On Thu, 13 Jun 2024 at 11:08, BD dzidek23@gmail.com wrote:
An example that I have seen working was a ZTNA configuration with Fortinet hardware and SDN for network separation.
That sort of thing will be out of my budget!
I suspect the same thing could be achieved using pfSense and network management (with a nice GUI to control it). Quick search on the Internet for "pfSense zero trust" returned a few interesting sites. Additionally pfSense can serve as a VPN concentrator too.
I spent a bit of time looking into this. The biggest issue for me is that it's FreeBSD and most of our stuff is hosted at DigitalOcean, and they no longer offer FreeBSD as an option. I can of course look elsewhere, but DO combine the bandwidth of all your services and we're nowhere close to using it all, so putting a VPN which could potentially be fairly heavy traffic somewhere it can use that bandwidth makes sense if I can.
I spent ages playing with WireGuard - there are some useful tools for building the config ([1], [2]) but I never got a configuration which worked properly with my phone over mobile data (or my laptop using mobile data over a hotspot) and as that's one of the main things I needed to achieve I ended up walking away from my attempts (in part because I managed to get the old SSL-based VPN working over those connections by turning off "FastSSL").
I'd like to get this working at some point but a day and a half of experimenting and getting nowhere useful was as much (more if I'm honest) as I could afford to allocate to it.
[1] https://www.wireguardconfig.com/ - Configuration builder
[2] https://github.com/mvpsnet/wireguard4vps - PHP-based manager
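As an added example (not Mark's configuration, and not code from the two linked tools), here is a small Python script that does offline what those config builders do: it generates WireGuard-style X25519 key pairs in pure Python (the RFC 7748 ladder, no third-party library) and emits a server config plus a config for a roaming client such as a phone on mobile data. The hostname vpn.example.com, the 10.8.0.0/24 tunnel range and the port are placeholders. It shows the two settings that matter for a client behind carrier NAT: the server has no Endpoint for the phone and learns the phone's current address from each authenticated handshake, and the phone sets PersistentKeepalive so the NAT mapping stays open while the tunnel is idle.

```python
import base64
import os

# X25519 in pure Python, following RFC 7748 section 5. Illustrative only: Python
# big-int arithmetic is not constant-time, so do not use this for production keys.
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9


def _clamp(k: bytes) -> bytes:
    """Curve25519 scalar clamping; `wg genkey` applies the same bit fixes."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _cswap(swap: int, a: int, b: int) -> tuple[int, int]:
    dummy = swap * (a ^ b)           # swap is 0 or 1
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication: returns k * u as 32 LE bytes."""
    k_int = int.from_bytes(_clamp(k), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv_b64: str) -> str:
    """Base64 public key for a base64 private key, as shown in wg configs."""
    return base64.b64encode(x25519(base64.b64decode(priv_b64), BASEPOINT)).decode()


def generate_keypair() -> tuple[str, str]:
    """(private, public) as the base64 strings WireGuard configs use."""
    priv_b64 = base64.b64encode(_clamp(os.urandom(32))).decode()
    return priv_b64, public_key(priv_b64)


def build_configs(server_priv: str, client_priv: str, endpoint_host: str,
                  listen_port: int = 51820, keepalive: int = 25,
                  full_tunnel: bool = True) -> tuple[str, str]:
    """Return (server.conf, phone.conf) for one server and one roaming client."""
    server_pub, client_pub = public_key(server_priv), public_key(client_priv)
    # Server side: deliberately no Endpoint for the phone. WireGuard takes the
    # peer's current public address:port from each authenticated handshake, so the
    # client can move between Wi-Fi and mobile data. AllowedIPs is also the ACL:
    # decrypted packets from this peer with any other source address are dropped.
    server = f"""[Interface]
Address = 10.8.0.1/24
ListenPort = {listen_port}
PrivateKey = {server_priv}

[Peer]
# phone (roaming client)
PublicKey = {client_pub}
AllowedIPs = 10.8.0.2/32
"""
    # Client side: carrier NAT forgets idle UDP mappings, after which the server
    # cannot reach the phone until the phone sends something; the keepalive keeps
    # the mapping alive. MTU 1280 is a conservative choice (wg-quick default 1420).
    routes = "0.0.0.0/0, ::/0" if full_tunnel else "10.8.0.0/24"
    client = f"""[Interface]
Address = 10.8.0.2/32
PrivateKey = {client_priv}
MTU = 1280

[Peer]
PublicKey = {server_pub}
Endpoint = {endpoint_host}:{listen_port}
AllowedIPs = {routes}
PersistentKeepalive = {keepalive}
"""
    return server, client


if __name__ == "__main__":
    s_priv, _ = generate_keypair()
    c_priv, _ = generate_keypair()
    for conf in build_configs(s_priv, c_priv, "vpn.example.com"):
        print(conf)
```

For a full tunnel (AllowedIPs = 0.0.0.0/0 on the phone) the server additionally needs net.ipv4.ip_forward=1 and a MASQUERADE rule on its public interface, usually put in PostUp/PostDown; the example leaves that out. For real keys use `wg genkey | tee priv | wg pubkey` rather than the Python ladder, which is here only so the script runs without any dependencies.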
On 27/06/2024 13:57, Mark Rogers wrote:
[Big SNIP]
Hi Mark,
Two things:
1) I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
2) You might like to have a look at Shorewall...
Cheers, Laurie.
On Fri, 28 Jun 2024 at 11:55, Laurie Brown laurie@brownowl.com wrote:
- I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
Does anyone actually use uceprotect? (Well, anyone who matters?)
I don't send emails directly from my servers anyway so this isn't an issue (we use mailgun or aws SMTP servers).
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
I looked at Vultr around the same time we moved to DO (almost a decade ago it turns out). We've never had any issues with DO but I have often thought about using a mixture of the two.
(I think there are better hosts if you have the resources, but in the $5/mo market they're both pretty strong). Hetzner also came up recently as a European-based alternative.
- You might like to have a look at Shorewall...
One weakness of DO is that you're pretty limited to the distros they support. It's never really been an issue but it does limit me here whilst I am sticking with them.
I might have to think about spinning up a VM at Vultr for testing. Google suggests they give a flat 2TB bandwidth regardless of how much stuff I have with them? Seems an odd approach so maybe I misread it. But that would be enough for my purposes I am sure.
On 29/06/2024 12:53, Mark Rogers wrote:
[Big SNIP]
I'm slow to the discussion (way too busy to check lists at the moment), but...
I use WireGuard quite happily, albeit my configuration is fairly basic. I have a fixed IP address, so that makes things more practical, although I think you should be OK with just a single fixed IP and connecting in and routing through that. Not something I've played with yet.
That said, you may like to take a look at Tailscale (https://tailscale.com/), which takes the hassle out of WireGuard and allows you to manage the links through a central management account (hosted by them, but I think you could set up your own - don't quote me though!). There is a free tier, but if you are looking at a VPS then you may like to look at the $6 a month to see if you need the extra. I haven't used it myself, but several attendees at Portsmouth LUG swear by it.
On 29/06/2024 12:53, Mark Rogers wrote:
On Fri, 28 Jun 2024 at 11:55, Laurie Brown laurie@brownowl.com wrote:
- I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
Does anyone actually use uceprotect? (Well, anyone who matters?)
Yes. I was blocked by both MS (hotmail/outlook) and Google. It was a nightmare to get exemptions from them, and DO couldn't give a flying one.
UCEProtect block an entire Class C if they decide any spam has been sent, and they want payment, monthly, to unblock each single IP. IMO it's a criminal scam, but they don't give one either. That's why I dumped DO for Vultr, who are better anyway, IMO.
Apple was a different story, but another marathon.
I don't send emails directly from my servers anyway so this isn't an issue (we use mailgun or aws SMTP servers).
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
I looked at Vultr around the same time we moved to DO (almost a decade ago it turns out). We've never had any issues with DO but I have often thought about using a mixture of the two.
I was happy with DO until UCE came along and DO didn't care.
Cheers, Laurie.
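As an added example (not Laurie's or Mark's code), here is the check a practitioner would run before trusting a VPS address for direct outbound mail: a DNSBL lookup against UCEProtect's three published zones. A DNSBL query is an A lookup of the reversed IPv4 octets under the list's zone; an answer inside 127.0.0.0/8 means listed and NXDOMAIN means not listed. The level decides the width of a listing (level 1 a single address, level 2 the whole allocation, level 3 the whole ASN), which is how every address a provider has can end up covered at once. Only the standard library is used, and the network lookup sits behind a resolver parameter so the name construction and listing logic can be exercised offline; 203.0.113.10 is a documentation address used as the default.

```python
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Optional

# UCEProtect's three zones; the level decides how wide a listing is.
UCEPROTECT_ZONES = {
    "dnsbl-1.uceprotect.net": "level 1: single address",
    "dnsbl-2.uceprotect.net": "level 2: whole allocation / netblock",
    "dnsbl-3.uceprotect.net": "level 3: whole ASN",
}
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBL "listed" answers live here

Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for ip under zone: octets reversed, e.g. 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage or IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """First A record for name via the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=UCEPROTECT_ZONES,
             resolve: Resolver = system_resolve) -> Dict[str, Optional[str]]:
    """Map each zone to the raw DNSBL reply (None when the name does not exist)."""
    return {zone: resolve(dnsbl_name(ip, zone)) for zone in zones}


def listed_zones(results: Dict[str, Optional[str]]) -> List[str]:
    """Zones whose reply is a real listing. A reply outside 127.0.0.0/8 is kept in
    results for the operator to see but is not counted as a listing."""
    return [zone for zone, reply in results.items()
            if reply is not None and ipaddress.IPv4Address(reply) in LISTED_RANGE]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_ip(target)
    for zone, reply in results.items():
        print(f"{zone:26} {UCEPROTECT_ZONES[zone]:38} {reply or 'not listed'}")
    # Non-zero exit when listed, so the check can gate a deploy or a cron alert.
    sys.exit(1 if listed_zones(results) else 0)
```

Run it as `python3 dnsbl_check.py <your-server-ip>` from a host with normal DNS; a level-2 or level-3 hit with level 1 clean is the "whole range, not just me" situation described above, and is worth knowing before choosing to relay through Mailgun or SES instead.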