Fabio Alessandro Locati (Fale)'s blog

Nebula VPN split configuration

October 31, 2024

We have had Nebula VPN within the Fedora repositories for a couple of years. A couple of months ago, I changed the default systemd service unit. More specifically, this is the change:

-ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+ExecStart=/usr/bin/nebula -config /etc/nebula
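Review bot: switching `-config` from a single file to the directory means every YAML file under /etc/nebula is merged into the effective configuration, so this change should come with a note on two points it does not address: the directory's ownership and permissions now gate the whole configuration (any file an administrator or a stray process leaves there, including editor backups with a YAML extension, becomes part of the running config), and the precedence when the same key appears in more than one file is not documented here, so operators cannot predict which value wins.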

Although only a few characters long, this change allows for a much more flexible use of Nebula. Before this change, the configuration could only be placed in the config.yml file. After this change, all YAML files in the folder will be read, merged, and used as configuration.


Forward all your traffic with RedSocks

April 30, 2024

VPNs can be used in different ways based on the desired objective. If the goal is to reach some specific web pages served only within a network, using a proxy will probably do the trick. Another common use for VPNs is to ensure the confidentiality of data transferred between a remote system and a safe site. In this case, we might want to ensure that all traffic from the remote system reaches the safe site via the VPN.


Use Dante to proxy web traffic

March 31, 2024

A while ago, I posted about using SSH to proxy traffic within a Nebula network context. In the last few months, I changed my implementation because SSH required some steps and accesses that I was not fully happy with.

In the previous iteration, I was using SSH as a SOCKS proxy. The problem, though, is that I need to set up the connection every time and use my SSH credentials, so it becomes difficult to have it always on. A different SOCKS proxy software needs to be used to achieve the same result without SSH.


Please stop using VPN services for privacy!

March 29, 2024

For many years, VPN companies have advertised their VPNs as a necessary tool for all people who want to preserve their privacy. For the same amount of time, I tried to explain to people that this view made no sense, except for those companies' sales.

As an example, Onavo, a Meta subsidiary, used to advertise its services by highlighting that, among other advantages, using their product “protects your personal info”. This claim would not be a problem by itself, but it becomes one when a court finds out that it is not actually true, and new court documents seem to indicate that the behavior was worse than initially thought.


Use SSH to proxy web traffic

November 28, 2022

As discussed in a previous post, I use Nebula to create a VPN connection between the various machines I use. Usually, what I really care about in this setup is the ability to consume the services those machines expose on my Nebula network.

When I travel, I prefer to proxy my data through my Nebula network. This allows me to not have to care about the limitations imposed on those networks, as long as I’m able to open my tunnel. The second advantage is that I can choose the location where my traffic leaves my VPN, since I have multiple machines in multiple nations. Another advantage is that I can be sure that no data is visible to the network manager, even if this is becoming less and less relevant, since the majority of the traffic is encrypted nowadays.


Nebula on Fedora

June 30, 2022

In the last year, I moved more and more data and services to hardware that I can directly control. A direct consequence of this is that I started to run more hardware at my house. This change has been very positive, but it is suboptimal when not at home. All services I run are secure and could be shared directly on the web, but I prefer a more cautious approach. For this reason, I decided to create a VPN.


VPN with NAT in Google Cloud

March 1, 2020

Google Cloud provides the capability of terminating a VPN connection with a VPN Gateway. The problem is that the VPN Gateway - at the moment - is relatively limited in capabilities. One of the missing capabilities I would have liked to see implemented is the NAT capability.

VPNs can be used to connect the machines of two different parties. Although this is usually not the best architectural pattern, since a connection over the public internet encrypted at the Transport Layer is often a better option, it’s relatively common in more legacy environments. When a VPN is used in this way, it is very common to run into an IP address space collision, and therefore it becomes necessary to use some form of NAT. Let’s see how to implement this scenario in Google Cloud without terminating the VPN directly on an instance (which is possible but has its problems, and maybe we’ll discuss it at some point in the future).
