MigratingtoLemmy

[–] MigratingtoLemmy@lemmy.world 13 points 1 week ago (2 children)

Google is feeling robbed at the moment. I really want the same judge to dismantle Apple's grip

[–] MigratingtoLemmy@lemmy.world 7 points 1 week ago (1 children)

Edge isn't using manifest v3?

Lose your job in this economy and you'll feel it alright

Yeah they get skipped or opened on Brave incognito

[–] MigratingtoLemmy@lemmy.world 2 points 1 week ago (2 children)

Javascript is the problem there

[–] MigratingtoLemmy@lemmy.world 2 points 1 week ago (1 children)

If you're interested, I'd be open to DMing about privacy and security. I would like to learn more about your situation and your threat model and what measures you've taken

[–] MigratingtoLemmy@lemmy.world 14 points 1 week ago (6 children)

What about Microsoft and Facebook?

[–] MigratingtoLemmy@lemmy.world 3 points 1 week ago* (last edited 1 week ago) (1 children)

Most of them older devices. This is not the fault of the Lineage OS devs, but companies just aren't allowing it anymore. So if you have a new device, Lineage OS is not an option, if you're in the US

[–] MigratingtoLemmy@lemmy.world 4 points 1 week ago (5 children)

Device support?

Read KernelSU docs

 

As the title says, I want to know the most paranoid security measures you've implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I'm wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

 

As most people here might know, Session utilises a TOR-like onion routing system with some changes to route traffic. The username is the public key whilst the password is the private key.

Recently, a new project built on top of this seems to be in the works: https://simplifiedprivacy.com/freespeech/

I'd like to know the community's opinion of Session and how much you would trust its technology. Thanks!

 

I was going through Pine64's page again after I found the latest KDE announcement. With that said, I seem to see a lot of issues with firmware on the Pine, whilst the Librem is just plain out of budget for me. Was interested in how many people here run a Linux mobile as a daily driver, and how has your experience been?

I'm considering purchasing the Pine but I'd like a better screen, more RAM and a better CPU. Don't know if I should wait for a new model to be released (are they even planning to do that? Is the company active?). I will only really use it to browse the Web, and might even look to desolder a couple of parts that I know I won't use.

Thanks.

Edit: I am willing to watch content and use banking apps from the browser. Do you think it'll be fit for me?


Edit 2: overall, I am much saddened about the state of affairs regarding private computing on the go. I desperately hope that Linux on mobile takes off, even though its incubation looks disheartening at the moment. Thank you everyone for your comments.

 

Hi, I was looking at private CAs since I don't want to pay for a domain to use in my homelab.

What is everyone using for their private CA? I've been looking at plain OpenSSL with some automation scripts but would like more ideas. Also, if you have multiple reverse-proxy instances, how do you distribute domain-specific signed certificates to them? I'm not planning to use a wildcard, and would like to rotate certificates often.

Thanks!


Edit: thank you to everyone who commented! I would like to say that I recognise the technical difficulty in getting such a setup working compared to a simple certbot setup to Let's Encrypt, but it's a personal choice that I have made.

1
submitted 9 months ago* (last edited 9 months ago) by MigratingtoLemmy@lemmy.world to c/liftoff@lemmy.world
 

Hi, is there an option to hide a post in Liftoff? I'd like to hide a couple of posts I have in my feed.

Thanks!

 

Hi everyone,

I've been looking at the Fairphone 4, which has brought me to e/OS since I'm in the US.

I was wondering if it was possible to uninstall microG from the main system and just have it installed in the work profile alongside signature spoofing (since I need a couple of apps for banking/chatting).

Would doing this make e/OS unstable? Would I get updates still? I haven't found any official guides to do this yet (quite grateful that e/OS comes with signature spoofing enabled since the combination of Magisk, Zygisk and LSPosed is too much for my brain sometimes).

Thanks!

 

Hi everyone. Before anything else, I would like to mention that I do not plan to expose absolutely anything to the internet other than using a VPN, and that's if necessary.

Now, if I understand it correctly, ZigBee compatible devices need a controller attached to the computer to decipher messages? Since we are talking about security, it seems that the ZigBee network has its own encryption technology.

Coming to WiFi which was my original plan, we have established protocols like WPA2. I had intended for all of my IoT devices to be locked in a separate VLAN with no external access.

Which one of them do you think is better for privacy and longevity? I am going to use the basics such as lights, temperature/motion sensors (would like to flash with custom firmware like Tasmota if possible) - alongside some custom devices, which would also be programmed from scratch (ESP32 based). The problem I have with the devices from the latter proposition is that I have to keep on top of security trends myself, but I suppose that's the trade-off one makes with custom devices.

Please tell me what you use at home and why, between Zigbee and WiFi?

Thanks

 

Hi everyone.

I was trying to research about how to implement SSL on the traffic between my clients and the containers that I host on my server.

