Especially with music, if any of this is plain HTTP (or any other plaintext, non-encrypted protocol) and you live in a lawsuit happy jurisdiction you might end up with piracy letters in the mail.
Especially with music, if any of this is plain HTTP (or any other plaintext, non-encrypted protocol) and you live in a lawsuit happy jurisdiction you might end up with piracy letters in the mail.
Can’t tell if you’re riding the cliche or serious
I’m thinking of building my own and having it use Paperless’ API for invoices, receipts, etc.
I finally gave this a go a few days ago but wasn’t in love with the UI. I’d contribute but it’s written in .NET.
I’ll probably build something myself. One thing I’d like to do is have it integrate with other APIs (like Paperless).
I’d curl
from a machine on the same WiFi network as the phones just to confirm that HTTP is working. That way you’re not dependent on browsers that can be more finicky for debugging.
GL.iNet actually has a decent UI too. When I’m on the road I don’t necessarily love hitting the CLI (okay fine I secretly do); they keep the updates going for a long time too.
I didn’t have a great reason other than mind-blowing performance on my LAN, and with large files (which I have a lot of) performance is better too. Probably I’m not smart enough to answer this well, but I did just see this today: https://www.phoronix.com/review/linux-611-filesystems/2
I’m a huge fan of XFS for network mounts. I think everyone else here is right that the best filesystem will depend on the OS, and picking one to make it compatible with everything has serious tradeoffs.
I’ve just discovered this today too! I’m not even sure how to find my key (Proton user too). I’ve admittedly not spent too much time understanding PGP since basically no one uses it.
pfSense is UNIX-based and those commands are generally included with Linux and probably Linux-specific.
I’m running a Raspberry Pi 4 with an array of hard disks. Essentially the entire OS is on a small SSD but because I have so much data I’ve got two traditional HDD drives with XFS and LUKS disk encryption.
I’d say overall it works fantastically, over 802.11ax and Samba I’m pushing about 600-700 Mbps while transferring to the HDD drives.
I usually play around with travel routers and OpenWRT but if I had an old router laying around maybe I’d do something fun with it.
I have a Bluetooth OBD-II scanner that works with Android/iOS but the app I use kind of sucks. Others I’ve found that claim to be something of a maintenance app suck as well.
Sometimes I wish I were an iOS developer.
I’m thinking about the RS6 a lot but really want to put Alpine Linux on it if I can manage it. My reasoning is I already know how to set up a router from scratch on the command line.
OpenWRT is probably easier but I’ve had bad experiences with its UI (and the distro as a whole) in the past, but the version of it on my GL.inet travel router is pretty rock solid though the UI still annoys me and I’d rather do most configuration via SSH.
Does OpenWRT support multiple WireGuard interfaces and VLANs? This is kind of what I’m wanting.
pfSense (I know, it’s UNIX) looked good on paper too but after playing with it on a VPS the UI just seemed overly complex. I don’t want to learn the ins and outs of some weird UI.
You can strike a balance with higher-end (in quality) consumer or small business networking gear.
If it’s in your budget, I’d suggest buying a simple router like the Ubiquiti Edgerouter X, run some Ethernet and rely on a switch and access points for WiFi (I use Ubiquiti U6 Pro but I wouldn’t be too picky about it). I’ve never been into the “mesh” WiFi networking concept because it doesn’t make sense to use the air as your backhaul (if you can help it).
What I wouldn’t recommend is buying some beefed up consumer all-in-one router. It’ll cost a fortune, your coverage won’t be as good and once it’s time to upgrade you’ll be forced to replace the entire thing.
Hopefully this helps.
Forgot to mention that I run a DNS server for blocking too. When using Tailscale I’ve found it’s important to use their resolver as upstream otherwise App Connectors won’t work (the VPN provider tunnels on each VPS routes to different countries so DNS wasn’t in sync). This kind of sucks but I make do with it after a month or two of App Connectors being very iffy.
