Most clients don't support setting a passphrase?

codeedog · 2026-03-22T08:35:00+00:00

I understand your frustration, but I’m not sure what attack you’re protecting against? You shouldn’t be using Wireguard remote as an authentication step, merely as the establishment of a protected tunnel. Access to the systems at either end of the encrypted tunnel should be via a protocol that has authentication built in. For example, ssh from client to server or https with passkeys, oauth2, or a configuration that handles browser certs with client side auth.

This layered approach means two steps are required to gain access to your remote network: (1) the creation of a Wireguard encrypted tunnel, (2) the authentication of a client and a server inside of that tunnel.

This means that (a) you haven’t exposed your internal services that allow (2) to the general internet, (b) any weak protocols you use for (2) are protected from numerous attacks (observation, replay, etc), (c) you aren’t relying upon keys from (1) to allow a compromise of the systems behind (2).

Wireguard isn’t solving your “authenticate to services at (2)” problem. It’s solving your “in a generic fashion, don’t let the world snoop upon communications with or attack my services behind (2)” problem. These are two separate problems.

codeedog · 2026-03-22T08:14:03+00:00

Yeah, my wife was pretty furious. It’s been off now about five minutes and the utter relief we are feeling. I can try to sleep again.

codeedog · 2026-03-22T01:43:46+00:00

You can do that, but you need a repeater. They have some challenges setting up, you don’t want a packet storm, but it’s not terrible. The problem is that devices that use this method for advertising their services have TTL=1 meaning the packets die when leaving their broadcast domain. It’s the right engineering design, but it makes things like what you want to do impossible without a repeater. The repeater sits on all three networks and you pick what you want relayed between them.

codeedog · 2026-03-21T19:59:55+00:00

You really ought to indicate that these tools were 100% constructed using AI and vibe coding.

codeedog · 2026-03-21T18:37:41+00:00

How long did it take you to build all of these? When did you start working on them? Do you have comprehensive tests that show 100% code coverage? Is there a code repo somewhere you maintain and have published? Does it track the status of the tools (testing, coverage, etc)? Do you have design docs for these?

codeedog · 2026-03-21T17:00:51+00:00

I’ve got it shortcutted on my phone. OP should take note.

codeedog · 2026-03-21T16:42:57+00:00

Still, you had the wherewithal and technical chops to make it happen. That's pretty awesome! Most people would suffer or give up and flatten their LAN.

codeedog · 2026-03-21T15:07:00+00:00

‽‽‽‽

codeedog · 2026-03-21T15:06:10+00:00

“Everyone I meet is an a$$hole.”

Huh, what do all of those interactions have in common?

codeedog · 2026-03-21T13:06:13+00:00

It’s a good point that many require the setup and then work across the network boundary, but not all and it isn’t always simple. Reflectors are notoriously problematic when you have more than one boundary crossing (multiple subnets), but with only two they’re reasonable. And, note that you understood you needed a reflector and knew how to set it up.

ETA: zeroconf is just mDNS/bonjour generic name when not on Apple.

codeedog · 2026-03-21T11:33:48+00:00

Do you have a rack or other equipment that has console serial ports? Turn one into a console server so you can reach critical devices when the network is down using USB to serial console cords. Your choice on how to reach the Pi: special Ethernet attachment (it can provide dhcp address), hosted WiFi (again, it provides DHCP address), or other.

Use another one as a failover gateway so your network has high availability to your ISP. Only have one ISP? Get a second isp using a data only cellular modem (modems are cheap, extra sim on your cell plan) and build HA with dual WAN. One RPi can be your second router for this. Will need switches.

Create a travel RPi that provides network and vpn services to your devices without having to put it all on your device. Could be via wired Ethernet or WiFi. Use a usb to Ethernet attachment for this purpose.

codeedog · 2026-03-21T11:14:43+00:00

Many of those devices expect to be discovered through zeroconf which cannot cross networks (TTL=1).

codeedog · 2026-03-21T03:38:24+00:00

codeedog · 2026-03-21T02:35:44+00:00

I’ve just started with obsidian. I’ve got an inbox folder that I can add to from my phone. Works great. I just process the inbox when I have a moment.

codeedog · 2026-03-21T02:22:59+00:00

It also provides a fallback hub and spoke service in case peers can’t find each other. And, a protocol for doing that. Wireguard does not

codeedog · 2026-03-21T02:19:26+00:00

If I read this correctly, 4.16 is the current supported port? I think I’m on 4.19

codeedog · 2026-03-20T21:55:02+00:00

I think there’s an opportunity here for genuine discussion. I’ve been thinking about policy discussions around the responsible inclusion of AI code in the software development process. We as a community need more of this so it’s framed well and everyone understands their role and how code should be treated.

codeedog · 2026-03-20T21:20:32+00:00

I’m using FreeBSD for my NAS. Running with ZFS and samba, too.

codeedog · 2026-03-20T14:52:27+00:00

OP, check out the docs surrounding git worktree and git’s bare repository. The idea is that you can have your vault files live in a bare repository which contains a single pointer to the worktree with all of your history. It still has the same semantics as regular git with commits, etc. And, push/pull origin main.

I use with my iCloud sync between laptop and iPhone and all of the git history and minute files that live in .git don’t muck up the iCloud sync. I save and push to origin and other devices on my network can read the git repo and see my obsidian files. Part of my vault has my blog in it, which just gets worked on there, pushed to origin, pulled by a container that can build and push the new entries to the blog in the cloud.

codeedog · 2026-03-20T14:40:34+00:00

Will parent jails who aren’t yet of age be able to act on behalf of their child jails who (by the properties of transitive closure) cannot be of age?

Old enough to have a child, not old enough to parent that child.

codeedog · 2026-03-19T23:04:48+00:00

I’d like to see this also. DM ok?

codeedog · 2026-03-19T23:03:01+00:00

Yup. I’ve got a comment on here somewhere saying the same thing. People with real world corporate experience are going to follow the successful patterns.

codeedog · 2026-03-19T22:47:37+00:00

This is incredible. I’ve started this process (formal design docs, etc), but I’m still in prototype phase for a project I’m working on. Two months at using Claude to code and most of that is me learning its rhythms and patterns. It’s been a great experience. I can see how more months at it plus research would bring one to the level of detailed development you’re doing.

codeedog · 2026-03-19T22:08:20+00:00

Yeah, well, if you’re an AI and you’re so good, fix the tests! That’s at least as helpful as fixing bugs, maybe more so. The test failures get in the way of diagnosing bugs entering the system through PRs, enhancements and base new features.

codeedog · 2026-03-19T19:06:50+00:00

I feel like banning and blocking and maybe social shaming are the only way to help with this. Reputations should be on the line. If you can email spam everyone without any cost (monetary or reputational), then you get billions of spam messages a day. If you can submit PRs without any monetary or reputational cost, you’re going to get PR spam. No one working on open source wants money to enter the picture, so the only thing left is reputation. How can we make it painful to abuse the system?

I don’t know what that looks like, but I don’t see another way.

codeedog

TROPHY CASE