Black Cat Blog

Thoughts, Stories, and Ideas

  • The War on Drugs

    I have said time and again that the war on drugs has nothing to do with public health or safety. Perhaps it once was but it’s not now. As with most laws nowadays, you have to see who stands to benefit from the law.

    The war is a cash cow for rehabilitation hospitals and private mental health facilities so big healthcare rakes in the dollars. The war benefits private corrections companies. Even law enforcement makes extra money from overtime and special assignments.

    The drug cartels themselves are perhaps the biggest beneficiaries of these laws. Cartel leadership did not become as successful as they are by not having good business acumen. I am certain they accept a relatively small amount of product loss as the cost of doing business. Keeping drugs illegal means a higher street price and they know they would lose billions should laws change.

    I have no proof of this but I believe that the cartels donate to politicians hell bent on keeping drugs illegal. They may donate through shell corporations and borderline illegal money moving enterprises.

    Furthermore I believe that by maintaining the drug war, we are actually undermining safety. Violent crime would probably drop as a result of drug legalization. Drug legalization and treatment would go a long way towards making America safer and more secure.

    In conclusion, it’s time to admit that the drug war, much like alcohol prohibition, is a failure. We’re better off legalizing drugs. I forgot to mention one added benefit: the drugs would actually be safer because they don’t need to be produced in secret. They can be manufactured using cleaner processes.

  • Great Therapy Session

    This morning I had a really good therapy session. I am reminded of the importance of therapy in addition to medication when treating depression. My therapist, Nan, is nothing short of incredible. We talked at length about learning, passion, and education.

    I told Nan about one of my goals which is to write a book about computers and networks. I shared with her my topic and intended audience but I was experiencing difficulty overcoming writer’s block. Since perfection in writing is impeding my progress, I had the insight that I would try speech to text. This may facilitate writing and lessen the tendency to seek perfection.

    Then Nan gave me a truly brilliant idea. Since the intended audience is a beginner to the professional side of computers and networks, she recommended that I write it in the form of a letter to a potential student. I was blown away! The sheer simple elegance. Now I have a weekend project. I’m going to start writing and see where this goes.

    Once I put words to paper so to speak, I’ll go back and edit my work. What if I could have the whole damn manuscript written and ready for publication!? That would be awesome. I’d love it if No Starch would take on publishing my book.

    I truly left the session feeling much much better than before. I feel renewed and motivated. I dare say I feel positive.

  • Nightmares

    I am not going to lie … last night was brutal for nightmares. They seemed to keep coming one after another so I am tired. Nightmares do not make for good sleep. Perhaps one day I will learn to control my dreams. I am honestly surprised because I had a decent day yesterday. Time to move on though.

    I hope to hear from VGM today or Monday. I’d like to be earning more money and have more flexibility. First I have to try it and see how it goes. If all goes well, I will reduce the number of hours I am working as a security guard to 16 on the weekends. I am tired of worrying about money and $23 an hour is significant.

    I don’t have any real grand plans for today other than going into work at 2:00PM instead of the usual time. This is okay with me and I don’t mind helping out the boss on occasion. I do have a therapy appointment at 11:00AM today which I am happy about because I need to talk to someone about some weighty issues. Perhaps I will find the concentration to work on my book, but if not, I won’t punish myself.

    I know that tomorrow I will have some good opportunities to work on my book. Since I seem to have writer’s block, I am going to try dictation. I just sent out a quick post on Mastodon to ask what tools might be available. Perhaps writer’s block isn’t really writer’s block but perfection being the enemy of progress. This is one of my mantras but I still seek perfection. Seeking perfection is blocking progress.

  • Another Day In The Salt Mines

    Another day and another shift working and toiling to make someone else wealthier. There’s nothing quite like the United States’ definition of freedom: economic freedom only. Have you ever noticed that the same self-righteous MAGAts that advocate locking up as many criminals as possible in dragnets complain that their freedumb is being impinged if laws are passed to help them? I’m sick and tired of the hypocrisy.

    Okay well enough whining on my part. I put Arch Linux – my favorite distro – back on my laptop. I don’t know why in the hell I was running Fedora. Clearly, I wasn’t thinking clearly. I’m happy to be back on the platform that I’ve grown to love. My desktop still uses Arch though. I had some dumb ass idea that Arch would not run that well on a laptop. I was very wrong. Arch is actually more battery efficient than Fedora.

    Well, in any case, I feel good about kicking Fedora to the curb. They capitulated to the age verification movement and they’re allowing AI contributions. As one of my favorite cartoon characters would say, “Uh huh huh huh …. Nope nope nope.” Chicken Hawk was hilarious! I digress. AI writes very poor code. Who knows what security holes are going to open. A good distribution is going down the toilet.

    I’m having fun being back on the fediverse via Mastodon. That’s the only social media that I feel is quality. If you’re already on it and want to follow me, just click on the link at the footer. Hope to see you there!

  • CGNAT and Self-Hosting


    One of the challenges for home lab enthusiasts whose connection sits behind CGNAT is self-hosting. Because the ISP’s NAT sits in front of your own router (double NAT), nothing on the internet can open a connection to you, so you will need to rent a cloud VPS and create a VPN tunnel between the VPS and your router or a server behind the router. Fortunately, this can be done inexpensively and with relative ease. I use Cloudfanatic as they have the unusual blend of cheap with reliable. For $4.50 USD per month it cannot be beat. Let’s get down to business.

    We will be getting around the CGNAT restriction by using WireGuard. The neat thing with WireGuard is that you do not have to worry about your home side’s public IP changing: the home endpoint always initiates the connection, and the VPS learns the current address from the most recent authenticated packet it receives, so nothing has to be updated by hand. I need access to my home network from the VPS, so the tunnel will also carry a route for the LAN.

    Here is an overview of the topology. Public IP addresses will be represented using the standard RFC5737 192.0.2.0/24 range. This is the exact solution that I use.

    [Home:CGNAT]<---------------->[VPS:192.0.2.1]
    Network: 192.168.1.0/24       WG: 192.168.128.1/32       
    WG: 192.168.128.2/32              fd00:f1ce:fd0d:1776::1
        fd00:f1ce:fd0d:1776::2

    Let’s work on the VPS-side first since that is the easiest one. I am running AlmaLinux 10 on the server. In the code blocks, commands beginning with hash marks need to be run as root. The first step is to enable IP Forwarding so that traffic gets passed between the WireGuard and public interfaces.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Once IP forwarding is configured, we can begin the WireGuard side of the configuration. In the next step we will install the tools and generate the VPS private/public key pair plus a pre-shared key. Set a restrictive umask first so that private.key, preshared.key and wg0.conf are created readable by root only; wg-quick otherwise warns that the configuration is world accessible.

    # umask 077
    # dnf install epel-release wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf
    # openssl rand -base64 32 > preshared.key

    Below is my server configuration, sanitized. You will have to provide your own keys. Put the config below in the wg0.conf file you created in the previous step. A pre-shared key is optional, but I strongly recommend it: it is a symmetric secret mixed into the handshake in addition to the Curve25519 key exchange, so an attacker who could break the public-key exchange (for instance with a future quantum computer) still could not decrypt the tunnel without it.

    [Interface]
    PrivateKey = <Server Private Key>
    Address = fd00:f1ce:fd0d:1776::1
    Address = 192.168.128.1
    ListenPort = 51820
    
    [Peer]
    PublicKey = <Home Public Key>
    PresharedKey = <Your Preshared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24

    Once this configuration has been completed, it is time to configure the firewall to allow WireGuard traffic in-bound and forwarding between the WireGuard and public interfaces. Here is how to do this.

    # firewall-cmd --permanent --zone=public --add-service=wireguard
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload

    Once the VPS-side has been configured, we can set up the machine that is going to act as the end point at home. I have a VM that is running all of the services that I self-host. This VM also acts as my WireGuard tunnel endpoint. You have an array of options but this keeps things simple. Remember to copy the public key from your home end point to the VPS configuration and vice versa. Please do the same with the pre-shared key.

    The first and most important step is to enable routing on the home endpoint.

    # sysctl -w net.ipv4.ip_forward=1
    # sysctl -w net.ipv6.conf.all.forwarding=1
    # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    # echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

    Install WireGuard, again with a restrictive umask so the key files and wg0.conf are readable by root only.

    # umask 077
    # dnf install wireguard-tools
    # cd /etc/wireguard
    # wg genkey | tee private.key | wg pubkey > public.key
    # touch wg0.conf

    Configure WireGuard.

    [Interface]
    PrivateKey = <Home Private Key>
    Address = fd00:f1ce:fd0d:1776::2
    Address = 192.168.128.2/32
    
    [Peer]
    PublicKey = <Server Public Key>
    PresharedKey = <Pre-shared Key>
    AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
    Endpoint = 192.0.2.1:51820
    PersistentKeepalive = 25
    

    The firewall on the home side of the WireGuard tunnel is more complex because NAT must be enabled for communication to work bi-directionally: hosts on the LAN have no route back to the tunnel address 192.168.128.1, so traffic arriving from the tunnel is masqueraded to the home endpoint’s LAN address and the replies come back to it.

    # firewall-cmd --permanent --new-policy=wg-to-lan
    # firewall-cmd --permanent --zone=trusted --add-interface=wg0
    # firewall-cmd --permanent --policy=wg-to-lan --add-ingress-zone=trusted
    # firewall-cmd --permanent --policy=wg-to-lan --add-egress-zone=public
    # firewall-cmd --permanent --policy=wg-to-lan --set-target=ACCEPT
    # firewall-cmd --permanent --zone=trusted --add-forward
    # firewall-cmd --permanent --zone=public --add-masquerade
    # firewall-cmd --permanent --zone=public --add-forward
    # firewall-cmd --reload
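
    Before bringing the tunnel up it is worth checking the two configs against each other. The script below is an added example, not part of the original post: it embeds copies of the two wg0.conf files above (key lines left out, since the checks ignore them) and flags an Address missing from the far side’s AllowedIPs, a missing LAN prefix in the VPS peer entry, or an Endpoint port that does not match ListenPort.

```shell
# Added example, not from the original post: cross-check both wg0.conf files
# before bringing the tunnel up. A tunnel that handshakes but carries no traffic
# is usually one side's Address missing from the other side's AllowedIPs, or the
# LAN prefix missing from the VPS peer entry. Configs copy the post's, keys omitted.
SERVER_CONF='[Interface]
Address = fd00:f1ce:fd0d:1776::1
Address = 192.168.128.1
ListenPort = 51820

[Peer]
AllowedIPs = fd00:f1ce:fd0d:1776::2, 192.168.128.2/32, 192.168.1.0/24'
HOME_CONF='[Interface]
Address = fd00:f1ce:fd0d:1776::2
Address = 192.168.128.2/32

[Peer]
AllowedIPs = fd00:f1ce:fd0d:1776::1, 192.168.128.1/32
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 25'

# conf_values SECTION KEY (config on stdin): each value of KEY in [SECTION], one
# per line; comma lists are split and a host prefix (/32, /128) is dropped.
conf_values() {
  awk -v sec="[$1]" -v key="$2" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $1 == key {
      sub(/^[^=]*=[ \t]*/, ""); n = split($0, v, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) { sub(/\/(32|128)$/, "", v[i]); print v[i] }
    }'
}

# check_routes CONF_A CONF_B [PREFIX...]: every [Interface] Address of A, plus
# any extra prefixes, must appear in B's [Peer] AllowedIPs, because WireGuard
# drops packets whose source is not in AllowedIPs (this is where LAN reach fails).
check_routes() {
  a=$1; b=$2; shift 2; rc=0
  for want in $(printf '%s\n' "$a" | conf_values Interface Address) "$@"; do
    printf '%s\n' "$b" | conf_values Peer AllowedIPs | grep -qxF "$want" ||
      { echo "MISSING: $want is not in the peer AllowedIPs"; rc=1; }
  done
  return $rc
}

# check_port SERVER_CONF HOME_CONF: the home Endpoint port must match ListenPort.
check_port() {
  lp=$(printf '%s\n' "$1" | conf_values Interface ListenPort)
  ep=$(printf '%s\n' "$2" | conf_values Peer Endpoint)
  [ "${ep##*:}" = "$lp" ]
}
```

    Run `check_routes "$HOME_CONF" "$SERVER_CONF" 192.168.1.0/24`, then `check_routes "$SERVER_CONF" "$HOME_CONF"` and `check_port "$SERVER_CONF" "$HOME_CONF"`; a non-zero exit with a MISSING line tells you which entry to add.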

    Now we can bring the tunnel up. Do the following on both the VPS and the home sides.

    # systemctl enable --now wg-quick@wg0

    Once the tunnel is brought up, we can do some verification and testing. On the home side, you should see something similar to the following:

    # wg
    interface: wg0
      public key: <Home Public Key>
      private key: (hidden)
      listening port: 58512
    
    peer: <VPS Public Key>
      preshared key: (hidden)
      endpoint: 192.0.2.1:51820
      allowed ips: fd00:f1ce:fd0d:1776::1/128, 192.168.128.1/32
      latest handshake: 1 minute, 1 second ago
      transfer: 49.61 MiB received, 438.12 MiB sent
      persistent keepalive: every 25 seconds
    
    # ping -c 5 192.168.128.1
    PING 192.168.128.1 (192.168.128.1) 56(84) bytes of data.
    64 bytes from 192.168.128.1: icmp_seq=1 ttl=64 time=19.4 ms
    64 bytes from 192.168.128.1: icmp_seq=2 ttl=64 time=19.7 ms
    64 bytes from 192.168.128.1: icmp_seq=3 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.1: icmp_seq=4 ttl=64 time=18.3 ms
    64 bytes from 192.168.128.1: icmp_seq=5 ttl=64 time=22.9 ms
    
    --- 192.168.128.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 17.993/19.646/22.872/1.737 ms

    On the VPS, do the same thing:

    # wg
    interface: wg0
      public key: <VPS Public Key>
      private key: (hidden)
      listening port: 51820
    
    peer: <Home Public Key>
      preshared key: (hidden)
      endpoint: <Home IP>:58512
      allowed ips: fd00:f1ce:fd0d:1776::2/128, 192.168.128.2/32, 192.168.1.0/24
      latest handshake: 45 seconds ago
      transfer: 2.27 GiB received, 259.69 MiB sent
    
    # ping -c 5 192.168.128.2
    PING 192.168.128.2 (192.168.128.2) 56(84) bytes of data.
    64 bytes from 192.168.128.2: icmp_seq=1 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=2 ttl=64 time=18.0 ms
    64 bytes from 192.168.128.2: icmp_seq=3 ttl=64 time=18.2 ms
    64 bytes from 192.168.128.2: icmp_seq=4 ttl=64 time=19.2 ms
    64 bytes from 192.168.128.2: icmp_seq=5 ttl=64 time=19.3 ms
    
    --- 192.168.128.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 17.961/18.527/19.331/0.603 ms

    If you get results similar to the ones above, then the tunnel itself has been established between the two endpoints. The next step is to see whether the VPS can reach your home network. The address I am pinging here is my default gateway on the LAN; the TTL of 63 in the replies shows they were forwarded exactly once, by the home endpoint. Again, you should see results similar to the ones below.

    # ping -c 5 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=22.0 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=20.6 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=63 time=20.2 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=63 time=20.0 ms
    
    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 20.031/20.694/22.026/0.707 ms
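
    As an added example (not from the original post), here is a small check that turns the `wg` output above into something you can run from cron: it parses `wg show wg0 dump` and reports any peer whose latest handshake is older than a threshold, using a constructed dump with placeholder keys.

```shell
# Added example, not from the original post: read `wg show wg0 dump` and flag
# peers whose latest handshake is older than a threshold. With traffic flowing,
# WireGuard re-handshakes about every 2 minutes, and PersistentKeepalive = 25
# keeps traffic flowing, so a handshake older than ~3 minutes means the tunnel
# is down even though `systemctl status wg-quick@wg0` still reports active.
# `wg show <if> dump` is tab separated: one interface line (private key, public
# key, listen port, fwmark), then one line per peer (public key, preshared key,
# endpoint, allowed ips, latest handshake as a Unix timestamp or 0 if never,
# rx bytes, tx bytes, persistent keepalive).

# stale_peers NOW MAX_AGE (dump on stdin): print "<peer public key> <age>" for
# each peer whose last handshake is older than MAX_AGE seconds, or "... never"
# for a peer that has not completed a handshake at all.
stale_peers() {
  awk -F '\t' -v now="$1" -v max="$2" '
    NF == 8 {
      if ($5 == 0)             print $1, "never"
      else if (now - $5 > max) print $1, now - $5
    }'
}

# check_tunnel NOW MAX_AGE (dump on stdin): succeed only when no peer is stale.
check_tunnel() {
  stale=$(stale_peers "$1" "$2")
  [ -z "$stale" ]
}

# Constructed dump matching the home side in the post: placeholder keys, the
# VPS peer at 192.0.2.1:51820, last handshake at epoch 1700000100.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' '<Home Private Key>' '<Home Public Key>' 58512 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '<VPS Public Key>' '<Pre-shared Key>' \
    192.0.2.1:51820 'fd00:f1ce:fd0d:1776::1/128,192.168.128.1/32' \
    1700000100 52020000 459000000 25
}

# Live use, as root on either side (e.g. from cron every few minutes):
#   wg show wg0 dump | check_tunnel "$(date +%s)" 180 ||
#     logger -t wgcheck "wg0: peer handshake older than 180 s"
```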

    From here, the sky is the limit. On the VPS side, though, you will need to set up port forwarding to reach services that are not plain HTTP/HTTPS. If you intend to host a website, use your favorite reverse proxy app. I use NGINX but configuring it is beyond the scope of this post. The command below sets up port forwarding for SSH so you can remotely access your network; remember that this exposes the home SSH service to the internet through the VPS, so harden it accordingly (key-only authentication at minimum).

    # firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.128.2