Your setup looks more advanced than mine, and I’d really like to do something similar. I’m just going to copy/paste what I have with some addresses replaced by:
VPN_IPV4_CLIENT_ADDRESS
: The WireGuard IPv4 address of the VPN provider’s interface (e.g. 172.0.0.1)
VPN_IPV6_CLIENT_ADDRESS
: The WireGuard IPv6 address of the VPN provider’s interface
VPN_IPV6_CLIENT_ADDRESS_PLUS_ONE
: The next IPv6 address that comes after VPN_IPV6_CLIENT_ADDRESS
. I can’t remember the logic behinds this but I’d found an article online explaining it.
WG_INTERFACE
: The WireGuard network interface name (e.g. wg0) for the commercial VPN
I left 100.64.0.0/10
, fd7a:115c:a1e0::/96
in my example because those are the networks Tailscale traffic will come from. I also left tailscale0
because that is the typical interface. Obviously these can be changed to support any network.
I’m using Alpine Linux so I don’t have the PostUp
, PostDown
, etc. in my WireGuard configuration. I’m not using wg-quick
at all.
Before I hit paste, one thing I’ll say is I haven’t addressed the “kill switch” yet. But so far (~4 months) when the VPN provider’s tunnel goes down nothing leaks. 🤞
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -p
ip link add dev WG_INTERFACE type wireguard
ip addr add VPN_IPV4_CLIENT_ADDRESS/32 dev WG_INTERFACE
ip -6 addr add VPN_IPV6_CLIENT_ADDRESS/127 dev WG_INTERFACE
wg setconf WG_INTERFACE /etc/wireguard/WG_INTERFACE.conf
ip link set up dev WG_INTERFACE
iptables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
iptables -t nat -A POSTROUTING -o WG_INTERFACE -s 100.64.0.0/10 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -s fd7a:115c:a1e0::/96 -j MASQUERADE
iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
iptables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
ip6tables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
mkdir -p /etc/iproute2/rt_tables
echo "70 wg" >> /etc/iproute2/rt_tables
echo "80 tailscale" >> /etc/iproute2/rt_tables
ip rule add from 100.64.0.0/10 table tailscale
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table tailscale
ip -6 rule add from fd7a:115c:a1e0::/96 table tailscale
ip -6 route add default via VPN_IPV6_CLIENT_ADDRESS_PLUS_1 dev WG_INTERFACE table tailscale
ip rule add from VPN_IPV4_CLIENT_ADDRESS/32 table wg
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table wg
service tailscale start
rc-update add tailscale default
iptables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT
ip6tables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT
service unbound start
rc-update add unbound default
/sbin/iptables-save > /etc/iptables/rules-save
/sbin/ip6tables-save > /etc/ip6tables/rules-save
tailscale up --accept-dns=false --accept-routes --advertise-exit-node
I’m at the point where I want to just build it but it’s a matter of free time (I’m a full time web developer with a side business). Also, I wouldn’t know where to source car maintenance schedules.
I use Tailscale to do this. I install the software on everything I can, but for resources on the LAN that don’t have Tailscale running I use its Subnet Router feature to masquerade the traffic and connect to those clients.
As for the commercial VPN, it’s a bit more involved. I have a few Exit Nodes (VPS) that take incoming Tailscale traffic destined to the Internet and re-route it via the commercial VPN’s WireGuard network interface.
This was a huge challenge for me (lots of iptables
, ip6tables
rules) but I have it down to a reproducible script I can provide if you’d like an example.
My next goal is to containerize the two VPS servers into one with Docker. Tailscale is a bit annoying that you can’t have multiple Nodes running on the same machine (hence my temporary two VPS solution).
Note: capitalized terms are Tailscale feature names
Plain HTTP means anyone between you and the server can see those credentials and gain access.
It it using HTTP Basic Auth by chance? It would be so easy to put nginx (or some other reverse proxy with TLS) in front and just pass the authentication headers.