[HN Gopher] Build your own private WireGuard VPN with PiVPN ___________________________________________________________________ Build your own private WireGuard VPN with PiVPN Author : ingve Score : 402 points Date : 2023-05-05 11:49 UTC (11 hours ago) (HTM) web link (www.jeffgeerling.com) (TXT) w3m dump (www.jeffgeerling.com) | tristanb wrote: | I run my own WireGuard VPN for my home devices, and I have had a | hell of a time getting mDNS to work over it. I tried various | reflectors and couldn't get them to work, has anyone made this | simple? | blutack wrote: | If your router supports OpenWRT that's a good alternative that | doesn't require any additional boxes/boards and is simpler to set | up networking-wise. | | There's a nice UI that generates the QR codes or config files | ready for import into client devices. | | 1: https://openwrt.org/docs/guide- | user/services/vpn/wireguard/b... | alpenbazi wrote: | OpenWRT on a BananaPI R2 with WG works like a charm for ~ 2 | years now | flas9sd wrote: | yes the webui now has some convenience options for generating | and importing configs, but there's still a gap (as in default | package installed) in client profile management or network | management on cli. | | What pivpn (and similar tooling wrapping lower level commands) | bring along is this client management and even some network | topology/routing management : https://docs.pivpn.io/wireguard/ | and | https://github.com/pivpn/pivpn/tree/master/scripts/wireguard | | I think it's an interesting spectrum between wg-cli and | tailscale. | goodpoint wrote: | curl | bash ?? For something as critical as a VPN? No thanks. | | You know you can just do apt install wireguard right? | ye-olde-sysrq wrote: | I run wg-easy https://github.com/WeeJeWel/wg-easy for this sort | of thing. I use the docker container, and it's great. "Just | works". | | Also, unrelated, I just decided I don't like the sentiment of | "PiMyProjectName" branding. 
I know most projects don't _just_ run | on a Pi, and that the intent is to say "you can self-host | thing", but at this point if you want to run a home server sort | of thing, just buy some cheap 100-200 dollar minipc thing. That's | how much you'd pay for a Pi now anyway, and it comes with such | great features as: | | * just establishing an ssh connection doesn't take multiple | seconds | | * the ethernet doesn't go over a usb hub | | * it doesn't run on an sd card that is going to fail within a | year | | I'm pretty dismissive of ARM chips for homelab stuff at this | point. There's super cheap minipcs with "real" processors that | will just destroy even an expensive ARM board. | | Pi's shine with their ability to run both a real/full Linux and | also do gpio type stuff that otherwise is usually an arduino | board. I don't have anything against low-level programming but | damn is it just a lot more fun to do in python. I love the Rpi | zero w 2 products for this, just enough juice to run wifi and a | python loop, plus the gpio pins. Too bad they've been sold out | for literally years. | lxgr wrote: | > I run wg-easy https://github.com/WeeJeWel/wg-easy for this | sort of thing. I use the docker container, and it's great. | "Just works". | | This looks great, thank you! My current home router(s) | fortunately support Wireguard natively, but I'll look into this | if I'm ever again forced to use a shitty CPE. | | > I'm pretty dismissive of ARM chips for homelab stuff at this | point. There's super cheap minipcs with "real" processors [...] | | What makes an ARM SoC a "non-real processor"? I'm typing this | on a laptop with an ARM CPU, and it's the fastest hardware I've | ever worked on. | askiiart wrote: | Sure, some stuff doesn't run on ARM, but a lot does. Plus, | you can get decent ARM processors for cheap, whereas for the | same price the best you'd get would be a Celeron. 
| sgtnoodle wrote: | The "decent ARM processors for cheap" seem comparable to a | Celeron performance-wise, don't they? | 1vuio0pswjnm7 wrote: | What is conveniently overlooked in these neverending^1 HN | comments that dismiss RPi as "inferior" is that (a) RPi is a | brand, (b) people are familiar with and trust the brand and (c) | when everyone is doing their projects on the same hardware it | avoids compatibility disclaimers like "This project is | tested on X. It may or may not work on Y." It obviates | consideration of "hardware compatibility". With the RPi people | know exactly what hardware to buy. Even if the hardware is | overpriced or underpowered, synergies are created when everyone | is using the same hardware. IMHO, one cannot discount the value | of that, but these comments downgrading the RPi always do. Of | course there are better choices for hardware than the RPi, and | perhaps without the supply issues, but good luck getting | everyone to buy the same thing so that projects do not have to | account for "hardware compatibility". | | 1. Eleven years and counting | marwatk wrote: | I love these things: | | https://www.aliexpress.us/item/3256804116114245.html | | There are a few suppliers, but the 4x Intel NICs open up lots | of possibilities. They're very low power, but still fast | enough to handle a lot of traffic. | | I run VMWare ESXi on mine and use openwrt for my router on | two ports and then a general purpose server in another VM. | jmole wrote: | I've been curious about the performance gap here - you can open | htop on a pi 4 and see that CPU utilization is relatively low, | ~33% out of 400%, something like that, and yet some operations | seem like they take 5-6x longer than they ought to on a | "normal" computer. | | Is it all down to the file system? Is the CPU just in interrupt | overload all the time? I wish I had a better understanding of | the issue here. 
| znpy wrote: | What do you expect from a computer that's completely powered | with less than 10W? | AnthonyMouse wrote: | CPU load metrics are averages, typically over e.g. a second. | Many operations take less time than that. If something takes | 300ms on a Pi and 50ms on a PC, the Pi is six times slower in | observed latency but will still only show <33% CPU | utilization when averaged over a second. Some of the metrics | are over even longer periods of time. The Linux load average | metrics are 1 minute, 5 minute and 15 minute. You can have | your ssh handshake take 20 full seconds with a CPU core at | 100% and still see a 0.33 load average. And having three more | cores available does nothing even when the system is busy if | the application is single-threaded. | | The small boards also typically have much slower I/O and less | memory. On a PC with 16GB of RAM running as a server, usually | the whole OS will end up cached in memory. A Raspberry Pi | with less RAM is more likely to have to evict from the page | cache, and then read it back from a slow SD card. | bombcar wrote: | If you need Pi-like but not specifically a Pi check out the | Rock5B: https://www.sevarg.net/2023/01/01/battle-of-the- | boards-2023/ | joshbaptiste wrote: | Alternative SBCs I've been looking at are the Orange PI 5, | Khadas VIM1S, NanoPi R6S | | https://hackerboards.com/ | all2 wrote: | You might also take a look at https://ameridroid.com. They | have a bunch of boards. The brand I'm a fan of is ODroid. | yonatan8070 wrote: | The Pis shine primarily in terms of power consumption, under | load, a mini PC could consume 50W, where a Pi (and other ARM | boards) will do an absolute maximum of 15W. And if you have | multiple devices that run 24/7, that could be a significant | saving | Lendal wrote: | Just have to pay attention and be picky while shopping for | the mini pc. Yes most of them are way over 15W but you can | find them under 15W. 
My Quieter3Q for instance is fanless & | runs on a Celeron in just 15W. I love it, but one annoyance | is, it does not come back on by itself after a power | interruption. | paol wrote: | > it does not come back on by itself after a power | interruption. | | Most BIOSes have an option for that. Did you check? | zamadatix wrote: | Like others have said, the PCs you're looking at might be | mini in form factor but specced like traditional desktops. | There are plenty of mini PC options that compete at 15 | watts and lower range. One example I use is | https://www.amazon.com/Computer-Windows-Dual-Band- | Bluetooth-.... This gets you built in 128 GB eMMC, dual | display output, more USB 3, about the same overall CPU | performance but significantly higher single core scores, an | open native SATA slot. Similarly there are boards even | cheaper than this passively cooled, and will pull less than | 15 watts under load as measured from the wall while being in | a preassembled case. | | The best part is it's easier to scale to your needs. E.g. if | a single $200 box can get the latest generation CPUs that | will absolutely demolish these cheap ARM boards in perf/watt, | come with PCIe m.2 drives, support higher RAM limits, and | have GPUs that are more on the usable side of things. As a | result it can do the work of multiple devices (if you don't | need them to be physically separate of course) and will last | significantly longer in terms of usability. | vladgur wrote: | Wow thanks for sharing. That's a pretty amazing box, | curious what its TDP and noise characteristics are | zamadatix wrote: | Wattage for the whole thing is as mentioned, TDP of just | the CPU is 4 to 6 watt (configurable). This particular | one has a fan which will kick in if you run it hard for | long periods, for true fanless I'd suggest the B1 instead. | Or if you go for the splurge. 
| ElectricalUnion wrote: | If you need to pull 50W from a mini PC constantly, you | probably can't run that same load (without horrible latency, | throughput and stability issues) on a 15W ARM SBC to begin | with. | tlamponi wrote: | But the Pi also needs to run much longer under full load to | achieve the same as a modern mini PC, so it might be still | canceled out in terms of total power use. | | Raspberry Pi chip sets are always older (less efficient | lithography/structure size) ones, as they take over the ones | currently being phased out for industrial use (so they get | them cheap). Those have a hard time to compete with e.g., a | modern Intel N100 CPU which has a TDP of 6W but at the same | time 4 cores with a max freq. of 3.5 GHz and can even use | DDR5 (or LPDDR5 for low power) and is available in many form | factors, often fanless with a metal body as cooler at about | 150EUR (if lucky) to 200EUR and those models then even | including (often multiple) 2.5Gb Ethernet ports and NVMe M.2 | slot. | | That makes it at least for me an easy choice, and I am indeed | looking out for using less power but still getting stuff done | somewhat quickly. | vanilla_nut wrote: | Additionally, my home Pi4 sits in a metal case that acts as a | heat sink so I don't have to use a fan at all. That | translates to: | | - additional energy savings | | - more or less eliminated need to clean out dust or | eventually replace a fan | | - no fan noise, a massive boon if you live in a small | apartment and don't have a closet or basement you can toss | the server into for noise insulation | | I suppose if I did serious number crunching on my home | server, I'd need something beefier... but I've been running a | VPN, a Minecraft server, a streaming media server, and a DNS | server on my Pi4 for more than 3 years now. Only during media | scans do I feel any slowness. 
| sedatk wrote: | There are fanless mini PCs too: | https://news.ycombinator.com/item?id=35831087 | AnthonyMouse wrote: | The trouble there is if you're actually compute bound, the | Pi's performance is also a lot worse, and if you're not, you | should be comparing the idle power consumption. There are | plenty of PCs that idle at under 10W. | | PCs also support arbitrary amounts of memory, so you can | often avoid needing multiple devices by using virtualization. | manmal wrote: | Indeed. You can build a power saving PC with eg a used Fujitsu | D3401 board and a used Skylake or Kaby Lake CPU, or just get a | used Esprimo P756/757 tower (E90+ for lower idle power) for 100 | bucks or less. Those should idle at ca 15W (without spinning | HDDs). And you can put in 4+ SATA HDDs, which is way more | reliable than using an USB enclosure. Works great as an | Ubuntu/ZFS server or with unRAID. Beats any Synology NAS in | almost every metric. | 0xcde4c3db wrote: | > just get a used Esprimo P756/757 tower (E90+ for lower idle | power) for 100 bucks or less | | Are these still readily available somewhere? All I can find | are a tiny handful of $300+ listings and RAM upgrade spam. | manmal wrote: | I bought a P765 tower last week for EUR 90 (incl shipping) | off a German eBay listing (commercial, so I can even deduct | VAT). Not sure about other parts of the world, sorry! | sgtnoodle wrote: | The Pi 4's Ethernet is pci-e now, and its USB3 ports are as | well. The USB2 ports are still terribly inefficient. | | About 8 years ago, I switched my home server from a pi to an | Intel baytrail based system. I put it all together myself in a | cube shaped case. It is passively cooled and runs off a 12V 2A | power brick. I filled the space for the PSU with two 3.5" hard | drive hot swap bays. I keep one drive in and synchronized to my | desktop over the network, and pop another one in when it's time | to make a cold backup. It's served me very well. 
| txdv wrote: | Yeah, I agree, I am a geek though and wanted a linux machine | with arm so I could do some assembly hacking on it (nothing | serious). Just the general geek factor I think makes a lot of | people buy it. | | I use the Argon case with ssd over usb, since the sd cards | failed like after 2 weeks. For me it is perfect, I get to host | all my minimal things (vpn, ssh over it, host photos, videos, | run a few services) and it is like super energy efficient, | although that efficiency is more of an ego boost than actual | use. | | I think there are a lot of atom mini pcs which have normal | ethernet and m2 connectors that are a better alternative. | codetrotter wrote: | > it doesn't run on an sd card that is going to fail within a | year | | The Raspberry Pi Compute Module 4 has variants with eMMC, which | is better than using an SD-card. | | Additionally, there are adapters to use NVMe drives and you can | boot from them. I've done so with a few RPi CM4, to varying | degrees of luck. One of them works perfectly, another one did | not. Currently waiting for more of the same adapter I used for | the first one and hopefully this will allow the additional ones | to work as well as the first one is doing. | victor106 wrote: | > I'm pretty dismissive of ARM chips for homelab stuff at this | point | | What about Mac Mini? The latest version runs on M2 | AnthonyMouse wrote: | The cheapest M2 Mini is $600. That's generally overkill for | personal servers. They also have an unknown reliability | record, and the older Mac Minis had a tendency to eat storage | devices by limiting "fan noise" until temperatures were at | the upper threshold of the spec. In the new ones the storage | is permanently attached, which is... worrying. | | One of the better options if you don't need a lot of internal | storage is old laptops. 
They're cheap, low power, have a | built-in monitor and keyboard and you don't need a separate | UPS (who cares if the internal battery "only" lasts an hour). | Lendal wrote: | The Mac Mini is pretty tempting, but I wanted something even | lower-power. 15W is possible for Celeron mini pcs. They are | around. I ended up getting a Quieter3Q which is a Celeron- | based 15W, fanless and cheaper than a Mac Mini. | mmlkrx wrote: | Another simple solution I installed on my existing server in | actually 5 min via docker run is https://github.com/WeeJeWel/wg- | easy. The interface is very simple, and all in all it took 10 min | to have the VPN up and running, download the client applications, | and connect to it! | vxNsr wrote: | Yea this is the route I took, I'm a sucker for a good gui, and | this is super simple. | | If you use cloudflare for your domain you can use cloudflare- | ddns[0] to automatically update your ip if/when it changes. | | [0] https://github.com/timothymiller/cloudflare-ddns | briancmoses wrote: | At the price Raspberry Pis are being sold (scalped) for it's | discouraging and disappointing to see content creators | continually going to that well. | | You can buy a travel router like the GL.iNet GL-SFT1200 (Opal) | for $39.99. All of GL.iNet's devices run OpenWRT already. Setting | up Wireguard on OpenWRT is easy, and using Tailscale is even | easier! | | Edit: Jeff's been creating awesome Raspberry Pi content for a | long time and I'm glad that he's not stopping given the current | circumstances. I hope that his audience has an abundant supply of | unused RPis looking to be utilized. | | In Jeff's shoes I'd want to speak to those in his audience who | DON'T have a Raspberry Pi and save them from paying scalpers' | prices until things return to normal--assuming that they ever do. | aborsy wrote: | Any concerns over routers made in China? | | It's true that a lot of chips are made in China. Nevertheless, | the question remains. 
| _joel wrote: | the gl-inet stuff runs OpenWRT just with another interface, | you can flash with vanilla but I've never seen anything dodgy | on the ones I've played with. | [deleted] | chabad360 wrote: | It's actually not simple currently to use Tailscale as an exit | node on GL.iNet routers (due to some conflict with mwan3). | That's besides the fact that the cheaper routers in their | lineup are not very performant and as a sibling mentioned, not | capable of running Tailscale. | 7839284023 wrote: | > GL.iNet GL-SFT1200 (Opal) | | According to https://docs.gl-inet.com/en/4/tutorials/tailscale/ | the GL-SFT1200 (Opal) does not support Tailscale but different | models from GL.iNet do. | shocks wrote: | Did you read the article? | | > PiVPN, luckily, runs on any other Pi-like device, though, as | long as it's running a Debian or Pi-OS-like distro. | LeSaucy wrote: | So...Linux? | Shared404 wrote: | To me it sounds a bit more restricted than any Linux. | | Any Debian isn't too bad though. | ryanpandya wrote: | ARM architecture I guess | fuzzbazz wrote: | under Features in [1]: | | * Doesn't need to be a Raspberry Pi(tm), It runs on any | x86_64 system | | [1] https://pivpn.io/ | chaxor wrote: | Base wireguard is pretty easy to setup, especially with wg-quick, | so idk why anything would be required to make it easier. Also, | Rosenpass is quite great and easy to use, which really improves | the security further. Hopefully Rosenpass will become part of the | base implementation at some point. | a_subsystem wrote: | People keep saying this, but it hasn't been true for me. I've | had to reinstall PiVPN a few times, I assume because automatic | updates may have broken it somehow. I tried manually | configuring wireguard every time but just could not get it to | work after hours of trying. PiVPN has always been extremely | easy to install and configure. 
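The bare wg-quick setup that chaxor calls easy and that a_subsystem could not get working has two failure modes wg-quick never reports: a copy-pasted AllowedIPs entry that overlaps another peer's (cryptokey routing maps each IP to exactly one peer, so the last peer to claim it silently takes the route and the earlier peer stops receiving traffic), and a client profile whose AllowedIPs or Endpoint does not match the server side. The checker and client-profile generator below are an added example written for this thread; they are not PiVPN's scripts, not the WireGuard project's tooling, and not code from the linked article. The keys, the 10.8.0.0/24 tunnel, the vpn.example.org endpoint and the 192.168.1.0/24 home LAN are constructed placeholders.

```python
"""wg-quick config sanity checker and client-profile generator (added example).

Not PiVPN's code and not WireGuard's tooling. All keys in the sample data are
constructed placeholders (base64 of fixed bytes), not real X25519 key pairs;
a real deployment derives PublicKey from PrivateKey with `wg pubkey`.
"""
import base64
import ipaddress
from typing import Dict, List, Tuple

Section = Dict[str, str]


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse an INI-style wg-quick config into (interface, [peer, ...]).

    Key/value pairs are split on the FIRST '=' only, because base64 keys end
    in '=' padding. '#' comments are stripped; '#' is not in the base64 set.
    """
    iface: Section = {}
    peers: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = iface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    return iface, peers


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 raw bytes: 44 base64 characters ending in '='."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def check_server_conf(text: str) -> List[str]:
    """Return the problems found in a server config (empty list == looks sane).

    wg-quick accepts all of these silently: malformed keys, no ListenPort,
    peer addresses outside the tunnel subnet, and duplicate/overlapping
    AllowedIPs (the kernel gives the route to the last peer claiming it).
    """
    problems: List[str] = []
    iface, peers = parse_wg_conf(text)
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    if not iface.get("ListenPort", "").isdigit():
        problems.append("Interface.ListenPort missing; a server must listen")
    try:
        tunnel = ipaddress.ip_interface(iface.get("Address", "")).network
    except ValueError:
        problems.append("Interface.Address is not a valid address/prefix")
        return problems
    seen_keys: Dict[str, int] = {}
    claimed: List[Tuple[object, int]] = []  # (network, peer number)
    for n, peer in enumerate(peers, 1):
        pk = peer.get("PublicKey", "")
        if not is_wg_key(pk):
            problems.append(f"peer {n}: PublicKey malformed")
        elif pk in seen_keys:
            problems.append(f"peer {n}: PublicKey duplicates peer {seen_keys[pk]}")
        else:
            seen_keys[pk] = n
        for cidr in [c.strip() for c in peer.get("AllowedIPs", "").split(",")]:
            if not cidr:
                problems.append(f"peer {n}: AllowedIPs missing or empty")
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"peer {n}: AllowedIPs entry {cidr!r} is not a CIDR")
                continue
            # Site-to-site setups legitimately route a remote LAN here; for a
            # road-warrior server every peer entry should sit inside the tunnel.
            if net.version == tunnel.version and not net.subnet_of(tunnel):
                problems.append(f"peer {n}: {cidr} is outside tunnel {tunnel}")
            for other, m in claimed:
                if net.overlaps(other):
                    problems.append(f"peer {n}: {cidr} overlaps peer {m}'s {other}")
            claimed.append((net, n))
    return problems


def client_conf(server_pub: str, endpoint: str, listen_port: int,
                client_priv: str, client_addr: str, full_tunnel: bool = True,
                home_lan: str = "", dns: str = "") -> str:
    """Render one client profile (what PiVPN hands out as a .conf / QR code).

    full_tunnel=True routes everything through the VPN; False routes only
    the tunnel subnet plus `home_lan` (split tunnel). server_pub must be
    passed in: deriving it needs X25519, which `wg pubkey` does on the server.
    """
    if full_tunnel:
        allowed = "0.0.0.0/0, ::/0"
    else:
        routes = [str(ipaddress.ip_interface(client_addr).network)]
        if home_lan:
            routes.append(str(ipaddress.ip_network(home_lan, strict=False)))
        allowed = ", ".join(routes)
    lines = ["[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_addr}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {server_pub}",
              f"Endpoint = {endpoint}:{listen_port}", f"AllowedIPs = {allowed}",
              "PersistentKeepalive = 25"]  # keeps the NAT mapping open for roaming clients
    return "\n".join(lines) + "\n"


def _fake_key(b: int) -> str:
    """Constructed placeholder key: base64 of 32 identical bytes. NOT a real key."""
    return base64.b64encode(bytes([b]) * 32).decode()


SERVER_PRIV, SERVER_PUB = _fake_key(1), _fake_key(2)
PHONE_PRIV, PHONE_PUB = _fake_key(3), _fake_key(4)
LAPTOP_PUB = _fake_key(5)

# Constructed sample server config (placeholder keys, placeholder subnet).
SERVER_CONF = f"""
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {SERVER_PRIV}

# phone
[Peer]
PublicKey = {PHONE_PUB}
AllowedIPs = 10.8.0.2/32

# laptop
[Peer]
PublicKey = {LAPTOP_PUB}
AllowedIPs = 10.8.0.3/32
"""

if __name__ == "__main__":
    print("server problems:", check_server_conf(SERVER_CONF) or "none")
    broken = SERVER_CONF.replace("10.8.0.3/32", "10.8.0.2/32")  # copy-paste mistake
    print("broken-server problems:", check_server_conf(broken))
    print(client_conf(SERVER_PUB, "vpn.example.org", 51820, PHONE_PRIV, "10.8.0.2/24",
                      full_tunnel=False, home_lan="192.168.1.0/24", dns="10.8.0.1"))
```

Running it shows the duplicate-AllowedIPs mistake that wg-quick swallows, and the split-tunnel profile it prints is the kind of thing dspillett suggests diffing against a PiVPN-generated one. For a real deployment the only substitution is real keys from `wg genkey | tee privatekey | wg pubkey`.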
| dspillett wrote: | Have you tried investigating the config it produces and | comparing that to what you ended up with on your failed | attempts? _Way_ back when I first started using OpenVPN | installing a quick-setup in a VM was how I found a glaring | mistake I'd been making (with routing, it turned out, not | the OpenVPN config itself). | | Not that it massively matters if you are happy with PiVPN of | course, but understanding more may help you diagnose issues | should PiVPN ever fail. | KaiserPro wrote: | for one or two devices, yes. | | But after that, key and config management becomes a bit more | challenging. | | I have about 14 devices on a VPN, so that uses ansible to make | sure all the keys are where they should be, and can be rotated | if needs be. | wolletd wrote: | I have a WireGuard VPN with about 250 devices, most of them | POS machines in the wild. I adopted WireGuard for our first | machines about half a year before the 1.0 release, so there | weren't many tools yet. | | I piggybacked onto the original configuration file format and | built myself https://github.com/WolleTD/wg-setup, which helps | me validate the correctness and uniqueness of new entries, | hacks names into the entries and even updates an internal DNS | zone. | | I really don't have to care much for key rotation, though. As | most of the devices are out of our control anyway, they | aren't allowed to connect to anything inside the VPN. It's | just for us to connect to them. | firstlink wrote: | After skimming both the GitHub and the protocol specification | for rosenpass, I still have no idea what benefit it provides on | top of wireguard and therefore why I should use it. | computershit wrote: | It's below the fold on rosenpass.eu but: | | > Rosenpass is a key-exchange protocol using techniques that | are secure against attacks from quantum computers. 
It | achieves the same security guarantees as WireGuard, using two | strong post-quantum key exchange methods - Classic McEliece | and Kyber. | | > To use Rosenpass, you don't have to get rid of WireGuard; | Rosenpass handles post-quantum security, WireGuard handles | pre-quantum security and high-speed data transmission. | firstlink wrote: | I saw some references to post-quantum security, but I also | saw references to something called "Post-Quantum Wireguard" | so it seemed like that was handled by some other project, | or at best some sub-component of Rosenpass. | fionaellie wrote: | I use DietPi, which includes WireGuard and other things like | PiHole. I've had my RPi 4 running without issue for more than 2 | years, and can get 200mbps up and down. | 6451937099 wrote: | [dead] | 6451937099 wrote: | [dead] | Toutouxc wrote: | If your main usecase is accessing Home Assistant or exposing a | few HTTP endpoints from your home network, you're maybe stuck | under several NATs and you don't mind Cloudflare, then I can't | not recommend Cloudflare Tunnel. You just run their app on your | home server, set up forwarding as if you were setting up nginx or | something, click a few buttons in their GUI and your home stuff | is online, on HTTPS, with DDoS protection and a nice dashboard. | And you'll likely easily fit into the free tier. | beardog wrote: | If you have the same usecase but DO mind Cloudflare, you can | rent a cheap server and use SSH reverse TCP tunneling (ssh -R | 8080:localhost:80 proxy@example.com) | nirav72 wrote: | Do you have any security cameras configured in Home assistant | showing a live feed? Reason I'm asking - it seems that CF has | some clauses in their TOS that forbids anything but static | content. So audio/video stream is a no-no. I'm also using CF | tunnel. Just not for home assistant because of their | restrictions. For HASS, I go through tailscale. | divyenduz wrote: | I have done something similar with Raspberry Pi and Tailscale. 
| Really happy with the setup. Almost 6 months in and works like a | charm. | | https://twitter.com/divyenduz/status/1597863894055518208 | bovem wrote: | Hey I saw you are facing some issue with reauthentication on | reboot. If you are running it on a docker container then having | a persistent state directory for tailscale might help | (TS_STATE_DIR=/var/lib/tailscale). | | I use it on my system and it works flawlessly on restarts. | kgersen wrote: | I moved to Tailscale, until I find something simpler, I'm not | moving back. | lostlogin wrote: | What would that even look like? | | When I set it up it promised a 10 minute install time. For me a | fair portion of that 10 minutes was trying to work out if it | was working as my line speed was higher than I thought | possible. It's scary how quick it is to configure. | SparkyMcUnicorn wrote: | Just install tailscale on something in your home network, and | start it up advertising as an exit node. On your laptop, | select the exit node from the tailscale menu. Now all your | internet traffic will go through that machine. | mightybyte wrote: | Have you tried Nebula (https://nebula.defined.net)? I set up a | personal Nebula network a few months ago and have been very | happy with it thus far. It has the ability to do mesh-style | direct routing so you don't necessarily have to pay the out- | and-back latency cost if you're connecting to a location that | is closer. | tssva wrote: | Tailscale peers will directly connect. | Snawoot wrote: | Or just consider some HTTP over TLS proxy like this one: | https://github.com/Snawoot/dumbproxy | | It may appear a bit more flexible option, especially if | forwarding all traffic to VPN entirely is undesirable. | mdmglr wrote: | I've recently built a VPN into my network using Cloudflare Zero | Trust and Cloudflare Tunnels. Highly recommend over maintaining | Wireguard or anything else. Much more comprehensive security | controls. 
| fionaellie wrote: | I quickly installed Outline on a free-forever Oracle VPS. This | might be the best option for someone who doesn't want to buy a | RPi, worry about SD card corruption, use any additional | electricity at home, or spend any money. Even with the tiny free | VPS provided for free, I'm getting great speeds of over 200mbps. | And you can choose multiple locations to set up your free VPS. | otterpro wrote: | Before going to a long 3-month trip to Asia last year, I | installed WireGuard on my Raspberry Pi 1 (original model B from | 2012) which was running at home in the US. I found PiVPN to be the | easiest way to install Wireguard. I didn't know if I even needed | a VPN but I was glad, and I was able to use internet as if I were | at home. It was weird, but a lot of sites are blocked overseas, | even though it shouldn't. For example, I couldn't access | Homedepot.com. I also couldn't make payment to my Target card as | the website refused connection. Apparently a lot of US business | sites refuse to connect from overseas IPs because of too many | hacking attempts, or they just don't want to deal with it. | Anyway, I was glad I had set up a VPN before I left for the trip. | | Also, the original Pi (2012) was able to run Wireguard well | enough for light VPN, although I didn't push it too much since I | didn't use it for anything heavy like video streaming. | FredPret wrote: | I have a US-and-Canada based business and I ban customers from | elsewhere in my T's and C's. Simply because I don't know their | laws. | | I don't outright block them because I myself travel, and some | foreign laws apply to their citizens wherever they are. | | I can completely see why you might want to ban overseas IP | connections though, and I'll probably do it soon. 
| lxgr wrote: | Banning new signups/sales from overseas IPs can make sense | for legal, tax, and shipping reasons - but please do provide | some way for existing customers to access their | subscriptions/orders/accounts from abroad. International | travel is a thing. | FredPret wrote: | I know! This is why I have it enabled - for me. I'm still | worried about breaking some EU law without ever knowing it | though. | eddieroger wrote: | I don't know first hand, nor am I speaking for my employer (who | happens to be one of the two companies you mentioned), but if | it was me, I would assume that if my company doesn't do | business outside of the United States, then may as well deny | traffic for services that wouldn't be available outside of the | United States, since it is more often than not problematic | traffic. This means sometimes legit traffic would be | inconvenienced, as you were, and sorry about that, but it is a | realistic scenario that the small amount of legit pain is worth | the incredibly reduced risk footprint. Of course, baddies could | get VPNs, too, but that's all part of the game. | lxgr wrote: | > I would assume that if my company doesn't do business | outside of the United States | | You forgot to consider "any of my company's existing US- | resident customers temporarily traveling outside of the US". | LVDOVICVS wrote: | My Canadian stepfather died. Family is not close and I'm in | the US. The Canadian newspaper where his obit would be | doesn't allow connections from the US. | | More than a "small amount of legit pain" was the result. | vlovich123 wrote: | Was the site unavailable through archive.is? | | Also, plenty of people live far away from family and have | to deal with death (I'm in the same boat). It sucks but I'm | also curious why the obit was particularly important to you | because as far as I understand that's topically just a | small blurb in the newspaper? My family doesn't do obits so | I'm curious. 
| | Not to minimize what you went through at all, but it's | interesting in today's times how we expect so much | immediacy. My immediate family escaped the USSR just before | it collapsed but my dad's family was stuck in Russia | and couldn't leave even after it fell. My father had to | deal with his brother, father, and mother dying within 5 | years or so with no visits in between that time (a | combination of finances + probably fear about traveling | back). Comparatively I personally have a much easier time | in that I at least get to see my family once a year or so. | Again, in no way a comparison as dealing with loss and | living far away from family is always hard. Just a | reflection of how much technology has changed and made | maintaining more closeness easier (eg video calling). | eddieroger wrote: | I am sorry for your loss, and I'm not trying to minimize | your pain. This is the problem with data, it's unfeeling | and cold. You and I are two customers of something | companies with lots more than us, and a spreadsheet doesn't | capture our pains when we feel them. | couchand wrote: | I'm sorry for your loss. Do they have a phone? | ivanhoe wrote: | > it is a realistic scenario that the small amount of legit | pain is worth the incredibly reduced risk footprint. | | Well, I guess it depends on the type of attacks one | experiences, but hackers and spammers who target US-based | businesses are not idiots, they know how to use vpns and tor | and proxies. So on a technical level you get close to nothing | security-wise. You reduce a number of bots and worms randomly | accessing your servers, can stop some script kiddies who | don't know better and make life a bit harder to web scrapers | (but not much) - and that's it. | lxgr wrote: | > Apparently a lot of US business sites refuse to connect from | overseas IPs because of too many hacking attempts, or they just | don't want to deal with it. | | Yes, and it's infuriating. 
For example, it was (and probably | still is) impossible to access the NY MTA's OMNY portal from | many, but curiously not all, European countries. The OMNY | system itself works using foreign cards, but this makes it very | annoying to download receipts for expense reports. | | Another fun one was not being able to cancel some streaming | service from outside of the US due to the service geoblocking | their account management site as well. I actually had to use a | VPN to cancel! | | There are countless other examples. | kybernetyk wrote: | Can't access homedepot from Germany either. I guess it's HD | blocking pesky foreigners | tssva wrote: | If you don't do business in the EU why accept traffic from | there and possibly have to deal with GDPR issues. | oh_sigh wrote: | That's not how GDPR works but it is a common misconception | and I can't really blame non-EU businesses for not taking | the time to understand a foreign law when blocking is so | easy. | systemtest wrote: | It took my team six months to get our company GDPR- | compliant, and that included hiring three external | consultants with extensive knowledge of GDPR and its | implementation across the various EU countries we did | business in. We were a short-term car rental company, we | did not earn money with user-tracking, advertising or | selling user data. But we did process drivers licenses, | user data, trip data. We had to re-write big parts of our | car-tracking module because having it tied to the current | driver (customer) automatically made it personal data, | which can be requested on demand when the customer wants | to. It also limited us on what we could log to our | logging server and store in a database. | | I can understand that an American company does not want | to make such an investment when there is literally 0 | added business value, as EU customers don't shop at that | company. | [deleted] | doix wrote: | What do you mean? That's pretty much how it works. 
| You load up the Home Depot website and they along with a bunch of 3rd parties that they partner with will start collecting data about you and storing it. You can't do that to someone from the EU without getting permission along with other restrictions.
|
| For Home Depot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block EU. Since you're not trying to sell anything to EU users, blocking them makes things easier.
| indeyets wrote:
| GDPR doesn't care about where people are located right now. From the GDPR point of view you still have to treat EU-residents in a special way, even if they're located in US right now.
|
| But EU has less of the leverage if company refuses to do business in EU -- that's true.
|
| On the other hand, CCPA is still a thing.
| lxgr wrote:
| > treat EU-residents in a special way, even if they're located in US right now.
|
| This part of GDPR has always seemed completely impracticable/unenforceable to me. How would a non-EU company even know that one of their customers is an EU resident and only temporarily visiting? Most services in the US aren't asking for my passport, at least.
|
| Practically, I'd assume that this will be interpreted by courts to only apply to companies "intentionally doing business with/commercially targeting EU residents", which is already the case for similar scenarios (e.g. that's how, to my understanding, German law requiring _all_ sites to provide an imprint has been interpreted by courts).
|
| In any case, I suppose we'll have to wait for precedent; I'm not aware of any at the moment.
| oh_sigh wrote:
| No, it isn't. See article 3, section 2 of the regulation. You need to offer goods or services to EU citizens for the law to be in effect. If Home Depot doesn't operate in Europe, doesn't market to Europeans, doesn't ship to Europe, and doesn't offer any services to Europeans, then they are not impacted by GDPR.
| doix wrote:
| > 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
|
| > (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
|
| > (b) the monitoring of their behaviour as far as their behaviour takes place within the Union
|
| Did I quote the correct section? Doesn't collecting all the analytics fall under section B? I'm not a lawyer of course, but it seems pretty reasonable to me that if you have interest in the EU market, blocking them is easier than figuring out if GDPR applies to you or not.
|
| Or you could just not spy on your users of course, but I guess I'm too pessimistic to see that as an option a company would choose.
| ElectricalUnion wrote:
| > You need to offer goods or services to EU citizens for the law to be in effect.
|
| You need to not sell goods and services to EU citizens for the law to not be in effect.
|
| Even if said citizens are in the US. You don't cease being an EU citizen when you're traveling.
| OJFord wrote:
| > For Home Depot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block EU.
|
| Err, or treat everyone in a compliant way?
|
| It's not like you don't already see this within the US anyway - particularly California.
| xur17 wrote:
| I believe the California law came after the EU one. And it's still easier to just block EU traffic rather than spending several weeks implementing GDPR cookie popups.
|
| And if you decide to treat everyone the same way, you likely end up with a higher bounce rate for the existing US customers. Hence, blocking.
| moffkalast wrote:
| Or they've just forgotten that the world outside ol' Merica exists, could be either one.
| Entinel wrote:
| They are an American business that does not deal with other countries outside North America. Why would they care about the world outside of "ol' Merica?"
| moffkalast wrote:
| Well if they don't want the rest of the world's money, that's alright. Someone else will get it instead.
| tssva wrote:
| And they are fine with that just like large numbers of retail chains in Europe, Africa, Asia, South America, Australia, New Zealand, etc. which don't have a presence in the US or other countries outside their own or their own economic region. Home Depot does operate stores outside the US in Mexico and Canada.
| RockRobotRock wrote:
| Do you know what Home Depot is? They're a store, that you have to, like, go to.
| moffkalast wrote:
| Ah my bad. I thought it was like a depot, that you had at home. /s
|
| If McDonalds and Aldi can work on multiple continents I'm sure it's not logistically impossible.
| kevin_thibedeau wrote:
| Standing up and maintaining a distribution network is non-trivial, especially for bulky goods that aren't practical for mail order shipping. Home Depot doesn't contract out locally sourced production like your examples do.
| yardstick wrote:
| Is GDPR that big of a difference now that California has its own strict data privacy laws?
| systemtest wrote:
| Yes. Check below for a comprehensive list of differences.
|
| https://www.cookieyes.com/blog/ccpa-vs-gdpr/
| lxgr wrote:
| So if I order something on Home Depot, the shipment is delayed, and I want to check on that (or even just find the support phone number, some sites block _all_ HTTP requests from foreign IPs!) while I'm traveling out of country, I just don't get to do that without a VPN due to GDPR?
| bitlax wrote:
| Did you do anything to handle the event where, say, you lose connectivity and the system needs a reboot? Just curious about what would be the best way to handle that scenario.
| otterpro wrote:
| While I didn't do this last time, in the future, I would plug the Raspberry Pi into one of my smart power outlets (ie Kasa wifi power outlet) connected via HomeAssistant, so I can remotely restart it if the Raspberry Pi becomes unresponsive. I also have another Raspberry Pi (again, the original 2012), so I could add redundancy by running a second WireGuard VPN on it, too.
| megous wrote:
| You can have a local watchdog process and reboot to a failsafe configuration on next boot. You can also set a timer to do this unconditionally when trying a new network configuration.
| darkwater wrote:
| I also did something similar, plus all my home automation which is 98% local-first|only. My trip was just 3 weeks but on the first day leaving, between one plane and another, my power company had a 4-hour extraordinary maintenance cut, my UPS didn't last long enough and with that blackout the RPi SD card died, and I was locked out of my LAN for all the trip.
|
| Lesson learned: configure the UPS to communicate with the servers and shut them down in a controlled manner when batteries are dying.
| momirlan wrote:
| Run Linux from SSD, can get a cheapo one for less than $25 these days. The SATA to USB adapter will probably cost as much. No more SD issues.
| kijiki wrote:
| May or may not work for your use case, but I have some scripts to prepare read-only Raspbian images here: https://github.com/nolanl/ropi
|
| There are commands to enable/disable read-write mode, so you can still make changes and do upgrades.
|
| I've had 0 problems with SD card death after I started using it.
| BrandoElFollito wrote:
| > Apparently a lot of US business sites refuse to connect from oversea IP because (...) they just don't want to deal with it
|
| I am French.
| What I find fascinating is that there are local US newspapers (that serve a tiny community) that went through the effort to do a geoblock from the EU and put a page along the lines of "we cannot be compliant to privacy laws in the EU so we must block you".
|
| Why do they care at all? How is the EU law relevant to their small, local business?
|
| Large companies are different - there could be some litigation against their footprint in the EU etc. - but for those who just live in the US (or anywhere outside the EU) going the extra mile to block because of non-compliance is really weird.
| mgbmtl wrote:
| Most small local newspapers are owned by huge megacorps. GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU. I don't know if it has ever been enforced, except for large multinationals.
|
| The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested (ex: Sklyarov 2001 case, for breaking PDF encryption).
|
| Although for most financial things, it's common in US/CA to block non-local IPs. Heck, I was in Mexico and I couldn't login to my provincial government tax portal. There are constant security issues with those sites.
| BrandoElFollito wrote:
| > GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU
|
| They can tell whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.
|
| > The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested
|
| Yes, this is why I mentioned that my point is only for local businesses. Travel or business in the EU can/will be problematic.
|
| > Heck, I was in Mexico and I couldn't login to my provincial government tax portal. There are constant security issues with those sites.
|
| Blocking for security is another thing.
| Maybe a good idea, maybe not - but that's another story.
| lxgr wrote:
| > They can tell whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.
|
| That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to _enforce_ a claim against a US entity - but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.
|
| > Blocking for security is another thing. Maybe a good idea, maybe not - but that's another story.
|
| As a customer/taxpayer that needs access to a service from abroad, I really don't care _why_ I have to jump through hoops to cancel a subscription/order or pay my taxes owed.
| BrandoElFollito wrote:
| > That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to enforce a claim against a US entity - but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.
|
| I am not sure you read my post in detail - I explicitly mentioned that I am talking about local services, without any international footprint. And mentioned that in case of this footprint - yes, they will be sought after.
|
| This is also exactly what the US does to enforce their "extraterritoriality".
| noizejoy wrote:
| The business may be local but the owner or other management or employees may wish to keep all of their travel options wide open without fear of some obscure foreign law that might hold them individually responsible.
|
| The golden days of global network accessibility are closing little by little.
| mgbmtl wrote:
| They're maybe local services, but they're not local businesses. c.f. my post :)
|
| And they can be enforced not only from assets, but also from travel or various financial tools at their disposal.
| (it would be surprising, but for many businesses, it's not worth the hassle)
| mattsan wrote:
| I'm sure there are still some people willing to report the websites to the EU commission, it's a guaranteed fine (less so a paycheque, I have no clue if the company has to comply with paying it (unless later on they want to expand to the EU))
| BrandoElFollito wrote:
| This is a fine that the EU can issue but why would the _local_ business care?
|
| If I was issued a fine by the US, China, India or Japan it would directly go to the trashbin. It is their law, and their problem, not mine.
|
| Of course this means that I will not be able to do business there, if I travel I may be in trouble etc. But again - we are talking about small local newspapers (and similar businesses).
| ImPostingOnHN wrote:
| between the options of:
|
| A. [re-]architect in GDPR compliance;
|
| B. deal with incoming legal documents, likely can't just discard;
|
| C. block country representing tiny share of viewership,
|
| option _C_ seems to present the least hassle
| BrandoElFollito wrote:
| Option D: ask a local lawyer once (100 USD or so) and they will confirm that the business can trash such foreign requests and be done.
|
| Not sure whether C or D would be more complicated long term (you need to manage the geoloc somehow, or outsource and pay for the service)
| lxgr wrote:
| Additionally, it shows traveling US-based customers that you care about them.
| cronix wrote:
| It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries. It's not like it's hard or time consuming to implement, and cheaper than your other suggestion further down of consulting a lawyer every time one of these pops up, like "do I have to annoy my customers with these stupid cookie popups every time they visit?"
| Why should I have to spend a dime for something that is external to my company, has nothing to do with it, and have to constantly keep on top of it? We don't even sell our services there. Why should I even waste the bandwidth? Our firewalls are sure a lot less active, as well. Why should I waste time answering emails from people we don't sell to? It's better to just not get them. I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even smaller municipality such as state/county/city), is there something wrong with blocking everything outside it and just not worrying about it?
| BrandoElFollito wrote:
| > It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries.
|
| Exactly, except that it is just simpler to do _nothing_.
|
| Do you (I assume you are not in either of the countries I give as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64"? No. Because the local laws that forbid these statements are, well, local. Nobody cares outside of these countries. They could send you letters informing you that you did wrong and that you have to pay 1M USD and you would just put that in the trash.
|
| > I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even smaller municipality such as state/county/city), is there something wrong with blocking everything outside it and just not worrying about it?
|
| I do not care - it is just that I ended up serendipitously on a few of these places and was wondering why they care (I would not care about the cookie law in Zimbabwe or Patagonia if I had a web site).
| cronix wrote:
| Our hacking attempts dropped by approx 85%, and we use less bandwidth. There are other benefits to blocking traffic to places where you don't do business.
|
| > They could send you letters informing you that you did wrong and that you have to pay 1M USD and you would just put that in the trash.
|
| I think it's just better to not get those letters in the first place (any more than spam phone calls or texts) and have to waste time reading them, or having to possibly consult an attorney over them to see if they have merit. It's just not something I want to be bothered with, nor should I. It has nothing to do with the company, what we do or our customers.
|
| > Do you (I assume you are not in either of the countries I give as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64".
|
| We don't say anything like that on our company sites.
| BrandoElFollito wrote:
| Ah, now I remember how I got to one of these pages. I wanted to have a look at the local newspaper of Tuttle, Oklahoma because of a funny (and sad for open source devs) event that happened there in 2006: https://www.theregister.com/2006/03/24/tuttle_centos/. It was blocked for GDPR reasons (at the time at least).
| twodave wrote:
| If you're going this far, might as well do as the author did and add a Pi-hole to the mix, issue some credentials to your phone and block ads and/or other stuff via DNS everywhere you go.
| I also use this to remote into my work computer from wherever I am, using my travel laptop, an iPad or even just my cell phone.
| abap_rocky wrote:
| This is precisely what I do and it's great. Built myself a workstation desktop last year that I wanted to access remotely via an older laptop and it's worked beautifully, even when I was out in Europe for a week last summer.
| philsnow wrote:
| Pi-hole is really lightweight, you could just run it on your local laptop and save yourself the hop to your home network for all DNS requests.
| twodave wrote:
| I could set up Pi-hole on my local laptop. And on my wife's laptop. And on my kids' phones. And on my work laptop. And...
|
| Or I could just set it up on one tiny server (doesn't have to be a Pi, but I happen to have one that isn't doing anything else), point my gateway at it for DNS, and give my whole family + any VPN connections filtering for free.
| BrandoElFollito wrote:
| This. I started to tunnel my traffic via my WireGuard VPN (when outside) to cut these 30% of connections that are blocked by Pi-hole.
|
| Pi-hole is really a great piece of work. It uses standard components (dnsmasq, standard lists) and does it well. I used to have it in a docker container but moved it to the ISP box when I got a new one (a French ISP called Free provides you with an Internet box that has a built-in VPN (WG or OpenVPN) and allows you to create VMs - this is where I ultimately moved Pi-hole because it is my DNS and DHCP server).
| Hamuko wrote:
| I use PiVPN on a Dell Wyse 3040, an absolutely pathetic thin client I got for 67 EUR from eBay, to access my home network. It's the only thing accessible from the outside world and it works pretty well. Don't remember if I've ever had issues with it.
| lenova wrote:
| I have never met Jeff (the author of this blog post), but I come across his work randomly all of the time.
| Jeff, if you're reading this, I've always been impressed by your efforts, you're a workhorse!
| _joel wrote:
| Should follow him on YouTube, always fun vids.
| geerlingguy wrote:
| Thanks! Didn't think this blog post would hit HN, but apparently it did, while I was on a flight back to the US lol. I figured most of us here are VPN'ed out.
|
| It served me well on my trip and I was able to see all the things from local media that are geo restricted out of the US.
| tzs wrote:
| Up until late 2014 when I occasionally worked at home, I used what I called the poor man's VPN. There was one machine at my company that I had ssh access to from outside and that could reach all the internal machines I needed. Call that machine ssh.example.com.
|
| My requirements for comfortably working from home were:
|
| 1. Nothing special needs to be done at work. I don't have to ask for anything new to be installed there, or firewall rules to be changed, or anything like that.
|
| 2. I wanted to be able to refer to work machines by the same names they had on the internal network at work, and I wanted to access things on the same ports. A script that worked when run from my office should work with no changes when run from my living room.
|
| 3. It only needed to support host:port combinations that were explicitly specified.
|
| Here's what I did. Let's say I've got 3 machines I need to use:
|
|     db.example.com: MySQL server
|     mail.example.com: mail server
|     web.example.com: web server
|
| I need to use MySQL on the first (port 3306), IMAPS on the second (port 993), and HTTP/HTTPS on the third (ports 80 and 443), and I want to use ssh (port 22) on all of them.
|
| I'd ssh to the machine at work that I have ssh access to, with my ssh config file including this:
|
|     Host poor_vpn
|         Hostname ssh.example.com
|         User tzs
|         UserKnownHostsFile ~/.ssh/poor_vpn.hosts
|         LocalForward 7777 db.example.com:22
|         LocalForward 7778 db.example.com:3306
|         LocalForward 7779 mail.example.com:22
|         LocalForward 7780 mail.example.com:993
|         LocalForward 7781 web.example.com:22
|         LocalForward 7782 web.example.com:80
|         LocalForward 7783 web.example.com:443
|
| I'd add this to /etc/hosts:
|
|     10.10.10.1 db.example.com
|     10.10.10.2 mail.example.com
|     10.10.10.3 web.example.com
|
| (My LAN used 192.168.0.x addresses)
|
| Finally, a little ipfw fiddling on my Mac to bring it all together:
|
|     ipfw add 100 fwd 127.0.0.1,7777 tcp from any to 10.10.10.1 22
|     ipfw add 101 fwd 127.0.0.1,7778 tcp from any to 10.10.10.1 3306
|     ipfw add 102 fwd 127.0.0.1,7779 tcp from any to 10.10.10.2 22
|     ipfw add 103 fwd 127.0.0.1,7780 tcp from any to 10.10.10.2 993
|     ipfw add 104 fwd 127.0.0.1,7781 tcp from any to 10.10.10.3 22
|     ipfw add 105 fwd 127.0.0.1,7782 tcp from any to 10.10.10.3 80
|     ipfw add 106 fwd 127.0.0.1,7783 tcp from any to 10.10.10.3 443
|
| On Linux that would have been something like this (each rule needs the -j before REDIRECT, which the original listing dropped):
|
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 22 -j REDIRECT --to-port 7777
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 3306 -j REDIRECT --to-port 7778
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 22 -j REDIRECT --to-port 7779
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 993 -j REDIRECT --to-port 7780
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 22 -j REDIRECT --to-port 7781
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 80 -j REDIRECT --to-port 7782
|     iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 443 -j REDIRECT --to-port 7783
|
| That worked great for several years.
| I've got a script that can take a list of files that describe host:port combinations and generate the ssh config, hosts, and ipfw or iptables rules so it was easy to add or remove machines.
|
| It broke in late 2014 when I switched to MacOS Yosemite. Apple had switched to using PF in Lion in 2011 and deprecated ipfw, and removed it in Yosemite. By then we had an OpenVPN setup at work and I switched to using that.
| rbut wrote:
| Or just use a Mikrotik router which has WireGuard support built-in.
| xioxox wrote:
| Yes. My FritzBox also has built-in WireGuard.
| mobilio wrote:
| This is only for Mikrotiks that use ARM processors. Some older ones that run on MIPS don't get this update.
| rbut wrote:
| WireGuard support comes with RouterOS 7 (ros7). I'm running ros7 on a MIPS device (mAP) and it works fine. What device(s) are you talking about?
| vetinari wrote:
| WireGuard is available on all architectures, since RouterOS 7.0.
|
| ZeroTier is the arm/arm64-only package that you probably had on your mind.
| syntaxing wrote:
| With the cost of Raspberry Pi nowadays, you're better off buying something like a GL.iNet GL-SFT1200 for $40.
| JosephRedfern wrote:
| The article explicitly mentions this: "PiVPN, luckily, runs on any other Pi-like device, though, as long as it's running a Debian or Pi-OS-like distro. Something like a Libre Computer Le Potato should work in a pinch, without breaking the bank--though if you want faster networking, you'll have to pony up a little more cash, at least until the Pi shortage abates."
| blipvert wrote:
| Taking an opportunity here for a completely shameless plug for an enterprise-y wg based corporate VPN. Uses mTLS for device auth, wg (obvs), OIDC to authenticate users/set up firewall access (Azure AD and Keycloak tested). Runs as a redundant cluster and can be hooked in via BGP.
|
| Very early and no docs to speak of yet, but raise an issue if interested.
| Works with the standard WireGuard app on computers/phones, but an integrated app using the API might be in the works ...
|
| https://github.com/davidcoles/gpn
| mobilio wrote:
| Or you can use ZeroTier.
| a_subsystem wrote:
| ZeroTier kept having random disconnects, long wait times until connection is established/settled, and desktop app weirdness/inconsistencies. Have these problems been fixed? (Last used it years ago).
| piceas wrote:
| Yes and no in my experience. The past year I have had some trouble but the Linux clients seem to be good again. Win11 is getting worse for me unfortunately.
| distantsounds wrote:
| And then you hit CPU bottlenecks whenever you do literally anything bandwidth intensive. The limits of using hobbyist hardware, you get hobbyist level performance. A Raspberry Pi is a _horrible_ solution for running WireGuard. You can get a tiny 1L PC running on an actual Intel or AMD processor with far more perf/$.
| _joel wrote:
| WireGuard doesn't use any AES CPU functions so it actually is highly performant on low end chips vs. OpenVPN. True, you're still limited by port speed and such but it's fine for most people. If you need more then you're not going to be running it on a Pi (or old laptop etc) anyway.
| FeistySkink wrote:
| I'm not sure what the max throughput is, but I just tested 50 Mbit down/80 Mbit up passthrough from a cafe Wi-Fi to my 3B with WireGuard (using wg-quick) at home. Seems enough for anything I'd use it for.
| geerlingguy wrote:
| My home Internet upload speed is 35 Mbps. A Pi 1 can handle that speed, much less a Pi 3 or 4 :)
|
| But the nice thing is PiVPN works great on any little PC. Or even a VM.
| FeistySkink wrote:
| That was just my anecdotal point that a Pi can handle typical home internet speeds over WireGuard without overtaxing the CPU.
| IMHO, WireGuard's setup is pretty trivial as is, especially moving to it after years (decades at this point) of various OpenVPN setups that require much more tinkering. So no need for external tools. But I'm glad they exist for those who find them useful. Either way, keep up the good work with your knowledge sharing, I'm a big fan of what you do.
| Shared404 wrote:
| Heck, that's more than what most people I know get at home.
| xp84 wrote:
| There are some cool HP thin clients available on eBay for a fraction of the scarce Pi these days, one of them even has an NVMe slot so you can put in a real SSD. If I was doing this today I'd use one of those.
|
| Presently my "home server" is only used for Home Assistant, and it runs on a 2011 MacBook Pro with a bad keyboard, running Debian. It actually runs so well on Linux that the fan doesn't even spin, at least not audibly.
| belthesar wrote:
| Jeff does explicitly call this out in his video, but as sibling commenters say, it's really a matter of whether that's enough for you. Even 20 Mbit symmetrical would be more than enough for me to run a stream from a Plex server while serving other web or SSH traffic easily enough. What you do say though brings up a great point - if you ran this on a Pi and you're not getting the performance you need for your use case, check CPU utilization on the Pi, and consider running your VPN on a device with more oomph.
| Proven wrote:
| [dead]
| stzsch wrote:
| I keep a Pi with WireGuard as a way to reboot my homeserver remotely if something goes wrong. A GPIO pin connected to an optocoupler acts as a second power switch on the motherboard.
|
| Works well for testing stuff remotely or messing with VPN configurations on the server itself without leaving it stranded for good.
| eatbitseveryday wrote:
| A nice dynamic DNS provider is afraid.org
| samgranieri wrote:
| I'm using https://github.com/burghardt/easy-wg-quick for this.
| It works beautifully. I simply port forward to my Raspberry Pi that handles all of this.
| gbraad wrote:
| I do Tailscale. WireGuard and having to host an entrypoint is too much trouble.
| cloudripper wrote:
| It might be more of a rabbithole, but if you're going the 'self-hosting' homelab route, I'm a big fan of OPNsense to give you more freedom and control of your network (which has support for WireGuard [0]). While ARM support is lacking, it can be run on a cheap or spare x86-64 box if you had one.
|
| Otherwise, I really like the premise of Tailscale for quick and easy implementation.
|
| [0]: https://docs.opnsense.org/manual/how-tos/wireguard-client.ht...
| babuloseo wrote:
| I have tried a lot of WireGuard installation solutions, this one is pretty great.
| indeyets wrote:
| WireGuard/Tailscale are fine if you don't need to deal with state-wide censorship. They might be blocked quite easily.
|
| Outline/Shadowsocks has better chances to keep working (though it is not a true VPN, more like a private proxy) https://getoutline.org/
| Denvercoder9 wrote:
| In what way is WireGuard easier to block than SOCKS?
| indeyets wrote:
| That's "Shadowsocks".
|
| WireGuard is fingerprintable. It's trivial to look at packets and see "this is WireGuard" and block the packets.
|
| Outline traffic looks much more like noise (pre-shared keys, lack of handshake, ...)
| Denvercoder9 wrote:
| > that's "shadowsocks"
|
| I'm not familiar with the software, but according to Wikipedia it's a client to connect to a SOCKS5 proxy:
|
| > Shadowsocks is not a proxy on its own, but (typically) is the client software to help connect to a third-party SOCKS5 proxy, which is similar to a Secure Shell (SSH) tunnel.
|
| Are you saying that's incorrect?
| indeyets wrote:
| That's an oversimplification. Raw SOCKS5 is a low-level thing without encryption.
|
| Shadowsocks puts a solid crypto layer on top of it, designed specifically to be hard to detect.
| Its Chinese origin gives a hint here: it was created to circumvent detection by the "great firewall".
|
| Outline builds a user-friendly toolset on top of it.
| fasthandle wrote:
| Shadowsocks is defunct now. Has been for a while; a connected server's IP can be detected and blocked within hours. That means Outline's defunct in a lot of places too. What's currently 'hot', in large part, is v2ray [1], be that vless, vmess, trojan, etc.
|
| [1] https://zh.m.wikipedia.org/wiki/V2Ray
| [deleted]
| Severian wrote:
| The one problem I encounter with WireGuard is the use of UDP. Some publicly accessible Wifi nets at shops don't allow UDP at all, and this effectively breaks use of the VPN.
|
| Yeah, there are utilities like setting up udptunnel or udp2raw and similar, but what a headache. I really don't agree with WireGuard's developers' justification that it makes speeds terrible. Who cares? It'll be terrible using those utilities anyway. Give us the option, JFC.
| mr_mitm wrote:
| Yeah, OpenVPN even supports authenticated web proxies, which is a really nice feature for tunneling. But I realize that I'm probably far from a typical user.
| OrderlyTiamat wrote:
| VPN over TCP really is quite a bit slower than over UDP, which makes it quite undesirable for me. I think it's quite reasonable of them not to want to complicate the wg project by adding and maintaining the option of UDP over TCP. Remember, wg is supposed to be a minimal project. If you really need TCP traffic, you could always use OpenVPN.
|
| With QUIC on the way, this problem will diminish with time anyway.
| uriah wrote:
| There's complicating the protocol and complicating the client. It would definitely be nice if they would add a solution to this to the official clients, particularly mobile ones. VPN over UDP is quite a bit slower than over TCP when the ISP blocks/throttles the UDP traffic...
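Picking up tzs's "poor man's VPN" from further up the thread: the following is an added example, not tzs's own script (which was never posted), that does what tzs describes, turning a list of host:port specs into the ssh config, the /etc/hosts lines and the iptables or ipfw rules so that all three stay in sync. It assumes the names from that comment (bastion ssh.example.com, user tzs, fake addresses in 10.10.10.0/24, local ports from 7777) and adds the -j that iptables requires before REDIRECT.

```python
"""Generator for tzs's "poor man's VPN": one host:port spec list in, the
ssh config, /etc/hosts lines and firewall rules out.

Added example, not tzs's script.  Assumptions (taken from the comment):
bastion ssh.example.com, user tzs, fake addresses in 10.10.10.0/24,
local forward ports starting at 7777."""
from collections import OrderedDict

SSH_BASTION = "ssh.example.com"   # the one work host reachable from outside
SSH_USER = "tzs"
FAKE_NET = "10.10.10."            # must not overlap the real LAN (192.168.0.x)
FIRST_PORT = 7777                 # first local port handed out


def parse_spec(lines):
    """Turn lines like 'mail.example.com:993  # IMAPS' into an ordered,
    de-duplicated list of (host, port).  ssh (22) is added for every host
    because the comment wants ssh on all of them."""
    pairs = OrderedDict()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad spec line: {raw!r}")
        pairs.setdefault((host, 22), None)
        pairs.setdefault((host, int(port)), None)
    return list(pairs)


def allocate(pairs):
    """Give each host a fake IP (in first-seen order) and each (host, port)
    a distinct local port, so the three outputs agree with each other."""
    hosts = OrderedDict()
    for host, _ in pairs:
        if host not in hosts:
            if len(hosts) >= 254:
                raise ValueError("more than 254 hosts do not fit in one /24")
            hosts[host] = f"{FAKE_NET}{len(hosts) + 1}"
    forwards = OrderedDict((pair, FIRST_PORT + i) for i, pair in enumerate(pairs))
    return hosts, forwards


def ssh_config(forwards):
    # LocalForward binds to loopback unless GatewayPorts is set, so the
    # forwarded ports are reachable only from this machine, not the LAN.
    lines = ["Host poor_vpn",
             f"    Hostname {SSH_BASTION}",
             f"    User {SSH_USER}",
             "    UserKnownHostsFile ~/.ssh/poor_vpn.hosts"]
    lines += [f"    LocalForward {lport} {host}:{port}"
              for (host, port), lport in forwards.items()]
    return "\n".join(lines)


def hosts_file(hosts):
    return "\n".join(f"{ip} {host}" for host, ip in hosts.items())


def iptables_rules(hosts, forwards):
    """Linux: nat OUTPUT REDIRECT sends locally generated traffic for a
    fake IP:port to 127.0.0.1:<local port>, where ssh is listening."""
    return "\n".join(
        f"iptables -t nat -A OUTPUT -p tcp -d {hosts[host]} --dport {port} "
        f"-j REDIRECT --to-port {lport}"
        for (host, port), lport in forwards.items())


def ipfw_rules(hosts, forwards, first_rule=100):
    """Pre-Yosemite macOS equivalent, with numbered ipfw fwd rules."""
    return "\n".join(
        f"ipfw add {first_rule + i} fwd 127.0.0.1,{lport} tcp from any to "
        f"{hosts[host]} {port}"
        for i, ((host, port), lport) in enumerate(forwards.items()))


def generate(spec_lines, firewall="iptables"):
    """Return the three artefacts as a dict keyed ssh_config/hosts/rules."""
    if firewall not in ("iptables", "ipfw"):
        raise ValueError(f"unknown firewall: {firewall}")
    pairs = parse_spec(spec_lines)
    hosts, forwards = allocate(pairs)
    rules = iptables_rules if firewall == "iptables" else ipfw_rules
    return {"ssh_config": ssh_config(forwards),
            "hosts": hosts_file(hosts),
            "rules": rules(hosts, forwards)}


# Constructed spec matching the three machines in the comment.
SPEC = ["db.example.com:3306    # MySQL",
        "mail.example.com:993   # IMAPS",
        "web.example.com:80",
        "web.example.com:443"]

if __name__ == "__main__":
    for name, text in generate(SPEC).items():
        print(f"# --- {name} ---\n{text}\n")
```

Keep the fake /24 disjoint from every network the laptop actually joins, otherwise the REDIRECT rules will hijack real traffic.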
| cyberpunk wrote: | A little trick for this is to listen on udp/53 which is almost | always unblocked, even before captive portals | unethical_ban wrote: | Actually, I found AT&T blocking inbound port 53 to my home. | Maybe udp 443 could work? | KaiserPro wrote: | yeah high rates of data over port 53 tend to trigger a lot | of firewalls. I've never had much success with it. | | 443 is much more likely to be let past, with the popularity | of QUIC. | threeio wrote: | I once used port 53 for all my communications at a hotel that | was charging for metered bandwidth by the GB... it was a magical | weekend of DNS passthrough with video calls, etc. | | 53 is my go-to port when the network is wonky. | digitallyfree wrote: | This is the reason why I still stick with OpenVPN on TCP 443 | for my self-hosted VPN. Yes performance suffers a bit but it | works absolutely everywhere including behind campus/corp | firewalls as no one blocks TCP 443. I've tried running a | separate UDP instance on a different port for situations where | I need higher performance but for my use cases TCP works fine. | | From my experience UDP 53 like another commenter suggested does | not always work as some firewalls forcibly route all UDP 53 | packets to their own local DNS server in order to prevent | people from using their own. | | As a bonus OpenVPN has the "port-share" option which allows you | to share the port with other services like an SSL web server. | sslh is also an option if you want to host both your VPN and an | HTTPS site on TCP 443. | jrm4 wrote: | Personally, if you're looking for "your own private" thing, I'm a | much bigger fan of Tinc. The wireguards and zerotiers seem more | appropriate for bigger, more corporate things? | | I do wish Tinc had a slightly easier onboarding process, but once | it's up, there's a great deal of stuff that I see people dealing | with that Tinc users don't have to think much about, especially, | e.g. the Mesh deal. 
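The udp/53 versus udp/443 subthread above (cyberpunk, unethical_ban, KaiserPro, digitallyfree) boils down to one configuration change on the server plus one on the client. The following is an added example, not a config from the thread, from PiVPN or from the WireGuard project; the hostname vpn.example.com, the 10.8.0.0/24 addresses and the key placeholders are assumptions. It keeps a single WireGuard listener on the default 51820 and uses a nat-table REDIRECT in wg-quick's PostUp/PostDown hooks so the same tunnel also answers on udp/443. Two files are shown in one block, separated by comments.

```ini
# --- server: /etc/wireguard/wg0.conf (added example; placeholder keys and addresses) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Accept the same tunnel on udp/443. REDIRECT is a DNAT, so conntrack rewrites the
# replies back to source port 443 on the way out; WireGuard itself still binds only 51820.
# udp/443 only collides with HTTP/3 (QUIC) if this host serves it; TCP 443 is unaffected.
PostUp   = iptables -t nat -A PREROUTING -p udp --dport 443 -j REDIRECT --to-ports 51820
PostDown = iptables -t nat -D PREROUTING -p udp --dport 443 -j REDIRECT --to-ports 51820
# udp/53 is tempting, but upstream firewalls often hijack it to their own resolver, and on
# a host that runs its own resolver (PiVPN next to Pi-hole) the same redirect would break DNS.

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.8.0.2/32

# --- client: phone.conf, the profile to hand out for restrictive networks ---
# Same keys as the normal profile; only the Endpoint port differs.
[Interface]
Address = 10.8.0.2/24
PrivateKey = <client private key>
DNS = 10.8.0.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:443
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The home router has to forward udp/443 to the Pi in addition to udp/51820, and the ordinary profile with Endpoint = vpn.example.com:51820 keeps working unchanged. Because the handshake signature from the earlier subthread does not depend on the port, this buys passage through networks that merely block unusual UDP ports, not through ones that fingerprint the protocol.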
| spaniard89277 wrote: | I don't think there is a lot of stuff easier to set up than | ZeroTier, honestly. For me it has been a godsend. | jasonjayr wrote: | Tinc was my go-to for years, but there is a non-trivial | performance penalty for its userspace implementation. | | If you can enumerate all your endpoints into wireguard, and | squint, it'll kinda-sorta act like a mesh. | | And if you want to go a little crazy with it, you can run | https://github.com/m13253/VxWireguard-Generator + babeld, and | get routing around failures in the mesh. | nirav72 wrote: | Wireguard has a dead simple onboarding process as well. For | users you want to grant access - providing a QR code and them | installing the wireguard client app on their mobile device is | all that is needed. Also the wireguard server itself is an easy | setup and has very little overhead. Took me like a few minutes to | install and set up on a raspberry pi 3. Of course, you do have | to open up a port on your router. That's the only downside. | I've since switched to Tailscale for that specific reason. | carride wrote: | The Algo project still works well. Very quickly launch a WireGuard | VPN to several popular cloud providers, or any Linux instance you | already have access to, including your rPi. | | https://github.com/trailofbits/algo | sobkas wrote: | For me the HPE ProLiant MicroServer G10+ is a better solution but I | couldn't find a wireless PCIe card that could reliably be used as an | AP. I have a QNAP QWA-AC2600 bought in Europe but the Linux driver is | crippled and sets the regulatory region to US because the ROM doesn't | have it set properly. And there is no way to change it. Driver | developers think it's a feature and won't revert it. I really | appreciate that driver developers know better than me where I use | hardware, but for now I don't want to use US settings in, for | example, Poland. Or all frequencies are tagged as not for AP use. | My question is, is there any PCIe card that could be used as an AP? 
| geokon wrote: | Anyone know if these kinds of setups get you around the Chinese | firewall? Or is this kind of traffic pretty fingerprintable? | npteljes wrote: | Many VPNs get around it just fine, according to the random | experiences I saw online. The issue is not technical, but | legal: the traffic is fingerprintable, and the parties | involved (user, ISP) are legally required to store some of the | traffic, and to make that available for authorities to check | later [0]. I imagine that they handle this like how they handle | other law enforcement - by applying it when they feel like. So | at the end of the day, don't get caught. | | [0] | https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peopl... | Snawoot wrote: | Wireguard is known to be fingerprintable [1]. But at this moment | it is unlikely UDP traffic will be filtered by the Chinese GFW [2]. | But this may change any moment. | | [1]: | https://lists.zx2c4.com/pipermail/wireguard/2018-September/0... | | [2]: | https://gfw.report/publications/usenixsecurity23/en/#sec:res... | fest wrote: | I don't think it's true that UDP is completely unfiltered. | | I tried setting up a Wireguard site-to-site tunnel for $WORK's | Chinese office to access the EU office; it stopped working within | a day. ___________________________________________________________________ (page generated 2023-05-05 23:00 UTC)