The company behind pfSense is shady as hell:

https://opnsense.org/opnsense-com/

Also the complete and utter clusterfuck of an attempt to bring Wireguard into the FreeBSD kernel:

https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/

What kind of ISP are you dealing with?

And maybe PPPoE.

traceroute --mtu 1.1.1.1

Pick the lowest value displayed for F=xxxx like e.g F=1492 and subtract 80.

For my DSL connection the optimal value is 1412.

nonfree drivers accessible right away

Non-free firmware is included in the Debian installer since Bookworm.

Do you really know how Wireguard works?

Updating without a reboot only works for wireguard-go. The default implementation runs in the kernel. An update to it would require kernel live patching.

Wireguard doesn’t answer to unsigned packets. Using obscure ports or even port knocking is rather pointless. It’s indistinguishable from a closed port.

I’d rather take Casaos out of the equation and target Ubuntus’ Wireguard stack instead.

Shelter?

Did you enable forwarding via sysctl?

sysctl net.ipv4.ip_forward

This should report 1

You only need the masquerade rule.

iptables -t nat -A POSTROUTING -s 10.11.13.0/24  -o enp3s0 -j MASQUERADE

Holepunching is trivial for IPv6.

That’s a lot of eloquent words to describe how you have to put people into strictly defined categories, otherwise you get confused and angry.

Lemmy is the LGBT/woke Old Reddit clone

*checks comment history*

Children need a man as a father, not a spineless cuck.

https://lemmy.world/comment/693917

Cisgender is a slur:

https://lemmy.world/comment/726144

Where did the big bad woke touch you?

Not OP but DynDNS entries will always point to your current external IP and are renewed every hour.

Internally I run an AdGuard Home instance for adblocking. All my domains are rewritten by it to use the local IP while I’m in the same network.

https://en.wikipedia.org/wiki/Split-horizon_DNS

Wow, this looks incredible! I always wanted to to deploy something like Authelia or Authentik but they seemed way too heavy for my purpose.

Whats the runtime memory usage of the docker container?

The instance doesn’t really matter that much, to be honest. You need to write an interesting toot, use fitting hashtags and kindly ask for boosts.

Cookie banners are usually from the same domain. I doubt you can block them via DNS.

The best workaround I found was to move everything multiple people should have access to into its own vault and add users as managers to that vault.

It’s also the cleanest approach.