Super cheap VPS that's reasonably safe

I'm looking for a cheap (good if I can get it to the $7-10/yr mark) VPS which is in a non-US/EU location.

Minimal specs: IPv4 (NAT OK), 512MB RAM, 5GB storage, no particular CPU or network requirements. Prefer KVM, and must be stable - nothing that is offline for days at a time. Can't pay crypto.

I'll use it for a "key server". I've got encrypted LUKS keys which get retrieved at boot. So it runs a web server/SQLite which gets about 3 hits per week. Most of the drives being unlocked are in the US/EU so I like to keep the key server somewhere else.

I've got an $8/yr VPS doing the job at the moment, but have run into a very strange problem where a particular IP range can't reach it.

@treesmokah

Comments

  • edited May 28

    I don't really know "super exotic" providers that are cheap.

    For about $6 a month you get a small VPS plan in a local datacenter in Mauritius (some island in the Indian Ocean, close to South Africa). https://cloud.mu/linux-virtual-servers/

    Even more expensive, but you get access to locations such as Abkhazia (a "pseudo" country in Georgia), Lebanon or Iran.
    https://exservers.net/, around $30 a month. Operated by the "notorious" Batterflyai Media ltd.

    Alternatively something in Russia, an hour or two by car from North Korea: the legendary Media Land LLC.
    https://ml.cloud/en/vds starting at $5.

    I'm out of ideas at this price point.
    A friend is cooking something up in Georgia, so he may be able to provide something "cheap" there, but no promises.

    If you want to keep the "key server" hidden, just route this bitch over Tor and host wherever you want. You could include the Tor binary in whatever pre-boot software you have. I2P works great in such deployments as well, but takes some time to bootstrap.

    It all depends on your threat model, who your "opponent" is. Nobody will want to fuck with feds for such money, even US/EU ones.

    Thanked by (1)tetech
  • freevps in Tokyo for $5 one time payment maybe

  • skorous OG Senpai

    WebHorizon sells NATs in Chile. Maybe that would work?

  • @treesmokah said: If you want to keep the "key server" hidden, just route this bitch over Tor and host wherever you want. You could include Tor binary in whatever pre-boot software you have. I2P works great in such deployments as well, but takes some time to bootstrap.

    Putting it behind something like that is not a bad idea! Thanks for sharing that thought.

    Thanks everyone for the other suggestions too.

  • edited May 28

    @skorous said:
    WebHorizon sells NATs in Chile. Maybe that would work?

    Where do you see this?

  • skorous OG Senpai

    @davide said:

    @skorous said:
    WebHorizon sells NATs in Chile. Maybe that would work?

    Where do you see this?

    Sorry, their sister company. Can never remember which one: natvps.net? Think that's it.

    Thanked by (1)davide
  • edited May 29

    @tetech said:
    I've got an $8/yr VPS doing the job at the moment, but have run into a very strange problem where a particular IP range can't reach it.

    Which provider are you currently using at $8/yr?

    Thanked by (1)nikhm2n
  • jqr OG
    edited May 29

    @tetech said:
    I'll use it for a "key server". I've got encrypted LUKS keys which get retrieved at boot. So it runs a web server/SQLite which gets about 3 hits per week. Most of the drives being unlocked are in the US/EU so I like to keep the key server somewhere else.

    As a fellow encryption-at-rest enthusiast, can you expand on this topic? I've been adding dropbear to initrd and SSH in to provide the passphrase, but your solution sounds so much cooler.

    edit: Is this what you use? https://github.com/johndoe31415/luksrku Incidentally, I also found this interesting project: https://github.com/grazzolini/chkboot

    It's pronounced hacker.

  • AK_KWH Hosting Provider OG
    edited May 29

    We have almost 13 locations in NAT, please let me know which one you need.
    OpenVZ nodes:
    Taiwan (1 Gbps)
    Hong Kong (10 Gbps)
    Japan (10 Gbps)
    Singapore (10 Gbps)
    Netherlands (1 Gbps)
    Germany (2 Gbps)
    Sweden (10 Gbps)
    Pakistan (1 Gbps)
    KVM nodes:
    Turkey (1 Gbps)
    India (1 Gbps)
    USA (10 Gbps)
    Canada (100 Mbps up / 1 Gbps down)
    UK (1 Gbps)

    Thanked by (2)tetech ehab

    KhanWebHost Cheap Shared Hosting | Cheap KVM VPS (DE,UK,US,FR) | KVM Sale - LES Offers

  • skorous OG Senpai

    @jqr said:

    @tetech said:
    I'll use it for a "key server". I've got encrypted LUKS keys which get retrieved at boot. So it runs a web server/SQLite which gets about 3 hits per week. Most of the drives being unlocked are in the US/EU so I like to keep the key server somewhere else.

    As a fellow encryption-at-rest enthusiast, can you expand on this topic? I've been adding dropbear to initrd and SSH in to provide the passphrase, but your solution sounds so much cooler.

    edit: Is this what you use? https://github.com/johndoe31415/luksrku Incidentally, I also found this interesting project: https://github.com/grazzolini/chkboot

    I'm not sure what he's using but clevis/tang is one of the more popular ones. Most distros have support.

    Thanked by (1)jqr
  • @jqr said: As a fellow encryption-at-rest enthusiast, can you expand on this topic? I've been adding dropbear to initrd and SSH in to provide the passphrase, but your solution sounds so much cooler.

    Mine is nothing that complicated. What I do is install Alpine (sometimes but rarely RHEL) on a small (1-2GB) partition and use it as a "thin" hypervisor. Everything runs in LXC containers (could use Docker instead, I suppose). So in /etc/fstab,

    /dev/mapper/crypt-root /var/lib/lxc btrfs defaults,noatime,compress=lzo,noauto 0 0
    

    And then a script (openrc for alpine, systemd otherwise) for unlocking/mounting the partition at boot time. That script reads a uuid from a config file and contacts a web server for the LUKS key. This works fine for a low-spec KVM, down to 256MB and 5GB disk. It's about 70 lines but the essence is:

    # ask the key server for this node's LUKS passphrase; uuid and pt come from the config file
    key=$( curl -fs -H "X-LXD-Id: ${uuid}" -H "X-LXD-Ping: ${pt}" "${url}/key" 2>/dev/null )
    [ -n "${key}" ] || exit 1   # no key from the server: leave the partition locked
    echo "${key}" | cryptsetup open "${bdev}" "crypt-root${n}"
    mount "/dev/mapper/crypt-root${n}"
    

    From the encryption perspective, this is not intended to stop someone serious about getting your stuff who can image RAM or whatever. The main scenarios are (a) if a provider goes bust and their unwiped disks end up somewhere like eBay, or (b) if a provider's entire server gets seized due to a neighbor and your stuff is on the same disk [this happened to me with a Hetzner reseller] and you're uncomfortable with people poking through your stuff for no reason. With this approach, basically all they get is a vanilla Alpine partition.

    The main function of the backend server is to return the LUKS key, i.e. disabling the VPS is done by deleting the key. Beyond that, it also does some "integrity checking" to see if the VPS has been moved, it handles provisioning of new VPSes, and you can flag a partition to be re-keyed on the next boot. The hypervisor monitors network connectivity and if it is lost forces a reboot to refresh the key.

    Encryption aside, I find this is pretty good for HA. Containers are imaged and full/incremental backups sent to a MinIO cluster.
    There's an internal network (tinc) inside each container so the container can be restored to pretty much any VPS anywhere if a provider goes down. I route public stuff through a few "entry points" which tend to be my more reliable VPSes and they fan it out to redundant backends on the internal network using HAProxy.

    End result might look something like this on a node:

    node035:~# df -k
    Filesystem             1K-blocks    Used Available Use% Mounted on
    devtmpfs                   10240       0     10240   0% /dev
    shm                       499668       0    499668   0% /dev/shm
    /dev/vda1                2505544  945004   1416040  41% /
    tmpfs                     199868     216    199652   1% /run
    cgroup_root                10240       0     10240   0% /sys/fs/cgroup
    /dev/mapper/crypt-root   6275072 3070452   2800844  53% /var/lib/lxc
    node035:~# lxc-ls -f
    NAME       STATE   AUTOSTART GROUPS IPV4                   IPV6 UNPRIVILEGED
    db1        RUNNING 1         -      10.0.3.9, 172.16.0.16  -    true
    http1      RUNNING 1         -      10.0.3.20, 172.16.0.35 -    true
    node035:~# lxc-attach -n http1
    [root@http1 ~]# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.0.3.20  netmask 255.255.255.0  broadcast 10.0.3.255
            ether 00:16:3e:85:68:02  txqueuelen 1000  (Ethernet)
            RX packets 259490  bytes 589979591 (562.6 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 505982  bytes 68146826 (64.9 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.16.0.35  netmask 255.255.255.0  broadcast 172.16.0.255
            ether 00:16:3e:10:12:0a  txqueuelen 1000  (Ethernet)
            RX packets 83303351  bytes 6102267867 (5.6 GiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 67648280  bytes 8929022562 (8.3 GiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 312828  bytes 62308314 (59.4 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 312828  bytes 62308314 (59.4 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@http1 ~]#
    

    Not super complex but keeps the stress manageable. When Carrier-1 in Dallas lost power a few days ago, I had about 5-6 VPSes go offline, but DNS updated automatically and everything failed over OK & kept ticking along, apart from a bazillion monitoring notifications.

    Long reply, but you did ask!

    @AK_KWH said: We have almost 13 location in NAT please let me know which one you need

    Thanks, what is the pricing on these?

    I'm thinking through treesmokah's idea of putting Tor in the middle and how that might work.
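    The backend tetech describes (return the key, disable by deleting it, check whether the VPS has moved, flag a re-key) sketched as a small Python handler over SQLite. This is an added example, not tetech's code: the table layout, using the request's source address as the "moved" check, and the new_key field for re-keying are assumptions.

```python
import os
import sqlite3

def open_db():
    """In-memory SQLite store (constructed for the example; a file on a real server)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vps (uuid TEXT PRIMARY KEY, key TEXT NOT NULL,"
               " bound_ip TEXT, rekey INTEGER NOT NULL DEFAULT 0)")
    return db

def provision(db, uuid):
    """Register a new VPS and hand back the passphrase it will luksFormat with."""
    key = os.urandom(32).hex()
    db.execute("INSERT INTO vps (uuid, key) VALUES (?, ?)", (uuid, key))
    return key

def revoke(db, uuid):
    """Disabling a VPS is deleting its key: the next boot simply cannot unlock."""
    db.execute("DELETE FROM vps WHERE uuid = ?", (uuid,))

def flag_rekey(db, uuid):
    """Mark the partition to be re-keyed on its next boot."""
    db.execute("UPDATE vps SET rekey = 1 WHERE uuid = ?", (uuid,))

def handle_key_request(db, headers, remote_ip):
    """Serve GET /key for the boot script's curl: returns (status, body)."""
    uuid = headers.get("X-LXD-Id")
    if not uuid or "X-LXD-Ping" not in headers:
        return 400, {}
    row = db.execute("SELECT key, bound_ip, rekey FROM vps WHERE uuid = ?",
                     (uuid,)).fetchone()
    if row is None:
        return 404, {}             # unknown or revoked: the disk stays locked
    key, bound_ip, rekey = row
    if bound_ip is None:           # first boot binds the uuid to its source address
        db.execute("UPDATE vps SET bound_ip = ? WHERE uuid = ?", (remote_ip, uuid))
    elif bound_ip != remote_ip:    # "moved VPS" check (assumed: address binding)
        return 403, {}
    body = {"key": key}
    if rekey:
        # The client opens with key, then runs cryptsetup luksChangeKey to new_key.
        # A real deployment would keep the old key until the client confirms.
        body["new_key"] = os.urandom(32).hex()
        db.execute("UPDATE vps SET key = ?, rekey = 0 WHERE uuid = ?",
                   (body["new_key"], uuid))
    return 200, body
```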

  • AK_KWH Hosting Provider OG
  • jqr OG

    @skorous said:
    I'm not sure what he's using but clevis/tang is one of the more popular ones. Most distros have support.

    Interesting. Both are available in NixOS. I'll check them out. Thanks!

    @tetech said:
    From the encryption perspective, this is not intended to stop someone serious about getting your stuff who can image RAM or whatever. The main scenarios are (a) if a provider goes bust and their unwiped disks end up somewhere like eBay, or (b) if a provider's entire server gets seized due to a neighbor and your stuff is on the same disk [this happened to me with a Hetzner reseller] and you're uncomfortable with people poking through your stuff for no reason. With this approach, basically all they get is a vanilla Alpine partition.

    Woah. Thank you so much for the detailed write-up! This, by the way, is my exact use case. When NexusBites (pun intended) went belly-up, I kicked myself for not taking the time to encrypt my data there.

    It's pronounced hacker.

  • Not_Oles Hosting Provider Content Writer

    @tetech said:

    Not super complex

    :)

    @jqr said:

    not taking the time to encrypt my data

    Recently I have been encrypting more, and also more often. Mostly I have still been using ccrypt, which I guess is better than Rot13. Maybe the time is coming has arrived for me to switch to a more complex, more automagic method.

    Thanks for the explanations and discussion in this thread! <3

    I hope everyone gets the servers they want!

  • jqr OG

    @Not_Oles said:
    Maybe the time is coming has arrived for me to switch to a more complex, more automagic method.

    I've also had good luck with ecryptfs, to automagically encrypt $HOME in Debian: https://wiki.debian.org/TransparentEncryptionForHomeFolder

    Rot13

    I used to have this as my email signature for a long time, and more than one person claimed to be able to translate it in their head. 😁

    "Vs lbh pna ernq guvf, lbh arrq gb trg ynvq."

    For the lazy among us:

    "If you can read this, you need to get laid."

    Thanked by (2)Not_Oles AlwaysSkint

    It's pronounced hacker.

  • skorous OG Senpai

    @jqr said:

    @skorous said:
    I'm not sure what he's using but clevis/tang is one of the more popular ones. Most distros have support.

    Interesting. Both are available in NixOS. I'll check them out. Thanks!

    If I can help out lemme know. I do this on most of my boxes and have already blundered my way through figuring out the quirks.

    Thanked by (1)jqr
  • jqr OG

    @skorous said:
    If I can help out lemme know. I do this on most of my boxes and have already blundered my way through figuring out the quirks.

    Thanks so much for the offer. I'll try to carve some time to try it this weekend.

    It's pronounced hacker.

  • @tetech said:

    @treesmokah said: If you want to keep the "key server" hidden, just route this bitch over Tor and host wherever you want. You could include Tor binary in whatever pre-boot software you have. I2P works great in such deployments as well, but takes some time to bootstrap.

    Putting it behind something like that is not a bad idea! Thanks for sharing that thought.

    I ended up doing something like this. Key server running a .onion. One disadvantage with this is that Tor hides a lot of the "anti-tampering" stuff, e.g. it becomes harder for the key server to detect if the VPS has been moved to a "sandbox".

    What I've done is basically a "bastion" where the client "knocks" and asks for a token, then opens a (random) port and the key server connects to it (routed over Tor so key server isn't exposed) and provides the token which is passed back in subsequent requests.

    Seems to work, but needs more testing to see how robust it is.

    Thanked by (1)treesmokah
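    The knock-and-callback handshake described above, as an added example rather than tetech's implementation: the Tor connection back to the client is stood in for by a plain callback, and the token lifetime, its single use, and delivering it to the address on record for the uuid (so a copy of the VPS running elsewhere never receives it) are assumptions about how such a bastion would be built.

```python
import hmac, os, time

TOKEN_TTL = 60  # seconds a knock token stays valid (assumed value)

class KeyServer:
    """Key-server side of the knock handshake (added illustration, not tetech's code)."""
    def __init__(self, connect_back, now=time.time):
        self.vps = {}        # uuid -> {"addr": public address on record, "key": passphrase}
        self.pending = {}    # uuid -> (token, expiry)
        self.connect_back = connect_back   # dials addr:port (over Tor in the real setup)
        self.now = now

    def register(self, uuid, addr, key):
        self.vps[uuid] = {"addr": addr, "key": key}
    def knock(self, uuid, port):
        """Step 1: the client knocks and names the random port it just opened."""
        if uuid not in self.vps:
            return False
        token = os.urandom(16).hex()
        self.pending[uuid] = (token, self.now() + TOKEN_TTL)
        # Step 2: the token goes to the address on record, never to the knock's
        # source, so a copy of the VPS running elsewhere never receives it.
        return self.connect_back(self.vps[uuid]["addr"], port, token)
    def get_key(self, uuid, token):
        """Step 3: the token comes back on the /key request; single use, then gone."""
        expected, expiry = self.pending.pop(uuid, (None, 0))
        if expected is None or self.now() > expiry or not hmac.compare_digest(expected, token):
            return None
        return self.vps[uuid]["key"]

class Client:
    """The booting VPS: opens a listener, knocks, waits for the token to arrive."""
    def __init__(self, uuid, addr):
        self.uuid, self.addr, self.port, self.token = uuid, addr, None, None
    def open_listener(self):
        self.port = 0x8000 | int.from_bytes(os.urandom(2), "big")  # random high port
        return self.port
    def deliver(self, port, token):
        """What the listener records when the key server connects in."""
        if port != self.port:
            return False
        self.token, self.port = token, None   # accept once, then close the listener
        return True

def boot_unlock(server, client):
    port = client.open_listener()
    if not server.knock(client.uuid, port) or client.token is None:
        return None
    return server.get_key(client.uuid, client.token)
```

    In the real deployment connect_back is the Tor-routed dial-out, so the key server's own location stays hidden while the callback still has to land on the VPS that knocked.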
  • edited June 7

    HostVDS, the cheapest VPS I know, and it is relatively stable. https://btc-vps.com/bitcoin-vps/hostvds (AFFILIATE LINK WARNING mod edit)

    Cloud VDS: 1 vCPU, 1 GB RAM, 10 GB NVMe Storage, 500GB Traffic ($1 per extra 1TB), 50 Mbps Bandwidth, 0.5TB Traffic, 1 IPv4 ($0.59/mo for an extra IPv4), Linux OS, as low as $0.99/month (or $0.00133/h).

    Location: America (US), Amsterdam (NL), Dallas (US), Finland (FI), France (FR), Moscow (RU), Netherlands (NL), Paris (FR), Russia (RU)

  • @boby said:
    HostVDS, the cheapest VPS I know, and it is relatively stable.

    @AK_KWH posted something less than half the price in this same thread, and if you're going to suggest a provider please give the link to their site, not to some aff generator, or make it clear to everyone what you're doing. That's not good form. Thanks.