Basically, my plan was to use upstream SSL in HAProxy to attempt to achieve this, but in order for that to work, each individual container on my server needs to be able to decrypt SSL. I do not think that is possible and that every container has the necessary libraries for it. This puts a halt on my idea for upstream encryption of traffic from my reverse-proxy to my containers.

With that said, ChatGPT suggested I use Kubernetes with a service mesh like Istio. The idea was intriguing so I started to read about it; but before I dive head-first into using k3s (TBH it's overkill for my setup), is there any way to implement server-side encryption with podman containers and a reverse-proxy?

After writing all of this, I think I'm missing the point about a reverse-proxy being an SSL termination endpoint, but if my question makes sense to you, please let me know your thoughts!

Thanks!

0
submitted 9 months ago* (last edited 9 months ago) by MigratingtoLemmy@lemmy.world to c/selfhosted@lemmy.world
 

Hi everyone, this is a continuation of my previous post: https://lemmy.world/post/7542500

Tl;Dr: Do Suricata/snort/Security onion have mechanisms to perform DPI if one provides them with a valid certificate? Any other open source software I should be looking at that can do DPI?


Background:

I have been trying to find ways to masquerade Wireguard traffic as normal HTTPS traffic to circumvent blocks by networks which do not like such traffic. It is quite easy to identify Wireguard traffic with a default setup because their method of implementing SSL is different from normal HTTPS, and most packet analysers can pick up that Wireguard traffic is passing through.

With that said, I have come across 3 methods to alleviate this problem:

(before you implement these, make sure to convert Wireguard traffic into TCP using udp2raw or udptunnel and force operations on port 443)

  1. Use stunnel - seems to be a project that has been around for a while. Encrypts data using SSL, makes it look like HTTPS.
  2. Use obfsproxy - created by the TOR project, can be used alongside OpenVPN.
  3. Use wstunnel - refer to this tutorial.

The alternatives are mainly: use OpenVPN (which can use stunnel or obfsproxy) or Softether (which uses SSL for its VPN).


Question:

I would like to test said software in a comparison of their efficacy against firewalls employing DPI. Which is why I'm looking at FOSS which can do DPI. Does anyone do this for their network at home? This will be for private use only, I won't be allowing any external access on my network.

Thanks!


Edit: I realise that this might not be much of a problem for a lot of people, but regardless of whether one is facing this problem or not, I believe it is important to keep abreast of such technology and engage with it to improve one's digital privacy. There is no doubt that such networks exist, and whether one actively engages with them or not is up to the user. In fact, the question is about DPIs, so I'd like to know if anyone has any experience working with FOSS DPIs in their homelab/at work. Thanks!

0
submitted 9 months ago* (last edited 9 months ago) by MigratingtoLemmy@lemmy.world to c/selfhosted@lemmy.world
 

ChatGPT led me to tunsafe; however, the project seems to be abandoned?

I'm trying to find ways to convert wireguard traffic into plain HTTPS so as to not trigger some advanced DPI. So far, I have come across udp2raw and udptunnel which convert the traffic to TCP, but AFAIK the SSL used in Wireguard triggers DPIs.

Does anyone have a workaround? Thanks!


Everyone, there seems to be a way to achieve this:

Wireguard (change port to 443) + udp2raw or udptunnel to convert packets to TCP + stunnel (configured on both client and server - used by OpenVPN to encapsulate traffic in TLS).

This is basically what OpenVPN does, and theoretically this should do OK. I haven't tested it however, so if you have, please let us know!

 

Hi everyone, I'm trying to add specific subscriptions to a certain group, but how do I create said groups? Also, I don't see an option to create a group from the page of a channel I want to subscribe to.

I have attached a screenshot with this post, could someone help? Thanks!

0
submitted 10 months ago* (last edited 10 months ago) by MigratingtoLemmy@lemmy.world to c/linux@lemmy.ml
 

Before anything else, I would like to say that I admit systemd has brought great change to GNU/Linux. sysvinit wasn't the best, and custom scripts for every distro is a pain I'd rather not have.

With that said, Poettering now works for Microsoft, systemd has basically taken over all of the common/popular distributions (if this is about the argument of "systemd making it easier for developers", disclaimer: I don't know. I'm not a developer), and this has led to a rampant monopolisation of the init system.

Memes aside, this has very real consequences. If you don't want another CentOS-style "oof, sorry, off to testing" debacle happening with your init system, might want to look at the more "advanced" distributions that let you choose the init system.

I am well aware that systemd works well for the most part, and that gamers and most other people likely don't care - which is fine, at least for now. I do expect to see a massive turnover in sentiment if something ever happens to systemd (not that I'd like for that to happen, but no trusting RedHat anymore), but I suppose we'll get to it when we do.

My sentiments are well enunciated in this recent post on the Devuan forum: https://dev1galaxy.org/viewtopic.php?id=5826

Cheers!
