Comment by omnicognate

2 months ago

> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.

This is what routers are for. My router (a cheap fanless box with several network ports running Linux) is the only thing on my network that knows there's a VPN. I can selectively route whatever I want through it, including having a separate SSID/VLAN from which everything is routed through the VPN. It's WireGuard based so there's no "installing a VPN", just an interface/network configured in systemd-networkd (once, on the router).

Edit: Routing by domain name could be tricky, though. I haven't had a need for that, and a proxy with local DNS override (as in the article) might be needed if it came to that. I'd still do it on the router, though.
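As an added example of the router-side arrangement described above (not omnicognate's own configuration, and not taken from the article): a systemd-networkd layout in which one VLAN is policy-routed through a WireGuard interface while the rest of the LAN keeps the normal uplink. The interface names, addresses, routing table number, key path, peer key and endpoint are all assumed placeholders, and the VLAN netdev itself (Kind=vlan, Id=20, attached to the LAN bridge) is assumed to exist already.

```ini
# /etc/systemd/network/50-wg0.netdev  (assumed names and values throughout)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Key lives in its own file, mode 0640 root:systemd-network, never in the unit.
PrivateKeyFile=/etc/systemd/network/wg0.key

[WireGuardPeer]
PublicKey=<VPN-PROVIDER-PUBLIC-KEY>
Endpoint=<vpn.example.net>:51820
AllowedIPs=0.0.0.0/0
PersistentKeepalive=25

# /etc/systemd/network/50-wg0.network
[Match]
Name=wg0

[Network]
Address=10.64.0.2/32

# Default route via the tunnel, but only in table 100 so the router's
# own default route (main table) is untouched.
[Route]
Destination=0.0.0.0/0
Table=100

# Anything sourced from the VPN VLAN consults table 100 before main.
[RoutingPolicyRule]
From=10.0.20.0/24
Table=100
Priority=100

# /etc/systemd/network/30-vlan20.network  (the "VPN" SSID/VLAN, assumed VID 20)
[Match]
Name=vlan20

[Network]
Address=10.0.20.1/24
DHCPServer=yes

# Fail closed: if wg0 drops, its route in table 100 disappears and lookups
# would fall through to main and leak out the plain uplink. This blackhole
# stays in table 100 with vlan20 and catches that case.
[Route]
Destination=0.0.0.0/0
Table=100
Type=blackhole
Metric=1000
```

The rule sends everything from the VLAN into table 100, including traffic to other LAN subnets; a higher-priority rule with Table=main for the LAN prefixes keeps local traffic off the tunnel if that matters.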

You can just use FoxyProxy instead of a separate browser instance. This Firefox addon will use a proxy based on URL patterns.

> This is what routers are for.

Useless in modern days though. IP addresses with anything backed by any cloud/CDN can vanish whenever they want, you'll always need to keep track of the upstream DNS responses.

That's extra fun if you do site-to-site-VPNs with a major customer. Won't name names, but they do have a habit of going through IP renumbering sprees every year or two and it's a true pain to keep the routing table, Zerotrust provider config and firewall rulesets in sync.

> a cheap fanless box with several network ports running linux

Do you remember the name of the product?

  • I like Protectli boxes. x86, low power, coreboot options, lots of network interfaces. The APUs everyone recommends (myself included) are no longer available :(

  • Qotom is a good chinesium brand for small cheap fanless multi-NIC PCs: https://qotom.net

    • +1, have had 10/10 experience with my Qotom - in fact I had to look up the brand to be sure that was what I had. Forgettability (due to reliability) is exactly what you want in router hardware.

  • Two devices I use - both running Debian, and both being open-source hardware to some degree or other:

    PC Engines APU2, AMD x86_64, 4-core, 4GiB, 3x Gigabit Ethernet, 3 x mini PCIe, SIM slot, USB 3, Serial, SATA ports. Mine has dual band WiFi in one mPCIe, SSD in another.

    Turris Mox, Marvell aarch64. This can expand via plug and go via a range of extension modules. I've got one with 25 Gigabit Ethernet ports (3 x 8-port modules), 1 x SFP, 5 x USB3, WiFi, Serial.

  • Not the poster you're responding to, but...

    I'm running OPNsense on a GMKtec G9 (an N150-based NUC with dual 2.5Gbps NICs), and a cheap managed switch. All-in, you can get it today for well under $300. Even that is rather overpowered for running my house.

    The toughest component to pin down was a mesh wifi system that supports tagging VLAN segments. That's almost exclusively enterprise territory, so it's hard to find something affordable.

    • Is there a mesh wifi system that can run open source firmware? I imagine that might be the best bet for VLAN tagging too in the "affordable" sense too.
You can do it like this, or (easier IMO if your router doesn't support it) you can just set up a Raspberry Pi as a VPN router, then set your DHCP server on your router to hand out the RPi's address. You can then switch back to the normal connection at any point you need by just changing your default gateway back to .1.

2GB Pi5 maxes out the 1Gb port.

My solution to this is to have a centralised VPN splitter (x-ray/singbox) sitting on an RPi, with Tailscale attached to it. This makes it available from anywhere if the device is on the TS network, with the added benefit of rule-based geo splitting to various zones.