>I always felt, and still feel, that applied Linux networking is difficult to get started with, mainly due to lack of good guidance. Most of the time I had to dig through small pieces of documentation scattered throughout the internet, trying to put them together to form a systematic overview of the network stack in Linux.
...
>It is extremely frustrating when somebody interested in setting up their own network infrastructure has to at some point get stuck at some convoluted networking concepts, intricate and abstract tools, mysterious errors here and there, or lack of systematic documentation. I wish everyone had some choices other than spending days and weeks trying to figure these out alone, so I decided to write down what I have done, what I have learned and what I have to share with the rest of the internet. I sincerely hope that some day IT operations would be more beginner-friendly, and hosting one's own network infrastructure no longer means headache and mess.
These are exactly my feelings. Stinky.fish makes more sense for a Linux blog. Everything about it stinks until it actually works. :)
I experienced this back when I configured my home Linux boxes as a router, VPN server, firewall, media server, etc. Since I had the time, I compiled all of the info I found on random blogs and sites and added them to the Ubuntu Community wiki. That was the 12.x days, when Ubuntu was in its prime and the distro to use.
While these blogs were a great resource, I often found the commands outdated or applied to a different distro. A distro-specific wiki solves both those issues. While I don't get the glory of a blog, I just checked and it's nice to see my notes still there for future Denvercoder9's.
I found WireGuard to actually be especially frustrating, because it doesn't really log anything. If you make a single configuration misstep the packets just won't flow. Then good luck figuring out whether it's the authentication that's wrong (or any of the cert checks in the chain), routing, MTU, firewall or anything in between.
It's kinda horrible. Not that IPsec is any better. OpenVPN at least yells something at you.
We recently switched a bunch of stuff from OpenVPN to Wireguard. A number of the links were OpenVPN layer 2 tunnels to pass, of all things, Novell Netware running on IPX (the particular situation precludes switching to TCP/IP for those customers). Now, layer 2 tunneling is being performed using RFC 3378 EtherIP, and it's much more performant, not to mention easier to manage.
Good grief - NetWare with only IPX! Presumably you'll be installing their Y2K patches any day soon 8)
I'm pretty sure NetWare can natively tunnel IPX/SPX over TCP/IP, assuming you are not stuck on 3.12. I don't think you have to fork out for the multi protocol router thing. They will crash regularly until you get the magic combination spot on and then run forever.
A NW 6.5 box will run quite happily as a pretty tiny VM - you could scatter them around as routers to support whatever nightmare of an app you need to run over IPX. Tunnel them over IPSEC or whatever floats your boat.
Meta: Huh. I don’t use “shallow dive” enough. “Deep dive” of course, everyone loves a good deep dive. But what about a shallow dive, or even just “getting your feet wet”? These are useful concepts too. This headline alone revealed a blind spot for me.
> We will be using the local IPv6 addresses fc00::/7 for routing inside our WireGuard network. For example, if we use the subnet fc00:0:0:160::/64, this can be the new Address config on Server:
I just moved from OpenVPN to tailscale, which uses Wireguard, on my personal stuff. I have a similar situation as OP describes at first where my residential account has the ports blocked.
I am quite happy so far, just wish it was innately supported in my consumer grade router, which supports vanilla WireGuard.
Dumb question, but the frp example shows OP forwarding to port 443 on local; how then did the spammers get access to port 25, or was there a separate forward rule set up for 25?
It was so much easier when popular search engines did search instead of "recommendation." The hardest thing is actually finding the thing that exists, in multiple forms, that you set out to find.
For people using WireGuard: it was not designed to provide anonymity. Otherwise it is fine for use in countries with decent protections for their citizens. If you need privacy, you should use OpenVPN.
Quote:
>WireGuard is highly secure, but it’s not designed with privacy in mind.
> WireGuard is highly secure, but it’s not designed with privacy in mind.
I'm sorry, but I must inform you that the Tom's Guide article contains affiliate links to OpenVPN services. However, it is important to note that neither OpenVPN nor WireGuard can guarantee your safety if you are being targeted by government agencies. The guide's attempt, from TFA, to promote these VPN services as a solution for anonymity and censorship avoidance (deep packet inspection can block all VPN protocols) is misleading. VPNs are primarily useful for accessing corporate or home resources and viewing geo-blocked streaming content (say, from your home network) on insecure networks like hotel or cafe WiFi.
At time of writing, the biggest privacy weakness that WireGuard has is how it assigns IP addresses. When you connect to a VPN service using OpenVPN or IKEv2, you’re assigned a different IP address each time. WireGuard instead gives you the same IP address each time. This is faster, but it means the VPN server must keep logs of your real IP address and connection timestamps.
The address assigned inside the tunnel has nothing to do with your real address, and definitely does not have anything to do with whether or not the VPN server is keeping logs of your real IP address and timestamps of your connection.
OpenVPN and charon keep far more logs of those things by default than WireGuard, and you have to trust your VPN provider turned them off.
Almost nothing was created with privacy in mind. Security and privacy are different things.
I hate that people think that a VPN is private as in anonymous. But then again, those providers had great marketing.. So now devs and sysops need to call VPNs "tunneled networks".
You're not wrong, but there are VPN services that add privacy on top of their WireGuard offerings, such as PIA (Private Internet Access). They open-sourced the connection code so you can see how they do it[1], using an API that initializes a temporary WireGuard connection for you. I've been really pleased with PIA's WireGuard setup, which even includes forwarding of an incoming port!
systems_glitch|2 years ago
Old and new systems are running OpenBSD.
yrro|2 years ago
> Address = 192.168.160.2, fc00:0:0:160::2
Please don't do this. fc00::/7 has been assigned for "Unique Local Unicast" and address ranges must be generated as specified in RFC 4193: https://www.google.com/search?hl=en&q=ipv6%20ula%20generator
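The comment above points at online ULA generators; the procedure they implement is RFC 4193 section 3.2.2, and it is short enough to run locally. The following is an added example (my own code, not from the thread or the linked generator) that derives a /48 prefix the RFC way (64-bit NTP time || EUI-64, SHA-1, low 40 bits as Global ID, under fd00::/8), carves a /64 out of it, and checks whether a given prefix such as the hand-picked fc00:0:0:160::/64 looks RFC 4193 conformant. The MAC address and timestamp used in the block are constructed sample inputs.

```python
"""Generate and sanity-check RFC 4193 Unique Local IPv6 Unicast prefixes."""
import hashlib
import ipaddress
import os
import time
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2_208_988_800
# The ULA block (fc00::/7); only the L=1 half (fd00::/8) is defined as assignable today
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")


def ntp_timestamp(unix_time: float) -> bytes:
    """Step 1: current time of day as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((seconds << 32) | fraction).to_bytes(8, "big")


def eui64_from_mac(mac: bytes) -> bytes:
    """Step 2: modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # insert ff:fe in the middle and flip the universal/local bit of the first octet
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def global_id(ntp_time: bytes, eui64: bytes) -> int:
    """Steps 3-5: SHA-1 over (time || EUI-64); keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_time + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(gid: int) -> ipaddress.IPv6Network:
    """Step 6: fd00::/8 followed by the 40-bit Global ID yields the site's /48 prefix."""
    if not 0 <= gid < (1 << 40):
        raise ValueError("Global ID must be a 40-bit value")
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def generate_ula_prefix(mac: Optional[bytes] = None,
                        unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """The whole RFC 4193 procedure; a random 48-bit value stands in for a missing MAC."""
    mac = mac if mac is not None else os.urandom(6)
    unix_time = unix_time if unix_time is not None else time.time()
    return ula_prefix(global_id(ntp_timestamp(unix_time), eui64_from_mac(mac)))


def subnet_of_prefix(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of a /48 ULA prefix with a 16-bit Subnet ID (bits 48..63)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def looks_rfc4193_conformant(net: ipaddress.IPv6Network) -> bool:
    """Reject prefixes outside fd00::/8 (e.g. fc00::/8 with L=0, which is reserved) and
    a zero Global ID, which is technically possible but almost certainly hand-picked."""
    if net.network_address not in ULA_LOCAL:
        return False
    gid = (int(net.network_address) >> 80) & ((1 << 40) - 1)
    return gid != 0


if __name__ == "__main__":
    # Constructed sample inputs: a made-up MAC and a fixed timestamp, for reproducibility
    sample_mac = bytes.fromhex("001122334455")
    prefix = generate_ula_prefix(sample_mac, 1_700_000_000.0)
    print("site prefix :", prefix)
    print("subnet 0x160:", subnet_of_prefix(prefix, 0x160))
    for candidate in ("fc00:0:0:160::/64", str(subnet_of_prefix(prefix, 0x160))):
        print(f"{candidate:32} conformant={looks_rfc4193_conformant(ipaddress.IPv6Network(candidate))}")
```

Generating the prefix from time plus a hardware identifier is what makes two independently numbered sites unlikely to collide when they are later joined over a tunnel; a hand-picked fc00:0:0:160::/64 has no such guarantee, and fc00::/8 itself is the reserved L=0 half of the block.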
Snawoot|2 years ago
You don't even need a client for this, any modern browser can work with it right away: https://github.com/Snawoot/dumbproxy#using-http-over-tls-pro...
manmal|2 years ago
EDIT: I think I misunderstood your comment, you probably are wishing for tailscale client support in the router?
nirav72|2 years ago
See if your consumer grade router supports flashing OpenWRT. It supports Wireguard.
harry8|2 years ago
We've gone backwards in the past 15 years.
ttsiodras|2 years ago
Many thanks, OP.
igtztorrero|2 years ago
It would be interesting to make a GitHub repo titled: how to hack CN government!
jmclnx|2 years ago
Quote:
>WireGuard is highly secure, but it’s not designed with privacy in mind.
from
https://www.tomsguide.com/how-to/is-the-new-wireguard-protoc...
freedomben|2 years ago
[1]: https://github.com/pia-foss/manual-connections/blob/master/c...