Hetzner Cloud
This guide focuses on configuring Hetzner Cloud Firewalls for Actvt remote monitoring on Hetzner Cloud servers.
Prerequisites
- Hetzner Cloud account
- Server running Ubuntu 20.04+ or similar Linux distribution
- Basic familiarity with Hetzner Cloud Console or hcloud CLI
For required ports, see Prerequisites.
Hetzner Cloud Firewall Configuration
Method 1: Using Hetzner Cloud Console
- Navigate to Firewalls
  - Go to Hetzner Cloud Console
  - Select your project
  - Click "Firewalls" in the left sidebar
  - Click "Create Firewall"
- Create Firewall Rules
  Name your firewall: actvt-monitoring
  Inbound Rules:
  SSH Rule:
    Port: 22
    Protocol: TCP
    Source: Your IP address (recommended) or 0.0.0.0/0
    Description: SSH access
  HTTP Rule:
    Port: 80
    Protocol: TCP
    Source: 0.0.0.0/0
    Description: Let's Encrypt verification
  WebSocket Rule:
    Port: 4096
    Protocol: TCP
    Source: 0.0.0.0/0 (or restrict to your IP range)
    Description: Actvt WebSocket server
- Apply Firewall to Server
  - After creating the firewall, click "Apply to resources"
  - Select your server
  - Click "Apply"
Method 2: Using hcloud CLI
First, install the hcloud CLI:
# Install hcloud CLI (this URL is the Linux amd64 build; on macOS or other architectures use the matching release asset)
curl -L https://github.com/hetznercloud/cli/releases/latest/download/hcloud-linux-amd64.tar.gz | tar xz
sudo mv hcloud /usr/local/bin/
# Configure with your API token
hcloud context create actvt-monitoring
# Enter your Hetzner Cloud API token when prompted
Create firewall and rules:
# Create a new firewall
hcloud firewall create --name actvt-monitoring
# Add SSH rule (replace YOUR_IP with your actual IP)
hcloud firewall add-rule actvt-monitoring \
--direction in \
--source-ips YOUR_IP/32 \
--protocol tcp \
--port 22 \
--description "SSH access"
# Add HTTP rule for Let's Encrypt
hcloud firewall add-rule actvt-monitoring \
--direction in \
--source-ips 0.0.0.0/0 \
--protocol tcp \
--port 80 \
--description "Let's Encrypt verification"
# Add WebSocket rule for Actvt
hcloud firewall add-rule actvt-monitoring \
--direction in \
--source-ips 0.0.0.0/0 \
--protocol tcp \
--port 4096 \
--description "Actvt WebSocket server"
# Apply firewall to your server
hcloud firewall apply-to-resource actvt-monitoring \
--type server \
--server YOUR_SERVER_NAME_OR_ID
Verify Configuration
Check that your firewall is properly configured:
# List firewall rules
hcloud firewall describe actvt-monitoring
# Test connectivity (from your local machine)
telnet YOUR_SERVER_IP 4096
nc -zv YOUR_SERVER_IP 4096
Additional Security Considerations
Restrict WebSocket Access
For production environments, consider restricting port 4096:
# Remove the open WebSocket rule
hcloud firewall delete-rule actvt-monitoring \
--direction in \
--source-ips 0.0.0.0/0 \
--protocol tcp \
--port 4096
# Add restricted WebSocket rule
hcloud firewall add-rule actvt-monitoring \
--direction in \
--source-ips YOUR_OFFICE_IP/32 \
--protocol tcp \
--port 4096 \
--description "Actvt WebSocket (restricted)"
Multiple IP Ranges
To allow access from multiple IP ranges:
# Add multiple source IPs (repeat --source-ips once per range)
hcloud firewall add-rule actvt-monitoring \
--direction in \
--source-ips 203.0.113.1/32 \
--source-ips 198.51.100.0/24 \
--protocol tcp \
--port 4096 \
--description "Actvt WebSocket (multiple IPs)"
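An added example, not part of the original guide or of the hcloud tooling: a Python check that reads the JSON from `hcloud firewall describe actvt-monitoring -o json` and reports when port 22 or 4096 is still reachable from every address. The embedded JSON is a constructed sample; the field names and the `RESTRICTED_PORTS` policy are assumptions based on the rules in this guide.

```python
import ipaddress
import json

# Constructed sample shaped like `hcloud firewall describe actvt-monitoring -o json`
# (assumed field names: rules[].direction / protocol / port / source_ips).
SAMPLE = """
{"name": "actvt-monitoring", "rules": [
 {"direction": "in", "protocol": "tcp", "port": "22",
  "source_ips": ["0.0.0.0/0"], "description": "SSH access"},
 {"direction": "in", "protocol": "tcp", "port": "80",
  "source_ips": ["0.0.0.0/0", "::/0"], "description": "Let's Encrypt verification"},
 {"direction": "in", "protocol": "tcp", "port": "4096",
  "source_ips": ["203.0.113.1/32", "198.51.100.0/24"],
  "description": "Actvt WebSocket (multiple IPs)"}
]}
"""

# Assumed policy: ports from this guide that should not be open to every address.
RESTRICTED_PORTS = {22: "SSH", 4096: "Actvt WebSocket"}

def port_range(spec):
    """Parse a rule port such as "22" or "4000-4100" into (low, high)."""
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 and any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(firewall):
    """Return (port, label, cidr) for each restricted port exposed to the world."""
    findings = []
    for rule in firewall.get("rules", []):
        if rule.get("direction") != "in" or rule.get("protocol") != "tcp":
            continue
        if not rule.get("port"):
            continue
        low, high = port_range(rule["port"])
        for cidr in rule.get("source_ips", []):
            if not is_world_open(cidr):
                continue
            for port, label in sorted(RESTRICTED_PORTS.items()):
                if low <= port <= high:
                    findings.append((port, label, cidr))
    return findings

if __name__ == "__main__":
    for port, label, cidr in audit(json.loads(SAMPLE)):
        print(f"WARN: {label} port {port} is open to {cidr}")
```

To check a live firewall, parse the `hcloud` JSON output with `json.load` and pass the result to `audit`.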
For troubleshooting connectivity, see the Troubleshooting Guide.