can be configured per application

wireguard can too using network namespaces

not exclusively as an interface in kernel mode

Which devices are you people running where you want VPN/proxy but don’t have kernel permissions to run wireguard? Firefox on iPhone? Porn on wifi washing machine?

Curious, what is SOCKS5 used for that regular wireguard cannot do? I’m only familiar with the use case of telling Firefox to connect through a SOCKS5 proxy, which may be convenient as a form of split tunneling - only firefox traffic goes through the VPN and everything else through clearnet - but wireguard can be configured into a split tunnel form as well with a bit more work, and works for all software not just the ones aware of SOCKS proxies. Is it for use on a system where your permissions are too limited to turn on wireguard but not so limited that you cannot change Firefox proxy settings?

Talescale is a VPN, “private network” is what P and N stand for. It’s just one with only forwarded ports and no outbound traffic. The question was are forwarded ports important, and yes they are. So important that some users pay for a VPN twice! Once for something like Mullvad with no port forwarding, and once for Talescale for port forwarding. It’s true it has benefits like static IP, but even on my commercial VPN I get the same forwarded IP and port when connecting to the same server, so I don’t want to pay twice.

Using dd to move-resize a partition by writing down the cylinder numbers and moving it piece by piece like some Tower of Hanoi. Wanted to add more space to my root after deleting the Windows partition, which happened to be first. There is apparently no built-in command to do that.

Booted up fingers crossed and everything worked.

I run a Minecraft server. Couldn’t have done it without port forwarding.

New York City reporting in, can confirm the subways have been plastered in Mullvad ads for months. I’m so glad I switched away last year, so that at least I know none of my money is used to spam my own eyeballs. Though in some sense it is nice that VPNs are common in public discourse now.

Didn’t even need to translate to foot-pounds-force, since .50 BMG was already in freedom-loving units.

Airplane mode on Apple has two sub-toggles: wifi and bluetooth (the main toggle controls the cellular antenna). With all three toggled off, find-my does not work. The device just shows up as “offline, location unknown, last seen at…” on the map. Something to watch out for though: for some reason Apple will turn bluetooth back on after a couple days without asking, even with airplane still on. Also, an app running in background could in theory record the GPS coordinates and transmit them to home server once connection is reestablished.

Use wireshark and listen on your ethernet interface. When you use tailscale, are the packets coming in/out from the tailscale server IP or the VPN ip? Check through the ip route routing table and figure out which pathway a packet will take in each use case. Might need to add a route exception specifically for the tailscale server IP to go out on the ethernet device.

PostUp = ip route add 100.64.0.0/10 dev tailscale0

Looks like you need to stick this line in the tailscale service file, since it’s the only time that the existence of the tailscale0 device is guaranteed. If you don’t want to modify the service file inside the package, could you write your own systemd service file and include the tailscale service as a prerequisite?

Also make sure that when you start the VPN first and then tailscale, you don’t get a double tunnel situation where tailscale goes out through the VPN (unless that’s what you wanted).

The exact script would depend on the use case; you’d use commands something like this:

mkdir -p /etc/netns/VPN
sh -c 'echo nameserver 1.1.1.1 > /etc/netns/VPN/resolv.conf'
ip netns add VPN
ip link add tun1 type wireguard
ip link set tun1 netns VPN

Because the wireguard device was created in the default namespace, it will “magically” remember its birthplace, even after you move its mouth (the tun1 device) to a separate namespace. The envelope VPN packets will keep going in/out in the default namespace.

ip netns exec VPN wg setconf tun1 /etc/wireguard/vpn.conf
ip netns exec VPN wg set tun1 private-key /etc/wireguard/vpn-key.private
ip -n VPN addr add 192.my.peer.ip/32 dev tun1

Get the wireguard config file from the VPN website, both mullvad and OVPN have a wizard to generate them. Your assigned private network ip is in the config file. Also get and save your device key.

ip -n VPN link set tun1 mtu 1420
ip -n VPN link set tun1 up
ip -n VPN route add default dev tun1
ip netns exec VPN su myuser -c 'firefox --no-remote'

Now all firefox (and only that firefox) traffic will go through the tunnel. Firefox has its own DNS, if you run another app it will use 1.1.1.1.

I actually do the reverse of this - I create a namespace ETH and move my eth0 device in there and attach dhcpcd to it. Then I create the wireguard tun1 device inside ETH namespace, and move tun1 to the default namespace. Then any software I run can only use the tunnel, because the ethernet device doesn’t even exist there. This keeps the routing table simple and avoids a whole class of issues and potential deanonymization exploits with the split routing table used in traditional single-namespace VPN configurations.

You can set up split tunneling yourself if you run the wireguard/OpenVPN daemon manually and move the “mouth” of the tunnel to a separate Linux network namespace.

OVPN is a 1-to-1 feature clone of mullvad (wireguard, multiple device keys, crypto payments/cash in the mail, no usernames/emails, etc.) AND has port forwarding. Switched to them when mullvad sadly closed their ports, no problems since. Can’t live without port forwarding.

That allows sending packets inside the VPN tunnel, but the outer envelope packets still need to be able to reach the VPN server.

sudo ufw default deny outgoing

I’m guessing this would block the VPN packets themselves as well.

IMHO if you don’t have a globally-reachable address or forwarded port, you are not really a participant of the internet, you are just a receptacle xD

One service I never see mentioned is OVPN. They have a 1-to-1 feature parity with mullvad and were an easy drop-in replacement when mullvad closed their ports:

• wireguard
• port forwarding
• no usernames/emails/registration, only account numbers
• crypto payments/cash in the mail
• same price as mullvad
• multiple device keys
• multihop
• no bandwidth limits
• setup guides
• status dashboard

I used mullvad for years, sad to see them go, and all my scripts basically worked without any change other than the server addresses/public keys. Only downside is they don’t have as many users so not as many servers. I wish more people would join up so I get more IPs to choose from :D