I saw in some guide (not ES official) that I should do something like this: network.host: [tun0, local], is this necessary?
Here is the Section from that guide that writes this:
Bind to VPN IP Address or Interface
You will want to restrict outside access to your Elasticsearch instance, so outsiders can't access your data or shut down your Elasticsearch cluster through the HTTP API. In other words, you must configure Elasticsearch such that it only allows access to servers on your private network (VPN). To do this, we need to configure each node to bind to the VPN IP address, vpn_ip, or interface, "tun0".
Find the line that specifies network.host, uncomment it, and replace its value with the respective server's VPN IP address (e.g. 10.0.0.1 for node01) or interface name. Because our VPN interface is named "tun0" on all of our servers, we can configure all of our servers with the same line:
elasticsearch.yml — network.host
network.host: [tun0, local]
Note the addition of "local", which configures Elasticsearch to also listen on all loopback devices. This will allow you to use the Elasticsearch HTTP API locally, from each server, by sending requests to localhost. If you do not include this, Elasticsearch will only respond to requests to the VPN IP address.
Here is the link: