You’re going to be limited to what your upstream provider allows with regards to IPv6 traffic, if any at all. You’ll probably need a 4-to-6 or 6-to-4 translation somewhere, and that’s about it.
Just use Proton or a similar service. You’re getting the same thing for free or cheap.
You’re asking for a lot of pain. That’s all I can say. Like SIP, SMTP is one of the most attacked services out there. It has to be public, it has to be on specific ports, and it has to be advertised that it’s available. There’s a reason why people don’t mess with it anymore.
Well the service doesn’t matter. The authentication and authorization to the service does. If whatever you’re running has a solid barrier to entry, then no problems. If it’s open without any challenges, AND it can perform actions that harm your network, then that’s bad news.
If you’re worried about someone getting into your network and hacking something, the tunnels won’t do much to prevent that. What you’re describing is Security Through Obscurity in a way. You’re putting up extra unnecessary barriers that aren’t preventing access to something that isn’t secure in the first place.
Honestly, you’re just making more limitations and overhead by running everything over tunnels locally. There are better ways to secure your local network. If this works for you, and you don’t want to bother with extra steps, just go for it though.
The downsides are performance, and a lot of extra hurdles trying to get other things to interface with any of the other services.
You’ll also be at a disadvantage coming to forums and asking for help, because the preface will be explaining your setup before anyone can really help you with issues.
Your SD card is shot. SD cards aren’t built for sustained read/write cycles, and RPi installs regularly kill them from excessive access to disk from things like logging and DB access.
On HA specifically, you can solve for part of this by reducing all logging to minimal, and then for the bulk of the rest set up something like log2ram to store system logs in RAM and prevent wearing out the SD disk.
A more permanent fix would be to get an SSD instead, but that’s not always an option.
These stats are fine and all, but storage and network is what’s going to get you in the end if you open it up to anyone and everyone and it becomes popular.
It’s not about actually getting it to work, it’s about having it work PROPERLY.
You have multiple routes to the same network right now it sounds like, and you’re almost certainly routing local network traffic over NetBird instead of using local routes. Have you looked at your routing tables?
Okay, so two really big things:
You’re confused a bit on how network routing works. If you’re building something that bridges multiple networks (local + VPN + VPS), you need to know about how to route things to different places. You’re dealing with 3 networks at this point.
You might be misunderstanding how “zero-trust” and local networking fit together. Right now you have some local machines at least, AND a router. You don’t need all of your local machines to individually bridge a gap to your VPS, you want it the other way around.
If the majority of your machines are local, then make that your hub. Everything else should be a client. Adding all these individual nodes to routes in a mesh network makes absolutely no sense, and will definitely cause routing problems, if not something like ARP poisoning (we can’t see your config).
Just make the remote machine clients to your local network and be done with it.
Plenty of player/recorders cheap out there on eBay and elsewhere. Guess it’s a gamble at this point though.
Lol. You just don’t get it.
Friend…Tailscale uses the same Wireguard protocol as everything else. If Tailscale is working, but your solo configs aren’t, it’s not a Wireguard problem, it’s a config problem. Guaranteed.
Tailscale is Wireguard. If it works, then something is wrong with your Wireguard configs.
You might want to put these pertinent details in your post.
If you’re on a cellular network that has CGNAT, Wireguard may not be able to work. Same deal if it’s an IPv6 network.
Then try setting PersistentKeepalive on the client.
If Wireguard loses its connection, it doesn’t automatically requery the host and reconnect AFAIK. So if name resolution fails, or you’re on dynamic DNS and the IP changes, it’s not going to fix itself.
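The two failure modes in the comments above (a client behind NAT that goes silent without PersistentKeepalive, and an Endpoint hostname that wg-quick resolves once and never again) are easy to spot by reading the client config. The script below is an added example, not code from the commenter or from the WireGuard project: it parses a wg-quick style config (repeated [Peer] sections, which configparser can’t handle) and reports peers that have an Endpoint but no keepalive, or an Endpoint that is a DNS name rather than a literal address. The config, the public keys and the addresses are constructed sample data; the suggested keepalive of 25 seconds is the value commonly used for NAT traversal, not anything the thread specifies.

```python
"""Lint a WireGuard client config for two common "it stopped working" causes.

- [Peer] has an Endpoint but no PersistentKeepalive: a client behind NAT or
  CGNAT goes quiet, the NAT mapping expires, and inbound packets stop arriving.
- Endpoint is a hostname: wg-quick resolves it once when the tunnel comes up
  and does not re-resolve it, so a dynamic-DNS change leaves a stale peer IP.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Peer:
    public_key: str = ""
    endpoint: Optional[str] = None
    keepalive: Optional[int] = None
    allowed_ips: List[str] = field(default_factory=list)


def parse_wg_config(text: str) -> List[Peer]:
    """Minimal parser for the INI-like wg-quick format; [Peer] may repeat."""
    peers: List[Peer] = []
    current: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            current = Peer() if section == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None:
            continue  # [Interface] keys are not checked by this lint
        # partition on the FIRST '=' only: base64 keys end in '=' padding
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "publickey":
            current.public_key = value
        elif key == "endpoint":
            current.endpoint = value
        elif key == "persistentkeepalive":
            current.keepalive = int(value)
        elif key == "allowedips":
            current.allowed_ips.extend(p.strip() for p in value.split(","))
    return peers


def endpoint_host(endpoint: str) -> str:
    """Strip the port from 'host:port' or '[v6addr]:port'."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    return endpoint.rsplit(":", 1)[0]


def is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_peers(peers: List[Peer], recommended_keepalive: int = 25) -> List[str]:
    """Return one human-readable finding per problem; empty list means clean."""
    findings = []
    for p in peers:
        tag = p.public_key[:8] + "..."
        if p.endpoint is None:
            continue  # no fixed peer address: the other side initiates, nothing to check
        host = endpoint_host(p.endpoint)
        if p.keepalive is None:
            findings.append(
                f"{tag}: Endpoint set but no PersistentKeepalive; NAT mappings expire "
                f"when idle (try PersistentKeepalive = {recommended_keepalive})"
            )
        if not is_literal_ip(host):
            findings.append(
                f"{tag}: Endpoint '{host}' is a hostname; it is resolved once at "
                f"startup and not re-resolved if the DNS record changes"
            )
    return findings


# Constructed sample client config (not a real deployment).
SAMPLE_CONFIG = """
[Interface]
PrivateKey = REDACTED_PRIVATE_KEY=
Address = 10.8.0.2/24

[Peer]
# home server on dynamic DNS, no keepalive: both problems present
PublicKey = AAAAhomeserverpubkeyAAAAAAAAAAAAAAAAAAAAAAA=
Endpoint = home.example.net:51820
AllowedIPs = 10.8.0.0/24

[Peer]
# VPS on a fixed address with keepalive: nothing to report
PublicKey = BBBBvpspubkeyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
AllowedIPs = 10.9.0.0/24
"""

if __name__ == "__main__":
    for finding in lint_peers(parse_wg_config(SAMPLE_CONFIG)):
        print(finding)
```

For the stale-hostname case the fix is operational rather than a config key: wireguard-tools ships a contrib script (reresolve-dns.sh) that re-resolves each peer’s Endpoint and re-sets it with `wg set` on a timer, which is what people run from cron or a systemd timer when the server sits on dynamic DNS.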
MONTHLY?? That’s a bit much, don’t you think?
If you’re regenerating certs that fast, I can’t think of anything that’s going to be secure AND easy enough to satisfy automating this.
Whatever tool you want to use to secure the contents of the cert from its initial creation, to distribution, is fine enough. If you want super easy, use an SSH/SCP script. If you want something more elegant, think Hashicorp Vault or etcd.
Ansible is probably more effort than it’s worth (plus securing the secrets of the cert), and any other config mgmt tool won’t deal with the distribution portion simply, so I’d skip all of that.
Minidisc
Are you seeing log activity when your add-on attempts to contact the service? If not, then increase the log level to something that shows transactions. If you still don’t see any log activity, then your add-ons aren’t hitting the server. Look in your inspector to see if there are any errors from the add-ons.