Black Cat Blog

Thoughts, Stories, and Ideas

  • Another Day In The Salt Mines

    Another day and another shift working and toiling to make someone else wealthier. There’s nothing quite like the United States’ definition of freedom: economic freedom only. Have you ever noticed that the same self-righteous MAGAts that advocate locking up as many criminals as possible in dragnets complain that their freedumb is being impinged upon if laws are passed to help them? I’m sick and tired of the hypocrisy.

    Okay well enough whining on my part. I put Arch Linux – my favorite distro – back on my laptop. I don’t know why in the hell I was running Fedora. Clearly, I wasn’t thinking clearly. I’m happy to be back on the platform that I’ve grown to love. My desktop still uses Arch though. I had some dumb ass idea that Arch would not run that well on a laptop. I was very wrong. Arch is actually more battery efficient than Fedora.

    Well, in any case, I feel good about kicking Fedora to the curb. They capitulated to the age verification movement and they’re allowing AI contributions. As one of my favorite cartoon characters would say, “Uh huh huh huh …. Nope nope nope.” Chicken Hawk was hilarious! I digress. AI writes very poor code. Who knows what security holes are going to open. A good distribution is going down the toilet.

    I’m having fun being back on the fediverse via Mastodon. That’s the only social media that I feel is quality. If you’re already on it and want to follow me, just click on the link at the footer. Hope to see you there!

  • Next Steps

    I’m thinking about my next steps in life because I can no longer stomach the thought of another shift as an unarmed security guard. I only have one good iron in the fire and that is with VGM and Uber. I’d get $23 an hour plus tips but we know tips are quite rare. I need to seriously work on some other options. I do like my boss quite a bit and I’ll honestly miss the guy if I end up leaving my security job. He’s been very fair to me.

    I have work today, and to be honest, I am not looking forward to it at all. I am still a bit tired but I know I need the money so I’ll be there and on time. I am finding myself revisiting writing the book I had planned a bit ago. I used ChatGPT to help me organize my thoughts better and come up with an outline. I have a title in mind, The Beginner’s Home Lab Book: Learn Linux & BSD by Building Real Systems.

    By my figuring, I can work on the book on the weekends. My plan, if all things go as I hope, will be to reduce my hours to 16 on the weekends and spend 2-3 days per week driving for VGM. That should end up helping me out a lot more.

  • CGNAT and Self-Hosting


    One of the challenges for home lab enthusiasts with connections behind CGNAT is self-hosting. Due to the limitations of double NAT, you will need to rent a cloud VPS and create a VPN tunnel between the VPS and your router or a server behind the router. Fortunately, this can be done inexpensively and with relative ease. I use Cloudfanatic as they have the unusual blend of cheap with reliable. For $4.50 USD per month it cannot be beat. Let’s get down to business.

    We will be getting around the CGNAT restriction by using WireGuard. The neat thing with WireGuard is that you do not have to worry about your home IP changing: the home side initiates the connection to the VPS, and the VPS learns the current home endpoint from each authenticated packet it receives, so the VPS-side configuration never has to contain the home address. I also need access to my home LAN from the VPS, so that network will be routed through the tunnel as well.

    Here is an overview of the topology. Public IP addresses will be represented using the standard RFC5737 192.0.2.0/24 range. This is the exact solution that I use.

    [Home:CGNAT]<---------------->[VPS:192.0.2.1]
    Network: 192.168.1.0/24       WG: 192.168.128.1/32       
    WG: 192.168.128.2/32              fd00:f1ce:fd0d:1776::1
        fd00:f1ce:fd0d:1776::2

    Let’s work on the VPS-side first since that is the easiest one. I am running AlmaLinux 10 on the server. In the code blocks, commands beginning with hash marks need to be run as root. The first step is to enable IP Forwarding so that traffic gets passed between the WireGuard and public interfaces.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Once IP forwarding is configured, we can begin the WireGuard side of the configuration. In the next step we will be generating the VPS private and public keypair.

    # dnf install epel-release wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf
    # openssl rand -base64 32 > preshared.key
    

    Below is my server configuration, sanitized. You will have to provide your own keys. Put the config below in the wg0.conf file you created in the previous step. A pre-shared key is not required, but it is strongly recommended: WireGuard mixes this extra symmetric secret into the handshake as a hedge against a future quantum computer breaking the Curve25519 key exchange.

    [Interface]
    PrivateKey = <Server Private Key>
    Address = fd00:f1ce:fd0d:1776::1
    Address = 192.168.128.1
    ListenPort = 51820
    
    [Peer]
    PublicKey = <Home Public Key>
    PresharedKey = <Your Preshared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24

    Once this configuration has been completed, it is time to configure the firewall to allow inbound WireGuard traffic and to permit forwarding between the WireGuard and public interfaces. Here is how to do this.

    # firewall-cmd --permanent --zone=public --add-service=wireguard
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --reload
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Once the VPS-side has been configured, we can set up the machine that is going to act as the end point at home. I have a VM that is running all of the services that I self-host. This VM also acts as my WireGuard tunnel endpoint. You have an array of options but this keeps things simple. Remember to copy the public key from your home end point to the VPS configuration and vice versa. Please do the same with the pre-shared key.

    The first and most important step is to enable routing on the home endpoint.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Install WireGuard.

    # dnf install wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf

    Configure WireGuard.

    [Interface]
    PrivateKey = <Home Private Key>
    Address = fd00:f1ce:fd0d:1776::2
    Address = 192.168.128.2/32
    
    [Peer]
    PublicKey = <Server Public Key>
    PresharedKey = <Pre-shared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
    Endpoint = 192.0.2.1:51820
    PersistentKeepalive = 25
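
    The two configs above have to agree with each other in several places, and a tunnel that comes "up" but passes no traffic is almost always one of those places being wrong. The script below is an added example, not code from the post: it parses a pair of wg-quick style configs (the constructed stand-ins mirror the server and home files above, with placeholder strings where keys go) and reports mismatched public keys or pre-shared keys, an Endpoint port that is not the server's ListenPort, AllowedIPs that fail to cover the far side's addresses or the LAN that should be routed, and a 0.0.0.0/0 or ::/0 entry that would pull a host's entire default route into the tunnel. The function names and the routed_lans parameter are mine.

```python
"""Cross-check a VPS-side and a home-side WireGuard config for consistency.
Added example (not from the post); keys below are placeholder strings."""
import ipaddress

# Constructed stand-ins for the post's two wg0.conf files.
SERVER_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_PLACEHOLDER
Address = fd00:f1ce:fd0d:1776::1
Address = 192.168.128.1
ListenPort = 51820

[Peer]
PublicKey = HOME_PUBLIC_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24
"""
HOME_CONF = """\
[Interface]
PrivateKey = HOME_PRIVATE_PLACEHOLDER
Address = fd00:f1ce:fd0d:1776::2
Address = 192.168.128.2/32

[Peer]
PublicKey = SERVER_PUBLIC_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Return (interface, peers); keys map to lists because Address may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = {}
            if line.lower() == "[interface]":
                interface = current
            else:
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return interface, peers

def _split(values):
    return [v.strip() for value in values for v in value.split(",") if v.strip()]

def iface_addresses(interface):
    # Like `ip address add`, a bare address means /32 (IPv4) or /128 (IPv6).
    return [ipaddress.ip_interface(a) for a in _split(interface.get("address", []))]

def allowed_networks(peer):
    return [ipaddress.ip_network(a, strict=False) for a in _split(peer.get("allowedips", []))]

def check_pair(server_text, home_text, server_pubkey, home_pubkey, routed_lans=()):
    """Return a list of problems; empty means the two configs agree.
    *_pubkey are the contents of each side's public.key file; routed_lans are
    the LANs the VPS should reach through the home endpoint."""
    s_if, s_peers = parse_wg_conf(server_text)
    h_if, h_peers = parse_wg_conf(home_text)
    if len(s_peers) != 1 or len(h_peers) != 1:
        return ["expected exactly one [Peer] section on each side"]
    s_peer, h_peer, problems = s_peers[0], h_peers[0], []
    if s_peer.get("publickey") != [home_pubkey]:
        problems.append("server [Peer] PublicKey is not the home public key")
    if h_peer.get("publickey") != [server_pubkey]:
        problems.append("home [Peer] PublicKey is not the server public key")
    if s_peer.get("presharedkey") != h_peer.get("presharedkey"):
        problems.append("PresharedKey differs between the two sides")
    listen = s_if.get("listenport", ["<unset>"])[0]
    endpoint = h_peer.get("endpoint", [""])[0]
    if not endpoint.endswith(":" + listen):
        problems.append(f"home Endpoint {endpoint!r} does not match server ListenPort {listen}")
    s_allowed, h_allowed = allowed_networks(s_peer), allowed_networks(h_peer)
    for a in iface_addresses(h_if):
        if not any(a.ip in n for n in s_allowed):
            problems.append(f"server AllowedIPs does not cover home address {a.ip}")
    for a in iface_addresses(s_if):
        if not any(a.ip in n for n in h_allowed):
            problems.append(f"home AllowedIPs does not cover server address {a.ip}")
    for lan in routed_lans:
        net = ipaddress.ip_network(lan)
        if not any(net.subnet_of(n) for n in s_allowed if n.version == net.version):
            problems.append(f"server AllowedIPs does not route {lan} through the tunnel")
    for side, nets in (("server", s_allowed), ("home", h_allowed)):
        if any(n.prefixlen == 0 for n in nets):
            problems.append(f"{side} AllowedIPs holds a default route; all of that host's traffic would enter the tunnel")
    return problems
```

    To use it against real files, read both wg0.conf files and the two public.key files and call check_pair(server_conf, home_conf, server_pubkey, home_pubkey, ["192.168.1.0/24"]); an empty list means the pair is consistent. The pairing rule it encodes is the one WireGuard enforces: each side's Address must fall inside the other side's AllowedIPs, and only the server side needs the LAN prefix.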
    

    The firewall on the home side of the WireGuard tunnel is more complex because NAT must be enabled for communication to work bi-directionally: hosts on the LAN know nothing about the 192.168.128.0/24 tunnel addresses, so the home endpoint has to masquerade traffic arriving from the VPS behind its own LAN address, otherwise the LAN replies never find their way back into the tunnel. The commands below put wg0 in the trusted zone, create a firewalld policy that accepts forwarding from that zone to the LAN-facing public zone, and enable masquerading on the public zone.

    # firewall-cmd --permanent --new-policy=wg-to-lan
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --permanent --policy=wg-to-lan --add-ingress-zone=trusted
    # firewall-cmd --permanent --policy=wg-to-lan --add-egress-zone=public
    # firewall-cmd --permanent --policy=wg-to-lan --set-target=ACCEPT
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --permanent --zone=public --add-masquerade
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Now we can bring the tunnel up. Do the following on both the VPS and the home sides.

    # systemctl enable --now wg-quick@wg0

    Once the tunnel is brought up, we can do some verification and testing. On the home side, you should see something similar to the following:

    # wg
    interface: wg0
      public key: <Home Public Key>
      private key: (hidden)
      listening port: 58512
    
    peer: <VPS Public Key>
      preshared key: (hidden)
      endpoint: 192.0.2.1:51820
      allowed ips: fd00:f1ce:fd0d:1776::1/128, 192.168.128.1/32
      latest handshake: 1 minute, 1 second ago
      transfer: 49.61 MiB received, 438.12 MiB sent
      persistent keepalive: every 25 seconds
    
    # ping -c 5 192.168.128.1
    PING 192.168.128.1 (192.168.128.1) 56(84) bytes of data.
    64 bytes from 192.168.128.1: icmp_seq=1 ttl=64 time=19.4 ms
    64 bytes from 192.168.128.1: icmp_seq=2 ttl=64 time=19.7 ms
    64 bytes from 192.168.128.1: icmp_seq=3 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.1: icmp_seq=4 ttl=64 time=18.3 ms
    64 bytes from 192.168.128.1: icmp_seq=5 ttl=64 time=22.9 ms
    
    --- 192.168.128.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 17.993/19.646/22.872/1.737 ms

    On the VPS, do the same thing:

    # wg
    interface: wg0
      public key: <VPS Public Key>
      private key: (hidden)
      listening port: 51820
    
    peer: <Home Public Key>
      preshared key: (hidden)
      endpoint: <Home IP>:58512
      allowed ips: fd00:f1ce:fd0d:1776::2/128, 192.168.128.2/32, 192.168.1.0/24
      latest handshake: 45 seconds ago
      transfer: 2.27 GiB received, 259.69 MiB sent
    
    # ping -c 5 192.168.128.2
    PING 192.168.128.2 (192.168.128.2) 56(84) bytes of data.
    64 bytes from 192.168.128.2: icmp_seq=1 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=2 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=3 ttl=64 time=18.2 ms
    64 bytes from 192.168.128.2: icmp_seq=4 ttl=64 time=19.2 ms
    64 bytes from 192.168.128.2: icmp_seq=5 ttl=64 time=19.3 ms
    
    --- 192.168.128.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 17.961/18.527/19.331/0.603 ms

    If you get results similar to the ones above, then the tunnel itself has been established between the two endpoints. The next step is to see whether the VPS can reach your home network. The address I am pinging here is my default gateway on the LAN; the ttl=63 in the replies, one lower than in the tunnel pings, confirms they were forwarded through the home endpoint rather than answered by it. Again, you should see results similar to the ones below.

    # ping -c 5 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=22.0 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=63 time=20.2 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=63 time=20.0 ms
    
    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 20.031/20.694/22.026/0.707 ms
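
    The `wg` output above is what you read by hand once; for ongoing checks it is easier to script against `wg show wg0 dump`, which prints the same information as one tab-separated line for the interface followed by one per peer, with the latest handshake as a Unix timestamp. The script below is an added example, not code from the post. It parses a dump (the sample is constructed to resemble the VPS-side view above, with placeholder keys and an RFC 5737 address for the home side) and classifies each peer by handshake age; the stale_after threshold and the function names are my own choices.

```python
"""Peer health from `wg show wg0 dump`.
Added example (not from the post). `wg show <iface> dump` prints one
tab-separated line for the interface, then one per peer, with the latest
handshake as a Unix timestamp, so it scripts better than plain `wg`."""
import subprocess
import time

# Constructed dump resembling the post's VPS-side view (placeholder keys,
# RFC 5737 home address). Interface fields: private key, public key, listen
# port, fwmark. Peer fields: public key, preshared key, endpoint, allowed IPs,
# latest handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "VPS_PRIVATE_PLACEHOLDER\tVPS_PUBLIC_PLACEHOLDER\t51820\toff\n"
    "HOME_PUBLIC_PLACEHOLDER\tPSK_PLACEHOLDER\t203.0.113.7:58512\t"
    "fd00:f1ce:fd0d:1776::2/128,192.168.128.2/32,192.168.1.0/24\t"
    "1700000000\t2437000000\t272300000\toff\n"
)

def parse_dump(text):
    """Return (interface, peers) as dicts with typed fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    interface = {"public_key": f[1], "listen_port": int(f[2]), "fwmark": f[3]}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "preshared": f[1] != "(none)",
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [] if f[3] == "(none)" else f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return interface, peers

def peer_state(peer, now, stale_after=180):
    """'never' if no handshake yet, 'stale' if the last one is older than
    stale_after seconds, else 'ok'. While traffic flows WireGuard re-handshakes
    at least every two minutes, and the home side's 25 s keepalive guarantees
    traffic, so about three minutes of silence on the VPS means the home
    endpoint is no longer reaching it."""
    if peer["latest_handshake"] == 0:
        return "never", None
    age = now - peer["latest_handshake"]
    return ("stale" if age > stale_after else "ok"), age

def report(dump_text, now=None, stale_after=180):
    """One summary dict per peer; also flags peers without a pre-shared key."""
    now = int(time.time()) if now is None else now
    _, peers = parse_dump(dump_text)
    out = []
    for p in peers:
        state, age = peer_state(p, now, stale_after)
        out.append({
            "peer": p["public_key"], "endpoint": p["endpoint"], "state": state,
            "handshake_age": age, "rx_bytes": p["rx_bytes"], "tx_bytes": p["tx_bytes"],
            "warnings": [] if p["preshared"] else ["no pre-shared key configured"],
        })
    return out

if __name__ == "__main__":
    # Live use on the VPS or the home endpoint (needs wireguard-tools and root).
    dump = subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True,
                          text=True, check=True).stdout
    for row in report(dump):
        print(row)
```

    Run it from cron or a systemd timer on the VPS and alert on any peer whose state is not "ok"; because the home side never stops sending keepalives, a stale handshake on the VPS is a reliable signal that the home end has lost connectivity, and the endpoint field tells you the last public address and port the CGNAT mapped it to.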

    From here, the sky is the limit. On the VPS side, though, you will need to set up port forwarding for services that are not HTTP/HTTPS. If you intend to host a website, use your favorite reverse proxy; I use NGINX, but configuring it is beyond the scope of this post. The rule below forwards TCP port 2222 on the VPS to port 22 on the home endpoint so you can reach your network over SSH. As with the other permanent rules, reload firewalld afterwards, and forward only the ports you actually need, since each one becomes reachable from the whole internet.

    # firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.128.2

  • The Future Of Work

    Is the future of work going to be work on a 1099 contractual basis? The reason I ask is I am seeing a steady trend towards this kind of work. I am not necessarily against it either. In fact, I would be absolutely for it if universal healthcare could be made available. All of the big corporations and the wealthy would stand to benefit from this and so would the working class. It creates entrepreneurial freedom and working freedom.

    I am actually a proponent of this style of working because it means more flexibility for life’s events that pop up. Although it is not without its warts because I could see the potential for abuse here, especially if work turned into a reverse auction where it is only offered to someone at the lowest price. I could also see abuse if people are charged to sign up for a gig site. There would need to be some controls put into place.

    The benefits are real and tangible though, for both businesses and individuals, if proper controls are put into place to prevent the moneyed class from outright exploitation. The freedom it would provide the working class would be wonderful. After all, we really don’t need to work 40 hours to get work accomplished. This is an anachronistic holdover from pre-technology times. Let’s all work less and enjoy life more.

  • Still Dragging

    It’s going to be nice having some time off after today. I get off at 11am and I don’t have to be at work again until Thursday at 4pm. I will enjoy having the time off as I am really tired. I think I want to sleep late tomorrow. That sounds delightful. I did my last few things to complete migration to a dual stack IPv4/IPv6 setup. I noticed my Mastodon instance has been cruising since I gave it IPv6 access.

    I am too tired to work on my business this morning. I’m thinking I’m just going to mess around on my laptop. Being productive just isn’t going to happen. I have a therapy appointment about the time I get home from work. After that I would like to have a nap and then watch a show or three with Denisse. A boring afternoon will be fine as well.

    I hope I hear from VGM soon as I am tired of doing security work. VGM offers a driving contract position through the Uber platform. Unlike other opportunities, this one pays $23 per hour on a 1099 basis. I think if I hear back from VGM with an offer, I’m going to start doing that instead of security work. I’m really and truly tired of being a security guard.

    VGM has quite a nice offering and if I need more time off one week, I can simply take that time because it has been ruled that 1099-basis workers cannot be forced into accepting a schedule. The courts ruled that 1099 is contractual basis and forcing a set schedule changes things into employment. I would rather not work so hard. Also driving a high end Lucid vehicle will be fun.