I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?
Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.
Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something; that gives me everything in a manner that I believe is secure. I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.
To my German friends. If you use a combination of #FritzBox router, #Vodafone ISP and #MullvadVPN - meaning you are trying to set up #Wireguard on the router itself - be wary, that this setup is known to leak your IPv6 address. On the other hand, if you use Mullvad VPN App on your OS, everything works fine. Not sure who to blame here specifically, but this has been a disturbing revelation to me. Be careful.
TIL that #WireGuard essentially uses two different routing tables to make network routing decisions: its own and the kernel's. Since I wasn't really aware of this, I got tripped up. The AllowedIPs config parameter creates entries in the kernel routing table, and it also governs what traffic WireGuard will route. I used to think I was pretty good with it. Today, I ate humble pie.
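The two tables the post describes, as an added illustration (this is my own model written for this page, not WireGuard's or wg-quick's code): the kernel table decides that a packet goes to the wg0 interface at all, and WireGuard's cryptokey routing table then decides which peer it is encrypted to, by longest prefix match over every peer's AllowedIPs. The peer names and prefixes below are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRouter:
    """Model of WireGuard's own routing decision ("cryptokey routing").

    Every AllowedIPs prefix belongs to exactly one peer. Outbound packets are
    matched by longest prefix across all peers; inbound packets are accepted
    only if their source address lies inside the sending peer's AllowedIPs.
    """

    def __init__(self) -> None:
        self._table: Dict[Network, str] = {}

    def set_allowed_ips(self, peer: str, prefixes: List[str]) -> None:
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            # As with `wg set ... allowed-ips`, giving a prefix to one peer
            # takes it away from whichever peer held it before.
            self._table[net] = peer

    def select_peer(self, dst: str) -> Optional[str]:
        """Peer an outbound packet is encrypted to, or None (packet dropped)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, peer: str, src: str) -> bool:
        """Decrypted packet from `peer` is kept only if its source is allowed."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, owner in self._table.items() if owner == peer)

    def kernel_routes(self, iface: str = "wg0") -> List[str]:
        """The routes wg-quick installs in the kernel table for these AllowedIPs."""
        return sorted(f"{net} dev {iface}" for net in self._table)


def demo() -> dict:
    """Constructed two-peer setup: a laptop owning one branch /24 and an
    office peer owning the enclosing /16."""
    r = CryptokeyRouter()
    r.set_allowed_ips("laptop", ["10.0.0.2/32", "192.168.10.0/24"])
    r.set_allowed_ips("office", ["10.0.0.3/32", "192.168.0.0/16"])
    return {
        "to_branch_lan": r.select_peer("192.168.10.5"),      # laptop (longest match)
        "to_rest_of_office": r.select_peer("192.168.20.5"),  # office
        "no_peer": r.select_peer("172.16.0.1"),              # None: kernel may send it to wg0, WireGuard drops it
        "spoofed_inbound": r.accept_inbound("laptop", "192.168.20.7"),  # False
        "kernel_routes": r.kernel_routes(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two entries are the ones that usually cause the surprise: a destination that the kernel routes to wg0 but that no peer claims is silently dropped, and a peer cannot inject packets from source addresses outside its own AllowedIPs, which is what makes the inbound side of AllowedIPs a firewall rule as much as a route.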
Federated wireguard network idea
Any feedback welcome.
Let's keep things stupidly simple and simply hash the domain name to get a unique IPv6 ULA prefix.
Then we would need a stupidly simple backend application to automatically fetch pubkeys and endpoints from DNS and make a request to add each other as peers.
Et voilà, you got a worldwide federated wireguard network resolving private ULA addresses. Sort of an internet on top of the internet.
The DNS entries with the public IPv4 / IPv6 addresses could even be delegated to other domains / endpoints which would act as reverse proxy (either routing or nesting tunnels) for further privacy.
Maybe my approach is too naïve and there are flaws I haven't considered, so don't be afraid to comment.
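A sketch of the two pieces the post proposes, as an added example written for this page (it is not the poster's code and not a real project): an RFC 4193 ULA /48 derived from a hash of the domain name, and a generator that turns fetched pubkey/endpoint records into `[Peer]` stanzas whose AllowedIPs is the other domain's prefix. The DNS lookup is replaced by a constructed in-memory dict, the public keys are placeholders built from fixed bytes, and the endpoints use documentation addresses; a real backend would fetch the records over DNS (and should insist on DNSSEC, since whoever controls those records controls which key is trusted for a prefix).

```python
import base64
import hashlib
import ipaddress
from typing import Dict, List


def ula_prefix_for_domain(domain: str) -> ipaddress.IPv6Network:
    """Deterministic ULA /48 for a domain: fd00::/8 + 40-bit Global ID.

    RFC 4193 says the Global ID should be pseudo-random; here it is the first
    40 bits of SHA-256 over the normalised name, so every participant can
    recompute any other domain's prefix without coordination. 40 bits means
    collisions become plausible once the federation is in the hundreds of
    thousands of domains; a colliding prefix would simply be claimed by
    whichever peer was added last.
    """
    name = domain.strip().rstrip(".").lower()
    global_id = hashlib.sha256(name.encode("idna")).digest()[:5]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def is_valid_pubkey(key: str) -> bool:
    """WireGuard public keys are base64 of exactly 32 bytes; reject anything else
    before it ends up in a config file."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def peer_stanza(domain: str, record: Dict[str, str]) -> str:
    """[Peer] block for one federated domain from its fetched record."""
    if not is_valid_pubkey(record["pubkey"]):
        raise ValueError(f"{domain}: malformed public key in record")
    host, _, port = record["endpoint"].rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{domain}: malformed endpoint {record['endpoint']!r}")
    return "\n".join([
        "[Peer]",
        f"# {domain}",
        f"PublicKey = {record['pubkey']}",
        f"Endpoint = {record['endpoint']}",
        f"AllowedIPs = {ula_prefix_for_domain(domain)}",
        "PersistentKeepalive = 25",
    ])


def federate(local_domain: str, records: Dict[str, Dict[str, str]]) -> List[str]:
    """Stanzas for every other domain in the fetched records."""
    return [peer_stanza(d, rec) for d, rec in sorted(records.items()) if d != local_domain]


# Constructed stand-in for DNS (e.g. TXT records); placeholder keys, not real ones.
DNS_RECORDS = {
    "alpha.example": {
        "pubkey": base64.b64encode(bytes([0x11]) * 32).decode(),
        "endpoint": "198.51.100.10:51820",
    },
    "beta.example": {
        "pubkey": base64.b64encode(bytes([0x22]) * 32).decode(),
        "endpoint": "[2001:db8::1]:51820",
    },
}


if __name__ == "__main__":
    print(f"[Interface]\n# alpha.example owns {ula_prefix_for_domain('alpha.example')}\n")
    print("\n\n".join(federate("alpha.example", DNS_RECORDS)))
```

Because each remote domain's AllowedIPs is exactly its hashed /48, a peer can only ever send and receive traffic for addresses inside its own prefix, so the cryptokey routing table doubles as the federation's address-ownership check.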
The information is still thin, but everyone who can should install the just-released update FRITZ!OS 7.57 (7.31) on their Fritz!Box. Apparently AVM has fixed a (serious) security vulnerability.
@kuketzblog
Thank you. While I'm at it, a question: now that #wireguard is possible, can the second part of your #nextcloudpi article be published? ;)
I know I've been talking a lot about Tailscale recently, but this is important enough to involve another mention - the latest version of Tailscale in the app store now supports VPN On Demand, a feature that lets you inform iOS when the VPN should and should not be activated, including whitelisting or blacklisting wifi networks. This was the final feature that Tailscale was lacking that vanilla Wireguard for iOS has had for a very long time. https://tailscale.com/kb/1291/ios-vpn-on-demand/ #Tailscale #wireguard
It also means that the #wiki or your digital #privacy have a good #base to start with. There will always be something, more or maybe even less for you. Other operating systems or just other services/apps that others or you prefer instead. And that's fine, we all even have options to choose from and don't have to rely only on #Microsoft & Co.
Friends of #BSDCafe and the #Fediverse,
I want to share a funny incident that happened yesterday. A client called me, a bit annoyed, because they received a security report stating that their firewall is not secure.
Their firewall is a perfectly updated #OpenBSD machine, responsible for NAT from the internal LAN to the outside and only allowing an incoming #wireguard connection.
So, I asked them to send me the report. A lot of words were used to say that they detected the use of #Linux 2.6 and thus deemed it insecure.
How they came up with detecting Linux 2.6, I have no idea. I responded - I'll be curious to see their response in turn.
So, at home I have a laptop with a 4TB magnetic 2.5" external USB drive, which has a bunch of #western movies on it. This laptop has #nginx web server installed on it which allows access to the westerns. It also has #wireguard which is connected to a #vps I have in the US somewhere (not bragging, just saying). The connection at home is a 6Mbit/800k residential DSL line. Right now I am in the woods nowhere near home on another laptop, which is connected to my cell phone via hotspot, and which also has Wireguard connected to the same VPS. Through this VPN I am currently watching tonight's western. The Cariboo Trail [1950]
If you are still using WireGuard tunneling, it's time to think about moving on to more advanced things (Shadowsocks, VLESS, VMess).
The clouds are gathering, and the experience of the "Chinese comrades" is being adopted by Roskompozor at a breakneck pace.
With WireGuard, the connection initiation is being squashed by the TSPU (Technical Means for Countering Threats). Your internet access provider has no access to its internals. A primitive and, for now, working way to get WireGuard going again is to toggle airplane mode on and off on the smartphone, and the tunnel should come back up. The smartphone thinks the wg tunnel is alive and does not re-initiate it, and to the TSPU (RKN's boxes) what flows after that is just some traffic over X/udp that it cannot analyze or block.
The method is temporary, keep that in mind. A couple of KamAZ truckloads of money have been delivered to these ghouls.
OC Webmesh: An Attempt at distributed, zero-trust Federated Networks (github.com)
Hey there!...