{Wire}guard from your ISP

People are in an uproar about entities like Facebook and Cambridge Analytica while willingly putting their information into these ecosystems. We should instead be considerably more concerned about the unwilling surveillance we're subject to from our ISP. Recently The Guardian and some discussion pushed me to finally look into applying WireGuard to something like the home network design. So in this post we're going to install WireGuard on an EdgeMax router, bring up a WireGuard tunnel to a VPN service, send all DNS queries over that tunnel, and send selected hosts' or subnets' Internet-bound traffic over that tunnel.

Pass, with friends

Pass is a simple way to manage passwords locally, and with git you can collaborate on a password database with friends. To use pass with friends you must have pass, git, ssh, and gpg configured. We'll get into how to structure your pass databases for multiple projects and how to share them with multiple people.

ECC Certificates and mTLS with Nginx

If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large, privacy-focused organizations have developed a digital/physical PKI strategy, for example the DoD's Common Access Card. OpenSSL is software that can be used to set up a "simple" PKI; however, its command complexity is easy to get lost in. In this guide we'll set up a "simple" PKI that we'll use to authenticate users, while still using legitimately issued Let's Encrypt Domain Validation certificates for the server.

Modern TLS with Nginx and LetsEncrypt

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort to get encryption in place. For the web, it has never been easier to get these things sorted, because there have been significant efforts recently to reduce the barrier. Firstly, the Let's Encrypt project broke up the cabal of certificate authorities by providing a recognized authority that issues certificates to verified domain operators without a transaction cost. Secondly, the Let's Encrypt project and the EFF collaborated on Certbot to provide a fully featured utility for requesting, issuing, and renewing certificates. And thirdly, the OpenSSL project has been getting a lot more external attention, since recent vulnerabilities have been reported in a much more trendy fashion.

Limiting Exposure via ssh ProxyJump

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It's a tool that many of us trust to provide the ultimate command and control access to the devices we manage, yet on many commercial systems it is marginalized by being updated infrequently. If you're able to run modern OpenSSH, you have access to a newer feature named ProxyJump, which makes using a jump host much simpler.