I have a Bluetooth OBD-II scanner that works with Android/iOS but the app I use kind of sucks. Others I’ve found that claim to be something of a maintenance app suck as well.

Sometimes I wish I were an iOS developer.

I’m thinking about the RS6 a lot but really want to put Alpine Linux on it if I can manage it. My reasoning is I already know how to set up a router from scratch on the command line.

OpenWRT is probably easier but I’ve had bad experiences with its UI (and the distro as a whole) in the past, but the version of it on my GL.inet travel router is pretty rock solid though the UI still annoys me and I’d rather do most configuration via SSH.

Does OpenWRT support multiple WireGuard interfaces and VLANs? This is kind of what I’m wanting.

pfSense (I know, it’s UNIX) looked good on paper too but after playing with it on a VPS the UI just seemed overly complex. I don’t want to learn the ins and outs of some weird UI.

You can strike a balance with higher-end (in quality) consumer or small business networking gear.

If it’s in your budget, I’d suggest buying a simple router like the Ubiquiti Edgerouter X, run some Ethernet and rely on a switch and access points for WiFi (I use Ubiquiti U6 Pro but I wouldn’t be too picky about it). I’ve never been into the “mesh” WiFi networking concept because it doesn’t make sense to use the air as your backhaul (if you can help it).

What I wouldn’t recommend is buying some beefed up consumer all-in-one router. It’ll cost a fortune, your coverage won’t be as good and once it’s time to upgrade you’ll be forced to replace the entire thing.

Hopefully this helps.

Forgot to mention that I run a DNS server for blocking too. When using Tailscale I’ve found it’s important to use their resolver as upstream otherwise App Connectors won’t work (the VPN provider tunnels on each VPS routes to different countries so DNS wasn’t in sync). This kind of sucks but I make do with it after a month or two of App Connectors being very iffy.

Your setup looks more advanced than mine, and I’d really like to do something similar. I’m just going to copy/paste what I have with some addresses replaced by:

VPN_IPV4_CLIENT_ADDRESS: The WireGuard IPv4 address of the VPN provider’s interface (e.g. 172.0.0.1) VPN_IPV6_CLIENT_ADDRESS: The WireGuard IPv6 address of the VPN provider’s interface VPN_IPV6_CLIENT_ADDRESS_PLUS_ONE: The next IPv6 address that comes after VPN_IPV6_CLIENT_ADDRESS. I can’t remember the logic behinds this but I’d found an article online explaining it. WG_INTERFACE: The WireGuard network interface name (e.g. wg0) for the commercial VPN

I left 100.64.0.0/10, fd7a:115c:a1e0::/96 in my example because those are the networks Tailscale traffic will come from. I also left tailscale0 because that is the typical interface. Obviously these can be changed to support any network.

I’m using Alpine Linux so I don’t have the PostUp, PostDown, etc. in my WireGuard configuration. I’m not using wg-quick at all.

Before I hit paste, one thing I’ll say is I haven’t addressed the “kill switch” yet. But so far (~4 months) when the VPN provider’s tunnel goes down nothing leaks. 🤞

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

sysctl -p

ip link add dev WG_INTERFACE type wireguard

ip addr add VPN_IPV4_CLIENT_ADDRESS/32 dev WG_INTERFACE
ip -6 addr add VPN_IPV6_CLIENT_ADDRESS/127 dev WG_INTERFACE

wg setconf WG_INTERFACE /etc/wireguard/WG_INTERFACE.conf
ip link set up dev WG_INTERFACE

iptables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
iptables -t nat -A POSTROUTING -o WG_INTERFACE -s 100.64.0.0/10 -j MASQUERADE

ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -s fd7a:115c:a1e0::/96 -j MASQUERADE

iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
iptables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
ip6tables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT

mkdir -p /etc/iproute2/rt_tables

echo "70 wg" >> /etc/iproute2/rt_tables
echo "80 tailscale" >> /etc/iproute2/rt_tables

ip rule add from 100.64.0.0/10 table tailscale
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table tailscale

ip -6 rule add from fd7a:115c:a1e0::/96 table tailscale
ip -6 route add default via VPN_IPV6_CLIENT_ADDRESS_PLUS_1 dev WG_INTERFACE table tailscale

ip rule add from VPN_IPV4_CLIENT_ADDRESS/32 table wg
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table wg

service tailscale start
rc-update add tailscale default

iptables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT

ip6tables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT

service unbound start
rc-update add unbound default

/sbin/iptables-save > /etc/iptables/rules-save
/sbin/ip6tables-save > /etc/ip6tables/rules-save

tailscale up --accept-dns=false --accept-routes --advertise-exit-node

It doesn’t seem obvious to you who claims it’s “bad” because it “has a hard time deciding.” It can decide, guess how? Configuration

