How would you do this? What would be the steps you take to create a double NAT + Firewall + DHCP server with the OpenWRT router behind the main router?
Thank you! Could you explain a bit about what travelmate does under the hood? I’d like to know the basics of how it operates.
If you’re talking about k8s or similar, the initial time investment is heavy. After that though, it’s not very hard to get containers running with HA, better network segmentation and compatibility across run times. Containers are a lot more portable too, and allow granular levels of isolation and security.
Also, I personally think SELinux is somewhat hard to do well.
Wait, you don’t use containers?
More like, if you wanted the storage under the LUN to be shared through the VM. Essentially, mount the LUN into the VM and then run NFS/SMB from the VM as a NAS. Works out pretty well since with a little bit of trickery you can have a NAS that is also HA (assuming the storage pool doesn’t go down).
With that said, I’m very interested too.
Unless I completely misunderstood your question.
Ah, CG-NAT, is it? There are workarounds.
I’m interested in why you’re terminating TLS on your VPS instead of doing it on your home network.
How about running your wireguard server on a VPS and then connecting to the same interface as clients from your mobile and home network? No ports open on your side!
It is easier, but it can be considered as feature-bloat if you don’t really need the breadth of capabilities that it offers. Aside from that, OpenBSD has made specific choices to make it more secure than FreeBSD by default, though the configuration will depend upon the user.
It’s also more fun to DIY it and you no longer need to rely on a specialist version of BSD. You are closer to the source, so to speak.
Some reasons might just be philosophical, others can be technical if you have specific configuration that you’d want to achieve.
Thanks, I’ve read the guide. Would like to know what you’ve added on top.
If the switch is managed (I’m assuming it supports L3 functions which means inter-VLAN routing), then it’s possible to hop VLANs on the switch.
Well written article. Could you point to the instructions you followed to set up OpenBSD as your router + Firewall?
VLAN hopping can be done on outdated firmware if one is somewhat determined, AFAIK
libvirt does support “clustering”, at least in some capability; you can live migrate VMs between hosts.
The problem is that their Web interface and firmware in general are not updated (at all). I think it’s even possible for script kiddies to hack into such managed switches, which forms the reasoning behind my comment.
Does your switch produce its Web interface over TLS?
I did realise that, and apologies for my tone earlier.
With that said, this seems to be a slight bias - unless the PCB has some nefarious spy-chip built inside, hardware is hardware, regardless of where it comes from.
That TP-Link is a dumb switch. Unless you’re telling me that someone is going to find an opening in the firmware and hack their way into the ARP table or something (in which case the threat model here just became state actors and I don’t think the OP is safe with this equipment), I don’t think it affects much, if anything.
Now, if I’m mistaken and that is actually a managed switch; god help them with network security.
I didn’t know libvirt supported HA
Thank you!