mTLS is great and it’s a shame Firefox mobile still doesn’t support it.
For anything important, use matrix instead of lemmy DMs.
Yea but I didn’t realize the vaultwarden project didn’t also release client software.
I had looked into running my own vaultwarden, but without open source clients it’s maybe a bit moot. Although I guess the web interface can be considered a client, OS or browser integration is a convenient feature.
Vaultwarden ?
Edit: Nvm, that’s just the server part
I hear ya.
I get 1-6 meetings in the same time slot, people don’t care to check so I don’t care to show.
I decide which meetings are important for actually moving stuff forward and screw the rest.
There’s only ever one guy who complained to my boss…
I didn’t show up for a meeting for a Friday 7pm, invite sent at like 4:58pm the same day for some inane and absolutely not urgent subject.
I saw that invite come in, chuckled, closed my laptop, went home and ignored it.
Later that night, the guy went nuts and CC’d everyone’s bosses because he had wasted the full hour and obviously no one showed up to his meeting “even though I made sure to check everyone’s calendar and everyone was available and you’re all unprofessional”.
I don’t do emails notifications on phones as a rule unless you wanna pay my rate 24/7, but I had forgotten to do my time sheet so I was logged in doing that…
I dabble in a bit of passive aggressiveness in the face of corporate bullshit, so I finished my timesheet and hit propose new time… Sunday 3:21 am…
“Checked your calendar and it was available. Sorry for the inconvenience.”
Closed my laptop and fucked off.
The guy went nuclear over several emails.
Sent a quick email to my boss “Just a heads-up, I think I angered someone by not attending their 7pm meeting they sent at 4:58pm and proposing an equally ridiculous time”
Never heard from the guy again and the next week he wasn’t in the company AD anymore.
Probably went full tilt cookie monster in the coke jar or something.
Pfff, there’s barely any double-booking in that calendar.
Source:
I sacrifice myself to the useless meeting altar so that others can focus on actual work in peace.
USB 3 micro B
Haven’t had to use port forwarding for gaming in like 30 or so years, so I just looked up Nintendo’s website…
Within the port range, enter the starting port and the ending port to forward. For the Nintendo Switch console, this is port 1024 through 65535
LMAO, no thanks, that’s not happening.
For your question, you could likely route everything through a tunnel and manage the port forwarding on the other end of the tunnel.
Hmmm… There are as many ounces in a cup as there are bits in a byte.
Maybe the first byte fit in a cup.
Ultimately, do whatever you think you’ll be able to keep up with.
The best documentation system is useless if you keep putting it off because it’s too much work.
It can be in git even if you’re not doing ‘config as code’ or ‘infrastructure as code’ yet/ever.
Even just a text file with notes in markdown is better than nothing. Can usually be rendered, tracked, versioned.
You can also add some relevant files as needed too.
Like, even if your stuff isn’t fully automated CI/CD magic, a copy of that one important file you just modified can be added as necessary.
Are you trying to recover data here?
Seems like you didn’t use it and (maybe?) don’t have data to lose here?
Yea I’ve been using nextcloud for a while and it’s fine.
I remember when I used owncloud before nextcloud was even a thing and the upgrade experience was absolute shit.
These days it’s just fine.
What’s nice is it provides a similar level of protection to using a VPN with PKI, but just for that specific subdomain. While a VPN would have to be connected manually before use (or all the time), this is built-in.
The odds of someone breaking through the mTLS and breaking through that application’s security at the same time are much smaller than either separately.
If you don’t have a valid cert, you’re dropped by the reverse proxy before anything even gets passed to the server behind it.
I’m a big fan of it.
Not really, although now that I have certs for those anyway, maybe I should.
More like I’m using some services on the go that I want to always work, whether I’m on the LAN or on the go.
Opening home automation or 3d printers to the Internet is unwise to say the least.
mTLS in the reverse proxy for those allows me to have more security without having to establish a VPN first.
I’m just doing mutual TLS to authenticate clients, which I use the private CA for.
I could use the private CA for the server instead of Let’s Encrypt and trust that on devices, but Let’s Encrypt is easy enough and useful for other things that I open publicly. mTLS avoids needing a VPN for more sensitive services.
My local library offers a 3d printing service.
I run a private CA for client SSL.
For traditional server SSL I just use let’s encrypt, although I already have the domain (less than $10 a year) for my public facing stuff, and just use a subdomain of that one for my homelab.
I have a container with openssl for the private CA and generating user certs as well as renewing the let’s encrypt ones. I just use openssl without anything fancy.
The output folder is only mounted rw in that one container
I only ever mount the subfolders in read-only in other containers that need those certs.
All these containers are running on the same server so I don’t even have to copy anything around, the containers don’t even need connectivity between them, it’s just mounted where needed.
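The private CA and client-cert workflow described in the mTLS comments above (certs cut with plain openssl in one container, the CA cert handed to the reverse proxy), as an added example that is not the commenter’s own scripts; the directory layout, names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's own scripts: a minimal private CA for
# mTLS client certificates using plain openssl, as the comments describe.
# Directory layout, names and lifetimes are assumptions for illustration.
set -eu

make_ca() {
  # $1 = directory that only the CA container mounts read-write.
  # The self-signed CA cert is what nginx gets as ssl_client_certificate.
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=${2:-Homelab Private CA}" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

issue_client_cert() {
  # $1 = CA directory, $2 = user/device name. Produces $2.key and $2.crt,
  # which get installed on that one device only.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.crt" >/dev/null 2>&1
  rm -f "$1/$2.csr"
}

verify_client_cert() {
  # $1 = CA directory, $2 = path to a client cert. Same check nginx makes
  # with ssl_verify_client on: the chain must end at this CA, nothing else.
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

bundle_for_device() {
  # $1 = CA directory, $2 = name, $3 = export password. Creates $2.p12 for
  # importing into a phone or browser keystore (constructed password here).
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -out "$1/$2.p12" -passout "pass:$3" >/dev/null 2>&1
}

# Stand-alone demo: ./ca.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_client_cert "$dir" phone
  bundle_for_device "$dir" phone changeme
  verify_client_cert "$dir" "$dir/phone.crt" && echo "phone.crt chains to $dir/ca.crt"
fi
```

On the nginx side the CA cert goes into ssl_client_certificate with ssl_verify_client on in the same server block that does the proxy_pass; a connection presenting no cert, or one not chained to that ca.crt, is rejected during the TLS handshake before anything is proxied.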
I configure nginx with text config files.
No clue how or where that is in your setup, but presumably somewhere where you configure the proxypass and server names.
in nginx:
server {
    ...
    location / {
        ...
        # upstream address redacted by the poster
        proxy_pass https://redacted.......;
        proxy_pass_request_headers on;
        proxy_pass_header Set-Cookie;
        # tell the backend which hostname and scheme the client actually used
        proxy_set_header Host $host;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Forwarded-Proto $scheme;
        # original client address, for the backend's logging and trusted-proxy handling
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ...
    }
}
I think there was a trusted proxy setting in owncloud itself that needed to be set too, or maybe I’m thinking of another service.
Some subjects you might wanna look into.
1. NAT hairpin, also called NAT loopback. If you’re sending packets to your ISP’s public IP from inside your LAN and it fails, your ISP modem (or whichever device does the NAT) probably doesn’t support NAT hairpin.
2. Split-horizon DNS. That’s when you configure your own DNS for your hosted services, but with a different config on your LAN (which would point towards your service’s LAN IP) and another config with your public DNS provider (which would point to your public IP).
3. Carrier NAT. This could break your chances of having a reachable service as they likely won’t make a port forwarding rule for you in their stuff.
4. IPv6 address types. Link-local addresses are within fe80::/10 (kinda similar to how 169.254.0.0/24 is used in ipv4). This IP wouldn’t be reachable from the outside.
Global unicast addresses are all in 2000::/3; this would be reachable from the outside.
5. IPv6 DNS. Make sure to configure both A (ipv4) and AAAA (ipv6) records with the right info. Although if your LAN devices only have ipv4 addresses and you’re doing Split-horizon, you could theoretically omit the AAAA on your LAN.
Some recent phones ignore the DNS they receive through DHCP and instead use something like Google’s which breaks split-horizon and can confuse troubleshooting. This wasn’t in the SSID settings, but in a global “private DNS” setting.
As for your problems, it depends.
There might be a way to make this work without the VPS, but I don’t have all the info.
That said, a VPS or something like a cloudflare tunnel could come in handy. I usually prefer to host directly but still, that’s an option if port forwarding doesn’t work with your ISP.
You’d configure the DNS for your services to the VPS IP and configure the VPS to reach your stuff.
Using the VPS kinda also gets rid of NAT hairpin problems although it is inefficient to go through the VPS from the LAN with the downside of not working when your Internet is down.
You can still use the VPS and Split-horizon DNS if you wanna have local availability from your LAN when your Internet is down.
Good luck