• 8 Posts
  • 111 Comments
Joined 1 year ago
cake
Cake day: June 19th, 2023

help-circle


  • Keeping the source IP intact means you’ll have troubles routing back the traffic through host B.

    Basically host A won’t be able to access the internet without going through B, which could not be what you want.

    Here’s how it works:

    On host A:

    • add a /32 route to host B public IP through your local ISP gateway (eg. 192.168.1.1)
    • setup a wireguard tunnel between A and B
    • host A: 172.17.0.1/30
    • host B: 172.17.0.2/30
    • add a default route to host B wireguard IP

    On host B:

    • setup wireguard (same config)
    • add PAT rules to the firewall so to DNAT incoming requests on the ports you need to 172.17.0.1
    • add an SNAT masquerade rule so all outbound request from 172.17.0.1 are NATed with host B public address.

    This should do what you need. However, if I may comment it out, I’d say you should give up on carrying the source IP address down to host A. This setup I described is clunky and can fail in many ways. Also I can see no benefits of doing that besides having “pretty logs” on host A. If you really need good logs, I’d suggest setting up a good reverse proxy on host B and forwarding it’s logs to a collector on host A.


  • OpenBSD is the most pleasing expérience I’ve had with an OS. It’s fully contained and has all the tools you need without needing to install anything (eg a DNS, HTTP, SMTP servers, a proxy, a good firewall). All config files look alike and use the same keywords for the same things, making it straightforward to configure everything.

    And regarding RAID 1, I’ve never done it myself, but it totally works out of the box (as well as full disk encryption).







  • Keep in mind that using your own VPS as a VPN doesn’t bring anonymity. You’re simply replacing one IP tied to your name (your ISP) with another one (your VPS).

    You hide your traffic from your ISP, and delegate it to your VPS provider.

    This will be the same for your DNS. If you want true anonymity regarding DNS, you should use someone else’s service, preferably over encrypted channels, eg. cyberia.is DoT.

    I personally use it as a forwarder from a box inside my home (along with others), and use this box as the local DNS when I’m home. This way I know that all DNS traffic is encrypted, and doesn’t leak anything to my ISP or VPS or whatever.




  • For the past year, I’ve been working on an online scavenger hunt. It features many tech related challenges on various topics (web, protocols, crypto, stegano, …).

    This is the project as a whole, but I had to work on many sub-project to bring it to life, out of which:

    • a Pokemon game (assembly)
    • an online scoreboard (go)
    • an encryption tool (go)
    • a crypto hashing tool (go)
    • a cli interface ©
    • many deployment shell scripts
    • … much more

    What I love about this project is that it touches many different topics. I had to setup reverse proxies, complex firewall rules, VPNs, abuse the TCP/IP stack, … I could also work on very useless but fun topics, like creating a tool that answers to ICMPv6 traceroute packets to insert fake hops between the requester and the destination. I’m now close to releasing it, and I wonder what I’ll do when this is over…



  • My account has not seen a single commit in years now, and yet I can let it go… I still “need” it for support on an old project of mine that I share with other people, and to submit changes for projects I care about which are only on GitHub.

    I also keep my account for name squatting purposes, and so people can find the link to my actual repo.

    I don’t think I’ll go all the way to delete my account, but my projects are definitely not reliant on it anymore.