That sounds cool, I will definitely do some reading. Thanks!
wheresmysurplusvalue
During my research I came across ngrok, maybe this could be useful in your situation. I also came across zrok, which seems like an open source version of the same thing based on OpenZiti. Both of them seem like ways to give public portals to your private services. So you could give your friends access that way without them needing to use a VPN.
Just wrote up my use case here
These certificates are custom certificates generated for Nebula clients, I don't think Let's Encrypt can issue them. In this case I have a trusted machine at home which acts as a CA and signs certificates for all other hosts on the network. The certificate is used to authenticate the host, and also can include custom attributes to be used in firewall rules. So the problem I'd need to solve is keeping track of certificate expiry and renewing the certificates, or issuing new certificates when I add new attributes to a set of hosts.
Good feedback, thanks. Making sure all my devices are properly firewalled is another concern of mine, since all this NAT traversal stuff is basically a way to bypass firewall rules which are there for a reason. I think most of these solutions have firewalls/ACLs built in. But it does mean that I would rely on their firewall implementation and can't switch it out for something else.
My use case is I'm hosting a number of services on machines inside my home LAN, and also a few services on a VPS. Two family members use a few of the services hosted in the LAN and on the VPS. For things inside the LAN, for now I've given them WireGuard credentials to access them, but this gives them full access to my LAN. On the VPS they can access an HTTP server from the public internet.
I also travel a bit, so I connect via WireGuard to encrypt my traffic and have access to my LAN services at the same time. Tailscale offers "exit node" functionality which seemed to work when I tried it.
So my main goals are:
- Encrypt my mobile traffic through a secure tunnel back home, no need to pay for or trust a VPN provider
- Ability to give users role-based access to my privately hosted services from anywhere
- Close almost all ports on all machines including the VPS, no publicly hosted services at all (maybe not even SSH)
- Simplify access to my services in general. Generally just want to be able to e.g. type the same URL and access a service, regardless of whether I'm at home or on a public network. But there are probably other solutions for this point alone.
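One way to get the "role-based access" from the list above without handing out full LAN access with each WireGuard key, as an added example that is not part of the original post or of any project: keep WireGuard as the tunnel, pin every peer to a fixed tunnel address via its server-side AllowedIPs, and let the gateway's nftables forward chain decide which LAN services that address may reach. The interface name, addresses, roles and services below are constructed placeholders; the script only generates the ruleset text, so it runs offline and you can inspect the result before loading it with `nft -f`.

```python
"""Generate an nftables forward chain that limits each WireGuard peer to the
services its role allows (hypothetical example; not from the original thread).

Assumptions: a Linux WireGuard gateway with tunnel interface wg0, each peer
configured server-side with a /32 AllowedIPs entry (so WireGuard itself rejects
packets whose inner source address does not belong to that peer), and nftables.
"""
import ipaddress

WG_IF = "wg0"  # assumed tunnel interface on the gateway

# Constructed policy: role -> list of (destination, protocol, port).
# "any"/None means every protocol and port on that destination.
ROLE_SERVICES = {
    "family": [("192.168.1.10", "tcp", 443),   # e.g. a reverse proxy
               ("192.168.1.10", "tcp", 8096)],  # e.g. a media server
    "admin":  [("192.168.1.0/24", "any", None)],  # full LAN, as today
}

# Constructed peers: server-side AllowedIPs of the peer -> role.
PEERS = {
    "10.8.0.2/32": "admin",
    "10.8.0.3/32": "family",
    "10.8.0.4/32": "family",
}


def allow_rule(src, dst, proto, port, wg_if=WG_IF):
    """Build one nftables forward rule for a single (peer, service) pair."""
    src_net = ipaddress.ip_network(src, strict=False)   # validates the address
    dst_net = ipaddress.ip_network(dst, strict=False)   # single host -> /32
    match = f"ip saddr {src_net} ip daddr {dst_net}"
    if proto != "any":
        if port is None:
            raise ValueError("port is required unless proto is 'any'")
        match += f" {proto} dport {int(port)}"
    return f'iifname "{wg_if}" {match} accept'


def build_ruleset(peers, role_services, wg_if=WG_IF):
    """Return a complete nftables ruleset (text) for `nft -f`."""
    lines = [
        "table inet wg_access {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        # Return traffic from the LAN back into the tunnel is already part of an
        # allowed connection; keep this line if you later tighten the policy.
        "    ct state established,related accept",
    ]
    for src, role in sorted(peers.items()):
        if role not in role_services:
            raise KeyError(f"peer {src} has unknown role {role!r}")
        for dst, proto, port in role_services[role]:
            lines.append("    " + allow_rule(src, dst, proto, port, wg_if))
    # Everything else arriving from the tunnel is dropped, so a WireGuard key
    # no longer implies access to the whole LAN.
    lines.append(f'    iifname "{wg_if}" drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ruleset(PEERS, ROLE_SERVICES))
```

The rules are keyed on the peer's tunnel address, which is only sound because WireGuard's cryptokey routing drops packets from a peer whose inner source address is outside its AllowedIPs; if a peer is given a wider AllowedIPs range, the policy above no longer identifies a single person. The chain only covers forwarded traffic, so services running on the gateway itself still need matching rules in the input chain.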
That is, if "we" are the ones who have the quantum computers
the German foreign minister responded, “Are you saying that our doctors in the field in Gaza aren’t telling the truth? Are you saying that the international media is lying?”


I haven't read it myself yet, but there is some discussion about the book (and Strong herself) in this video by Lady Izdihar
Nope, because in this case our client has to request a budget and justify it, so in this case they asked for too much and have to explain what went wrong
I bought an N5105 mini PC (Intel, 4 cores) from AliExpress to home-roll my own router, with the idea that I could run a few other services in containers on the same device. I think hardware-wise I'm ok, but since I built it from scratch, it's possible something isn't optimal in how I configured the software. But this thing should be able to do gigabit speeds no problem. Maybe I'll try again next weekend. Thanks for the inspiration and glad you were able to resolve the bufferbloat!
Anyone had success doing this in OpnSense/pfSense? I tried following a guide when I first set up OpnSense, but the changes made my bufferbloat rating worse, so I reversed the changes and haven't tried since.
Btw there is this test you can use to check for bufferbloat: https://www.waveform.com/tools/bufferbloat
And you probably want to test it using a wired connection first.
Ah, yeah I recognize the cert rotation page. That docs page doesn't say it, but they do use a custom certificate, described a little bit here:
I think Let's Encrypt issues certs for validating that you own a (public) domain name, but for my use, these certs aren't associated with a domain name, just a machine not accessible to the public internet. I'll do some research to see if I can self host something that would allow other hosts to request a renewed cert automatically.
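The expiry-tracking and re-issuing problem described in the two Nebula comments above (the home CA signing host certs that carry groups for firewall rules, and the wish to renew them automatically) can be scripted against the JSON that `nebula-cert print -json` emits. The following is an added example, not code from the original comments or from the Nebula project: the field names (`details.name`, `ips`, `groups`, `notAfter`, `isCa`) are assumed from that command's output, the sample certificate JSON is constructed, and the CA file paths, public-key path and renewal duration are placeholders.

```python
"""Flag Nebula host certificates that are close to expiry or whose groups no
longer match policy, and draft the `nebula-cert sign` command to re-issue them.

Hypothetical example. Assumes the JSON layout of `nebula-cert print -json`
(top-level "details" object) and the `nebula-cert sign` flags -name, -ip,
-groups, -duration, -ca-crt, -ca-key, -in-pub and -out-crt.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed output in the shape of `nebula-cert print -json -path laptop.crt`.
SAMPLE_CERT_JSON = """{
  "details": {
    "groups": ["family", "media"],
    "ips": ["10.42.0.7/24"],
    "isCa": false,
    "issuer": "0000000000000000000000000000000000000000000000000000000000000000",
    "name": "laptop",
    "notAfter": "2025-03-01T12:00:00Z",
    "notBefore": "2024-03-01T12:00:00Z",
    "publicKey": "1111111111111111111111111111111111111111111111111111111111111111",
    "subnets": []
  },
  "fingerprint": "2222222222222222222222222222222222222222222222222222222222222222",
  "signature": "3333"
}"""


def parse_ts(value):
    """RFC 3339 timestamp (as Go prints it, with a trailing Z) -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_cert(json_text):
    """Extract the fields the renewal logic needs from nebula-cert JSON output."""
    d = json.loads(json_text)["details"]
    return {
        "name": d["name"],
        "ips": list(d["ips"]),          # e.g. ["10.42.0.7/24"]
        "groups": list(d["groups"]),    # attributes used in Nebula firewall rules
        "not_after": parse_ts(d["notAfter"]),
        "is_ca": bool(d["isCa"]),
    }


def needs_renewal(cert, now=None, lead_days=30, wanted_groups=None):
    """True if the cert expires within lead_days, or if policy now wants a
    different set of groups than the cert carries (the 'new attributes' case)."""
    now_dt = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    expiring = cert["not_after"] - now_dt <= timedelta(days=lead_days)
    groups_changed = wanted_groups is not None and set(cert["groups"]) != set(wanted_groups)
    return bool(expiring or groups_changed)


def renew_command(cert, groups, duration_hours,
                  ca_crt="ca.crt", ca_key="ca.key", host_pub=None):
    """Argument list for re-signing the host with its existing keypair.

    -in-pub keeps the host's current public key, so only the certificate
    changes and the private key never leaves the host. Paths are placeholders.
    """
    if cert["is_ca"]:
        raise ValueError("refusing to treat a CA certificate as a host cert")
    host_pub = host_pub or f"{cert['name']}.pub"
    return [
        "nebula-cert", "sign",
        "-name", cert["name"],
        "-ip", cert["ips"][0],
        "-groups", ",".join(groups),
        "-duration", f"{int(duration_hours)}h",
        "-ca-crt", ca_crt, "-ca-key", ca_key,
        "-in-pub", host_pub,
        "-out-crt", f"{cert['name']}.crt",
    ]


if __name__ == "__main__":
    cert = parse_cert(SAMPLE_CERT_JSON)
    if needs_renewal(cert, wanted_groups=["family", "media"]):
        print(" ".join(renew_command(cert, ["family", "media"], 24 * 365)))
    else:
        print(f"{cert['name']} is fine until {cert['not_after'].isoformat()}")
```

A host certificate cannot outlive the CA that signs it, so the chosen duration has to fit inside the CA's own `notAfter`; the same check applied to the CA certificate (`isCa` true) tells you when the whole network needs a new root and a rollover of every host. Getting the re-signed certificate back onto the host is a separate transport step that this script does not cover.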