elkalbil

joined 1 year ago
[–] elkalbil@jlai.lu 2 points 2 months ago (1 children)

Je ne vois pas la différence pour le point 2. Tant que le gouvernement n'est pas formé la personne n'est pas officiellement premier ministre, c'est ça ?

[–] elkalbil@jlai.lu 1 points 7 months ago

J'ai un Q1, c'est mon premier clavier mécanique custom, j'en suis très content.

[–] elkalbil@jlai.lu 30 points 10 months ago (1 children)

You could boot on an USB, mount the filesystem and change the permissions. But if the dude changed a whole lot of permissions, reinstalling might be the smart thing to do...

[–] elkalbil@jlai.lu 1 points 1 year ago

Si vous vous intéressez au sujet, Heu?reka a fait 3 bonnes vidéos sur le marché de l'électricité, pourquoi son prix est indexé sur celui du gaz, ...

Je colle les liens PeerTube, il a aussi une chaîne YT.

[–] elkalbil@jlai.lu 1 points 1 year ago* (last edited 1 year ago)

DISCLAIMER: I never used Tailscale. All I know about Tailscale I learned reading their "How it works" blogpost and documentation, because I wanted to understand the hype.

Since nobody answered your questions, I'll try my best. Just trust that I spent most of the last 25 years configuring security systems, including but not limited to VPNs.

Hmm, I guess my question would be how does this all work?

See my 2 links above.

I mean, is it not possible to configure STUN/DERP services yourself?

Of course it is, but it will be additional work, that most users are not willing/confident to do and Tailscale provides this service.

Or add control lists yourself? [...] For ACLs, I guess Apparmor and/or SELinux profiles would be configured?

Deploying network ACLs on your hosts indeed does not require you to use Tailscale. However they provide an centralised way to manage and deploy them, without worrying about the underlying OS and ACL system. Or even requiring you to have access to the host, it could be an authorised user trying to access your Tailscale network.

Note: AppArmor/SELinux are more "system/process ACLs", not directly related to network ACLs. I'm oversimplifying a lot, they're difficult to describe without knowing your sysadmin skills.

The removing a key I can understand why it's be a nightmare yourself, but how does Tailscale do it where it's just so simple?

Simple: they ask you to run an agent on all of your Tailscale hosts and connect to their centralised platform. To paraphrase their blogpost: config management is centralized, but that doesn’t matter because it carries virtually no traffic. It just exchanges a few tiny encryption keys and sets policies. The VPNs and their traffic are a distributed mesh.

EDIT: Another question I have is how does Tailscale work when I have a VPN for securing network traffic when browsing the internet etc.? Or is that just seamless?

I'm not sure to understand this question, so I'll make an asumption: you're asking what happens if you run Tailscale on a host that already has a VPN configured to access the Internet.

Tailscale (and Wireguard under it) is already a VPN solution, and tunneling a VPN inside another VPN is generally discouraged. But as Tailscale is providing STUN/DERP, if they manage correctly the MTU issues and things like that, I don't see an immediate reason why it should not work at all.

You can configure Tailscale or Wireguard to create a VPN to access the Internet though.

Once again, if you try to understand how Tailscale works, please read the links at the start of this post. RTFM, kids!

On a more personal opinion, I find their solution clever and elegant. If I have the need for a distributed VPN solution in the near future, I will definitively consider it (or Headscale's). For the moment, I'm fine with all my hosts connecting to my homelab, configuring a Wireguard tunnel for each roaming host, and opening ports and creating rules on my firewall. Compared to IPSec or OpenVPN tunnels, it seems almost too easy each time.

[–] elkalbil@jlai.lu 1 points 1 year ago

Merci. Si tu as besoin d'aide pour un détail ou une tournure de phrase technique, n'hésite pas à me MP. Je ne peux pas le contacter directement, je n'ai pas accès à son instance du tout...

[–] elkalbil@jlai.lu 1 points 1 year ago* (last edited 1 year ago) (2 children)

FAI = Fournisseur d'Accès à Internet.

Tant que je n'ai pas d'IPv6 chez mon FAI, ou que peertube.sidh.bzh ne soit aussi disponible sur une IPv4, pas de solution pour moi. Je viens de tester, mon FAI mobile ne fournit pas d'IPv6 non plus 😧 !

[–] elkalbil@jlai.lu 1 points 1 year ago (4 children)

Je viens de comprendre le problème : peertube.sidh.bzh n'est disponible qu'en IPv6, ce que mon FAI actuel ne fournit pas... Ce jour annoncé est enfin arrivé !

$ dig A peertube.sidh.bzh
[...]
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48558
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
[...]

$ dig AAAA peertube.sidh.bzh
[...]
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56184
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[...]
;; ANSWER SECTION:
peertube.sidh.bzh.      6699    IN      AAAA    2a01:cb19:a72:e600:82fa:5bff:fe51:ed4a
[...]
[–] elkalbil@jlai.lu 1 points 1 year ago (6 children)

Je n'ai pas l'impression que celle-ci fonctionne : !joueurdugrenier@peertube.sidh.bzh ... J'y ai cru pourtant, surtout vu les derniers coups de gueule du JdG contre YouTube.

Testé avec mon client Lemmy, Firefox et Newpipe.

[–] elkalbil@jlai.lu 0 points 1 year ago (2 children)

The main benefit of Tailscale are:

  • It solves the key distribution problem. If you have multiple Wireguard hosts in a mesh infrastructure, it can be tricky to change or remove a key quickly and consistently. No benefit if it's only a single tunnel between 2 hosts.
  • It provides STUN/DERP services to connect hosts behind firewalls or NAT, without opening ports or redirections.

Tailscale also provides more advanced services or configuration helpers, such a file sharing (in alpha), ACLs...