• 0 Posts
  • 23 Comments
Joined 10 months ago
Cake day: September 14th, 2023

  • Is wireguard hosted on opnsense, or an internal device that the port is being forwarded to?

    If it’s on opnsense, be sure you route outgoing traffic on that port over the correct gateway, possibly even an extra rule to be sure the proper reply-to is set. Opnsense used to do the gateway routing configuration automatically, but once wg got added to the kernel, you’re now required to manually specify the gateway in your rules for it to work properly.

    Also, if you see zero packets, then as others mentioned, try a different mtu. Some service providers (mobile, and even hotels) try to block all VPN traffic altogether and they do this by measuring the mtu of the packets. A little tweaking might get it to work, although I’d expect this to have held true for the VPS too, honestly.




  • I wish there were some descriptions per provider with the ratings. Mullvad gets constant tests by third parties against their network and has proven many times they have a no log policy that’s working, yet they got a 4 out of 5…

    With only numbers and generic descriptions that don’t quite match the truth, feels like this sheet is a little misleading. Also, I find it ironic that it’s on Google sheets.


  • I tried Jellyfin so that I could move away from Emby, but the deal breakers for me were:

    • No way to view my music library in folders (I organize all my music by genres)
    • Terrible performance on Samsung Tizen (my primary tv)
    • Can’t stream custom music radio stations by their m3u files

    Other things that I didn’t like:

    • Doesn’t save the filters I selected when viewing the library previously
    • Doesn’t have as many working plugins on home assistant (this may have changed by now?)

    I truly do want to go to Jellyfin, but the biggest deal breaker of them all is the lack of support getting it to work on the Samsung TVs efficiently. Perhaps someday it’ll change, but at the moment, I’ll probably stick to Emby but keep an eye out on updates :)


  • This ^ I start by blocking any new device to the network, even if it needs internet access (e.g. a new mini PC or something) and monitor for odd activity. If the device needs internet activity and has shown no signs of trying to phone home to something suspicious, I grant it from there (note my devices are under constant monitoring though). If it doesn’t need access (tv, home automation, printer, vacuum, etc) it stays where it’s at.

    But yeah agreed completely. I avoid all IoT that won’t work without a third party cloud or internet access. Using Nextcloud (which does my rss feeds too), HA, pihole, and Emby (also blocked from internet access via firewall rules) for me. Also a few apps I created for myself for things where there weren’t any useful or good FOSS alternatives for.



  • Agreed! I tend to see what he can offer in regards to privacy for real life stuff like home address, data broker scrubbing (his extensive lists I mean), etc. But when it comes to the technology portion of it, I go with what I prefer, albeit I still hear what he has to say in case he introduces me to something I didn’t know about before.






  • Ahh okay, so not necessarily the entire software as a whole, but just a few things that would probably be targeted more towards the Enterprise folks? Assuming you don’t mean the issue boards for codebases, but rather the support requests. Probably why I hadn’t noticed, thanks!


  • Mikelius@lemmy.ml to Open Source@lemmy.ml: GitLab vs Codeberg
    8 months ago

    Just curious, what part isn’t open source? I’m running a dockerized instance of it on my local server and have made my own modifications to the rails code in several places to meet my needs closer. Haven’t seen anything that would indicate it wasn’t open source, so just wondering where I should be looking. Unless these comments are related to the .com website and not personal instances.


  • Mikelius@lemmy.ml to Privacy@lemmy.ml: Comparison of Android ROMs
    8 months ago

    I’ve heard and seen folks say rooting Android is a huge security risk and adds an attack surface, but haven’t seen anything to support the claims, really. Yes it’s less secure for the average person, who doesn’t know anything about security, to root an Android, but to say it’s completely insecure without any supporting explanation (not you in particular, just in general when this is said) doesn’t help. I like to imagine it like installing Linux and being told to trust the distribution you installed, but they disabled root and removed sudo because it’s insecure.

    The reason I root is actually for both security and privacy. Without it, I can’t use custom firewall rules to restrict apps and system processes from reaching out to the internet or local network devices (AFWall+), have a local hosts setup (Adaway), run a VPN to my home network (Wireguard), and monitor all app network process calls (PCAPdroid) at the exact same time. It also prevents me from being able to create custom cron jobs and custom system changes I need that have only root access.

    Being that I am also home 95% of the time with my phone on my person at all times, physical attack surface is less concerning for me, too.

    With that all being said, the (assumed) excuse that “malware” is the security risk with root makes no sense to me because whether or not I have root access, phone malware probably doesn’t need it in most cases since they’re exploiting non-root things so that they can target the majority, not minority. Not to mention I rarely ever even install apps on the phone and most of my web surfing is done on my laptop, not my phone.


  • Mikelius@lemmy.ml to Privacy@lemmy.ml: Comparison of Android ROMs
    8 months ago

    Only 2 problems I have with Graphene personally are the need to give Google money, which the irony is just too much, and no option for rooting. Otherwise it seems like a pretty good OS overall. In the meantime, while I wait for those options to be more flexible so I can have full control, I just use a rooted lineage os with all the extra Google stuff (ntp, DNS, etc) stripped and replaced with my own self hosted systems.


  • Mikelius@lemmy.ml to Linux@lemmy.ml: Linux DNS settings is a total mess
    9 months ago

    This isn’t really a “Linux” problem. Calling it a Linux problem implies all distros do the same thing out of the box because it’s a part of the core system. Systemd has a file, /etc/systemd/resolved.conf which has one line DNS= that you can add the servers you want. It’s as simple as that. If you’re using Dnsmasq for DNS instead, you’d edit the Dnsmasq file. If you’re not using any of those (i.e. you removed systemd-resolved, Dnsmasq, etc) then you can just edit the /etc/resolv.conf directly without worry of it being overwritten.

    While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and after editing my resolv.conf, never had to worry about it again unless I decided to install a custom DNS software on it later.

    I read many replies to your post as “DNS software shouldn’t be allowed to change DNS settings” for the most part, and that doesn’t quite make sense to me. If it’s a problem, remove said software. Browsers are definitely annoying on the DNS front, I won’t disagree with that. Fortunately, they allow you to turn that off though.



  • I personally prefer NoScript not for just the privacy stuff, but for the security of knowing that an accidental click to a malicious site using some zeroday JavaScript exploit won’t kick in like it would, had it not been default blocked.

    My NoScript profile is also fairly populated with things I’ve trusted over the years, so it’s really only new websites that require JavaScript that I have to worry about.

    Maybe just me being over cautious, but just keeps me at ease, personally.