Maybe it is pedantry, but people writing for the general public should explain things well. Why didn’t they just write:

As a result, anyone wanting to access blocked sites from Russia is forced to use a VPN that encrypts internet traffic and makes it appear to come from outside Russia.

This way you’re not lying and saying a VPN “changes your IP address” which is both not accurate nor easily digestible for the general public. That part specifically is what gets me.

It’s the case of every VPN, it’s just that typically people choose to send all their traffic through it rather than that destined to specific networks.

Oh. You just mean there are multiple instances spread out everywhere.

Federated in my mind means the servers are talking to each other, typically via ActivityPub, so I was confused.

It’s only bad if you’re splitting it incorrectly lol

Searx is federated? I’ll have to read up on that; I use it all the time but had no idea.

I already block a crazy amount of ads with DNS blocklists (and block Google as well) but I’m at a point where I’m about to start intercepting my own HTTPS traffic in order to cache it.

I’m tunneling all my internet traffic through commercial VPNs to a completely different country across the planet with better privacy laws but damn the high latency is exhausting.

Doing some neat HTTP header manipulation with Privoxy would be incredible too.

I’m at the point where I want to just build it but it’s a matter of free time (I’m a full time web developer with a side business). Also, I wouldn’t know where to source car maintenance schedules.

I use Tailscale to do this. I install the software on everything I can, but for resources on the LAN that don’t have Tailscale running I use its Subnet Router feature to masquerade the traffic and connect to those clients.

As for the commercial VPN, it’s a bit more involved. I have a few Exit Nodes (VPS) that take incoming Tailscale traffic destined to the Internet and re-route it via the commercial VPN’s WireGuard network interface.

This was a huge challenge for me (lots of iptables, ip6tables rules) but I have it down to a reproducible script I can provide if you’d like an example.

My next goal is to containerize the two VPS servers into one with Docker. Tailscale is a bit annoying that you can’t have multiple Nodes running on the same machine (hence my temporary two VPS solution).

Note: capitalized terms are Tailscale feature names

Yes but this isn’t the point I’m getting at — VPN doesn’t always mean you’re sending all your Internet traffic down the tunnel. You can choose to configure only specific networks to use the VPN tunnel.

Yes but this isn’t the point I’m getting at — VPN doesn’t always mean you’re sending all your Internet traffic down the tunnel. You can choose to configure only specific networks to use the VPN tunnel.

You won’t be “on a different local network,” you’ll be accessing specific networks (or subnets) via the VPN tunnel rather than some other network interface on your machine.

So if you’re at home with a 192.168.0.0/24 network and you want to access an office resource on the 192.168.141.0/24 network, likely what will happen is your machine with have a route to 192.168.131.0/24 via the network the VPN provides (let’s just say 10.0.0.1).

Depending on how everything’s configured, the server you’re accessing might see it coming from the VPN server (masquerade) or it could very well be passed on as-is (which would only work if the server has a routing table back to you via the VPN).

Typically when people use VPNs for internet access, the traffic is sent out masqueraded so that it appears to come from the VPN’s WAN IP address.

This is the right answer.

If you’re routing internet traffic via the VPN tunnel then yes of course that’s true.

But you can be connected to a VPN and only direct specific subnets (like the traditional office network example) to it. You’re not always forced to use it as a default route (using the term loosely here).

That’s a good point too.

I’m primarily a web developer so essentially my entire toolkit is already FOSS and it doesn’t make sense to even run half of it on Windows. Windows is usually the odd one out with weird hacks to make it play nice.

I use macOS a lot too and because it’s UNIX my Linux toolset is available and ported to the OS with (what I understand to be) minimal changes.

And I’ve never needed to deploy to some Windows Server either (the thought frightens me).