The meatles 👌👌👌👌👌

Sudontplease :P

Grammer is for english class or grammer community’s. Who cares

Yeah is guide is pretty useful! i went with setting up wireguard instead of openvpn. For a while now ive been self hosting alot of my stuff, SearXNG with gluetun tunneling, minecraft server for me and the boys and a Samba Share instead of paying for some dopey cloud storage. Ive gotten ZFS running in a 1tb z1 pool for my containers and plan to add a 10tb Z2 pool for long term storage and backups. i chose to do it in NixOS instead of debian or ubuntu, just because im a little bit of a nut for immutability.

its actually kinda funny i just left a post asking for help setting up wiregaurd server on c/selfhosted and referenced louis’s guide! Also i gotta add thats EPIC you got 10gbps internet, i went with a glinet flint 2 for my router. Because it runs openwrt under the hood, i personally like openwrt alot. there are people that swear by pfsense or opensense because of the bsd network stack, is very well maintained and secure as alot of commercial products like switches and firewalls run pfsense under the hood. for security and vlans pfsense would probably be better from what i heard. But openwrt works pretty well aswell, and i ended up just going with the flint 2 because it has 2.5gb wan in and 1 2.5gb lan. which was more than enough more my measly 1-2gb internet.

so for example, setting 192.168.8.170 on the clients as the only allowed IP aswell as the server would do what i need? thanks for helping trying to navigate my labyrinth of networking :P

For client example [Interface] Address = 10.0.0.3/24 ListenPort = 51820 PrivateKey = magic numbers

[Peer] PublicKey = magic numbers

PresharedKey = magic numbers

AllowedIPs = 192.168.8.170 Endpoint = magic numbers"

For server example

peers = [

{ #friend1 publicKey = “magic numbers and letters”; allowedIPs = [ “192.168.8.170/24” ]; endpoint = “magic numbers and letters”; presharedKey = “magic numbers and letters”; persistentKeepalive = 25; }

{ # My phone publicKey = “magic numbers and letters”; allowedIPs = [ “192.168.8.170/24” ]; endpoint = “magic numbers and letters”; presharedKey = “magic numbers and letters”; persistentKeepalive = 25; }

{# friend 2 publicKey = “magic numbers and letters”; allowedIPs = [ “192.168.8.170/24” ]; endpoint = “magic numbers and letters”; presharedKey = “magic numbers and letters”; persistentKeepalive = 25;

} {# friend 3 publicKey = “magic numbers and letters”; allowedIPs = [ “192.168.8.170/24” ]; endpoint = “magic numbers and letters”; presharedKey = “magic numbers and letters”; persistentKeepalive = 25; }

neat web app! the drawings kinda suck tho, but thats just a skill issue on my part :P

so if i understand this correctly, it runs a docker container to which runs the wireguard server and then you just specify hostname/ip adress for the services, then when sombody tunnels in they have acess to only the services specifide in config file? if so looks pretty useful!, i just question what happens to the rest of the traffic? is it locally routed in my network or client side? im not very familiar with proxys, i know what they are but have never really messed with one. Thanks for sharing

ok ill try to explain to the best of my ability and simply it.

i no longer want to use tailscale, because of accounts. i used to use tailscale for the minecraft server i want my friends to be able to acess only 192.168.8.170 on my local network and all other traffic to not be routed through my vpn but my friends to have acess to there internet on there LAN. example, we can play minecraft on the server on my network and we can be in a group call in signal. meaning friend 1 and 2 are using there internet connection locally, and only 192.168.8.170 being routed.

We also had some connectivity issues with tailscale, where friend 1 would be on and friend 2 would lag out of the server randomly. when if we played a game through steam we wouldnt have any connection issues. my friend is also very forgetful and cant log into his tailscale account, which is another reason why i wanna ditch tailscale.

so my friends wiregaurd config is

Old Client Config

"[Interface] Address = 10.0.0.3/24 ListenPort = 51820 PrivateKey = magic numbers

[Peer] PublicKey = magic numbers PresharedKey = magic numbers AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = magic numbers"

So if i understand the article correctly, i need to change it to

New client config

"[Interface] Address = 10.0.0.3/24 ListenPort = 51820 PrivateKey = magic numbers

[Peer] PublicKey = magic numbers

PresharedKey = magic numbers

AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = magic numbers" Split tunneling: Exclude certain traffic from the VPN

PostUp = ip rule add from 192.168.50.0/24 table main

PostDown = ip rule delete from 192.168.50.0/24 table main

my friends LAN is 192.168.50.0/0 so im assuming were just trying to tell wireguard that anything within my friends subnet doesnt get routed? which means he will still be able to reach HigherGround@'192.168.8.170? and all of his other traffic will be local to him and go through his router?

im confused what “table” and “main” are im assuming its apart of iptables rules? im pretty new to IP tables so forgive me for my lack of understanding. i know its basically a linux purest firewall LMAO,

Then on my server i would edit

This allows the wireguard server to route your traffic to the internet and hence be like a VPN

  postUp = ''
    ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
  '';

  # Undo the above
  preDown = ''
    ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
  '';

And make it like this?

