VPN dependent.

  • 2 Posts
  • 19 Comments
Joined 1 year ago
Cake day: June 30th, 2023

  • For backup and sync I use Syncthing. I can specify which folder on which devices I want to sync to which folder on the server.

    I use a folder based gallery on my phone so when I move stuff around on my phone (or on my server) it gets replicated on all my devices.

    I also have a policy to sync specified folders (and subfolders) with my family’s devices. No more "hey, can you send me all the pics from the XYZ trip?"

    We take a trip, make a subfolder for that trip in a shared folder, dump all our pictures there, get home, open the folder on the computer and prune together.




  • The statement is very informative. The bug happens under increased read/write operations to the same file, causing a race condition.

    I also found interesting:

    Despite the bug being present in OpenZFS for many years, this issue has not been found to impact any TrueNAS systems. The bug fix is scheduled to be included in OpenZFS 2.2.2 within the next week


  • Thanks for the masterclass in CF tunnels.

    I am ready to accept everything you’ve said, but there is the SSH case that keeps tripping me up. For reference, here are the CF docs on connecting SSH through CF Tunnels.

    Can you help me clear up the misunderstanding here? From the docs it appears you can create an SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on the client) and public key (on the server).

    Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?


  • Hmm, I’m not sure I agree, or perhaps I didn’t explain myself well previously and caused confusion between us.

    Yes, I agree with your description of how Cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove Cloudflare from the picture entirely, then you just have the internet-facing server.

    What I’m saying is, if the client and endpoint (server) talk in an encrypted protocol, then Cloudflare cannot MITM the data, only the IP headers. This is similar to connecting to any ol’ website over an ISP’s network: if your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.

    If your services support encryption, great. But you can also expose a WireGuard endpoint so you have the following:

    wg client --(tunnel to CF)--> CF network --(tunnel to your server)--> WireGuard server

    The real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and Cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.




  • I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp of networking, VPNs, tunnels and encryption.

    I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc.) then it doesn’t matter if Cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF’s network.

    And to some, packet inspection is not a downside, since they can offer more protection; but that is totally up to your attack vector tolerance.
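The layering described in the two replies above (client -> CF edge -> your server, with an optional end-to-end layer such as SSH or HTTPS inside), modelled as an added example. This is not code from the original thread, from Cloudflare or from cloudflared. The cipher is a toy (HMAC-SHA256 keystream XOR plus an HMAC tag) standing in for TLS, SSH and WireGuard; the three keys, the hostname ssh.example.com and the message are constructed sample values. The edge holds the client<->edge key and the edge<->origin tunnel key but never the end-to-end key, which is the situation the SSH question above is asking about.

```python
"""Toy model of an end-to-end encrypted session riding over a proxy edge.

Added example, not code from the original page or from Cloudflare.  The
cipher below is a toy (HMAC-SHA256 keystream XOR + HMAC tag) standing in
for TLS/SSH/WireGuard.  Keys, hostname and message are constructed sample
values.  Do not reuse the toy cipher anywhere real.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from key and nonce (CTR-style toy)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt.  Raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_send(host: str, data: bytes, k_app: Optional[bytes], k_edge: bytes) -> bytes:
    """Client side.  k_app is the end-to-end session key (SSH/HTTPS); None models
    a cleartext protocol.  k_edge is the client<->edge (TLS) key.  The hostname
    rides in the clear as routing metadata, which is what the edge filters on."""
    inner = seal(k_app, data) if k_app is not None else data
    return host.encode() + b"\n" + seal(k_edge, inner)


def edge_relay(packet: bytes, k_edge: bytes, k_tun: bytes, log: list) -> bytes:
    """Proxy edge: strips the client<->edge layer, records what it can see,
    and re-wraps the payload for the edge<->origin tunnel."""
    host, outer = packet.split(b"\n", 1)
    inner = unseal(k_edge, outer)
    log.append({"host": host.decode(), "payload": inner})
    return host + b"\n" + seal(k_tun, inner)


def origin_receive(packet: bytes, k_tun: bytes, k_app: Optional[bytes]) -> bytes:
    """Origin: strips the tunnel layer, then the end-to-end layer if present."""
    _, outer = packet.split(b"\n", 1)
    inner = unseal(k_tun, outer)
    return unseal(k_app, inner) if k_app is not None else inner


def run(end_to_end: bool) -> dict:
    """Push one message client -> edge -> origin and report what the edge saw."""
    k_app = os.urandom(32) if end_to_end else None   # known to client and origin only
    k_edge, k_tun = os.urandom(32), os.urandom(32)   # both held by the edge
    msg = b"ls -la /srv"                              # constructed sample data
    log: list = []
    p1 = client_send("ssh.example.com", msg, k_app, k_edge)
    p2 = edge_relay(p1, k_edge, k_tun, log)
    got = origin_receive(p2, k_tun, k_app)
    seen = log[0]["payload"]
    edge_opened_inner = False
    if end_to_end:                      # edge tries every key it holds on the inner blob
        for k in (k_edge, k_tun):
            try:
                unseal(k, seen)
                edge_opened_inner = True
            except ValueError:
                pass
    return {
        "delivered": got == msg,
        "edge_saw_host": log[0]["host"],
        "edge_saw_plaintext": msg in seen,
        "edge_opened_inner": edge_opened_inner,
        "edge_saw_length": len(seen),
    }


if __name__ == "__main__":
    print("end-to-end:", run(True))
    print("cleartext :", run(False))
```

With `end_to_end=True` the message is delivered, the edge sees the hostname and the payload length but not the plaintext, and neither of its keys opens the inner blob; with `end_to_end=False` (plain HTTP, say) the edge reads the message as-is. That matches the "2 layers on the public web, 1 layer inside CF's network" description, and the cleartext run is the "if your session is not HTTPS" case. In the cloudflared SSH setup the docs linked above describe, the client's ssh reaches the origin through a ProxyCommand that runs cloudflared access ssh, and the SSH handshake (host-key check, key-based auth, session key) still terminates at the origin's sshd, which is the k_app layer in this model; what the edge does get, even then, is metadata such as the hostname, timing and sizes.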



  • Discovered Tailscale from this post, and after reading their “How Tailscale works” I was hoping to get some clarification from an active user (you).

    CF tunnels set up an outbound-only tunnel from my private network via cloudflared; I have no ingress holes in my firewall to access my services. cloudflared does all the proxying. Plus my IP changes monthly, as I don’t pay for a static one from my ISP. This “outbound-only” connection is resilient to that.

    Tailscale is a point-to-point connection (for the data plane) and only the control plane is “hub and spoke”. This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true, or where did I misunderstand?





  • For speech recognition there is “FUTO Voice”, which not only works better than Google’s speech talk-to-type by allowing the user to speak fluently, but also works offline and doesn’t upload voice recordings anywhere. You won’t be able to use it with Gboard because Google will not allow the use of another talk-to-speech engine with Gboard; you’ll have to download another keyboard first.

    Mobile banking is an unnecessary luxury. Moving money around/paying CC bills often takes days to go through anyway, so the urgency of “doing it now” on mobile can wait until you’re at your desktop.

    Push notifications, I’ll give you. Without any services some apps cannot receive push notifications. As the other user suggested, using a Pixel with GrapheneOS, you can install sandboxed Google services or microG and then have full functionality.

    On GrapheneOS you can choose which apps have access to internet/data in a much more fine-grained way than what Google allows you.




  • I echo this.

    For the non-tech-savvy, having one messaging app (Signal/SMS) was excellent because a user could send a message to a contact and it would automatically use Signal if the recipient was also using it and use SMS when the recipient wasn’t.

    Now I get SMSs and have to gently remind the contact (or just reply in Signal).

    Or a frantic call from family: “hey, I can’t message my boss, I have their contact but Signal isn’t finding the contact”, then having to explain that SMS and Signal are different.


  • Worth mentioning that SMS messages are plaintext as they traverse the carrier network. They are also logged by seemingly any equipment that they traverse. Also, when they aren’t delivered immediately, they wait in a queue on the network for the receiving device to “phone home” (pun intended 😎).

    The caveat here is that oftentimes the plaintext message is in an encrypted tunnel (physical wireless layer, and data tunnels in the carrier EPC), but at the tunnel endpoints, SMSs are nakey.