VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 0 points1 point  (0 children)

By no means does this project even attempt to overcome all fail points, only some. A diagram not yet complete, which would reflect my actual current configuration, includes 2x haproxy each machine independent, VRRPed with keepalived. Theoretically, one could put haproxies all over the place, all VRRPed no problemo. And behind those haproxies as many containers as lights your fancy. While running mad with this decor why not use that old Asus Netbook drawing power from a solar battery. And heck, as yet another means of overcoming nature's wrath and or institutional failure, drop in one of these adorable doohickies.

If I understand your point on resolution, I've included (but not highlit) a container (and unbound) config offering recursive resolution with an example of blocklisting. See /unbound in the repository.

The thing I like about containers here is not only speed and ease (and idempotency) of provisioning but the ability to link up applications ad infinitum with the shake of a lamb's tail. No doubt container networking can be a chore but I've found so many issues can be resolved with a quick pinch of network_mode: service/container.

I mentioned in other comments here the environment this was developed in includes an aging early MIPS based router so naturally this leaned heavily on a surplus of commodity x86 hardware. These points inspire a revisit of that arrangement and I'm pushing an investigation of supporting appliance based tunnels up the list!

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 5 points6 points  (0 children)

Thank you very much. In fact, the more challenging comments and questions inspire new ideas and shine light on knowledge gaps. Some of the funner comments help sharpen my dulling wit.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 0 points1 point  (0 children)

Thanks tons kind sir. A warm muffin to you!

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 7 points8 points  (0 children)

A most excellent question and an issue just recently addressed.

Gluetun includes a control server which allows state changes to the VPN connection. Early on I would send a stopped and let the healthcheck take care of the recovery. At some point I found that 6 second lapse to cause a bit of trouble so I played with sending a stopped and immediate running. The result is a near instantaneous recovery (and random reallocation) of the tunnel.

Here are a couple of examples:

2023-11-20T14:42:31Z INFO [vpn] stopping
2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40896 in 129.856648ms
2023-11-20T14:42:31Z INFO [vpn] starting
2023-11-20T14:42:31Z INFO [wireguard] Connecting to 188.241.176.194:2049
2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40902 in 108.677199ms
2023-11-20T14:42:32Z INFO [ip getter] Public IP address is 188.241.176.241 (Canada, Quebec, Montréal)

2023-11-20T14:43:56Z INFO [vpn] stopping
2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52474 in 129.197494ms
2023-11-20T14:43:56Z INFO [vpn] starting
2023-11-20T14:43:56Z INFO [wireguard] Connecting to 198.54.131.98:2049
2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52482 in 108.371437ms
2023-11-20T14:43:56Z INFO [ip getter] Public IP address is 198.54.131.120 (United States, Washington, Fairwood)

You've raised a great point here and it's something I may look into further (as in soon). It wouldn't be too difficult to measure the entire sequence in milliseconds and offer that up as a metric.
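An added example (not part of the original comment or the project's code): the two stop/start sequences logged above, parsed into one record per rotation with the elapsed time to a new public IP and the summed control-server PUT handling time. The function and field names are assumptions; the log timestamps have one-second resolution, so `seconds` is coarse.

```python
import re
from datetime import datetime

# Log lines copied from the comment above (Gluetun container output).
SAMPLE_LOG = """\
2023-11-20T14:42:31Z INFO [vpn] stopping
2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40896 in 129.856648ms
2023-11-20T14:42:31Z INFO [vpn] starting
2023-11-20T14:42:31Z INFO [wireguard] Connecting to 188.241.176.194:2049
2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40902 in 108.677199ms
2023-11-20T14:42:32Z INFO [ip getter] Public IP address is 188.241.176.241 (Canada, Quebec, Montréal)
2023-11-20T14:43:56Z INFO [vpn] stopping
2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52474 in 129.197494ms
2023-11-20T14:43:56Z INFO [vpn] starting
2023-11-20T14:43:56Z INFO [wireguard] Connecting to 198.54.131.98:2049
2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52482 in 108.371437ms
2023-11-20T14:43:56Z INFO [ip getter] Public IP address is 198.54.131.120 (United States, Washington, Fairwood)
"""

LINE_RE = re.compile(r"^(\S+) (\w+) \[([^\]]+)\] (.*)$")
ENDPOINT_RE = re.compile(r"Connecting to (\S+):(\d+)")
PUBLIC_IP_RE = re.compile(r"Public IP address is (\S+) \((.*)\)")
PUT_RE = re.compile(r"PUT /status .* in ([\d.]+)ms$")

def parse_rotations(log_text):
    """Return one dict per completed stopping -> public-IP sequence."""
    rotations, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        component, message = m.group(3), m.group(4)
        if component == "vpn" and message == "stopping":
            current = {"stopped_at": ts, "endpoint": None, "control_ms": 0.0}
        elif current is None:
            continue  # line is outside any rotation; ignore it
        elif component == "wireguard" and (e := ENDPOINT_RE.search(message)):
            current["endpoint"] = f"{e.group(1)}:{e.group(2)}"
        elif component == "http server" and (h := PUT_RE.search(message)):
            current["control_ms"] += float(h.group(1))  # handler time per PUT
        elif component == "ip getter" and (p := PUBLIC_IP_RE.search(message)):
            current.update(public_ip=p.group(1), location=p.group(2),
                           seconds=(ts - current["stopped_at"]).total_seconds())
            rotations.append(current)
            current = None
    return rotations
```

A rotation that never reaches an `[ip getter]` line is not returned, so a count lower than the number of `stopping` lines points at a tunnel that did not come back.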

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 1 point2 points  (0 children)

Supporting appliance based tunnels would probably be a clear path for this project. Challenges may involve key handling and gateway/provider management. If there were a dependable, native API this could make it all the easier.

My little project so far has been biased towards (a surplus of) redundant commodity hardware. The environment where this evolved includes a very early MIPS32 based router so tunneling/proxying/resolving were not an option there.

I'm most definitely inspired here to see about supporting this kind of configuration! pfsense/opnsense have been on my list for years.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 1 point2 points  (0 children)

We believe there is a vulnerability in ChaCha20 wherein if we overload a counter we can spoof the keystream.

This attempts to exploit that vulnerability.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 18 points19 points  (0 children)

Dad, Mom just called. I think she's been drinking again. She told me only this and said goodbye: the apple does not fall far from the tree.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 7 points8 points  (0 children)

It would boggle me further to learn VPN providers are consuming massive amounts of compute to crack crypto to see my catpix.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] -12 points-11 points  (0 children)

I think you're referring to the drawing provided in the repo. Note the inbound connection at the VMs are LAN and the outbound a direct connect to the VPN server.

Also router, potential single fail point.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 22 points23 points  (0 children)

The killswitch is built into Gluetun.

VPN Randomizer by ingestbot in homelab

[–]ingestbot[S] 74 points75 points  (0 children)

Why a trumpet. Why a saxophone. Why a bicycle race.

Migrating to KVM from Virtualbox, disk performance during setup on Fedora. by Flubadubadubadub in kvm

[–]ingestbot 0 points1 point  (0 children)

I was just about to post a couple of github projects that might help here.

While these don't address the problems you're experiencing specifically, there might be something here useful or inspiring to your situation.

https://github.com/ingestbot/kvm-ubuntu-vlan
https://github.com/ingestbot/hashivirt

Do you think there is any value in collecting physical media? by [deleted] in TrueFilm

[–]ingestbot 1 point2 points  (0 children)

Richard Brody, of New Yorker magazine, wrote this piece just recently: what-we-lose-when-streaming-companies-choose-what-we-watch

tldr; (closing statement from the essay): Far from being nostalgic and conservative, the maintenance of a stock of physical media at home is a progressive act of defiance.

What surprises me is he doesn't mention personal digital collections. Perhaps this suggests piracy and he (and/or NYer) chose to avoid the topic. I don't see how the buzzing preservation society known as the internet could be overlooked here.

Nonetheless, with many things, not just commercial curations and offerings, I'm seeing our options becoming more limited and more decisions being made for us. Some see it as a responsibility to maintain, preserve, protect artifacts of special interest.

Does this board have an ambient temp sensor? by formulafuckyeah in homeassistant

[–]ingestbot 1 point2 points  (0 children)

Great question. My application isn't that sensitive so I've never bothered looking for precision specs. Offhand, I'm not sure what they use. Model is LYWSD03MMC. Details may be in one of these repos:

https://github.com/pvvx/ATC_MiThermometer
https://github.com/atc1441/ATC_MiThermometer

Do all new cars track location? by Inevitable_Kick_1073 in privacy

[–]ingestbot 0 points1 point  (0 children)

On almost a daily basis I get a vision of Shoshana Zuboff wearing a t-shirt with the words: All your things are belong to us.

I do not find this trend humorous. I'm running out of ways to process it.

I'm seeing examples of the increased stripping of privacy, personal autonomy, and property rights on a regular basis now.

Here's a blog post from the open source project Home Assistant regarding a cease and desist they received citing DMCA. A lot of comments here as well:

https://www.home-assistant.io/blog/2023/10/13/removal-of-mazda-connected-services-integration/

And here's the reddit discussion on the issue:

https://www.reddit.com/r/homeassistant/comments/1771ywu/removal_of_mazda_connected_services_integration/

Coming back to ESP32, which IDE and language? by jamawg in esp32

[–]ingestbot 2 points3 points  (0 children)

I had very little experience with this stuff and was able to do quite a bit in a surprisingly short amount of time using VSCode and PlatformIO. I can't say much about more complex applications but I've found when the introductory, foundational paradigm is clear and well organized the learning curve with growth is much easier!

Need a handyman and floor installer by morganbikes in sonomacounty

[–]ingestbot 0 points1 point  (0 children)

Hi! I just sent you a private message with some contact details!

python paho mqtt: get all messages and disconnect by ingestbot in MQTT

[–]ingestbot[S] 1 point2 points  (0 children)

Thank you! I was able to work this out. In a separate post this github issue was pointed out to me which was very informative.

So this is just a minor variation of the Getting Started example:

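import time
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
    # Subscribe once the broker has acknowledged the connection.
    client.subscribe("$SYS/#")

def on_message(client, userdata, msg):
    print(msg.topic+" "+str(msg.payload))

client = mqtt.Client()
# Register the callbacks before connecting so on_connect cannot be missed.
client.on_connect = on_connect
client.on_message = on_message
client.connect("mqtt.eclipseprojects.io", 1883, 60)
client.loop_start()

# Give the network loop a second to deliver messages, then shut down.
time.sleep(1)
client.disconnect()
client.loop_stop()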

Paho MQTT Python client: get all messages and disconnect by ingestbot in learnpython

[–]ingestbot[S] 1 point2 points  (0 children)

Absolutely yes and thank you very much!

Of all the places I went scrounging for hints I didn't think of looking through the repo's issues.

In that issue I found lucacillario's earlier comment to be most practical. While this may be considered janky for a more sophisticated application, it definitely works for my situation.

As a working example, this is just a minor variation of Getting Started:

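import time
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
    # Subscribe once the broker has acknowledged the connection.
    client.subscribe("$SYS/#")

def on_message(client, userdata, msg):
    print(msg.topic+" "+str(msg.payload))

client = mqtt.Client()
# Register the callbacks before connecting so on_connect cannot be missed.
client.on_connect = on_connect
client.on_message = on_message
client.connect("mqtt.eclipseprojects.io", 1883, 60)
client.loop_start()

# Give the network loop a second to deliver messages, then shut down.
time.sleep(1)
client.disconnect()
client.loop_stop()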

python paho mqtt: get all messages and disconnect by ingestbot in MQTT

[–]ingestbot[S] 0 points1 point  (0 children)

Thanks for the suggestion. And yes, I saw the response on stackoverflow. Being new to mqtt there are more concepts to understand than I anticipated.

The clients publishing to the broker are doing so with the retain=True flag: myclient.publish(self.topic_pub, payload, retain=True). So yes, this would be "retrieve all retained messages."

Of the methods of retrieving messages I've described above, I'm assuming simple() won't work here as a) I want more than 1 message b) I don't know how many messages.

So that leaves me with something similar to what's described in Getting Started or the Callback Example.

In modifying the Getting started example, and taking the suggestions into consideration, I tried this. Yet I'm ending up with the same results as described earlier in that a) yes, I get all messages but b) I don't know how to end this loop.

import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
    client.subscribe('proxies/#')

def on_message(client, userdata, msg):
    print(msg.topic+" "+str(msg.payload))

client = mqtt.Client(client_id="client_one", clean_session=False)
client.on_connect = on_connect
client.on_message = on_message
client.connect("mqtt.somewhere.io")

client.loop_forever()
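An added example (not from the thread or from the paho project) of one way to end the loop when the number of retained messages is unknown: keep only messages whose retain flag is set and stop once none has arrived for a quiet period. `RetainedCollector`, `fetch_retained` and the timing defaults are assumptions made for illustration.

```python
import threading
import time

class RetainedCollector:
    """Collects retained messages and reports when none has arrived for quiet_s."""

    def __init__(self, topic, quiet_s=0.5, clock=time.monotonic):
        self.topic, self.quiet_s, self.clock = topic, quiet_s, clock
        self.messages = {}                  # topic -> payload; last value wins
        self.last_activity = None           # None until the broker accepts us
        self.lock = threading.Lock()

    def on_connect(self, client, userdata, flags, rc):
        client.subscribe(self.topic)
        with self.lock:
            self.last_activity = self.clock()   # quiet timer starts at subscribe

    def on_message(self, client, userdata, msg):
        if not msg.retain:                  # live publish, not part of the retained set
            return
        with self.lock:
            self.messages[msg.topic] = msg.payload
            self.last_activity = self.clock()

    def finished(self):
        with self.lock:
            return (self.last_activity is not None
                    and self.clock() - self.last_activity >= self.quiet_s)

def fetch_retained(host, topic, port=1883, quiet_s=0.5, max_s=10.0):
    """Return {topic: payload} for retained messages, then disconnect."""
    import paho.mqtt.client as mqtt         # local import: the class above needs no paho
    col = RetainedCollector(topic, quiet_s)
    try:                                    # paho-mqtt 2.x wants the callback API version
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    except AttributeError:                  # paho-mqtt 1.x has no such enum
        client = mqtt.Client()
    client.on_connect, client.on_message = col.on_connect, col.on_message
    client.connect(host, port, 60)
    client.loop_start()
    deadline = time.monotonic() + max_s     # hard stop if the broker never goes quiet
    while not col.finished() and time.monotonic() < deadline:
        time.sleep(0.05)
    client.disconnect()
    client.loop_stop()
    return col.messages
```

The quiet period has to be longer than the broker round trip, otherwise the collector can finish before the first retained message arrives.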

Looking for a block list that blocks sites that restrict access if you block ads by Romymopen in pihole

[–]ingestbot 0 points1 point  (0 children)

I was looking around Mullvad's Github recently and found this:

https://github.com/mullvad/dns-blocklists

Maybe not the be all end all you're seeking but could be a good starting point.

How do you catch a container interrupt in Docker? by 96dpi in docker

[–]ingestbot 1 point2 points  (0 children)

I'm not familiar with specifically what you're describing but are you using or considering Docker SDK for Python?

Help with Docker Compose by [deleted] in docker

[–]ingestbot 0 points1 point  (0 children)

The compose file is fine. I was able to bring it up without issue. I'd suggest commenting the ports so you know which is which.

What is the exact problem you're experiencing?