The red light bit seems spot on. In every article stating “it blew through a red light” there’s always the caveat that it’s just trying to clear the intersection while getting pulled over. Technically people are allowed to do that (and/or move to a safer area, such as getting into the right lane when being pulled over in the left lane).

I think media like to add the intersection stuff to rile people up.

I have a Bluetooth OBD-II scanner that works with Android/iOS but the app I use kind of sucks. Others I’ve found that claim to be something of a maintenance app suck as well.

Sometimes I wish I were an iOS developer.

I’m thinking about the RS6 a lot but really want to put Alpine Linux on it if I can manage it. My reasoning is I already know how to set up a router from scratch on the command line.

OpenWRT is probably easier but I’ve had bad experiences with its UI (and the distro as a whole) in the past, but the version of it on my GL.inet travel router is pretty rock solid though the UI still annoys me and I’d rather do most configuration via SSH.

Does OpenWRT support multiple WireGuard interfaces and VLANs? This is kind of what I’m wanting.

pfSense (I know, it’s UNIX) looked good on paper too but after playing with it on a VPS the UI just seemed overly complex. I don’t want to learn the ins and outs of some weird UI.

You can strike a balance with higher-end (in quality) consumer or small business networking gear.

If it’s in your budget, I’d suggest buying a simple router like the Ubiquiti Edgerouter X, run some Ethernet and rely on a switch and access points for WiFi (I use Ubiquiti U6 Pro but I wouldn’t be too picky about it). I’ve never been into the “mesh” WiFi networking concept because it doesn’t make sense to use the air as your backhaul (if you can help it).

What I wouldn’t recommend is buying some beefed up consumer all-in-one router. It’ll cost a fortune, your coverage won’t be as good and once it’s time to upgrade you’ll be forced to replace the entire thing.

Hopefully this helps.

Forgot to mention that I run a DNS server for blocking too. When using Tailscale I’ve found it’s important to use their resolver as upstream otherwise App Connectors won’t work (the VPN provider tunnels on each VPS routes to different countries so DNS wasn’t in sync). This kind of sucks but I make do with it after a month or two of App Connectors being very iffy.

Your setup looks more advanced than mine, and I’d really like to do something similar. I’m just going to copy/paste what I have with some addresses replaced by:

VPN_IPV4_CLIENT_ADDRESS: The WireGuard IPv4 address of the VPN provider’s interface (e.g. 172.0.0.1) VPN_IPV6_CLIENT_ADDRESS: The WireGuard IPv6 address of the VPN provider’s interface VPN_IPV6_CLIENT_ADDRESS_PLUS_ONE: The next IPv6 address that comes after VPN_IPV6_CLIENT_ADDRESS. I can’t remember the logic behinds this but I’d found an article online explaining it. WG_INTERFACE: The WireGuard network interface name (e.g. wg0) for the commercial VPN

I left 100.64.0.0/10, fd7a:115c:a1e0::/96 in my example because those are the networks Tailscale traffic will come from. I also left tailscale0 because that is the typical interface. Obviously these can be changed to support any network.

I’m using Alpine Linux so I don’t have the PostUp, PostDown, etc. in my WireGuard configuration. I’m not using wg-quick at all.

Before I hit paste, one thing I’ll say is I haven’t addressed the “kill switch” yet. But so far (~4 months) when the VPN provider’s tunnel goes down nothing leaks. 🤞

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

sysctl -p

ip link add dev WG_INTERFACE type wireguard

ip addr add VPN_IPV4_CLIENT_ADDRESS/32 dev WG_INTERFACE
ip -6 addr add VPN_IPV6_CLIENT_ADDRESS/127 dev WG_INTERFACE

wg setconf WG_INTERFACE /etc/wireguard/WG_INTERFACE.conf
ip link set up dev WG_INTERFACE

iptables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
iptables -t nat -A POSTROUTING -o WG_INTERFACE -s 100.64.0.0/10 -j MASQUERADE

ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o WG_INTERFACE -s fd7a:115c:a1e0::/96 -j MASQUERADE

iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
iptables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
iptables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -j ACCEPT
ip6tables -A FORWARD -i tailscale0 -o WG_INTERFACE -j ACCEPT
ip6tables -A FORWARD -i WG_INTERFACE -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT

mkdir -p /etc/iproute2/rt_tables

echo "70 wg" >> /etc/iproute2/rt_tables
echo "80 tailscale" >> /etc/iproute2/rt_tables

ip rule add from 100.64.0.0/10 table tailscale
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table tailscale

ip -6 rule add from fd7a:115c:a1e0::/96 table tailscale
ip -6 route add default via VPN_IPV6_CLIENT_ADDRESS_PLUS_1 dev WG_INTERFACE table tailscale

ip rule add from VPN_IPV4_CLIENT_ADDRESS/32 table wg
ip route add default via VPN_IPV4_CLIENT_ADDRESS dev WG_INTERFACE table wg

service tailscale start
rc-update add tailscale default

iptables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT

ip6tables -A INPUT -i tailscale0 -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -i tailscale0 -p tcp --dport 53 -j ACCEPT

service unbound start
rc-update add unbound default

/sbin/iptables-save > /etc/iptables/rules-save
/sbin/ip6tables-save > /etc/ip6tables/rules-save

tailscale up --accept-dns=false --accept-routes --advertise-exit-node

I’m at the point where I want to just build it but it’s a matter of free time (I’m a full time web developer with a side business). Also, I wouldn’t know where to source car maintenance schedules.

I use Tailscale to do this. I install the software on everything I can, but for resources on the LAN that don’t have Tailscale running I use its Subnet Router feature to masquerade the traffic and connect to those clients.

As for the commercial VPN, it’s a bit more involved. I have a few Exit Nodes (VPS) that take incoming Tailscale traffic destined to the Internet and re-route it via the commercial VPN’s WireGuard network interface.

This was a huge challenge for me (lots of iptables, ip6tables rules) but I have it down to a reproducible script I can provide if you’d like an example.

My next goal is to containerize the two VPS servers into one with Docker. Tailscale is a bit annoying that you can’t have multiple Nodes running on the same machine (hence my temporary two VPS solution).

Note: capitalized terms are Tailscale feature names

Yeah, I had to bail. FreeBSD was awesome for stable yet bleeding-edge packages, a perfect blend of downloading binaries and compiling from source (when needed) with everything in sync.

These days I’m using Alpine Linux almost exclusively, but I miss the convenience of FreeBSD and wish it wasn’t being left behind by the Kool Kidz™.

I got downvoted for this? 😂

I looked over the links, and the ones listed for Google aren’t respected anymore (and haven’t been for a long time).

If you search for something specific using operators, Google will just ignore them and give you related (but irrelevant) results which is absolutely infuriating.

Instead of showing a low number of results it seems they’d rather try to be smarter than you just to show more results.

It’s for you to ask questions

For me in a big city it’s the annoyance of always being a part of the crowd. My free time is the same as everyone else’s now so traffic is always terrible on my days off (weekends), stores are always packed before/after work. Even walking my dogs becomes annoying because every other dog in the neighborhood is outside too.

Thankfully I work from home so I try to get out and walk the dog during lunch; if I have any errand to run I can just take my lunch later when everyone else has gone back to the office.

The other hard part for me is the afternoons; they drag on endlesssly. As a night person waking up in the morning was just killer, but I’ve finally adapted after… 10 years.

I really can’t stand the Tesla sound, it’s the worst. I can’t quite put my finger on it but it’s both uncanny and grating. I’ll be in my apartment and suddenly there’s this high-pitched screaming of sorts; it doesn’t sound like the car is doing well.

I’ve configured 2FA with my bank using verification codes (can’t think of the proper name, it’s that Authy-/Google-style 2FA c. 2010) but then never utilizes it — it pretends that’s not set up and requests the SMS code. 🫠

This is what I specifically hate about building Docker images based on Debian. Half your Dockerfile ends up mucking about with third-party repositories, verifying keys, etc.

I should be more clear: specifically I was rebuilding a Docker image based on Debian and needed Node.js for one build step, then Ruby for another as well as the final image.

In the Dockerfile there were a ton of weird commands for simply installing Node.js and Ruby whereas on Alpine Linux I could simply install the needed versions from apk. I understand it’s preferable to build these from scratch but in the case of Node.js I was looking to simply compile a bunch of assets then throw away the layer.

I could’ve spent a bunch of time figuring it out for Debian but I wanted a smaller image in the end anyway too.

It doesn’t help that most password managers kind of suck, you have to do a lot of manual work as a user sometimes.

I wish websites would start supporting Webauthn/FIDO2 sometime soon. I’m sick of SMS-based 2FA becoming more popular lately (like 10 years late).

I had to step away from it because packages are just too old.

I suppose what I could do is download a supported image (like OpenWRT) then get the image layout details from that in order to build my own image.

I know I’m going about it the hard way but it’s something I don’t mind learning.