I want to design a Wireguard gateway hosted on an IaaS. The list of authorized public keys is published in an LDAP directory hosted in a private subnet. The IaaS provider provides a Terraform provider, supports user-data and is compatible with create_before_destroy. The list of public keys is expected to rarely change, and changes are expected to be enacted in less than 24h.

I tried to implement this using an immutable approach: the LDAP directory is queried by Terraform/OpenTofu, and the list of public keys is compiled in a cloud-init compatible user-data field. Cloud-init is in charge of generating files, installing packages and deploying the config during startup of a vanilla Ubuntu image. If the generated user-data field changes, the VM is destroyed and recreated with the updated config. The create_before_destroy directive ensures minimal yet non-zero downtime, with the gateway "public" IP being migrated to the new VM at the end of the plan.

For me, the benefits of this approach are that the LDAP server remains unknown and unreachable from the VPN gateway, the list of authorized public keys is static, stable and easily auditable (one just needs to look at the user-data), and the risk of configuration drift is minimal (since there is no live reconfig and the instance is destroyed with every change).

People around me seem unconvinced by this approach, waving at a vague availability risk, and preferring a mutable approach, where a systemd timer would poll the directory and update the Wireguard config in place.

What is your opinion on this? I am fairly new to Terraform/OpenTofu, so I might be missing a clue here.

Leonard Cohnen
16 hours ago

How do you secure your #Kubernetes cluster traffic? Do you already use #Cilium's WireGuard encryption? Do you finally want to know under which conditions your traffic is encrypted?

Then join me at my talk at #Kubecon NA's #Ciliumcon.

I'll talk about how you can best secure your traffic. For this we'll look at all of Cilium's different encryption options and also introduce an encryption strict mode to increase the security of your cluster.

More details here:

We've also written a blog post about this:

2 days ago

@oldsysops #WireGuard + #tmux is simply magical in everyday use!🤩

2 days ago

@stefano I set up my jails (without template) using the #VNet network method as I have IPv6 SLAAC at home and I wanted to use it. Because of this setup, I configured pf rules inside each jail (#unbound, #adguardhome and #wireguard). Now it works like a charm.
I also tested bastille update release to install patch level updates: this is so easy and simple. @fluxwatcher @BastilleBSD

3 days ago

Hmm, any #wireguard users here? I'm currently trying to set up a Wireguard network. The server config fails on a config line "Address =" though; at least it claims there's an error in it, and a wg syncconf says "Line unrecognized." Any idea how I can find the error?

3 days ago

@t3kk So far all good. Plex, #wireguard, all works. Testing baremetal restore atm, but this looks like a security update for the most part.

3 days ago

#DSM72 update in progress. Let's see if #WireGuard package will continue to work and just how well #HyperBackup bare metal restore will behave when moving from an updated version to a lower one (if possible at all).

Justin Derrick
4 days ago

@nuintari Yeah, I'd never trust a third party VPN... I've been reading up on #Wireguard on #OpenBSD, and I'll probably spin something up in the lab to test out on a variety of devices.

4 days ago

🔒 Want to boost your online privacy?
Dive into our latest tutorial: "Setup Guide: Using VPN with ProxySocks5 IP." Step-by-step, beginner-friendly.
Enhance your browsing security today. 🌐💡


Jonathan Lamothe
5 days ago
Is it just me or is @mullvadnet not implementing IPv6 correctly? The #WireGuard config I got issues me an address in the fc00::/8 range (which has been reserved but as far as I know not implemented) and can't seem to route traffic to outside hosts. IPv4 works great, though.
DiWoWo ☑️
6 days ago

Finally managed to set up my #Syncthing after I no longer had a suitable power supply left over for my #RaspberryPi 3. That way I also have a use again for the external #Festplatte (hard drive) that I once needed for my satellite receiver. Now I can #synchronisieren (sync) my #Android #Smartphone, and that works fine from outside via #wireguard too

Yonei :marisa_dance:
6 days ago

I managed to set up everything I wanted in Wireguard, I can now route container traffic from client to server and bind ports to the Docker bridge network (of the server).

Here is a small graph of my setup, I will be making a blog post later this week showing how I set everything up!
It's definitely faster compared to when I was using docker-wireguard-tunnel

A graph showing a site to site port forwarding example with Wireguard Tunnels
JustDude 🛜
1 week ago

Found a really good Ansible repository for installing #PF #Unbound #wireguard and more on #freebsd : thanks to the author!

1 week ago

#Cockpit 301 has been released!

#WireGuard #VPN support is now available on the Network page!

Network devices on the metrics page are now links.

zeitverschreib :mastodon:
1 week ago

I wanted to spend a little time getting to grips with #Wireguard.

Setting up a connection on the Fritzbox is quite easy, and for Android there's a nice app. The whole thing was running smoothly within a few minutes.

But is it really the case that a fair amount of CLI magic is needed under Linux?

1 week ago

Okay nerds, it's #selfhosted #authentication #askFedi time.

I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?

Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.

Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something; that gives me everything in a manner that I believe is secure. I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.

Any ideas?

Meow :verified:
1 week ago

@devxvda I've done similar things. I remember when troubleshooting my #WireGuard VPN tunnel I started getting excited because I thought I had the problem licked as pings were being answered; turns out I was pinging the local end of the tunnel. 😹

@danielotech I also have #WireGuard but on a router (it's very easy to remove the one you have), but a video of how you set yours up would be nice..... by the way..... I love that log!! Very tidy

I now have my #RaspberryPi working as a #VPN with #WireGuard.
What is it for? For example, to share #Netflix without paying extras, to use streaming apps that block content when you're away from home (Movistar+), or to filter intrusive advertising on the internet. Should I make a video?

Stefano Marinelli
1 week ago

Make your own VPN - Wireguard, ipv6 and ad-blocking included

I'm going to write a #FreeBSD oriented version as soon as it'll be possible.

#OpenBSD #VPN #Security #IT #SysAdmin #VPS #ipv6 #AdBlock #WireGuard

How awesome!!! Tailscale on the Apple TV!!! @_Bilito let's see if the #Wireguard folks release it too!!!

Yonei :marisa_dance:
1 week ago

Anyone good with networking/Iptables? I have been stuck with this one issue for like 2 weeks now.

I'm using dockerized wireguard both as a server and as a client, I route container traffic from the client to the server to later expose stuff to the clearnet, which works fine with this iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination

But, this only works if I have network_mode: "service:wireguard" set in the NGINX container that I pass the port 80 from; this makes port 80 accessible from localhost from within the client container and later from the server too.

My issue is that I want to have a separate network with a subnet of, gateway of with the wireguard client container having the IP and the NGINX container of I can access the NGINX IP from within the Wireguard client container just fine, but how would I route that with Wireguard to make it be accessible from the server? The Wireguard server has in AllowedIPs and the client has

Been searching on forums, wikis and blogs for hours now, yet I’m too dumb to figure this out, anything helps!

🕹️ jbz
2 weeks ago

「 Think of innernet as an opinionated configuration system on top of WireGuard that comes with some added features to make life easy, and is friendly with various sizes of networks: one for your organization, one for your project, one for your social circle to create an idealistic alternate internet universe — your imagination's the limit 」

Marek Küthe
2 weeks ago

My APNIC eduroam account works, only this eduroam blocks my WireGuard VPN. My understanding is that this should not be the case. eduroam should allow VPN connections so that you can connect to your home institution.

Caleb Maclennan
2 weeks ago

@jakub I've been using #innernet for several years now to keep many dozens of systems (including cloud, container, server, desktop, mobile, and even embedded hosts) across three continents and many different local network topologies talking to each other and still love it. The only downside is the difficulty of getting non-Linux hosts (including Android) into the VPN. It can be done with hackery since all the magic is just layered on #wireguard, but to accomplish it you forgo all the magic.

Jakub Jirutka
2 weeks ago

#Innernet, a private network system (aka VPN) that uses #WireGuard under the hood. It’s very similar to Tailscale, but completely #opensource (no proprietary servers run by VC-funded company), simpler by design, similarly easy to set up, uses the WireGuard implementation in the Linux kernel, and is written in a more adequate language for this type of program… #rustlang

MysticBasil 🇺🇦
2 weeks ago

To my German friends. If you use a combination of #FritzBox router, #Vodafone ISP and #MullvadVPN - meaning you are trying to set up #Wireguard on the router itself - be wary that this setup is known to leak your IPv6 address. On the other hand, if you use the Mullvad VPN App on your OS, everything works fine. Not sure who to blame here specifically, but this has been a disturbing revelation to me. Be careful.

Matthias Drexel
2 weeks ago

Thanks #wireguird, the tunnel to the #Wireguard server is now established on the #Thinkpad too

2 weeks ago

One of these days I really have to switch from #Alpine/wg-quick to my already installed and test-running #Debian 12 systemd #Wireguard reverse proxy.

It's really annoying how often wg-quick loses the connection.

Matthias Drexel
2 weeks ago

Lesson of the day




2 weeks ago

#BayernWLAn and #VPN (specifically #wireguard, which tunnels everything through my network at home)
... could it be that the two are mutually exclusive? Or where would I have to tweak things so that I still have a working internet connection? Or is it simply not possible at all?

2 weeks ago
2 weeks ago

FYI: since this technique surprisingly appears to be rather unknown to some folks - generating an easily distributable mobile device wireguard QR config:

qrencode -t ansiutf8 < wg.conf | nl

Meow :verified:
2 weeks ago

TIL that #WireGuard essentially uses two different routing tables to make network routing decisions: its own and the kernel's. Since I wasn't really aware of this, I got tripped up. The AllowedIPs config parameter creates entries in the kernel routing table and it also governs what traffic WireGuard will route. I used to think I was pretty good with it. Today, I ate humble pie.
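An added example, not from the poster above: a small Python model (constructed sample peers and addresses, standard library only) of the two lookups the post describes. The kernel route only decides whether a packet enters the wg interface at all; the cryptokey table built from the same AllowedIPs then picks the peer for outbound packets and rejects inbound packets whose inner source address was not assigned to the sending peer. It also shows why a client whose AllowedIPs names only the hub cannot reach other peers, while listing the tunnel subnet sends that traffic via the hub.

```python
"""Model of the two routing decisions a WireGuard packet goes through.

1. The kernel routing table: wg-quick installs one route per AllowedIPs
   network, so this decides whether a packet is handed to wg0 at all.
2. WireGuard's cryptokey routing table, built from the same AllowedIPs:
   outbound it selects the peer whose key encrypts the packet, inbound it
   checks that the decrypted packet's source belongs to the sending peer.
Constructed sample data, standard library only.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the hub's view of three peers (names stand in for public keys).
HUB_PEERS: Dict[str, List[str]] = {
    "laptop": ["10.8.0.2/32"],
    "phone":  ["10.8.0.3/32"],
    "site-b": ["10.8.0.4/32", "192.168.50.0/24"],
}

# Constructed sample: a road-warrior client's view of the hub, narrow and wide.
CLIENT_NARROW = {"hub": ["10.8.0.1/32"]}   # only the hub itself
CLIENT_SUBNET = {"hub": ["10.8.0.0/24"]}   # the whole tunnel subnet via the hub


def build_cryptokey_table(peers: Dict[str, List[str]]):
    """Flatten AllowedIPs into (network, peer) entries, longest prefix first.
    As in WireGuard, a network belongs to exactly one peer: a peer listed
    later that claims the same network takes it over from the earlier one."""
    owner = {}
    for name, cidrs in peers.items():
        for cidr in cidrs:
            owner[ipaddress.ip_network(cidr, strict=False)] = name
    return sorted(owner.items(), key=lambda entry: entry[0].prefixlen, reverse=True)


def kernel_routes(table) -> list:
    """Routes wg-quick installs for the interface: one per AllowedIPs network."""
    return [net for net, _ in table]


def select_peer(table, dst: str) -> Optional[str]:
    """Outbound cryptokey lookup: the longest-prefix match names the peer whose
    key will encrypt the packet. None means WireGuard drops the packet even
    though the kernel already delivered it to the interface."""
    addr = ipaddress.ip_address(dst)
    for net, name in table:          # table is sorted longest prefix first
        if addr in net:
            return name
    return None


def accept_inbound(table, sender: str, inner_src: str) -> bool:
    """Inbound cryptokey check: after decryption the inner source address
    must be owned by the peer that sent the packet, otherwise it is discarded."""
    return select_peer(table, inner_src) == sender


def trace(peers: Dict[str, List[str]], dst: str) -> Tuple[bool, Optional[str]]:
    """Both decisions for one destination: (enters the wg interface?, chosen peer)."""
    table = build_cryptokey_table(peers)
    addr = ipaddress.ip_address(dst)
    routed = any(addr in net for net in kernel_routes(table))
    return routed, select_peer(table, dst)


if __name__ == "__main__":
    # A client that lists only the hub never sends 10.8.0.3 into the tunnel,
    # so peers cannot reach each other ...
    print("narrow client ->", trace(CLIENT_NARROW, "10.8.0.3"))   # (False, None)
    # ... whereas listing the subnet routes it via the hub, which (with IP
    # forwarding enabled) re-encrypts it to the right peer.
    print("subnet client ->", trace(CLIENT_SUBNET, "10.8.0.3"))   # (True, 'hub')
    print("hub forwards  ->", trace(HUB_PEERS, "10.8.0.3"))       # (True, 'phone')
    # The hub rejects a decrypted packet claiming a source it did not assign.
    hub_table = build_cryptokey_table(HUB_PEERS)
    print("spoof check   ->", accept_inbound(hub_table, "laptop", "10.8.0.3"))  # False
```

The take-away for the client-to-client question that comes up repeatedly in this feed: every peer's AllowedIPs must cover the other peers' addresses (or the whole tunnel subnet) and the hub must forward, otherwise the first table never sends the packet into the tunnel.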

Meow :verified:
2 weeks ago

#WireGuard can be tricky to configure and troubleshoot but once you have it down pat, it works like gangbusters. I now have client to client communication working as it should.

@housepanther np. You're welcome...

OFC #WireGuard may have done so since there are some #ISPs that do #CGNAT + #Tunneling [i.e. #L2TP on #DSL is common in #Russia to prevent people from 'blueboxing' by splicing the phone line]...

And in some Corporate setups this may even be desirable to have all the remote workers not able to #P2P as to mitigate #malware propagation...

@housepanther I guess you didn't allow those IP addresses to communicate with each other?

#WireGuard - like any #VPN - is a separate network interface with separate routing rules - at least in #pfSense & #OPNsense...

Meow :verified:
2 weeks ago

#wireguard is pissing me off. The peers can ping and communicate with the server but not each other. I've got no idea why. #linux

2 weeks ago

@philipp just use #pihole or #adguard on your network. And when you're out and about, a VPN with #wireguard so you can use the blockers on your mobile phone too #privacy

2 weeks ago

@reginagrogan use #pihole or #adguard at home and #WireGuard with VPN on demand on your mobile and yes i hate ads, too 🙈👍 #privacy

Finally set up the #Wireguard road warrior setup with OnDemand. Primarily so I can use #blocky (a Pi-hole alternative) on the go as well.

3 weeks ago


What a circus 😐
After endless attempts to build a Wireguard connection with the built-in configuration thingy, I finally found UnnoTed/wiregird.
Now everything is fine again.

What would I even do with a computer without a VPN 😇😂

#Wireguard #Linux #Mint #Ubuntu

3 weeks ago

@apfelnutzer yes, I use #WaipuTV. Now you've really got me thinking. A quick look at my customer account: I haven't subscribed to the mobile option, but I've definitely watched while out and about. I can only assume it's because all my traffic runs through my home router via #Wireguard #VPN, so that I can benefit from the #PiHole on the mobile network too.

Federated wireguard network idea
Any feedback welcome.

Let's keep things stupidly simple and simply hash the domain name to get a unique IPv6 ULA prefix.

Then we would need a stupidly simple backend application to automatically fetch pubkeys and endpoints from DNS and make a request to add each others as peers.

Et voilà, you've got a worldwide federated wireguard network resolving private ULA addresses. Sort of an internet on top of the internet.

The DNS entries with the public IPv4 / IPv6 addresses could even be delegated to other domains / endpoints which would act as reverse proxy (either routing or nesting tunnels) for further privacy.

Maybe my approach is too naïve and there are flaws I haven't considered, so don't be afraid to comment.

Exact use cases? Idk, but it sounds nifty.

Jan ⚓️
3 weeks ago

In the last 24h I've built a #Tailscale network for the first time (including self-hosted #Headscale) and I'm very satisfied.
It's another nice upgrade from an already good #Wireguard setup.

Stefano Marinelli
3 weeks ago

Friends of #BSDCafe and the #Fediverse, I have a client who's relocating and moving to a different office. I need to set up a simple internal network for them, and the WAN will be a 200Mbit/sec connection. They could repurpose a PCEngines APU (where I'd install OpenBSD or FreeBSD), or I could deploy a small Mikrotik that does everything, including acting as an access point. There won't be any incoming connections since the datacenter is at another location, and I'll connect via Wireguard. I'm leaning towards the first option, but the second is more straightforward and easily replaceable in case of issues. Any advice?

#Networking #OpenBSD #FreeBSD #Mikrotik #Wireguard #techhelp

There is nothing, and I mean nothing, that matches the relief I get when I change one of my device's raw connections into a #wireguard connection, complete with access to a private #PiHole.

It makes the internet feel wholesome and kind, rather than frighteningly intrusive

IIRC it was 2014,
fwiw , I am available for #tmux pairing on pltRedex 1 , #nix & misc emacs #lisp dsl
( a #racket dsl), #uuagc , keyboard pkgs
atm handle - sameers #pubnix on 2 or on local #ssh (thanks to #tailscale \ #wireguard -pfa)

Lars Roskoden 🕊
3 weeks ago

Thank you. At this point, also the question whether, now that #wireguard is possible, the second part of your #nextcloudpi article can be published ;)

4 weeks ago
NetSec Kahn :verified_paw:
4 weeks ago

#wireguard is my new favorite VPN for remote connectivity. It's great...

Traveling remotely this week, VPNing back to my home LAN and out to the internet. Huge fan of this.

1 month ago

GNOME is shaping up really nicely for privacy

• Background App indicator
• App permissions
• Device Security Settings
• Mic / Camera* indicators
• Screen Sharing indicator
• Remote Desktop indicator
• Location indicator
• Incrementally better app sandboxing
• VPN (incl Wireguard) support
• Quick Network Toggles

Made possible by #Flatpak #Wayland #PipeWire and our talented community.

A screen of GNOME privacy indicators and quick toggles.

It shows the Screen Sharing, Microphone and Camera indicators active and in orange.

There are also quick toggles for VPN, Wi-Fi, Bluetooth, ...

And Background App indicator.
1 month ago

🎉 DEFGUARD massive 0.7.0 🎉

1. Forward auth for reverse #proxy
2. Remote user enrollment
3. User onboarding after enrollment
4. Email/#SMTP support
5. Send debug/support information
6. Native #FreeBSD #Wireguard #Kernel support
7. #OPNSense Plugin
8. UI #React Components Library

Full release notes:

Jonathan Lamothe
1 month ago
Dear #LazyWeb,
On a #Linux system, is there a way for a non-root user to set up a personal #WireGuard connection that is not available to other users?
Stefano Marinelli
1 month ago

#OPNsense team just posted on another social:

Our #WireGuard plugin rewrite will hit 23.7.3 this week. You'll be able to restart each instance separately now and the status page has also been replaced with info gathered from a JSON-enabled API endpoint.


Jonathan Lamothe
1 month ago
Does anyone happen to know if there's a way to configure a #WireGuard #VPN to only handle #UDP traffic, leaving #TCP traffic to run over the regular network?
Stefano Marinelli
1 month ago

An old Banana Pro, running OpenBSD 7.3. It serves as a backup, using CARP, for the primary OpenBSD router (currently a Raspberry PI 4). Performs exceptionally well, handling VPNs (both Wireguard and others like Tailscale, OpenVPN, etc.) seamlessly, #ipv6 tunneling with #HE, and whenever the Raspberry goes down (for maintenance, etc.), it takes over the network without anyone noticing.

On #Linux, it was a bit unstable and needed a reboot every 5/7 days. On OpenBSD:

6:06PM up 60 days, 3:43, 1 user, load averages: 0.00, 0.05, 0.05.

#OpenBSD #router #backup #uptime #VPN #Wireguard #networking #BananaPro #RaspberryPi

Luci :v_trans: :arch:
1 month ago

Anyone else struggle to get #wireguard working on #linux ?

1 month ago

I know I've been talking a lot about Tailscale recently, but this is important enough to involve another mention - the latest version of Tailscale in the app store now supports VPN On Demand, a feature that lets you inform iOS when the VPN should and should not be activated, including whitelisting or blacklisting wifi networks. This was the final feature that Tailscale was lacking that vanilla Wireguard for iOS has had for a very long time.
Justin Derrick
1 month ago

I've got plans to build a VPN for my friend's kid's iPads & Phones... Planning for #WireGuard on #OpenBSD but looking for #AdBlock ideas/tools like #DNS #Blocklist.

Can anyone recommend some tutorials or sources for blocklists that would be suitable for kids?

1 month ago

Just to get this straight in my head: fundamentally, #Wireguard and #QUIC both support true #multihoming? 🫣

Also, both in a way support multiple concurrent "streams"? So if I take my glasses off, they look "the same"? 🤯

Andrew Tropin
1 month ago

A quick and practical WireGuard in Guix stream:

2 months ago


I have a #Nextcloud instance on both and they federate with each other, so I can share stuff from my private instance with my public facing instance, tunneled through #wireguard.

2 months ago

What do you use privately as a self-hosted VPN solution?

#vpn #openvpn #wireguard

@hkrn same with #L2TP & #IPsec, not just #OpenVPN and #WireGuard.

What does however still work through the #IronFirewall is #SSH-Tunneling and @torproject #TorBridges.

#WhatsMissing are more #meek, #webtunnel & #snowflake as well as #obfs4 #Bridges.

Well, I asked people I know who implemented #Wireguard the way I want it to, and it appears they won't tell me because $REASONS, so I'll ask here:

I have a Wireguard server #selfhosted, currently with 1 subnet (10.X.X.0/24). I want to add another subnet to it and have the same server route it so my parents have THEIR home server accessible, but not MY home server accessible.

I am thinking about having 2 Wireguard interfaces on my server, wghub1 and wghub2.

Config in wghub1 would make 10.X.X.0/24 for my home server and my own access, and then wghub2 would provide access to 10.Y.Y.0/24 or something.

My parents only have 1 device they have to get access to, but I still want them to have their own VPN.

Is that possible? Is it just about creating wghub2, creating configs for it and then wg-quick up? Has anyone tried that?

@Deiru @drq +9001%
#SSH-Tunneling is nifty and easier as well as faster to set up than #WireGuard, #OpenVPN and especially #IPsec as well as #L2TP.

Homelab advice needed

So I've had an idea for my home lab for the past few weeks. I don't ever want to point a domain at my home router's public IP but I still want to host some services like game servers. Cloudflare Tunnels doesn't work for anything other than http/https as far as I can tell so that won't work.

I was thinking of getting a low power vps and setting up some kind of router OS (probably PFsense) and connecting that to my homelab via wireguard. Then the vps would have a public ip I could point my domain at, but I've never used a vps so I'm not really sure if this is feasible.

Anyone got some advice?

#homelab #vps #wireguard

2 months ago

I've discovered something about #Wireguard and it being "stateless". It's not as easy to know for certain if a particular device is connected. You can ping their #VPN IP from the server, but for example with #PiVPN, running pivpn -c with #OpenVPN would clearly show which users were definitely connected. With wireguard though it just lists all known users that have been created, but not their connection status. This "stateless" thing is weird. I get it, but it's weird.

@animemer @thecatcollective
- #ZFS, #Ceph, #IPFS and especially #LTFS are FLOSS & Industry Standards.
- #CinemaDNG & #OpenEXR as well as #TIFF are #OpenFormats.
- #FLAC is the go-to for #Audiophiles
- #SIP & #ZRTP are the only #MultiVendor #VoIP protocols and run every #IP phone that isn't a #SCIP or #GSMK #CryptoPhone...
- #OpenVPN, #WireGuard, #IPsec & #L2TP are the only major #VPN protocols, also #OpenSource
- #LibreOffice ofc.

Andrew Tropin
2 months ago

The funny thing about really good software projects is that sometimes they are so good and complete already that there is no fuss around them; they just work and get the job done.

Mailing lists are quiet, new commits are rare. Sometimes it can even feel like they are unmaintained or dead, but in fact they are more than alive.

What other cool "almost complete" projects do you know?

#notmuch #pass #wireguard

Stefano Marinelli
2 months ago

#Zerotier is an excellent VPN system. I've been using it for years in specific situations, and I find it efficient and convenient. While I usually rely on #Wireguard and manage everything manually, it's not always the best solution.

Just now, I needed to quickly bridge two distant networks without involving #Wireguard and #VXLan, so I set up an active bridge using Zerotier in just a minute.

#ZerotierVPN #NetworkBridge #Efficiency #ITTools #VPN

2 months ago

Yesterday I migrated my home server from #archlinux to #freebsd
I set a static IPv4 and its gateway, and I thought that IPv6 with SLAAC sets the gateway automatically, like the IP address. Unfortunately not. I spent time investigating and understanding why I couldn't communicate with others using IPv6. I searched in my #pf rules but it was not the right direction 😅
#adguard and #unbound are working like a charm.
#wireguard is set and configured but in IPV4 only. Now I will search if I can set it with IPV6 and how.
In parallel I will reinstall my #PaperMC server (#minecraft server).

I've always had the hobby of administering servers. And with the #Fediverso I saw another opportunity to take it up again. Let me introduce the machine where this humble instance is hosted.

An #ODroid HC4 with 4 cores and 4 GB of memory with an #SSD disk. Next to it is my router with #OpenWrt (with #Wireguard and #Adblock)

To round it out, it also has a #torrent server with #Plex for watching on the #Chromecast 🏴‍☠️. All with #Docker.

A server shaped like a toaster with a hard drive inserted as if it were a slice of toast
Stefano Marinelli
2 months ago

Good morning, friends of the #BSDcafe and #fediverse
I'd like to share some details on the infrastructure of with you all.

Currently, it's quite simple (we're not many and the load isn't high), but I've structured it to be scalable. It's based on #FreeBSD, connected in both ipv4 and ipv6, and split into jails:

* A dedicated jail with nginx acting as a reverse proxy - managing certificates and directing traffic
* A jail with a small #opensmtpd server - handling email dispatch - didn't want to rely on external services
* A jail with #redis - the heart of the communication between #Mastodon services - the nervous system of BSDcafe
* A jail with #postgresql - the database, the memory of BSDcafe
* A jail for media storage. The 'multimedia memory' of BSDcafe. This jail is on an external server with rotating disks, behind #cloudflare. Aim is georeplicated caching of multimedia data to reduce bandwidth usage.
* A jail with Mastodon itself - #sidekiq, #puma, #streaming. Here is where all processing and connection management takes place.

All communicate through a private LAN (in bridge) and is set up for VPN connection to external machines - in case I want to move some services, replicate or add them. The VPN connection can occur via #zerotier or #wireguard, and I've also set up a bridge between machines through a #vxlan interface over #wireguard.

Backups are constantly done via #zfs snapshots and external replication on two different machines, in two different datacenters (and different from the production VPS datacenter).

#sysadmin #tech #servers #ITinfrastructure #BSD

2 months ago


- Multiple #VPN Locations (networks/sites) - with the possibility to define access to the selected Location (all users or only #Admin group).

- Multiple Gateways per VPN Location (**high availability/failover**) - supported on a cluster of routers/firewalls for #Linux #FreeBSD #OPNSense

More details:

Stefano Marinelli
2 months ago

Old customer infrastructure based on #Proxmox 5 and an ancient #Dell server running an outdated #pfSense.
They asked me to update everything because the ERP provider (a small software house) accessing via #VPN claims the pfSense version is too old. I agree and decide to upgrade Proxmox.

On the old Dell, I install #OpenBSD and, in agreement with the ERP provider, a #Wireguard VPN.

After a few days, they 'recall' me because, for their internal compliance and following their '#security manual,' they need to enter the password manually every time they connect, and Wireguard doesn't support the user/password concept.

They ask for the possibility to change the PSK with each access to ensure that the one in their configuration files is not the current one - an absurd operation. I don't have a maintenance contract and can't take this responsibility, as it doesn't make sense. Clearly, they agreed on Wireguard without even knowing what it was.
To avoid issues, I ask them what to install instead. They suggest #OpenVPN might be acceptable. I proceed accordingly. They contact me again: 'The version of OpenVPN is not suitable, and OpenBSD is not certified according to our security procedures.' I ask them to tell me what is certified. They respond: '#Debian 7, #Wheezy - and the version of OpenVPN from Debian 7.'
I politely point out that Debian 7 reached its End of Life in 2016, and even the extended LTS has been unsupported for 3 years. They don't care, they must abide by their manual - it's safe for them.

The customer asks me to accommodate them anyway, but I reflect on the fact that when they inevitably get compromised, it will be my fault for installing something so outdated today.

I declined the job - limiting myself to updating Proxmox.

I'm not sure if I'm more offended by the bureaucracy of certain 'internal manuals' or by the closed-mindedness of certain colleagues who can't stand up against such dynamics.

Gary Hawkins
3 months ago

Somehow found myself going down a rabbit hole diagnosing weird #wireguard problems on my network at home

Is there an Android app that can turn VPNs on and off based on location?

#Android #vpn #Wireguard

@devilsdesc @leyrer
Something like "privacy to go" here, gladly also with tools other than #pihole and #wireguard #VPN?

I wouldn't know when I could cram that into a talk… 🥺


Every time is the perfect time for a small #selfhosted "privacy to go" project with #pihole (or #adguard ) and #wireguard #vpn at home or on a cloud server that respects #privacy like @Hetzner_Online does:

I never ever would go online with my #iphone or #macbook anymore without a proper line of #Defense against #ads #tracking and even #malware

"Please no advertisement" sticker on a satellite dish on a roof.

@climagic well, #WireGuard in its premise is basically "What if we take #SSH-#Tunneling and make it a dedicated #VPN protocol?" and that is a good thing...

Jonatan Steuernagel
4 months ago

I should update my #introduction to say:
@marcan @lanodan the only cases where one would need even more power are setups like high-bandwidth #VPN gateways like some huge #pfSense if one needs 40+ GBit/s throughput on #OpenVPN or #WireGuard.

Mind you that #LUKS - aside from the encryption of the key in the header - has used #AES256 by default for a long time and is pretty efficient even prior to #AESni.

So no, in most cases the impact is purely synthetic and not really of any impact...

Stefano Marinelli
4 months ago

On my #iPhone, I've been using an automatic #Wireguard tunnel to access my LAN and use my ad-free DNS while I'm out. On #Tasker for #Android, I've tried to recreate the same setup, but it doesn't seem to be reliable. However, I had bought VPN Client Pro years ago, and it's been working flawlessly. #Google #Pixel7

5 months ago

The #Unifi networking stack/ecosystem is hit and miss, especially as it relates to software quality. My latest was spending at least an hour troubleshooting why a new #WireGuard VPN would crash the UI and fail to work.

I used only their tools for setup. From /var/log/messages:

invalid config: configuration syntax is invalid: invalid base64 string: base64 string contains invalid characters: .vpn/wireguard/servers.privateKey

The UI had generated an invalid key. And then would crash.

I just learned that #Wireguard will automatically and correctly clamp any private 32-byte key.

For example:

$ openssl rand -base64 32

Even though the first and last bytes are not properly clamped above, when generating the public key, the wg(8) tool will clamp it. Further, when bringing up the interface, Wireguard will also clamp it.

See and (search for "curve25519_clamp_secret")
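An added example, not part of the post above or of the WireGuard project: Python (standard library only) showing the clamp that wg(8) and the kernel apply to a 32-byte secret, plus a checker that classifies a base64 key the way a config loader would, so the "invalid characters" failure from the Unifi post earlier on this page and the "unclamped but still usable" case from this post can be told apart. Public-key derivation is left to `wg pubkey`; the key material here is generated locally and is purely illustrative.

```python
"""Curve25519 private-key clamping and sanity checks for WireGuard keys.

Constructed example, standard library only. It shows what clamping does to
the 32 secret bytes; deriving the public key is left to `wg pubkey`.
"""
import base64
import binascii
import secrets

KEY_LEN = 32


def clamp(key: bytes) -> bytes:
    """Apply the Curve25519 clamp (RFC 7748, section 5): clear the low 3 bits
    of byte 0, clear the top bit of byte 31 and set its second-highest bit.
    wg(8) and the kernel do this before using the scalar, which is why an
    unclamped key straight from `openssl rand` still works."""
    if len(key) != KEY_LEN:
        raise ValueError("Curve25519 private keys are exactly 32 bytes")
    k = bytearray(key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def is_clamped(key: bytes) -> bool:
    """True if clamping would not change the key (clamping is idempotent)."""
    return clamp(key) == key


def encode_key(raw: bytes) -> str:
    """Base64 as used in WireGuard config files (44 characters for 32 bytes)."""
    return base64.b64encode(raw).decode("ascii")


def check_private_key(b64: str) -> str:
    """Classify a base64 private key the way a config loader would:
    'invalid-base64' : not strict base64 (the failure mode behind the
                       'base64 string contains invalid characters' error)
    'wrong-length'   : decodes, but not to 32 bytes
    'unclamped'      : valid; WireGuard will clamp it itself
    'ok'             : valid and already clamped (what `wg genkey` emits)"""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if len(raw) != KEY_LEN:
        return "wrong-length"
    return "ok" if is_clamped(raw) else "unclamped"


def genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, then base64."""
    return encode_key(clamp(secrets.token_bytes(KEY_LEN)))


def openssl_style_key() -> str:
    """Equivalent of `openssl rand -base64 32`: random bytes, not clamped."""
    return encode_key(secrets.token_bytes(KEY_LEN))


if __name__ == "__main__":
    k = openssl_style_key()
    print(k, check_private_key(k))              # usually 'unclamped', occasionally 'ok'
    g = genkey()
    print(g, check_private_key(g))              # 'ok'
    print(check_private_key("not a key!"))      # 'invalid-base64'
    print(check_private_key("YWJj"))            # 'wrong-length'
```

Because `clamp` is idempotent, a key that `wg genkey` produced is unchanged by a second clamp, while one from `openssl rand` is only changed in byte 0 and byte 31; both lead to the same public key once `wg pubkey` has clamped them.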


Kevin P. Fleming
5 months ago

If you're a user of WireGuard, Ansible, and systemd-networkd, you may be interested to know that I've just published version 2.0.0 of my 'ansible-systemd-network' roles collection. The addition in this version is a role to manage WireGuard tunnels 🙂

#Ansible #WireGuard #systemd

6 months ago

#WireGuard becomes the first VPN app on #FDroid to be built reproducibly! This means that WireGuard on F-Droid is now guaranteed to be 100% (bit-by-bit) equal to the WireGuard the developer builds.

If you're using WireGuard from F-Droid, please export your tunnels and re-install to switch to the developer's signature and continue receiving updates.

More details in the official WireGuard announcement:

New to reproducible builds? Check out

Morten Linderud
6 months ago

The Wireguard android app is now Reproducible and distributed with Jason's own signing key.

Pretty cool.

#Wireguard #ReproducibleBuilds

Timo Zimmermann
6 months ago

I’ve been running #opnsense with a #wireguard on demand profile on my phone for a quarter. I’m basically always connected via WireGuard except when on my own wifi. It worked flawlessly so far. Not a single issue.

I’d like to see things like this make it to consumer tech.

One click - the router sets up the firewall, dynamic DNS if needed (owned by the vendor is good enough for most) and shows a QR code to provision the app.

Working VPN for anyone willing to read a one page manual.

Freifunk Rhein-Sieg e.V.
6 months ago

We managed the technical breakthrough in testing. 500 MBit/s downstream with #VPN via #WireGuard on the #Supernode's 1 GBit/s uplink. #Freifunk 4.0 🤗

Terence Eden
7 months ago

Arse. Looks like #MozillaVPN doesn't support command-line usage.
There is a #CLI app - but it doesn't work on headless #Linux servers.
So I either need to manually set up #WireGuard or get a refund.
Not ideal!

8 months ago

you can use #Wireguard from a cloud VM (say, using pi-vpn, which is extremely easy to set up and manage if you're comfortable with a #Linux CLI) and share Wireguard profiles with your friends, then use the default Wireguard #LAN IP space to LAN #games across the internet

great way to host things like #Minecraft privately, without exposing #game server ports on the public internet

8 months ago

@Edent Mullvad VPN. #WireGuard possible, a lot of countries, no subscription and easy to use.

D2I 🕊
8 months ago

#WireHole is a combination of #WireGuard, #Pi-hole, and #Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional #privacy options, and upstream providers via Unbound.

Dave Townsend
8 months ago

@fred if I had one complaint about #wireguard it would be the difficulty diagnosing issues with it

tfw you mess around with your #wireguard settings for an hour, just to finally realize the config was correct all along but you forgot to forward the right port through the router 😭