TheIPW
Sysadmin and FOSS enthusiast. Self-hosting on Proxmox with a focus on privacy and digital sovereignty. Documenting my experiences with Linux, home labs, and the ongoing fight to keep Big Tech out of our hardware.
- 7 Posts
- 24 Comments
The UK PM has just announced an under-16 social media ban.
This is the ‘Trojan Horse’ in action. You cannot enforce a ban without an Age Verification layer, and you can’t have Age Verification without a National Digital ID or biometric database. They are using the ‘child safety’ card to build a mandatory surveillance gate for the entire internet.
Between the new taxes and the constant bans, it’s clear this government has zero respect for personal agency or digital sovereignty. If you aren’t already moving your data off the cloud and into your own home lab, start now. The gap between our current society and a total surveillance state just got a whole lot smaller.
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Why I moved my Plex library to Jellyfin after 14 yearsEnglish
7·1 month agoDedicated PC on LAN talks directly to VPS via Wireguard. The local machine acts as an exit node so when I add a local IP and port to my reverse proxy the whole thing acts like a local network.
I wrote about my setup last month; https://the.unknown-universe.co.uk/home-lab/wireguard-vpn-two-vps/
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Why I moved my Plex library to Jellyfin after 14 yearsEnglish
45·1 month agoYou’re right, I missed that.
I personally use a reverse proxy and Wireguard setup to access remotely.
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Why I moved my Plex library to Jellyfin after 14 yearsEnglish
8·1 month agoI have a dedicated VPS with reverse proxy connected to my network via Wireguard. It acts as the front door to my network so I don’t have to port forward or rely on Cloudflare etc. I used to use Tailscale as the go between but switched to WG recently. Both work fine for streaming content whilst self-hosting all other services including my website.
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding)English
1·2 months agoThe home server is an old, low-powered mini PC running Debian. It acts as the bridge between the WireGuard tunnel and my local LAN.
I’ve just finished migrating one of my AdGuard Home instances onto it today. Its role is now twofold:
Routing: It has ip_forward enabled and a bit of NAT (iptables/nftables) so that traffic arriving from the VPN can actually “hop” onto the local network to reach my other VMs and containers.
DNS: It provides ad-blocking for the tunnel. VPN clients point to this node’s internal WireGuard IP for DNS queries.
Technically, it’s just another WireGuard peer, but with AllowedIPs configured to advertise my 192.168.x.x subnet back to the hub (VPS2). This is what allows VPS1 and my mobile devices to resolve and reach home services without a single open port on my router.
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding)English
4·2 months agoYou’re right, and for a lot of people, one VPS is the sensible choice. I actually addressed this in the post:
"VPS1 is my web-facing server. It handles the public side of things. VPS2 is the VPN hub. At first glance, that probably looks unnecessary. Strictly speaking, it is unnecessary. I could have crammed WireGuard onto VPS1 and called it done. But splitting the roles makes the whole thing cleaner.
One machine serves public traffic. The other handles VPN duties. That means fewer networking compromises, fewer chances of Docker or firewall rules becoming annoying, and a clearer separation between the public-facing stack and the private tunnel. It also means I can change one side without poking the other with a stick and hoping nothing catches fire."
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding)English
6·2 months agoIt’s not that I didn’t like it, I just wanted to back to basics! A simple config file on each machine, job done
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding)English
4·2 months agoExactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.
I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).
Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one, block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.
TheIPW@lemmy.mlOPto
Selfhosted@lemmy.world•Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding)English
26·2 months agoThank you for the heads up, turns out it was the custom html code in the code blocks causing the issue. Fixed now.
TheIPW@lemmy.mlto
Selfhosted@lemmy.world•Turns out I have been updating wrong all this time! 🤦🏼English
27·2 months agodist-upgrade and full-upgrade are essentially the same command but yeah, I won’t be using apt upgrade again in the future! Like I said in my post, the joys of being self taught is that you learn by my making mistakes and that’s part of the “fun” 🤣
Fossify messages. Not the most feature filled app, does only the basics but because I don’t use SMS as my main communication method it is more enough to receive the odd 2FA text
TheIPW@lemmy.mlto
DeGoogle Yourself@lemmy.ml•Proton Drive vs. NextCloud vs. Filen for cloud storage
0·3 months agoSince they publish their client-side source code (https://mega.io/developers), anyone can verify that the encryption actually happens locally on your device before a single byte is uploaded.
Unlike Google or Microsoft where you just have to hope they aren’t scanning your files for ads or AI training (which they are!) Mega’s transparency means if there was a backdoor in the client code, the FOSS community would have flagged it years ago, it gives independent researchers a chance to check the behaviour. As an offsite backup is crucial, for me Mega is one of the better providers, not saying they are perfect but good enough for now.
