From d2eee3b79256166802729f576227dcb01d5d6556 Mon Sep 17 00:00:00 2001
From: hyang
Date: Thu, 14 Sep 2023 21:44:23 -0700
Subject: fix
---
 assets/css/extended/custom.css | 27 ++++++--
 content/post/services.md | 15 ----
 content/post/setup/images/diagram.svg | 4 --
 content/post/setup/index.md | 43 ------------
 .../split-tunnelling-for-wireguard-in-linux.md | 79 ----------------------
 content/posts/services.md | 15 ++++
 content/posts/setup/images/diagram.svg | 4 ++
 content/posts/setup/index.md | 43 ++++++++++++
 .../split-tunnelling-for-wireguard-in-linux.md | 79 ++++++++++++++++++++++
 content/search.md | 5 ++
 hugo.toml | 17 ++++-
 11 files changed, 183 insertions(+), 148 deletions(-)
 delete mode 100644 content/post/services.md
 delete mode 100644 content/post/setup/images/diagram.svg
 delete mode 100644 content/post/setup/index.md
 delete mode 100644 content/post/split-tunnelling-for-wireguard-in-linux.md
 create mode 100644 content/posts/services.md
 create mode 100644 content/posts/setup/images/diagram.svg
 create mode 100644 content/posts/setup/index.md
 create mode 100644 content/posts/split-tunnelling-for-wireguard-in-linux.md
 create mode 100644 content/search.md
diff --git a/assets/css/extended/custom.css b/assets/css/extended/custom.css
index 831259e..c78cacb 100644
--- a/assets/css/extended/custom.css
+++ b/assets/css/extended/custom.css
@@ -1,14 +1,29 @@
 :root {
- --link-hover-color: #449DD1 !important;
- --link-hover-underline-color: #449DD1 !important;
- --link-background-color: #78C0E0 !important;
+ --link-hover-color: #449DD1;
+ --link-hover-underline-color: #449DD1;
+ --link-background-color: #78C0E0;
 }
 
 .dark {
 --theme: rgb(0, 0, 0);
- --link-hover-color: #449DD1 !important;
- --link-hover-underline-color: #449DD1 !important;
- --link-background-color: #449DD1 !important;
+ --link-hover-color: #449DD1;
+ --link-hover-underline-color: #449DD1;
+ --link-background-color: #449DD1;
+}
+
+#menu a {
+ color: var(--secondary);
+}
+#menu a:hover {
+ color: var(--link-hover-color);
+}
+#menu .active {
+ color: var(--link-hover-color) !important;
+ box-shadow: 0 2px 0 var(--link-hover-color);
+}
+
+.nav {
+ flex-direction: column;
 }
 
 .first-entry > header:nth-child(1) {
diff --git a/content/post/services.md b/content/post/services.md
deleted file mode 100644
index f01a901..0000000
--- a/content/post/services.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: "Topology"
-date: 2023-09-14T19:27:08-07:00
-draft: false
-weight: true
-description: Cool stuff on hyang.xyz
----
-
-On top of this blog, I host a bunch of services that I personally use. Available to the public as well!
-
-
-
-- [Invidious](https://inv.hyang.xyz)
-- [Nitter](https://xitter.hyang.xyz) (Down for now)
-- [Fediverse](https://post.hyang.xyz)
diff --git a/content/post/setup/images/diagram.svg b/content/post/setup/images/diagram.svg
deleted file mode 100644
index 40bc69e..0000000
--- a/content/post/setup/images/diagram.svg
+++ /dev/null
@@ -1,4 +0,0 @@
- - - -
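Review bot: `#menu .active` keeps `color: var(--link-hover-color) !important;` while the same hunk deliberately strips `!important` from every `--link-*` variable, leaving this one override with no indication of whether it is load-bearing. If it is there to beat a theme rule of the same selector, say so on the line above, e.g. `/* !important: overrides the theme's own #menu .active colour */`; if not, drop it so the file is consistent with the rest of this change. `.nav { flex-direction: column; }` is also an unscoped selector, so it presumably reaches every `.nav` the theme emits, not just the header menu; if only the header is meant, qualifying it (e.g. `header .nav`) would keep the layout change local.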
hyang.xyz
BuyVM
Debian
hyang.xyz...
"Gaming"
Computer
NixOS
"Gaming"...
Docker
Docker
1TB NVME
1TB NVME
3x
Mirrored
4TB HDD
3x...
Backup 4TB HDD
Backup 4TB...
Offsite Backup?
TODO
Offsite Ba...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/content/post/setup/index.md b/content/post/setup/index.md
deleted file mode 100644
index b635f94..0000000
--- a/content/post/setup/index.md
+++ /dev/null
@@ -1,43 +0,0 @@ ---- -title: "My Setup" -date: 2023-08-27T18:09:49-07:00 -description: Hello again -draft: false ---- - - -## Hello Once Again -Welcome to my ~~third~~, first iteration of hyang.xyz. Now that my hosting stuff is stable again, I hope that I can finally stop messing around with Linux and start doing things that I can look back on years later. And what better way to do that than start writing blog posting? - -(I also need an excuse to get better at writing…) - -## The Setup -My adventures with hosting things on the online has been quite a wild ride for me. Until now, it has mostly been more of a learning experience thing. I had mostly focused on hosting stuff like SearX, Nitter, and Fediverse instances, with it lasting two weeks at most, before I got bored and just nuke it all. I also distro-hopped a lot, from Debian → Arch → OpenBSD → FreeBSD → NixOS. - -Now that I have gotten old, now I just want things to just work! - -So, I've decided to start over again. This time, I had to devise a set of goals that made operating this mess as “comfy” as possible. I settled on the following: -- Sane, easy to use backups -- No Cloudflare, (various reasons: mostly just want to host other stuff like email) -- Affordable (am broke) -- Make deploying stuff repetitive, and easy to maintain - -Here's my setup: - -![My setup as a diagram](images/diagram.svg) - -In essence: -- Small BuyVM VPS for connecting to the big Internet without revealing my residential address. - - Also runs my email server. -- Docker for running/managing services -- Loads of storage: - - 1TB NVME for running NixOS - - 3x 4 TB Hard Drives on ZFS RAID1 (mirror) -- 1x 4 TB Hard Drives (Backups) - - Using rsnapshot - - Backups for both my NVME and HDD. - - (Might be a problem in the future… Might move it to my 3x 4 TB drives) - -My small VPS contains a WireGuard server, which allows my home PC to securely communicate with my VPS. 
Along with that, it also contains Certbot for managing HTTPS certificates, and Nginx for reverse proxying. It also contains my Email server too.
-
-Originally, everything was managed via Nginx. However, logging into my VPS and reconfiguring Nginx every time I wanted to deploy something new was just cumbersome. I decided to try out Traefik, which works alongside Docker to handle most of the routing configurations. Thus, my Nginx now simply reverse proxies everything on port 80 and 443… to another reverse proxy!
diff --git a/content/post/split-tunnelling-for-wireguard-in-linux.md b/content/post/split-tunnelling-for-wireguard-in-linux.md
deleted file mode 100644
index a2ab221..0000000
--- a/content/post/split-tunnelling-for-wireguard-in-linux.md
+++ /dev/null
@@ -1,79 +0,0 @@ ---- -title: "Split Tunnelling for Wireguard in Linux" -date: 2023-09-08T17:18:39-07:00 -description: How to split tunnel in Wireguard on Linux -ShowToc: true -draft: false ---- - -If you're under a VPN with WireGuard on Linux, as of writing this, there seems to be a surprising lack of documentation for selectively split tunneling certain applications. Fortunately, with Linux [network namespaces](https://en.wikipedia.org/wiki/Cgroups), we are able to do just that. - -## TL;DR -[Use my script :)](https://github.com/yanghuaxuan/stun) - -## How -Assuming that your WireGuard configuration is up and running, using something akin to what `wg-quick` does, it'll do the following to route all traffic to a WireGuard interface. -``` -# wg set wg0 fwmark 1234 -# ip route add default dev wg0 table 2468 -# ip rule add not fwmark 1234 table 2468 -# ip rule add table main suppress_prefixlength 0 -``` -Take note of the third command. The third command is a rule policy which routes all packets not marked with `fwmark` 1234. This means all packets, except for the packets used for communicating with the WireGuard endpoint, will be routed using WireGuard's routing tables. - -Therefore, to split tunnel, all we have to do is create a separate Linux namespace, which allows us to make a new routing table isolated from the main namespace. - -## Turn on IP forwarding -Before we get started, it is crucial that you have ipv4 forwarding set to 1 -``` -sysctl -w net.ipv4.conf.all.forwarding=1 -``` - -## Setup Linux namespace -To add a new network namespace, using ip(8), where the name of the namespace will be called *split* -``` -ip netns add split -``` - -Next, we're going to assign the loop back interface, set up a virtual Ethernet pair for communicating between the main and *split* namespace, and set the namespace routing table. 
-``` -ip netns exec split ip link set lo up -ip link add veth0 type veth peer name veth1 -ip addr add 10.1.1.1/24" dev veth0 -ip link set veth0 up - -ip link set veth1 netns split -ip netns exec split ip addr add 10.1.1.2/24" dev veth1 -ip netns exec split ip link set veth1 up -ip -n split route add default dev veth1 via 10.1.1.1" -``` - -Now, back to the main namespace; we route all traffic coming from 10.1.1.2 (the IP assigned to the veth interface inside the namespace) using the main table the computer booted up with. -``` -ip rule add from 10.1.1.2 table main priority 99 -``` - -## Firewall setup -Finally, we will now access the Worldwide Series of Tubes on the split tunnel namespace. Using IPTables, we can forward packets coming from veth0 (remember, packets sent from one end of the pair will flow to the other end). -``` -iptables -t nat -A POSTROUTING -s 10.1.1.1/24" -o $IF -j MASQUERADE -iptables -A FORWARD -i $IF -o veth0 -j ACCEPT -iptables -A FORWARD -o $IF -i veth0 -j ACCEPT -``` -## DNS -You may need to manually configure the DNS server. We will use Cloudflare's 1.1.1.1 to resolve DNS queries inside the network namespace. -``` -mkdir -p /etc/netns/split -echo "nameserver 1.1.1.1" > /etc/netns/split/resolv.conf -``` - -## Conclusion -That's it! Now to test it -``` -ip netns exec split curl ifconfig.me -``` -Your residential IP should now show up instead of your VPN's IP. - -## Credits -- https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps/ -- https://www.wireguard.com/netns/#the-new-namespace-solution diff --git a/content/posts/services.md b/content/posts/services.md new file mode 100644 index 0000000..f01a901 --- /dev/null +++ b/content/posts/services.md 
@@ -0,0 +1,15 @@
+---
+title: "Topology"
+date: 2023-09-14T19:27:08-07:00
+draft: false
+weight: true
+description: Cool stuff on hyang.xyz
+---
+
+On top of this blog, I host a bunch of services that I personally use. Available to the public as well!
+
+
+
+- [Invidious](https://inv.hyang.xyz)
+- [Nitter](https://xitter.hyang.xyz) (Down for now)
+- [Fediverse](https://post.hyang.xyz)
diff --git a/content/posts/setup/images/diagram.svg b/content/posts/setup/images/diagram.svg
new file mode 100644
index 0000000..40bc69e
--- /dev/null
+++ b/content/posts/setup/images/diagram.svg
@@ -0,0 +1,4 @@
+ + + +
hyang.xyz
BuyVM
Debian
hyang.xyz...
"Gaming"
Computer
NixOS
"Gaming"...
Docker
Docker
1TB NVME
1TB NVME
3x
Mirrored
4TB HDD
3x...
Backup 4TB HDD
Backup 4TB...
Offsite Backup?
TODO
Offsite Ba...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/content/posts/setup/index.md b/content/posts/setup/index.md
new file mode 100644
index 0000000..b635f94
--- /dev/null
+++ b/content/posts/setup/index.md
@@ -0,0 +1,43 @@ +--- +title: "My Setup" +date: 2023-08-27T18:09:49-07:00 +description: Hello again +draft: false +--- + + +## Hello Once Again +Welcome to my ~~third~~, first iteration of hyang.xyz. Now that my hosting stuff is stable again, I hope that I can finally stop messing around with Linux and start doing things that I can look back on years later. And what better way to do that than start writing blog posting? + +(I also need an excuse to get better at writing…) + +## The Setup +My adventures with hosting things on the online has been quite a wild ride for me. Until now, it has mostly been more of a learning experience thing. I had mostly focused on hosting stuff like SearX, Nitter, and Fediverse instances, with it lasting two weeks at most, before I got bored and just nuke it all. I also distro-hopped a lot, from Debian → Arch → OpenBSD → FreeBSD → NixOS. + +Now that I have gotten old, now I just want things to just work! + +So, I've decided to start over again. This time, I had to devise a set of goals that made operating this mess as “comfy” as possible. I settled on the following: +- Sane, easy to use backups +- No Cloudflare, (various reasons: mostly just want to host other stuff like email) +- Affordable (am broke) +- Make deploying stuff repetitive, and easy to maintain + +Here's my setup: + +![My setup as a diagram](images/diagram.svg) + +In essence: +- Small BuyVM VPS for connecting to the big Internet without revealing my residential address. + - Also runs my email server. +- Docker for running/managing services +- Loads of storage: + - 1TB NVME for running NixOS + - 3x 4 TB Hard Drives on ZFS RAID1 (mirror) +- 1x 4 TB Hard Drives (Backups) + - Using rsnapshot + - Backups for both my NVME and HDD. + - (Might be a problem in the future… Might move it to my 3x 4 TB drives) + +My small VPS contains a WireGuard server, which allows my home PC to securely communicate with my VPS. 
Along with that, it also contains Certbot for managing HTTPS certificates, and Nginx for reverse proxying. It also contains my Email server too.
+
+Originally, everything was managed via Nginx. However, logging into my VPS and reconfiguring Nginx every time I wanted to deploy something new was just cumbersome. I decided to try out Traefik, which works alongside Docker to handle most of the routing configurations. Thus, my Nginx now simply reverse proxies everything on port 80 and 443… to another reverse proxy!
diff --git a/content/posts/split-tunnelling-for-wireguard-in-linux.md b/content/posts/split-tunnelling-for-wireguard-in-linux.md
new file mode 100644
index 0000000..a2ab221
--- /dev/null
+++ b/content/posts/split-tunnelling-for-wireguard-in-linux.md
@@ -0,0 +1,79 @@ +--- +title: "Split Tunnelling for Wireguard in Linux" +date: 2023-09-08T17:18:39-07:00 +description: How to split tunnel in Wireguard on Linux +ShowToc: true +draft: false +--- + +If you're under a VPN with WireGuard on Linux, as of writing this, there seems to be a surprising lack of documentation for selectively split tunneling certain applications. Fortunately, with Linux [network namespaces](https://en.wikipedia.org/wiki/Cgroups), we are able to do just that. + +## TL;DR +[Use my script :)](https://github.com/yanghuaxuan/stun) + +## How +Assuming that your WireGuard configuration is up and running, using something akin to what `wg-quick` does, it'll do the following to route all traffic to a WireGuard interface. +``` +# wg set wg0 fwmark 1234 +# ip route add default dev wg0 table 2468 +# ip rule add not fwmark 1234 table 2468 +# ip rule add table main suppress_prefixlength 0 +``` +Take note of the third command. The third command is a rule policy which routes all packets not marked with `fwmark` 1234. This means all packets, except for the packets used for communicating with the WireGuard endpoint, will be routed using WireGuard's routing tables. + +Therefore, to split tunnel, all we have to do is create a separate Linux namespace, which allows us to make a new routing table isolated from the main namespace. + +## Turn on IP forwarding +Before we get started, it is crucial that you have ipv4 forwarding set to 1 +``` +sysctl -w net.ipv4.conf.all.forwarding=1 +``` + +## Setup Linux namespace +To add a new network namespace, using ip(8), where the name of the namespace will be called *split* +``` +ip netns add split +``` + +Next, we're going to assign the loop back interface, set up a virtual Ethernet pair for communicating between the main and *split* namespace, and set the namespace routing table. 
+``` +ip netns exec split ip link set lo up +ip link add veth0 type veth peer name veth1 +ip addr add 10.1.1.1/24" dev veth0 +ip link set veth0 up + +ip link set veth1 netns split +ip netns exec split ip addr add 10.1.1.2/24" dev veth1 +ip netns exec split ip link set veth1 up +ip -n split route add default dev veth1 via 10.1.1.1" +``` + +Now, back to the main namespace; we route all traffic coming from 10.1.1.2 (the IP assigned to the veth interface inside the namespace) using the main table the computer booted up with. +``` +ip rule add from 10.1.1.2 table main priority 99 +``` + +## Firewall setup +Finally, we will now access the Worldwide Series of Tubes on the split tunnel namespace. Using IPTables, we can forward packets coming from veth0 (remember, packets sent from one end of the pair will flow to the other end). +``` +iptables -t nat -A POSTROUTING -s 10.1.1.1/24" -o $IF -j MASQUERADE +iptables -A FORWARD -i $IF -o veth0 -j ACCEPT +iptables -A FORWARD -o $IF -i veth0 -j ACCEPT +``` +## DNS +You may need to manually configure the DNS server. We will use Cloudflare's 1.1.1.1 to resolve DNS queries inside the network namespace. +``` +mkdir -p /etc/netns/split +echo "nameserver 1.1.1.1" > /etc/netns/split/resolv.conf +``` + +## Conclusion +That's it! Now to test it +``` +ip netns exec split curl ifconfig.me +``` +Your residential IP should now show up instead of your VPN's IP. + +## Credits +- https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps/ +- https://www.wireguard.com/netns/#the-new-namespace-solution diff --git a/content/search.md b/content/search.md new file mode 100644 index 0000000..ca4bc67 --- /dev/null +++ b/content/search.md @@ -0,0 +1,5 @@ +--- +title: "Search" +layout: "search" +--- + diff --git a/hugo.toml b/hugo.toml index af6307a..97d7173 100644 --- a/hugo.toml +++ b/hugo.toml 
@@ -2,14 +2,29 @@
 baseURL = 'https://hyang.xyz'
 languageCode = 'en-us'
 title = "hyang's homepage"
 theme = 'papermodx'
+enableRobotsTXT = true
 paginate = 5
 
 [params]
 description = "Cool blogpostings"
 author = "hyang"
- mainSections = ["post"]
+ email = "hyang@hyang.xyz"
+ mainSections = ["posts"]
 TocOpen = true
 TocSide = "left"
+ ShowReadingTime = true
+ ShowWordCount = true
+ ShowCodeCopyButtons = true
+ ShowPostNavLinks = true
+
+ [[menu.main]]
+ name = "Posts"
+ url = "/posts"
+ weight = 1
+ [[menu.main]]
+ name = "Search"
+ url = "/search"
+ weight = 2
 [[params.socialIcons]]
 name = "email"
-- 
cgit v1.2.3
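Review bot: The two `[[menu.main]]` headers are indented and placed inside the `[params]` block, but a TOML array-of-tables header is an absolute path, so they define a top-level `menu.main` regardless of indentation; the layout suggests `params.menu.main`, which is not what is parsed. Move them to column 0 after the `[[params.socialIcons]]` entries (that block continues past the hunk) or before `[params]`, so the file's structure matches its appearance and the next `[[menu.main]]` entry does not get added inside `[params]` by mistake. `enableRobotsTXT = true` makes Hugo emit a `/robots.txt` whose content comes from the theme or Hugo's default template, which I cannot see here; a one-line comment that this is a crawler hint only and not an access control, e.g. `# Generates /robots.txt from the theme template; advisory to crawlers, not access control`, would stop a later reader treating it as a way to hide pages. The new `email` param also publishes the address on every page the theme renders it on, which is presumably intended but worth a comment next to the key.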