30/06/21 Notes
Creating a SOCKS5 SSH tunnel over two VPS instances, Fail2Ban and VyOS
Two Hop SSH Tunneling
Objective: Create a SOCKS5 SSH tunnel over two VPS instances and add some basic security such as fail2ban. Trust model to keep in mind: node 1 holds the private key used to reach node 2 and terminates the client's SSH session before opening the second one, so whoever controls node 1 can both log in to node 2 and read the SOCKS traffic in the clear; the private keys embedded in the boot scripts below are also only as secret as the provisioner that stores and runs them.
Boot script to create the FIRST VPS in the SOCKS5 SSH Tunnel:
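#!/bin/bash
# First-boot script for node 1 of the two-hop SOCKS5 tunnel: the VPS the
# client connects to, which in turn SSHes on to node 2 ("proxy").
#
# Steps: pin node 2 in /etc/hosts and known_hosts; create the unprivileged
# tunnel user "ghost" with the key it uses towards node 2 and the client's key
# in authorized_keys; install a fixed ECDSA host key; harden sshd (no root, no
# passwords, only "ghost"); enable firewalld + fail2ban; update; reboot.
# Runs as root; the provisioner drops it at /tmp/firstboot.exec.
#
# Security caveats:
#  * Every private key and password hash is embedded below. Whoever can read
#    this script (the provisioner, its logs, disk snapshots) owns those keys,
#    and shredding the file at the end is not reliable on journaled, CoW or
#    cloud block storage. Generating keys on the box and shipping only public
#    material is preferable whenever the provisioner allows it.
#  * The key/hash values in these notes are truncated placeholders; replace
#    them with fresh output of ssh-keygen / `openssl passwd -6`.
#  * Node 1 can log in to node 2 with the key below, so a compromise of node 1
#    is also a compromise of node 2.
set -euo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# New files start out 0600, so a secret never sits world-readable between the
# write and the chmod; public files get their mode set explicitly below.
umask 077

readonly TUNNEL_USER=ghost
readonly SSH_DIR="/home/${TUNNEL_USER}/.ssh"
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Remove the provisioning artefacts on every exit path (success or abort) so
# the embedded secrets do not linger in /tmp. A function, so bash has already
# parsed it by the time the script file underneath it is overwritten.
# (`history -c` from the original is gone: it is a no-op in a non-interactive
# script.)
cleanup() {
  local f
  for f in /tmp/firstboot.exec /tmp/firstboot.log; do
    if [[ -e "$f" ]]; then
      shred -uzn 3 -- "$f"
    fi
  done
}
trap cleanup EXIT

# set_sshd_option KEY VALUE - rewrite a top-level directive in place (whether
# active or commented out), or append it if the file has none. Anchored at ^
# so indented copies inside Match blocks and mentions in comments are left
# alone; the `sshd -T` check further down confirms the effective value.
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}([[:space:]]|$)" "$SSHD_CONFIG"; then
    sed -i -E "s/^#?(${key})([[:space:]].*)?$/\1 ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# --- Host file entry for node 2 -------------------------------------------
printf '%s\n' '10.10.10.10 proxy' >> /etc/hosts

# --- Tunnel user ----------------------------------------------------------
useradd "$TUNNEL_USER"
# The hash goes in via stdin rather than the command line so it is not exposed
# in ps/audit output. Placeholder value - generate your own.
printf '%s:%s\n' "$TUNNEL_USER" '$6$m6GqgmWQWbFFpf5G0' | chpasswd -e
install -d -m 0700 -o "$TUNNEL_USER" -g "$TUNNEL_USER" "$SSH_DIR"

# Pin node 2's ECDSA host key: the first hop must never accept an unknown key,
# otherwise anything between the two VPSs could present its own.
# The first field has to match the /etc/hosts entry above.
cat > "${SSH_DIR}/known_hosts" <<'EOF'
proxy,10.10.10.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyrHT4=
EOF
chmod 0644 "${SSH_DIR}/known_hosts"

# Key pair "ghost" uses to reach node 2 (its public half is in node 2's
# authorized_keys). Quoted heredoc delimiter: the material is written verbatim.
cat > "${SSH_DIR}/id_ed25519" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
52qM9MRDwaUzQTy/DP3GAAAADWdsZWJAcmV5cy5uZXQ=
-----END OPENSSH PRIVATE KEY-----
EOF
chmod 0600 "${SSH_DIR}/id_ed25519"

cat > "${SSH_DIR}/id_ed25519.pub" <<'EOF'
ssh-ed25519 AAAAC3NzP3G ghost@proxy
EOF
chmod 0644 "${SSH_DIR}/id_ed25519.pub"

# The client's public key, so it can SSH onto this box. NOTE: replace this with
# the contents of your own client's id_ed25519.pub.
cat > "${SSH_DIR}/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZ2OEniGm ghost@proxy
EOF
chmod 0600 "${SSH_DIR}/authorized_keys"

chown -R "${TUNNEL_USER}:${TUNNEL_USER}" "$SSH_DIR"

# --- Fixed ECDSA host key -------------------------------------------------
# Keeps the host identity stable across rebuilds. Downside: one leaked copy of
# this private key allows impersonating every instance built from this script,
# so rotate it (and the pinned entries elsewhere) if the script ever leaks.
cat > /etc/ssh/ssh_host_ecdsa_key.pub <<'EOF'
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoLpoK15oKoLxoSu7uEpuQ=
EOF
chown root:root /etc/ssh/ssh_host_ecdsa_key.pub
chmod 0644 /etc/ssh/ssh_host_ecdsa_key.pub

cat > /etc/ssh/ssh_host_ecdsa_key <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
QAAAAgNJowGzZrIAQk90zHRiBn381E3RfbTcElgYfmaVAyecIAAAAA
-----END OPENSSH PRIVATE KEY-----
EOF
chown root:ssh_keys /etc/ssh/ssh_host_ecdsa_key
chmod 0640 /etc/ssh/ssh_host_ecdsa_key

# --- SELinux --------------------------------------------------------------
# setenforce only changes the running kernel; /etc/selinux/config makes it
# stick across the reboot at the end. Best-effort: setenforce fails if SELinux
# is disabled in the kernel, which should not abort the rest of the hardening.
if [[ -f /etc/selinux/config ]]; then
  sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
fi
setenforce 1 || printf 'warning: setenforce 1 failed (SELinux disabled?)\n' >&2

# --- Root password --------------------------------------------------------
# Only usable on the console: PermitRootLogin is switched off below.
printf 'root:%s\n' '$6$m6GqgmWQWbFn$slSfPFpf5G0' | chpasswd -e

# --- sshd hardening -------------------------------------------------------
set_sshd_option PermitRootLogin no
set_sshd_option PubkeyAuthentication yes
set_sshd_option PermitEmptyPasswords no
set_sshd_option PasswordAuthentication no
# PasswordAuthentication alone does not stop password logins through PAM's
# keyboard-interactive path; disable that as well.
set_sshd_option ChallengeResponseAuthentication no
# Only the tunnel user may log in at all.
set_sshd_option AllowUsers "$TUNNEL_USER"

# Fail loudly, before any service is touched, if the config is broken or a
# setting did not take effect (e.g. AllowUsers landed inside a trailing Match
# block). `sshd -T` prints the effective top-level config in lower case; the
# challenge-response keyword is not checked because its name differs between
# OpenSSH versions.
sshd -t
effective=$(sshd -T)
for want in 'permitrootlogin no' 'passwordauthentication no' \
            'permitemptypasswords no' 'pubkeyauthentication yes' \
            "allowusers ${TUNNEL_USER}"; do
  if ! grep -qx -- "$want" <<<"$effective"; then
    printf 'sshd hardening did not take effect: expected "%s"\n' "$want" >&2
    exit 1
  fi
done

# --- Services -------------------------------------------------------------
# firewalld's default zone already allows the ssh service.
systemctl enable --now firewalld
systemctl enable --now sshd
systemctl reload sshd

# --- Timezone -------------------------------------------------------------
timedatectl set-timezone Asia/Singapore

# --- fail2ban for sshd ----------------------------------------------------
# Check bans later with: fail2ban-client status sshd
dnf install -y epel-release
dnf install -y fail2ban
# firewalld is the packet filter enabled above, so bans must go through its
# action; iptables-multiport would depend on the iptables compat tooling and
# live outside firewalld's rule set, and a failing ban action only shows up in
# fail2ban's log while no ban is applied.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
banaction = firewallcmd-rich-rules

[sshd]
enabled = true
EOF
chmod 0644 /etc/fail2ban/jail.local
systemctl enable --now fail2ban

# --- Update ---------------------------------------------------------------
dnf update -y

# --- Cleanup and restart --------------------------------------------------
# One compound command: bash parses the whole group before executing it, so
# shredding the script file it is reading from cannot corrupt the final step.
{
  cleanup
  systemctl reboot
}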
Boot script to create the SECOND VPS in the SOCKS5 SSH Tunnel:
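#!/bin/bash
# First-boot script for node 2 of the two-hop SOCKS5 tunnel: the exit node,
# reached only from node 1 (where it is "proxy" in /etc/hosts).
#
# Steps: create the unprivileged tunnel user "ghost" with node 1's public key
# in authorized_keys; install a fixed ECDSA host key (the one node 1 pins in
# its known_hosts); harden sshd (no root, no passwords, only "ghost"); enable
# firewalld + fail2ban; update; reboot.
# Runs as root; the provisioner drops it at /tmp/firstboot.exec.
#
# Security caveats:
#  * The host private key and password hashes are embedded below. Whoever can
#    read this script (the provisioner, its logs, disk snapshots) owns them,
#    and shredding the file at the end is not reliable on journaled, CoW or
#    cloud block storage.
#  * The key/hash values in these notes are truncated placeholders; replace
#    them with fresh output of ssh-keygen / `openssl passwd -6`.
#  * Since only node 1 should ever talk to this sshd, consider additionally
#    restricting port 22 in firewalld to node 1's address (not done here, the
#    notes do not record node 1's IP).
set -euo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# New files start out 0600, so a secret never sits world-readable between the
# write and the chmod; public files get their mode set explicitly below.
umask 077

readonly TUNNEL_USER=ghost
readonly SSH_DIR="/home/${TUNNEL_USER}/.ssh"
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Remove the provisioning artefacts on every exit path (success or abort) so
# the embedded secrets do not linger in /tmp. A function, so bash has already
# parsed it by the time the script file underneath it is overwritten.
# (`history -c` from the original is gone: it is a no-op in a non-interactive
# script.)
cleanup() {
  local f
  for f in /tmp/firstboot.exec /tmp/firstboot.log; do
    if [[ -e "$f" ]]; then
      shred -uzn 3 -- "$f"
    fi
  done
}
trap cleanup EXIT

# set_sshd_option KEY VALUE - rewrite a top-level directive in place (whether
# active or commented out), or append it if the file has none. Anchored at ^
# so indented copies inside Match blocks and mentions in comments are left
# alone; the `sshd -T` check further down confirms the effective value.
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}([[:space:]]|$)" "$SSHD_CONFIG"; then
    sed -i -E "s/^#?(${key})([[:space:]].*)?$/\1 ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# --- Tunnel user ----------------------------------------------------------
useradd "$TUNNEL_USER"
# The hash goes in via stdin rather than the command line so it is not exposed
# in ps/audit output. Placeholder value - generate your own.
printf '%s:%s\n' "$TUNNEL_USER" '$6$m6GqgmWQWbFn$slSfYPH7gPFpf5' | chpasswd -e
install -d -m 0700 -o "$TUNNEL_USER" -g "$TUNNEL_USER" "$SSH_DIR"

# Node 1's public key (the id_ed25519.pub created for "ghost" on node 1), so
# node 1 can SSH onto this box. Quoted heredoc delimiter: written verbatim.
cat > "${SSH_DIR}/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaqM9MRDwaUzQTy/DP3G ghost@proxy
EOF
chmod 0600 "${SSH_DIR}/authorized_keys"

chown -R "${TUNNEL_USER}:${TUNNEL_USER}" "$SSH_DIR"

# --- Fixed ECDSA host key -------------------------------------------------
# This is the key node 1 pins in its known_hosts, so it has to stay stable
# across rebuilds. Downside: one leaked copy of the private key lets anyone
# impersonate this node towards node 1; rotate both ends if the script leaks.
cat > /etc/ssh/ssh_host_ecdsa_key.pub <<'EOF'
ecdsa-sha2-nistp256 AAAAE2Vj8oVVclZwFM0rHT
EOF
chown root:root /etc/ssh/ssh_host_ecdsa_key.pub
chmod 0644 /etc/ssh/ssh_host_ecdsa_key.pub

cat > /etc/ssh/ssh_host_ecdsa_key <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
blxNt2SK7z8WJC08AreBHfDA8FR5kSivEsMbkwKeBg6nFNVZKh2USM/A8oVVclZwFM0rHT
4AAAAhAOmW6+U40mePKNaKrNPNVu9C3o3hlVk6ers7KKHs6UZnAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
EOF
chown root:ssh_keys /etc/ssh/ssh_host_ecdsa_key
chmod 0640 /etc/ssh/ssh_host_ecdsa_key

# --- SELinux --------------------------------------------------------------
# setenforce only changes the running kernel; /etc/selinux/config makes it
# stick across the reboot at the end. Best-effort: setenforce fails if SELinux
# is disabled in the kernel, which should not abort the rest of the hardening.
if [[ -f /etc/selinux/config ]]; then
  sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
fi
setenforce 1 || printf 'warning: setenforce 1 failed (SELinux disabled?)\n' >&2

# --- Root password --------------------------------------------------------
# Only usable on the console: PermitRootLogin is switched off below.
printf 'root:%s\n' '$6$m6GqgmWQWbFn$slSfY7IMHS' | chpasswd -e

# --- sshd hardening -------------------------------------------------------
set_sshd_option PermitRootLogin no
set_sshd_option PubkeyAuthentication yes
set_sshd_option PermitEmptyPasswords no
set_sshd_option PasswordAuthentication no
# PasswordAuthentication alone does not stop password logins through PAM's
# keyboard-interactive path; disable that as well.
set_sshd_option ChallengeResponseAuthentication no
# Only the tunnel user may log in at all.
set_sshd_option AllowUsers "$TUNNEL_USER"

# Fail loudly, before any service is touched, if the config is broken or a
# setting did not take effect (e.g. AllowUsers landed inside a trailing Match
# block). `sshd -T` prints the effective top-level config in lower case; the
# challenge-response keyword is not checked because its name differs between
# OpenSSH versions.
sshd -t
effective=$(sshd -T)
for want in 'permitrootlogin no' 'passwordauthentication no' \
            'permitemptypasswords no' 'pubkeyauthentication yes' \
            "allowusers ${TUNNEL_USER}"; do
  if ! grep -qx -- "$want" <<<"$effective"; then
    printf 'sshd hardening did not take effect: expected "%s"\n' "$want" >&2
    exit 1
  fi
done

# --- Services -------------------------------------------------------------
# firewalld's default zone already allows the ssh service.
systemctl enable --now firewalld
systemctl enable --now sshd
systemctl reload sshd

# --- fail2ban for sshd ----------------------------------------------------
# Check bans later with: fail2ban-client status sshd
dnf install -y epel-release
dnf install -y fail2ban
# firewalld is the packet filter enabled above, so bans must go through its
# action; iptables-multiport would depend on the iptables compat tooling and
# live outside firewalld's rule set, and a failing ban action only shows up in
# fail2ban's log while no ban is applied.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
banaction = firewallcmd-rich-rules

[sshd]
enabled = true
EOF
chmod 0644 /etc/fail2ban/jail.local
systemctl enable --now fail2ban

# --- Timezone -------------------------------------------------------------
timedatectl set-timezone Asia/Seoul

# --- Update ---------------------------------------------------------------
dnf update -y

# --- Cleanup and restart --------------------------------------------------
# One compound command: bash parses the whole group before executing it, so
# shredding the script file it is reading from cannot corrupt the final step.
{
  cleanup
  systemctl reboot
}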
To create the two hop SSH tunnel from your client run:
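# Two-hop SOCKS5: client 127.0.0.1:1337 -> (ssh, -L) node 1 127.0.0.1:1338
# -> (ssh, -D) node 2, where the traffic exits.
#  * NODE1 is node 1's address as seen from this client. The login name must
#    be "ghost": both boot scripts only authorize that user (AllowUsers).
#  * "proxy" in the inner command is node 2, resolved through the /etc/hosts
#    entry node 1's boot script adds; the inner ssh therefore needs that
#    destination spelled out - without it ssh only prints its usage and the
#    outer session ends.
#  * `-D 1338` (no bind address) keeps the SOCKS listener on node 1's loopback;
#    binding it to 0.0.0.0 would turn node 1 into an open proxy.
#  * ExitOnForwardFailure makes the outer ssh exit instead of silently leaving
#    you with a shell but no 1337 listener when that port is already taken.
ssh -i /home/bmon/.ssh/id_ed25519 -o ExitOnForwardFailure=yes \
    -t -L 1337:127.0.0.1:1338 -p 22 ghost@NODE1 \
    ssh -T -D 1338 -p 22 ghost@proxy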
Then point Firefox's SOCKS5 proxy at 127.0.0.1:1337 (enable "Proxy DNS when using SOCKS v5" so name lookups also leave from the second hop instead of your client) and your traffic exits with the IP of the second VPS. Because node 1 runs the inner ssh client, it sees the SOCKS traffic in the clear; the alternative that keeps node 1 as an opaque relay is `ssh -J` (ProxyJump) with `-D 1337` to node 2 directly, but that requires your own key in node 2's authorized_keys rather than node 1's.
VyOS
Objective: Become familiar with installing and configuring VyOS
Installed the LTS version of VyOS on a VM with 2 NICs.
Default username/password is vyos/vyos; change it (and set up key-based SSH) before the box is reachable from anything untrusted.
Performed some basic config such as SSH and IP connectivity.
Plan is to obtain a second NIC for a baremetal box and use VyOS to make it a home router.
A good guide is https://blog.kroy.io/2020/05/04/vyos-from-scratch-edition-1/
VyOS does not have a GUI, unlike pfSense; all configuration is done from the CLI.