This allows the wireguard server to route your traffic to the internet and hence be like a VPN

  postUp = ''
    ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
    ${pkgs.busybox/bin/ip rule add from 192.168.50.0/24 table main
  '';

  # Undo the above
  preDown = ''
    ip rule add from 192.168.1.0/24 table main
    ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
    ${pkgs.busybox/bin/ip rule delete from 192.168.50.0/24 table main
  '';

Right? or is step 4 on the client still? its not very clear in the article thanks for helping out!

gronk use ms paint to describe. gronk bad at explaining so he draws pretty pictures :P

Honestly for saying it deanonizes people is a bit of a fibracation. Yes theoretically a threat actor could figure out what clould flare DNS sever it is. But that really doesnt do much realistically. For example qouting the researcher “i live in new york and my closest data center is in new Jersey”. Realistically what can a hacker do with that, other than know you live somewhere near new Jersey. The threat actor would gain very little and the information they supposedly gained isnt verifiable. You live near NJ but to the threat actor they would assume you live in NJ. Which is a red hairing, and thats not even bring up VPN’s or TOR into the equations. Which 99% of journalist use all the time for amenity. So in conclusion the information they gain is about the same as saying “i may or may not be near this cloudflare server”

"What do you mean mr computer man? I just turned on my chrome book and am watching tiktok while writting this comment. Mr computer man why cant i just unlock everything. Stop using fancy techno bable like TCIP and AES? I just want a sticky note with the master key, i also want the key to narinia and the ability to teleport. Mr techno man, please and thank you. Mr robit give me the master key like in 1995 hackers with the shitty ass mini glasses and the random terminal output "

Some people speak of things they dont comprehend and try to give advice beyond there intelligence.

I never used a proxy. I have it setup that gluetun opens port 8080 as the network host. So all traffic is routed through gluetun, i verified it by installing traceroute in the searx container.

Thats my whole stack

yeah its S tier!

Give cave johnson the lemmons?

Barbra age 23 works nighshift

It depends on the model of the computer. I have personally librebooted a t440p thinkpad and although perhaps a usb controller can be reprogrammed. Id fine that highly unlikely, i had to buy a specific programmer, then realized the kind people on the libre boot form recommended a raspberry pi to program the ROM chips on the thinkpad. I then had to deconstruct the thinkpad to get acess to the 2 chips on the motherboard housing 2 firmwares. For the BIOs, i believe that it is highly unprobable for a usb port to re-program a usb HID device like a keyboard, mouse or camera. There a specific chips that are ESP programmers they are designed in a very particular way and exclusively are for programing and reading. Most chips are read only chips on USB devices for long jevity. And technically you can reprogram them, however you need an ESP programmer to connect to them and flash. And lets say theoretically you reprogram them with malware, it would be extremely hard to guess the manufacture of the usb controller chip as well as the layout of what pin does what. It was very complex to program an bios chip and certain models of computers have multible chip for certain things like firmware blobs. I think the artical is highly theoretical and never showed any real exploits being used in the wild. Im not an electronics engineer or anything but from what i know about playing with libre boot and arduinos it sounds unrealistic like 1995s hackers/watch dogs to reprogram usb bus’s with a built in usb bus.

“If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.”

This is untrue, the previous owner can theoretically get a virus that if the virus takes advantage of architecture exploits or zerodays. It could install a malicious firmware blob within your bios. The odds of this a rather rare and would rather half to be a widespread issue with the chipset. Or a threat actor would need to know the exact firmware and model of your motherboard. Flashing a new bios or updating your bios clears the chip that stores your boot firmware.

Malware lives on storage, an ssd or hardive can harbor malware as an infected OS. Some malware can live in RAM, but ram is cleared on a power cycle. If you got a used laptop and you update the bios and reinstall your os your fine, the OS should have proper sandboxing and seperated permissons. The cpu being old in certain models can be mitigated with patches and bios updates. However newer also doesnt mean more secure, certain am4 cpus had architectural flaws. At pwn-to-own buch of hackers using zero days to unlock heated seats on a tesla without paying the stupid subscription because of the CPU flaw and ram buffers.

And if you want to get tin foil hatty. How do you know you werent man in the middled when you bought a laptop from a retailer. What if a bad actor installed or tampered with the new laptop you bought. And now is less secure than a second hand laptop because joe down the street doesnt care what you do with the laptop as long as he gets paid. Or vice versa, how do you know joe didnt install malware on the pc so he can sell your information on the dark web??

And realistically there are alot of an attack surface for any device. Lets say you have your laptop and sombody steals it. Your using LUKS full disk encryption right? Lets say you did for this example, your headers for decryption are plaintext on boot. So a threat actor can use brutforce to crack your disk. You can setup LUKS to have your headers on a separate disk that you take with you. Its the equivalent of taking away a lock and a key. So all the threat actor is left with is a door. I can go on for hours about potential attack surfaces, TPM, secure boot, Intel management engine, ISP’s, SSD’S vs HDD’s.

“Privacy and Security are a mindset not a tool, device or service”

S tier play, say i want all my money to go to the local childrens hospital aswell as the truck. If it happend to be real (which its not) you helped out sick kids. And you make the spanmer on the other end feel like the peice of shit they are!!

89℅ of all search traffic is through google search. I dont like microsoft or apple, but 89% is ridiculously high and a monopolistic by all means. I hope google sells chrome