Nice, thank you!

Oh neat! That looks like a perfect fit for me! I saved your post and will come back to it once the biyearly “just f*ing fo it again” motivation hits me once more :D

Yes, I do loose the origin IP and I’m a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That’s totally my personal preference though.

I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It’s by design much easier for them to do statistics or snooping.

I am using the smallest tier VPS from IONOS for 1€/month. Good, reliable and trustworthy as it is a subsidiary of 1&1 telecommunications.

Rent a VPS, point DNS to it, have it act as central wireguard peer and connect your server(s). Then bridge incoming traffic to server via socat or firewall rules. Done

Sure it’s easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.

Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.

Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven’t had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to loose some potential bandwidth to the kernelspace/userspace hoops.

Nur eine Spur noch, dann wirds besser! Wirklich! Ich kann aufhören wann immer ich möchte!

Do you see that hill? Wouldn’t you like to… see what’s behind it?

Yeah that occurred to me as well. Then I immediately think that maybe we need ☆one more language☆ to fix this. And then I remember that one xkcd comic…

Absolutely true, it was more of a joke because Python is being used for pretty much anything today. I really don’t want to mess with correct indentation in my terminal.

The line between configuration is very messy anyways. So many projects abuse YAML as a domain specific language. Looking at you, HomeAssistant and ESPHome!

Python😎

Exactly. I’ve had 0 issues with it. Sadly they stopped development of their own password manager, so now I am using Bitwaren+Vaultwarden. The UI is better, but the app still feels cumbersome and slow, just like Mozilla’s experiment. For some reason Bitwarden is also really inconsistent & slow in when it shows the Autofill Popup on my keyboard.

Sounds like a great market situation for Aldi or Lidl to expand into!

All hail Firefox Sync!🙌

What? I’ve never had the feeling that nextcloud assumes that. Are you using a special all-in-one docker image? Because I am using the regular one and pair it with db, redis etc. containers and am absolutely happy with it.

Richtig und wichtig. Und außerdem gerade rechtzeitig. Wir müssen so viele offene Lücken stopfen wie es nur geht.

Diese hier wurde ja u.a. durch Die Anstalt ziemlich bekannt. Gibt es weitere?

WhatsApp IST Ende-zu-Ende verschlüsselt und benutzt (fast?) dasselbe Protokoll wie Signal!

Bei Telegram sind die Nachrichten nur transportverschlüsselt, liegen also beim Anbieter frei lesbar rum.

Signal ist nicht nur E2E verschlüsselt, es versucht sogar die Metadaten (“wer schreibt wem und wann?”) zu vermeiden/für die eigenen Server unsichtbar zu machen.

Maybe get a reputable one, the other ones are sadly malware infected in way to many cases. It’s a way for the manufacturer to make an extra buck from the sale.

If you have an AVM Fritz!Box home router you can simply create a new profile that disallows internet access and set the devices you want to “isolate” to that profile. They will be able to access the local network and be accessed by the local network just fine, but they won’t have any outgoing (or incoming) connectivity.