Topic: block access to CWP from the Internet


block access to CWP from the Internet
« on: April 15, 2023, 07:04:34 AM »
Hello, after having seen https://nvd.nist.gov/vuln/detail/CVE-2022-44877 I started thinking about closing my CWP interfaces from the Internet to protect from future vulnerabilities (we all know that even if we do our best, vulnerabilities are there...)

The options I'm currently scouting are:
use iptables to block cwpsrv ports from anything but my public IP address (having a static IP address)
add a virtual interface and make cwpsrv listen on that IP or 127.0.0.1, then use ssh port forward
set up a VPN (wireguard or openvpn) and make cwpsrv listen on that IP

I see that CWP doesn't support local IPs so probably some of them are not possible, but at least blocking everything using a firewall is an option?

Do you have any other advice?

Thanks


Re: block access to CWP from the Internet
« Reply #1 on: April 15, 2023, 10:49:22 PM »
Your approaches all sound fine if you have a static IP address. I would suggest using the higher level CSF over the lower level iptables, if you go that route. You will need to leave ports 2304 (inbound & outbound) & 2443 (outbound) open in order to ping the CWP Pro server that authorizes your IP with the Pro feature set.

You could also use Cloudflare's Tunnel product.
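The firewall option from the original post and the CSF suggestion in the reply, written out as an added example that is not from the thread or from the CWP project: one POSIX shell script that generates (without applying) the iptables rules or the equivalent csf.allow lines restricting the panel ports to a single trusted IP, and a check that reads `ss -tlnp` output and lists which cwpsrv ports are still bound on all interfaces. The port list (2030, 2031, 2082, 2083, 2086, 2087), the trusted address 203.0.113.10 and the ss sample are assumptions and constructed values; confirm the real ports on your own server before using the output.

```shell
#!/bin/sh
# Added example, not from the thread: lock the CWP panel ports down to one trusted IP.
# Assumptions (verify on your own server with: ss -tlnp | grep cwpsrv):
#   - cwpsrv commonly listens on 2030/2031 (admin), 2082/2083 (user) and 2086/2087 (admin TLS);
#     edit CWP_PORTS if your install differs.
#   - TRUSTED_IP is a constructed placeholder from the documentation range 203.0.113.0/24.
TRUSTED_IP="203.0.113.10"
CWP_PORTS="2030 2031 2082 2083 2086 2087"

# Dotted-quad IPv4 sanity check so a typo never ends up as the source of an ACCEPT rule.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print (do not apply) iptables commands that send the panel ports through a dedicated
# chain which accepts only the trusted source and drops everything else. The jump is
# inserted at position 1 of INPUT so it wins over any later, broader ACCEPT rule.
iptables_rules() {
  ip="$1"; shift
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  ports=$(echo "$@" | tr ' ' ',')
  echo "iptables -N CWP_ADMIN"
  echo "iptables -A CWP_ADMIN -s $ip -j ACCEPT"
  echo "iptables -A CWP_ADMIN -j DROP"
  echo "iptables -I INPUT 1 -p tcp -m multiport --dports $ports -j CWP_ADMIN"
}

# Same policy expressed as CSF advanced-syntax lines for /etc/csf/csf.allow; remove the
# panel ports from TCP_IN in csf.conf afterwards so only these per-source allows remain.
csf_allow_lines() {
  ip="$1"; shift
  valid_ipv4 "$ip" || return 1
  for p in "$@"; do
    echo "tcp|in|d=$p|s=$ip"
  done
}

# Post-change check: given `ss -tlnp` output, list cwpsrv ports still bound to every
# address (0.0.0.0, * or [::]). Ports bound to 127.0.0.1 or a VPN address are not listed.
exposed_cwp_ports() {
  echo "$1" | awk '/cwpsrv/ && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/ { sub(/.*:/, "", $4); print $4 }'
}

# Constructed sample of ss output (not captured from a real host) for the check above.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2087      0.0.0.0:*     users:(("cwpsrv",pid=1234,fd=6))
LISTEN 0      128    127.0.0.1:2031    0.0.0.0:*     users:(("cwpsrv",pid=1234,fd=7))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))'

echo "# iptables version"
iptables_rules "$TRUSTED_IP" $CWP_PORTS
echo "# csf.allow version"
csf_allow_lines "$TRUSTED_IP" $CWP_PORTS
echo "# cwpsrv ports still exposed on all interfaces in the sample:"
exposed_cwp_ports "$SS_SAMPLE"
```

Run it as a normal user to review the generated rules, then apply them with the tool you actually use; if you take the CSF route the reply recommends, keep the ports it names for the CWP Pro check (2304 in and out, 2443 out) in csf.conf, since the lines above only cover the panel ports themselves. The `exposed_cwp_ports` check is also the quick way to confirm the SSH-tunnel or VPN variants from the original post: after rebinding cwpsrv it should print nothing.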