Hey guys,
I finally come around and started the journey of self-hosting and decided to get a VPS. After securing it, by making login via public-key default, I installed CasaOS and instantly regretted it since it now can be reached freely from the internet. A while ago, I read that you can limit the incoming connection to only VPN and ssh. And configured a Wireguard-VPN on the server via pivpn. But the server can still be reached from the internet. So what do I have to do now? Is it even the right choice, or am I missing something? How do you guys secure your VPS?
My preferred option is to have the VPS inside a VPC that blocks all external traffic by default. Then I can open up specific ports for specific IP ranges.
The reason I prefer this over a firewall configuration on the VPS itself is that the latter seems far more error-prone to me. For example, I've had problems in the past with ufw and Docker where container ports were still reachable even though access was denied via ufw.