[HN Gopher] Build your own private WireGuard VPN with PiVPN
___________________________________________________________________
Build your own private WireGuard VPN with PiVPN
Author : ingve
Score : 402 points
Date : 2023-05-05 11:49 UTC (11 hours ago)
(HTM) web link (www.jeffgeerling.com)
(TXT) w3m dump (www.jeffgeerling.com)
| tristanb wrote:
| I run my own WireGuard VPN for my home devices, and I have had a
| hell of a time getting MDNS to work over it. I tried various
| reflectors and couldn't get them to work, has anyone made this
| simple?
| blutack wrote:
| If your router supports OpenWRT that's a good alternative that
| doesn't require any additional boxes/boards and is simpler to set
| up networking-wise.
|
| There's a nice UI that generates the QR codes or config files
| ready for import into client devices.
|
| 1: https://openwrt.org/docs/guide-user/services/vpn/wireguard/b...
| alpenbazi wrote:
| OpenWRT on a BananaPI R2 with WG works like a charm for ~ 2
| years now
| flas9sd wrote:
| yes the webui now has some convenience options for generating
| and importing configs, but there's still a gap (as in default
| package installed) in client profile management or network
| management on cli.
|
| What pivpn (and similar tooling wrapping lower level commands)
| bring along is this client management and even some network
| topology/routing management: https://docs.pivpn.io/wireguard/
| and
| https://github.com/pivpn/pivpn/tree/master/scripts/wireguard
|
| I think it's an interesting spectrum between wg-cli and
| tailscale.
| goodpoint wrote:
| curl | bash ?? For something as critical as a VPN? No thanks.
|
| You know you can just do apt install wireguard right?
| ye-olde-sysrq wrote:
| I run wg-easy https://github.com/WeeJeWel/wg-easy for this sort
| of thing. I use the docker container, and it's great. "Just
| works".
|
| Also, unrelated, I just decided I don't like the sentiment of
| "PiMyProjectName" branding. I know most projects don't _just_ run
| on a Pi, and that the intent is to say "you can self-host
| thing", but at this point if you want to run a home server sort
| of thing, just buy some cheap 100-200 dollar minipc thing. That's
| how much you'd pay for a Pi now anyway, and it comes with such
| great features as:
|
| * just establishing an ssh connection doesn't take multiple
| seconds
|
| * the ethernet doesn't go over a usb hub
|
| * it doesn't run on an sd card that is going to fail within a
| year
|
| I'm pretty dismissive of ARM chips for homelab stuff at this
| point. There's super cheap minipcs with "real" processors that
| will just destroy even an expensive ARM board.
|
| Pi's shine with their ability to run both a real/full Linux and
| also do gpio type stuff that otherwise is usually an arduino
| board. I don't have anything against low-level programming but
| damn is it just a lot more fun to do in python. I love the Rpi
| zero w 2 products for this, just enough juice to run wifi and a
| python loop, plus the gpio pins. Too bad they've been sold out
| for literally years.
| lxgr wrote:
| > I run wg-easy https://github.com/WeeJeWel/wg-easy for this
| sort of thing. I use the docker container, and it's great.
| "Just works".
|
| This looks great, thank you! My current home router(s)
| fortunately support Wireguard natively, but I'll look into this
| if I'm ever again forced to use a shitty CPE.
|
| > I'm pretty dismissive of ARM chips for homelab stuff at this
| point. There's super cheap minipcs with "real" processors [...]
|
| What makes an ARM SoC a "non-real processor"? I'm typing this
| on a laptop with an ARM CPU, and it's the fastest hardware I've
| ever worked on.
| askiiart wrote:
| Sure, some stuff doesn't run on ARM, but a lot does. Plus,
| you can get decent ARM processors for cheap, whereas for the
| same price the best you'd get would be a Celeron.
| sgtnoodle wrote:
| The "decent ARM processors for cheap" seem comparable to a
| Celeron performance-wise, don't they?
| 1vuio0pswjnm7 wrote:
| What is conveniently overlooked in these neverending^1 HN
| comments that dismiss RPi as "inferior" is that (a) RPi is a
| brand, (b) people are familiar with and trust the brand and (c)
| when everyone is doing their projects on the same hardware it
| avoids compatibility disclaimers like "This project is
| tested on X. It may or may not work on Y." It obviates
| consideration of "hardware compatibility". With the RPi people
| know exactly what hardware to buy. Even if the hardware is
| overpriced or underpowered, synergies are created when everyone
| is using the same hardware. IMHO, one cannot discount the value
| of that, but these comments downgrading the RPi always do. Of
| course there are better choices for hardware than the RPi, and
| perhaps without the supply issues, but good luck getting
| everyone to buy the same thing so that projects do not have to
| account for "hardware compatibility".
|
| 1. Eleven years and counting
| marwatk wrote:
| I love these things:
|
| https://www.aliexpress.us/item/3256804116114245.html
|
| There are a few suppliers, but the 4x Intel NICs open up lots
| of possibilities. They're very low power, but still fast
| enough to handle a lot of traffic.
|
| I run VMWare ESXi on mine and use openwrt for my router on
| two ports and then a general purpose server in another VM.
| jmole wrote:
| I've been curious about the performance gap here - you can open
| htop on a pi 4 and see that CPU utilization is relatively low,
| ~33% out of 400%, something like that, and yet some operations
| seem like they take 5-6x longer than they ought to on a
| "normal" computer.
|
| Is it all down to the file system? Is the CPU just in interrupt
| overload all the time? I wish I had a better understanding of
| the issue here.
| znpy wrote:
| What do you expect from a computer that's completely powered
| with less than 10W?
| AnthonyMouse wrote:
| CPU load metrics are averages, typically over e.g. a second.
| Many operations take less time than that. If something takes
| 300ms on a Pi and 50ms on a PC, the Pi is six times slower in
| observed latency but will still only show <33% CPU
| utilization when averaged over a second. Some of the metrics
| are over even longer periods of time. The Linux load average
| metrics are 1 minute, 5 minute and 15 minute. You can have
| your ssh handshake take 20 full seconds with a CPU core at
| 100% and still see a 0.33 load average. And having three more
| cores available does nothing even when the system is busy if
| the application is single-threaded.
|
| The small boards also typically have much slower I/O and less
| memory. On a PC with 16GB of RAM running as a server, usually
| the whole OS will end up cached in memory. A Raspberry Pi
| with less RAM is more likely to have to evict from the page
| cache, and then read it back from a slow SD card.
| bombcar wrote:
| If you need Pi like but not specifically a Pi check out the
| Rock5B: https://www.sevarg.net/2023/01/01/battle-of-the-boards-2023/
| joshbaptiste wrote:
| Alternative SBCs I've been looking at are the Orange PI 5,
| Khadas VIM1S, NanoPi R6S
|
| https://hackerboards.com/
| all2 wrote:
| You might also take a look at https://ameridroid.com. They
| have a bunch of boards. The brand I'm a fan of is ODroid.
| yonatan8070 wrote:
| The Pis shine primarily in terms of power consumption, under
| load, a mini PC could consume 50W, where a Pi (and other ARM
| boards) will do an absolute maximum of 15W. And if you have
| multiple devices that run 24/7, that could be a significant
| saving
| Lendal wrote:
| Just have to pay attention and be picky while shopping for
| the mini pc. Yes most of them are way over 15W but you can
| find them under 15W. My Quieter3Q for instance is fanless &
| runs on a Celeron in just 15W. I love it, but one annoyance
| is, it does not come back on by itself after a power
| interruption.
| paol wrote:
| > it does not come back on by itself after a power
| interruption.
|
| Most BIOSes have an option for that. Did you check?
| zamadatix wrote:
| Like others have said, the PCs you're looking at might be
| mini in form factor but specced like more traditional desktops.
| There are plenty of mini PC options that compete at 15
| watts and lower range. One example I use is
| https://www.amazon.com/Computer-Windows-Dual-Band-Bluetooth-....
| This gets you built in 128 GB eMMC, dual
| display output, more USB 3, about the same overall CPU
| performance but significantly higher single core scores, an
| open native SATA slot. Similarly there are boards even
| cheaper than this passively cooled, and will pull less than
| 15 watts under load as measured from the wall while being in
| a preassembled case.
|
| The best part is it's easier to scale to your needs. E.g. if
| a single $200 box can get the latest generation CPUs that
| will absolutely demolish these cheap ARM boards in perf/watt,
| come with PCIe m.2 drives, support higher RAM limits, and
| have GPUs that are more on the usable side of things. As a
| result it can do the work of multiple devices (if you don't
| need them to be physically separate of course) and will last
| significantly longer in terms of usability.
| vladgur wrote:
| Wow thanks for sharing. That's a pretty amazing box,
| curious what it's TDP and noise characteristics are
| zamadatix wrote:
| Wattage for the whole thing is as mentioned, TDP of just
| the CPU is 4 to 6 watt (configurable). This particular
| one has a fan which will kick in if you run it hard for
| long periods, for true fanless I'd suggest the B1 instead.
| Or if you go for the splurge.
| ElectricalUnion wrote:
| If you need to pull 50W from a mini PC constantly, you
| probably can't run that same load (without horrible latency,
| throughput and stability issues) on a 15W ARM SBC to begin
| with.
| tlamponi wrote:
| But the Pi also needs to run much longer under full load to
| achieve the same as a modern mini PC, so it might be still
| canceled out in terms of total power use.
|
| Raspberry Pi chip sets are always older (less efficient
| lithography/structure size) ones, as they take over the ones
| currently being phased out for industrial use (so they get
| them cheap). Those have a hard time competing with e.g., a
| modern Intel N100 CPU which has a TDP of 6W but at the same
| time 4 cores with a max freq. of 3.5 GHz and can even use
| DDR5 (or LPDDR5 for low power) and is available in many form
| factors, often fanless with a metal body as cooler at about
| 150EUR (if lucky) to 200EUR and those models then even
| including (often multiple) 2.5Gb Ethernet ports and NVMe M.2
| slot.
|
| That makes it at least for me an easy choice, and I am indeed
| looking out for using less power but still getting stuff done
| somewhat quickly.
| vanilla_nut wrote:
| Additionally, my home Pi4 sits in a metal case that acts as a
| heat sink so I don't have to use a fan at all. That
| translates to:
|
| - additional energy savings
|
| - more or less eliminated need to clean out dust or
| eventually replace a fan
|
| - no fan noise, a massive boon if you live in a small
| apartment and don't have a closet or basement you can toss
| the server into for noise insulation
|
| I suppose if I did serious number crunching on my home
| server, I'd need something beefier... but I've been running a
| VPN, a Minecraft server, a streaming media server, and a DNS
| server on my Pi4 for more than 3 years now. Only during media
| scans do I feel any slowness.
| sedatk wrote:
| There are fanless mini PCs too:
| https://news.ycombinator.com/item?id=35831087
| AnthonyMouse wrote:
| The trouble there is if you're actually compute bound, the
| Pi's performance is also a lot worse, and if you're not, you
| should be comparing the idle power consumption. There are
| plenty of PCs that idle at under 10W.
|
| PCs also support arbitrary amounts of memory, so you can
| often avoid needing multiple devices by using virtualization.
| manmal wrote:
| Indeed. You can build a power saving PC with eg a used Fujitsu
| D3401 board and a used Skylake or Kaby Lake CPU, or just get a
| used Esprimo P756/757 tower (E90+ for lower idle power) for 100
| bucks or less. Those should idle at ca 15W (without spinning
| HDDs). And you can put in 4+ SATA HDDs, which is way more
| reliable than using an USB enclosure. Works great as an
| Ubuntu/ZFS server or with unRAID. Beats any Synology NAS in
| almost every metric.
| 0xcde4c3db wrote:
| > just get a used Esprimo P756/757 tower (E90+ for lower idle
| power) for 100 bucks or less
|
| Are these still readily available somewhere? All I can find
| are a tiny handful of $300+ listings and RAM upgrade spam.
| manmal wrote:
| I bought a P765 tower last week for EUR 90 (incl shipping)
| off a German eBay listing (commercial, so I can even deduct
| VAT). Not sure about other parts of the world, sorry!
| sgtnoodle wrote:
| The Pi 4's Ethernet is pci-e now, and its USB3 ports are as
| well. The USB2 ports are still terribly inefficient.
|
| About 8 years ago, I switched my home server from a pi to an
| Intel baytrail based system. I put it all together myself in a
| cube shaped case. It is passively cooled and runs off a 12V 2A
| power brick. I filled the space for the PSU with two 3.5" hard
| drive hot swap bays. I keep one drive in and synchronized to my
| desktop over the network, and pop another one in when it's time
| to make a cold backup. It's served me very well.
| txdv wrote:
| Yeah, I agree, I am a geek though and wanted a linux machine
| with arm so I could do some assembly hacking on it (nothing
| serious). Just the general geek factor I think makes a lot of
| people buy it.
|
| I use the Argon case with ssd over usb, since the sd cards
| failed like after 2 weeks. For me it is perfect, I get to host
| all my minimal things (vpn, ssh over it, host photos, videos,
| run a few services) and it is like super energy efficient,
| although that efficiency is more of an ego boost than actual
| use.
|
| I think there are a lot of atom mini pcs which have normal
| ethernet and m2 connectors that are a better alternative.
| codetrotter wrote:
| > it doesn't run on an sd card that is going to fail within a
| year
|
| The Raspberry Pi Compute Module 4 has variants with eMMC, which
| is better than using an SD-card.
|
| Additionally, there are adapters to use NVMe drives and you can
| boot from them. I've done so with a few RPi CM4, to varying
| degrees of luck. One of them works perfectly, another one did
| not. Currently waiting for more of the same adapter I used for
| the first one and hopefully this will allow the additional ones
| to work as well as the first one is doing.
| victor106 wrote:
| > I'm pretty dismissive of ARM chips for homelab stuff at this
| point
|
| What about Mac Mini? The latest version runs on M2
| AnthonyMouse wrote:
| The cheapest M2 Mini is $600. That's generally overkill for
| personal servers. They also have an unknown reliability
| record, and the older Mac Minis had a tendency to eat storage
| devices by limiting "fan noise" until temperatures were at
| the upper threshold of the spec. In the new ones the storage
| is permanently attached, which is... worrying.
|
| One of the better options if you don't need a lot of internal
| storage is old laptops. They're cheap, low power, have a
| built-in monitor and keyboard and you don't need a separate
| UPS (who cares if the internal battery "only" lasts an hour).
| Lendal wrote:
| The Mac Mini is pretty tempting, but I wanted something even
| lower-power. 15W is possible for Celeron mini pcs. They are
| around. I ended up getting a Quieter3Q which is a Celeron-based
| 15W, fanless and cheaper than a Mac Mini.
| mmlkrx wrote:
| Another simple solution I installed on my existing server in
| actually 5 min via docker run is https://github.com/WeeJeWel/wg-easy.
| The interface is very simple, and all in all it took 10 min
| to have the VPN up and running, download the client applications,
| and connect to it!
| vxNsr wrote:
| Yea this is the route I took, I'm a sucker for a good gui, and
| this is super simple.
|
| If you use cloudflare for your domain you can use cloudflare-ddns[0]
| to automatically update your ip if/when it changes.
|
| [0] https://github.com/timothymiller/cloudflare-ddns
| briancmoses wrote:
| At the price Raspberry Pis are being sold (scalped) for it's
| discouraging and disappointing to see content creators
| continually going to that well.
|
| You can buy a travel router like the GL.iNet GL-SFT1200 (Opal)
| for $39.99. All of Gl.iNet's devices run OpenWRT already. Setting
| up Wireguard on OpenWRT is easy, and using Tailscale is even
| easier!
|
| Edit: Jeff's been creating awesome Raspberry Pi content for a
| long time and I'm glad that he's not stopping given the current
| circumstances. I hope that his audience has an abundant supply of
| unused RPis looking to be utilized.
|
| In Jeff's shoes I'd want to speak to those in his audience who
| DON'T have a Raspberry Pi and save them from paying scalpers'
| prices until things return to normal--assuming that they ever do.
| aborsy wrote:
| Any concerns over routers made in China?
|
| It's true that a lot of chips are made in China. Nevertheless,
| the question remains.
| _joel wrote:
| the gl-inet stuff runs OpenWRT just with another interface,
| you can flash with vanilla but I've never seen anything dodgy
| on the ones I've played with.
| chabad360 wrote:
| It's actually not simple currently to use Tailscale as an exit
| node on GL.iNet routers (due to some conflict with mwan3).
| That's besides the fact that the cheaper routers in their
| lineup are not very performant and as a sibling mentioned, not
| capable of running Tailscale.
| 7839284023 wrote:
| > GL.iNet GL-SFT1200 (Opal)
|
| According to https://docs.gl-inet.com/en/4/tutorials/tailscale/
| the GL-SFT1200 (Opal) does not support Tailscale but different
| models from GL.iNet do.
| shocks wrote:
| Did you read the article?
|
| > PiVPN, luckily, runs on any other Pi-like device, though, as
| long as it's running a Debian or Pi-OS-like distro.
| LeSaucy wrote:
| So...Linux?
| Shared404 wrote:
| To me it sounds a bit more restricted than any Linux.
|
| Any Debian isn't too bad though.
| ryanpandya wrote:
| ARM architecture I guess
| fuzzbazz wrote:
| under Features in [1]:
|
| * Doesn't need to be a Raspberry Pi(tm), It runs on any
| x86_64 system
|
| [1] https://pivpn.io/
| chaxor wrote:
| Base wireguard is pretty easy to setup, especially with wg-quick,
| so idk why anything would be required to make it easier. Also,
| Rosenpass is quite great and easy to use, which really improves
| the security further. Hopefully Rosenpass will become part of the
| base implementation at some point.
| a_subsystem wrote:
| People keep saying this, but it hasn't been true for me. I've
| had to reinstall PiVPN a few times, I assume because automatic
| updates may have broken it somehow. I tried manually
| configuring wireguard every time but just could not get it to
| work after hours of trying. PiVPN has always been extremely
| easy to install and configure.
| dspillett wrote:
| Have you tried investigating the config it produces and
| comparing that to what you ended up with on your failed
| attempts? _Way_ back when I first started using OpenVPN
| installing a quick-setup in a VM was how I found a glaring
| mistake I'd been making (with routing, it turned out, not
| the OpenVPN config itself).
|
| Not that it massively matters if you are happy with PiVPN of
| course, but understanding more may help you diagnose issues
| should PiVPN ever fail.
| KaiserPro wrote:
| for one or two devices, yes.
|
| But after that, key and config management becomes a bit more
| challenging.
|
| I have about 14 devices on a VPN, so that uses ansible to make
| sure all the keys are where they should be, and can be rotated
| if needs be.
| wolletd wrote:
| I have a WireGuard VPN with about 250 devices, most of them
| POS machines in the wild. I adopted WireGuard for our first
| machines about half a year before the 1.0 release, so there
| weren't many tools yet.
|
| I piggybacked onto the original configuration file format and
| built myself https://github.com/WolleTD/wg-setup, which helps
| me validate the correctness and uniqueness of new entries,
| hacks names into the entries and even updates an internal DNS
| zone.
|
| I really don't have to care much for key rotation, though. As
| most of the devices are out of our control anyway, they
| aren't allowed to connect to anything inside the VPN. It's
| just for us to connect to them.
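A minimal version of the entry checks wolletd describes, written as an added example for this thread and not taken from wg-setup: it parses the wg-quick config format and reports repeated peer public keys and overlapping AllowedIPs, two mistakes that wg itself does not reject, using a constructed sample config with placeholder keys.

```python
import base64
import binascii
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]  # key -> values; a key such as AllowedIPs may legitimately repeat

def parse_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse wg-quick's INI-like format into the [Interface] section and a list of [Peer] sections."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # base64 '=' padding stays in value
        current.setdefault(key, []).append(value)
    return interface, peers

def decode_key(value: str) -> Optional[bytes]:
    """Return the raw 32 key bytes when value is a well-formed WireGuard key, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == 32 else None

def validate(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    problems: List[str] = []
    interface, peers = parse_conf(text)
    for required in ("PrivateKey", "Address"):
        if required not in interface:
            problems.append(f"[Interface] is missing {required}")
    for value in interface.get("PrivateKey", []):
        if decode_key(value) is None:
            problems.append("[Interface] PrivateKey is not a 32-byte base64 key")
    seen_keys: Dict[str, int] = {}            # public key -> number of the peer that first used it
    seen_nets: List[Tuple[int, object]] = []  # (peer number, network) for every AllowedIPs entry
    for index, peer in enumerate(peers, start=1):
        if "PublicKey" not in peer:
            problems.append(f"peer {index}: no PublicKey")
        for key in peer.get("PublicKey", []):
            if decode_key(key) is None:
                problems.append(f"peer {index}: PublicKey is not a 32-byte base64 key")
            elif key in seen_keys:
                # wg(8) treats a repeated PublicKey as an update of the earlier peer: one entry silently vanishes.
                problems.append(f"peer {index}: PublicKey duplicates peer {seen_keys[key]}")
            else:
                seen_keys[key] = index
        try:
            nets = [ipaddress.ip_network(item.strip(), strict=False)
                    for value in peer.get("AllowedIPs", []) for item in value.split(",") if item.strip()]
        except ValueError as exc:
            problems.append(f"peer {index}: bad AllowedIPs ({exc})")
            continue
        for net in nets:
            for other_index, other in seen_nets:
                if other_index != index and net.version == other.version and net.overlaps(other):
                    # Cryptokey routing maps each destination to exactly one peer, so the later entry
                    # takes the overlapping range away from the earlier one without any warning.
                    problems.append(f"peer {index}: AllowedIPs {net} overlaps {other} of peer {other_index}")
            seen_nets.append((index, net))
    return problems

def placeholder_key(seed: int) -> str:
    # Constructed placeholder: 32 identical bytes, base64 encoded. Real keys come from `wg genkey`.
    return base64.b64encode(bytes([seed]) * 32).decode()

# Constructed sample wg0.conf with two deliberate mistakes: the third peer was copy-pasted from the
# first and kept its PublicKey, and one of its AllowedIPs sits inside the second peer's LAN route.
SAMPLE_CONF = f"""
[Interface]
Address = 10.8.0.1/24
PrivateKey = {placeholder_key(1)}
[Peer]  # laptop
PublicKey = {placeholder_key(2)}
AllowedIPs = 10.8.0.2/32
[Peer]  # phone, which also routes its home LAN
PublicKey = {placeholder_key(3)}
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
[Peer]  # copy-pasted laptop entry that was never given its own key
PublicKey = {placeholder_key(2)}
AllowedIPs = 10.8.0.4/32, 192.168.50.10/32
"""
```

Running `validate(SAMPLE_CONF)` returns the two findings for the third peer; a clean config returns an empty list.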
| firstlink wrote:
| After skimming both the GitHub and the protocol specification
| for rosenpass, I still have no idea what benefit it provides on
| top of wireguard and therefore why I should use it.
| computershit wrote:
| It's below the fold on rosenpass.eu but:
|
| > Rosenpass is a key-exchange protocol using techniques that
| are secure against attacks from quantum computers. It
| achieves the same security guarantees as WireGuard, using two
| strong post-quantum key exchange methods - Classic McEliece
| and Kyber.
|
| > To use Rosenpass, you don't have to get rid of WireGuard;
| Rosenpass handles post-quantum security, WireGuard handles
| pre-quantum security and high-speed data transmission.
| firstlink wrote:
| I saw some references to post-quantum security, but I also
| saw references to something called "Post-Quantum Wireguard"
| so it seemed like that was handled by some other project,
| or at best some sub-component of Rosenpass.
| fionaellie wrote:
| I use DietPi, which includes WireGuard and other things like
| PiHole. I've had my RPi 4 running without issue for more than 2
| years, and can get 200mbps up and down.
| Toutouxc wrote:
| If your main usecase is accessing Home Assistant or exposing a
| few HTTP endpoints from your home network, you're maybe stuck
| under several NATs and you don't mind Cloudflare, then I can't
| not recommend Cloudflare Tunnel. You just run their app on your
| home server, set up forwarding as if you were setting up nginx or
| something, click a few buttons in their GUI and your home stuff
| is online, on HTTPS, with DDoS protection and a nice dashboard.
| And you'll likely easily fit into the free tier.
| beardog wrote:
| If you have the same usecase but DO mind Cloudflare, you can
| rent a cheap server and use SSH reverse TCP tunneling (ssh -R
| 8080:localhost:80 proxy@example.com)
| nirav72 wrote:
| Do you have any security cameras configured in Home assistant
| showing a live feed? Reason I'm asking - it seems that CF has
| some clauses in their TOS that forbid anything but static
| content. So audio/video stream is a no-no. I'm also using CF
| tunnel. Just not for home assistant because of their
| restrictions. For HASS, I go through tailscale.
| divyenduz wrote:
| I have done something similar with Raspberry Pi and Tailscale.
| Really happy with the setup. Almost 6 months in and works like a
| charm.
|
| https://twitter.com/divyenduz/status/1597863894055518208
| bovem wrote:
| Hey I saw you are facing some issue with reauthentication on
| reboot. If you are running it on a docker container then having
| a persistent state directory for tailscale might help
| (TS_STATE_DIR=/var/lib/tailscale).
|
| I use it on my system and it works flawlessly on restarts.
| kgersen wrote:
| I moved to Tailscale, until I find something simpler, I'm not
| moving back.
| lostlogin wrote:
| What would that even look like?
|
| When I set it up it promised a 10 minute install time. For me a
| fair portion of that 10 minutes was trying to work out if it
| was working as my line speed was higher than I thought
| possible. It's scary how quick it is to configure.
| SparkyMcUnicorn wrote:
| Just install tailscale on something in your home network, and
| start it up advertising as an exit node. On your laptop,
| select the exit node from the tailscale menu. Now all your
| internet traffic will go through that machine.
| mightybyte wrote:
| Have you tried Nebula (https://nebula.defined.net)? I set up a
| personal Nebula network a few months ago and have been very
| happy with it thus far. It has the ability to do mesh-style
| direct routing so you don't necessarily have to pay the out-and-back
| latency cost if you're connecting to a location that
| is closer.
| tssva wrote:
| Tailscale peers will directly connect.
| Snawoot wrote:
| Or just consider some HTTP over TLS proxy like this one:
| https://github.com/Snawoot/dumbproxy
|
| It may appear a bit more flexible option, especially if
| forwarding all traffic to VPN entirely is undesirable.
| mdmglr wrote:
| I've recently built a VPN into my network using Cloudflare Zero
| Trust and Cloudflare Tunnels. Highly recommend over maintaining
| Wireguard or anything else. Much more comprehensive security
| controls.
| fionaellie wrote:
| I quickly installed Outline on a free-forever Oracle VPS. This
| might be the best option for someone who doesn't want to buy a
| RPi, worry about SD card corruption, use any additional
| electricity at home, or spend any money. Even with the tiny free
| VPS provided for free, I'm getting great speeds of over 200mbps.
| And you can choose multiple locations to set up your free VPS.
| otterpro wrote:
| Before going on a long 3-month trip to Asia last year, I
| installed WireGuard on my Raspberry Pi 1 (original model B from
| 2012) which was running at home in US. I found PiVPN to be the
| easiest way to install Wireguard. I didn't know if I even needed
| a VPN but I was glad, and I was able to use internet as if I were
| at home. It was weird, but a lot of sites are blocked overseas,
| even though they shouldn't be. For example, I couldn't access
| Homedepot.com. I also couldn't make payment to my Target card as
| the website refused connection. Apparently a lot of US business
| sites refuse to connect from overseas IPs because of too many
| hacking attempts, or they just don't want to deal with it.
| Anyway, I was glad I had set up a VPN before I left for the trip.
|
| Also, the original Pi (2012) was able to run Wireguard well
| enough for light VPN, although I didn't push it too much since I
| didn't use it for anything heavy like video streaming.
| FredPret wrote:
| I have a US-and-Canada based business and I ban customers from
| elsewhere in my T's and C's. Simply because I don't know their
| laws.
|
| I don't outright block them because I myself travel, and some
| foreign laws apply to their citizens wherever they are.
|
| I can completely see why you might want to ban overseas IP
| connections though, and I'll probably do it soon.
| lxgr wrote:
| Banning new signups/sales from overseas IPs can make sense
| for legal, tax, and shipping reasons - but please do provide
| some way for existing customers to access their
| subscriptions/orders/accounts from abroad. International
| travel is a thing.
| FredPret wrote:
| I know! This is why I have it enabled - for me. I'm still
| worried about breaking some EU law without ever knowing it
| though.
| eddieroger wrote:
| I don't know first hand, nor am I speaking for my employer (who
| happens to be one of the two companies you mentioned), but if
| it was me, I would assume that if my company doesn't do
| business outside of the United States, then may as well deny
| traffic for services that wouldn't be available outside of the
| United States, since it is more often than not problematic
| traffic. This means sometimes legit traffic would be
| inconvenienced, as you were, and sorry about that, but it is a
| realistic scenario that the small amount of legit pain is worth
| the incredibly reduced risk footprint. Of course, baddies could
| get VPNs, too, but that's all part of the game.
| lxgr wrote:
| > I would assume that if my company doesn't do business
| outside of the United States
|
| You forgot to consider "any of my company's existing US-
| resident customers temporarily traveling outside of the US".
| LVDOVICVS wrote:
| My Canadian stepfather died. Family is not close and I'm in
| the US. The Canadian newspaper where his obit would be
| doesn't allow connections from the US.
|
| More than a "small amount of legit pain" was the result.
| vlovich123 wrote:
| Was the site unavailable through archive.is?
|
| Also, plenty of people live far away from family and have
| to deal with death (I'm in the same boat). It sucks but I'm
| also curious why the obit was particularly important to you
| because as far as I understand that's typically just a
| small blurb in the newspaper? My family doesn't do obits so
| I'm curious.
|
| Not to minimize what you went through at all, but it's
| interesting in today's times how we expect so much
| immediacy. My immediate family escaped the USSR just before
| it collapsed but my dad's family was stuck in Russia
| and couldn't leave even after it fell. My father had to
| deal with his brother, father, and mother dying within 5
| years or so with no visits in between that time (a
| combination of finances + probably fear about traveling
| back). Comparatively I personally have a much easier time
| in that I at least get to see my family once a year or so.
| Again, in no way a comparison as dealing with loss and
| living far away from family is always hard. Just a
| reflection of how much technology has changed and made
| maintaining more closeness easier (eg video calling).
| eddieroger wrote:
| I am sorry for your loss, and I'm not trying to minimize
| your pain. This is the problem with data, it's unfeeling
| and cold. You and I are two customers of something
| companies with lots more than us, and a spreadsheet doesn't
| capture our pains when we feel them.
| couchand wrote:
| I'm sorry for your loss. Do they have a phone?
| ivanhoe wrote:
| > it is a realistic scenario that the small amount of legit
| pain is worth the incredibly reduced risk footprint.
|
| Well, I guess it depends on the type of attacks one
| experiences, but hackers and spammers who target US-based
| businesses are not idiots, they know how to use vpns and tor
| and proxies. So on a technical level you get close to nothing
| security-wise. You reduce a number of bots and worms randomly
| accessing your servers, can stop some script kiddies who
| don't know better and make life a bit harder to web scrapers
| (but not much) - and that's it.
| lxgr wrote:
| > Apparently a lot of US business sites refuse to connect from
| oversea IP because of too many hacking attempts, or they just
| don't want to deal with it.
|
| Yes, and it's infuriating. For example, it was (and probably
| still is) impossible to access the NY MTA's OMNY portal from
| many, but curiously not all, European countries. The OMNY
| system itself works using foreign cards, but this makes it very
| annoying to download receipts for expense reports.
|
| Another fun one was not being able to cancel some streaming
| service from outside of the US due to the service geoblocking
| their account management site as well. I actually had to use a
| VPN to cancel!
|
| There are countless other examples.
| kybernetyk wrote:
| Can't access homedepot from Germany either. I guess it's HD
| blocking pesky foreigners
| tssva wrote:
| If you don't do business in the EU why accept traffic from
| there and possibly have to deal with GDPR issues.
| oh_sigh wrote:
| That's not how GDPR works but it is a common misconception
| and I can't really blame non-EU businesses for not taking
| the time to understand a foreign law when blocking is so
| easy.
| systemtest wrote:
| It took my team six months to get our company GDPR-compliant,
| and that included hiring three external
| consultants with extensive knowledge of GDPR and its
| implementation across the various EU countries we did
| business in. We were a short-term car rental company, we
| did not earn money with user-tracking, advertising or
| selling user data. But we did process drivers licenses,
| user data, trip data. We had to re-write big parts of our
| car-tracking module because having it tied to the current
| driver (customer) automatically made it personal data,
| which can be requested on demand when the customer wants
| to. It also limited us on what we could log to our
| logging server and store in a database.
|
| I can understand that an American company does not want
| to make such an investment when there is literally 0
| added business value, as EU customers don't shop at that
| company.
| [deleted]
| doix wrote:
| What do you mean? That's pretty much how it works. You
| load up Homedepot website and they along with a bunch of
| 3rd parties that they partner with will start collecting
| data about you and storing it. You can't do that to
| someone from the EU without getting permission along with
| other restrictions.
|
| For Homedepot to comply with GDPR, they would have to
| treat EU and non-EU users differently, or they could just
| block EU. Since you're not trying to sell anything to EU
| users, blocking them makes things easier.
| indeyets wrote:
| GDPR doesn't care about where people are located right
| now. From the GDPR point of view you still have to treat
| EU-residents in a special way, even if they're located in
| US right now.
|
| But EU has less of the leverage if company refuses to do
| business in EU -- that's true.
|
| on the other hand, CCPA is still a thing
| lxgr wrote:
| > treat EU-residents in a special way, even if they're
| located in US right now.
|
| This part of GDPR has always seemed completely
| unpracticable/unenforceable to me. How would a non-EU
| company even know that one of their customers is an EU
| resident and only temporarily visiting? Most services in
| the US aren't asking for my passport, at least.
|
| Practically, I'd assume that this will be interpreted by
| courts to only apply to companies "intentionally doing
| business with/commercially targeting EU residents", which
| is already the case for similar scenarios (e.g. that's
| how, to my understanding, German law requiring _all_
| sites to provide an imprint has been interpreted by
| courts).
|
| In any case, I suppose we'll have to wait for precedent;
| I'm not aware of any at the moment.
| oh_sigh wrote:
| No, it isn't. See article 3, section 2 of the regulation.
| You need to offer goods or services to EU citizens for
| the law to be in effect. If Home Depot doesn't operate in
| Europe, doesn't market to Europeans, doesn't ship to
| Europe, and doesn't offer any services to Europeans, then
| they are not impacted by GDPR.
| doix wrote:
| > 2. This Regulation applies to the processing of
| personal data of data subjects who are in the Union by a
| controller or processor not established in the Union,
| where the processing activities are related to:
|
| > (a) the offering of goods or services, irrespective of
| whether a payment of the data subject is required, to
| such data subjects in the Union; or
|
| > (b) the monitoring of their behaviour as far as their
| behaviour takes place within the Union
|
| Did I quote the correct section? Doesn't collecting all
| the analytics fall under section B? I'm not a lawyer of
| course, but it seems pretty reasonable to me that if you
| have interest in the EU market, blocking them is easier
| than figuring out if GDPR applies to you or not.
|
| Or you could just not spy on your users of course, but I
| guess I'm too pessimistic to see that as an option a
| company would choose.
| ElectricalUnion wrote:
| > You need to offer goods or services to EU citizens for
| the law to be in effect.
|
| You need to not sell goods and services to EU citizens
| for the law to not be in effect.
|
| Even if said citizens are in the US. You don't cease
| being an EU citizen when you're traveling.
| OJFord wrote:
| > For Homedepot to comply with GDPR, they would have to
| treat EU and non-EU users differently, or they could just
| block EU.
|
| Err, or treat everyone in a compliant way?
|
| It's not like you don't already see this within the US
| anyway - particularly California.
| xur17 wrote:
| I believe the California law came after the EU one. And
| it's still easier to just block EU traffic rather than
| spending several weeks implementing GDPR cookie popups.
|
| And if you decide to treat everyone the same way, you
| likely end up with a higher bounce rate for the existing
| US customers. Hence, blocking.
| moffkalast wrote:
| Or they've just forgotten that the world outside ol' Merica
| exists, could be either one.
| Entinel wrote:
| They are an American business that does not deal with
| other countries outside North America. Why would they
| care about the world outside of "ol' Merica?"
| moffkalast wrote:
| Well if they don't want the rest of the world's money,
| that's alright. Someone else will get it instead.
| tssva wrote:
| And they are fine with that just like large numbers of
| retail chains in Europe, Africa, Asia, South America,
| Australia, New Zealand, etc. which don't have a presence
| in the US or other countries outside their own or their
| own economic region. Home Depot does operate stores
| outside the US in Mexico and Canada.
| RockRobotRock wrote:
| Do you know what home depot is? They're a store, that you
| have to like, go to.
| moffkalast wrote:
| Ah my bad. I thought it was like a depot, that you had at
| home. /s
|
| If McDonalds and Aldi can work on multiple continents I'm
| sure it's not logistically impossible.
| kevin_thibedeau wrote:
| Standing up and maintaining a distribution network is
| non-trivial, especially for bulky goods that aren't practical
| for mail order shipping. Home Depot doesn't contract out
| locally sourced production like your examples do.
| yardstick wrote:
| Is GDPR that big of a difference now that California has
| its own strict data privacy laws?
| systemtest wrote:
| Yes. Check below for a comprehensive list of differences.
|
| https://www.cookieyes.com/blog/ccpa-vs-gdpr/
| lxgr wrote:
| So if I order something on Home Depot, the shipment is
| delayed, and I want to check on that (or even just find the
| support phone number, some sites block _all_ HTTP requests
| from foreign IPs!) while I'm traveling out of country, I
| just don't get to do that without a VPN due to GDPR?
| bitlax wrote:
| Did you do anything to handle the event where, say, you lose
| connectivity and the system needs a reboot? Just curious about
| what would be the best way to handle that scenario.
| otterpro wrote:
| While I didn't do this last time, in the future, I would plug
| the Raspberry Pi into one of my smart power outlets (i.e. a Kasa
| wifi power outlet) connected via HomeAssistant, so I can
| remotely restart it if the Raspberry Pi becomes unresponsive. I
| also have another Raspberry Pi (again, the original 2012), so
| I could add redundancy by running second WireVPN on it, too.
| megous wrote:
| You can have local watchdog process and reboot to failsafe
| configuration on next boot. You can also set a timer to do
| this unconditionally when trying a new network configuration.
| darkwater wrote:
| I also did something similar, plus all my home automation which
| is 98% local-first|only. My trip was just 3 weeks but on the
| first day leaving, between one plane and another, my power
| company had a 4-hour extraordinary maintenance cut, my UPS
| didn't last long enough, and with that blackout the RPi SD
| card died and I was locked out of my LAN for the whole trip.
|
| Lesson learned: configure the UPS to communicate with the
| servers and shut them down in a controlled manner when
| batteries are dying.
| momirlan wrote:
| run linux from SSD, can get a cheapo one for less than $25
| these days. the SATA to USB adapter will probably cost as
| much. no more SD issues
| kijiki wrote:
| May or may not work for your usecase, but I have some scripts
| to prepare read-only raspbian images here:
| https://github.com/nolanl/ropi
|
| There are commands to enable/disable read-write mode, so you
| can still make changes and do upgrades.
|
| I've had 0 problems with SDcard death after I started using
| it.
| BrandoElFollito wrote:
| > Apparently a lot of US business sites refuse to connect from
| oversea IP because (...) they just don't want to deal with it
|
| I am French. What I find fascinating is that there are local US
| newspapers (that serve a tiny community) that went through the
| effort to do a geoblock from the EU and put a page along the
| lines "we cannot be compliant with privacy laws in the EU so we
| must block you".
|
| Why do they care at all? How is the EU law relevant to their
| small, local business?
|
| Large companies are different - there could be some litigation
| against their footprint in the EU etc. - but for those who just
| live in the US (or anywhere outside the EU) going the extra
| mile to block because of non compliance is really weird.
| mgbmtl wrote:
| Most small local newspapers are owned by huge megacorps. GDPR
| EU laws and some others explicitly say that they can be
| enforced to entities outside the EU. I don't know if it has
| ever been enforced, except for large multinationals.
|
| The US does do that kind of thing though. As a dev, break
| some law, step foot in the US for a conference, get arrested
| (ex: Sklyarov 2001 case, for breaking PDF encryption).
|
| Although for most financial things, it's common in US/CA to
| block non-local IPs. Heck, I was in Mexico and I couldn't
| login to my provincial government tax portal. There are
| constant security issues with those sites.
| BrandoElFollito wrote:
| > GDPR EU laws and some others explicitly say that they can
| be enforced to entities outside the EU
|
| They can tell whatever they want, but it would need to be a
| US court (in that case) who would do the litigation. Which
| they won't.
|
| > The US does do that kind of thing though. As a dev, break
| some law, step foot in the US for a conference, get
| arrested
|
| yes, this is why I mentioned that my point is only for
| local businesses. Travel or business in the EU can/will be
| problematic.
|
| > Heck, I was in Mexico and I couldn't login to my
| provincial government tax portal. There are constant
| security issues with those sites.
|
| Blocking for security is another thing. Maybe a good idea,
| maybe not - but that's another story.
| lxgr wrote:
| > They can tell whatever they want, but it would need to
| be a US court (in that case) who would do the litigation.
| Which they won't.
|
| That's a pretty incomplete view of how jurisdiction
| works. You do probably need a US court ruling to
| _enforce_ a claim against a US entity - but if that
| entity has any EU subsidiaries or assets, you can bet
| that European courts will come after those.
|
| > Blocking for security is another thing. Maybe a good
| idea, maybe not - but that's another story.
|
| As a customer/taxpayer that needs access to a service
| from abroad, I really don't care _why_ I have to jump
| through hoops to cancel a subscription /order or pay my
| taxes owed.
| BrandoElFollito wrote:
| > That's a pretty incomplete view of how jurisdiction
| works. You do probably need a US court ruling to enforce
| a claim against a US entity - but if that entity has any
| EU subsidiaries or assets, you can bet that European
| courts will come after those.
|
| I am not sure you read my post in details - I explicitly
| mentioned that I am talking about local services, without
| any international footprint. And mentioned that in case
| of this footprint - yes, they will be sought after.
|
| This is also exactly what the US does to enforce their
| "extraterritoriality"
| noizejoy wrote:
| The business may be local but the owner or other
| management or employees may wish to keep all of their
| travel options wide open without fear of some obscure
| foreign law that might hold them individually
| responsible.
|
| The golden days of global network accessibility are
| closing little by little.
| mgbmtl wrote:
| They're maybe local services, but they're not local
| businesses. c.f. my post :)
|
| And they can be enforced not only from assets, but also
| from travel or various financial tools at their disposal.
| (it would be surprising, but for many businesses, it's
| not worth the hassle)
| mattsan wrote:
| I'm sure there are still some people willing to report the
| websites to EU commission, it's a guaranteed fine (less so a
| paycheque, I have no clue if the company has to comply with
| paying it (unless later on they want to expand to the EU))
| BrandoElFollito wrote:
| This is a fine that the EU can issue but why would the
| _local_ business care?
|
| If I was issued a fine by the US, China, India or Japan it
| would directly go to the trashbin. It is their law, and
| their problem, not mine.
|
| Of course this means that I will not be able to do business
| there, if I travel I may be in trouble etc. But again - we
| are talking about small local newspapers (and similar
| businesses).
| ImPostingOnHN wrote:
| between the options of:
|
| A. [re-]architect in GDPR compliance;
|
| B. deal with incoming legal documents, likely can't just
| discard;
|
| C. block country representing tiny share of viewership,
|
| option _C_ seems to present the least hassle
| BrandoElFollito wrote:
| Option D: ask a local lawyer once (100 USD or so) and
| they will confirm that the business can trash such
| foreign requests and be done.
|
| Not sure whether C or D would be more complicated long
| term (you need to manage the geoloc somehow, or outsource
| and pay for the service)
| lxgr wrote:
| Additionally, it shows traveling US-based customers that
| you care about them.
| cronix wrote:
| It's just a lot simpler to block than having to keep up with
| laws in other countries for businesses who don't even do
| business in those countries. It's not like it's hard or time
| consuming to implement, and cheaper than your other
| suggestion further down of consulting a lawyer every time one
| of these pops up, like "do I have to annoy my customers with
| these stupid cookie popups every time they visit?" Why should
| I have to spend a dime for something that is external to my
| company, has nothing to do with it, and have to constantly
| keep on top of it? We don't even sell our services there. Why
| should I even waste the bandwidth? Our firewalls are sure a
| lot less active, as well. Why should I waste time answering
| emails from people we don't sell to? It's better to just not
| get them. I guess my question to you is why do YOU care if
| they're accessible or not? If a (local) business really just
| wants to sell within their own (local) country (or even
| smaller municipality such as state/county/city), is there
| something wrong with blocking everything outside it out and
| just not worrying about it?
| BrandoElFollito wrote:
| > It's just a lot simpler to block than having to keep up
| with laws in other countries for businesses who don't even
| do business in those countries.
|
| Exactly, except that it is just simpler to do _nothing_.
|
| Do you (I assume you are not in any of the countries I
| give as examples, nor travel there) worry about laws in,
| say, China when you state "Taiwan is an independent
| country", or Russia when you say "Russia invaded Ukraine",
| or North Korea when you say "NK is a tyranny", or France
| when you say "Retirement should be at 60 and not 64". No.
| Because the local laws that forbid these statements are,
| well, local. Nobody cares outside of these countries. They
| could send you letters informing that you did wrong and
| that you have to pay 1M USD and you would just put that to
| trash.
|
| > I guess my question to you is why do YOU care if they're
| accessible or not? If a (local) business really just wants
| to sell within their own (local) country (or even smaller
| municipality such as state/county/city), is there something
| wrong with blocking everything outside it out and just not
| worrying about it?
|
| I do not care - it is just that I ended up serendipitously on
| a few of these places and was wondering why they care (I
| would not care about the cookie law in Zimbabwe or
| Patagonia if I had a web site).
| cronix wrote:
| Our hacking attempts dropped by approx 85%, and we use
| less bandwidth. There are other benefits to blocking
| traffic to places where you don't do business.
|
| > They could send you letters informing that you did
| wrong and that you have to pay 1M USD and you would just
| put that to trash.
|
| I think it's just better to not get those letters in the
| first place (any more than spam phone calls or texts) and
| have to waste time reading them, or having to possibly
| consult an attorney over them to see if they have merit.
| It's just not something I want to be bothered with, nor
| should I. It has nothing to do with the company, what we
| do or our customers.
|
| > Do you (I assume you are not in either of the countries
| I give an examples, nor travel there) worry about laws
| in, say, China when you state "Taiwan is an independent
| country", or Russia when you say "Russia invaded
| Ukraine", or North Korea when you say "NK is a tyranny",
| or France when you say "Retirement should be at 60 and
| not 64".
|
| We don't say anything like that on our company sites.
| BrandoElFollito wrote:
| Ah, now I remember how I got to one of these pages. I
| wanted to have a look at the local newspaper of Tuttle,
| Oklahoma because of a funny (and sad for open source
| devs) event that happened there in 2006:
| https://www.theregister.com/2006/03/24/tuttle_centos/. It
| was blocked for GDPR reasons (at the time at least)
| twodave wrote:
| If you're going this far, might as well do as the author did and
| add a pi-hole to the mix, issue some credentials to your phone
| and block ads and/or other stuff via DNS everywhere you go. I
| also use this to remote into my work computer from wherever I am,
| using my travel laptop, an iPad or even just my cell phone.
| abap_rocky wrote:
| This is precisely what I do and it's great. Built myself a
| workstation desktop last year that I wanted to access remotely
| via an older laptop and it's worked beautifully, even when I
| was out in Europe for a week last summer.
| philsnow wrote:
| pihole is really lightweight, you could just run it on your
| local laptop and save yourself the hop to your home network for
| all DNS requests
| twodave wrote:
| I could set up pihole on my local laptop. And on my wife's
| laptop. And on my kids' phones. And on my work laptop. And...
|
| Or I could just set it up on one tiny server (doesn't have to
| be a pi, but I happen to have one that isn't doing anything
| else), point my gateway at it for DNS, and give my whole
| family + any VPN connections filtering for free.
| BrandoElFollito wrote:
| This. I started to tunnel my traffic via my Wireguard VPN (when
| outside) to cut these 30% of connections that are blocked by
| Pihole.
|
| Pihole is really a great piece of work. It uses standard
| components (dnsmasq, standard lists) and does it well. I used
| to have it in a docker container but moved it to the ISP box
| when I got a new one (a French ISP called Free provides you
| with an Internet box that has a built-in VPN (WG or OpenVPN)
| and allows you to create VMs - this is where I ultimately moved
| Pihole because it is my DNS and DHCP server)
| Hamuko wrote:
| I use PiVPN on a Dell Wyse 3040, an absolutely pathetic thin-
| client I got for 67EUR from Ebay, to access my home network. It's
| the only thing accessible from the outside world and it works
| pretty well. Don't remember if I've ever had issues with it.
| lenova wrote:
| I have never met Jeff (the author of this blog post), but I come
| across his work randomly all of the time. Jeff, if you're reading
| this, I've always been impressed by your efforts, you're a
| workhorse!
| _joel wrote:
| Should follow him on youtube, always fun vids.
| geerlingguy wrote:
| Thanks! Didn't think this blog post would hit HN, but
| apparently it did, while I was on a flight back to the US lol.
| I figured most of us here are VPN'ed out.
|
| It served me well on my trip and I was able to see all the
| things from local media that are geo restricted out of the US.
| tzs wrote:
| Up until late 2014 when I occasionally worked at home, I used
| what I called the poor man's VPN. There was one machine at my
| company that I had ssh access to from outside and that could
| reach all the internal machines I needed. Call that machine
| ssh.example.com.
|
| My requirements for comfortably working from home were:
|
| 1. Nothing special needs to be done at work. I don't have to ask
| for anything new to be installed there, or firewall rules to be
| changed, or anything like that.
|
| 2. I wanted to be able to refer to work machines by the same
| names they had on the internal network at work, and I wanted to
| access things on the same ports. A script that worked when run
| from my office should work with no changes when run from my
| living room.
|
| 3. It only needed to support host:port combinations that were
| explicitly specified.
|
| Here's what I did. Let's say I've got 3 machines I need to use:
|
|     db.example.com:   MySQL server
|     mail.example.com: mail server
|     web.example.com:  web server
|
| I need to use MySQL on the first (port 3306), IMAPS on the second
| (port 993), and HTTP/HTTPS on the third (ports 80 and 443), and I
| want to use ssh (port 22) on all of them.
|
| I'd ssh to the machine at work that I have ssh access to, with my
| ssh config file including this:
|
|     Host poor_vpn
|         Hostname ssh.example.com
|         User tzs
|         UserKnownHostsFile ~/.ssh/poor_vpn.hosts
|         LocalForward 7777 db.example.com:22
|         LocalForward 7778 db.example.com:3306
|         LocalForward 7779 mail.example.com:22
|         LocalForward 7780 mail.example.com:993
|         LocalForward 7781 web.example.com:22
|         LocalForward 7782 web.example.com:80
|         LocalForward 7783 web.example.com:443
|
| I'd add this to /etc/hosts:
|
|     10.10.10.1 db.example.com
|     10.10.10.2 mail.example.com
|     10.10.10.3 web.example.com
|
| (My LAN used 192.168.0.x addresses)
|
| Finally, a little ipfw fiddling on my Mac to bring it all
| together:
|
|     ipfw add 100 fwd 127.0.0.1,7777 tcp from any to 10.10.10.1 22
|     ipfw add 101 fwd 127.0.0.1,7778 tcp from any to 10.10.10.1 3306
|     ipfw add 102 fwd 127.0.0.1,7779 tcp from any to 10.10.10.2 22
|     ipfw add 103 fwd 127.0.0.1,7780 tcp from any to 10.10.10.2 993
|     ipfw add 104 fwd 127.0.0.1,7781 tcp from any to 10.10.10.3 22
|     ipfw add 105 fwd 127.0.0.1,7782 tcp from any to 10.10.10.3 80
|     ipfw add 106 fwd 127.0.0.1,7783 tcp from any to 10.10.10.3 443
|
| On Linux that would have been something like this (REDIRECT is a
| jump target, so each rule needs -j):
|
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 22   -j REDIRECT --to-port 7777
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 3306 -j REDIRECT --to-port 7778
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 22   -j REDIRECT --to-port 7779
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 993  -j REDIRECT --to-port 7780
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 22   -j REDIRECT --to-port 7781
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 80   -j REDIRECT --to-port 7782
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 443  -j REDIRECT --to-port 7783
|
| That worked great for several years. I've got a script that can
| take a list of files that describe host:port combinations and
| generate the ssh config, hosts, and ipfw or iptables rules, so it
| was easy to add or remove machines.
|
| It broke in late 2014 when I switched to MacOS Yosemite. Apple had
| switched to using PF in Lion in 2011 and deprecated ipfw, and
| removed it in Yosemite. By then we had an openvpn setup at work
| and I switched to using that.
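The generator script tzs mentions above, written here as an added example rather than the commenter's own code: it takes the post's host:port list and emits the ssh config block, the /etc/hosts entries and the iptables (or ipfw) redirect rules. The 10.10.10.0/24 dummy range, the poor_vpn alias and the 192.168.0.x LAN come from the post; the check that the dummy range does not overlap the LAN is an added safeguard, since the REDIRECT rules would otherwise hijack real LAN traffic.

```python
"""Generate the "poor man's VPN" artifacts from one host:port list.

Input: (hostname, ports) pairs. Output: LocalForward lines for a
~/.ssh/config "Host poor_vpn" block, /etc/hosts entries pinning each work
hostname to a dummy address, and the ipfw or iptables REDIRECT rules that
send dummy_addr:port to the matching local ssh forward port.
Local ports are handed out sequentially starting at 7777.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Forward:
    host: str          # internal work hostname, e.g. db.example.com
    dummy_ip: str      # address /etc/hosts will resolve the hostname to
    remote_port: int   # port on the work host
    local_port: int    # 127.0.0.1 port ssh listens on for this forward


def plan_forwards(services, dummy_net="10.10.10.0/24",
                  lan_net="192.168.0.0/24", first_port=7777):
    """Assign one dummy IP per host and one unique local port per host:port.

    The dummy range must not overlap the real LAN (assumed 192.168.0.x as
    in the post); otherwise the REDIRECT rules would capture LAN traffic.
    """
    dummy = IPv4Network(dummy_net)
    if dummy.overlaps(IPv4Network(lan_net)):
        raise ValueError(f"dummy net {dummy_net} overlaps LAN {lan_net}")
    hosts = list(dummy.hosts())
    if len(services) > len(hosts):
        raise ValueError("dummy network too small for this many hosts")
    forwards, local_port = [], first_port
    for (host, ports), ip in zip(services, hosts):
        if len(set(ports)) != len(ports):
            raise ValueError(f"duplicate port listed for {host}")
        for port in ports:
            if local_port > 65535:
                raise ValueError("ran out of local ports")
            forwards.append(Forward(host, str(ip), port, local_port))
            local_port += 1
    return forwards


def ssh_config(forwards, alias="poor_vpn", jump="ssh.example.com", user="tzs"):
    """The ~/.ssh/config block: one LocalForward per host:port."""
    lines = [f"Host {alias}", f"    Hostname {jump}", f"    User {user}",
             f"    UserKnownHostsFile ~/.ssh/{alias}.hosts"]
    lines += [f"    LocalForward {f.local_port} {f.host}:{f.remote_port}"
              for f in forwards]
    return "\n".join(lines) + "\n"


def hosts_entries(forwards):
    """/etc/hosts lines, one per distinct host, in order of first appearance."""
    pinned = {}
    for f in forwards:
        pinned.setdefault(f.host, f.dummy_ip)
    return "".join(f"{ip} {host}\n" for host, ip in pinned.items())


def iptables_rules(forwards):
    """Linux: redirect locally generated traffic for dummy_ip:port to the
    local ssh forward port (REDIRECT is a jump target, hence -j)."""
    return "".join(
        f"iptables -t nat -A OUTPUT -p tcp -d {f.dummy_ip} "
        f"--dport {f.remote_port} -j REDIRECT --to-port {f.local_port}\n"
        for f in forwards)


def ipfw_rules(forwards, first_rule=100):
    """Pre-Yosemite macOS equivalent using numbered ipfw fwd rules."""
    return "".join(
        f"ipfw add {first_rule + i} fwd 127.0.0.1,{f.local_port} tcp "
        f"from any to {f.dummy_ip} {f.remote_port}\n"
        for i, f in enumerate(forwards))


# Constructed input: the three machines and ports from the post.
SERVICES = [
    ("db.example.com", [22, 3306]),
    ("mail.example.com", [22, 993]),
    ("web.example.com", [22, 80, 443]),
]

if __name__ == "__main__":
    fw = plan_forwards(SERVICES)
    print(ssh_config(fw))
    print(hosts_entries(fw))
    print(iptables_rules(fw))
    print(ipfw_rules(fw))
```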
| rbut wrote:
| Or just use a Mikrotik router which has Wireguard support built-
| in.
| xioxox wrote:
| Yes. My FritzBox also has built-in Wireguard.
| mobilio wrote:
| This is only for Mikrotiks that use an ARM processor. Some older
| ones that run on MIPS don't get this update.
| rbut wrote:
| Wireguard support comes with RouterOS 7 (ros7). I'm running
| ros7 on a MIPS device (mAP) and it works fine. What device(s)
| are you talking about?
| vetinari wrote:
| Wireguard is available on all architectures, since RouterOS
| 7.0.
|
| Zerotier is the arm/arm64-only package that you probably had
| on your mind.
| syntaxing wrote:
| With the cost of raspberry pi nowadays, you're better off buying
| something like a GL.iNet GL-SFT1200 for $40.
| JosephRedfern wrote:
| The article explicitly mentions this: "PiVPN, luckily, runs on
| any other Pi-like device, though, as long as it's running a
| Debian or Pi-OS-like distro. Something like a Libre Computer Le
| Potato should work in a pinch, without breaking the bank--
| though if you want faster networking, you'll have to pony up a
| little more cash, at least until the Pi shortage abates."
| blipvert wrote:
| Taking an opportunity here for a completely shameless plug for an
| enterprise-y wg based corporate VPN. Uses mTLS for device auth,
| wg (obvs), OIDC to authenticate users/set up firewall access
| (Azure AD and Keycloak tested). Runs as a redundant cluster and
| can be hooked in via BGP.
|
| Very early and no docs to speak of yet, but raise an issue if
| interested. Works with standard WireGuard app on
| computers/phones, but an integrated app using the API might be in
| the works ...
|
| https://github.com/davidcoles/gpn
| mobilio wrote:
| Or you can use ZeroTier.
| a_subsystem wrote:
| ZeroTier kept having random disconnects, long wait times until
| connection is established/settled, and desktop app
| weirdness/inconsistencies. Have these problems been fixed?
| (Last used it years ago).
| piceas wrote:
| Yes and no in my experience. The past year I have had some
| trouble but the Linux clients seem to be good again. Win11 is
| getting worse for me unfortunately.
| distantsounds wrote:
| And then you hit CPU bottlenecks whenever you do literally
| anything bandwidth intensive. The limits of using hobbyist
| hardware, you get hobbyist level performance. A Raspberry Pi is a
| _horrible_ solution for running Wireguard. You can get a tiny 1L
| PC running on an actual Intel or AMD processor with far more
| perf/$.
| _joel wrote:
| Wireguard doesn't use any aes cpu functions so it actually is
| highly performant on low end chips vs. OpenVPN. True, you're
| still limited by port speed and such but it's fine for most
| people. If you need more then you're not going to be running it
| on a pi (or old laptop etc) anyway.
| FeistySkink wrote:
| I'm not sure what the max throughput is, but I just tested 50
| Mbit down/80 Mbit up passthrough from a cafe Wi-Fi to my 3B
| with Wireguard (using wg-quick) at home. Seems enough for
| anything I'd use it for.
| geerlingguy wrote:
| My home Internet upload speed is 35 Mbps. A Pi 1 can handle
| that speed, much less a Pi 3 or 4 :)
|
| But the nice thing is PiVPN works great on any little PC. Or
| even a VM.
| FeistySkink wrote:
| That was just my anecdotal point that a Pi can handle
| typical home internet speeds over Wireguard without
| overtaxing the CPU. IMHO, Wireguard's setup is pretty
| trivial as is, especially moving to it after years (decades
| at this point) of various OpenVPN setups that require much
| more tinkering. So no need for external tools. But I'm glad
| they exist for those who find them useful. Either way, keep
| up the good work with your knowledge sharing, I'm a big fan
| of what you do.
| Shared404 wrote:
| Heck, that's more than what most people I know get at home
| xp84 wrote:
| There are some cool HP thin clients available on eBay for a
| fraction of the scarce Pi these days, one of them even has an
| NVMe slot so you can put in a real SSD. If I was doing this
| today I'd use one of those.
|
| Presently my "home server" is only used for home assistant, and
| it runs on a 2011 MacBook Pro with a bad keyboard, running
| Debian. It actually runs so well on Linux that the fan doesn't
| even spin, at least not audibly.
| belthesar wrote:
| Jeff does explicitly call this out in his video, but as sibling
| commenters say, it's really a matter of whether that's enough
| for you. Even 20 Mbit symmetrical would be more than enough for
| me to run a stream from a Plex server while serving other web
| or SSH traffic easily enough. What you do say brings up a
| great point though - if you ran this on a Pi and you're not
| getting the performance you need for your use case, check CPU
| utilization on the Pi, and consider running your VPN on a
| device with more oomph.
| Proven wrote:
| [dead]
| stzsch wrote:
| I keep a pi with wireguard as a way to reboot my homeserver
| remotely if something goes wrong. A gpio pin connected to an
| optocoupler acts as second power switch on the motherboard.
|
| Works well for testing stuff remotely or messing with VPN
| configurations on the server itself without leaving it stranded
| for good.
| eatbitseveryday wrote:
| A nice dynamic DNS provider is afraid.org
| samgranieri wrote:
| I'm using https://github.com/burghardt/easy-wg-quick for this. It
| works beautifully. I simply port forward to my raspberry pi that
| handles all of this.
| gbraad wrote:
| I do tailscale. wireguard and having to host an entrypoint is too
| much trouble
| cloudripper wrote:
| It might be more of a rabbithole, but if you're going the 'self-
| hosting' homelab route, I'm a big fan of OPNsense to give you
| more freedom and control of your network (which has support for
| Wireguard [0]). While ARM support is lacking, it can be run on a
| cheap or spare x86-64 box if you had one.
|
| Otherwise, I really like the premise of Tailscale for quick and
| easy implementation.
|
| [0]: https://docs.opnsense.org/manual/how-tos/wireguard-
| client.ht...
| babuloseo wrote:
| I have tried a lot of wireguard installation solutions, this one
| is pretty great.
| indeyets wrote:
| WireGuard/Tailscale are fine if you don't need to deal with
| state-wide censorship. They might be blocked quite easily.
|
| Outline/Shadowsocks has better chances to keep working (though it
| is not a true vpn, more like a private proxy)
| https://getoutline.org/
| Denvercoder9 wrote:
| In what way is WireGuard easier to block than SOCKS?
| indeyets wrote:
| that's "shadowsocks"
|
| WireGuard is fingerprintable. It's trivial to look at packets,
| see "this is WireGuard", and block them.
|
| Outline traffic looks much more like noise (pre-shared keys,
| lack of handshake, ...)
| Denvercoder9 wrote:
| > that's "shadowsocks"
|
| I'm not familiar with the software, but according to
| Wikipedia it's a client to connect to a SOCKS5 proxy:
|
| > Shadowsocks is not a proxy on its own, but (typically) is
| the client software to help connect to a third-party SOCKS5
| proxy, which is similar to a Secure Shell (SSH) tunnel.
|
| Are you saying that's incorrect?
| indeyets wrote:
| That's an oversimplification. Raw SOCKS5 is a low-level
| thing without encryption.
|
| Shadowsocks puts a solid crypto layer on top of it,
| designed specifically to be hard to detect. Its Chinese
| origin gives a hint here: it was created to circumvent
| detection by the "great firewall".
|
| Outline builds a user-friendly toolset on top of it.
| fasthandle wrote:
| Shadowsocks is defunct now. Has been for a while; a
| connected server's IP can be detected and blocked within
| hours. That means Outline's defunct in a lot of places too.
| What's currently 'hot', in large part, is v2ray [1], be
| that vless, vmess, trojan, etc.
|
| [1] https://zh.m.wikipedia.org/wiki/V2Ray
| [deleted]
| Severian wrote:
| The one problem I encounter with Wireguard is the use of UDP.
| Some publicly accessible Wifi nets at shops don't allow UDP at
| all, and this effectively breaks use of the VPN.
|
| Yeah, there are utilities like setting up udptunnel or udp2raw
| and similar, but what a headache. I really don't agree with
| the Wireguard developers' justification that it makes speeds
| terrible. Who cares? It'll be terrible using those utilities
| anyway. Give us the option, JFC.
| mr_mitm wrote:
| Yeah, OpenVPN even supports authenticated web proxies, which is
| a really nice feature for tunneling. But I realize that I'm
| probably far from a typical user.
| OrderlyTiamat wrote:
| VPN over TCP really is quite a bit slower than over UDP, which
| makes it quite undesirable for me. I think it's quite
| reasonable of them not to want to complicate the wg project by
| adding and maintaining the option of UDP over TCP. Remember, wg
| is supposed to be a minimal project. If you really need TCP
| traffic, you could always use openVPN.
|
| With quic on the way, this problem will diminish with time
| anyway.
| uriah wrote:
| There's complicating the protocol and complicating the
| client. It would definitely be nice if they would add a
| solution to this to the official clients, particularly mobile
| ones. VPN over UDP is quite a bit slower than over TCP when
| the ISP blocks/throttles the UDP traffic...
| cyberpunk wrote:
| A little trick for this is to listen on udp/53 which is almost
| always unblocked, even before captive portals
| unethical_ban wrote:
| Actually, I found ATT blocking inbound port 53 to my home.
| Maybe udp 443 could work?
| KaiserPro wrote:
| yeah high rates of data over port 53 tends to trigger a lot
| of firewalls. I've never had much success with it.
|
| 443 is much more likely to be let past, with the popularity
| of QUIC.
| threeio wrote:
| I once used port 53 for all my communications at a hotel that
| was charging for metered bandwidth by the gb... it was a magical
| weekend of DNS passthrough with video calls, etc.
|
| 53 is my go to port when the network is wonky.
| digitallyfree wrote:
| This is the reason why I still stick with OpenVPN on TCP 443
| for my selfhosted VPN. Yes performance suffers a bit but it
| works absolutely everywhere including behind campus/corp
| firewalls as no one blocks TCP 443. I've tried running a
| separate UDP instance on a different port for situations where
| I need higher performance but for my use cases TCP works fine.
|
| From my experience UDP 53 like another commenter suggested does
| not always work as some firewalls forcibly route all UDP 53
| packets to their own local DNS server in order to prevent
| people from using their own.
|
| As a bonus OpenVPN has the "port-share" option which allows you
| to share the port with other services like an SSL web server.
| SSLH is also an option if you want to host both your VPN and a
| HTTPS site on TCP 443.
| jrm4 wrote:
| Personally, if you're looking for "your own private" thing, I'm a
| much bigger fan of Tinc. The wireguards and zerotiers seem more
| appropriate for bigger, more corporate things?
|
| I do wish Tinc had a slightly easier onboarding process, but once
| it's up, there's a great deal of stuff that I see people dealing
| with that Tinc users don't have to think much about, especially,
| e.g. the Mesh deal.
| spaniard89277 wrote:
| I don't think there is a lot of stuff easier to set up than
| ZeroTier, honestly. For me it has been a godsend.
| jasonjayr wrote:
| Tinc was my goto for years, but there is a non-trivial
| performance penalty for its userspace implementation.
|
| If you can enumerate all your endpoints into wireguard, and
| squint, it'll kinda-sorta act like a mesh.
|
| And if you want to go a little crazy with it, you can run
| https://github.com/m13253/VxWireguard-Generator + babeld, and
| get routing around failures in the mesh.
| nirav72 wrote:
| Wireguard has a dead simple onboarding process as well. For
| users you want to grant access - providing a QR code and them
| installing the wireguard client app on their mobile device is
| all that is needed. Also the wireguard server itself is an easy
| setup and has very little overhead. Took me like a few minutes to
| install and setup on a raspberry pi 3. Of course, you do have
| to open up a port on your router. That's the only downside.
| I've since switched to Tailscale for that specific reason.
| carride wrote:
| Algo project still works well. Very quickly launch a WireGuard
| VPN to several popular cloud providers, or any Linux instance you
| already have access to, including your rPi.
|
| https://github.com/trailofbits/algo
| sobkas wrote:
| For me HPE ProLiant MicroServer G10+ is a better solution but I
| couldn't find a wireless pcie card that could reliably be used as
| an AP. I have a QNAP QWA-AC2600 bought in Europe but the Linux driver is
| crippled and sets regulatory region to US because ROM doesn't
| have it set properly. And there is no way to change it. Driver
| developers think it's a feature and won't revert it. I really
| appreciate that driver developers know better than me where I use
| hardware, but for now I don't want to use US settings in for
| example Poland. Or all frequencies are tagged as not for AP use.
| My question is, is there any pcie card that could be used as AP?
| geokon wrote:
| Anyone know if these kinds of setups get you around the Chinese
| firewall? Or is this kind of traffic pretty fingerprintable?
| npteljes wrote:
| Many VPNs get around it just fine, according to the random
| experiences I saw online. The issue is not technical, but
| legal: the traffic is fingerprintable, and that the parties
| involved (user, ISP) are legally required to store some of the
| traffic, and to make that available for authorities to check
| later [0]. I imagine that they handle this like how they handle
| other law enforcement - by applying it when they feel like. So
| at the end of the day, don't get caught.
|
| [0]
| https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peopl...
| Snawoot wrote:
| Wireguard is known to be fingerprintable[1]. But at this moment
| it is unlikely UDP traffic will be filtered by Chinese GFW[2].
| But this may change any moment.
|
| [1]:
| https://lists.zx2c4.com/pipermail/wireguard/2018-September/0...
|
| [2]:
| https://gfw.report/publications/usenixsecurity23/en/#sec:res...
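To make concrete what indeyets and Snawoot mean by "fingerprintable", here is an added example (not code from the thread, from PiVPN or from the WireGuard project) that classifies UDP payloads by WireGuard's fixed message header: a one-byte message type (1 to 4), three reserved zero bytes, and fixed total lengths of 148, 92 and 64 bytes for the three handshake messages, with transport data being a multiple of 16 bytes and at least 32 bytes. The flow keys and packet contents are constructed samples; this is the kind of check a network monitoring tool applies, and it illustrates why the handshake is the reliable signal while transport data alone is a weak one.

```python
"""Classify UDP payloads as WireGuard messages by their fixed header layout.

Added example (not from the thread or from the WireGuard project). WireGuard
messages begin with a one-byte type (1..4) followed by three zero reserved
bytes, and the three handshake message types have fixed total lengths
(148, 92, 64 bytes). Only UDP payloads are examined; the sample packets and
flow keys below are constructed, not real captures.
"""
from __future__ import annotations

from collections import Counter

# Message type values and fixed lengths from the WireGuard protocol definition.
TYPE_NAMES = {
    1: "handshake-initiation",
    2: "handshake-response",
    3: "cookie-reply",
    4: "transport-data",
}
FIXED_LENGTHS = {1: 148, 2: 92, 3: 64}
TRANSPORT_HEADER = 16   # type(1) + reserved(3) + receiver(4) + counter(8)
POLY1305_TAG = 16       # every transport message ends in a 16-byte AEAD tag


def classify_wireguard(payload: bytes) -> str | None:
    """Return the WireGuard message name for a UDP payload, or None."""
    if len(payload) < 4:
        return None
    mtype = payload[0]
    # The reserved bytes are always zero in every WireGuard message.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    if mtype in FIXED_LENGTHS:
        return TYPE_NAMES[mtype] if len(payload) == FIXED_LENGTHS[mtype] else None
    if mtype == 4:
        # The inner packet is zero-padded to a multiple of 16 and a 16-byte tag
        # is appended, so the total is >= 32 and a multiple of 16 (32 = keepalive).
        if len(payload) >= TRANSPORT_HEADER + POLY1305_TAG and len(payload) % 16 == 0:
            return TYPE_NAMES[4]
    return None


def summarize_flows(packets: list[tuple[str, bytes]]) -> dict[str, Counter]:
    """Count WireGuard message types per flow key (constructed "src->dst" strings).

    A flow carrying a handshake is strong evidence of a WireGuard peer;
    transport-data alone is weak (any payload starting with 04 00 00 00 and
    having a fitting length would match).
    """
    per_flow: dict[str, Counter] = {}
    for flow, payload in packets:
        kind = classify_wireguard(payload)
        if kind is not None:
            per_flow.setdefault(flow, Counter())[kind] += 1
    return per_flow


def wireguard_peers(per_flow: dict[str, Counter]) -> list[str]:
    """Flows that carried a handshake message, i.e. the high-confidence matches."""
    return sorted(
        flow for flow, kinds in per_flow.items()
        if kinds["handshake-initiation"] or kinds["handshake-response"]
    )


def filler_bytes(n: int) -> bytes:
    """Deterministic stand-in for key material and ciphertext fields (constructed)."""
    return bytes(i & 0xFF for i in range(n))


# Constructed sample payloads (not real captures); addresses are documentation ranges.
SAMPLE_PACKETS = [
    ("10.0.0.5->203.0.113.7:51820", b"\x01\x00\x00\x00" + filler_bytes(144)),  # initiation, 148 B
    ("203.0.113.7:51820->10.0.0.5", b"\x02\x00\x00\x00" + filler_bytes(88)),   # response, 92 B
    ("10.0.0.5->203.0.113.7:51820", b"\x04\x00\x00\x00" + filler_bytes(28)),   # keepalive, 32 B
    ("10.0.0.5->203.0.113.7:51820", b"\x04\x00\x00\x00" + filler_bytes(108)),  # data, 112 B
    ("10.0.0.5->192.0.2.53:53", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # DNS header
    ("10.0.0.5->198.51.100.9:443", b"\xc3\x00\x00\x00\x01\x08" + filler_bytes(40)),    # QUIC-like
    ("10.0.0.5->198.51.100.9:8388", b"\x01\x9f\x3c\x77" + filler_bytes(60)),  # random-looking bytes
]

if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_PACKETS)
    for flow, kinds in flows.items():
        print(flow, dict(kinds))
    print("likely WireGuard peers:", wireguard_peers(flows))
```

Running it reports only the two flows between 10.0.0.5 and 203.0.113.7; the DNS, QUIC-like and random-looking payloads fall through, the last one because its reserved bytes are not zero. That last case is the contrast the thread draws with Shadowsocks-style traffic: there is no constant header to key on, so a length-and-header rule like this one has nothing to match.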
| fest wrote:
| I don't think it's true that UDP is completely unfiltered.
|
| I tried setting up a Wireguard site-to-site tunnel for $WORK's
| Chinese office to access the EU office - it stopped working within
| a day.
| vrglvrglvrgl wrote:
| [dead]
___________________________________________________________________
(page generated 2023-05-05 23:00 UTC)