Thanks sounds like a fun weekend project. My 72 cores are bored most of the time anyways. 😃
Can you recommend me a vulnerability scanner?
Vaultwarden really is great. The offline edits are my only gripe with it. Also I dislike how happily the browser extension discards your inputs when you click outside.
If you run opnsense it can do this for you. With an OK GUI.
Which vpn provider do you use for torrents?
Bonus points for creating lots and lots of networks grouping the databases together with only their respective containers.
ip a is a huge mess.
Thank you very much. I knew I needed a few nat rules but was unsure which exactly. I think I will be able to figure it out now. 😃
Yes exactly but without being http/https only and without decrypting the traffic on the vps.
That’s why the forwarded for header won’t work. It’s one layer below.
Thanks. Will checkout Yggdrasil.
That’s not what I want to accomplish. The clients connecting to machine B should not know that their traffic was handled by machine A. I will use DNATs to accomplish my goal. It is possible because tailscale can do exactly that. Thank you for your input though.
Maybe I am wrong we will see soon. 🙃
Wow this may have been the missing piece to get my setup working. If I manage to do it I will send you a URL to a git repo.
Looks nice. I think I will build two docker containers with wireguard and iptables. This blog will be a great help.
I have heard of it, seems like a good option. If you use it please tell me if it can fulfil my requirements.
Mhh I didn’t know headscale exists. Tailscale being proprietary was the main thing keeping me from using it.
Can you elaborate on the IP would not be unique part?
The reason I want to preserve the IP is mostly for fancy Grafana plots and traceability.
X-Forwarded-For is great but only works for http/https.
Also I would like to keep the https termination on machine B.
I will check out netbird.
I was hoping for a solution which allows for other protocols not just https and http. I will take a closer look at grok.
An ssh tunnel could work. I didn’t think of that. I will have to test how this interacts with docker but I think it must be set up directly on the host. I don’t think the ssh tunnel limitation applies since the service will still be reachable from A’s local network. Speed might be a concern but I will have to test.
I would at least overwrite the LUKS header.
Yes. That is possible. However if the hardware configuration/software configuration changes the TPM should trip and prevent decryption.
The attackers would have to break your ssh/terminal/lock screen/other insecure software. However code injection should be impossible because you used custom secure boot keys and ideally a signed unified kernel image. (Can’t even change kernel params without tripping the TPM.)
You would not be safe if they did a bus listening attack or if your shell pwd is not safe. If that is your threat vector this may not be a good option for you.
If you have a TPM 2 you can use secure boot (custom keys) to allow Linux to decrypt itself if nothing has changed.
Why not upgrade two drives to 12TB ones? May be cheaper.