The 8232 Project

@ Charger8232 @lemmy.ml

Posts
86
Comments
528
Joined
2 yr. ago

I trust code more than politics.

  • Wireguard was written with the explicit goal of having sane, secure defaults.

    Wireguard is much easier because it simply refuses to give you the choice to do things incorrectly.

    Security my beloved

    I totally feel you w.r.t. openvpn or ipsec, since it’s easy to do something wrong.

    This is one reason I've avoided selfhosting for this long. I am not a network engineer, and I have no plans to be. That means if I am managing an entire server from my physical home location, that's a recipe for disaster. There's simply no way to ensure you've done things correctly, especially since a lot of the selfhosting community has an... aversion to good security practices (which is why I had to make this post to begin with).

    w.r.t. the certificate thing, you could set up a reverse proxy and do HSTS to ensure nobody can load up a rogue CA on your devices.

    Would that work while having ProtonVPN still enabled?

    trust on first use

    My favorite food

    This would let you use a self-signed certificate if you so desired.

    Jellyfin clients don't accept self-signed certificates, as I mentioned. Is there a way around that (or does HSTS somehow solve it)? From what I've learned about HSTS up until now, it is simply there to require the use of proper certificates and HTTPS. Am I wrong about that?

  • I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn't the worst thing in the world, but I'd prefer to avoid subscriptions where possible) and clients don't allow self-signed certificates.

  • I know. It's very unfortunate, but I understand why.

  • You don’t need a VPN for LAN connections.

    ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.

    You want to use it only locally (in your home), but it can’t be a local-only instance.

    By "local-only" I meant on-device

    You want to e2ee everything, but fail to mention why.

    Privacy and security.

    There is no reason to do that on your own network.

    Networks are not a trusted party in any capacity.

    I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

    A VPN such as ProtonVPN or Mullvad VPN is used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don't utilize).

    What is the attack vector you’re worried about? Are there malicious entities on your network?

    These are good questions but not ones I can answer briefly.

  • Alright, I'm slowly learning, bear with me here:

    • ProtonVPN is always-on and blocks connections without VPN
    • Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
    • Tailscale and a Jellyfin client are installed on the phone

    Then:

    • Will that run fully on the LAN?
    • Will it be encrypted during transit?
    • Does ProtonVPN need to allow LAN connections?
  • So:

    • ProtonVPN is installed on my Android phone
    • Android has Always-on VPN enabled
    • Android has Block connections without VPN enabled
    • Host Jellyfin on my Raspberry Pi 5
    • Install Headscale on my Raspberry Pi 5
    • Install Headscale on my Android phone
    • Install a Jellyfin client on my Android phone
    • Configure everything

    And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

  • Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that's why I ask.

  • You could do a vpn hosting by yourself.

    I'm uneasy about this, because I don't trust myself to do it securely. VPNs are very complex pieces of software, so I highly prefer to stick with widely used setups (i.e. "stock" VPN software such as ProtonVPN, Mullvad VPN, etc.)

  • I still want security in transit, no matter where it is being broadcast from.

  • but I’d suggest reconsidering the Pi

    It's what I have on hand at the moment. I don't have proper server hardware yet.

    and a microSD to host Jellyfin.

    Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

    I will keep this in mind, thank you!

    Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.

    I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.

  • Run it at home and get Tailscale set up with a Headscale server, or just use Tailscale straight out if you want. That’s the simplest.

    I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

    A better option would be getting an OpenWRT router

    This is what I have planned. OpenWrt Two my beloved

    You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

    I also don't know how to do this. Resources are much appreciated :)

  • Just run it on the LAN and don’t expose it to the Internet.

    This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.

    HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin

    This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.

    but you can still run it in docker and use caddy or something

    Does Caddy require a custom DNS in order to point the domain to a local IP address?

    The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.

    This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren't too difficult.
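    As an added illustration of the "run it on the LAN behind Caddy" suggestion above (this is example configuration written for this page, not something posted in the thread): a Caddyfile that fronts Jellyfin on the Pi, serves HTTPS from Caddy's own local CA, sets HSTS, and refuses anything that is not a private LAN address. The hostname jellyfin.home.arpa, the private address ranges, and Jellyfin's upstream address 127.0.0.1:8096 are assumptions; the hostname has to resolve to the Pi on the LAN (a local DNS entry or a hosts entry on each client), which answers the question about needing a custom DNS.

```caddyfile
# Added example, not from the thread: Caddy as a LAN-only reverse proxy in front of Jellyfin.
# Assumptions: jellyfin.home.arpa resolves to the Pi on the LAN (local DNS or hosts entry),
# and Jellyfin listens on its default port 8096 on the same host.
jellyfin.home.arpa {
    # Issue the certificate from Caddy's built-in local CA rather than a public CA,
    # so no public DNS record or Internet-exposed port 80/443 is needed.
    # Clients must be told to trust that local CA root, or they will reject the certificate.
    tls internal

    # HSTS: browsers that have visited once will insist on HTTPS for this host.
    # It does not make an untrusted certificate acceptable; it only forbids plain HTTP.
    header Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Refuse clients that are not on a private LAN range (assumed ranges; adjust to your LAN).
    @notlan not remote_ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
    respond @notlan 403

    # Forward everything else to Jellyfin on the same host.
    reverse_proxy 127.0.0.1:8096
}
```

    One caveat a practitioner would check before relying on this: `tls internal` produces a certificate signed by Caddy's local CA, which is a self-signed root as far as clients are concerned, so a client that rejects self-signed certificates will still reject it unless that root is installed as trusted on the device. HSTS does not change certificate validation at all.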

  • !lemmysilver

    Other people beat me to it on the other post, but none here!

  • Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested.

    There's actually two distinct ideas here:

    1. "Sharing your setup leads to insecurity" If this were true, then software being open source would make it insecure. It simply isn't true, most of the time. While yes, making your setup public can lead to spotted flaws that can be exploited, in general it has no effect so long as you can trust the system you use. For example, I could give you my encrypted KeePass database file, and feel relatively certain that my passwords are safe. It isn't a good idea for me to do that, because it leads to an increased attack surface, but until you manage to brute force the password for it or a zero day is found in how the database is stored, my passwords are still safe.
    2. "Sharing your setup makes you a target" To a degree, this can be true. The Streisand effect is evidence that this can happen. Again, though, as long as you anonymize some specific portions of your setup that can directly be used to exploit you, you will remain safe. I've shared my setup in the past (although it's quite outdated by now), because I trust the way it is set up.
  • Hello there!

    First off, good for you for looking out for the privacy of others!

    Unfortunately, you can't force privacy onto someone. That has to be a choice the person makes for themself. If you want your teen to live a private life, talk to them about it. Explain the dangers of social media, and don't try to sidestep the issue, just be honest. Avoid trying to "trick" someone into privacy, because that leads to bad outcomes down the road.

    Using GrapheneOS is your best bet for a private phone. If you want to maintain some control over the device, have your teen use a secondary profile and restrict which apps can be installed using the owner profile that only you have access to. This also adds the benefit of being able to restrict access to the device (if that's your thing) just by restarting it, since the teen won't be able to unlock it. I'm not here to tell you how to be a parent.

    Social media I’m not sure if fediverse stuff is the right path especially for lemmy, since it’s just tech nerd stuff and politics which isn’t interesting really unless they go out of their way to find smaller communities.

    I agree with this, and it's currently a downside to less mainstream social media. It will always be tailored to a specific community until it grows or becomes mainstream. If you really want your teen to use only open source apps, Bluesky is a good open source option while still being mainstream.

    My parents probably want tracking features so it’ll probably be Find My or a 3rd party app like life360

    You can talk with them about alternatives, such as an Airtag or other similar devices, or having no tracking at all. One point you can bring up is that it's quite easy to trick those tracking apps (turning off the device, turning off location, turning on Airplane Mode, using a mock location app, leaving the device at home, etc.) so they aren't very useful. Again, I'm not here to tell you how to parent.

    It’s just kinda hard trying to blend being a functional member of society and maintain your mental well being and privacy.

    This is why privacy is a choice. It's up to the person how private they want to be, but the most you can do is educate about privacy and raise some alternatives.

    In general, it depends on how much control you want to have over the digital life of your teen. The more control you have, the less autonomy the teen has and the more likely it is that the teen will resent the practices you put in place. However, the less control you have, the higher the risk of bad things happening. It's up to you which path to take. Something I learned is that you can never have total control, because people are crafty, but people are also very understanding and can adapt to their environment.

    Hope this helps!

  • Even though some privacy-respecting search engines like Brave and Startpage are also showing me captchas.

    I've never had a captcha with DuckDuckGo, if you want to give that a try. Otherwise, metasearch engines like SearXNG act as a proxy between you and other search engines.

    From my search I found that AdGuard or any other DNS server establishes this connection to dnsotls-ds.metric.gstatic.com in order to check whether private DNS is enabled or not. To block this I have to use a no-Google blocklist, which leads to inconvenience.

    Good to know. It's up to you whether you want to trade privacy for convenience.

    No Gecko-based Android browsers provide an option to change the DNS provider.

    GrapheneOS's browser Vanadium is a good option if you want to move away from Firefox-based browsers, but it's not easy to install anywhere other than GrapheneOS. If you're up to try, here's how.

    Brave is making too many background connections, which is annoying.

    Brave can be hardened to minimize most of those, but I agree it is annoying that there are still background connections.

    Also, it would be nice to know whether leaking my location to dnsotls-ds.metric.gstatic.com leads to any consequences. Or is it just a URL for checking the current private DNS status?

    Besides Google being able to see every time you ping the domain, there's not much else going on. It's unlikely that it's leaking any private data, so it's relatively harmless. It's not ideal that it connects to it, but it doesn't pose too large of a threat.

  • Even though I am using ProtonVPN (free) with private DNS enabled

    Do make sure Block connections without VPN is enabled. I know ProtonVPN had issues with leaks in the past, but it's been resolved. I don't know if it was only resolved for GrapheneOS devices, or ProtonVPN as a whole. You may look into Orbot if you're willing to put up with the slow network speeds, to fully lock down any leaks from the VPN side.

    This domain, dnsotls-ds.metric.gstatic.com, directly connects to my real ISP and leaks my real location.

    Where did you find this out? I'm assuming from your DNS provider, but which one do you use?

    I am using private DNS in order to block trackers on my bloated phone.

    This is reasonable, but it won't protect you if no DNS query is made in the first place (i.e. directly connecting to the IP address, rather than a domain name). In this case, however, it looks like it is creating a DNS query, but be careful because DNS based filtering isn't magic. If you pay for ProtonVPN (or Mullvad VPN, which is a better VPN in my opinion) you can have greater control over what gets blocked.

    Debloating is not an option for me as I lack a laptop and the bootloader is not unlocked. I tried many ways to debloat, but all I can do is disable system apps.

    Thanks for the information, and that's unfortunate. I've messed around debloating cheap Android phones, but you can barely scratch the surface from a user standpoint.

    I haven't installed any proprietary apps, not even WhatsApp or banking apps, so I never send my data to them.

    dnsotls-ds.metric.gstatic.com is a Google-owned domain, used for DNS over TLS. I don't know much about it, as I don't use a custom DNS provider, but check if your DNS provider is using Google's DNS as a backend or a fallback. That may be where it's coming from.

    The issue is just system app trackers. I am using IronFox with uBlock and Tor with NoScript.

    Check IronFox's DNS settings, and set a custom DNS over TLS server, if you'd like.

    Any way to prevent this VPN leak?

    Since you're using a custom DNS, this likely isn't a VPN leak, but more likely a DNS leak. If you want to simplify things, using your VPN's DNS can help prevent misconfigured custom DNS solutions, so it reduces the risk of a leak. This will remove some of the filtering you have in place, though.

    My threat model is to hide my traffic from my ISP, as my ISP is a spyware privacy invader.

    It seems your threat model is hiding traffic from your ISP, minimizing telemetry, and using as much open source software as possible. If you prioritize only hiding traffic from your ISP, using your VPN's DNS would achieve this, but there are known cases (especially on iOS) of the system bypassing the VPN and connecting directly anyways.

    Best of luck!