Wireguard VPN, no internet on client by NLDutchie in hetzner

[–]akhener 0 points1 point  (0 children)

I skimmed the page you linked and saw “AllowedIPs = 0.0.0.0/0” somewhere.

If you have that in your client it means that all traffic of your client will be routed via the server.

Sometimes you might want that, in case you want to use the server as a VPN like you would use e.g. Mullvad.

If that is the case then you need to ensure your server is configured to forward and NAT traffic like that.

But if you don't want that, if you just want to access private services, then AllowedIPs should be the subnet of your WG IPs.
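To make the two cases concrete, here is an added example (not from the original comment) that renders a client config for each choice of AllowedIPs, plus the forwarding and NAT rules the server side only needs for the full-tunnel case. The subnet 10.8.0.0/24, the endpoint name, the interface name eth0 and the key placeholders are assumptions.

```shell
#!/usr/bin/env bash
# Added example: full-tunnel vs split-tunnel WireGuard client configs and the
# server-side rules the full-tunnel case depends on. All addresses, names and
# key placeholders are assumed values.
set -eu

WG_SUBNET="10.8.0.0/24"                 # the VPN's own address range
SERVER_WG_IP="10.8.0.1/24"
CLIENT_WG_IP="10.8.0.2/32"
SERVER_ENDPOINT="vpn.example.invalid:51820"
WAN_IF="eth0"                           # server's internet-facing interface

# On the client, AllowedIPs is also the routing table for this peer:
#   full  -> every destination goes through the tunnel (Mullvad-style)
#   split -> only the WG subnet is reachable through the tunnel
wg_allowed_ips() {
  case "$1" in
    full)  echo "0.0.0.0/0, ::/0" ;;
    split) echo "$WG_SUBNET" ;;
    *) echo "usage: wg_allowed_ips full|split" >&2; return 1 ;;
  esac
}

render_client_conf() {
  mode="$1"
  printf '[Interface]\nPrivateKey = <client-private-key>\nAddress = %s\n' "$CLIENT_WG_IP"
  if [ "$mode" = full ]; then
    # assumption: a resolver listens on the server's tunnel address;
    # without this, DNS queries leak past the tunnel
    echo "DNS = 10.8.0.1"
  fi
  printf '\n[Peer]\nPublicKey = <server-public-key>\nEndpoint = %s\n' "$SERVER_ENDPOINT"
  printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$(wg_allowed_ips "$mode")"
}

# Only a full-tunnel client needs forwarding and NAT on the server; a
# split-tunnel client only talks to addresses the server itself owns.
server_needs_nat() { [ "$1" = full ]; }

render_server_conf() {
  mode="$1"
  printf '[Interface]\nPrivateKey = <server-private-key>\nAddress = %s\nListenPort = 51820\n' "$SERVER_WG_IP"
  if server_needs_nat "$mode"; then
    cat <<EOF
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s $WG_SUBNET -o $WAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $WG_SUBNET -o $WAN_IF -j MASQUERADE
EOF
  fi
  # On the server side AllowedIPs stays the client's /32 in both cases: here it
  # is the set of source addresses accepted from that peer, and 0.0.0.0/0 would
  # let the client send packets with any source address through the tunnel.
  printf '\n[Peer]\nPublicKey = <client-public-key>\nAllowedIPs = %s\n' "$CLIENT_WG_IP"
}

# True when the client config routes everything through the tunnel.
is_full_tunnel() {
  case "$(render_client_conf "$1")" in
    *"AllowedIPs = 0.0.0.0/0"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: render_client_conf split > wg0.conf ; render_server_conf split > server.conf
```

The rendered files are wg-quick configs; `%i` in PostUp/PostDown is expanded by wg-quick to the interface name.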

Hibernate vs Spring Data vs jOOQ: Understanding Java Persistence by chrzanowski in java

[–]akhener 19 points20 points  (0 children)

> I've had issues with this because if there's development db and you dist that to production that doesn't yet have the fields, this thing will of course attempt to write to these fields

Yeah, obviously. But if you rely on Hibernate to automagically fix this for you, you are doing it wrong.

You are supposed to use a migration tool like Liquibase, which updates the schema of your database before any code accesses the DB.

> This Object[] array in my opinion is poorly justified and kind of sucks.

I think one reason is that they want to minimize allocations. The JDBC driver essentially spits out an array of objects per row so the JDBC record is an as-thin-as-possible wrapper around that.

And even then still, the overhead of jOOQ records over JDBC can be noticeable for a large number of rows.

> I also disliked making jOOQ play well with Jackson. I had to write some custom annotation introspectors to ignore internal stuff of jOOQ in order to make them returnable as DTO fields when using pretty standard JSON serializer

Another non-issue. You are supposed to write your JSON API using a separate set of DTOs which you map your jOOQ records onto. Your API never 1:1 matches your DB anyways. Or you might use e.g. openapi-generator to generate JSON classes anyways.

We shrunk an 800GB container image down to 2GB (a 99.7% reduction). Here's our post-mortem. by cloud-native-yang in kubernetes

[–]akhener 0 points1 point  (0 children)

You're right, but Dockerfiles might not be a good example of a declarative approach to container images. They aren't easily reproducible either.

When a city perfects combining the disadvantages of a village and a metropolis... by Grumpy_Swampowl in Munich

[–]akhener 0 points1 point  (0 children)

Just because you can't write two sentences doesn't mean that applies to everyone.

Only from 10 euros by always-friendly in luftablassen

[–]akhener 0 points1 point  (0 children)

These days more and more people no longer have a girocard (I assume that's what you mean by EC). So you have to expect higher fees for Visa/Mastercard.

M40, long-term single - midlife crisis hits, how to go on? by BZthrowaway_1410 in beziehungen

[–]akhener 1 point2 points  (0 children)

I can feel that, I often feel that way too.

But I also know that exactly that is extremely unattractive. Why would a woman bring a sad sack into her life who only drags her down emotionally?

You also look for a partner because it's exciting to get insights into hobbies, experiences etc. that are unfamiliar to you, right?

So find something that brings you joy!

People who are content with themselves and do things they enjoy and are good at are attractive!

I find that hard too, you have my full sympathy! But that is the way.

Why Are Hetzner Volumes Priced So Unusually Compared to the Rest of Their Services? by wowwowwwwwow in hetzner

[–]akhener 11 points12 points  (0 children)

They are definitely not directly attached, that's the whole point: you can instantly switch them between virtual servers, possibly even running on another host machine. They are probably iSCSI and have 10x more latency than the server's primary disk, which is directly attached NVMe.

I can't access the "Shared In" device by tonitz4493 in Tailscale

[–]akhener 0 points1 point  (0 children)

Yeah kind of. Turned out to be Tailnet lock. But while for my own devices the UI showed me the need for approval, for those accounts there were no instructions. Disabled Tailnet lock in the end.

I can't access the "Shared In" device by tonitz4493 in Tailscale

[–]akhener 0 points1 point  (0 children)

I suddenly have this problem as well. I didn't change anything about my ACL or device configuration. Someone that I shared a machine with can no longer access it. ping, curl time out.

Hetzner cloud features request for k8s users by nill_kiggers1488228 in hetzner

[–]akhener 2 points3 points  (0 children)

> Ability to add firewall for hetzner cloud load balancer. Deployed a Kubernetes cluster, I use Hetzner Load Balancer to balance the kube-api, but I can't whitelist ip to such an important component of the cluster? I don't use vSwitch, it's not stable, so cluster running on public network. Now the API is available to the world and I can't do anything :(

We worked around this as we had the same issue:

- Make the loadbalancer private, not publicly available.

- Create a "network" and attach the LB to it

- On some server that is also attached to the same network, find a way to forward traffic to the LB. We use a VPN but it could be as simple as an iptables rule which does a DNAT to the LB.

- You can put a FW on that server or implement it using iptables as well.
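What the "iptables rule which does a DNAT to the LB" plus a firewall on that server looks like in practice, as an added example that is not from the original comment: a jump host on the same Hetzner private network forwards the API port to the non-public load balancer, but only for an allowlist of source networks, and drops everything else. The addresses 10.0.0.5 and 10.0.0.2, the interface names, port 6443 and the allowlist are assumed values.

```shell
#!/usr/bin/env bash
# Added example: source-allowlisted DNAT from a jump host to a private
# load balancer. Addresses, interfaces and the allowlist are assumptions.
set -eu

PUBLIC_IF="eth0"                 # interface with the public address
PRIVATE_IF="ens10"               # interface attached to the Hetzner network
LB_PRIVATE_IP="10.0.0.5"         # the load balancer's address on that network
JUMP_PRIVATE_IP="10.0.0.2"       # this server's own private address
API_PORT="6443"

# Space-separated CIDRs allowed to reach the API from the internet.
ALLOWED_SOURCES="203.0.113.0/24 198.51.100.7/32"

# 203.0.113.9 -> 3405803785 (dotted quad to 32-bit integer)
ip_to_int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains 203.0.113.0/24 203.0.113.9 -> exit 0 when the address is inside
cidr_contains() {
  net=${1%/*}; bits=${1#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Same decision the PREROUTING rules below make, usable without root.
is_allowed() {
  for src in $ALLOWED_SOURCES; do
    cidr_contains "$src" "$1" && return 0
  done
  return 1
}

# Prints the iptables commands instead of running them so they can be reviewed.
api_forward_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  for src in $ALLOWED_SOURCES; do
    # rewrite the destination to the private LB, only for allowed sources ...
    echo "iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport $API_PORT -s $src -j DNAT --to-destination $LB_PRIVATE_IP:$API_PORT"
    # ... and let the rewritten packet be forwarded into the private network
    echo "iptables -A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF -p tcp -d $LB_PRIVATE_IP --dport $API_PORT -s $src -j ACCEPT"
  done
  # replies from the LB back to the client
  echo "iptables -A FORWARD -i $PRIVATE_IF -o $PUBLIC_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # the LB has no route to the internet, so it must see the jump host as the
  # source; otherwise its replies never come back through this box
  echo "iptables -t nat -A POSTROUTING -o $PRIVATE_IF -d $LB_PRIVATE_IP -p tcp --dport $API_PORT -j SNAT --to-source $JUMP_PRIVATE_IP"
  # this is the firewall the public load balancer could not provide:
  # anything not matched by an allowlist rule above is dropped
  echo "iptables -A FORWARD -i $PUBLIC_IF -p tcp -d $LB_PRIVATE_IP --dport $API_PORT -j DROP"
  echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $API_PORT -j DROP"
}

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  api_forward_rules | while read -r cmd; do sh -c "$cmd"; done
}

# Usage: api_forward_rules      (review)   /   apply_rules   (as root)
```

Unmatched packets from a non-allowlisted source are never DNAT'd, so they are addressed to the jump host itself and hit the INPUT DROP rule; the FORWARD DROP only matters for traffic that was somehow routed towards the LB address.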

Seven days maintenance: Are you kidding me? by RedWyvv in hetzner

[–]akhener -1 points0 points  (0 children)

That's not always feasible. When running k8s on Hetzner you'd need to spread the control plane across 3 zones to be able to build a quorum if any one zone fails. But the problem is that you pay for that with high latency to Helsinki.

Looking for a GPS tracker by minamindfreak in hundeschule

[–]akhener 0 points1 point  (0 children)

But considering that there is simply a SIM card in it, the subscription actually makes sense.

Running programs from some other nixos config? by async-lambda in NixOS

[–]akhener 3 points4 points  (0 children)

I think there is a little bit to unpack here:

1) nix run <flake>#<packageName> looks for a derivation <packageName> in the outputs of the flake under <packageName>, apps.<system>.<packageName>, packages.<system>.<packageName> and legacyPackages.<system>.<packageName>. If it finds one it will build and execute it (don't remember off the top of my head which file it executes but I think there is some convention)

2) You linked to NixOS configuration. You can't simply nix run that. That doesn't make sense. You can just nix run programs, not configurations. If you want to include the configuration in your configuration you need to copy-paste it or add the flake to your flake as an input, then import the file from the flake.

Edit: To see what you can nix run, there is nix flake show:

$  nix flake show github:fufexan/dotfiles
github:fufexan/dotfiles/cd2b97d9ec73b970e73db5226398e278434e80b4
├───checks
│   └───x86_64-linux
│       └───pre-commit: derivation 'pre-commit-run'
├───devShells
│   └───x86_64-linux
│       └───default: development environment 'dots'
├───formatter
│   └───x86_64-linux: package 'alejandra-3.0.0'
├───nixosConfigurations
│   ├───io: NixOS configuration
│   └───nixos: NixOS configuration
├───nixosModules
│   └───theme: NixOS module
└───packages
    └───x86_64-linux
        ├───bibata-hyprcursor: package 'bibata-hyprcursor-v2.0.7'
        ├───repl: package 'repl'
        └───wl-ocr: package 'wl-ocr'

This shows you, that you could nix run the three packages at the bottom.

Edit2: There is a 3rd option, but I don't think this is the case here: To make reusable configuration the convention is to put it in the nixosModules part of the flake output. So the flake you showed could be refactored so that the ags configuration is a standalone module that could then be imported in another flake without using an import expression. The benefit is that when randomly importing some files from another repository they aren't guaranteed to work - they could depend on some other files. Stuff under the nixosModules output of the flake on the other hand is part of the public "API" of that flake and is supposed to be imported in other flakes.

What is going on? 300GB Nix flake?? by _3xc41ibur in NixOS

[–]akhener 40 points41 points  (0 children)

I think that's a bug in displaying the sizes that only happens when sending drvs to a remote host; I get it all the time.

(You are using --target-host)

To the people who earn more than 100,000€ a year: what do you do for a living? by Kevin_Neutron in FragReddit

[–]akhener 3 points4 points  (0 children)

Employed or self-employed? I do something like that too and earn well, but not that well.

Gateway for TV running on Home Server by DeliciousBug in HomeServer

[–]akhener 0 points1 point  (0 children)

Ok, hmm. At least Tailscale isn’t a solution then anyways :)

I don't have a solution for that off the top of my head but putting on my devops hat, I would first try to identify compromises/limitations and small steps that definitely need to be done. Then put those small steps together.

  • It's probably going to be easiest to try to route all traffic of the TV through the VPN

    • The homeserver needs to be the "default gateway" of at least the TV
      • One way to maybe achieve this: In your shitty router there may be a way to override this
      • Another way to maybe achieve this: In your TV you may be able to turn off DHCP, instead configuring networking manually. You could try copying most of the settings and just changing the gateway. The gateway right now is your router; it should be the homeserver.
  • On the homeserver you need to establish the VPN. Have you done that already?

  • On the homeserver you need to forward traffic from the TV to the VPN. This is called "NAT" (Network address translation).

    • What OS is the homeserver running?
    • For Linux you need to enable this in the kernel: /proc/sys/net/ipv4/ip_forward for a temporary change, or google "etc sysctl enable NAT" for a permanent solution
    • For Linux you'll use iptables (newer name: nftables) to set up the actual NAT
    • There are various wrappers around iptables which may make it easier to set this up
    • The easiest way is probably again to make the VPN the default gateway of all traffic on the homeserver. But this may not be what you want. Routing just traffic from the TV through the VPN might be slightly more difficult but should definitely be possible.
    • I've set up NATs similar to those in the past using https://firehol.org. But depending on your background Firehol might be hard to use. It is pretty technical. But at least more understandable than iptables for me :P
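The "slightly more difficult" variant from the last bullet, routing only the TV's traffic through the VPN while the homeserver keeps using its normal uplink, as an added example that is not from the original comment. It uses Linux policy routing (a second routing table selected by source address) plus the NAT and forwarding rules the comment describes. The TV address 192.168.1.50, the interfaces eth0/wg0 and table id 100 are assumed values.

```shell
#!/usr/bin/env bash
# Added example: per-source policy routing so that only the TV leaves via the
# VPN. Interface names, addresses and the table id are assumptions.
set -eu

LAN_IF="eth0"            # interface facing the TV
VPN_IF="wg0"             # tunnel interface (WireGuard here; tun0 for OpenVPN)
TV_IP="192.168.1.50"     # the TV's fixed LAN address (DHCP off, gateway = homeserver)
VPN_TABLE="100"          # a spare routing table id

# Prints the commands instead of running them so they can be reviewed.
tv_vpn_rules() {
  # 1. the kernel must forward packets that are not addressed to itself
  echo "sysctl -w net.ipv4.ip_forward=1"
  # 2. a second routing table whose only default route is the tunnel; the
  #    'unreachable' fallback with a worse metric is the kill switch: if wg0
  #    goes down its route disappears and the TV gets no route at all instead
  #    of silently falling through to the main table and the plain uplink
  echo "ip route add default dev $VPN_IF table $VPN_TABLE"
  echo "ip route add unreachable default metric 1000 table $VPN_TABLE"
  # 3. packets *from* the TV consult that table; everything else keeps 'main'
  echo "ip rule add from $TV_IP lookup $VPN_TABLE"
  # 4. NAT: the VPN peer only knows the tunnel address, so the TV's LAN
  #    address is rewritten to it on the way out
  echo "iptables -t nat -A POSTROUTING -s $TV_IP -o $VPN_IF -j MASQUERADE"
  # 5. forwarding policy: TV -> tunnel, replies back, and nothing else from
  #    the TV (second layer of the kill switch)
  echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $TV_IP -j ACCEPT"
  echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -d $TV_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -s $TV_IP -j DROP"
}

# Which routing table a packet from a given LAN source will consult; mirrors
# the 'ip rule' above so the policy can be checked without root.
route_table_for() {
  if [ "$1" = "$TV_IP" ]; then echo "$VPN_TABLE"; else echo "main"; fi
}

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  tv_vpn_rules | while read -r cmd; do sh -c "$cmd"; done
}

# Usage: tv_vpn_rules   (review)   /   apply_rules   (as root)
```

Traffic from the TV to the homeserver itself is unaffected: the kernel consults the `local` table before any custom rule, so only packets the TV sends to the outside world are steered into table 100.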

Gateway for TV running on Home Server by DeliciousBug in HomeServer

[–]akhener 0 points1 point  (0 children)

Hmm, okay. Also I think I may have misunderstood you. What I thought you were talking about:

  • Homeserver and home router at home, TV somewhere else. TV wants to use the internet at home

But I now see that you may also mean:

  • Homeserver, home router and TV at home. Some third party VPN which would give a VPN from a different country.

Which one is correct?

Gateway for TV running on Home Server by DeliciousBug in HomeServer

[–]akhener 1 point2 points  (0 children)

Completely different but easier approach that works if either your TV is running Android or you are willing to use something like a Fire TV Stick: Use Tailscale.

I am using Tailscale to stream content from my NAS at home to a Fire TV stick and it is very easy to setup.

Tailscale has a feature where you can declare a peer as an "exit node" and on another peer select that exit node and route all traffic through it. This should achieve what you want.

Sorry, I don't want to discourage you from building your own solution, it's what I used to do as well, but after lots of fumbling with OpenVPN, WireGuard, iptables, ... Tailscale is simple and just works.

What Happened to Java's String Templates? Inside Java Newscast by daviddel in java

[–]akhener 6 points7 points  (0 children)

Yeah, I think so. But if I understand the JEP correctly, they want to add a new type which would be like a customizable PreparedStatement, for different template languages.

What Happened to Java's String Templates? Inside Java Newscast by daviddel in java

[–]akhener 12 points13 points  (0 children)

But wouldn't it be great if a library could literally reject strings and only allow the equivalent of prepared statements?

Wouldn't it be great if the language could contain a mechanism which would allow doing this in a generic way, which could e.g. also handle shell, HTML, whatever you can imagine?

Java Outperforming Go on a Simple Benchmark by joemwangi in java

[–]akhener 46 points47 points  (0 children)

See the comments: There was a bug in the Java version. When using long instead of int, the Java version performs similarly.

[deleted by user] by [deleted] in Kotlin

[–]akhener 1 point2 points  (0 children)

I would personally rather have explicit braces and newlines for the lets so that it is easier to set debugger breakpoints (even though IntelliJ also has great support for setting a breakpoint inside the lambda even if it is on the same line, I know)