October 31, 2024
We have had Nebula VPN within the Fedora repositories for a couple of years.
A couple of months ago, I changed the default systemd service unit.
More specifically, this is the change:
-ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+ExecStart=/usr/bin/nebula -config /etc/nebula
Although the change is only a few characters, this change allows for a much more flexible use of Nebula.
Before this change, the configuration could only be placed in the config.yaml file.
After this change, all YAML files in the folders will be read, merged, and used as configuration.
Read More 
April 30, 2024
VPNs can be used in different ways based on the desired objective.
If the goal is to reach some specific web pages served only within a network, using a proxy will probably do the trick.
Another common use for VPNs is to ensure the confidentiality of data transferred between a remote system and a safe site.
In this case, we might want to ensure that all traffic from the remote system reaches the safe site via the VPN.
Read More 
March 31, 2024
A while ago, I posted about using SSH to proxy traffic within a Nebula network context.
In the last few months, I changed my implementation because SSH required some steps and accesses that I was not fully happy with.
In the previous iteration, I was using SSH as a SOCKS proxy.
The problem, though, is that I need to set up the connection every time and use my SSH credentials, so it becomes difficult to have it always on.
A different SOCKS proxy software needs to be used to achieve the same result without SSH.
Read More 
March 29, 2024
For many years, VPN companies have advertised their VPNs as a necessary tool for all people who want to preserve their privacy.
For the same amount of time, I tried to explain to the people that this view made no sense if not for those company’s sales.
As an example, Onavo, a Meta subsidiary, used to advertise its services, highlighting that, among other advantages, using their product “protects your personal info”.
This claim would not be a problem by itself, but it becomes one when a court finds out that this is not actually true and that new courts documents seem to indicate that the behavior was worst than initially thought.
Read More 
November 28, 2022
As discusse in a previous post, I use nebula to create a VPN connection between the various machines I use.
Usually what I really care about this setup is the ability of consuming services those machine expose on my nebula network.
When I travel, I prefer to proxy my data through my nebula network.
This allows me to not have to care about the limitations imposed in those networks, as long as I’m able to open my tunnel.
The second advantage I have, is that I can choose the location where my traffic leaves my VPN, since I have multiple machines in multiple nations.
Another advantage is that I can be sure that no data is visibile by the network manager, even if this is becoming less and less relevant, since the majority of the traffic is encrypted nowadays.
Read More 
June 30, 2022
In the last year, I moved more and more data and services to hardware that I can directly control.
A direct consequence of this is that I started to run more hardware at my house.
This change has been very positive, but it is suboptimal when not at home.
All services I run are secure and could be shared directly on the web, but I prefer a more cautious approach.
For this reason, I decided to create a VPN.
Read More 
March 21, 2022
One of the first issues that I had to solve when I started to use gRPC was how to inject a DB connection pool to the function handling the request.
The DB connection injection is needed because creating a new SQL connection every time there is a new gRPC request (and tearing it down at the end) is a massive waste of resources.
Also, this approach could limit the scalability of the API since the database probably has a limited number of connections it will accept.
Read More 
July 28, 2021
A few years ago, I wrote a blog post on managing CORS headers with Negroni.
Lately, I’ve created a new API server that needed to be accessible from the browser, but this time I used a different technology, more precisely gRPC-Gateway.
Few months after I wrote that blog post, I stopped writing new REST services by hand.
I did not rewrite all the services that used the old paradigm just because they needed a fix or a new feature, but for all new services, I moved to gRPC with gRPC-Gateway.
Read More 
March 1, 2020
Google Cloud provides the capability of terminating a VPN connection with a VPN Gateway.
The problem is that the VPN Gateway - at the moment - is relatively limited in capabilities.
One of the missing capabilities I would have liked to see implemented is the NAT capability.
VPNs can be used to connect the machines of two different parties.
Although this is usually not the best architectural pattern, since a connection on the public internet encrypted at the Transport Layer is often a better option, it’s relatively common in more legacy environments.
When a VPN is used in this way, it is very common to incur in an IP space collision, and therefore it becomes required to use some form of NAT.
Let’s see how to implement this scenario in Google Cloud without terminating the VPN directly on an instance (which is possible but has its problems, and maybe we’ll be discussing it some point in the future).
Read More 
March 21, 2019
After the article on the reasons to use vanity URLs in Go and the one about how to implement a lightweight vanity URLs provider, I’d like to share with you how you can leverage AWS Lambda to implement a vanity URLs provider.
The first thing we will need is to import the github.com/aws/aws-lambda-go package.
This package will provide us with the needed functions to easily integrate our Go code with AWS Lambda.
In our main we will just need to start the Lambda with a handler like this:
Read More 
(Fabio Alessandro Locati|Fale)'s blog