55
linuxxx
6y

It's funny to see when certain stuff works without realizing it.

I've got multiple vpn servers and whenever I connect to one it sets my DNS to my pihole's one (hosted on one of my dedicated servers).

I keep forgetting to change my search engine to duckduckgo and no matter what I search for, no page was loading and I manually had to go to duckduckgo.

Then I suddenly realized: the pihole has blacklisted Google so I literally can't connect to google.com/nl!

Awesome 😊

Comments
  • 6
    Reminds me of a question (also @Condor), you use mullvad and also vps for vpn, why do you trust that either of those won't be compromised? since with physical access both could do whatever if actually raided, without you even knowing, since there's no actual full server signature comparison in openvpn, right?
  • 5
    @JoshBent I don't and can't. But in this day and age when you use an online provider, you can't trust them definitively anyways. And then I'd rather go for a provider (mullvad in this case) which seems to be doing a lot more for privacy than other providers.

    As for the vps, blind faith as well. But it's better than our intelligence agencies possibly getting something while I haven't done anything illegal, and if it'd come out that those providers would be fucking its users over, well, that would be bad for them.

    I can't trust any of them but I can at least trust some a little bit more than others :)
  • 1
    @linuxxx hm, I just feel or have bi-weekly thoughts that, if somebody would do a raid like other vpn providers had in the past and shut their mouth, they could tap into a huge network, which filters most "uninteresting" traffic for free, because if somebody uses vpn, most usually they have more reason than just privacy, even colocation wouldn't solve the issue, because you're not 24/7 at that place, nor even get notifications if a certain authority enters that rack room via system bypass..

    I guess it's just rather for "making it harder" more than "making it impossible", which makes me kind of sad trusting any vpn, be it selfhosted or service bought.
  • 0
    @Condor yeah, I have set up some vpn services for myself before too, it's quite handy to block off anybody else, but still have remote access to e.g. a webcam watching the yard or an internal panel monitoring energy use too

    "I can't fully trust the VPS without physical access to the datacenter and continuous monitoring of the particular rack."

    adding to what I said before, even continuous monitoring wouldn't quite help, as you said, all things can be e.g. installed outside of a camera view or mirrored remotely

    so basically you're also trusting the third party with your full network stream, based on, that it would be bad for their image if they'd do anything or it would be somehow known, if they are keeping their mouth shut during an actual raid.

    I don't quite know what I expected from this, but it's sad that there's no actual "magical" solution, that can't be as easily just stormed and absolutely annihilated, if somebody somewhere decides or gets the command to do so.
  • 0
    @Condor where's physical access, there is a way 😅

    what's with encrypted dns though, what do you need for support?
  • 0
    @condor edited my message just after you ++d so I assume you didn't catch it :)
  • 0
    @Condor I know what it's for hah, I meant does e.g. windows have the support already, what do you need to config or patch to get that? since it does have to be both on Cloudflare's side and client too, right?
  • 0
    @Condor I recently picked up the thought again to use a vpn for basically anything, including my phone, but it just feels like you're just switching arms and the new ones being even more filtered, so if they get their hands on it, they have the full stream of all your things, might be just some sort of paranoia too though
  • 0
    @Condor indeed, though I fear that I can't remotely cover as much logs removal, as e.g. mullvad or pia does, many of them even recompiled tons of their software they run with additional flags or removing from source, to remove logs completely as the ready bins usually still do log, if an error/warning gets thrown
  • 0
    @Condor @Linuxxx what's your vpn setup btw? below what I'd go with and wonder if you have the same

    - AES128-CBC (because of AES256 timing attack vuln.)
    - 4096 keys
    - no comp-lzo
  • 1
    @JoshBent
    AES 192
    3K or 4K keys
    No clue tbh
  • 0
    @linuxxx why 192 - as an inbetween of 128 and 256?
  • 1
    @JoshBent I think that 128 is too low but 256 might be cracked soon when 128 is so just choosing the inbetween :)
  • 0
    @linuxxx so 192 won't be cracked before 256 you think?

    @Condor looked into it yet? would be interested, if you find anything else, that would make it easier to choose

    @Condor @linuxxx also what android client do you use, it's ages ago that I used one, so the one isn't even anymore on any repo - mullvad recommends "OpenVPN for Android", is that the choice to go for? as it seems to vaguely have all features by skimming through it, though I didn't yet see if there's an option to drop internet if the connection to the vpn disconnects or various anti leak functions
  • 1
    @JoshBent Yeah I use OpenVPN for android!
  • 0
    @linuxxx ah, it does have persistent tun in the settings too, will play around with it some more then, what about aes192/256 above?
  • 1
    @Condor yeah the app looks quite handy, just has some layout bugs on my phone, also I guess I'll go with aes256 then too, since the more I look, the less people seem to be afraid of it being actually viable

    @Linuxxx where did you get your nat servers btw? and also found this, ironically it is on github, but could come in handy for the future to check out things, even offline: https://github.com/fxding/greader
  • 0
    @linuxxx awesome, thanks
  • 1
    @JoshBent Welcome! Would love to know (if you get one or more of those things) how you'll use them!
  • 1
    @linuxxx as a vpn (-network), don't think that, that low resources are good for anything else? 😅
  • 1
    @JoshBent Not really indeed hahaha but a good one!
  • 1
    @linuxxx how did you find them btw?
  • 1
    @JoshBent That nat vps provider thingy?
  • 2
    @JoshBent Not entirely sure anymore as it's a while ago but either through duckduckgo or through lowendtalk.com :)
  • 1
    @linuxxx oh, I actually also tried to find some good ones on lowendtalk haha, but they only had providers that are non existent anymore, that redirect to ads or that don't even have a domain 😅
  • 1
    @JoshBent In that case, you're very welcome ;-)
  • 1
    @linuxxx how has your experience been with them so far? and anything I should look out for, like e.g. locations that might be overstressed with instances etc?
  • 1
    @JoshBent I don't monitor that, to be very honest, but I do use my Singapore/France/Bulgaria locations very often and those work very well with VPN (solid 50mbs down and that's my connection speed, a little lower with Singapore but to be fair that's very far away so not surprising) without any downtime as far as I can tell :-)
  • 1
    @linuxxx awesome, wonder what types of fun I can do with an actual vpn network, for example I remember you were playing with the thought of chaining them, which seems interesting and I think the android app makes it easy too iirc
  • 1
    @JoshBent I couldn't make the chaining work but I've got one vps on one of my dedicated servers which puts everything through to tor :-)
  • 1
    @linuxxx have any links on that? sounds interesting
  • 1
    @JoshBent Lost the link but I just logged in to my dedi->openvpn-to-tor vps and got the history. Not sure about the exact setup but you might be able to get something together from my commands :-):

    export OVPN=tun0
    # accept new connections arriving from the OpenVPN subnet on the tunnel interface
    iptables -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
    # redirect the clients' DNS queries to the local resolver port (Tor's DNSPort here)
    iptables -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
    # redirect all other client TCP connections to Tor's transparent proxy port
    iptables -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
    # note: Tor's TransPort only accepts TCP, so UDP sent here goes nowhere useful
    iptables -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040

    I know that 9040 is the tor port and tun0 is my openvpn connection!
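A fuller version of that rule set, as an added example and not linuxxx's own script: it keeps the thread's ports (Tor TransPort 9040, DNSPort 53530) and adds what a transparent Tor gateway needs beyond the history snippet: DNS over TCP as well as UDP, INPUT rules limited to the two Tor ports, and an explicit FORWARD drop so anything Tor cannot carry (non-DNS UDP, ICMP, all IPv6) is dropped instead of leaving the VPS in the clear. The interface, subnet, gateway address and ports are assumptions taken from the thread; the `torrc` lines are the matching Tor side.

```shell
#!/bin/sh
# Added example, not linuxxx's script: push an OpenVPN client subnet through a
# Tor transparent proxy on the same VPS. Assumed values (from the thread):
# tun0, 10.8.0.0/24, gateway 10.8.0.1, Tor TransPort 9040, Tor DNSPort 53530.
OVPN="${OVPN:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_GW="${VPN_GW:-10.8.0.1}"
TOR_TRANS="${TOR_TRANS:-9040}"
TOR_DNS="${TOR_DNS:-53530}"

# Matching Tor side: Tor has to listen on the tunnel's gateway address.
torrc_lines() {
    printf 'TransPort %s:%s\nDNSPort %s:%s\n' "$VPN_GW" "$TOR_TRANS" "$VPN_GW" "$TOR_DNS"
}

# Emit the rule set without applying it, so it can be reviewed or tested.
# Order matters: the port-53 DNAT rules must precede the catch-all TCP DNAT.
# Tor only carries TCP (plus DNS via DNSPort), so everything the nat rules do
# not redirect (other UDP, ICMP, IPv6) is dropped in FORWARD rather than being
# routed to the clearnet if ip_forward happens to be enabled.
build_rules() {
    cat <<EOF
iptables -A INPUT -i $OVPN -s $VPN_NET -p tcp --dport $TOR_TRANS -j ACCEPT
iptables -A INPUT -i $OVPN -s $VPN_NET -p udp --dport $TOR_DNS -j ACCEPT
iptables -A INPUT -i $OVPN -s $VPN_NET -p tcp --dport $TOR_DNS -j ACCEPT
iptables -t nat -A PREROUTING -i $OVPN -s $VPN_NET -p udp --dport 53 -j DNAT --to-destination $VPN_GW:$TOR_DNS
iptables -t nat -A PREROUTING -i $OVPN -s $VPN_NET -p tcp --dport 53 -j DNAT --to-destination $VPN_GW:$TOR_DNS
iptables -t nat -A PREROUTING -i $OVPN -s $VPN_NET -p tcp -j DNAT --to-destination $VPN_GW:$TOR_TRANS
iptables -A FORWARD -i $OVPN -j DROP
ip6tables -A FORWARD -i $OVPN -j DROP
EOF
}

# Apply the emitted rules one by one; needs root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    build_rules | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    torrc_lines   # show the Tor config the rules expect
    build_rules   # dry run: print the rules instead of loading them
fi
```

Run without arguments to review the rules and the torrc lines; run with `apply` as root to load them.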
  • 1
    @linuxxx hah thanks, will see, if I can make it work 😁
  • 1
    @linuxxx just noticed, those nat vps ask quite for a lot of info during checkout, did you actually provide that all?
  • 2
    @JoshBent Yeah, not much of a choice so yeah haha. They require legal billing info so although I dislike it, so be it.
  • 1
    @linuxxx hm, sucks, wonder if there's ones that don't need all that crap 😶
  • 1
    @JoshBent haven't found one yet. If you do please let me know!
  • 1
    @linuxxx
    will do, was damn close, but then that host asked for all data too 🙄
  • 0
    @linuxxx I got too lazy after going through at least ~200 providers and just bought for now off of i-83 too, will keep you updated if I find anything sometime though, btw does apt update also take ages for you?
  • 0
    @linuxxx also how do you deal with ipv6? did you get that to work or do you block it somehow?
  • 1
    @linuxxx found a PR from one of the openvpn installer maintainers, that stops the ipv6 from leaking, so that works for me, would be still interested how you solved that
  • 1
    @JoshBent Apt is fast for me!
    Haven't looked into that 😅
  • 0
    @linuxxx you're all about privacy and didn't check for vpn leaks? is this linuxxx? 😵
  • 1
    @JoshBent Checked for DNS leaks, never thought of ipv6...
  • 1
    @linuxxx glad I mentioned it then 😊
  • 1
    @linuxxx how did you get pi-hole installed btw? I tried it on all sorts of hardware and os and it always 403 after install and after you fix that, it has other issues
  • 1
    @JoshBent I literally followed their site haha
  • 1
    @linuxxx you mean just curl and pipe it to bash?
  • 1
    @JoshBent Yeah although I did quickly look at the code just in case
  • 0
    @linuxxx weird, on scaleway it drops to 403, but after fixing it - it has the same issue as on my dedicated root (which doesn't do the 403 at least), where I have port 53 etc redirected, it shows everything is fine, but it just doesn't pass through any DNS requests
  • 1
    @JoshBent Hmm that's weird....
  • 0
    @linuxxx it seemed to be failing to fetch its dependencies, that fixed it, but now it won't block anything I put into it, how can this be so hard 🤣
  • 0
    @linuxxx hah, maybe it's easier with a vpn, it's up and running, but it seems to block something that devrant needs to run, even though I whitelisted or even deactivated some filters, did you have to apply some magic to make it e.g. run with devrant?
  • 1
    @JoshBent It works fine with me and tbh 😅