I found an easy and quite elegant way to secure HestiaCP by using Tailscale and wanted to share it with the community.
- Install Tailscale (free) on your server and authenticate. Also connect your local computer to the Tailscale network.
- Block all traffic except for ports 80 (HTTP) and 443 (HTTPS) via the firewall of your cloud provider. Do not block the ports in the HestiaCP firewall.
- Use the Tailscale internal IP address that you will find in Tailscale to connect to the HestiaCP dashboard, SSH and other services.
After following the steps above, it is also possible to create a DNS name within Tailscale and issue SSL certificates for it. More about this in the Tailscale documentation: DNS in Tailscale · Tailscale.
Though this might break some of the more advanced functionality, it works perfectly with the basic setup for the few WordPress websites that I run.
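
A check to run on the server after the steps above (an added example, not part of the original post): it reads `ss -Htln` output and lists the TCP ports that listen on a non-loopback, non-Tailscale address other than 80 and 443, which are the ports that only the cloud provider firewall keeps private. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list TCP ports that listen on a publicly routable address and
# so rely on the cloud provider firewall alone to stay unreachable.
# Input on stdin: lines as printed by `ss -Htln`.

PUBLIC_OK="80 443"   # the only ports the post leaves open to the internet

firewall_dependent_ports() {
  awk -v ok="$PUBLIC_OK" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)          # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
      sub(/^\[/, "", addr); sub(/\]$/, "", addr); sub(/%.*/, "", addr)
      if (addr ~ /^127\./ || addr == "::1") next          # loopback only
      if (addr ~ /^100\./) {                              # Tailscale 100.64.0.0/10
        split(addr, o, ".")
        if (o[2] + 0 >= 64 && o[2] + 0 <= 127) next
      }
      if (addr ~ /^fd7a:115c:a1e0:/) next                 # Tailscale IPv6 range
      if (port in allowed) next                           # meant to be public
      seen[port] = 1
    }
    END { for (p in seen) print p }
  ' | sort -n
}

# Constructed sample of `ss -Htln` output (not captured from a real server).
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128  0.0.0.0:22            0.0.0.0:*
LISTEN 0 511  0.0.0.0:80            0.0.0.0:*
LISTEN 0 511  0.0.0.0:443           0.0.0.0:*
LISTEN 0 511  0.0.0.0:8083          0.0.0.0:*
LISTEN 0 100  0.0.0.0:25            0.0.0.0:*
LISTEN 0 80   127.0.0.1:3306        0.0.0.0:*
LISTEN 0 4096 100.101.102.103:41234 0.0.0.0:*
LISTEN 0 128  [::]:22               [::]:*
EOF
}

if [ "${1:-}" = "--live" ]; then
  ss -Htln | firewall_dependent_ports      # real sockets on this server
else
  sample_ss_output | firewall_dependent_ports
fi
```

Each port it prints should time out when probed from a machine outside the tailnet and answer when reached through the server's Tailscale IP.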