The company behind pfSense is shady as hell:
https://opnsense.org/opnsense-com/
Also the complete and utter clusterfuck of an attempt to bring Wireguard into the FreeBSD kernel:
The company behind pfSense is shady as hell:
https://opnsense.org/opnsense-com/
Also the complete and utter clusterfuck of an attempt to bring Wireguard into the FreeBSD kernel:
What kind of ISP are you dealing with?
And maybe PPPoE.
traceroute --mtu 1.1.1.1
Pick the lowest value displayed for F=xxxx
like e.g F=1492
and subtract 80.
For my DSL connection the optimal value is 1412.
nonfree drivers accessible right away
Non-free firmware is included in the Debian installer since Bookworm.
Do you really know how Wireguard works?
Updating without a reboot only works for wireguard-go. The default implementation runs in the kernel. An update to it would require kernel live patching.
Wireguard doesn’t answer to unsigned packets. Using obscure ports or even port knocking is rather pointless. It’s indistinguishable from a closed port.
I’d rather take Casaos out of the equation and target Ubuntus’ Wireguard stack instead.
Jellyfin is completely free. I only used it shortly in my LAN environment so I can’t give you any numbers. It should roughly be in the same ballpark as plex though.
You can skip fail2ban for SSH. I missed the important bit. Duh…
Never used Plex but had a good experience with Jellyfin.
Just a few thoughts:
Why are you running two HAProxy instances? You should be able to forward the traffic on your VPS to your homeserver with a firewall rule.
If that’s not an option, this should still be doable using the X-Forwarded-For
header. Instead of setting it to single value, you need to append to it:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax
Did you enable forwarding via sysctl?
sysctl net.ipv4.ip_forward
This should report 1
You only need the masquerade rule.
iptables -t nat -A POSTROUTING -s 10.11.13.0/24 -o enp3s0 -j MASQUERADE
Not OP but DynDNS entries will always point to your current external IP and are renewed every hour.
Internally I run an AdGuard Home instance for adblocking. All my domains are rewritten by it to use the local IP while I’m in the same network.
Wow, this looks incredible! I always wanted to to deploy something like Authelia or Authentik but they seemed way too heavy for my purpose.
Whats the runtime memory usage of the docker container?
Cookie banners are usually from the same domain. I doubt you can block them via DNS.
The best workaround I found was to move everything multiple people should have access to into its own vault and add users as managers to that vault.
It’s also the cleanest approach.
OpenOffice is a zombie at this point.