🇨🇦

  • 8 Posts
  • 117 Comments
Joined 2 years ago
Cake day: July 1st, 2023

  • Most of my web services are behind my vpn, but there are a couple I expose publicly for friends/family to use. Things like emby, ombi, and some generic file sharing with file browser.

    One of these has a long custom path set up in nginx which, instead of proxying to the named service, will ask for HTTP basic auth credentials. Use the correct host+path, then provide the correct user+pass, and you’ll be served an OpenVPN configuration file which includes an encrypted private key. Decrypt that and you’ve got backdoor VPN access.


  • I keep vaultwarden behind a vpn so it’s not exposed directly to the net. You don’t need a constant connection to the server; that’s only needed to add/change vault items.

    This does require some planning though; it’s easy to lock yourself out of your accounts when you’re away, if you don’t incorporate a backdoor of some kind to let yourself in in an emergency. (lost your device while away from home for example)

    My normal VPN connection requires a private key and a password that’s stored in my vault to decrypt it. I’ve set up a method for retrieving a backup set of keys using a series of usernames, emails, passwords, and undocumented paths (these are the only passwords I actually memorize), allowing me to reach vaultwarden where I can retrieve my vault with the data needed to log in to everything else properly.


  • Usually that does the trick for me too; but this morning it just would not cooperate no matter what I tried.

    Seems to be playing ball again, for now.

    I have a feeling this is more to do with Android/Google not wanting to give up control more than anything. If Google’s stuff always works, but third-party stuff is mysteriously always glitchy, users are going to gravitate to Google and their ever-growing monopoly…


  • I’m so tired of seeing this overblown reaction to ancient non-news.

    Yes, there are some minor vulnerabilities in Jellyfin; but they really really aren’t concerning.

    Unauthenticated, a random person could potentially (with some prior knowledge of this specific issue, and some significant effort randomly generating media UUIDs to try out) retrieve/playback some media unauthorized. THAT’S IT. That’s the ONLY real concern. And it’s one you could mitigate with a fail2ban filter if you were that worried about it.

    The other ‘issues’ here are the potential for your already authenticated users to attack each other’s settings. Who do you share your server with that you’re concerned about them attacking each other???

    Put this to bed and stop fussing over it. It’s genuinely not worth your time or attention. Exposing Jellyfin to the net is fine.

    Dev comment on the situation: (4 days ago) https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
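
An added illustration of the fail2ban idea the comment above mentions, written for this page (it is not the commenter's code and not anything from the Jellyfin project). It reproduces fail2ban's failregex/maxretry/findtime logic in plain Python over constructed nginx access-log lines, so you can see which client would be banned and why. The `/media/<32 hex>/stream` path and the IPs are placeholders, not real Jellyfin endpoints.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in nginx "combined" format (not real Jellyfin traffic).
# The request path is a placeholder that merely looks like an item-ID lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:10:00:01 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10000/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2025:10:00:02 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10001/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2025:10:00:03 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10002/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2025:10:00:04 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10003/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2025:10:00:05 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10004/stream HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.20 - - [10/Apr/2025:10:00:06 +0000] "GET /media/aaaaaaaabbbbccccddddeeeeeeeeeeee/stream HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2025:10:00:07 +0000] "GET /media/ffffffffbbbbccccddddeeeeeeeeeeee/stream HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2025:11:30:00 +0000] "GET /media/1f2d3c4b5a697887a6b5c4d3e2f10005/stream HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# fail2ban-style failregex: a media lookup by 32-hex id that the server rejects
# (401/403/404).  A legitimate client that plays one wrong id triggers it once;
# guessing produces a burst of them from one address.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /media/[0-9a-f]{32}/\S* HTTP/[\d.]+" (?P<status>40[134]) '
)


def parse_time(ts: str) -> datetime:
    """Parse the nginx timestamp, e.g. '10/Apr/2025:10:00:01 +0000'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def matches(log_text: str):
    """Yield (ip, timestamp) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield m.group("host"), parse_time(m.group("ts"))


def find_offenders(log_text: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time_of_ban} for each IP that accumulates `maxretry`
    matches inside a sliding `findtime`-second window.  Log lines are
    assumed to be in chronological order, as a real access log is."""
    window = defaultdict(deque)   # ip -> timestamps of recent matches
    banned = {}
    for ip, when in matches(log_text):
        q = window[ip]
        q.append(when)
        # drop matches that fell out of the findtime window
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = when
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

With the defaults, 203.0.113.7 is flagged on its fifth rejected lookup within ten seconds, while the single 404 from 198.51.100.20 and the lone retry at 11:30 stay under the threshold. In a real fail2ban deployment the same regex goes into a filter's `failregex` with `<HOST>` in place of the `host` group, and `maxretry`/`findtime` are set in the jail; the thresholds above are illustrative, not recommended values.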


  • Where in the world did you get that idea?

    VPNs serve three functions:

    • add a layer of encryption so your local network operator and ISP can’t inspect your traffic, its contents and its true destination. (this is what OP is looking for)

    • make it appear to the service you are connecting to, that you are connecting from a different location than where you actually are. (for example make Netflix think you’re in a different region to show you different content)

    • provide secure access to private services that are not exposed directly to the Internet, i.e. securely connecting devices on separate LAN networks together over the Internet via an encrypted tunnel. This is a VPN’s true purpose and how they are primarily used in professional/commercial settings. (pretty much every corporation you’ve ever interacted with runs a VPN that connects its stores/warehouses/offices together)


  • I really don’t like the idea of every device automatically having a publicly reachable IP.

    There are certainly situations where that would be nice; but I’m quite fond of most equipment and services being behind a router and its firewall, requiring explicit configuration to be exposed to the open net.

    Nobody outside my home network ever needs access to my toaster… (btw, why tf is my toaster wifi enabled…?)


  • I will always recommend Borg backup just because of its compression+de-duplication algorithms:

    550 GB of raw data, 20 historical backups going back over a year (10.98 TB of data total), only 400 GB of disk space used to store them all…

    You can back up directly to remote servers via ssh, nfs, or directly between two borg instances, optionally encrypted in transit and at rest.

    Borg is a CLI tool normally, but there are a number of GUI frontends you can use if you really want: Vorta, BorgWeb, and BorgWarehouse for example. (I’ve not used any of these, just examples from a Google search)
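
An added toy model of why twenty historical backups can fit in less space than one copy of the raw data, written for this page (it is not Borg's code and uses none of Borg's formats; Borg uses a buzhash-based chunker and compresses chunks, which this leaves out). It chunks each backup by content rather than by fixed offsets, stores each chunk once under its SHA-256, and compares the bytes kept against fixed-size chunking after a small insertion near the front of the file. The data, chunk sizes and archive names are constructed.

```python
import hashlib
import random


def cdc_chunks(data: bytes, window: int = 16, mask: int = 0x3F,
               min_size: int = 32, max_size: int = 512) -> list:
    """Content-defined chunking with a Rabin-Karp style rolling hash over
    the last `window` bytes.  A boundary is cut where the low bits of the
    hash are all zero, so boundaries depend on content, not on offset."""
    B, M = 257, 1 << 32
    pow_w = pow(B, window, M)
    chunks, start, h = [], 0, 0
    for i, c in enumerate(data):
        h = (h * B + c) % M
        if i >= window:                       # slide the window forward
            h = (h - data[i - window] * pow_w) % M
        size = i + 1 - start
        if (size >= min_size and (h & mask) == 0) or size >= max_size:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data: bytes, size: int = 64) -> list:
    """Naive alternative: chunk by fixed offset.  Any insertion shifts every
    later chunk, so they all look new."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class Repo:
    """Minimal content-addressed store: chunk id -> bytes, plus archives
    that are just lists of chunk ids (constructed model, not Borg's layout)."""

    def __init__(self, chunker=cdc_chunks):
        self.chunker = chunker
        self.store = {}
        self.archives = {}

    def create(self, name: str, data: bytes) -> list:
        ids = []
        for ch in self.chunker(data):
            cid = hashlib.sha256(ch).hexdigest()
            self.store.setdefault(cid, ch)     # identical chunk stored once
            ids.append(cid)
        self.archives[name] = ids
        return ids

    def extract(self, name: str) -> bytes:
        return b"".join(self.store[c] for c in self.archives[name])

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self.store.values())


def demo() -> dict:
    """Two 'daily' backups of the same ~20 KB file; day2 has 14 bytes inserted
    near the front.  Returns raw size vs bytes kept by each chunker."""
    rng = random.Random(7)
    v1 = bytes(rng.getrandbits(8) for _ in range(20_000))   # constructed data
    v2 = v1[:5_000] + b"inserted-line\n" + v1[5_000:]
    results = {"raw": len(v1) + len(v2)}
    for label, chunker in (("cdc", cdc_chunks), ("fixed", fixed_chunks)):
        repo = Repo(chunker)
        repo.create("day1", v1)
        repo.create("day2", v2)
        results[label] = repo.stored_bytes()
        results[label + "_roundtrip"] = repo.extract("day2") == v2
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With content-defined chunking the second backup adds only the chunk or two around the edit (a few hundred bytes on top of the 20 KB already stored), whereas fixed-offset chunking re-stores everything after the insertion point. Scaled up, that is the effect behind the 10.98 TB of history fitting in 400 GB: unchanged files cost nothing beyond their chunk ids, and edited files cost roughly the size of the edit.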


  • This has actually been one of the biggest reasons I’ve been hesitant too. Looking at that list, my bank isn’t on it (a regional credit union), nor is my credit card provider which also has an app for management.

    On top of that, there’s a provincial ID app that’s recently rolled out. It’s become somewhat important for reaching certain government services and can only really be transferred from one working device to another unless you go through the whole process to have it issued again.

    I have no idea if that will work on Graphene and I don’t have a second device to transfer it to while I wipe this and put a new ROM on it.

    I do want to try GrapheneOS, but I think I’m going to wait for my next device and start from scratch with that.

    That does leave me with a question though. If you do install GrapheneOS or another OS/ROM and it’s not working out for you, how hard is it to get back to factory, or at least back to a ‘standard’ Android install?