So, this is pretty much by the book, but just in case it's helpful...
- I created a new VPS (1GB RAM, 1 CPU). (It is technically stronger than a potato.)
- Once up, I did the usual:
  - apt-get update; apt-get upgrade
  - apt install needrestart
  - apt install unattended-upgrades
  - apt full-upgrade (kernel was kept back)
  - Ensure we're using keys for SSH auth
  - Set up firewall (see below)
  - Reboot
- Set up veilid-server using these instructions, being careful to ensure I've got the right CPU arch (uname -a to check).
- After setup, systemctl enable veilid-server && systemctl start veilid-server
- Check all is well with journalctl -feu veilid-server (you could also try iftop, if you want to see the server connecting to stuff in real time).
Now, for my firewall, I'm using nftables. So, I edited nftables.conf. This is an excerpt showing the changes I made for veilid-server. (N.B. I'm just assuming I need to open these. My policy allows outbound traffic already.)
```
#!/usr/sbin/nft -f
flush ruleset

[some unrelated netdev and mangle stuff here]

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related counter accept
        iifname "lo" counter accept
        iifname != "lo" ip daddr 127.0.0.0/8 counter reject
        tcp flags & (fin | syn | rst | ack) == syn ct state new counter jump TCP
        ip protocol udp ct state new counter jump UDP
        ip protocol icmp ct state new counter jump ICMP_IN
        limit rate 50/minute counter log prefix "nftables denied: " level debug
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }

    [some ICMP stuff]

    chain TCP {
        tcp dport { 5150 } counter accept comment "Veilid"
        ip protocol tcp counter log prefix "TCP denied: " level debug
        ip protocol tcp counter reject with tcp reset
    }

    chain UDP {
        udp dport 5150 counter accept comment "Veilid"
        ip protocol udp counter log prefix "UDP denied: " level debug
        ip protocol udp counter reject
    }
}
```
And that's pretty much all I did.
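As an added example (not part of the post above, and not Veilid project code), here is a small Python audit script that reads an nftables config like the excerpt and checks the properties the post relies on: a default-drop INPUT policy, established/related traffic accepted, loopback accepted and spoofed-loopback destinations rejected, and TCP and UDP port 5150 accepted from INPUT, either directly or via a chain INPUT jumps to. The parser is deliberately minimal (flat chains only, one rule per line) and treats the post's `[...]` placeholders as non-rules; the port number, chain names and rule text are taken from the excerpt, and the sample ruleset embedded below is that excerpt reproduced as constructed input.

```python
import re

# The nftables excerpt from the post, embedded as sample input (constructed copy).
# The "[...]" placeholders are not nft syntax; the parser skips them.
SAMPLE_RULESET = """#!/usr/sbin/nft -f
flush ruleset
[some unrelated netdev and mangle stuff here]
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related counter accept
        iifname "lo" counter accept
        iifname != "lo" ip daddr 127.0.0.0/8 counter reject
        tcp flags & (fin | syn | rst | ack) == syn ct state new counter jump TCP
        ip protocol udp ct state new counter jump UDP
        ip protocol icmp ct state new counter jump ICMP_IN
        limit rate 50/minute counter log prefix "nftables denied: " level debug
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
    [some ICMP stuff]
    chain TCP {
        tcp dport { 5150 } counter accept comment "Veilid"
        ip protocol tcp counter log prefix "TCP denied: " level debug
        ip protocol tcp counter reject with tcp reset
    }
    chain UDP {
        udp dport 5150 counter accept comment "Veilid"
        ip protocol udp counter log prefix "UDP denied: " level debug
        ip protocol udp counter reject
    }
}
"""

CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{')
POLICY_RE = re.compile(r'policy\s+(\w+)\s*;')


def parse_chains(text):
    """Return {chain_name: {"policy": str or None, "rules": [rule, ...]}}.

    Only flat chains with one rule per line are handled; this is not a
    full nft parser, just enough for an audit of a config like the one above.
    """
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', '[')):
            continue  # shebang/comment or a "[...]" placeholder from the post
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {'policy': None, 'rules': []}
            continue
        if line == '}':
            current = None  # closes a chain (or the table, once outside a chain)
            continue
        if current is None:
            continue  # "table ..." / "flush ruleset" lines are not rules
        if line.startswith('type '):
            pm = POLICY_RE.search(line)
            chains[current]['policy'] = pm.group(1) if pm else None
            continue
        chains[current]['rules'].append(line)
    return chains


def port_accepted(chains, proto, port):
    """True if INPUT, or a chain INPUT jumps to, accepts proto dport == port.

    Matches both "udp dport 5150 ... accept" and "tcp dport { 5150 } ... accept".
    """
    inp = chains.get('INPUT')
    if inp is None:
        return False
    reachable = ['INPUT'] + [
        m.group(1) for r in inp['rules']
        for m in [re.search(r'\bjump\s+(\S+)', r)] if m
    ]
    pat = re.compile(
        rf'^{proto}\s+dport\s+(?:{port}|\{{[^}}]*\b{port}\b[^}}]*\}})\s.*\baccept\b')
    return any(pat.search(r)
               for c in reachable
               for r in chains.get(c, {}).get('rules', []))


def audit(text, port=5150):
    """Return a list of findings; an empty list means every check passed."""
    chains = parse_chains(text)
    inp = chains.get('INPUT')
    if inp is None:
        return ['no INPUT chain found']
    findings = []
    if inp['policy'] != 'drop':
        findings.append(f"INPUT policy is {inp['policy']}, expected drop")
    if not any(r.startswith('ct state established,related') and r.endswith('accept')
               for r in inp['rules']):
        findings.append('INPUT does not accept established/related traffic')
    if not any(r.startswith('iifname "lo"') and r.endswith('accept') for r in inp['rules']):
        findings.append('loopback traffic is not accepted')
    if not any('ip daddr 127.0.0.0/8' in r and 'reject' in r for r in inp['rules']):
        findings.append('spoofed loopback destinations are not rejected')
    for proto in ('tcp', 'udp'):
        if not port_accepted(chains, proto, port):
            findings.append(f'{proto}/{port} (Veilid) is not accepted from INPUT')
    return findings


if __name__ == '__main__':
    # Usage: python audit_nft.py  (or point it at a real file: open('/etc/nftables.conf').read())
    for finding in audit(SAMPLE_RULESET) or ['ruleset passes all checks']:
        print(finding)
```

Run it against the sample and it reports no findings; drop the UDP accept line or change the INPUT policy to accept and the corresponding finding appears. It is a config-text check only; after loading the file with nft you would still want to confirm the live state with `nft list ruleset` and that veilid-server is actually bound to 5150 (e.g. `ss -lntup`).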