smiletolerantly

joined 11 months ago
[–] smiletolerantly@awful.systems 22 points 6 hours ago* (last edited 6 hours ago) (1 children)

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don't bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

  1. educate yourself on network security to the point of being able to trust your network setup; or
  2. forget about hosting anything
[–] smiletolerantly@awful.systems 11 points 6 hours ago

This isn't really true. Even IF your router would fail catastrophically in the right way to expose your server to the internet, or if it actually "ratted your traffic out" to the ISP and the ISP cared (which it does not), it's not illegal to host Jellyfin, or put media on it which you own (which is not discernible from just... media being streamed).

Also your ISP has no part in your local network traffic.

[–] smiletolerantly@awful.systems 19 points 7 hours ago* (last edited 6 hours ago)

Smh. I get wanting to be connected to a VPN, but being locked out of your own local network is just stupid.

[–] smiletolerantly@awful.systems 15 points 7 hours ago (3 children)

This does not encrypt during transit, and my network is not a trusted party.

Then honestly, you have other problems than setting up Jellyfin.

For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What's the worst that could happen here - someone gets to know your favorite show?

They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN

Ah, I see. On your PC you should just be able to set a static route over the physical interface for 192.168.0.0/24 (or whatever your local network is) which takes precedence over the VPN. For Android... oof, no idea. Probably need root.
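Why a static LAN route wins over the VPN's routes, as an added illustration (not code from the comment): the kernel picks the most specific matching prefix, so a /24 for the LAN beats the broad routes a VPN client installs. The table shape is an assumption (many clients add 0.0.0.0/1 and 128.0.0.0/1 to override the default route without deleting it); the interface names are constructed.

```python
# Added illustration (not code from the comment). Routing table shape is an
# assumption: the VPN client installs two /1 routes to beat the ISP default
# route, and the /24 is the LAN route the comment suggests adding by hand.
import ipaddress

# Constructed routing table: (prefix, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route towards the home router
    ("0.0.0.0/1", "tun0"),       # VPN client: lower half of the address space
    ("128.0.0.0/1", "tun0"),     # VPN client: upper half of the address space
    ("192.168.0.0/24", "eth0"),  # static LAN route, more specific than all of the above
]


def select_route(destination: str, routes=ROUTES) -> str:
    """Longest-prefix match: the most specific matching prefix decides the interface."""
    dst = ipaddress.ip_address(destination)
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def lan_reachable_without_vpn(lan_hosts, routes=ROUTES) -> dict:
    """Which hosts still leave over the physical interface once the VPN is up.

    A host outside the /24 you actually use (say 192.168.1.x when the route
    covers 192.168.0.0/24) silently goes into the tunnel instead, which is why
    the prefix has to match the real local subnet."""
    return {host: select_route(host, routes) == "eth0" for host in lan_hosts}
```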

[–] smiletolerantly@awful.systems 30 points 8 hours ago (9 children)

What are you talking about? Please clarify if this is actually true:

I don’t plan to access it anywhere but home.

This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

Is this correct?

If so, then questions about VPN, Certificates, DNS,.... do not matter.

  1. host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network
  2. open the Jellyfin app on your TV/Phone/PC, connect to http://192.168.10.20:8096/
  3. done

Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you've said).

[–] smiletolerantly@awful.systems 3 points 2 days ago (1 children)

Yeah, true. I think there's no way around being pushy/almost manipulative.

"I fortunately no longer have WhatsApp. Especially with things concerning our children, I would NOT trust Facebook with that. I am completely open to using something else, does not have to be Signal - do you use any secure and private messenger apps where we can create a group?"

It's an uphill battle for sure. And you have to think about and set your own limits. I hate using WA, but for some contacts, it's better than having NO contact.

[–] smiletolerantly@awful.systems 4 points 2 days ago (3 children)

Hm, I don't have too many of those. The one large one I have was on Signal already, but that's mostly luck.

If it's a >10 people group that has already been established on WA, you're probably out of luck. If a group has not been established yet, your best bet is probably to be super proactive: "Yes, good idea, let's make a group! Here, I've set up the Signal group, just scan this QR code to join! Oh, you don't have Signal? Oh, nevermind, it's super quick to set up, and then you can simply join via the QR! I'd really hate to see you not be part of the group chat, but of course it's up to you if you want to join..."

[–] smiletolerantly@awful.systems 6 points 2 days ago (5 children)

Most of them. Family is fully on Matrix/Signal/Threema. Close friends are all on Signal. Some acquaintances are still WA-only, but I've stopped telling people that I have WA/Telegram, so new contacts are Signal/Matrix/Threema only.

Huh, didn't know. Thanks. I guess Hetzner is the right answer in both cases then 😄

[–] smiletolerantly@awful.systems 19 points 2 days ago (2 children)

Do you want all of that to be managed (DB, mailboxes, web-hosting,...) or just reliable hardware in "the cloud"?

For the latter, Hetzner.

Yeah!! A house only has speculative value! There's no fundamental value in a house! Just like bitcoin, if you can't sell your house, it's worthless!

...what do you mean, "a place to live in"?

The title gave me a stroke

84
submitted 1 month ago* (last edited 1 month ago) by smiletolerantly@awful.systems to c/ich_iel@feddit.org
 

Thanks!! Finally someone is saying something!

 

Schadenfreude 🙂

 

Five years ago, I bought a Supernote A5. It was (and mostly still is) a great device for reading and writing on an eInk display, and it runs plain old linux.

The deciding reason I went for this device instead of the competition is that I was "under the impression" that they were about to enable full SSH access to the device! Awesome!

"Why were you under that impression?", I hear the skeptics ask. Well, their spokesperson has stated that they would do so. Via mail, and on reddit, publicly, multiple times. I was still torn, so I sent them a DM, asking if this was indeed factual. "Yes", they said, "the next quarterly update will enable SSH access!".

Great!

Well, it's been 5 years. They did not follow through. A couple of updates were published, none contained the promised functionality, the spokesperson stopped answering questions about SSH. The last software update I received is from 2.5 years ago. Mentions of the original Supernote A5 have largely been scrubbed from their website.

Let me be clear, the device still functions perfectly. But it is in danger of becoming e-waste because it is so needlessly complicated to get stuff on the device. I'm currently in need of an ebook reader with (ideally) OPDS capability, and I am pretty confident I'd be able to get something like koreader running on this, or at least just run a script to sync files over SSH. Also, I frankly feel wounded in my pride having a Linux device in my possession which refuses to do my bidding (I'm joking of course, but also I am 100% serious).

Here's all I know:

  • plugging it in via USB, the device reads as an MTP device, with access only to the documents/books/... stored on it
  • you can place an update.zip file (obtained from the SN website) into the root of that MTP directory, and upon reboot, the device will update. To me, this appears to be the most promising route of gaining access.
  • unfortunately, the zip file is encrypted. The decryption key clearly has to be known to the device, but since I have no access to it,...

I'm a software engineer, but I have zero knowledge of the "dark arts", so to speak. If anyone could help me (or point me into the right direction!), I would really be grateful. I don't want this (generally nice) product to turn into a paperweight instead of a paper replacement :(

 

Basically, the title. After years of inactivity, I'll be taking music (cello) lessons again, with my teacher of yesteryear, from whom I've moved half a country away.

She has suggested Zoom but is open to alternatives. I don't particularly like Zoom, plus I have a feeling better quality can be had through a custom solution - but I'm at a bit of a loss as to what exactly would be a good fit for this project.

Maybe Jitsi? Does someone here have experience with it and could tell me if it's possible to set something like a "target" audio quality?

For hardware, I basically have two options. Both are already in use, for different things, and have sufficient processing capabilities - albeit no GPU:

  • host everything at home. Plus: lowest possible latency from me to the server. Not sure how much that is worth though.
  • root server in the Hetzner cloud: much faster network speed. Again though, not sure how beneficial that is, the ultimate bottleneck will always be my upload speed (40Mbit)

OK, I realize that this post is a bit of a random assortment of thoughts. I'd be really happy about suggestions and / or hearing about others' experiences with similar use-cases!

28
submitted 9 months ago* (last edited 9 months ago) by smiletolerantly@awful.systems to c/selfhosted@lemmy.world
 

Hi,

not sure where else to post this. For a while now, I've unsuccessfully been trying to get WireGuard to work with Crunchyroll.

Setup is as follows:

  • dedicated server hosts a wg-quick instance in [neighboring country]
  • OPNSense acts as peer on a single IP
  • I have a rule for routing the entire traffic of some source device via that IP

This works just fine. Handshake successful, traffic is routed via the server. traceroute shows the server as the hop immediately after my device's local gateway. The connection is stable, and fast.

...except for Crunchyroll. The site / app itself is fine, but I cannot, for the life of me, get a video to play. It just keeps loading forever.

I don't think this is an issue with CR recognizing that I'm not where I say I am - looking online, it seems pretty easy to use CR with a VPN. I've also tried from multiple other devices, all with the same symptom.

If anyone has suggestions, I'd love to hear them 😅

EDIT: ~~It was MTU. Had to manually set it to 1500 on both devices.~~

Nope, still the same issues. I was using the fallback interface there briefly.

EDIT: It WAS MTU related, I had to enable MSS clamping on the OPNSense.
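The arithmetic behind the fix, as an added illustration that is not part of the post: WireGuard wraps every packet in an outer IP header, a UDP header and its own 32-byte header, so a peer that still believes the path is 1500 bytes wide emits TCP segments that no longer fit the physical link once encapsulated. Setting the tunnel MTU to 1500 makes that worse, while MSS clamping makes both ends negotiate segments that fit. Header sizes are the standard protocol figures; the 1500-byte link MTU is an assumption.

```python
# Added illustration (not code from the post): header sizes are the standard
# protocol figures; the 1500-byte physical link MTU is an assumption.
IPV4_HEADER, IPV6_HEADER, UDP_HEADER, TCP_HEADER, WG_HEADER = 20, 40, 8, 20, 32


def wg_overhead(outer_family: int = 4) -> int:
    """Bytes WireGuard wraps around each inner packet (outer IP + UDP + 32-byte
    WireGuard header): 60 over IPv4, 80 over IPv6."""
    outer_ip = IPV4_HEADER if outer_family == 4 else IPV6_HEADER
    return outer_ip + UDP_HEADER + WG_HEADER


def tunnel_mtu(link_mtu: int, outer_family: int = 4) -> int:
    """Largest inner packet that still fits one physical frame after encapsulation."""
    return link_mtu - wg_overhead(outer_family)


def clamp_mss(tun_mtu: int, inner_family: int = 4) -> int:
    """TCP MSS to rewrite into SYNs so every segment fits the tunnel MTU."""
    inner_ip = IPV4_HEADER if inner_family == 4 else IPV6_HEADER
    return tun_mtu - inner_ip - TCP_HEADER


def segment_fits(payload: int, link_mtu: int, outer_family: int = 4) -> bool:
    """True if an IPv4 TCP segment with this payload survives encapsulation.

    An oversized packet with DF set is dropped, and the sender only finds out
    if the ICMP "fragmentation needed" reply reaches it. When that reply is
    lost, the transfer simply hangs: a video that "keeps loading forever"."""
    inner_packet = payload + TCP_HEADER + IPV4_HEADER
    return inner_packet + wg_overhead(outer_family) <= link_mtu


def stall_analysis(link_mtu: int = 1500) -> dict:
    """Compare a peer that assumes a 1500-byte path with one whose MSS is clamped."""
    naive_mss = link_mtu - IPV4_HEADER - TCP_HEADER    # 1460: what a 1500 MTU implies
    clamped_mss = clamp_mss(tunnel_mtu(link_mtu))      # 1400 with an IPv4 outer header
    return {
        "naive_mss": naive_mss,
        "naive_fits": segment_fits(naive_mss, link_mtu),      # False: 1460+40+60 = 1560
        "clamped_mss": clamped_mss,
        "clamped_fits": segment_fits(clamped_mss, link_mtu),  # True: 1400+40+60 = 1500
        "small_fits": segment_fits(300, link_mtu),            # True: small pages still load
    }
```

Small requests and responses fit either way, which is why the site and app kept working while full-size video segments were the ones that vanished.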
