There’s also a sad no ipv6 animation you might randomly get

that's weird, I got the proper star wars without an ipv6. though I did get the "no ipv6" at first

Only problem with HE tunnels is they use IPIP and you need a public v4 for the tunnel to work (this is a protocol limitation, not policy).

@@apalrdsadventures Yeah, I forgot your use case here. I got it backwards, like you had IPv4 but no proper IPv6.

I use Nebula as well, but as a purely closed network (no routing / traffic flow outside of the Nebula subnet).

No IPv6? Just say Nebula doesn't work.

Nebula does v6 on the transport, but it's more designed as a closed network (routing individual IPs) between hosts for secure internal communications.

Jool is kinda a pain to work with because of how traffic bypasses a lot of the normal linux Netfilter, and doesn't work for translating packets from the local system.

@apalrdsadventures there is also cgnatd that can do the local traffic. But you can implement it on a router or in VMs too. The big thing is it gives you a non cgnat ipv4 tunnel over ipv6.

This is a good solution for SSH or other low bandwidth protocols, but not a good solution for generic hosting due to the head-of-line blocking problem when multiplexing multiple TCP streams over a single TCP socket (the SSH session).

Commented before reading the rest of the comments. Y'all already knew this. 🤦🏻‍♂️ 😛

No problem!

I did setup a prototype with IPIP (GIF on BSD) and found that OPNsense wasn't properly configuring GIF for IPv4 in IPv6 (it's normally used for the opposite, IPv6 in IPv4 for Hurricane Electric).

snid reads the TLS SNI, then does a DNS AAAA lookup on the resulting name, and if the name is within the backend cidr range it redirects the session at layer 4 (TCP). So the big difference is pulling out the SNI so you don't have to configure snid itself. Another difference is that SNID codes the IPv6 source address with the IPv4 source of the origin, which is why it uses a /96 instead of a single address. That way, the backend server can get the IPv4 source address in their logs without needing to use PROXY protocol.

@@apalrdsadventures Oooh, I see, thank you for the explanation! I think I do not know enough about TLS SNI to full get the first part, but that's a good reason to learn about it! Even more since it is not the first time I heard about it. That point about know the source IP is really interesting too, in my last iteration of server and service I planned to have a host only running LXC and passing the needed 80/443 ports via socat to a container with HAProxy inside to route the request to other containers, but I never looked at the logs yet since it's still in setup, I may have ruined most of them by erasing the source IP 🤔 Maybe it's time to go back on that idea and leave HAProxy on the host instead...

TLS sends the ClientHello immediately after opening the tcp socket. This contains proposals for crypto algorithms to use, and also the domain name of the server requested. The server responds with the ServerHello which includes the servers certificate. They do this so the server knows which certificate to present to the client, but as a result, the server name is sent unencrypted.

In OPNsense you just add a rule on the firewall to allow the traffic

It depends on your router. But in general it should be an “allow” rule.

Currently, its a UDM-Pro, but I will switch to Opnsense soon. I did create one rule (Internet IPV6) to allow incoming traffic to a device behind the firewall, but I can't ping it yet from the outside, not even the lan public ipv6 from the firewall (with another rule); I am also not able to ping it. Its a CGNAT. I was thinking maybe I need another rule elsewhere

The UDM should be able to do it, but I don't have one to test with.

You can leave it blank.

But cloudflare can still read anything

​@@AWildLeonhow can they read everything while my server is using my own SSL cert and I haven't given my private key to anyone? (I'm also using the full (strict) setup)

@@Lenny3669 He's correct. Cloudflare still decrypts traffic in transit using their cert, then re-encrypts it using your cert before it passes along to your origin. They need to do this to enable the majority of their services, despite the privacy risk it creates. That's a decision I chose knowingly.

@@Lenny3669 not sure how/why my original reply got deleted, but @AWildLeon is correct. Cloudflare presents their cert for your domain to users. They decrypt the traffic in transit, and re-encrypt it with your cert when they proxy it to your origin server. They have to do this to enable the majority of their services despite the privacy risk. I chose to use the tunnel knowing this.

My replies keep getting instantly deleted, but AWildLeon is correct. Cloudflare presents their cert for your domain to users. They decrypt the traffic in transit, and re-encrypt it with your cert when they proxy it to your origin server. They have to do this to enable the majority of their services despite the privacy risk. I chose to use the tunnel knowing this.

Does the dynamic /56 actually change though? Or is it effectively static?

With Orange Cloud, it will not actually add either record to 'real' DNS. 'Real' DNS will point both A and AAAA to Cloudflare's CDN (if you add either an A or AAAA), the record you 'add' just tells CF where the origin is.

draw.io

@@apalrdsadventures Thank you!

MQTT uses TCP transport, so any of the TCP examples. MQTTS will also work with snid if you listen on 8883 (you can -listen multiple times).

They removed section 2.8 from their ToS some time ago, so not anymore, you just have to set a rule to not cache your streamed content if your site doesn't have it in headers already.

They made it more vague, but still don't really want to deal with media streaming.

Remember if you're pretending to be an expert who can teach the teacher on KZbin while you have no idea what you're talking about, you're breaking the entire world's TOS, and probably need to go outside and ride a bike or something. Godspeed.

@@Lenny3669 ok boomer

@@Lenny3669 I was just trying to let everyone know he careful if using with media streaming. Even before it was in their ToS years ago I got my account locked because of media streaming. Just letting everyone know. I asked them why and they said it was against their terms, but couldn't show me where.

That would require your friends to install Tailscale though

Headscale is a godsend.

I've found tailscale breaks IPv6 so that my Mac doesn't resolve AAAA records. Even with MagicDNS disabled and not connected to a trailnet. As soon as I close tailscale things start working

@@apalrdsadventures not necessarily you can always use your vps public ip (ipv4 and ipv6) and then use tailscale / headscale túnel tp “proxy “/ route to where you have CGNAT. Basically the same what you did with WireGuard just simple to setup and no hole punch needed on firewalls. The advantage of headscale is that you can use whatever ipv4 subnet you want for the tailscale network so doesn’t conflict with CGNAT or don’t use ipv4 at all

@@apalrdsadventures they wouldn't! I tried this as a POC, set up a headscale control server + two users (one external and one internal to your network, the internal one publishes your network routes). On the external one (which you can technically host in the same machine as the control server) you can either forward ports 80/443 to an internal nginxproxymanager or you set that up on the VPS and just pass traffic from there to your internal IPs. The second option maintains the client IP as it's passed to the backend as an x-forwarded-for, since you're terminating TLS at the VPS. Traffic into your network may be unencrypted (if you proxy_pass to http) but it's over the wireguard tunnel, so it doesn't really matter. For the jellyfin example you'd set a DNS record for jellyfin.domain.tld pointing to the VPS IP and configure that as the external domain on the jellyfin settings and that's it. Your users go to jellyfin.domain.tld and get served from your internal jellyfin server, no client needed.

draw.io

I just made a VPN video last week! It includes Wireguard.

@@apalrdsadventures I will be diving into that then!

Their history of being very litigious at the slightest hint of license violations

small pp

every time someone uses NAT66 a fairy dies

There's also NPT as the lesser evil... still not great though.