joshavant | 4 years ago

I've hesitated to ever attempt this because every residential ISP I've had refuses to offer static IP addresses.

As well, deploying a server in a Google/Amazon/Microsoft datacenter which could be surreptitiously monitored defeats the theoretical privacy aspects of on-premises mail server hosting inside one's personal residence.

However, today, I looked into the newish movement of 'confidential computing' in the cloud (where data in motion - e.g., in memory - is encrypted and cannot be observed from the OS or hypervisor).

I openly wonder if one solution, then, is to build a secure VM that acts as a simple forwarding proxy to one's home server, gets assigned a static IP from a datacenter, and is deployed on one of these confidential computing instances, ensuring full E2E data privacy and data control?

Any guesses?

deadlyllama|4 years ago

Is confidential computing needed if all you're doing is forwarding packets? Your cloud provider can see the packets as they leave and enter your VM.

If I was building this I'd stand up a VPN (choose your favourite protocol) between the cloud VM and home server. For the cloud end pick something from lowendbox/lowendtalk or just use the cheapest Vultr instance. NAT port forwarding down the tunnel back to your server at home - just a few iptables rules. Job done. Bonus points if you get an IPv6 /64 and route that down the tunnel too.

It's possible to use policy routing at home so that traffic that needs to go down the VPN does, and traffic that can egress through your home internet can too. Replies to incoming connections that came down the tunnel go back up the tunnel. Outgoing SMTP connections go down the tunnel. Outgoing HTTP goes out your normal internet.
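The setup described in the comment above (port forwarding down the tunnel on the cloud VM, policy routing at home), written out as an added example that is not part of the thread or any commenter's configuration. Interface names, tunnel addresses, the port list, the table number and the mark are assumptions, and the tunnel is assumed to be a layer-3 interface; the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: prints (does not run) the rules for both ends of the tunnel.
# Every name and address below is an assumption, not a value from the thread.
WAN_IF=eth0            # cloud VM's public interface
TUN_IF=wg0             # tunnel interface on both ends (any layer-3 VPN)
HOME_TUN_IP=10.8.0.2   # home server's address inside the tunnel
IN_PORTS="25 587 993"  # inbound mail ports forwarded to the home server
RT_TABLE=100           # routing table for tunnel-bound traffic at home
FWMARK=0x1             # mark applied to outgoing SMTP at home

# Cloud VM: forward inbound mail ports down the tunnel, let home SMTP out.
cloud_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for p in $IN_PORTS; do
        # DNAT only (no SNAT), so the home MTA still sees the real client IP.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $HOME_TUN_IP:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $TUN_IF -p tcp -d $HOME_TUN_IP --dport $p -j ACCEPT"
    done
    # Outgoing SMTP from home leaves the VM with its static IP.
    echo "iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $HOME_TUN_IP -p tcp --dport 25 -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $HOME_TUN_IP -p tcp --dport 25 -j MASQUERADE"
    # Return traffic for the flows accepted above; nothing else is forwarded.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Home server: only tunnel replies and outgoing SMTP use the tunnel.
home_rules() {
    # Separate table whose only route is the tunnel.
    echo "ip route add default dev $TUN_IF table $RT_TABLE"
    # Replies to forwarded connections are sourced from the tunnel address.
    echo "ip rule add from $HOME_TUN_IP lookup $RT_TABLE"
    # Outgoing SMTP is marked and rerouted; other traffic keeps the main table.
    echo "ip rule add fwmark $FWMARK lookup $RT_TABLE"
    echo "iptables -t mangle -A OUTPUT ! -o lo -p tcp --dport 25 -j MARK --set-mark $FWMARK"
    # Marked packets picked the LAN source address before being rerouted.
    echo "iptables -t nat -A POSTROUTING -o $TUN_IF -j SNAT --to-source $HOME_TUN_IP"
    # Tunnel packets carry arbitrary internet sources: use loose rp_filter.
    echo "sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2"
}

case "${1:-}" in
    cloud) cloud_rules ;;
    home)  home_rules ;;
esac
```

Run it with `cloud` or `home` as the argument and review the printed commands before applying them as root on the matching host.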

oneplane|4 years ago

If surreptitiously monitoring your stuff in a cloud is in your threat model, what makes you think that anything you can do in a general home environment is beyond the reach of a dedicated adversarial actor?

j45|4 years ago

Forwarding proxy sounds like a great idea to try out and report back on. Why wouldn't it work?

Melatonic|4 years ago

Not really an issue - just use something like NoIP. No need to pay Amazon or Google for anything.

deadlyllama|4 years ago

NoIP/DDNS/etc still means a dynamic IP address, with possibly broken reverse DNS, from a dynamic DNS pool.

To send email you need a static IP with correct reverse DNS, or other people's servers will reject your mail (best case) or silently mark it as spam. Welcome to the real world of email deliverability, the worst part of running your own mail server.

Cuuugi|4 years ago

I personally have a Pi running DDNS, which is another option, I guess.