• 3 Posts
  • 20 Comments
Joined 1 year ago
cake
Cake day: June 15th, 2023

help-circle

  • Idk man, it seems pretty irresponsible to me to write a blogpost with stuff that you got from ChatGPT without understanding it. People will assume that if you wrote a blogpost on this then you know what you’re doing. ChatGPT gets stuff wrong all the time, and we’re talking about firewall configuration here. If it misconfigured some stuff it could leave you and your readers vulnerable to all kinds of shit.

    In this case it seems to me that (luckily) there’s just a bunch of redundant routing, but the next time it could be leaking your and your readers’ torrent traffic out of the VPN tunnel, leaving you vulnerable to legal repercussions for piracy.

    Please don’t authoritatively post stuff that you got from the automatic bullshit generator without understanding it.


  • Nice, I recently went through the same struggle of setting up this configuration based on that LinuxServer post. My main nitpick on this is that automating the ip route configuration for the qBittorrent container is a pretty important step which is not explained in the post. Leaving any manual steps in any Docker setup is pretty bad practice.

    Since you’re using LinuxServer’s QBT image a good way to do this is to make use of their standard custom init scripts. You can just mount a script with the ip route commands to /custom-cont-init.d/my-routes.sh:ro on the container and it will be run automatically on each startup.

    Another nitpick is that the PostDown commands in the wireguard configs are useless since you’re running them in Docker.




  • I indeed have a domain name pointing to the VPS IP, with Caddy managing TLS. Other apps are exposed this way, and I will do the same for the qBittorrent WebUI as well. I like having Caddy as a single gateway where I can apply security configs and monitor all traffic, I was hoping I would be able to pass torrent traffic through it as well but everybody seems very much against it.

    I already have wireguard setup as you describe so I guess I’ll just give up on passing torrent traffic through the proxies and just open a localhost port on the qBittorrent container…


  • andscape@feddit.itOPtoSelfhosted@lemmy.worldProxying torrent traffic to homeserver
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    2 months ago

    Resetting the “time since last being told I don’t know shit on the internet” back to 0 once again…

    I already have an existing and working setup used for other apps, it’s close to the one described in this blogpost. Yes, it’s complicated and inefficient, but it has reasons to be. I want to keep my qBittorrent configuration as close to this setup as reasonably possible for consistency. If your point is that it’s counterproductive to follow this setup then… fair enough. I can just route traffic from the VPS to an exposed port on the local qBittorrent container over Wireguard, but that wasn’t my preferred solution.

    Running a torrent client through a proxy doesn’t isolated a process.

    I was talking about network isolation, not process isolation.

    make sure your traffic is routing there properly

    That was pretty much what I was asking for help with.




  • I’m guessing what you mean is setting up port forwarding in Wireguard…

    The thing is ideally I would want all connections in and out of my homeserver’s Docker network to go through the local Caddy proxy, so the app containers are isolated. That still means having at least the local Caddy acting as a TCP proxy, even if the VPS Caddy is bypassed. If that’s too much of a hassle though I can instead just expose a port on the qBittorrent container directly to the homeserver’s localhost, and forward that with wireguard to the VPS.


  • By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?

    qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…

    Also that means binding a port on the qBittorrent container directly to the homeserver localhost. I’ve managed to keep the app containers isolated so far and it’d be nice to keep that, but if proxying the traffic is too annoying I guess I can just say fuck it and go with it.



  • Thank you for the links, I had found a few of these but some are new. The basic idea is there, I’ll see if any of these can work for us. I’m growing more convinced though that hosting a whole app for this super simple use case might not be worth it, I think we might pivot to just hosting a really basic static page for it.


  • This is way too overkill for what we need. I’m sorry, I’ve been intentionally vague about the context for this but I guess it’s too unclear. We’re an activist group planning a protest. We might have to get this set up literally tomorrow and every penny comes out of (mostly my) pocket. We’re also all paranoid about opsec and anonymity, which is why the requirement about avoiding corporate services is there. Perhaps I should have posted this in a privacy focused comm instead, I apologize.





  • andscape@feddit.itOPtoLemmy@lemmy.mlInstance blocks and Threads
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    Other people in that thread have pointed out that it isn’t showing posts being delivered to Threads despite the block. That should be testable with other instances, but not Threads since it’s not receiving any content from Mastodon at the moment. The concerning thing there is the user still being able to view content from people they’ve blocked, but that seems to be a bug if it’s reproducible.


  • andscape@feddit.itOPtoLemmy@lemmy.mlInstance blocks and Threads
    link
    fedilink
    English
    arrow-up
    6
    ·
    11 months ago

    In the EU companies can’t scrape personally identifiable information without consent, even if it’s already publicly available. IANAL, and there’s probably ways they can sneak around the GDPR, but at least it’s not a free for all. It’s unclear though how it works for federation. It’s definitely not the same legally though.


  • andscape@feddit.itOPtoLemmy@lemmy.mlInstance blocks and Threads
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    2
    ·
    11 months ago

    The reason for not directly federating content to Threads isn’t so nobody there can ever see my amazing posts, it’s so Meta can’t easily profile me. Scraping public posts on a different platform would probably be illegal, at least in the EU, and reposts don’t give them a lot of data about me. Federating content, however, would give them most of the same data that Mastodon has on me without even having to ask.


  • andscape@feddit.itOPtoLemmy@lemmy.mlInstance blocks and Threads
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    11 months ago

    This post from Eugen Rochko mentions that blocking Threads at the user level “stops your posts from being delivered to or fetched by Threads”. Basically, the user-level instance block is bidirectional.

    Limited federation mode is a different feature, at the admin level. It doesn’t really affect the delivery of posts in either direction, it just hides the blocked instance’s content from the global feed. Defederation on the other hand is indeed bidirectional, but again it’s on the admin level rather than users’.