The company behind pfSense is shady as hell:
https://opnsense.org/opnsense-com/
Also the complete and utter clusterfuck of an attempt to bring Wireguard into the FreeBSD kernel:
- 1 Post
- 31 Comments
Joined 1 year ago
Cake day: June 10th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
2·1 year agoWhat kind of ISP are you dealing with?
And maybe PPPoE.
traceroute --mtu 1.1.1.1Pick the lowest value displayed for
F=xxxxlike e.gF=1492and subtract 80.For my DSL connection the optimal value is 1412.
nonfree drivers accessible right away
Non-free firmware is included in the Debian installer since Bookworm.
Do you really know how Wireguard works?
Updating without a reboot only works for wireguard-go. The default implementation runs in the kernel. An update to it would require kernel live patching.
Wireguard doesn't answer to unsigned packets. Using obscure ports or even port knocking is rather pointless. It's indistinguishable from a closed port.
I'd rather take Casaos out of the equation and target Ubuntus' Wireguard stack instead.
Jellyfin is completely free. I only used it shortly in my LAN environment so I can't give you any numbers. It should roughly be in the same ballpark as plex though.
You can skip fail2ban for SSH. I missed the important bit. Duh…
Never used Plex but had a good experience with Jellyfin.
Just a few thoughts:
- don't cheap out. Building your whole stack on top of free or ultra budget providers is going to backfire eventually
- check the traffic limits if you want to stream 4k content from your NAS
- if latency and bandwidth is a concern, you need to select a VPS provider with good peering. This fully depends on your ISP.
- i'd recommend setting things up with split DNS. Your DNS server would answer with local IPs for queries from within your LAN and with the IP of the VPS for external queries.
- take a look at AdGuard Home
- you can skip fail2ban if you go straight for ssh keys
- 100% wireguard
Du hast hier eine Überschneidung drin. Mit
Address = 100.10.20.120/24definierst du ihm ja, dass der Traffic für das komplette 100.10.20.0/24 Subnetz über den Tunnel gehen soll. Dein Endpoint liegt aber genau in eben diesem Subnetz.100.10.10.100:51820würde hingegen klappen, da die Adresse in einem anderen Subnetz liegt.Wieso verwendest du innerhalb des Tunnels kein LAN IPs? Das sind öffentliche IPs, die du hier zweckentfremdest.
Ich sehe hier nur IPs im gleichen Subnetz. Wie soll Wireguard die IP der Gegenstelle finden? Bei
Endpointsollte eigentlich die externe IP oder Domainname des Servers stehen.
Meine mich zu erinnern, dass es mal mit dem Aufruf von
resolvconfProbleme gab und ein Symlink notwendig war.Könntest du mal deine Config ohne die Keys teilen?
Why are you running two HAProxy instances? You should be able to forward the traffic on your VPS to your homeserver with a firewall rule.
If that’s not an option, this should still be doable using the
X-Forwarded-Forheader. Instead of setting it to single value, you need to append to it:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax
1·1 year agoNetzwerkverbindung ist auf DHCP und du bekommst eine Adresse?
ext4 + mdadm + dm-integrity would solve the bit rot problem. But you’d end up with a lot of parts bolted together and still miss out on the features that btrfs/zfs provide.
Bitte sag mir, dass hier wenigstens verschlüsselt wird.
Cookie banners are usually from the same domain. I doubt you can block them via DNS.
OpenOffice is a zombie at this point.