Black Cat Blog

Thoughts, Stories, and Ideas

  • Great Therapy Session

    This morning I had a really good therapy session. I am reminded of the importance of therapy in addition to medication when treating depression. My therapist, Nan, is nothing short of incredible. We talked at length about learning, passion, and education.

    I told Nan about one of my goals which is to write a book about computers and networks. I shared with her my topic and intended audience but I was experiencing difficulty overcoming writer’s block. Since perfection in writing is impeding my progress, I had the insight that I would try speech to text. This may facilitate writing and lessen the tendency to seek perfection.

    Then Nan gave me a truly brilliant idea. Since the intended audience is a beginner to the professional side of computers and networks, she recommended that I write it in the form of a letter to a potential student. I was blown away! The sheer simple elegance. Now I have a weekend project. I’m going to start writing and see where this goes.

    Once I put words to paper so to speak, I’ll go back and edit my work. What if I could have the whole damn manuscript written and ready for publication!? That would be awesome. I’d love it if No Starch would take on publishing my book.

    I truly left the session feeling much much better than before. I feel renewed and motivated. I dare say I feel positive.

  • Nightmares

    I am not going to lie … last night was brutal for nightmares. They seemed to keep coming one after another so I am tired. Nightmares do not make for good sleep. Perhaps one day I will learn to control my dreams. I am honestly surprised because I had a decent day yesterday. Time to move on though.

    I hope to hear from VGM today or Monday. I’d like to be earning more money and have more flexibility. First I have to try it and see how it goes. If all goes well, I will reduce the number of hours I am working as a security guard to 16 on the weekends. I am tired of worrying about money and $23 an hour is significant.

    I don’t have any real grand plans for today other than going into work at 2:00PM instead of the usual time. This is okay with me and I don’t mind helping out the boss on occasion. I do have a therapy appointment at 11:00AM today which I am happy about because I need to talk to someone about some weighty issues. Perhaps I will find the concentration to work on my book, but if not, I won’t punish myself.

    I know that tomorrow I will have some good opportunities to work on my book. Since I seem to have writer’s block, I am going to try dictation. I just sent out a quick post on Mastodon to ask what tools might be available. Perhaps writer’s block isn’t really writer’s block but perfection being the enemy of progress. This is one of my mantras but I still seek perfection. Seeking perfection is blocking progress.

  • Another Day In The Salt Mines

    Another day and another shift working and toiling to make someone else wealthier. There’s nothing quite like the United States’ definition of freedom: economic freedom only. Have you ever noticed that the same self-righteous MAGAts that advocate locking up as many criminals as possible in dragnets complain that their freedumb is being impinged if laws are passed to help them? I’m sick and tired of the hypocrisy.

    Okay well enough whining on my part. I put Arch Linux – my favorite distro – back on my laptop. I don’t know why in the hell I was running Fedora. Clearly, I wasn’t thinking clearly. I’m happy to be back on the platform that I’ve grown to love. My desktop still uses Arch though. I had some dumb ass idea that Arch would not run that well on a laptop. I was very wrong. Arch is actually more battery efficient than Fedora.

    Well, in any case, I feel good about kicking Fedora to the curb. They capitulated to the age verification movement and they’re allowing AI contributions. As one of my favorite cartoon characters would say, “Uh huh huh huh …. Nope nope nope.” Chicken Hawk was hilarious! I digress. AI writes very poor code. Who knows what security holes are going to open. A good distribution is going down the toilet.

    I’m having fun being back on the fediverse via Mastodon. That’s the only social media that I feel is quality. If you’re already on it and want to follow me, just click on the link at the footer. Hope to see you there!

  • CGNAT and Self-Hosting

    One of the challenges for home lab enthusiasts with connections behind CGNAT is self-hosting. Due to the limitations of double NAT, you will need to rent a cloud VPS and create a VPN tunnel between the VPS and your router or a server behind the router. Fortunately, this can be done inexpensively and with relative ease. I use Cloudfanatic as they have the unusual blend of cheap with reliable. For $4.50 USD per month it cannot be beat. Let’s get down to business.

    We will be getting around the CGNAT restriction by using WireGuard. The neat thing with WireGuard is that you do not have to worry about your home public IP changing at random: the VPS side learns the new endpoint from the next authenticated packet the home peer sends, so nothing has to be updated by hand. I also need access to my home LAN through the tunnel, so that range will be routed over it as well.

    Here is an overview of the topology. Public IP addresses will be represented using the standard RFC5737 192.0.2.0/24 range. This is the exact solution that I use.

    [Home:CGNAT]<---------------->[VPS:192.0.2.1]
    Network: 192.168.1.0/24       WG: 192.168.128.1/32       
    WG: 192.168.128.2/32              fd00:f1ce:fd0d:1776::1
        fd00:f1ce:fd0d:1776::2

    Let’s work on the VPS-side first since that is the easiest one. I am running AlmaLinux 10 on the server. In the code blocks, commands beginning with hash marks need to be run as root. The first step is to enable IP Forwarding so that traffic gets passed between the WireGuard and public interfaces.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Once IP forwarding is configured, we can begin the WireGuard side of the configuration. In the next step we will be generating the VPS private and public keypair.

    # dnf install epel-release wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf
    # openssl rand -base64 32 > preshared.key
    

    Below is my server configuration, which has been sanitized. You will have to provide your specific keys. Put the config below in the wg0.conf file that you created in the previous step. While a pre-shared key is not a requirement, it is a strong recommendation because it adds a symmetric-key layer on top of the Curve25519 handshake, which is what provides the extra protection against future quantum attacks.

    [Interface]
    PrivateKey = <Server Private Key>
    Address = fd00:f1ce:fd0d:1776::1/128
    Address = 192.168.128.1/32
    ListenPort = 51820
    
    [Peer]
    PublicKey = <Home Public Key>
    PresharedKey = <Your Preshared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::2/128, 192.168.128.2/32, 192.168.1.0/24

    Once this configuration has been completed, it is time to configure the firewall to allow WireGuard traffic in-bound and forwarding between the WireGuard and public interfaces. Here is how to do this.

    # firewall-cmd --permanent --zone=public --add-service=wireguard
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Once the VPS-side has been configured, we can set up the machine that is going to act as the end point at home. I have a VM that is running all of the services that I self-host. This VM also acts as my WireGuard tunnel endpoint. You have an array of options but this keeps things simple. Remember to copy the public key from your home end point to the VPS configuration and vice versa. Please do the same with the pre-shared key.

    The first and most important step is to enable routing on the home endpoint.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Install WireGuard.

    # dnf install wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf

    Configure WireGuard.

    [Interface]
    PrivateKey = <Home Private Key>
    Address = fd00:f1ce:fd0d:1776::2/128
    Address = 192.168.128.2/32
    
    [Peer]
    PublicKey = <Server Public Key>
    PresharedKey = <Pre-shared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::1/128, 192.168.128.1/32
    Endpoint = 192.0.2.1:51820
    PersistentKeepalive = 25
    

    The firewall on the home side of the WireGuard tunnel is more complex because NAT must be enabled so that communication works bi-directionally: packets arriving from the VPS over wg0 are masqueraded to the VM’s LAN address, so other LAN hosts reply to the VM (which knows the way back through the tunnel) instead of trying to reach the unknown 192.168.128.0/24 range directly.

    # firewall-cmd --permanent --new-policy=wg-to-lan
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --permanent --policy=wg-to-lan --add-ingress-zone=trusted
    # firewall-cmd --permanent --policy=wg-to-lan --add-egress-zone=public
    # firewall-cmd --permanent --policy=wg-to-lan --set-target=ACCEPT
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --permanent --zone=public --add-masquerade
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Now we can bring the tunnel up. Do the following on both the VPS and the home sides.

    # systemctl enable --now wg-quick@wg0

    Once the tunnel is brought up, we can do some verification and testing. On the home side, you should see something similar to the following:

    # wg
    interface: wg0
      public key: <Home Public Key>
      private key: (hidden)
      listening port: 58512
    
    peer: <VPS Public Key>
      preshared key: (hidden)
      endpoint: 192.0.2.1:51820
      allowed ips: fd00:f1ce:fd0d:1776::1/128, 192.168.128.1/32
      latest handshake: 1 minute, 1 second ago
      transfer: 49.61 MiB received, 438.12 MiB sent
      persistent keepalive: every 25 seconds
    
    # ping -c 5 192.168.128.1
    PING 192.168.128.1 (192.168.128.1) 56(84) bytes of data.
    64 bytes from 192.168.128.1: icmp_seq=1 ttl=64 time=19.4 ms
    64 bytes from 192.168.128.1: icmp_seq=2 ttl=64 time=19.7 ms
    64 bytes from 192.168.128.1: icmp_seq=3 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.1: icmp_seq=4 ttl=64 time=18.3 ms
    64 bytes from 192.168.128.1: icmp_seq=5 ttl=64 time=22.9 ms
    
    --- 192.168.128.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 17.993/19.646/22.872/1.737 ms

    On the VPS, do the same thing:

    # wg
    interface: wg0
      public key: <VPS Public Key>
      private key: (hidden)
      listening port: 51820
    
    peer: <Home Public Key>
      preshared key: (hidden)
      endpoint: <Home IP>:58512
      allowed ips: fd00:f1ce:fd0d:1776::2/128, 192.168.128.2/32, 192.168.1.0/24
      latest handshake: 45 seconds ago
      transfer: 2.27 GiB received, 259.69 MiB sent
    
    # ping -c 5 192.168.128.2
    PING 192.168.128.2 (192.168.128.2) 56(84) bytes of data.
    64 bytes from 192.168.128.2: icmp_seq=1 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=2 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=3 ttl=64 time=18.2 ms
    64 bytes from 192.168.128.2: icmp_seq=4 ttl=64 time=19.2 ms
    64 bytes from 192.168.128.2: icmp_seq=5 ttl=64 time=19.3 ms
    
    --- 192.168.128.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 17.961/18.527/19.331/0.603 ms

    If you get results similar to the ones above, then the tunnel itself has been established between the two endpoints. The next step is to see if the VPS can reach your home network. The address I am pinging here represents my default gateway on the LAN. Again, you should see results similar to the ones below.

    # ping -c 5 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=22.0 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=63 time=20.2 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=63 time=20.0 ms
    
    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 20.031/20.694/22.026/0.707 ms

    From here, the sky is the limit. On the VPS side, though, you will need to set up port forwarding for access to services that are not HTTP/HTTPS. If you intend to host a website, use your favorite reverse proxy app. I use NGINX, but configuring it is beyond the scope of this post. The following sets up port forwarding for SSH so you can remotely access your network.

    # firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.128.2
    # firewall-cmd --reload

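
    As an added example that is not part of the original post: a small Python health check for the VPS side of the tunnel above, which parses the machine-readable `wg show wg0 dump` output (the same data the `wg` output above shows) and flags a stale or missing handshake, a missing pre-shared key, or AllowedIPs that no longer cover the home LAN, any of which silently breaks routing to 192.168.1.0/24. The sample dump, the placeholder keys and the 198.51.100.7 home endpoint are constructed.

```python
import ipaddress
import time

HANDSHAKE_MAX_AGE = 180  # seconds; WireGuard rekeys every 2 min, so older is stale
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # home LAN from the topology above

# Constructed sample in `wg show wg0 dump` format (tab-separated: the interface
# line, then one line per peer); NOW is the sample's reference time.
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "<VPS Private Key>\t<VPS Public Key>\t51820\toff\n"
    "<Home Public Key>\t<Preshared Key>\t198.51.100.7:58512\t"
    "fd00:f1ce:fd0d:1776::2/128,192.168.128.2/32,192.168.1.0/24\t"
    f"{NOW - 45}\t2437000000\t272300000\t25\n"
)

def parse_dump(dump):
    """Return one dict per peer; the first line (the interface itself) is skipped."""
    peers = []
    for line in [l for l in dump.splitlines() if l.strip()][1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "has_psk": f[1] != "(none)",
            "endpoint": f[2],
            "allowed_ips": [ipaddress.ip_network(a) for a in f[3].split(",") if a != "(none)"],
            "latest_handshake": int(f[4]),  # unix time, 0 means never
        })
    return peers

def check_peer(peer, now):
    """Problems for one peer; an empty list means the peer looks healthy."""
    problems = []
    if peer["latest_handshake"] == 0:
        problems.append("never handshaked")
    elif now - peer["latest_handshake"] > HANDSHAKE_MAX_AGE:
        problems.append(f"stale handshake ({int(now - peer['latest_handshake'])}s ago)")
    if not peer["has_psk"]:
        problems.append("no preshared key")
    # Cryptokey routing: the VPS only sends to the home LAN through this peer
    # if some IPv4 AllowedIPs entry covers the whole range.
    if not any(HOME_LAN.subnet_of(n) for n in peer["allowed_ips"] if n.version == 4):
        problems.append(f"{HOME_LAN} not covered by AllowedIPs")
    return problems

def tunnel_status(dump, now=None):
    """Map each peer's public key to its problem list (feed it `wg show wg0 dump`)."""
    now = time.time() if now is None else now
    return {p["public_key"]: check_peer(p, now) for p in parse_dump(dump)}
```

On the VPS, run `wg show wg0 dump` as root and pass its output to `tunnel_status`; an empty list for the home peer means the tunnel looks healthy, and a cron job that alerts on anything else is a cheap way to notice the tunnel dropping.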
  • The Future Of Work

    Is the future of work going to be work on a 1099 contractual basis? The reason I ask is I am seeing a steady trend towards this kind of work. I am not necessarily against it either. In fact, I would be absolutely for it if universal healthcare could be made available. All of the big corporations and the wealthy would stand to benefit from this and so would the working class. It creates entrepreneurial freedom and working freedom.

    I am actually a proponent of this style of working because it means more flexibility for life’s events that pop up. Although it is not without its warts because I could see the potential for abuse here, especially if work turned into a reverse auction where it is only offered to someone at the lowest price. I could also see abuse if people are charged to sign up for a gig site. There would need to be some controls put into place.

    The benefits are real and tangible, though, for both businesses and individuals if proper controls are put into place to prevent the moneyed class from outright exploitation. The freedom it would provide the working class would be wonderful. After all, we really don’t need to work 40 hours to get work accomplished. This is an anachronistic holdover from pre-technology times. Let’s all work less and enjoy life more.