Steamymoomilk

joined 2 years ago
[–] Steamymoomilk@sh.itjust.works 6 points 14 hours ago* (last edited 14 hours ago)

"I was at the airport and I fought my social anxiety and decided to talk to other passengers. One was a mother who invited me to stay with her. I even got my own bed; when I woke up I was greeted by a bathtub full of ice and was missing a kidney. Because this is far more likely to happen than sleeping with somebody's wife and their husband being a prominent person at a Fortune 500 company. Then somehow, like Houdini pulling a position out of his ass, at said company,"

[–] Steamymoomilk@sh.itjust.works 6 points 1 day ago (1 children)

But Siri is an 8000 series computer! They have never been wrong.

A Space Odyssey is a timeless film

IT'S THOSE DAMN MARS FAMILY AT IT AGAIN!!

Instructions unclear? So Trump likes cocks?

Good for him!

You might say the bottom one is

jeSUS

I'll show myself out

[–] Steamymoomilk@sh.itjust.works 31 points 6 days ago (2 children)

(Donald Trump voice) "We should hold all food companies liable for users' violent crimes, this man stabbed another man to death with a spoon! 30 minutes before he ate Kraft mac and cheese. It gave him the energy to violently stab this innocent man"

Let's hope they've got common sense

[–] Steamymoomilk@sh.itjust.works 7 points 1 week ago* (last edited 1 week ago)

Trump - the Dems are socialists!

Some Dems - I mean, we weren't, but thanks for the idea.

Trump - .....

[–] Steamymoomilk@sh.itjust.works 7 points 1 week ago* (last edited 1 week ago)

How to Seize the Means of Computation by Cory Doctorow.

Great author, love all of his books. Love that it's free to read any of his books on Craphound. But I ended up buying physical copies because I just needed to own them.

The book talks about how things were with Betamax and VHS. And how modern day tech is crap and how to fix it!

It's definitely the most influential book I've read.

[–] Steamymoomilk@sh.itjust.works 8 points 1 week ago (5 children)

A part of me just got a mental image.

Of Russians holding on to each other in a tank made of soup cans, and a big strong Ukrainian guy with a can opener.

Looney Tunes-esque

[–] Steamymoomilk@sh.itjust.works 11 points 1 week ago* (last edited 1 week ago)

Jarvis, how do I install Fedora on my computer?

(Silly human, you can't install a hat as an operating system!)

Jarvis, how do I install a stylish hat as an OS on my computer?

(You can't install a hat on your computer, but you can install a Linux distribution called Fedora!)

This is legit AI

My uncle loves Google dictate and uses Gemini. He asks it questions a lot but knows it's wrong a lot of the time, and I swear he spends more time trying to get it to give him the right answer than it would take to just punch it into a search engine.

 

cross-posted from: https://sh.itjust.works/post/41026064

Good day, or good evening, privacy people! So as many people may know, there's 3 ways to build a world for yourself: start your own business, go into the trades and apprenticeships, or go to college. There is no wrong choice because it is for you to make, I mean it's your life after all! But anyway, today I wanna talk about number three on our roster. I have a very close friend who has chosen to go to college. He is a pretty smart person, as well as having immense empathy and sympathy, and has decided to follow his intuition to go seek further education to become a substance abuse therapist, and recently he is getting closer to the end of his college degree. However, for some of the final exams they require a software called "Secure Browser" by Respondus. This is in fact not a secure browser, where's the Tor?? This browser is meant to kill all background apps and to eliminate the possibility of cheating, by, you guessed it, SPYWARE!! Now one of the descriptions from my friend is that you MUST use this software to take the quiz or kick rocks and get a bad grade. So we read the TOS, which is about what you expect.

"Respondus collects data to operate effectively and to strive to provide you with the best experience with LockDown Browser. You provide some of this data directly, such as when you contact us for support. Some data is obtained by recording how you interact with LockDown Browser by, for example, receiving error reports or usage data from software running on your device. Some data is obtained by how you interact with the assessment delivery system, such as the amount of time spent answering a question. The data we collect within the Help Services depends on the features you use, and includes the following:

Webcam & Microphone Check. The webcam and microphone check streams video and audio from your webcam to the Respondus servers. The video and audio can then be played back by you to ensure the webcam and microphone are working properly. The video and audio recorded during the webcam and microphone check is stored in temporary cache on the Respondus server and is automatically deleted in about an hour. Persistent storage is not used for these recordings, and Respondus does not provide a way to electronically identify the recordings as being transmitted from a specific user. "

As well, on a separate webpage for a general TOS, not for Secure Browser but in general for using any of their software,

they collect Webcam & Microphone Check and System Check, unique System Check ID, basic personal data (first name, last name), authentication data (user name), contact information (may include postal or email address), pseudonymous identifiers (student ID code assigned by LMS, if applicable), device identification (IP address). "We may disclose your personal data to partner companies where you have agreed to have that information shared"

System Check. The System Check gathers certain information from your computing device, the networking environment, and the institution's Learning Management System.

So obviously, like any sane person living in the year 2025, and not wanting a data company to have voice, video and as much data as they can get out of their ~~Secure Browser~~ RootKit, we both decided, and/or it was predetermined, that it doesn't ~~run~~ infect Linux. Because it's only for PaidBSD (MacOS) or Windows. So we thought about running a virtual machine of Windows 10, but the idea was quickly thrown out because odds are it probably checks for hypervisors. So we decided to take out "old reliable", the 14 pound billet of a computer from circa 2008, aka my Lenovo T440p with Libreboot and a de-soldered webcam and microphone. Some of you may think I'm paranoid at this point, but I haven't trusted Windows since Windows 11 came out. Sooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo anyhow

We installed Windows 10 and installed "Secure Browser", and we ran a test for the software to make sure it would function without a webcam or mic. And it did!

So end of story, right? Malware and scummy business solved by FOSS software and a soldering iron?

Well, for my friend it is solved, but for those who are not tech savvy or paranoid, they still got conned. So enough about the past, let's talk about the future. My friend has decided to complain to the teacher who runs the class and requires them to run this software, that there should be alternatives. We have constructed an email which as of writing has been sent. This is paraphrased but the points are all made the same:

" I disliked having to use Lockdown Browser. Since I run Linux it was hard for me to get it to work. I ended up having to get an old laptop and install windows 10 to get it to work. Lockdown Browser does not support Linux. I also disliked the TOS because they are able to use your microphone and camera and that "we may disclose your personal data to partner companies..." I feel as if this is an invasion of privacy as a student. I think colleges are becoming so focused on academic integrity that they overlook what students' information is given towards the company (in this case Lockdown). Like I said before this is forcing students to take video and audio recording of themselves or else they cannot take the test. They also say in the TOS that for the microphone and video the test run is deleted, but they never say what happens to the quiz video and audio. If I would have known this class was going to use Lockdown for its test-taking I would have had second thoughts. https://web.respondus.com/tou-ldb/ "

I am proud of my friend, as he also wants to fight for digital sovereignty, privacy and a better digital world. We discussed this email back and forth on what it should say. He asked me what I would add, and I flat out gave my rather blunt opinion on the matter. "There should be another option. I understand the microphone and camera requirement because they don't want you to cheat. But it never says what's done with that data on their website; it says what happens to the demo data but not the quiz data! They leave an open ended "we may share your data", which I'm 99% sure definitively means they're selling it to partners. At the end of the day you should say what you think about this software, respectfully and precisely. It's your college degree, it's your college, it's your money. Let them know that you are displeased with this choice."

He then added the part about if he knew this software was going to be used in this class he would have reconsidered taking it, which I think is very fair and to the point of the matter.

To close off this very lengthy post, I want to thank my friend for sharing his experiences with me, and to let other people know about the evil that infects college software, like Pearson. Which is another topic for another day.

Cheers Steamy

Public Key 405B46E81DCCDB2B310DEF0DA5F0B998E8AC3752

 

cross-posted from: https://sh.itjust.works/post/40679506

So for Friday night, myself and my friends got rather bored. And as the resident "things collector" I got 2 Maxtor Touch Sense 2 external hard drives. However, those who were alive in the 2000's know Maxtor went bankrupt and haven't made hard drives for a very long time. One of these drives I got BRAND NEW, in box, at a flea market. Sadly time got to the platters first; I spent a few hours trying to reformat or partition them and all I got was write errors. I tried different utilities to no avail and decided to cut my losses, so I asked the boys what we should do with them? Immediately my friend had an idea, to bring out his 9mm and see how a hard drive would fare! We all took turns and they were pretty hard to hit (we made the mistake of drinking soda beforehand). We eventually landed some shots on the center of the drives and MAN, it actually stopped 2 bullets!!! Going into this we all expected the disk to be unreadable after the fact, but didn't think the hard drives would stop a 9mm bullet!!

We then took the HDDs apart after our volley of bullets, and a lot of the chips were damaged and all the platters were bent. But when we took off the top case, it looked so freakin' cool I had to keep it.


 

So those who know me IRL or cyber stalk me know that in my free time I do have a very small laser cutting business. I started off with a really crap diode laser and eventually made enough to purchase a full size CO2 laser. Now one of the most important things that machining has taught me is that WORK HOLDING IS BASED. Why indicate a shitty piece of bar stock each time when you can just make a jig/fixture and run thousands with minimal work? So I very much took this to heart, and instead of spending 20 minutes to frame a coaster in my laser cutter to make sure it is 100% straight, I took a ratty piece of sheet metal (that I paid WAAAAY too much for, $90 USD) and made my "ghetto bed". Now, it was handcrafted the same way a child makes a macaroni picture: very imprecise, and not flat at all. I tried my best at making it flat, but well, I'm a machinist not a metal worker, which truly shows in my 1/1 Picasso's masterpiece.

So I hear you, WHERE IS THIS GOING!! This "ghetto bed" worked very well for small stuff; when family and friends would order something I would quickly throw in my jig, load up my file and BAM, it's ready to go. This bed was purely a proof of concept, from the post I saw on the LightBurn forum of a guy doing something similar with sheet metal.

So fast forward 3 years later and I bought 3/4 plate stock (which I paid out the ass for), ordered it to size and drew up a CAD model. A few things I learned from the original "ghetto bed" were that the exhaust is underneath the bed and needed some way to quickly slurp up the smoke; for this I have a snorkel I am 3D printing and running downward (still work in progress as we speak). And secondly, and most importantly, I wanted threading. I originally drilled 7/16 holes through which I just vaguely threaded bolts and nuts. But now I have 1/4-20 spaced 1.30 inches across the bed, which will make setting up fixtures more solid and repeatable, unlike the original bed.

I did go with 1/4-20 for a few reasons. First off it's standardized and very cheap for bolts; second, and most importantly, it's a small hole, which then allows me to drill and re-tap if I strip a thread, and it also gives me a lot of mounting holes. However, having tons of holes was also a nightmare to hand tap and deburr the backside.

The keen eyed among you may notice slots on the edges of the bed. I decided to go with slots purely because the original mounting holes are not concentric or symmetrical. So F it, slots!

I'm very happy with the bed. I plan to paint it black to make it not reflective and have played around with the idea of open sourcing/selling beds like this, if people are interested of course!

 

Summer is here and with that comes garage sales! I went looking around and found this beauty, for $10!!! When I went to go purchase it, the very nice 60ish year old man boldly said and proclaimed "it doesn't run Windows, well it can't because it only has 2GB of RAM, but it's still a usable machine". So he then said the phrase that every nerd begs to hear, "do you know what Linux is?" Me and this man talked for almost an hour about Linux and the enshittification of Windows. He did install antiX, a lightweight Debian based GNU/Linux/SystemDeeznuts distribution, on it, and said he ran antiX on his main computer for daily use. I sadly did not ask what his main computer is :(. But I just thought it was so cool and surreal to meet a Linux user at a garage sale; like, you go to FOSS conventions and you expect to see some of the nerdiest people that have roamed this planet. But this guy was just so cool. I beckon all the time about how Windows is an inflated rotting corpse, although I still need it for Fusion 360 sadly :(. It was really fun to talk to another person so passionate about Linux IRL.

But anyway, enough blabbering about this totally rad Linux user,

he had a user account set up to auto login, a user named antix, which was also the sudo password. I have personally never used antiX but it has a lot to offer for lower end computers, some lightweight web browsing and some text editing. Obviously there were some things you could not do or the computer struggled with. Playing YouTube was quite the benchmark for this billet of a computer.

But I got quickly bored with Debian/antiX and I knew from the moment I saw this computer there were 1/2 things I wanted to do with it! The first thing was install FreeBSD. I have always been intrigued by it, a UNIX-like OS that was by design meant to replace UNIX and, if it were not for Linux, may have been the Windows alternative OS that Linux is today. So I grabbed my CD burner and started burnin'! The install went pretty smooth, minus a few small hiccups. First off, when it boots, it loads then goes to a black screen and stops displaying. I found another person with this computer wanting to install FreeBSD on it on the FreeBSD forum. I had to punch in a few commands that made it TTY only, then I followed the Handbook and installed Intel's video drivers. After that I have a fully functioning FreeBSD install!!!! Now for the fun part, installing the window manager and programs! After installing sway and enabling some system settings, everything clicked together and I had to see how much the CPU struggled with playing video from YouTube to compare BSD vs Linux. The CPU works very hard for them frames!

All in all, it's actually pretty usable, granted not for the average user. I often read Hackaday and browse the web via the links web browser, and a part of me likes it a little more than my 2020 E14 ThinkPad, not spec wise but design wise. This computer is built thiccccccc and has a latch for the screen and inductive buttons for wifi and other functions. And believe it or not the battery life is 4 hours. It's a genuine HP with a lithium cell battery; it's only a 10 watt CPU but to me that's crazy for a 2007 computer!

And the weirdest thing about this computer, which me and my friend were torn on whether the original owner swapped the HDD for an SSD, because it is relatively quiet. However, after I opened the bottom covers, it made me very surprised.

It's a friggin' iPod Classic style mini drive!!!!

229
submitted 3 weeks ago* (last edited 3 weeks ago) by Steamymoomilk@sh.itjust.works to c/privacy@lemmy.ml
 

I recently have been playing around with GPG (it's pretty fun!) and decided to make a hat with my public key on it!

It's a fun conversation starter at Walmart, when somebody asks what it is? It activates my 'tism, and I get to talk about computer science! It's also important to teach others the importance of encryption, especially as of one day ago the EFF made a post talking about yet another bill trying to go after encryption.

The keen eyed among you see I have blocked out certain parts of my key. This is because I have a key for this hat exclusively and would like to see if anybody I talk to about encryption in real life bothers to email me. I know it's not much but I enjoy it!

I laser etched the leather, and hand stitched it to the hat.

I know this is more kinda clothing stuff, but it just didn't feel right posting a hat with a GPG key on a fashion/clothing community.

Hope you enjoy my little project >:) hehe

 
 
13
submitted 3 months ago* (last edited 3 months ago) by Steamymoomilk@sh.itjust.works to c/selfhosted@lemmy.world
 

I don't mean to be a bother, but recently I got WireGuard set up so myself and my friends can access resources such as my server. I have it set up for the client and the server to only allow 192.168.8.170 to be tunneled, so for example my friends can google and resolve DNS just fine and it's all in their network, then when they want to access the server it will be at 192.168.8.170 and the Docker services will run on ports, for example 8080:80. And to be honest it works great for me and friend 1. But for friend 2 DNS doesn't resolve???

He can ping 9.9.9.9, he can access the services on 192.168.8.170, but he can't resolve DNS when WireGuarded in.

His network has IPv6 and IPv4, my network only has IPv4 and friend 1's network is IPv4 only. Do you smart people on the internet think IPv6 could be an issue? Friend 2 is running Linux Mint if that matters. I know a little about networking but by no means am a network engineer.

It's a slight issue; friend 2 really wants to be able to google and play Command & Conquer PvP at the same time. Any help would be greatly appreciated as I'm kinda stumped!

-edit SOLVED I had a DNS for the client config and I just had to remove it client side.

 

cross-posted from: https://sh.itjust.works/post/32918493

cross-posted from: https://sh.itjust.works/post/32918427

Hello,

Recently, I've been interested in self-hosting various services after coming across Futo's "How to Self Host Your Life Guide" on their Wiki. They recommend using OpenVPN, but I opted for WireGuard instead as I wanted to learn more about it. After investing many hours into setting up my WireGuard configuration in my Nix config, I planned to replace Tailscale with WireGuard and make the setup declarative.

For context, this computer is located at my residence, and I want to be able to VPN into my home network and access my services. Initially, it was quite straightforward; I forwarded a UDP port on my router to my computer, which responded correctly when using the correct WireGuard keys and established a VPN connection. Everywhere online suggests forwarding only UDP as WireGuard doesn't respond unless the correct key is used.

The Networking Complexity

At first, this setup would be for personal use only, but I soon realized that I had created a Docker stack for me and my friends to play on a Minecraft server running on my LAN using Tailscale as the network host. This allowed them to VPN in and join the server seamlessly. However, I grew tired of having to log in to various accounts (e.g., GitHub, Microsoft, Apple) and dealing with frequent sign-outs due to timeouts or playing around with container stacks.

To manage access to my services, I set up ACLs using Tailscale, allowing only specific IP addresses on my network (192.168.8.170) to access HigherGround, nothing else. Recently, I implemented WireGuard and learned two key things: Firstly, when friends VPN into the server, they have full access to everything, which isn't ideal by any means. Not that I don't trust my friends, but I would like to fix that :P. I then tried to set allowed IPs in the WireGuard config to 192.168.8.170, but realized that this means they can only access 192.168.8.170 explicitly, not being able to browse the internet or communicate via Signal until I added their specific IP addresses (10.0.0.2 and 10.0.0.3) to their WireGuard configs.

However, I still face a significant issue: every search they perform goes through my IP address instead of theirs.

The Research

I've researched this problem extensively and believe that split tunneling is the solution: I need to configure the setup so that only 192.168.8.170 gets routed through the VPN, while all other traffic is handled by their local router instead of mine. Ideally, my device should be able to access everything on the LAN and automatically route certain traffic through a VPS (like accessing HigherGround), but when performing general internet tasks (e.g., searching for "how to make a sandwich"), it gets routed from my router to ProtonVPN.

I've managed to get ProtonVPN working, but still struggle with integrating WireGuard on my phone to work with ProtonVPN on the server. From what I've read, using iptables and creating specific rules might be necessary to allow only certain devices to access 192.168.8.170 (HigherGround) while keeping their local internet traffic separate.

My long-term goal is to configure this setup so that my friends' local traffic remains on their network, but for HigherGround services, it routes through the VPN tunnel or ProtonVPN if necessary.

My Nix config for WireGuard (please let me know if I'm being stoopid with something; networking is HARRRD)

#WIREGAURD connect to higher ground
networking.wg-quick.interfaces = {
  # "wg0" is the network interface name. You can name the interface arbitrarily.
  caveout0 = { #Goes to ProtonVPN
    address = [ "10.2.0.2/32" ];
    dns = [ "10.2.0.1" ];
    privateKeyFile = "/root/wiregaurd/privatekey";
    peers = [
      { #From HigherGround to Proton
        publicKey = "magic numbers and letters";
        # Everything (v4 and v6) is sent to Proton through this tunnel
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "magic numbers";
        persistentKeepalive = 25;
      }
    ];
  };

  cavein0 = {
    # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
    address = [ "10.0.0.1/24" ];
    dns = [ "192.168.8.1" "9.9.9.9" ];
    # The port that WireGuard listens to - recommended that this be changed from default
    listenPort = 51820;
    # Path to the server's private key
    privateKeyFile = "magic numbers and letters";

    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    postUp = ''
      ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    # Undo the above
    preDown = ''
      ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    # On the server side, allowedIPs are the source addresses accepted from a
    # peer and the destinations the server routes back to that peer.
    peers = [
      { #friend1
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.3/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # My phone
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.2/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 2
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.4/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 3
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.5/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }

      # More peers can be added here.
    ];
  };
};

#Enable NAT
networking.nat = {
  enable = true;
  enableIPv6 = false;
  externalInterface = "enp5s0";
  internalInterfaces = [ "cavein0" ];
};

# dnsmasq: `enable` is an option of services.dnsmasq itself, and `settings`
# holds plain dnsmasq.conf keys (there is no extraConfig inside settings)
services.dnsmasq = {
  enable = true;
  settings = {
    interface = "cavein0";
  };
};

Any help would be appreciated thanks

References: Futo Wiki: https://wiki.futo.org/index.php/Introduction_to_a_Self_Managed_Life:_a_13_hour_%26_28_minute_presentation_by_FUTO_software

NixOS Wireguard: https://wiki.nixos.org/w/index.php?title=WireGuard&mobileaction=toggle_view_desktop

Just a FYI, the main portion of the paragraph was put into llama3.1 with the prompt "take the following prompt and fix the grammer, spelling and spacing to make it more readable" because I'm bad at English and didn't want to pain people with my choppy sentences and poor grammar.
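The split-tunnel question in this post and the "can ping 9.9.9.9 but DNS doesn't resolve" problem in the earlier WireGuard post both come down to the same mechanism: on the client, wg-quick turns every AllowedIPs prefix into a route toward the tunnel, and a DNS= line rewrites the system resolver whether or not that resolver is reachable through those routes. The script below is an added example, not the poster's Nix config and not part of wg-quick or wireguard-tools. It models that cryptokey routing for the addresses the posts use (10.0.0.0/24 tunnel, 192.168.8.170 LAN host, 192.168.8.1 and 9.9.9.9 as DNS); the scenario dictionaries, the SERVER_PEERS table (copied from the server-side peers above, without keys), the endpoint name and the key placeholders are constructed. It also goes one step beyond the post by checking the server-side peer list for a prefix claimed by more than one peer, which WireGuard does not allow.

```python
"""Model WireGuard's cryptokey routing for a split-tunnel client.

Added example for the two WireGuard posts; not the poster's Nix config and
not part of wg-quick or wireguard-tools. Addresses are the ones the posts
mention; the peer dictionaries, endpoint and key placeholders are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed client-side settings, one per scenario discussed in the posts.
FULL_TUNNEL = {"AllowedIPs": ["0.0.0.0/0", "::/0"], "DNS": "192.168.8.1"}
SPLIT_TUNNEL = {"AllowedIPs": ["10.0.0.0/24", "192.168.8.170/32"], "DNS": None}
SPLIT_BAD_DNS = {"AllowedIPs": ["10.0.0.0/24", "192.168.8.170/32"], "DNS": "192.168.8.1"}
SLOPPY_MASK = {"AllowedIPs": ["10.0.0.0/24", "192.168.8.170/24"], "DNS": None}

# Constructed from the server-side peers in the post (names only, no keys).
SERVER_PEERS = {
    "friend1": ["10.0.0.3/32", "192.168.8.170/24"],
    "phone": ["10.0.0.2/32"],
    "friend2": ["10.0.0.4/32", "192.168.8.170/24"],
    "friend3": ["10.0.0.5/32"],
}


def allowed_networks(allowed_ips):
    """WireGuard masks off host bits, so '192.168.8.170/24' really means
    192.168.8.0/24; strict=False reproduces that behaviour."""
    return [ip_network(a, strict=False) for a in allowed_ips]


def via_tunnel(dst, allowed_ips):
    """wg-quick installs a route for every AllowedIPs prefix pointing at the
    tunnel, so a destination goes to the peer if any prefix contains it."""
    d = ip_address(dst)
    return any(d.version == n.version and d in n for n in allowed_networks(allowed_ips))


def lint_client_peer(cfg):
    """Return (code, message) findings for a client-side config."""
    findings = []
    for a in cfg["AllowedIPs"]:
        try:
            ip_network(a)  # strict parse raises when host bits are set
        except ValueError:
            real = ip_network(a, strict=False)
            findings.append(("host-bits", f"{a} is treated as {real}; use /32 for one host"))
    dns = cfg.get("DNS")
    if dns and not via_tunnel(dns, cfg["AllowedIPs"]):
        # wg-quick rewrites the system resolver to DNS= whenever it is set, but
        # with split AllowedIPs that server is only reachable if the client's
        # own network can route to it: the "can ping 9.9.9.9, no DNS" symptom.
        findings.append(("dns-unrouted", f"DNS={dns} is not inside AllowedIPs; drop DNS= or add {dns}/32"))
    return findings


def server_allowed_conflicts(peers):
    """An allowed IP belongs to at most one peer per interface; listing the
    same prefix under two peers moves it to whichever peer is loaded last."""
    owners = {}
    for name, allowed in peers.items():
        for n in allowed_networks(allowed):
            owners.setdefault(str(n), []).append(name)
    return sorted(p for p, names in owners.items() if len(names) > 1)


def render_client_conf(address, cfg, endpoint, server_pubkey):
    """Emit a wg-quick client file; key material is left as placeholders."""
    lines = ["[Interface]", f"Address = {address}", "PrivateKey = <client private key>"]
    if cfg.get("DNS"):
        lines.append(f"DNS = {cfg['DNS']}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"AllowedIPs = {', '.join(cfg['AllowedIPs'])}",
        f"Endpoint = {endpoint}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    scenarios = [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                 ("split-bad-dns", SPLIT_BAD_DNS), ("sloppy-mask", SLOPPY_MASK)]
    for name, cfg in scenarios:
        print(name, "| LAN host via tunnel:", via_tunnel("192.168.8.170", cfg["AllowedIPs"]),
              "| web via tunnel:", via_tunnel("142.250.80.46", cfg["AllowedIPs"]),
              "| findings:", lint_client_peer(cfg))
    print("server prefixes claimed by more than one peer:", server_allowed_conflicts(SERVER_PEERS))
    print(render_client_conf("10.0.0.3/32", SPLIT_TUNNEL, "vpn.example.invalid:51820", "<server public key>"))
```

The split scenario is the one that answers the post: with AllowedIPs limited to the tunnel subnet and the single LAN host, only 192.168.8.170 and the other tunnel peers are routed through the server, and web searches leave from the friend's own router. The sloppy-mask scenario shows why "192.168.8.170/24" does not do what it looks like: WireGuard drops the host bits, so the whole 192.168.8.0/24 goes into the tunnel, and on the server that same prefix appears under two peers, which is the conflict the script reports.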


For context, this computer is located at my residence, and I want to be able to VPN into my home network and access my services. Initially, it was quite straightforward; I forwarded a UDP port on my router to my computer, which responded correctly when using the correct WireGuard keys and established a VPN connection. Everywhere online suggests forwarding only UDP as WireGuard doesn't respond unless the correct key is used.

The Networking Complexity

At first, this setup would be for personal use only, but I soon realized that I had created a Docker stack for me and my friends to play on a Minecraft server running on my LAN using Tailscale as the network host. This allowed them to VPN in and join the server seamlessly. However, I grew tired of having to log in to various accounts (e.g., GitHub, Microsoft, Apple) and dealing with frequent sign-outs due to timeouts or playing around with container stacks.

To manage access to my services, I set up ACLs using Tailscale, allowing only specific IP addresses on my network (192.168.8.170) to access HigherGround, nothing else. Recently, I implemented WireGuard and learned two key things: Firstly, when friends VPN into the server, they have full access to everything, which isn't ideal by any means. Not that I don't trust my friends, but I would like to fix that :P. I then tried to set allowed IPs in the WireGuard config to 192.168.8.170, but realized that this means they can only access 192.168.8.170 explicitly, not being able to browse the internet or communicate via Signal until I added their specific IP addresses (10.0.0.2 and 10.0.0.3) to their WireGuard configs.

However, I still face a significant issue: every search they perform goes through my IP address instead of theirs.

The Research

I've researched this problem extensively and believe that split tunneling is the solution: I need to configure the setup so that only 192.168.8.170 gets routed through the VPN, while all other traffic is handled by their local router instead of mine. Ideally, my device should be able to access everything on the LAN and automatically route certain traffic through a VPS (like accessing HigherGround), but when performing general internet tasks (e.g., searching for "how to make a sandwich"), it gets routed from my router to ProtonVPN.

I've managed to get ProtonVPN working, but still struggle with integrating WireGuard on my phone to work with ProtonVPN on the server. From what I've read, using iptables and creating specific rules might be necessary to allow only certain devices to access 192.168.8.170 (HigherGround) while keeping their local internet traffic separate.

My long-term goal is to configure this setup so that my friends' local traffic remains on their network, but for HigherGround services, it routes through the VPN tunnel or ProtonVPN if necessary.

My Nix config for WireGuard (please let me know if I'm being stupid with something; networking is HARRRD):

```nix
# WIREGUARD: connect to HigherGround
networking.wg-quick.interfaces = {
  # The attribute name is the network interface name; you can name it arbitrarily.
  caveout0 = {
    # Goes to ProtonVPN
    address = [ "10.2.0.2/32" ];
    dns = [ "10.2.0.1" ];
    privateKeyFile = "/root/wiregaurd/privatekey";
    peers = [
      {
        # From HigherGround to Proton
        publicKey = "magic numbers and letters";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "79.135.104.37:51820";
        persistentKeepalive = 25;
      }
    ];
  };

  cavein0 = {
    # Determines the IP/IPv6 address and subnet of the server's end of the tunnel interface
    address = [ "10.0.0.1/24" ];
    dns = [ "192.168.8.1" "9.9.9.9" ];
    # The port that WireGuard listens on - recommended that this be changed from the default
    listenPort = 51820;
    # Path to the server's private key
    privateKeyFile = "magic numbers and letters";

    # This allows the WireGuard server to route your traffic to the internet and hence be like a VPN
    postUp = ''
      ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    # Undo the above
    preDown = ''
      ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    peers = [
      { # friend1
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.3/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # My phone
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.2/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 2
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.4/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 3
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.5/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }

      # More peers can be added here.
    ];
  };
};

# Enable NAT
networking.nat = {
  enable = true;
  enableIPv6 = false;
  externalInterface = "enp5s0";
  internalInterfaces = [ "cavein0" ];
};

services.dnsmasq = {
  enable = true;
  # `settings` is the structured replacement for the deprecated `extraConfig`
  # string; this binds dnsmasq to the tunnel interface only.
  settings.interface = "cavein0";
};
```

Any help would be appreciated, thanks.

References: Futo Wiki: https://wiki.futo.org/index.php/Introduction_to_a_Self_Managed_Life:_a_13_hour_%26_28_minute_presentation_by_FUTO_software

NixOS Wireguard: https://wiki.nixos.org/w/index.php?title=WireGuard&mobileaction=toggle_view_desktop

Just an FYI, the main portion of the post was put into llama3.1 with the prompt "take the following prompt and fix the grammer, spelling and spacing to make it more readable" because I'm bad at English and didn't want to pain people with my choppy sentences and poor grammar.

Old Client Config

Solution somewhat found! So I didn't understand what WireGuard allowedIPs really did; well, I did, but it was confusing. What I did before was have 10.0.0.2/32 only, which allowed users of the VPS to have access to my local network. I swapped it to where there was only 192.168.8.170, and that made it so I could ONLY access the service and no other webpage or DNS. The solution was to set, on the server side, the peers' allowed IP addresses to "192.168.8.170/24" and "10.0.0.2/32"; this allows each user to have their own IP address within the server. So, for example, my phone has 10.0.0.2/32 and 192.168.8.170. THE CLIENT SIDE MUST MATCH!!! Which is what I missed before. My guess on why this is important is so the network manager on whatever client OS you're running knows that it can only access 192.168.8.170 and anything within the 10.0.0.2/32 subnet. The reason why you NEED 10.0.0.2/32 is so the client can have an IP address to talk to the server internally. At least I think so; I'm just a guy who dicks around with PCs in his free time :P.

So having 192.168.8.170/24 and 10.0.0.2/32 on both the WireGuard client config and the server enforces that the client cannot access anything but those addresses and subnets.

I still would like to set up split tunneling, because on my server, if I want to VPN from my server to ProtonVPN, my WireGuard server doesn't connect. But I'm glad I got it to this state, thanks for helping out everybody :)
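An added example (mine, not the poster's config or anything from NixOS/WireGuard) that models WireGuard's cryptokey routing to show what the allowedIPs entries in the post actually grant: the peer names and prefixes are the post's, the keys are omitted, and the `CLIENT_SPLIT` table is a hypothetical client-side config for the split tunnel the post is after.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed peer table mirroring the post's server-side config (keys omitted).
# Entries are parsed with strict=False, as WireGuard does: host bits are masked
# off, so "192.168.8.170/24" really means the whole 192.168.8.0/24 LAN.
SERVER_PEERS = {
    "friend1": ["10.0.0.3/32", "192.168.8.170/24"],
    "phone":   ["10.0.0.2/32"],
    "friend2": ["10.0.0.4/32", "192.168.8.170/24"],
    "friend3": ["10.0.0.5/32"],
}
# Hypothetical client-side table for a split tunnel: only the server's tunnel
# address and the single HigherGround host are sent through the tunnel.
CLIENT_SPLIT = {"higherground": ["10.0.0.1/32", "192.168.8.170/32"]}

def parse_allowed(entries: List[str]) -> list:
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def build_table(peers: Dict[str, List[str]]) -> dict:
    """Cryptokey routing table: each prefix belongs to exactly one peer, so a
    later peer claiming an already-taken prefix silently takes it over."""
    table = {}
    for name, entries in peers.items():
        for net in parse_allowed(entries):
            table[net] = name
    return table

def route(table: dict, dst: str) -> Optional[str]:
    """Outbound: longest-prefix match chooses the peer; None means the packet
    is not for the tunnel at all (on a client it stays on the local router)."""
    addr = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, p) for n, p in table.items() if addr in n]
    return max(hits)[1] if hits else None

def accept_inbound(table: dict, peer: str, src: str) -> bool:
    """Inbound: a packet decrypted from `peer` is dropped unless its source
    address lies inside one of that peer's allowed prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n, p in table.items() if p == peer)

def lan_exposure(entries: List[str]) -> int:
    """How many 192.168.8.0/24 addresses an allowedIPs list actually covers."""
    lan = ipaddress.ip_network("192.168.8.0/24")
    return sum(n.num_addresses for n in parse_allowed(entries) if n.subnet_of(lan))

if __name__ == "__main__":
    server = build_table(SERVER_PEERS)
    print("server sends 192.168.8.50 to peer:", route(server, "192.168.8.50"))
    print("friend1 LAN addresses covered:", lan_exposure(SERVER_PEERS["friend1"]))
    print("client sends 9.9.9.9 to peer:", route(build_table(CLIENT_SPLIT), "9.9.9.9"))
```

The model makes two things visible: `/24` on a host address covers all 256 LAN addresses rather than one host, and two server-side peers naming the same prefix means only the last one keeps it, so the server-side entry is a source filter and routing hint, not a per-friend access list; restricting which LAN hosts a peer may reach is the job of the iptables FORWARD rules the post already mentions.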
