Black Cat Blog

Thoughts, Stories, and Ideas

  • Another Day In The Salt Mines

Another day and another shift working and toiling to make someone else wealthier. There’s nothing quite like the United States’ definition of freedom: economic freedom only. Have you ever noticed that the same self-righteous MAGAts that advocate locking up as many criminals as possible in dragnets complain that their freedumb is being impinged if laws are passed to help them? I’m sick and tired of the hypocrisy.

    Okay well enough whining on my part. I put Arch Linux – my favorite distro – back on my laptop. I don’t know why in the hell I was running Fedora. Clearly, I wasn’t thinking clearly. I’m happy to be back on the platform that I’ve grown to love. My desktop still uses Arch though. I had some dumb ass idea that Arch would not run that well on a laptop. I was very wrong. Arch is actually more battery efficient than Fedora.

    Well, in any case, I feel good about kicking Fedora to the curb. They capitulated to the age verification movement and they’re allowing AI contributions. As one of my favorite cartoon characters would say, “Uh huh huh huh …. Nope nope nope.” Chicken Hawk was hilarious! I digress. AI writes very poor code. Who knows what security holes are going to open. A good distribution is going down the toilet.

    I’m having fun being back on the fediverse via Mastodon. That’s the only social media that I feel is quality. If you’re already on it and want to follow me, just click on the link at the footer. Hope to see you there!

  • Next Steps

    I’m thinking about my next steps in life because I can no longer stomach the thought of another shift as an unarmed security guard. I only have one good iron in the fire and that is with VGM and Uber. I’d get $23 an hour plus tips but we know tips are quite rare. I need to seriously work on some other options. I do like my boss quite a bit and I’ll honestly miss the guy if I end up leaving my security job. He’s been very fair to me.

    I have work today, and to be honest, I am not looking forward to it at all. I am still a bit tired but I know I need the money so I’ll be there and on time. I am finding myself revisiting writing the book I had planned a bit ago. I used ChatGPT to help me organize my thoughts better and come up with an outline. I have a title in mind, The Beginner’s Home Lab Book: Learn Linux & BSD by Building Real Systems.

    By my figuring, I can work on the book on the weekends. My plan, if all things go as I hope, will be to reduce my hours to 16 on the weekends and spend 2-3 days per week driving for VGM. That should end up helping me out a lot more.

  • CGNAT and Self-Hosting

    One of the challenges for home lab enthusiasts with connections behind CGNAT is self-hosting. Due to the limitations of double NAT, you will need to rent a cloud VPS and create a VPN tunnel between the VPS and your router or a server behind the router. Fortunately, this can be done inexpensively and with relative ease. I use Cloudfanatic as they have the unusual blend of cheap with reliable. For $4.50 USD per month it cannot be beat. Let’s get down to business.

    We will be getting around the CGNAT restriction by using WireGuard. The neat thing with WireGuard is that you do not have to worry about random IP changes. This will be all updated on the WireGuard VPN endpoint. I need access to my home network so it will be routed appropriately.

Here is an overview of the topology. Public IP addresses are represented using the RFC 5737 documentation range 192.0.2.0/24. This is the exact solution that I use.

    [Home:CGNAT]<---------------->[VPS:192.0.2.1]
    Network: 192.168.1.0/24       WG: 192.168.128.1/32       
    WG: 192.168.128.2/32              fd00:f1ce:fd0d:1776::1
        fd00:f1ce:fd0d:1776::2

    Let’s work on the VPS-side first since that is the easiest one. I am running AlmaLinux 10 on the server. In the code blocks, commands beginning with hash marks need to be run as root. The first step is to enable IP Forwarding so that traffic gets passed between the WireGuard and public interfaces.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Once IP forwarding is configured, we can begin the WireGuard side of the configuration. In the next step we will be generating the VPS private and public keypair.

    # dnf install epel-release wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf
    # openssl rand -base64 32 > preshared.key
    

Below is my server configuration, which has been sanitized. You will have to provide your specific keys. Put the config below in the wg0.conf file that you created in the previous step, and keep private.key and preshared.key readable by root only (running `umask 077` before generating them takes care of that). While a pre-shared key is not a requirement, it is strongly recommended: WireGuard mixes it into the handshake as an additional symmetric-key layer, which hedges against a future quantum computer breaking the Curve25519 key exchange. `wg genpsk` produces the same kind of 32-byte base64 key as the openssl command above.

    [Interface]
    PrivateKey = <Server Private Key>
    Address = fd00:f1ce:fd0d:1776::1
    Address = 192.168.128.1
    ListenPort = 51820
    
    [Peer]
    PublicKey = <Home Public Key>
    PresharedKey = <Your Preshared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24

Once this configuration has been completed, it is time to configure the firewall to allow WireGuard traffic inbound and forwarding between the WireGuard and public interfaces. Each --permanent change only takes effect after a reload; reloading once at the end works just as well as reloading after every command. Here is how to do this.

    # firewall-cmd --permanent --zone=public --add-service=wireguard
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Once the VPS-side has been configured, we can set up the machine that is going to act as the end point at home. I have a VM that is running all of the services that I self-host. This VM also acts as my WireGuard tunnel endpoint. You have an array of options but this keeps things simple. Remember to copy the public key from your home end point to the VPS configuration and vice versa. Please do the same with the pre-shared key.

    The first and most important step is to enable routing on the home endpoint.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Install WireGuard

    # dnf install wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf

    Configure WireGuard.

    [Interface]
    PrivateKey = <Home Private Key>
    Address = fd00:f1ce:fd0d:1776::2
    Address = 192.168.128.2/32
    
    [Peer]
    PublicKey = <Server Public Key>
    PresharedKey = <Pre-shared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
    Endpoint = 192.0.2.1:51820
    PersistentKeepalive = 25
    

The firewall on the home side of the WireGuard tunnel is more involved because NAT is required for communication to work bi-directionally. The wg-to-lan policy allows traffic from wg0 (trusted zone) to be forwarded out to the LAN interface (which sits in the default public zone), and masquerading on the public zone rewrites the VPS’s source address 192.168.128.1 to the VM’s LAN address, so LAN hosts that have no route for 192.168.128.0/24 can still reply.

    # firewall-cmd --permanent --zone=trusted --new-policy=wg-to-lan
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --policy=wg-to-lan --add-ingress-zone=trusted
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --policy=wg-to-lan --add-egress-zone=public
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --policy=wg-to-lan --set-target ACCEPT
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=public --add-masquerade
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Now we can bring the tunnel up. Do the following on both the VPS and the home sides.

    # systemctl enable --now wg-quick@wg0
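Before bringing the tunnel up it is worth cross-checking the two configs against each other, because WireGuard’s cryptokey routing silently drops any packet whose address is not covered by the peer’s AllowedIPs. The checker below is an added example (my code, not from the post): it parses both wg0.conf files and verifies the relationships the setup above relies on. The config texts are constructed copies of the post’s configs with placeholder keys, and the `lan` argument defaults to the post’s 192.168.1.0/24.

```python
import ipaddress

# Constructed copies of the post's two wg0.conf files; the key values are placeholders, not real keys.
VPS_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = fd00:f1ce:fd0d:1776::1
Address = 192.168.128.1
ListenPort = 51820
[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24
"""
HOME_CONF = """[Interface]
PrivateKey = HOME_PRIVATE_KEY_PLACEHOLDER
Address = fd00:f1ce:fd0d:1776::2
Address = 192.168.128.2/32
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: [values]})]; keys such as Address may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, sep, value = line.partition("=")
        if not sections or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def _nets(values):  # expand comma-separated Address/AllowedIPs values into ip_network objects
    return [ipaddress.ip_network(x.strip(), strict=False) for v in values for x in v.split(",") if x.strip()]

def check_pair(vps_text, home_text, lan="192.168.1.0/24"):
    """Cross-check the VPS and home configs; returns a list of problems (empty means consistent)."""
    vps, home = dict(parse_wg_conf(vps_text)), dict(parse_wg_conf(home_text))
    vi, vp, hi, hp = vps["Interface"], vps["Peer"], home["Interface"], home["Peer"]
    problems = []
    # Cryptokey routing: a side's tunnel addresses must lie inside the other side's AllowedIPs.
    for side, iface, peer in (("VPS", vi, hp), ("home", hi, vp)):
        for addr in _nets(iface.get("Address", [])):
            if not any(addr.version == n.version and addr.subnet_of(n) for n in _nets(peer.get("AllowedIPs", []))):
                problems.append(f"{side} address {addr} missing from the other side's AllowedIPs")
    # The VPS only reaches the home LAN if that prefix is routed through the home peer.
    lan_net = ipaddress.ip_network(lan)
    if not any(lan_net.version == n.version and lan_net.subnet_of(n) for n in _nets(vp.get("AllowedIPs", []))):
        problems.append(f"LAN {lan} missing from the VPS peer's AllowedIPs")
    # The pre-shared key is symmetric, so both sides must carry the identical value.
    if vp.get("PresharedKey") != hp.get("PresharedKey"):
        problems.append("PresharedKey differs between the two sides")
    # Behind CGNAT the home side must refresh the NAT mapping, or traffic from the VPS stalls.
    if not hp.get("PersistentKeepalive") or int(hp["PersistentKeepalive"][0]) <= 0:
        problems.append("home peer lacks PersistentKeepalive (needed behind CGNAT)")
    return problems
```

On a real host, pass the contents of the two /etc/wireguard/wg0.conf files to check_pair; an empty list means the configs agree.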

    Once the tunnel is brought up, we can do some verification and testing. On the home side, you should see something similar to the following:

# wg
    interface: wg0
      public key: <Home Public Key>
      private key: (hidden)
      listening port: 58512
    
    peer: <VPS Public Key>
      preshared key: (hidden)
      endpoint: 192.0.2.1:51820
      allowed ips: fd00:f1ce:fd0d:1776::1/128, 192.168.128.1/32
      latest handshake: 1 minute, 1 second ago
      transfer: 49.61 MiB received, 438.12 MiB sent
      persistent keepalive: every 25 seconds
    
    # ping -c 5 192.168.128.1
    PING 192.168.128.1 (192.168.128.1) 56(84) bytes of data.
    64 bytes from 192.168.128.1: icmp_seq=1 ttl=64 time=19.4 ms
    64 bytes from 192.168.128.1: icmp_seq=2 ttl=64 time=19.7 ms
    64 bytes from 192.168.128.1: icmp_seq=3 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.1: icmp_seq=4 ttl=64 time=18.3 ms
    64 bytes from 192.168.128.1: icmp_seq=5 ttl=64 time=22.9 ms
    
    --- 192.168.128.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 17.993/19.646/22.872/1.737 ms

    On the VPS, do the same thing:

    # wg
    interface: wg0
      public key: <VPS Public Key>
      private key: (hidden)
      listening port: 51820
    
    peer: <Home Public Key>
      preshared key: (hidden)
      endpoint: <Home IP>:58512
      allowed ips: fd00:f1ce:fd0d:1776::2/128, 192.168.128.2/32, 192.168.1.0/24
      latest handshake: 45 seconds ago
      transfer: 2.27 GiB received, 259.69 MiB sent
    
    # ping -c 5 192.168.128.2
    PING 192.168.128.2 (192.168.128.2) 56(84) bytes of data.
    64 bytes from 192.168.128.2: icmp_seq=1 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=2 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=3 ttl=64 time=18.2 ms
    64 bytes from 192.168.128.2: icmp_seq=4 ttl=64 time=19.2 ms
    64 bytes from 192.168.128.2: icmp_seq=5 ttl=64 time=19.3 ms
    
    --- 192.168.128.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 17.961/18.527/19.331/0.603 ms

If you get results similar to the ones above, then the tunnel itself has been established between the two endpoints. The next step is to see if the VPS can reach your home network. The address I am pinging here represents my default gateway on the LAN. Again, you should see results similar to the ones below.

    # ping -c 5 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=22.0 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=63 time=20.2 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=63 time=20.0 ms
    
    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 20.031/20.694/22.026/0.707 ms
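Once the tunnel is up, the handshake age in the `wg` output above is the signal that matters, and `wg show wg0 dump` gives the same data in a machine-readable, tab-separated form. The checker below is an added example (my code, not from the post) that parses dump output and flags a tunnel that has stopped handshaking or lost its keepalive; the dump text is constructed with placeholder keys, and the 180-second threshold is my assumption (WireGuard rekeys roughly every two minutes while traffic flows).

```python
import time

# Constructed 'wg show wg0 dump' output as it would look on the home side; keys are placeholders.
# Fields are tab-separated: line 1 = private-key, public-key, listen-port, fwmark; then one line
# per peer = public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
SAMPLE_DUMP = (
    "HOME_PRIVATE_KEY_PLACEHOLDER\tHOME_PUBLIC_KEY_PLACEHOLDER\t58512\toff\n"
    "VPS_PUBLIC_KEY_PLACEHOLDER\tPRESHARED_KEY_PLACEHOLDER\t192.0.2.1:51820\t"
    "fd00:f1ce:fd0d:1776::1/128,192.168.128.1/32\t{hs}\t52021248\t459410432\t25\n"
)

def parse_dump(text):
    """Parse dump output. The private key and pre-shared keys are dropped on purpose: dump prints
    them in cleartext, so raw dump output must never be written to logs or a monitoring system."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    _private, public, port, _fwmark = rows[0]
    peers = []
    for pub, psk, endpoint, allowed, handshake, rx, tx, keepalive in rows[1:]:
        peers.append({
            "public_key": pub,
            "has_psk": psk != "(none)",
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),  # unix epoch seconds, 0 = never
            "rx": int(rx), "tx": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return {"public_key": public, "listen_port": int(port), "peers": peers}

def assess(iface, now=None, max_handshake_age=180, cgnat_side=True):
    """Return (peer_public_key, issue) findings; an empty list means the tunnel looks healthy."""
    now = time.time() if now is None else now
    findings = []
    for p in iface["peers"]:
        key, age = p["public_key"], now - p["latest_handshake"]
        if p["latest_handshake"] == 0:
            findings.append((key, "no handshake ever completed (check keys, Endpoint and the VPS firewall)"))
        elif age > max_handshake_age:
            findings.append((key, f"latest handshake {int(age)}s ago; tunnel is not passing traffic"))
        if cgnat_side and p["keepalive"] is None:
            findings.append((key, "PersistentKeepalive is off; the CGNAT mapping will expire when idle"))
        if not p["has_psk"]:
            findings.append((key, "no PresharedKey configured"))
    return findings

if __name__ == "__main__":  # stand-alone run evaluates the constructed sample with a fresh handshake
    sample = parse_dump(SAMPLE_DUMP.format(hs=int(time.time()) - 61))
    for key, issue in assess(sample) or [("-", "tunnel healthy")]:
        print(key, issue)
```

On a real host, feed the output of `wg show wg0 dump` to parse_dump and run assess from cron or a monitoring agent; on the VPS side pass cgnat_side=False, since that peer does not need a keepalive.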

From here, the sky is the limit. On the VPS side, though, you will need to set up some port forwarding for access to services that are not HTTP/HTTPS related. If you intend to host a website, use your favorite reverse proxy app. I use NGINX but configuring this is beyond the scope of the post. The command below sets up port forwarding for SSH so you can remotely access your network.

    # firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.128.2

  • The Future Of Work

    Is the future of work going to be work on a 1099 contractual basis? The reason I ask is I am seeing a steady trend towards this kind of work. I am not necessarily against it either. In fact, I would be absolutely for it if universal healthcare could be made available. All of the big corporations and the wealthy would stand to benefit from this and so would the working class. It creates entrepreneurial freedom and working freedom.

I am actually a proponent of this style of working because it means more flexibility for life’s events that pop up. Although it is not without its warts because I could see the potential for abuse here, especially if work turned into a reverse auction where it is only offered to someone at the lowest price. I could also see abuse if people are charged to sign up for a gig site. There would need to be some controls put into place.

The benefits are real and tangible though for both businesses and individuals if proper controls are put into place to prevent the moneyed class from outright exploitation. The freedom it would provide the working class would be wonderful. After all, we really don’t need to work 40 hours to get work accomplished. This is an anachronistic holdover from pre-technology times. Let’s all work less and enjoy life more.

  • Still Dragging

    It’s going to be nice having some time off after today. I get off at 11am and I don’t have to be at work again until Thursday at 4pm. I will enjoy having the time off as I am really tired. I think I want to sleep late tomorrow. That sounds delightful. I did my last few things to complete migration to a dual stack IPv4/IPv6 setup. I noticed my Mastodon instance has been cruising since I gave it IPv6 access.

    I am too tired to work on my business this morning. I’m thinking I’m just going to mess around on my laptop. Being productive just isn’t going to happen. I have a therapy appointment about the time I get home from work. After that I would like to have a nap and then watch a show or three with Denisse. A boring afternoon will be fine as well.

    I hope I hear from VGM soon as I am tired of doing security work. VGM offers a driving contract position through the Uber platform. Unlike other opportunities, this one pays $23 per hour on a 1099 basis. I think if I hear back from VGM with an offer, I’m going to start doing that instead of security work. I’m really and truly tired of being a security guard.

    VGM has quite a nice offering and if I need more time off one week, I can simply take that time because it has been ruled that 1099-basis workers cannot be forced into accepting a schedule. The courts ruled that 1099 is contractual basis and forcing a set schedule changes things into employment. I would rather not work so hard. Also driving a high end Lucid vehicle will be fun.

  • Dragging Today

I am really dragging today as I had to come into work for 7a-11a after working last night from 3a-11p. This is definitely not an easy thing to do at my age. When I was 25 years younger, I could double back on shifts easily. Despite dragging hind tit, I managed to figure out why the Mastodon instance I set up last night wasn’t working. It turns out that I forgot to allow NGINX to be able to work properly on SELinux. With that resolved, I am back.

    It’s good to be back on Mastodon and the Fediverse. Out of all of the social media, the Fediverse is solidly my favorite because of the sheer variety of content posted and created. I learn a lot from the postings and it is fun to do some content creation of my own. Anyhow, while at work I managed to do something stupid and power down the Mastodon server so I’ll have to wait until I get home.

    When I finally get home, I am going straight to bed. I need to get some rest badly. Then I can do a little work on my Mastodon instance. I added ElasticSearch for some more powerful search options but it ain’t working the way it should. I am sure I will figure it out eventually.

    I have to go to work again tomorrow from 7a-11a. Then I have one day off and I go back at it again. Fun times!

  • Tough Day Mentally

Today has been a really tough day mentally, no doubt brought on by the fact that I am so tired and I will only have 2 days off in the next 14. I’m at work and not motivated in the slightest. I have to find some things to do to keep me busy at work today or I will end up falling asleep. I don’t want to fall asleep as I really don’t like security guards that do it. So maybe I will have to get some caffeine of some sort.

    I did not sleep so well because I had a particularly vexing computer problem to solve. I eventually solved it when I realized that I needed a network address translation rule put into place which did the trick. I realized that routing was not working correctly from the default gateway back to the virtual machine acting as the VPN endpoint at home. Now I can access my homelab from anywhere that does not filter out WireGuard traffic.

    Okay, well I spoke too soon because I forgot to enable and start sshd on my desktop. This means I won’t be able to reach my desktop but I can reach other network services so I mostly solved the problem. I had some grand plans to get work done this afternoon and evening but that won’t happen. Instead, I am going to need to find an alternative way to work.

  • Hospital Regrets

I’m lying in my hospital bed in Wilmington Hospital and now I see what those godawful gym teachers I had in middle and high school were driving at. They were telling us that our bodies are our most important possessions and to treat them right. But they were so mean to me that I could not hear this lesson. Even psychopaths have moments of good advice and concern I guess. It’s too bad the balance of their behavior obliterates the good.

    If you had asked me in high school if I would be a type 2 diabetic, I would’ve told you that whatever you were smoking would be powerful. I cannot change the past but I sure can look at what I have going for me. I have a healthy heart and my brain has no physical damage. I just never thought that I would really need my cane now.

    Climbing stairs is difficult as my feet grow numb from the activity. This makes bringing up heavy objects difficult. Not from a cardiovascular perspective, but from not knowing where I am in space. I’ve already had trouble with visual spatial awareness. Having a physical problem has worsened that condition. So I will walk with a cane and get handicapped tags for easier parking when I can finally get a car.

    In life, people learn to adapt and overcome. I’m nowhere near ready to quit. I’m just too damn stubborn. Also, I’ve done a lot of amazing and eye opening things. I’ve had a lot of life in my years. I’ve biked a couple of 100 milers, backpacked through Mt. Rainier and the Sierras, climbed Mt. Baker. That’s actually a lot of life in my years.

    I know I can do better and make better choices. I haven’t because I’m still looking to food for comfort. If I’m going to use food for comfort, then I need to choose nourishment not garbage.

  • Lost Some Time

    On Tuesday I was admitted to the hospital. Thankfully I did not have a stroke like the doctors suspected. I am however dizzy and tired all the time. I don’t know what the cause of this is and it is concerning. I was just too tired and foggy to blog yesterday.

At any rate, I’m going to need a cane all of the time now for safety reasons. Aging can be difficult. But I must learn to accept this instead of feeling remorse for missed opportunities and connections. I actually have a good future ahead of me if my doctors can figure out what’s going on.

    It looks like business plans will need to be put on hold for a bit while I figure things out. I’ve been in a brain fog for the past two days. I hope I’ll be ready to go today. I miss my love and my bed. Maybe all this happening this week is changing my priorities. Maybe it’s okay to simply live basically.

    I feel strangely without much emotion right now. I feel like I’m existing but quietly. It’s difficult to explain. I miss my computers and my home lab. It’s so much fun to experiment with Linux and BSD. I miss that kind of fun right now. It’s fulfilling fun. 🤓

    Nobody really knows what the future holds but I hope things will get better than they are now. This year has started out difficult. It hasn’t been easy psychologically or medically for that matter. I guess I’m fine using a cane all or most of the time. Acceptance can be a good thing.

  • Monday Morning Loading Dock

I have just started my new gig working on Monday and every other Tuesday morning at my favorite site. I will enjoy the easy extra money. I am tired from working last night from 3-11 but it’s not like the shifts are even that stressful ordinarily. I might need to take a nap when I get home but that’s fine. At least this dock shift is only a 4 hour deal so it makes things easy.

    Tonight is date night with Denisse and boy am I looking forward to it. I love the simple pleasures in life like spending time with the love of my life. I will make certain that my phone is in a completely different room so that I have no distractions. We will have pizza, canned pre-mixed margaritas, and maybe one or two other little goodies. I plan on being a space case tomorrow and that is okay. I’m giving myself permission to relax.

    On Wednesday, I will have to be some sort of productive and I am okay with that. I’ll spend time working on my website and a few other matters. I got invited by VGM to drive for them on a contractual basis. Uber is testing out an all electric fleet of Lucid high-end vehicles. The nice thing is that it is hourly compensation with all tips going to the driver. If that comes through and it makes financial sense, I’ll resign from OPS. I’ve had it with security and struggling.

    My brother’s birthday is on Friday of this week and I want to get him a birthday gift for all the things he has done for me. I’ll probably get him a $100 gift card to Amazon. This should help him out considering he and his wife use Amazon a lot.

    I’m definitely ready for the next step in life which includes turning off the TV, reading, and educating. It’s time to go back to what I love which is learning. For me, learning is fulfilling so I want to go back to those activities. I want to do so much in life.