TheIPW@lemmy.mlto
DeGoogle Yourself@lemmy.ml•Proton Drive vs. NextCloud vs. Filen for cloud storage
0·3 months agoThe two I use are Nextcloud and Mega. Nextcloud is my primary location and I have a script that runs daily to replicate the Nextcloud with Mega. I chose Mega because it has end to end encryption and Mega cannot see your data. They also cannot recover your account if you forget your password. They have had issues/controversy in the past but these days they are, in my eyes a solid choice. I also make use of their S3 bucket so that my Proxmox Backup Server can save offsite so technically Nextcloud is included in that as well!
Which phone and message app are you using? I also don’t see a way to view photos or files and which camera app?
Obviously GrapheneOS is the best way to go for privacy but if you do stick to OEM Android then make sure you’re using apps like the Fossify suite. I use their apps with all contacts and calendar synced via davx and self hosted on Nextcloud.
What about KeePass, where is that data backed up?
TheIPW@lemmy.mlOPto
Privacy@lemmy.ml•Google’s Sideloading Crackdown: Why It’s a Threat to Everyone’s Privacy and Freedom
1·3 months agoSteamOS and Proton are kind of paving the way. It’ll be interesting to see if Steam Frame can take that further, especially on mobile/ARM, and shake up the usual players.
TheIPW@lemmy.mlOPto
Privacy@lemmy.ml•Google’s Sideloading Crackdown: Why It’s a Threat to Everyone’s Privacy and Freedom
2·3 months agoYes, Android is open source. But the thing is, Google’s clampdown on sideloading isn’t just about the OS code itself. It’s really about controlling the whole app ecosystem and making it harder for people to install apps outside of Google’s own channels.
Sure, folks can fork Android and make their own versions — that’s been happening for years with projects like LineageOS. But the tricky part is keeping all the apps working smoothly without Google’s proprietary stuff like Play Services. Without that, a lot of apps just don’t behave right, and the user experience takes a hit.
So basically, just having Android’s code open isn’t enough to keep it truly open and easy to use. The real control is in the ecosystem around it, and that’s what Google’s tightening grip is all about.
TheIPW@lemmy.mlOPto
Privacy@lemmy.world•BrowserGate: Technical breakdown of LinkedIn’s covert browser extension fingerprintingEnglish
4·3 months agoThanks for the feedback. You’re right, it’s really just scanning for known extension IDs, not poking around your entire computer. Saying “computer scan” might sound a bit dramatic, but the privacy risk is still pretty serious given what info they can guess from those extensions.
About the home lab and network side — I get that LinkedIn isn’t scanning your whole network or anything. What I meant is more about how you can block or filter those sneaky requests at the network level, like with DNS blocking or firewall rules, so they never even get sent out. It’s not a classic home lab threat, but if you’re running your own DNS or network filters, it’s a handy extra layer to keep things tighter.
Sure, switching browsers or faking your user agent works too, but not everyone wants to give up Chromium or LinkedIn completely. That’s why I mentioned a few different ways to protect yourself.
Appreciate the note on wording — I just wanted to show why this isn’t just some minor browser oddity and why it’s worth thinking about from a privacy and network defence angle.
TheIPW@lemmy.mlOPto
Privacy@lemmy.world•BrowserGate: Technical breakdown of LinkedIn’s covert browser extension fingerprintingEnglish
3·3 months agoSpot on. If you can see a user has certain VPN clients, IDEs, or specific advocacy tools installed, you’ve essentially built a psychological profile of an employee’s home environment without them ever clicking ‘Accept’. It’s a massive GDPR Article 9 violation (Special Category data) hidden in plain sight.
TheIPW@lemmy.mlOPto
Privacy@lemmy.world•BrowserGate: Technical breakdown of LinkedIn’s covert browser extension fingerprintingEnglish
5·3 months agoMostly, yes. Firefox doesn’t use the specific Chromium internal resource API that LinkedIn is exploiting for this. However, since the script relies on hidden GET requests, I still recommend Multi-Account Containers to isolate LinkedIn entirely, plus a custom uBlock Origin filter just to be sure.









It is a fair bit of homework but for those of us who use Linux on a daily basis, we’d rather do the legwork once to have a private, predictable system than deal with the out-of-the-box bloat.
Regarding updates: that’s exactly why I focused on Group Policy tweaks rather than simple registry hacks or UI toggles. Policies are designed for enterprise environments where IT managers would be furious if an update reset their security configurations, so they tend to survive major build updates much better than standard settings, it’s not foolproof but it is the best way to stay ahead!