🇨🇦

  • 12 Posts
  • 696 Comments
Joined 3 years ago
cake
Cake day: July 1st, 2023

help-circle


  • Fair points.

    I’ve been lucky enough to have never been behind cgnat, so I keep forgetting about it.


    My bigger concern with tailscale is being required to install software on the client. Not every device I use, I have permission to install a vpn client, nor would I want to.

    For example, I have a fileshare using Filebrowser where I store work related files that I don’t want to loose access to or need access to from multiple machines (non proprietary info, stuff IT/MGT wouldnt get mad at me for ofc. I’ve actually cleared it with my managers, so no worries). That’s also a handy way to (temporarily) share large files with people or provide a way for friends to upload large files to me.

    I also like to access my emby server (using sufficiently limited accounts), from things like the TV in the work break room, or a friends PC while I’m visiting.

    Tailscale is a hurdle that I just don’t need/want.



  • You don’t need a static IP, you just have to keep track of what your current dynamic IP is.

    You can do this with either a free or a paid DNS service.

    There are a few different ‘free dns’ services that will delegate a subdomain of theirs to you at no cost. Admittedly, I’ve never actually used one of these so their names escape me. Hopefully someone else can point one of those out if that’s what you really want.


    I purchased a domain via google domains, when they existed. It’s now transferred to squarespace, because they bought out google domains a few years ago.

    It was around $13/year when I first got it a decade ago. It’s now around $28/year.

    This allows me full control over the domain: I can use as many subdomains as I want to give each service I use it’s own unique name. (Instead of using their own separate ports that you’ve gotta remember) My domain will also forward all inbound email to my gmail account; this lets me use email addresses like <servicename>@mydomain.example. This way, I don’t share my real email and can immediately tell who sold my info to the highest bidder when I get spam. (I could also host my own email service if I really wanted, but I haven’t bothered)

    Add Cloudflare ontop (for free); and it can filter out known attacks, ddos attempts, geofence your services to regions you’ll actually be in, provide/autorenew ssl certs for https, show you usage analytics, cache static data reducing server/network load, etc.

    Ultimately, the paid option is well worth it IMO. $2/month (which I typically pay in 3-10 year blocks) is hardly anything.

    /edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.

    A domain allows you to access your services from any Internet connection with 0 configuration on the client side. Just accessing it like any other website.

    I also host a vpn directly from my network, that I access/find via my domain. This means I’m not dependent on a public service like tailscale, but can still add additional security to access private only services (stuff I don’t expose to the open internet)


  • https://en.wikipedia.org/wiki/Network_address_translation#NAT_hairpinning

    TL;DR Your router sees you trying to reach your external address and routes the connection back to your LAN without leaving the network.

    This does still depend on a functional internet connection however, as your client gets your public IP from a public DNS server over the Internet.

    If you were to run a DNS server locally (I use pihole for this), you could have that DNS respond with your local IP, allowing clients within your LAN to resolve the name without needing to reach out to public DNS. This means your local connections will still work when your internet is down; it also provides more privacy by keeping those requests local and can let you make local-only names that aren’t publicly listed.

    Of the ~28 FQDNs in my setup, only 4 are public. The rest is local/vpn only and not publicly listed due the above. The reverse proxy then drops all connections that don’t use one of those recognised names, before even completing the TLS handshake. (So direct connections from someone port scanning my IP or using a domain name someone else has pointed at my IP are completely ignored/dropped without response. The server doesn’t even send the TLS cert so as to not expose the names defined in it.)


  • proof of the kid and parents thing

    Spend some time around todays parents and their young kids. It’s so incredibly common to see small kids (I’m talking 2-8y/o) just completely enticed by a screen, ignoring everything else around them, and screaming their heads off whenever it’s taken away. It’s become a bit of an epidemic, with many many article’s and videos discussing the topic.

    Here’s the first result I got on YouTube: (having just now listened to it while typing this comment, it actually does a descent job explaining the problem) https://youtu.be/QE_E9Q9jVzU Feel free to do further searching yourself…

    It’s not limited to just children either, they’re just the most susceptible.







  • I try to be in the habit of making a full image onto a demonstrably working spare card every couple weeks.

    That’s a whole lot of writing to an sd card, wearing it out. It may fail by the time you want to read it. You also destroy each previous backup by creating a new one.

    Each of my rpis backup to my main server nightly using dd via ssh. The server then keeps historical backups of those .img files via Borg so I can pull any version from any day of the last year or so.





  • I use Emby instead of Plex or Jellyfin; mostly because it has an Xbox client, and I’ve already got a lifetime licence. One of my most active users only watches via Xbox.

    Really don’t like Plexs centralised user system or the overall direction they’ve been headed for years, so I moved away from that long ago (8+ years ago at least). Jellyfin wasn’t up to par at the time (though they’ve made leaps and bounds of progress in that time), and Emby has always supported more types of devices\clients. Their device limit (the client count limit with premeir) has never come into play for me, but I know there are larger user bases out there where that is a problem.

    Embys development is extremely slow though, taking YEARS to implement simple features or even address major concerns. Plus their support sucks without the community stepping in and providing it on behalf of the staff. Luke (the main dev) is better at copy+pasting candid responses than he is at actually interacting with human beings.