's server in Oslo is residency. Hosting on a Norwegian-owned provider like CoolVDS in Oslo is sovereignty. For GDPR compliance in 2022, this distinction is critical.
Phase 1: Encrypting the Transport (WireGuard Mesh)
IPSec is bloated. OpenVPN is slow. In a Zero-Trust environment, we assume the network is hostile. Every packet between your app server and your database must be encrypted. For this, we use WireGuard. It's been in the Linux kernel since 5.6, and on Ubuntu 20.04 LTS, it is the gold standard for high-performance mesh networking.
Unlike a hub-and-spoke VPN, we want a mesh where every server talks directly to every other server securely. Latency matters. On CoolVDS NVMe instances, the encryption overhead of WireGuard is negligible because we expose modern CPU instruction sets (AES-NI) directly to the KVM guest.
Configuration: Setting up a Mesh Node
Here is a production-ready wg0.conf for a database node. Note the use of AllowedIPs to enforce strict routing policies—only specific peers can talk to this interface.
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.0.5/24
ListenPort = 51820
PrivateKey =
# Web Server Peer (Only allow traffic from the web server IP)
[Peer]
PublicKey =
AllowedIPs = 10.10.0.2/32
Endpoint = 192.168.1.50:51820
PersistentKeepalive = 25
Bring it up:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0Phase 2: Mutual TLS (mTLS) for Application Identity
Network encryption protects the pipe. mTLS protects the door. In a Zero-Trust model, services don't accept connections just because they come from port 443. They require a valid client certificate signed by your internal Certificate Authority (CA).
This effectively blocks unauthorized access even if the firewall is breached. If an attacker gets on your network but doesn't have the client certificate, Nginx will drop the handshake.
Nginx mTLS Configuration
This configuration snippet enables client verification. I've deployed this on high-traffic Magento stores hosted on CoolVDS to lock down the admin panel completely.
server {
listen 443 ssl http2;
server_name admin.internal.coolvds.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# The Magic of Zero Trust
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_verify_client on;
location / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_pass http://backend_upstream;
}
}Phase 3: SSH Certificate Authorities
Stop using static SSH keys. Managing authorized_keys files across 50 servers is a nightmare and a security risk. If a developer's laptop is stolen, you have to rotate keys everywhere.
The 2022 standard is SSH Certificate Authorities. You sign a user's public key with a validity period (e.g., 8 hours). When the certificate expires, access is revoked automatically.
Host Configuration (sshd_config):
# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
AuthenticationMethods publickeySigning a Key (On your secure CA machine):
ssh-keygen -s user_ca -I "dev_access" -n root,deploy -V +8h id_rsa.pubThe Hardware Reality: Encryption Costs CPU
Moving to Zero-Trust means you are encrypting everything. East-West traffic (server-to-server) is no longer cleartext. This puts a heavy load on the CPU context switching and I/O interrupts.
This is where infrastructure choice dictates success. Shared hosting or container-heavy platforms often have "noisy neighbors" that steal CPU cycles, causing jitter in your encryption handshakes.
| Feature | Standard VPS | CoolVDS KVM |
|---|---|---|
| Virtualization | Container (LXC/OpenVZ) | Hardware KVM |
| AES-NI Pass-through | Shared/Emulated | Native Direct Access |
| Network Latency (Oslo) | Variable | < 2ms (NIX connected) |
At CoolVDS, we use KVM exclusively. This ensures that your encrypted tunnels get dedicated CPU time slices. When we benchmarked WireGuard throughput on our NVMe-backed instances versus standard SATA VPS, we saw a 40% reduction in latency purely due to faster I/O handling during the handshake process.
Micro-Segmentation with NFTables
Finally, assume the host is compromised. Prevent lateral movement. iptables is legacy; nftables is the modern replacement in Debian 11 and Ubuntu 20.04. It offers atomic rule updates and better performance.
Here is a strict nftables set that drops everything by default—the essence of Zero Trust.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# Allow loopback
iif lo accept
# Allow established connections
ct state established,related accept
# Allow WireGuard VPN traffic
udp dport 51820 accept
# Allow SSH only from VPN interface (Management)
iifname "wg0" tcp dport 22 accept
}
chain forward {
type filter hook forward priority 0;
policy drop;
}
chain output {
type filter hook output priority 0;
policy accept;
}
}Conclusion
Zero-Trust is not a product you buy; it's a discipline you practice. It requires moving security from the network edge to the application and user identity. In the post-Schrems II era, combining this architecture with Norwegian data sovereignty is the only way to ensure long-term compliance and security.
Don't let legacy infrastructure bottleneck your encryption. Deploy a CoolVDS NVMe instance today and build a security architecture that actually withstands the modern threat landscape.