CAPTIVE DNS USING VYOS

Dealing with hardcoded DNS servers on home networks, like those found in smart TVs and Chromecast, presents a challenge for enforcing ad-blocking and tracking prevention. In this guide, we’ll solve this issue by configuring NAT rules on a Vyos router to redirect requests from devices that have hard-coded DNS servers to your own DNS server.

I use Blocky as my DNS server on my home network, but this should work with Pi-hole and any other DNS server as well.

To work around this, I set up a few NAT rules on my VyOS router that redirect any DNS queries destined for unknown DNS servers to my Blocky server.

VYOS AS A REVERSE PROXY LOAD BALANCER

VyOS, the robust open-source network operating system, has recently introduced an exciting new capability – the ability to function as a load-balancing reverse proxy. This integration leverages HAProxy, a battle-tested proxy server and load balancer, giving VyOS reverse proxy and application load balancing functionality. While the integration is still in its early stages and lacks many of HAProxy's features, what it does offer is promising and will hopefully improve with time.

My particular use case for this feature is to allow me to host services at home, despite being behind CGNAT.

In my previous articles, I described how to configure a site-to-site VPN between two VyOS routers. This is effectively how I bypass my ISP's CGNAT.

VYOS - WIREGUARD BASED ROAD WARRIOR VPN CONFIGURATION

In our modern, hyper-connected world, where remote work and global access are increasingly vital, the need for secure connectivity to your home or office network has evolved from a luxury to an essential requirement.

Whether you’re a professional in need of remote access to an office network or a passionate home lab enthusiast managing various services, a road-warrior style VPN is your key to top-tier, secure and hassle-free remote server access from anywhere in the world.

Whether you are managing a personal web server, delving into home automation experiments, or overseeing your own cloud services, this guide serves as your trusty roadmap, expanding on the principles covered in our previous post about establishing a site-to-site VPN with WireGuard and VyOS. We now shift our focus to the individual user’s perspective, bridging the geographical gap between your current location and the heart of your network from anywhere in the world. Together, we’ll navigate the process of configuring VyOS to function as a WireGuard VPN server, enabling you to access your digital realm with unwavering security and unrivaled ease.

VYOS - SITE-TO-SITE VPN USING WIREGUARD AND OSPF

Connecting two sites securely and efficiently is essential for many businesses and individuals.

In this post, we’ll explore how to achieve seamless connectivity between two locations using the powerful combination of WireGuard, a modern and high-performance VPN protocol, and VyOS, a robust and versatile network operating system.

Whether you’re looking to enhance communication between remote offices, create a secure link between your data center and a cloud-based infrastructure, or simply want to connect two geographically separated sites, this guide will walk you through the process, ensuring a reliable and secure connection every step of the way.

To illustrate this process, I will use my own use case as an example. I manage equipment hosted in a colocation data center, which I affectionately refer to as my ‘colo-lab’, and I also maintain a ‘home-lab’.

USING FREEIPA CA AS AN ACME PROVIDER FOR CERT-MANAGER

I’m using FreeIPA for authentication services in my home lab. It’s extreme overkill for my situation, as I don’t have many users (mainly just me!) but alas I like overkill. :)

I am using FreeIPA’s DNS service to host some DNS subdomains for internal services. I have configured these subdomains through DNS delegations, but since my IPA servers are not accessible from the internet, this breaks both the HTTP-01 and DNS-01 verification challenges from LetsEncrypt.

Yesterday evening, I was playing around with TrueCommand and had it hosted on one of my internal IPA domains, but as I cannot use LetsEncrypt to issue a certificate for it, I decided to use the CA built into FreeIPA, since it supports ACME as well.

PLAYING WITH MASTODON, THE OPEN SOURCE, FEDERATED SOCIAL NETWORK

I recently started playing with Mastodon, an open source, Twitter-like social network.

In the past, I’ve looked at StatusNet (now known as GNU Social), but at the time it did not seem very intuitive, and it had a number of problems which I can no longer remember.

So far I have been using Mastodon for almost a month, and while the community is very small, I’m finding myself using it more than I do Twitter (or any other social media platform for that matter).

Mastodon is a federated social network, meaning unlike Twitter, Facebook or Instagram, anyone can run their own instance and be able to interact with users on other instances.

ATHAN ON GOOGLE HOME (VIA HOME ASSISTANT)

Update
I recently migrated my blog from WordPress to Hugo. Due to this migration, the comments that were originally on this post are not present. I hope to migrate them over soon.
Info

I’ve had quite a lot of messages for help with getting this working. The best place to reach me would be via this Matrix room: #hamzahs-chat:intahnet.co.uk.

Please use the Matrix room and avoid using my Instagram, LinkedIn etc.

I have a Google Home which I have been using for various things as I very slowly build my collection of “smart” devices.

One thing I was very interested in making my Google Home do is to have the Athan play when it is time for prayer. Unfortunately, there isn’t any native way to do this with a Google Home at the moment.

GROWING DATE PALMS FROM SEED

Recently my auntie gave me some Ajwah date fruit she got while she was in Medina in Saudi Arabia. I absolutely love dates and have always heard that dates have a lot of health benefits. While I was enjoying my dates, I decided to Google what the health benefits actually are. Somehow, I came across an article and discovered that it’s actually possible to grow date palms indoors using the seeds. I’m not sure why, but the thought hadn’t crossed my mind that they are grown from seed. Some people have even managed to have some success in crappy weather like we have in the UK.

CISCO ASA 9.2 ON CISCO ASA 5505 WITH UNSUPPORTED MEMORY CONFIGURATION FAIL

Update
16th November 2015 - It looks like it now works. I am currently running asa924-2-k8.bin on my 5505s, with my 1GB sticks of RAM, and it hasn’t complained! 🙂

The Cisco ASA 5505 officially supports a maximum of 512MB RAM.

Last year I wrote a post detailing a small experiment I did in which I upgraded both my Cisco ASA 5505s to use 1GB sticks of RAM, double the officially supported value.

Since then, it has worked great and both boxes have been chilling out in my rack, but recently Cisco released ASA 9.2.

The full list of new features and changes can be read in the release notes, but the feature I was most excited about was BGP support being added.

SECURING YOUR POSTFIX MAIL SERVER WITH GREYLISTING, SPF, DKIM AND DMARC AND TLS

A few months ago, while trying to debug some SPF problems, I came across “Domain-based Message Authentication, Reporting & Conformance” (DMARC).

DMARC basically builds on top of two existing frameworks, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

SPF is used to define who can send mail for a specific domain, while DKIM signs the message. Both of these are pretty useful on their own and reduce incoming spam significantly, but the problem is that you don’t have any “control” over what the receiving end does with the email. For example, company1’s mail server may just give the email a higher spam score if the sending mail server fails SPF authentication, while company2’s mail server might outright reject it.
